diff --git a/Makefile b/Makefile index 5c4b247614..b8d0b122de 100755 --- a/Makefile +++ b/Makefile @@ -17,7 +17,7 @@ GIT_COMMIT ?= $(shell git rev-parse HEAD) REGISTRY ?= andyzhangx REGISTRY_NAME ?= $(shell echo $(REGISTRY) | sed "s/.azurecr.io//g") IMAGE_NAME ?= azurefile-csi -IMAGE_VERSION ?= v1.34.1 +IMAGE_VERSION ?= v1.35.0 # Use a custom version for E2E tests if we are testing in CI ifdef CI ifndef PUBLISH diff --git a/README.md b/README.md index d946cc183f..f374ee5225 100644 --- a/README.md +++ b/README.md @@ -7,7 +7,6 @@ ### About This driver allows Kubernetes to access [Azure File](https://docs.microsoft.com/en-us/azure/storage/files/storage-files-introduction) volume using smb and nfs protocols, csi plugin name: `file.csi.azure.com`. -> This driver only permits the mounting of SMB file shares using key-based (NTLM v2) authentication, and therefore does not support the maximum security profile of Azure File share settings. On the other hand, mounting NFS file shares does not require key-based authentication. Disclaimer: Deploying this driver manually is not an officially supported Microsoft product. For a fully managed and supported experience on Kubernetes, use [AKS with the managed Azure File CSI driver](https://learn.microsoft.com/azure/aks/azure-files-csi). @@ -17,9 +16,9 @@ Disclaimer: Deploying this driver manually is not an officially supported Micros |Driver Version |Image | supported k8s version | |----------------|---------------------------------------------------------- |-----------------------| |master branch |mcr.microsoft.com/k8s/csi/azurefile-csi:latest | 1.21+ | -|v1.34.1 |mcr.microsoft.com/oss/v2/kubernetes-csi/azurefile-csi:v1.34.1 | 1.21+ | -|v1.33.4 |mcr.microsoft.com/oss/v2/kubernetes-csi/azurefile-csi:v1.33.4-2 | 1.21+ | -|v1.32.6 |mcr.microsoft.com/oss/v2/kubernetes-csi/azurefile-csi:v1.32.6-3 | 1.21+ | +|v1.35.0 |mcr.microsoft.com/oss/v2/kubernetes-csi/azurefile-csi:v1.35.0 | 1.21+ | +|v1.34.3 |mcr.microsoft.com/oss/v2/kubernetes-csi/azurefile-csi:v1.34.3 | 1.21+ | +|v1.33.7 |mcr.microsoft.com/oss/v2/kubernetes-csi/azurefile-csi:v1.33.7 | 1.21+ | ### Driver parameters Please refer to [driver parameters](./docs/driver-parameters.md) @@ -52,10 +51,11 @@ This option does not depend on cloud provider config file, supports cross subscr ### Features - [Windows](./deploy/example/windows) - [NFS](./deploy/example/nfs) - - [Volume Snapshot](./deploy/example/snapshot) + - [Volume Snapshot and Restore](./deploy/example/snapshot) - [Volume Expansion](./deploy/example/resize) - [Volume Cloning](./deploy/example/cloning) - - [Workload identity](./docs/workload-identity-static-pv-mount.md) + - [Mount with workload identity](./docs/workload-identity-static-pv-mount.md) + - [Mount with managed identity](./docs/managed-identity-mount.md) ### Troubleshooting - [CSI driver troubleshooting guide](./docs/csi-debug.md) diff --git a/charts/README.md b/charts/README.md index fbe3413a80..bb8af43203 100644 --- a/charts/README.md +++ b/charts/README.md @@ -18,7 +18,7 @@ ### install a specific version ```console helm repo add azurefile-csi-driver https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/master/charts -helm install azurefile-csi-driver azurefile-csi-driver/azurefile-csi-driver --namespace kube-system --version 1.33.4 +helm install azurefile-csi-driver azurefile-csi-driver/azurefile-csi-driver --namespace kube-system --version 1.35.0 ``` ### install on RedHat/CentOS @@ -61,10 +61,10 @@ The following table lists the configurable parameters of the latest Azure File C | `image.azurefile.tag` | azurefile-csi-driver container image tag | `` | | `image.azurefile.pullPolicy` | azurefile-csi-driver image pull policy | `IfNotPresent` | | `image.csiProvisioner.repository` | csi-provisioner container image | `/oss/kubernetes-csi/csi-provisioner` | -| `image.csiProvisioner.tag` | csi-provisioner container image tag | `v5.2.0` | +| `image.csiProvisioner.tag` | csi-provisioner container image tag | `v6.1.0` | | `image.csiProvisioner.pullPolicy` | csi-provisioner image pull policy | `IfNotPresent` | | `image.csiResizer.repository` | csi-resizer container image | `/oss/kubernetes-csi/csi-resizer` | -| `image.csiResizer.tag` | csi-resizer container image tag | `v1.13.2` | +| `image.csiResizer.tag` | csi-resizer container image tag | `v2.0.0` | | `image.csiResizer.pullPolicy` | csi-resizer image pull policy | `IfNotPresent` | | `image.livenessProbe.repository` | liveness-probe container image | `/oss/kubernetes-csi/livenessprobe` | | `image.livenessProbe.tag` | liveness-probe container image tag | `v2.15.0` | @@ -127,10 +127,10 @@ The following table lists the configurable parameters of the latest Azure File C | `node.logLevel` | node driver log level |`5` | | `snapshot.enabled` | whether enable snapshot feature | `false` | | `snapshot.image.csiSnapshotter.repository` | csi-snapshotter container image | `/oss/kubernetes-csi/csi-snapshotter` | -| `snapshot.image.csiSnapshotter.tag` | csi-snapshotter container image tag | `v8.3.0` | +| `snapshot.image.csiSnapshotter.tag` | csi-snapshotter container image tag | `v8.4.0` | | `snapshot.image.csiSnapshotter.pullPolicy` | csi-snapshotter image pull policy | `IfNotPresent` | | `snapshot.image.csiSnapshotController.repository` | snapshot-controller container image | `/oss/kubernetes-csi/snapshot-controller` | -| `snapshot.image.csiSnapshotController.tag` | snapshot-controller container image tag | `v8.3.0` | +| `snapshot.image.csiSnapshotController.tag` | snapshot-controller container image tag | `v8.4.0` | | `snapshot.image.csiSnapshotController.pullPolicy` | snapshot-controller image pull policy | `IfNotPresent` | | `snapshot.snapshotController.name` | snapshot controller name | `csi-snapshot-controller` | | `snapshot.snapshotController.replicas` | the replicas of snapshot-controller | `2` | diff --git a/charts/index.yaml b/charts/index.yaml index c1daf9b59a..e54ce5ae27 100644 --- a/charts/index.yaml +++ b/charts/index.yaml @@ -2,606 +2,696 @@ apiVersion: v1 entries: azurefile-csi-driver: - apiVersion: v1 - appVersion: 1.34.1 - created: "2025-09-29T02:02:02.515306773Z" + appVersion: 1.35.0 + created: "2026-02-04T12:37:32.203008415Z" description: Azure File Container Storage Interface (CSI) Storage Plugin - digest: 5027319489d3664f500d97edbcd057b953cd1dd96e5597a19cdb829a17e6512b + digest: d64bd9b92527485c12ba1e952984d303abfee7574e3e9c755e3e81a893f9a7c3 name: azurefile-csi-driver urls: - - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/release-1.33/charts/v1.34.1/azurefile-csi-driver-1.34.1.tgz - version: 1.34.1 + - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/master/charts/latest/azurefile-csi-driver-1.35.0.tgz + version: 1.35.0 + - apiVersion: v1 + appVersion: 1.35.0 + created: "2026-02-04T12:37:32.31208133Z" + description: Azure File Container Storage Interface (CSI) Storage Plugin + digest: 97920d1975be74e4df68ca5bf5b7a5a72f92f526766ddd1e5abd573927e42e0c + name: azurefile-csi-driver + urls: + - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/master/charts/v1.35.0/azurefile-csi-driver-1.35.0.tgz + version: 1.35.0 + - apiVersion: v1 + appVersion: 1.34.3 + created: "2026-02-04T12:37:32.311072426Z" + description: Azure File Container Storage Interface (CSI) Storage Plugin + digest: 8712fa3c245306d31666bc141e1cef5d3c9c57ae84f6b99bd065e3d79c7418ad + name: azurefile-csi-driver + urls: + - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/master/charts/v1.34.3/azurefile-csi-driver-1.34.3.tgz + version: 1.34.3 + - apiVersion: v1 + appVersion: 1.34.2 + created: "2026-02-04T12:37:32.309622291Z" + description: Azure File Container Storage Interface (CSI) Storage Plugin + digest: 4af105f1a663bc52986dbe6265275bad2185188960c7f1c54298becf8fb0ac44 + name: azurefile-csi-driver + urls: + - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/master/charts/v1.34.2/azurefile-csi-driver-1.34.2.tgz + version: 1.34.2 - apiVersion: v1 appVersion: 1.34.1 - created: "2025-09-29T02:02:02.412289377Z" + created: "2026-02-04T12:37:32.308565287Z" description: Azure File Container Storage Interface (CSI) Storage Plugin - digest: cadb924635f156168ceceb6232d3e64d92d6698ca1d9dc95da96fe40cb5bce66 + digest: 6df4402cef98a2d1956e9937c78a9ec696c9fe988e3e0f70ae36b8102b33b12d name: azurefile-csi-driver urls: - - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/release-1.33/charts/latest/azurefile-csi-driver-1.34.1.tgz + - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/master/charts/v1.34.1/azurefile-csi-driver-1.34.1.tgz version: 1.34.1 - apiVersion: v1 appVersion: 1.34.0 - created: "2025-09-29T02:02:02.514134328Z" + created: "2026-02-04T12:37:32.307499156Z" description: Azure File Container Storage Interface (CSI) Storage Plugin - digest: 0cedbcbf4b3829345906cab99b3c195ae7f84f9c2b94e05a4f7c993342b2a28d + digest: 73e800493612f43560f63d37987557a99e05fd1c6e187e9fc6e9efa66acbcd75 name: azurefile-csi-driver urls: - - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/release-1.33/charts/v1.34.0/azurefile-csi-driver-1.34.0.tgz + - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/master/charts/v1.34.0/azurefile-csi-driver-1.34.0.tgz version: 1.34.0 + - apiVersion: v1 + appVersion: 1.33.7 + created: "2026-02-04T12:37:32.306482958Z" + description: Azure File Container Storage Interface (CSI) Storage Plugin + digest: e8804ed83f5b7eb586e9cf58a6033ffdc18b0b19ed335ba6172e4914d05a4dd5 + name: azurefile-csi-driver + urls: + - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/master/charts/v1.33.7/azurefile-csi-driver-1.33.7.tgz + version: 1.33.7 + - apiVersion: v1 + appVersion: 1.33.6 + created: "2026-02-04T12:37:32.305060452Z" + description: Azure File Container Storage Interface (CSI) Storage Plugin + digest: 72c8b52516c20404643d000f9b62d22460d46bc85f7d77fbb158d5a71412f959 + name: azurefile-csi-driver + urls: + - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/master/charts/v1.33.6/azurefile-csi-driver-1.33.6.tgz + version: 1.33.6 + - apiVersion: v1 + appVersion: 1.33.5 + created: "2026-02-04T12:37:32.303591379Z" + description: Azure File Container Storage Interface (CSI) Storage Plugin + digest: 81d0fca6f62753d7935e86e9c50e8a0ec9383990d6e6a26969c668961157947f + name: azurefile-csi-driver + urls: + - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/master/charts/v1.33.5/azurefile-csi-driver-1.33.5.tgz + version: 1.33.5 - apiVersion: v1 appVersion: 1.33.4 - created: "2025-09-29T02:02:02.512550182Z" + created: "2026-02-04T12:37:32.302065326Z" description: Azure File Container Storage Interface (CSI) Storage Plugin digest: 6ed8e83505cf4cc862b5f0b7b7fb593c0874b03e6e6897a8ff8431b0d466f940 name: azurefile-csi-driver urls: - - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/release-1.33/charts/v1.33.4/azurefile-csi-driver-1.33.4.tgz + - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/master/charts/v1.33.4/azurefile-csi-driver-1.33.4.tgz version: 1.33.4 - apiVersion: v1 appVersion: 1.33.3 - created: "2025-09-29T02:02:02.511409847Z" + created: "2026-02-04T12:37:32.301078954Z" description: Azure File Container Storage Interface (CSI) Storage Plugin digest: 90f62bf4bb789b5a280f407a858a90777797efb6685e94a99181eb9120a7925f name: azurefile-csi-driver urls: - - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/release-1.33/charts/v1.33.3/azurefile-csi-driver-1.33.3.tgz + - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/master/charts/v1.33.3/azurefile-csi-driver-1.33.3.tgz version: 1.33.3 - apiVersion: v1 appVersion: 1.33.2 - created: "2025-09-29T02:02:02.509907534Z" + created: "2026-02-04T12:37:32.299813391Z" description: Azure File Container Storage Interface (CSI) Storage Plugin digest: eaf7d867fce56c5eeef20508431a05cf582e75557d01f2cbf5b6e48f0a48e99a name: azurefile-csi-driver urls: - - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/release-1.33/charts/v1.33.2/azurefile-csi-driver-1.33.2.tgz + - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/master/charts/v1.33.2/azurefile-csi-driver-1.33.2.tgz version: 1.33.2 - apiVersion: v1 appVersion: 1.33.1 - created: "2025-09-29T02:02:02.507920698Z" + created: "2026-02-04T12:37:32.298528211Z" description: Azure File Container Storage Interface (CSI) Storage Plugin digest: 8fc2cbb27eb155c2de8eb443f94f456b073f70868f7150ef83d239820e2e0cfb name: azurefile-csi-driver urls: - - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/release-1.33/charts/v1.33.1/azurefile-csi-driver-1.33.1.tgz + - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/master/charts/v1.33.1/azurefile-csi-driver-1.33.1.tgz version: 1.33.1 - apiVersion: v1 appVersion: 1.33.0 - created: "2025-09-29T02:02:02.505582114Z" + created: "2026-02-04T12:37:32.297189992Z" description: Azure File Container Storage Interface (CSI) Storage Plugin digest: d714398328ca063c97cc851cf7691b7197b0cfd169f7b2f020b9108bc6e0cdc4 name: azurefile-csi-driver urls: - - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/release-1.33/charts/v1.33.0/azurefile-csi-driver-1.33.0.tgz + - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/master/charts/v1.33.0/azurefile-csi-driver-1.33.0.tgz version: 1.33.0 + - apiVersion: v1 + appVersion: 1.32.9 + created: "2026-02-04T12:37:32.294361253Z" + description: Azure File Container Storage Interface (CSI) Storage Plugin + digest: e77911f10e0814e339d2406db0449e51ea4d65cb24fe52ff9bcb2e51f1b70d6b + name: azurefile-csi-driver + urls: + - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/master/charts/v1.32.9/azurefile-csi-driver-1.32.9.tgz + version: 1.32.9 + - apiVersion: v1 + appVersion: 1.32.8 + created: "2026-02-04T12:37:32.29337418Z" + description: Azure File Container Storage Interface (CSI) Storage Plugin + digest: f5a1af31513bebff0bad29c7f3cad70f29f54f9b53b083a63620b09b9056b7dc + name: azurefile-csi-driver + urls: + - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/master/charts/v1.32.8/azurefile-csi-driver-1.32.8.tgz + version: 1.32.8 + - apiVersion: v1 + appVersion: 1.32.7 + created: "2026-02-04T12:37:32.292370485Z" + description: Azure File Container Storage Interface (CSI) Storage Plugin + digest: b6024b2470a0d11fd5867ddd4b15edc18618ccf47687f0731029566b69d73543 + name: azurefile-csi-driver + urls: + - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/master/charts/v1.32.7/azurefile-csi-driver-1.32.7.tgz + version: 1.32.7 - apiVersion: v1 appVersion: 1.32.6 - created: "2025-09-29T02:02:02.504005535Z" + created: "2026-02-04T12:37:32.291366891Z" description: Azure File Container Storage Interface (CSI) Storage Plugin digest: 01d071ab81368d7c5aca80129c8bab1bb6bc415b4168a735258583316fa00bbc name: azurefile-csi-driver urls: - - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/release-1.33/charts/v1.32.6/azurefile-csi-driver-1.32.6.tgz + - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/master/charts/v1.32.6/azurefile-csi-driver-1.32.6.tgz version: 1.32.6 - apiVersion: v1 appVersion: 1.32.5 - created: "2025-09-29T02:02:02.502923208Z" + created: "2026-02-04T12:37:32.290388004Z" description: Azure File Container Storage Interface (CSI) Storage Plugin digest: 39d99e29fcf2356dd8be0e2c0ec5024c18b6590765ab2f760d355fbdb10daab1 name: azurefile-csi-driver urls: - - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/release-1.33/charts/v1.32.5/azurefile-csi-driver-1.32.5.tgz + - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/master/charts/v1.32.5/azurefile-csi-driver-1.32.5.tgz version: 1.32.5 - apiVersion: v1 appVersion: 1.32.4 - created: "2025-09-29T02:02:02.501803462Z" + created: "2026-02-04T12:37:32.288943949Z" description: Azure File Container Storage Interface (CSI) Storage Plugin digest: 00b85b95ee584c4dd55bc511425a9eefd310601080aa9be4fd7007c75e40b362 name: azurefile-csi-driver urls: - - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/release-1.33/charts/v1.32.4/azurefile-csi-driver-1.32.4.tgz + - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/master/charts/v1.32.4/azurefile-csi-driver-1.32.4.tgz version: 1.32.4 - apiVersion: v1 appVersion: 1.32.1 - created: "2025-09-29T02:02:02.500662025Z" + created: "2026-02-04T12:37:32.287920828Z" description: Azure File Container Storage Interface (CSI) Storage Plugin digest: 2b13bbc91aa7fcd3a763318a49fd899f5faba633ec67f21c9dc4ed034a0607e3 name: azurefile-csi-driver urls: - - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/release-1.33/charts/v1.32.1/azurefile-csi-driver-1.32.1.tgz + - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/master/charts/v1.32.1/azurefile-csi-driver-1.32.1.tgz version: 1.32.1 - apiVersion: v1 appVersion: 1.32.0 - created: "2025-09-29T02:02:02.498593142Z" + created: "2026-02-04T12:37:32.286537816Z" description: Azure File Container Storage Interface (CSI) Storage Plugin digest: 36ab8c5dd55a00ffbd4fcdfe29013b58fa362a4f234015b5ddcd9ce7cfd4966f name: azurefile-csi-driver urls: - - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/release-1.33/charts/v1.32.0/azurefile-csi-driver-1.32.0.tgz + - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/master/charts/v1.32.0/azurefile-csi-driver-1.32.0.tgz version: 1.32.0 + - apiVersion: v1 + appVersion: 1.31.8 + created: "2026-02-04T12:37:32.28512092Z" + description: Azure File Container Storage Interface (CSI) Storage Plugin + digest: de38999364efd0d31e8e1d7b300e0ad5318187a67908296cdce599ff748f1d94 + name: azurefile-csi-driver + urls: + - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/master/charts/v1.31.8/azurefile-csi-driver-1.31.8.tgz + version: 1.31.8 - apiVersion: v1 appVersion: 1.31.7 - created: "2025-09-29T02:02:02.497205804Z" + created: "2026-02-04T12:37:32.284046694Z" description: Azure File Container Storage Interface (CSI) Storage Plugin digest: 71e098b5b87a1da5e28405f7b911556d5a4a0a7ac8f41b3582eb858c9d8bd31f name: azurefile-csi-driver urls: - - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/release-1.33/charts/v1.31.7/azurefile-csi-driver-1.31.7.tgz + - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/master/charts/v1.31.7/azurefile-csi-driver-1.31.7.tgz version: 1.31.7 - apiVersion: v1 appVersion: 1.31.6 - created: "2025-09-29T02:02:02.496104843Z" + created: "2026-02-04T12:37:32.282904371Z" description: Azure File Container Storage Interface (CSI) Storage Plugin digest: c75a046741036a4c22f36277ffc2f7a8897022f1df2828660c60f09806e0adf0 name: azurefile-csi-driver urls: - - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/release-1.33/charts/v1.31.6/azurefile-csi-driver-1.31.6.tgz + - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/master/charts/v1.31.6/azurefile-csi-driver-1.31.6.tgz version: 1.31.6 - apiVersion: v1 appVersion: 1.31.5 - created: "2025-09-29T02:02:02.495014502Z" + created: "2026-02-04T12:37:32.281403512Z" description: Azure File Container Storage Interface (CSI) Storage Plugin digest: 6f52374c8bd89bc06c9183fc2df5d59e4b001d89a37b33c44dd6d33b57d5d7f0 name: azurefile-csi-driver urls: - - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/release-1.33/charts/v1.31.5/azurefile-csi-driver-1.31.5.tgz + - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/master/charts/v1.31.5/azurefile-csi-driver-1.31.5.tgz version: 1.31.5 - apiVersion: v1 appVersion: 1.31.4 - created: "2025-09-29T02:02:02.493136649Z" + created: "2026-02-04T12:37:32.279879255Z" description: Azure File Container Storage Interface (CSI) Storage Plugin digest: e9ecbf2af7f0ac73c154901b9f9e7bf3c17b190b2d85b2ddb5ad7074a41d1a80 name: azurefile-csi-driver urls: - - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/release-1.33/charts/v1.31.4/azurefile-csi-driver-1.31.4.tgz + - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/master/charts/v1.31.4/azurefile-csi-driver-1.31.4.tgz version: 1.31.4 - apiVersion: v1 appVersion: 1.31.2 - created: "2025-09-29T02:02:02.491490687Z" + created: "2026-02-04T12:37:32.278539854Z" description: Azure File Container Storage Interface (CSI) Storage Plugin digest: f6b1e1a8193729c7115a3544ce2c7b6123a63350616d7a5f5fb9313f17500092 name: azurefile-csi-driver urls: - - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/release-1.33/charts/v1.31.2/azurefile-csi-driver-1.31.2.tgz + - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/master/charts/v1.31.2/azurefile-csi-driver-1.31.2.tgz version: 1.31.2 - apiVersion: v1 appVersion: 1.31.0 - created: "2025-09-29T02:02:02.490420112Z" + created: "2026-02-04T12:37:32.277304618Z" description: Azure File Container Storage Interface (CSI) Storage Plugin digest: 1c845c70fce56ee90b3ce9e043de581eda35d9daaa700adb6cd458af02bd0301 name: azurefile-csi-driver urls: - - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/release-1.33/charts/v1.31.0/azurefile-csi-driver-1.31.0.tgz + - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/master/charts/v1.31.0/azurefile-csi-driver-1.31.0.tgz version: 1.31.0 - apiVersion: v1 appVersion: v1.30.9 - created: "2025-09-29T02:02:02.489073481Z" + created: "2026-02-04T12:37:32.275964615Z" description: Azure File Container Storage Interface (CSI) Storage Plugin digest: 7d2b815419844ae3dcc42b2d2b68eb1bda01b436ae25ee01d6261527d71027c3 name: azurefile-csi-driver urls: - - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/release-1.33/charts/v1.30.9/azurefile-csi-driver-v1.30.9.tgz + - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/master/charts/v1.30.9/azurefile-csi-driver-v1.30.9.tgz version: v1.30.9 - apiVersion: v1 appVersion: v1.30.8 - created: "2025-09-29T02:02:02.487786572Z" + created: "2026-02-04T12:37:32.274073736Z" description: Azure File Container Storage Interface (CSI) Storage Plugin digest: b3d00652437672e5470cca9d552c5718e1070ab9da66bfa2cb22c0ef5162715a name: azurefile-csi-driver urls: - - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/release-1.33/charts/v1.30.8/azurefile-csi-driver-v1.30.8.tgz + - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/master/charts/v1.30.8/azurefile-csi-driver-v1.30.8.tgz version: v1.30.8 - apiVersion: v1 appVersion: v1.30.7 - created: "2025-09-29T02:02:02.485834595Z" + created: "2026-02-04T12:37:32.272748622Z" description: Azure File Container Storage Interface (CSI) Storage Plugin digest: 2034bb28c298847c412bd7fbf7850929e2b5a4b9a011726e373a7eabf325b57f name: azurefile-csi-driver urls: - - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/release-1.33/charts/v1.30.7/azurefile-csi-driver-v1.30.7.tgz + - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/master/charts/v1.30.7/azurefile-csi-driver-v1.30.7.tgz version: v1.30.7 - apiVersion: v1 appVersion: v1.30.6 - created: "2025-09-29T02:02:02.484444653Z" + created: "2026-02-04T12:37:32.271534976Z" description: Azure File Container Storage Interface (CSI) Storage Plugin digest: 1ebab292295056e48cc848d45a48a6715ee4b1bcb0de6c31ff3fbe028ecc1159 name: azurefile-csi-driver urls: - - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/release-1.33/charts/v1.30.6/azurefile-csi-driver-v1.30.6.tgz + - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/master/charts/v1.30.6/azurefile-csi-driver-v1.30.6.tgz version: v1.30.6 - apiVersion: v1 appVersion: v1.30.5 - created: "2025-09-29T02:02:02.482987926Z" + created: "2026-02-04T12:37:32.270158024Z" description: Azure File Container Storage Interface (CSI) Storage Plugin digest: 6b3692dac69d38c069f3ad271d4a72db47e99c78b3881644fe970aa3978a29f3 name: azurefile-csi-driver urls: - - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/release-1.33/charts/v1.30.5/azurefile-csi-driver-v1.30.5.tgz + - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/master/charts/v1.30.5/azurefile-csi-driver-v1.30.5.tgz version: v1.30.5 - apiVersion: v1 appVersion: v1.30.4 - created: "2025-09-29T02:02:02.48193294Z" + created: "2026-02-04T12:37:32.268785291Z" description: Azure File Container Storage Interface (CSI) Storage Plugin digest: cc928f9a3704d37838a04e2691714ad97000b8985db1c02be48e30071a94cd3a name: azurefile-csi-driver urls: - - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/release-1.33/charts/v1.30.4/azurefile-csi-driver-v1.30.4.tgz + - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/master/charts/v1.30.4/azurefile-csi-driver-v1.30.4.tgz version: v1.30.4 - apiVersion: v1 appVersion: v1.30.2 - created: "2025-09-29T02:02:02.480857557Z" + created: "2026-02-04T12:37:32.266830676Z" description: Azure File Container Storage Interface (CSI) Storage Plugin digest: fc059dd694e8cb922cf7e4c073fe7c6a0beec54cef22a1e2b089280b3957e0eb name: azurefile-csi-driver urls: - - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/release-1.33/charts/v1.30.2/azurefile-csi-driver-v1.30.2.tgz + - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/master/charts/v1.30.2/azurefile-csi-driver-v1.30.2.tgz version: v1.30.2 - apiVersion: v1 appVersion: v1.30.1 - created: "2025-09-29T02:02:02.479329179Z" + created: "2026-02-04T12:37:32.265591052Z" description: Azure File Container Storage Interface (CSI) Storage Plugin digest: 4311cb88212ad1341e2d4bd470aaab03c8cd8397ad9be20177814d3a69bfdd9b name: azurefile-csi-driver urls: - - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/release-1.33/charts/v1.30.1/azurefile-csi-driver-v1.30.1.tgz + - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/master/charts/v1.30.1/azurefile-csi-driver-v1.30.1.tgz version: v1.30.1 - apiVersion: v1 appVersion: v1.30.0 - created: "2025-09-29T02:02:02.478296976Z" + created: "2026-02-04T12:37:32.264254837Z" description: Azure File Container Storage Interface (CSI) Storage Plugin digest: 57e4c1185b8941ff9285588791a5d8897883da7fab69f0dd21fadc97bd7553db name: azurefile-csi-driver urls: - - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/release-1.33/charts/v1.30.0/azurefile-csi-driver-v1.30.0.tgz + - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/master/charts/v1.30.0/azurefile-csi-driver-v1.30.0.tgz version: v1.30.0 - apiVersion: v1 appVersion: v1.29.10 - created: "2025-09-29T02:02:02.47105756Z" + created: "2026-02-04T12:37:32.255354063Z" description: Azure File Container Storage Interface (CSI) Storage Plugin digest: fac12cd7a4b1142e50d83112bdf659e5f1dacb0862bebc3b7cd9c0e54ef0c386 name: azurefile-csi-driver urls: - - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/release-1.33/charts/v1.29.10/azurefile-csi-driver-v1.29.10.tgz + - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/master/charts/v1.29.10/azurefile-csi-driver-v1.29.10.tgz version: v1.29.10 - apiVersion: v1 appVersion: v1.29.9 - created: "2025-09-29T02:02:02.477252881Z" + created: "2026-02-04T12:37:32.263020081Z" description: Azure File Container Storage Interface (CSI) Storage Plugin digest: 3103431483cf832076ae3d67d2cf02640ed50b134c2c8d2cc6ba62bdd52613bf name: azurefile-csi-driver urls: - - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/release-1.33/charts/v1.29.9/azurefile-csi-driver-v1.29.9.tgz + - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/master/charts/v1.29.9/azurefile-csi-driver-v1.29.9.tgz version: v1.29.9 - apiVersion: v1 appVersion: v1.29.7 - created: "2025-09-29T02:02:02.475828053Z" + created: "2026-02-04T12:37:32.261578659Z" description: Azure File Container Storage Interface (CSI) Storage Plugin digest: d31aba313d13f53e90ad41ccbc65ff4d95c957dd22672d634a98c2a2998dc5e9 name: azurefile-csi-driver urls: - - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/release-1.33/charts/v1.29.7/azurefile-csi-driver-v1.29.7.tgz + - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/master/charts/v1.29.7/azurefile-csi-driver-v1.29.7.tgz version: v1.29.7 - apiVersion: v1 appVersion: v1.29.5 - created: "2025-09-29T02:02:02.474309999Z" + created: "2026-02-04T12:37:32.260232826Z" description: Azure File Container Storage Interface (CSI) Storage Plugin digest: e243170530c27b63b7091543b94ce197eeebbe9f5b1b1075f64af73cd69a43ce name: azurefile-csi-driver urls: - - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/release-1.33/charts/v1.29.5/azurefile-csi-driver-v1.29.5.tgz + - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/master/charts/v1.29.5/azurefile-csi-driver-v1.29.5.tgz version: v1.29.5 - apiVersion: v1 appVersion: v1.29.4 - created: "2025-09-29T02:02:02.473242971Z" + created: "2026-02-04T12:37:32.258407916Z" description: Azure File Container Storage Interface (CSI) Storage Plugin digest: 16ff777186fc090d80a73551bbe2690a81c4b37a8a64b53e21e58cb9a2ea4570 name: azurefile-csi-driver urls: - - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/release-1.33/charts/v1.29.4/azurefile-csi-driver-v1.29.4.tgz + - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/master/charts/v1.29.4/azurefile-csi-driver-v1.29.4.tgz version: v1.29.4 - apiVersion: v1 appVersion: v1.29.2 - created: "2025-09-29T02:02:02.472170724Z" + created: "2026-02-04T12:37:32.25715712Z" description: Azure File Container Storage Interface (CSI) Storage Plugin digest: 37d89c48dda1666fa0a73a4b038b0f0da7f291b4b07abac47a6ccecda11464b3 name: azurefile-csi-driver urls: - - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/release-1.33/charts/v1.29.2/azurefile-csi-driver-v1.29.2.tgz + - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/master/charts/v1.29.2/azurefile-csi-driver-v1.29.2.tgz version: v1.29.2 - apiVersion: v1 appVersion: v1.29.1 - created: "2025-09-29T02:02:02.469605431Z" + created: "2026-02-04T12:37:32.254057312Z" description: Azure File Container Storage Interface (CSI) Storage Plugin digest: 5f1060cf8d7cd81dcde897f7c0ef83908e49145a2af84a3615c8faf4a1cea007 name: azurefile-csi-driver urls: - - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/release-1.33/charts/v1.29.1/azurefile-csi-driver-v1.29.1.tgz + - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/master/charts/v1.29.1/azurefile-csi-driver-v1.29.1.tgz version: v1.29.1 - apiVersion: v1 appVersion: v1.29.0 - created: "2025-09-29T02:02:02.46804474Z" + created: "2026-02-04T12:37:32.252654141Z" description: Azure File Container Storage Interface (CSI) Storage Plugin digest: 2da242b471ff0eaf6ea3f1a9d2c1f6aaa1b78c8cbb4e850bbefb336e043b8098 name: azurefile-csi-driver urls: - - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/release-1.33/charts/v1.29.0/azurefile-csi-driver-v1.29.0.tgz + - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/master/charts/v1.29.0/azurefile-csi-driver-v1.29.0.tgz version: v1.29.0 - apiVersion: v1 appVersion: v1.28.13 - created: "2025-09-29T02:02:02.442908522Z" + created: "2026-02-04T12:37:32.243227441Z" description: Azure File Container Storage Interface (CSI) Storage Plugin digest: dd78057674cbbc119201f820f4a168cbac0a2663e8acba827d66247b9b456e5a name: azurefile-csi-driver urls: - - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/release-1.33/charts/v1.28.13/azurefile-csi-driver-v1.28.13.tgz + - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/master/charts/v1.28.13/azurefile-csi-driver-v1.28.13.tgz version: v1.28.13 - apiVersion: v1 appVersion: v1.28.12 - created: "2025-09-29T02:02:02.441553014Z" + created: "2026-02-04T12:37:32.241629808Z" description: Azure File Container Storage Interface (CSI) Storage Plugin digest: 68de5f2048c770bff5d95966c1af00375b7bfc0f8b7e114c807b6e8958538a76 name: azurefile-csi-driver urls: - - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/release-1.33/charts/v1.28.12/azurefile-csi-driver-v1.28.12.tgz + - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/master/charts/v1.28.12/azurefile-csi-driver-v1.28.12.tgz version: v1.28.12 - apiVersion: v1 appVersion: v1.28.10 - created: "2025-09-29T02:02:02.44044499Z" + created: "2026-02-04T12:37:32.240255481Z" description: Azure File Container Storage Interface (CSI) Storage Plugin digest: 9c7bae01fc3770550ebddcd5045f69d66baca6c6fc4678da3de6c1d4f63a3592 name: azurefile-csi-driver urls: - - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/release-1.33/charts/v1.28.10/azurefile-csi-driver-v1.28.10.tgz + - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/master/charts/v1.28.10/azurefile-csi-driver-v1.28.10.tgz version: v1.28.10 - apiVersion: v1 appVersion: v1.28.9 - created: "2025-09-29T02:02:02.466980127Z" + created: "2026-02-04T12:37:32.250774443Z" description: Azure File Container Storage Interface (CSI) Storage Plugin digest: 489319dfa4bd9efeefede1fac20bbead9d309da3c90f34d178c30054d562881f name: azurefile-csi-driver urls: - - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/release-1.33/charts/v1.28.9/azurefile-csi-driver-v1.28.9.tgz + - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/master/charts/v1.28.9/azurefile-csi-driver-v1.28.9.tgz version: v1.28.9 - apiVersion: v1 appVersion: v1.28.7 - created: "2025-09-29T02:02:02.465888052Z" + created: "2026-02-04T12:37:32.249534648Z" description: Azure File Container Storage Interface (CSI) Storage Plugin digest: 7bb57767321958e5851b621962988fb7e245f583430cb19a573b28d33f83d923 name: azurefile-csi-driver urls: - - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/release-1.33/charts/v1.28.7/azurefile-csi-driver-v1.28.7.tgz + - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/master/charts/v1.28.7/azurefile-csi-driver-v1.28.7.tgz version: v1.28.7 - apiVersion: v1 appVersion: v1.28.6 - created: "2025-09-29T02:02:02.464801408Z" + created: "2026-02-04T12:37:32.248308458Z" description: Azure File Container Storage Interface (CSI) Storage Plugin digest: cdf86fd396da34c8bf6c401d236dc12ce24697fa8565c63c605f8b5d8d1b195b name: azurefile-csi-driver urls: - - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/release-1.33/charts/v1.28.6/azurefile-csi-driver-v1.28.6.tgz + - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/master/charts/v1.28.6/azurefile-csi-driver-v1.28.6.tgz version: v1.28.6 - apiVersion: v1 appVersion: v1.28.3 - created: "2025-09-29T02:02:02.445136173Z" + created: "2026-02-04T12:37:32.246912131Z" description: Azure File Container Storage Interface (CSI) Storage Plugin digest: 58e138f7a8f2a925c56ca26dc220cab2dc723691c23fd011b457624d11889395 name: azurefile-csi-driver urls: - - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/release-1.33/charts/v1.28.3/azurefile-csi-driver-v1.28.3.tgz + - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/master/charts/v1.28.3/azurefile-csi-driver-v1.28.3.tgz version: v1.28.3 - apiVersion: v1 appVersion: v1.28.2 - created: "2025-09-29T02:02:02.444006047Z" + created: "2026-02-04T12:37:32.245237333Z" description: Azure File Container Storage Interface (CSI) Storage Plugin digest: 426fad83a42035af15af775bd37c73309ef0cfe22686babb0668be71da70a66e name: azurefile-csi-driver urls: - - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/release-1.33/charts/v1.28.2/azurefile-csi-driver-v1.28.2.tgz + - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/master/charts/v1.28.2/azurefile-csi-driver-v1.28.2.tgz version: v1.28.2 - apiVersion: v1 appVersion: v1.27.3 - created: "2025-09-29T02:02:02.438829964Z" + created: "2026-02-04T12:37:32.238672465Z" description: Azure File Container Storage Interface (CSI) Storage Plugin digest: 330d2b11f93e2b10d36f64ed6de528b61351ca794dd9b2c3690c6f6790008732 name: azurefile-csi-driver urls: - - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/release-1.33/charts/v1.27.3/azurefile-csi-driver-v1.27.3.tgz + - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/master/charts/v1.27.3/azurefile-csi-driver-v1.27.3.tgz version: v1.27.3 - apiVersion: v1 appVersion: v1.27.2 - created: "2025-09-29T02:02:02.437833228Z" + created: "2026-02-04T12:37:32.237196008Z" description: Azure File Container Storage Interface (CSI) Storage Plugin digest: ab72e0e5f360a38f63e87147ef47ef213016578e8ba64fbb32ecaf2aad7ffdf3 name: azurefile-csi-driver urls: - - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/release-1.33/charts/v1.27.2/azurefile-csi-driver-v1.27.2.tgz + - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/master/charts/v1.27.2/azurefile-csi-driver-v1.27.2.tgz version: v1.27.2 - apiVersion: v1 appVersion: v1.26.10 - created: "2025-09-29T02:02:02.434793307Z" + created: "2026-02-04T12:37:32.228863362Z" description: Azure File Container Storage Interface (CSI) Storage Plugin digest: 80d2fccdab497044587f8a3299cc761cdf364c2d2d0b4f4cb0ab8197021dc218 name: azurefile-csi-driver urls: - - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/release-1.33/charts/v1.26.10/azurefile-csi-driver-v1.26.10.tgz + - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/master/charts/v1.26.10/azurefile-csi-driver-v1.26.10.tgz version: v1.26.10 - apiVersion: v1 appVersion: v1.26.6 - created: "2025-09-29T02:02:02.436813719Z" + created: "2026-02-04T12:37:32.232059321Z" description: Azure File Container Storage Interface (CSI) Storage Plugin digest: 3c20488343b47ed618e8c809f6fcdd83f22e00a4d07c78ca097573cafd7075a9 name: azurefile-csi-driver urls: - - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/release-1.33/charts/v1.26.6/azurefile-csi-driver-v1.26.6.tgz + - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/master/charts/v1.26.6/azurefile-csi-driver-v1.26.6.tgz version: v1.26.6 - apiVersion: v1 appVersion: v1.26.5 - created: "2025-09-29T02:02:02.435792287Z" + created: "2026-02-04T12:37:32.230278295Z" description: Azure File Container Storage Interface (CSI) Storage Plugin digest: 62ac6ab864264ee1e2fb86e8093c8e8263c2c0d3bafff60704c31fd72e40c604 name: azurefile-csi-driver urls: - - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/release-1.33/charts/v1.26.5/azurefile-csi-driver-v1.26.5.tgz + - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/master/charts/v1.26.5/azurefile-csi-driver-v1.26.5.tgz version: v1.26.5 - apiVersion: v1 appVersion: v1.25.1 - created: "2025-09-29T02:02:02.433315522Z" + created: "2026-02-04T12:37:32.227140766Z" description: Azure File Container Storage Interface (CSI) Storage Plugin digest: 2bf374cc321c5bc8e76e06cd5df85ce7d7d14574397e7e7f7173077393f554c4 name: azurefile-csi-driver urls: - - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/release-1.33/charts/v1.25.1/azurefile-csi-driver-v1.25.1.tgz + - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/master/charts/v1.25.1/azurefile-csi-driver-v1.25.1.tgz version: v1.25.1 - apiVersion: v1 appVersion: v1.24.11 - created: "2025-09-29T02:02:02.430320755Z" + created: "2026-02-04T12:37:32.222993735Z" description: Azure File Container Storage Interface (CSI) Storage Plugin digest: 501e27a634966a4ae5528025577e926745d896ffa2c253dc69c13623b84254d2 name: azurefile-csi-driver urls: - - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/release-1.33/charts/v1.24.11/azurefile-csi-driver-v1.24.11.tgz + - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/master/charts/v1.24.11/azurefile-csi-driver-v1.24.11.tgz version: v1.24.11 - apiVersion: v1 appVersion: v1.24.7 - created: "2025-09-29T02:02:02.432337762Z" + created: "2026-02-04T12:37:32.225804761Z" description: Azure File Container Storage Interface (CSI) Storage Plugin digest: 9e5b3f32ad823f845e5a09af230f7a934851943d6afcab3bd545233838680d83 name: azurefile-csi-driver urls: - - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/release-1.33/charts/v1.24.7/azurefile-csi-driver-v1.24.7.tgz + - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/master/charts/v1.24.7/azurefile-csi-driver-v1.24.7.tgz version: v1.24.7 - apiVersion: v1 appVersion: v1.24.6 - created: "2025-09-29T02:02:02.431334343Z" + created: "2026-02-04T12:37:32.224431948Z" description: Azure File Container Storage Interface (CSI) Storage Plugin digest: dbd0a6e27a09fec002c57029bd6e34a6ee92d1c10e708935e3f2150069a35ee5 name: azurefile-csi-driver urls: - - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/release-1.33/charts/v1.24.6/azurefile-csi-driver-v1.24.6.tgz + - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/master/charts/v1.24.6/azurefile-csi-driver-v1.24.6.tgz version: v1.24.6 - apiVersion: v1 appVersion: v1.23.0 - created: "2025-09-29T02:02:02.429091836Z" + created: "2026-02-04T12:37:32.221408695Z" description: Azure File Container Storage Interface (CSI) Storage Plugin digest: 5fcb33617d16e90df1e7041b0df02e5bd92595e86381db30d356b0b2e3500bc4 name: azurefile-csi-driver urls: - - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/release-1.33/charts/v1.23.0/azurefile-csi-driver-v1.23.0.tgz + - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/master/charts/v1.23.0/azurefile-csi-driver-v1.23.0.tgz version: v1.23.0 - apiVersion: v1 appVersion: v1.22.0 - created: "2025-09-29T02:02:02.427392354Z" + created: "2026-02-04T12:37:32.220280748Z" description: Azure File Container Storage Interface (CSI) Storage Plugin digest: 253d87a8b876dbdd55870a7fee88547393179d03f193661125f5a0b63411f922 name: azurefile-csi-driver urls: - - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/release-1.33/charts/v1.22.0/azurefile-csi-driver-v1.22.0.tgz + - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/master/charts/v1.22.0/azurefile-csi-driver-v1.22.0.tgz version: v1.22.0 - apiVersion: v1 appVersion: v1.21.0 - created: "2025-09-29T02:02:02.426414443Z" + created: "2026-02-04T12:37:32.219069918Z" description: Azure File Container Storage Interface (CSI) Storage Plugin digest: d45bf3455ebadc9cc5afaf9da66aa1ea1d4b719cfdff5af661f93bb26c01a504 name: azurefile-csi-driver urls: - - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/release-1.33/charts/v1.21.0/azurefile-csi-driver-v1.21.0.tgz + - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/master/charts/v1.21.0/azurefile-csi-driver-v1.21.0.tgz version: v1.21.0 - apiVersion: v1 appVersion: v1.20.0 - created: "2025-09-29T02:02:02.425483741Z" + created: "2026-02-04T12:37:32.217689059Z" description: Azure File Container Storage Interface (CSI) Storage Plugin digest: 7cc43d57a79137aea5414fb51a9bbd77bb679b29ee49c06865c1a5b9ba60be99 name: azurefile-csi-driver urls: - - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/release-1.33/charts/v1.20.0/azurefile-csi-driver-v1.20.0.tgz + - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/master/charts/v1.20.0/azurefile-csi-driver-v1.20.0.tgz version: v1.20.0 - apiVersion: v1 appVersion: v1.19.0 - created: "2025-09-29T02:02:02.424171564Z" + created: "2026-02-04T12:37:32.216441199Z" description: Azure File Container Storage Interface (CSI) Storage Plugin digest: 18f6efbed424efd661fde43be2e5a48a5012a46a7938c33b36963cbd9875a5af name: azurefile-csi-driver urls: - - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/release-1.33/charts/v1.19.0/azurefile-csi-driver-v1.19.0.tgz + - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/master/charts/v1.19.0/azurefile-csi-driver-v1.19.0.tgz version: v1.19.0 - apiVersion: v1 appVersion: v1.18.0 - created: "2025-09-29T02:02:02.422970455Z" + created: "2026-02-04T12:37:32.214622433Z" description: Azure File Container Storage Interface (CSI) Storage Plugin digest: 696ca23d9ee517f71ef5e852955c8d0f1017c331c025426c6fcbe7a06d006c66 name: azurefile-csi-driver urls: - - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/release-1.33/charts/v1.18.0/azurefile-csi-driver-v1.18.0.tgz + - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/master/charts/v1.18.0/azurefile-csi-driver-v1.18.0.tgz version: v1.18.0 - apiVersion: v1 appVersion: v1.17.0 - created: "2025-09-29T02:02:02.421998736Z" + created: "2026-02-04T12:37:32.213210817Z" description: Azure File Container Storage Interface (CSI) Storage Plugin digest: 5632f61265a3b78dce3e2b15e07cc9b14a7f54a778878c02ca2d9fe69ca0344e name: azurefile-csi-driver urls: - - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/release-1.33/charts/v1.17.0/azurefile-csi-driver-v1.17.0.tgz + - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/master/charts/v1.17.0/azurefile-csi-driver-v1.17.0.tgz version: v1.17.0 - apiVersion: v1 appVersion: v1.16.0 - created: "2025-09-29T02:02:02.420126597Z" + created: "2026-02-04T12:37:32.212094362Z" description: Azure File Container Storage Interface (CSI) Storage Plugin digest: a7a2d57e8eca7dc06c8b2cffb9bccb857753eb110b8e70760b3e04f4e6a87552 name: azurefile-csi-driver urls: - - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/release-1.33/charts/v1.16.0/azurefile-csi-driver-v1.16.0.tgz + - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/master/charts/v1.16.0/azurefile-csi-driver-v1.16.0.tgz version: v1.16.0 - apiVersion: v1 appVersion: v1.15.0 - created: "2025-09-29T02:02:02.418501375Z" + created: "2026-02-04T12:37:32.21096867Z" description: Azure File Container Storage Interface (CSI) Storage Plugin digest: c1a31dadce233a90c19dce70f6cc92ba2e20bbaa1b1883baea72381d09303118 name: azurefile-csi-driver urls: - - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/release-1.33/charts/v1.15.0/azurefile-csi-driver-v1.15.0.tgz + - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/master/charts/v1.15.0/azurefile-csi-driver-v1.15.0.tgz version: v1.15.0 - apiVersion: v1 appVersion: v1.14.0 - created: "2025-09-29T02:02:02.417609295Z" + created: "2026-02-04T12:37:32.209707575Z" description: Azure File Container Storage Interface (CSI) Storage Plugin digest: 0c9ad4afa5ebfdb2851ad93eb16a0382d61448714b7556899360730a2fdf463a name: azurefile-csi-driver urls: - - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/release-1.33/charts/v1.14.0/azurefile-csi-driver-v1.14.0.tgz + - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/master/charts/v1.14.0/azurefile-csi-driver-v1.14.0.tgz version: v1.14.0 - apiVersion: v1 appVersion: v1.13.0 - created: "2025-09-29T02:02:02.416702437Z" + created: "2026-02-04T12:37:32.208552378Z" description: Azure File Container Storage Interface (CSI) Storage Plugin digest: 214042b029d858b50a0f8bba33a7aa2b41d1b67bce16f957ca183ae7438dac3f name: azurefile-csi-driver urls: - - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/release-1.33/charts/v1.13.0/azurefile-csi-driver-v1.13.0.tgz + - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/master/charts/v1.13.0/azurefile-csi-driver-v1.13.0.tgz version: v1.13.0 - apiVersion: v1 appVersion: v1.12.0 - created: "2025-09-29T02:02:02.41576386Z" + created: "2026-02-04T12:37:32.207326829Z" description: Azure File Container Storage Interface (CSI) Storage Plugin digest: fbd63929671066a26df898d32282a6e79c39499a39c71761c546d069459d847d name: azurefile-csi-driver urls: - - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/release-1.33/charts/v1.12.0/azurefile-csi-driver-v1.12.0.tgz + - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/master/charts/v1.12.0/azurefile-csi-driver-v1.12.0.tgz version: v1.12.0 - apiVersion: v1 appVersion: v1.11.0 - created: "2025-09-29T02:02:02.414826655Z" + created: "2026-02-04T12:37:32.205420138Z" description: Azure File Container Storage Interface (CSI) Storage Plugin digest: 76bd438f8391d08235b09fbca859f25a9fcf8e018fd1e7e33444ca9ea946ce4b name: azurefile-csi-driver urls: - - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/release-1.33/charts/v1.11.0/azurefile-csi-driver-v1.11.0.tgz + - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/master/charts/v1.11.0/azurefile-csi-driver-v1.11.0.tgz version: v1.11.0 - apiVersion: v1 appVersion: v1.10.0 - created: "2025-09-29T02:02:02.413212766Z" + created: "2026-02-04T12:37:32.204208626Z" description: Azure File Container Storage Interface (CSI) Storage Plugin digest: 845a9de8b571b255d05ae9c643d9b90a57fe6507ff3fb735c88b41f99f6f28dc name: azurefile-csi-driver urls: - - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/release-1.33/charts/v1.10.0/azurefile-csi-driver-v1.10.0.tgz + - https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/master/charts/v1.10.0/azurefile-csi-driver-v1.10.0.tgz version: v1.10.0 -generated: "2025-09-29T02:02:02.410990986Z" +generated: "2026-02-04T12:37:32.201778148Z" diff --git a/charts/latest/azurefile-csi-driver-1.34.1.tgz b/charts/latest/azurefile-csi-driver-1.34.1.tgz deleted file mode 100644 index da865446ec..0000000000 Binary files a/charts/latest/azurefile-csi-driver-1.34.1.tgz and /dev/null differ diff --git a/charts/latest/azurefile-csi-driver-1.35.0.tgz b/charts/latest/azurefile-csi-driver-1.35.0.tgz new file mode 100644 index 0000000000..66262f8f2e Binary files /dev/null and b/charts/latest/azurefile-csi-driver-1.35.0.tgz differ diff --git a/charts/latest/azurefile-csi-driver/Chart.yaml b/charts/latest/azurefile-csi-driver/Chart.yaml index d91717ef34..73cbf8d042 100644 --- a/charts/latest/azurefile-csi-driver/Chart.yaml +++ b/charts/latest/azurefile-csi-driver/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v1 -appVersion: 1.34.1 +appVersion: 1.35.0 description: Azure File Container Storage Interface (CSI) Storage Plugin name: azurefile-csi-driver -version: 1.34.1 +version: 1.35.0 diff --git a/charts/latest/azurefile-csi-driver/templates/csi-azurefile-node.yaml b/charts/latest/azurefile-csi-driver/templates/csi-azurefile-node.yaml index eddaacb6ae..f11e21c718 100644 --- a/charts/latest/azurefile-csi-driver/templates/csi-azurefile-node.yaml +++ b/charts/latest/azurefile-csi-driver/templates/csi-azurefile-node.yaml @@ -166,8 +166,8 @@ spec: - mountPath: "{{ .Values.linux.kubelet }}" mountPropagation: Bidirectional name: mountpoint-dir - - name: host-etc - mountPath: /etc + - name: azfilesauth + mountPath: /etc/azfilesauth - name: log-dir mountPath: /var/log/ resources: {{- toYaml .Values.linux.resources.azfilesrefresh | nindent 12 }} @@ -263,8 +263,8 @@ spec: {{- if .Values.node.enableManagedIdentityAuth }} - name: log-dir mountPath: /var/log/ - - name: host-etc - mountPath: /etc + - name: azfilesauth + mountPath: /etc/azfilesauth {{- end }} resources: {{- toYaml .Values.linux.resources.azurefile | nindent 12 }} volumes: @@ -274,6 +274,10 @@ spec: - name: host-etc hostPath: path: /etc + - name: azfilesauth + hostPath: + path: /etc/azfilesauth + type: DirectoryOrCreate - hostPath: path: {{ .Values.linux.kubelet }}/plugins/{{ .Values.driver.name }} type: DirectoryOrCreate diff --git a/charts/latest/azurefile-csi-driver/values.yaml b/charts/latest/azurefile-csi-driver/values.yaml index 48c59bc29d..c33fc1c09e 100644 --- a/charts/latest/azurefile-csi-driver/values.yaml +++ b/charts/latest/azurefile-csi-driver/values.yaml @@ -2,15 +2,15 @@ image: baseRepo: mcr.microsoft.com azurefile: repository: /oss/v2/kubernetes-csi/azurefile-csi - tag: v1.34.1 + tag: v1.35.0 pullPolicy: IfNotPresent csiProvisioner: repository: /oss/v2/kubernetes-csi/csi-provisioner - tag: v5.3.0 + tag: v6.1.0 pullPolicy: IfNotPresent csiResizer: repository: /oss/v2/kubernetes-csi/csi-resizer - tag: v1.14.0 + tag: v2.0.0 pullPolicy: IfNotPresent livenessProbe: repository: /oss/v2/kubernetes-csi/livenessprobe @@ -142,11 +142,11 @@ snapshot: image: csiSnapshotter: repository: /oss/v2/kubernetes-csi/csi-snapshotter - tag: v8.3.0 + tag: v8.4.0 pullPolicy: IfNotPresent csiSnapshotController: repository: /oss/v2/kubernetes-csi/snapshot-controller - tag: v8.3.0 + tag: v8.4.0 pullPolicy: IfNotPresent snapshotController: name: csi-snapshot-controller diff --git a/charts/v1.31.8/azurefile-csi-driver-1.31.8.tgz b/charts/v1.31.8/azurefile-csi-driver-1.31.8.tgz new file mode 100644 index 0000000000..8b20df9cd5 Binary files /dev/null and b/charts/v1.31.8/azurefile-csi-driver-1.31.8.tgz differ diff --git a/charts/v1.31.8/azurefile-csi-driver/Chart.yaml b/charts/v1.31.8/azurefile-csi-driver/Chart.yaml new file mode 100644 index 0000000000..89c63ff641 --- /dev/null +++ b/charts/v1.31.8/azurefile-csi-driver/Chart.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +appVersion: 1.31.8 +description: Azure File Container Storage Interface (CSI) Storage Plugin +name: azurefile-csi-driver +version: 1.31.8 diff --git a/charts/v1.31.8/azurefile-csi-driver/templates/NOTES.txt b/charts/v1.31.8/azurefile-csi-driver/templates/NOTES.txt new file mode 100644 index 0000000000..bea09b0829 --- /dev/null +++ b/charts/v1.31.8/azurefile-csi-driver/templates/NOTES.txt @@ -0,0 +1,5 @@ +The Azure File CSI Driver is getting deployed to your cluster. + +To check Azure File CSI Driver pods status, please run: + + kubectl --namespace={{ .Release.Namespace }} get pods --selector="app.kubernetes.io/name={{ .Release.Name }}" --watch diff --git a/charts/v1.31.8/azurefile-csi-driver/templates/_helpers.tpl b/charts/v1.31.8/azurefile-csi-driver/templates/_helpers.tpl new file mode 100644 index 0000000000..b1bf4dc1b6 --- /dev/null +++ b/charts/v1.31.8/azurefile-csi-driver/templates/_helpers.tpl @@ -0,0 +1,49 @@ +{{/* vim: set filetype=mustache: */}} + +{{/* Expand the name of the chart.*/}} +{{- define "azurefile.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "azurefile.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Common selectors. +*/}} +{{- define "azurefile.selectorLabels" -}} +app.kubernetes.io/name: {{ template "azurefile.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end -}} + +{{/* +Common labels. +*/}} +{{- define "azurefile.labels" -}} +{{- include "azurefile.selectorLabels" . }} +app.kubernetes.io/component: csi-driver +app.kubernetes.io/part-of: {{ template "azurefile.name" . }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +helm.sh/chart: {{ template "azurefile.chart" . }} +{{- if .Values.customLabels }} +{{ toYaml .Values.customLabels }} +{{- end }} +{{- end -}} + + +{{/* pull secrets for containers */}} +{{- define "azurefile.pullSecrets" -}} +{{- if .Values.imagePullSecrets }} +imagePullSecrets: +{{- range .Values.imagePullSecrets }} + - name: {{ . }} +{{- end }} +{{- end }} +{{- end -}} diff --git a/charts/v1.31.8/azurefile-csi-driver/templates/crd-csi-snapshot.yaml b/charts/v1.31.8/azurefile-csi-driver/templates/crd-csi-snapshot.yaml new file mode 100644 index 0000000000..76df8af7e9 --- /dev/null +++ b/charts/v1.31.8/azurefile-csi-driver/templates/crd-csi-snapshot.yaml @@ -0,0 +1,840 @@ +{{- if .Values.snapshot.enabled -}} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + api-approved.kubernetes.io: "https://github.com/kubernetes-csi/external-snapshotter/pull/665" + creationTimestamp: null + name: volumesnapshots.snapshot.storage.k8s.io +spec: + group: snapshot.storage.k8s.io + names: + kind: VolumeSnapshot + listKind: VolumeSnapshotList + plural: volumesnapshots + shortNames: + - vs + singular: volumesnapshot + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Indicates if the snapshot is ready to be used to restore a volume. + jsonPath: .status.readyToUse + name: ReadyToUse + type: boolean + - description: If a new snapshot needs to be created, this contains the name of + the source PVC from which this snapshot was (or will be) created. + jsonPath: .spec.source.persistentVolumeClaimName + name: SourcePVC + type: string + - description: If a snapshot already exists, this contains the name of the existing + VolumeSnapshotContent object representing the existing snapshot. + jsonPath: .spec.source.volumeSnapshotContentName + name: SourceSnapshotContent + type: string + - description: Represents the minimum size of volume required to rehydrate from + this snapshot. + jsonPath: .status.restoreSize + name: RestoreSize + type: string + - description: The name of the VolumeSnapshotClass requested by the VolumeSnapshot. + jsonPath: .spec.volumeSnapshotClassName + name: SnapshotClass + type: string + - description: Name of the VolumeSnapshotContent object to which the VolumeSnapshot + object intends to bind to. Please note that verification of binding actually + requires checking both VolumeSnapshot and VolumeSnapshotContent to ensure + both are pointing at each other. Binding MUST be verified prior to usage of + this object. + jsonPath: .status.boundVolumeSnapshotContentName + name: SnapshotContent + type: string + - description: Timestamp when the point-in-time snapshot was taken by the underlying + storage system. + jsonPath: .status.creationTime + name: CreationTime + type: date + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: VolumeSnapshot is a user's request for either creating a point-in-time + snapshot of a persistent volume, or binding to a pre-existing snapshot. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + spec: + description: 'spec defines the desired characteristics of a snapshot requested + by a user. More info: https://kubernetes.io/docs/concepts/storage/volume-snapshots#volumesnapshots + Required.' + properties: + source: + description: source specifies where a snapshot will be created from. + This field is immutable after creation. Required. + properties: + persistentVolumeClaimName: + description: persistentVolumeClaimName specifies the name of the + PersistentVolumeClaim object representing the volume from which + a snapshot should be created. This PVC is assumed to be in the + same namespace as the VolumeSnapshot object. This field should + be set if the snapshot does not exists, and needs to be created. + This field is immutable. + type: string + volumeSnapshotContentName: + description: volumeSnapshotContentName specifies the name of a + pre-existing VolumeSnapshotContent object representing an existing + volume snapshot. This field should be set if the snapshot already + exists and only needs a representation in Kubernetes. This field + is immutable. + type: string + type: object + oneOf: + - required: ["persistentVolumeClaimName"] + - required: ["volumeSnapshotContentName"] + volumeSnapshotClassName: + description: 'VolumeSnapshotClassName is the name of the VolumeSnapshotClass + requested by the VolumeSnapshot. VolumeSnapshotClassName may be + left nil to indicate that the default SnapshotClass should be used. + A given cluster may have multiple default Volume SnapshotClasses: + one default per CSI Driver. If a VolumeSnapshot does not specify + a SnapshotClass, VolumeSnapshotSource will be checked to figure + out what the associated CSI Driver is, and the default VolumeSnapshotClass + associated with that CSI Driver will be used. If more than one VolumeSnapshotClass + exist for a given CSI Driver and more than one have been marked + as default, CreateSnapshot will fail and generate an event. Empty + string is not allowed for this field.' + type: string + required: + - source + type: object + status: + description: status represents the current information of a snapshot. + Consumers must verify binding between VolumeSnapshot and VolumeSnapshotContent + objects is successful (by validating that both VolumeSnapshot and VolumeSnapshotContent + point at each other) before using this object. + properties: + boundVolumeSnapshotContentName: + description: 'boundVolumeSnapshotContentName is the name of the VolumeSnapshotContent + object to which this VolumeSnapshot object intends to bind to. If + not specified, it indicates that the VolumeSnapshot object has not + been successfully bound to a VolumeSnapshotContent object yet. NOTE: + To avoid possible security issues, consumers must verify binding + between VolumeSnapshot and VolumeSnapshotContent objects is successful + (by validating that both VolumeSnapshot and VolumeSnapshotContent + point at each other) before using this object.' + type: string + creationTime: + description: creationTime is the timestamp when the point-in-time + snapshot is taken by the underlying storage system. In dynamic snapshot + creation case, this field will be filled in by the snapshot controller + with the "creation_time" value returned from CSI "CreateSnapshot" + gRPC call. For a pre-existing snapshot, this field will be filled + with the "creation_time" value returned from the CSI "ListSnapshots" + gRPC call if the driver supports it. If not specified, it may indicate + that the creation time of the snapshot is unknown. + format: date-time + type: string + error: + description: error is the last observed error during snapshot creation, + if any. This field could be helpful to upper level controllers(i.e., + application controller) to decide whether they should continue on + waiting for the snapshot to be created based on the type of error + reported. The snapshot controller will keep retrying when an error + occurs during the snapshot creation. Upon success, this error field + will be cleared. + properties: + message: + description: 'message is a string detailing the encountered error + during snapshot creation if specified. NOTE: message may be + logged, and it should not contain sensitive information.' + type: string + time: + description: time is the timestamp when the error was encountered. + format: date-time + type: string + type: object + readyToUse: + description: readyToUse indicates if the snapshot is ready to be used + to restore a volume. In dynamic snapshot creation case, this field + will be filled in by the snapshot controller with the "ready_to_use" + value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing + snapshot, this field will be filled with the "ready_to_use" value + returned from the CSI "ListSnapshots" gRPC call if the driver supports + it, otherwise, this field will be set to "True". If not specified, + it means the readiness of a snapshot is unknown. + type: boolean + restoreSize: + type: string + description: restoreSize represents the minimum size of volume required + to create a volume from this snapshot. In dynamic snapshot creation + case, this field will be filled in by the snapshot controller with + the "size_bytes" value returned from CSI "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the + "size_bytes" value returned from the CSI "ListSnapshots" gRPC call + if the driver supports it. When restoring a volume from this snapshot, + the size of the volume MUST NOT be smaller than the restoreSize + if it is specified, otherwise the restoration will fail. If not + specified, it indicates that the size is unknown. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: Indicates if the snapshot is ready to be used to restore a volume. + jsonPath: .status.readyToUse + name: ReadyToUse + type: boolean + - description: If a new snapshot needs to be created, this contains the name of the source PVC from which this snapshot was (or will be) created. + jsonPath: .spec.source.persistentVolumeClaimName + name: SourcePVC + type: string + - description: If a snapshot already exists, this contains the name of the existing VolumeSnapshotContent object representing the existing snapshot. + jsonPath: .spec.source.volumeSnapshotContentName + name: SourceSnapshotContent + type: string + - description: Represents the minimum size of volume required to rehydrate from this snapshot. + jsonPath: .status.restoreSize + name: RestoreSize + type: string + - description: The name of the VolumeSnapshotClass requested by the VolumeSnapshot. + jsonPath: .spec.volumeSnapshotClassName + name: SnapshotClass + type: string + - description: Name of the VolumeSnapshotContent object to which the VolumeSnapshot object intends to bind to. Please note that verification of binding actually requires checking both VolumeSnapshot and VolumeSnapshotContent to ensure both are pointing at each other. Binding MUST be verified prior to usage of this object. + jsonPath: .status.boundVolumeSnapshotContentName + name: SnapshotContent + type: string + - description: Timestamp when the point-in-time snapshot was taken by the underlying storage system. + jsonPath: .status.creationTime + name: CreationTime + type: date + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + # This indicates the v1beta1 version of the custom resource is deprecated. + # API requests to this version receive a warning in the server response. + deprecated: true + # This overrides the default warning returned to clients making v1beta1 API requests. + deprecationWarning: "snapshot.storage.k8s.io/v1beta1 VolumeSnapshot is deprecated; use snapshot.storage.k8s.io/v1 VolumeSnapshot" + schema: + openAPIV3Schema: + description: VolumeSnapshot is a user's request for either creating a point-in-time snapshot of a persistent volume, or binding to a pre-existing snapshot. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + spec: + description: 'spec defines the desired characteristics of a snapshot requested by a user. More info: https://kubernetes.io/docs/concepts/storage/volume-snapshots#volumesnapshots Required.' + properties: + source: + description: source specifies where a snapshot will be created from. This field is immutable after creation. Required. + properties: + persistentVolumeClaimName: + description: persistentVolumeClaimName specifies the name of the PersistentVolumeClaim object representing the volume from which a snapshot should be created. This PVC is assumed to be in the same namespace as the VolumeSnapshot object. This field should be set if the snapshot does not exists, and needs to be created. This field is immutable. + type: string + volumeSnapshotContentName: + description: volumeSnapshotContentName specifies the name of a pre-existing VolumeSnapshotContent object representing an existing volume snapshot. This field should be set if the snapshot already exists and only needs a representation in Kubernetes. This field is immutable. + type: string + type: object + volumeSnapshotClassName: + description: 'VolumeSnapshotClassName is the name of the VolumeSnapshotClass requested by the VolumeSnapshot. VolumeSnapshotClassName may be left nil to indicate that the default SnapshotClass should be used. A given cluster may have multiple default Volume SnapshotClasses: one default per CSI Driver. If a VolumeSnapshot does not specify a SnapshotClass, VolumeSnapshotSource will be checked to figure out what the associated CSI Driver is, and the default VolumeSnapshotClass associated with that CSI Driver will be used. If more than one VolumeSnapshotClass exist for a given CSI Driver and more than one have been marked as default, CreateSnapshot will fail and generate an event. Empty string is not allowed for this field.' + type: string + required: + - source + type: object + status: + description: status represents the current information of a snapshot. Consumers must verify binding between VolumeSnapshot and VolumeSnapshotContent objects is successful (by validating that both VolumeSnapshot and VolumeSnapshotContent point at each other) before using this object. + properties: + boundVolumeSnapshotContentName: + description: 'boundVolumeSnapshotContentName is the name of the VolumeSnapshotContent object to which this VolumeSnapshot object intends to bind to. If not specified, it indicates that the VolumeSnapshot object has not been successfully bound to a VolumeSnapshotContent object yet. NOTE: To avoid possible security issues, consumers must verify binding between VolumeSnapshot and VolumeSnapshotContent objects is successful (by validating that both VolumeSnapshot and VolumeSnapshotContent point at each other) before using this object.' + type: string + creationTime: + description: creationTime is the timestamp when the point-in-time snapshot is taken by the underlying storage system. In dynamic snapshot creation case, this field will be filled in by the snapshot controller with the "creation_time" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "creation_time" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. If not specified, it may indicate that the creation time of the snapshot is unknown. + format: date-time + type: string + error: + description: error is the last observed error during snapshot creation, if any. This field could be helpful to upper level controllers(i.e., application controller) to decide whether they should continue on waiting for the snapshot to be created based on the type of error reported. The snapshot controller will keep retrying when an error occurs during the snapshot creation. Upon success, this error field will be cleared. + properties: + message: + description: 'message is a string detailing the encountered error during snapshot creation if specified. NOTE: message may be logged, and it should not contain sensitive information.' + type: string + time: + description: time is the timestamp when the error was encountered. + format: date-time + type: string + type: object + readyToUse: + description: readyToUse indicates if the snapshot is ready to be used to restore a volume. In dynamic snapshot creation case, this field will be filled in by the snapshot controller with the "ready_to_use" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "ready_to_use" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it, otherwise, this field will be set to "True". If not specified, it means the readiness of a snapshot is unknown. + type: boolean + restoreSize: + type: string + description: restoreSize represents the minimum size of volume required to create a volume from this snapshot. In dynamic snapshot creation case, this field will be filled in by the snapshot controller with the "size_bytes" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "size_bytes" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. When restoring a volume from this snapshot, the size of the volume MUST NOT be smaller than the restoreSize if it is specified, otherwise the restoration will fail. If not specified, it indicates that the size is unknown. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + required: + - spec + type: object + served: false + storage: false + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + api-approved.kubernetes.io: "https://github.com/kubernetes-csi/external-snapshotter/pull/665" + creationTimestamp: null + name: volumesnapshotclasses.snapshot.storage.k8s.io +spec: + group: snapshot.storage.k8s.io + names: + kind: VolumeSnapshotClass + listKind: VolumeSnapshotClassList + plural: volumesnapshotclasses + shortNames: + - vsclass + - vsclasses + singular: volumesnapshotclass + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .driver + name: Driver + type: string + - description: Determines whether a VolumeSnapshotContent created through the + VolumeSnapshotClass should be deleted when its bound VolumeSnapshot is deleted. + jsonPath: .deletionPolicy + name: DeletionPolicy + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: VolumeSnapshotClass specifies parameters that a underlying storage + system uses when creating a volume snapshot. A specific VolumeSnapshotClass + is used by specifying its name in a VolumeSnapshot object. VolumeSnapshotClasses + are non-namespaced + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + deletionPolicy: + description: deletionPolicy determines whether a VolumeSnapshotContent + created through the VolumeSnapshotClass should be deleted when its bound + VolumeSnapshot is deleted. Supported values are "Retain" and "Delete". + "Retain" means that the VolumeSnapshotContent and its physical snapshot + on underlying storage system are kept. "Delete" means that the VolumeSnapshotContent + and its physical snapshot on underlying storage system are deleted. + Required. + enum: + - Delete + - Retain + type: string + driver: + description: driver is the name of the storage driver that handles this + VolumeSnapshotClass. Required. + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + parameters: + additionalProperties: + type: string + description: parameters is a key-value map with storage driver specific + parameters for creating snapshots. These values are opaque to Kubernetes. + type: object + required: + - deletionPolicy + - driver + type: object + served: true + storage: true + subresources: {} + - additionalPrinterColumns: + - jsonPath: .driver + name: Driver + type: string + - description: Determines whether a VolumeSnapshotContent created through the VolumeSnapshotClass should be deleted when its bound VolumeSnapshot is deleted. + jsonPath: .deletionPolicy + name: DeletionPolicy + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + # This indicates the v1beta1 version of the custom resource is deprecated. + # API requests to this version receive a warning in the server response. + deprecated: true + # This overrides the default warning returned to clients making v1beta1 API requests. + deprecationWarning: "snapshot.storage.k8s.io/v1beta1 VolumeSnapshotClass is deprecated; use snapshot.storage.k8s.io/v1 VolumeSnapshotClass" + schema: + openAPIV3Schema: + description: VolumeSnapshotClass specifies parameters that a underlying storage system uses when creating a volume snapshot. A specific VolumeSnapshotClass is used by specifying its name in a VolumeSnapshot object. VolumeSnapshotClasses are non-namespaced + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + deletionPolicy: + description: deletionPolicy determines whether a VolumeSnapshotContent created through the VolumeSnapshotClass should be deleted when its bound VolumeSnapshot is deleted. Supported values are "Retain" and "Delete". "Retain" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are kept. "Delete" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are deleted. Required. + enum: + - Delete + - Retain + type: string + driver: + description: driver is the name of the storage driver that handles this VolumeSnapshotClass. Required. + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + parameters: + additionalProperties: + type: string + description: parameters is a key-value map with storage driver specific parameters for creating snapshots. These values are opaque to Kubernetes. + type: object + required: + - deletionPolicy + - driver + type: object + served: false + storage: false + subresources: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + api-approved.kubernetes.io: "https://github.com/kubernetes-csi/external-snapshotter/pull/665" + creationTimestamp: null + name: volumesnapshotcontents.snapshot.storage.k8s.io +spec: + group: snapshot.storage.k8s.io + names: + kind: VolumeSnapshotContent + listKind: VolumeSnapshotContentList + plural: volumesnapshotcontents + shortNames: + - vsc + - vscs + singular: volumesnapshotcontent + scope: Cluster + versions: + - additionalPrinterColumns: + - description: Indicates if the snapshot is ready to be used to restore a volume. + jsonPath: .status.readyToUse + name: ReadyToUse + type: boolean + - description: Represents the complete size of the snapshot in bytes + jsonPath: .status.restoreSize + name: RestoreSize + type: integer + - description: Determines whether this VolumeSnapshotContent and its physical + snapshot on the underlying storage system should be deleted when its bound + VolumeSnapshot is deleted. + jsonPath: .spec.deletionPolicy + name: DeletionPolicy + type: string + - description: Name of the CSI driver used to create the physical snapshot on + the underlying storage system. + jsonPath: .spec.driver + name: Driver + type: string + - description: Name of the VolumeSnapshotClass to which this snapshot belongs. + jsonPath: .spec.volumeSnapshotClassName + name: VolumeSnapshotClass + type: string + - description: Name of the VolumeSnapshot object to which this VolumeSnapshotContent + object is bound. + jsonPath: .spec.volumeSnapshotRef.name + name: VolumeSnapshot + type: string + - description: Namespace of the VolumeSnapshot object to which this VolumeSnapshotContent object is bound. + jsonPath: .spec.volumeSnapshotRef.namespace + name: VolumeSnapshotNamespace + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: VolumeSnapshotContent represents the actual "on-disk" snapshot + object in the underlying storage system + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + spec: + description: spec defines properties of a VolumeSnapshotContent created + by the underlying storage system. Required. + properties: + deletionPolicy: + description: deletionPolicy determines whether this VolumeSnapshotContent + and its physical snapshot on the underlying storage system should + be deleted when its bound VolumeSnapshot is deleted. Supported values + are "Retain" and "Delete". "Retain" means that the VolumeSnapshotContent + and its physical snapshot on underlying storage system are kept. + "Delete" means that the VolumeSnapshotContent and its physical snapshot + on underlying storage system are deleted. For dynamically provisioned + snapshots, this field will automatically be filled in by the CSI + snapshotter sidecar with the "DeletionPolicy" field defined in the + corresponding VolumeSnapshotClass. For pre-existing snapshots, users + MUST specify this field when creating the VolumeSnapshotContent + object. Required. + enum: + - Delete + - Retain + type: string + driver: + description: driver is the name of the CSI driver used to create the + physical snapshot on the underlying storage system. This MUST be + the same as the name returned by the CSI GetPluginName() call for + that driver. Required. + type: string + source: + description: source specifies whether the snapshot is (or should be) + dynamically provisioned or already exists, and just requires a Kubernetes + object representation. This field is immutable after creation. Required. + properties: + snapshotHandle: + description: snapshotHandle specifies the CSI "snapshot_id" of + a pre-existing snapshot on the underlying storage system for + which a Kubernetes object representation was (or should be) + created. This field is immutable. + type: string + volumeHandle: + description: volumeHandle specifies the CSI "volume_id" of the + volume from which a snapshot should be dynamically taken from. + This field is immutable. + type: string + type: object + oneOf: + - required: ["snapshotHandle"] + - required: ["volumeHandle"] + sourceVolumeMode: + description: SourceVolumeMode is the mode of the volume whose snapshot + is taken. Can be either “Filesystem” or “Block”. If not specified, + it indicates the source volume's mode is unknown. This field is + immutable. This field is an alpha field. + type: string + volumeSnapshotClassName: + description: name of the VolumeSnapshotClass from which this snapshot + was (or will be) created. Note that after provisioning, the VolumeSnapshotClass + may be deleted or recreated with different set of values, and as + such, should not be referenced post-snapshot creation. + type: string + volumeSnapshotRef: + description: volumeSnapshotRef specifies the VolumeSnapshot object + to which this VolumeSnapshotContent object is bound. VolumeSnapshot.Spec.VolumeSnapshotContentName + field must reference to this VolumeSnapshotContent's name for the + bidirectional binding to be valid. For a pre-existing VolumeSnapshotContent + object, name and namespace of the VolumeSnapshot object MUST be + provided for binding to happen. This field is immutable after creation. + Required. + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of + an entire object, this string should contain a valid JSON/Go + field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part of + an object. TODO: this design is not final and this field is + subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + required: + - deletionPolicy + - driver + - source + - volumeSnapshotRef + type: object + status: + description: status represents the current information of a snapshot. + properties: + creationTime: + description: creationTime is the timestamp when the point-in-time + snapshot is taken by the underlying storage system. In dynamic snapshot + creation case, this field will be filled in by the CSI snapshotter + sidecar with the "creation_time" value returned from CSI "CreateSnapshot" + gRPC call. For a pre-existing snapshot, this field will be filled + with the "creation_time" value returned from the CSI "ListSnapshots" + gRPC call if the driver supports it. If not specified, it indicates + the creation time is unknown. The format of this field is a Unix + nanoseconds time encoded as an int64. On Unix, the command `date + +%s%N` returns the current time in nanoseconds since 1970-01-01 + 00:00:00 UTC. + format: int64 + type: integer + error: + description: error is the last observed error during snapshot creation, + if any. Upon success after retry, this error field will be cleared. + properties: + message: + description: 'message is a string detailing the encountered error + during snapshot creation if specified. NOTE: message may be + logged, and it should not contain sensitive information.' + type: string + time: + description: time is the timestamp when the error was encountered. + format: date-time + type: string + type: object + readyToUse: + description: readyToUse indicates if a snapshot is ready to be used + to restore a volume. In dynamic snapshot creation case, this field + will be filled in by the CSI snapshotter sidecar with the "ready_to_use" + value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing + snapshot, this field will be filled with the "ready_to_use" value + returned from the CSI "ListSnapshots" gRPC call if the driver supports + it, otherwise, this field will be set to "True". If not specified, + it means the readiness of a snapshot is unknown. + type: boolean + restoreSize: + description: restoreSize represents the complete size of the snapshot + in bytes. In dynamic snapshot creation case, this field will be + filled in by the CSI snapshotter sidecar with the "size_bytes" value + returned from CSI "CreateSnapshot" gRPC call. For a pre-existing + snapshot, this field will be filled with the "size_bytes" value + returned from the CSI "ListSnapshots" gRPC call if the driver supports + it. When restoring a volume from this snapshot, the size of the + volume MUST NOT be smaller than the restoreSize if it is specified, + otherwise the restoration will fail. If not specified, it indicates + that the size is unknown. + format: int64 + minimum: 0 + type: integer + snapshotHandle: + description: snapshotHandle is the CSI "snapshot_id" of a snapshot + on the underlying storage system. If not specified, it indicates + that dynamic snapshot creation has either failed or it is still + in progress. + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: Indicates if the snapshot is ready to be used to restore a volume. + jsonPath: .status.readyToUse + name: ReadyToUse + type: boolean + - description: Represents the complete size of the snapshot in bytes + jsonPath: .status.restoreSize + name: RestoreSize + type: integer + - description: Determines whether this VolumeSnapshotContent and its physical snapshot on the underlying storage system should be deleted when its bound VolumeSnapshot is deleted. + jsonPath: .spec.deletionPolicy + name: DeletionPolicy + type: string + - description: Name of the CSI driver used to create the physical snapshot on the underlying storage system. + jsonPath: .spec.driver + name: Driver + type: string + - description: Name of the VolumeSnapshotClass to which this snapshot belongs. + jsonPath: .spec.volumeSnapshotClassName + name: VolumeSnapshotClass + type: string + - description: Name of the VolumeSnapshot object to which this VolumeSnapshotContent object is bound. + jsonPath: .spec.volumeSnapshotRef.name + name: VolumeSnapshot + type: string + - description: Namespace of the VolumeSnapshot object to which this VolumeSnapshotContent object is bound. + jsonPath: .spec.volumeSnapshotRef.namespace + name: VolumeSnapshotNamespace + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + # This indicates the v1beta1 version of the custom resource is deprecated. + # API requests to this version receive a warning in the server response. + deprecated: true + # This overrides the default warning returned to clients making v1beta1 API requests. + deprecationWarning: "snapshot.storage.k8s.io/v1beta1 VolumeSnapshotContent is deprecated; use snapshot.storage.k8s.io/v1 VolumeSnapshotContent" + schema: + openAPIV3Schema: + description: VolumeSnapshotContent represents the actual "on-disk" snapshot object in the underlying storage system + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + spec: + description: spec defines properties of a VolumeSnapshotContent created by the underlying storage system. Required. + properties: + deletionPolicy: + description: deletionPolicy determines whether this VolumeSnapshotContent and its physical snapshot on the underlying storage system should be deleted when its bound VolumeSnapshot is deleted. Supported values are "Retain" and "Delete". "Retain" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are kept. "Delete" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are deleted. For dynamically provisioned snapshots, this field will automatically be filled in by the CSI snapshotter sidecar with the "DeletionPolicy" field defined in the corresponding VolumeSnapshotClass. For pre-existing snapshots, users MUST specify this field when creating the VolumeSnapshotContent object. Required. + enum: + - Delete + - Retain + type: string + driver: + description: driver is the name of the CSI driver used to create the physical snapshot on the underlying storage system. This MUST be the same as the name returned by the CSI GetPluginName() call for that driver. Required. + type: string + source: + description: source specifies whether the snapshot is (or should be) dynamically provisioned or already exists, and just requires a Kubernetes object representation. This field is immutable after creation. Required. + properties: + snapshotHandle: + description: snapshotHandle specifies the CSI "snapshot_id" of a pre-existing snapshot on the underlying storage system for which a Kubernetes object representation was (or should be) created. This field is immutable. + type: string + volumeHandle: + description: volumeHandle specifies the CSI "volume_id" of the volume from which a snapshot should be dynamically taken from. This field is immutable. + type: string + type: object + volumeSnapshotClassName: + description: name of the VolumeSnapshotClass from which this snapshot was (or will be) created. Note that after provisioning, the VolumeSnapshotClass may be deleted or recreated with different set of values, and as such, should not be referenced post-snapshot creation. + type: string + volumeSnapshotRef: + description: volumeSnapshotRef specifies the VolumeSnapshot object to which this VolumeSnapshotContent object is bound. VolumeSnapshot.Spec.VolumeSnapshotContentName field must reference to this VolumeSnapshotContent's name for the bidirectional binding to be valid. For a pre-existing VolumeSnapshotContent object, name and namespace of the VolumeSnapshot object MUST be provided for binding to happen. This field is immutable after creation. Required. + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + required: + - deletionPolicy + - driver + - source + - volumeSnapshotRef + type: object + status: + description: status represents the current information of a snapshot. + properties: + creationTime: + description: creationTime is the timestamp when the point-in-time snapshot is taken by the underlying storage system. In dynamic snapshot creation case, this field will be filled in by the CSI snapshotter sidecar with the "creation_time" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "creation_time" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. If not specified, it indicates the creation time is unknown. The format of this field is a Unix nanoseconds time encoded as an int64. On Unix, the command `date +%s%N` returns the current time in nanoseconds since 1970-01-01 00:00:00 UTC. + format: int64 + type: integer + error: + description: error is the last observed error during snapshot creation, if any. Upon success after retry, this error field will be cleared. + properties: + message: + description: 'message is a string detailing the encountered error during snapshot creation if specified. NOTE: message may be logged, and it should not contain sensitive information.' + type: string + time: + description: time is the timestamp when the error was encountered. + format: date-time + type: string + type: object + readyToUse: + description: readyToUse indicates if a snapshot is ready to be used to restore a volume. In dynamic snapshot creation case, this field will be filled in by the CSI snapshotter sidecar with the "ready_to_use" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "ready_to_use" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it, otherwise, this field will be set to "True". If not specified, it means the readiness of a snapshot is unknown. + type: boolean + restoreSize: + description: restoreSize represents the complete size of the snapshot in bytes. In dynamic snapshot creation case, this field will be filled in by the CSI snapshotter sidecar with the "size_bytes" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "size_bytes" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. When restoring a volume from this snapshot, the size of the volume MUST NOT be smaller than the restoreSize if it is specified, otherwise the restoration will fail. If not specified, it indicates that the size is unknown. + format: int64 + minimum: 0 + type: integer + snapshotHandle: + description: snapshotHandle is the CSI "snapshot_id" of a snapshot on the underlying storage system. If not specified, it indicates that dynamic snapshot creation has either failed or it is still in progress. + type: string + type: object + required: + - spec + type: object + served: false + storage: false + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end -}} diff --git a/charts/v1.31.8/azurefile-csi-driver/templates/csi-azurefile-controller.yaml b/charts/v1.31.8/azurefile-csi-driver/templates/csi-azurefile-controller.yaml new file mode 100644 index 0000000000..0e782b851b --- /dev/null +++ b/charts/v1.31.8/azurefile-csi-driver/templates/csi-azurefile-controller.yaml @@ -0,0 +1,285 @@ +kind: Deployment +apiVersion: apps/v1 +metadata: + name: {{ .Values.controller.name }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Values.controller.name }} + {{- include "azurefile.labels" . | nindent 4 }} +{{- with .Values.controller.labels }} +{{ . | toYaml | indent 4 }} +{{- end }} +{{- with .Values.controller.annotations }} + annotations: +{{ . | toYaml | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.controller.replicas }} + selector: + matchLabels: + {{- include "azurefile.selectorLabels" . | nindent 6 }} + app: {{ .Values.controller.name }} + strategy: + type: {{ .Values.controller.strategyType }} + template: + metadata: + labels: + {{- include "azurefile.labels" . | nindent 8 }} + app: {{ .Values.controller.name }} + {{- if .Values.workloadIdentity.clientID }} + azure.workload.identity/use: "true" + {{- end }} +{{- with .Values.controller.podLabels }} +{{ toYaml . | indent 8 }} +{{- end }} +{{- with .Values.controller.podAnnotations }} + annotations: +{{ toYaml . | indent 8 }} +{{- end }} + spec: + hostNetwork: {{ .Values.controller.hostNetwork }} + serviceAccountName: {{ .Values.serviceAccount.controller }} + nodeSelector: + kubernetes.io/os: linux +{{- with .Values.controller.nodeSelector }} +{{ toYaml . | indent 8 }} +{{- end }} + # runOnControlPlane=true or runOnMaster=true only takes effect if affinity is not set + {{- if tpl "{{ .Values.controller.affinity }}" . | contains "nodeSelectorTerms" }} + {{- with .Values.controller.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- else if or .Values.controller.runOnControlPlane .Values.controller.runOnMaster}} + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + {{- if .Values.controller.runOnControlPlane}} + - key: node-role.kubernetes.io/control-plane + operator: Exists + {{- end}} + {{- if .Values.controller.runOnMaster}} + - key: node-role.kubernetes.io/master + operator: Exists + {{- end}} + {{- end }} + priorityClassName: system-cluster-critical + securityContext: + seccompProfile: + type: RuntimeDefault +{{- with .Values.controller.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} +{{- end }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: +{{ toYaml .Values.imagePullSecrets | indent 8 }} + {{- end }} + containers: + - name: csi-provisioner +{{- if hasPrefix "/" .Values.image.csiProvisioner.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.csiProvisioner.repository }}:{{ .Values.image.csiProvisioner.tag }}" +{{- else }} + image: "{{ .Values.image.csiProvisioner.repository }}:{{ .Values.image.csiProvisioner.tag }}" +{{- end }} + args: + - "-v=2" + - "--csi-address=$(ADDRESS)" + - "--leader-election" + - "--leader-election-namespace={{ .Release.Namespace }}" + - "--timeout=1200s" + - "--extra-create-metadata=true" + - "--kube-api-qps=50" + - "--kube-api-burst=100" + - "--feature-gates=HonorPVReclaimPolicy=true" + - "--retry-interval-max=30m" + env: + - name: ADDRESS + value: /csi/csi.sock + imagePullPolicy: {{ .Values.image.csiProvisioner.pullPolicy }} + volumeMounts: + - mountPath: /csi + name: socket-dir + resources: {{- toYaml .Values.controller.resources.csiProvisioner | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL + - name: csi-snapshotter +{{- if hasPrefix "/" .Values.snapshot.image.csiSnapshotter.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.snapshot.image.csiSnapshotter.repository }}:{{ .Values.snapshot.image.csiSnapshotter.tag }}" +{{- else }} + image: "{{ .Values.snapshot.image.csiSnapshotter.repository }}:{{ .Values.snapshot.image.csiSnapshotter.tag }}" +{{- end }} + args: + - "-csi-address=$(ADDRESS)" + - "-leader-election" + - "--leader-election-namespace={{ .Release.Namespace }}" + - "-v=2" + - "--retry-interval-max=30m" + env: + - name: ADDRESS + value: /csi/csi.sock + volumeMounts: + - name: socket-dir + mountPath: /csi + resources: {{- toYaml .Values.controller.resources.csiSnapshotter | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL + - name: csi-resizer +{{- if hasPrefix "/" .Values.image.csiResizer.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.csiResizer.repository }}:{{ .Values.image.csiResizer.tag }}" +{{- else }} + image: "{{ .Values.image.csiResizer.repository }}:{{ .Values.image.csiResizer.tag }}" +{{- end }} + args: + - "-csi-address=$(ADDRESS)" + - "-v=2" + - "-leader-election" + - "--leader-election-namespace={{ .Release.Namespace }}" + - '-handle-volume-inuse-error=false' + - '-timeout=120s' + - '-feature-gates=RecoverVolumeExpansionFailure=true' + - "--retry-interval-max=30m" + env: + - name: ADDRESS + value: /csi/csi.sock + imagePullPolicy: {{ .Values.image.csiResizer.pullPolicy }} + volumeMounts: + - name: socket-dir + mountPath: /csi + resources: {{- toYaml .Values.controller.resources.csiResizer | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL + - name: liveness-probe +{{- if hasPrefix "/" .Values.image.livenessProbe.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}" +{{- else }} + image: "{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}" +{{- end }} + args: + - --csi-address=/csi/csi.sock + - --probe-timeout=3s +{{- if eq .Values.controller.hostNetwork true }} + - --http-endpoint=localhost:{{ .Values.controller.livenessProbe.healthPort }} +{{- else }} + - --health-port={{ .Values.controller.livenessProbe.healthPort }} +{{- end }} + - --v=2 + imagePullPolicy: {{ .Values.image.livenessProbe.pullPolicy }} + volumeMounts: + - name: socket-dir + mountPath: /csi + resources: {{- toYaml .Values.controller.resources.livenessProbe | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL + - name: azurefile +{{- if hasPrefix "/" .Values.image.azurefile.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}" +{{- else }} + image: "{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}" +{{- end }} + args: + - "--v={{ .Values.controller.logLevel }}" + - "--endpoint=$(CSI_ENDPOINT)" + - "--metrics-address=0.0.0.0:{{ .Values.controller.metricsPort }}" + - "--kubeconfig={{ .Values.controller.kubeconfig }}" + - "--drivername={{ .Values.driver.name }}" + - "--cloud-config-secret-name={{ .Values.controller.cloudConfigSecretName }}" + - "--cloud-config-secret-namespace={{ .Values.controller.cloudConfigSecretNamespace }}" + - "--custom-user-agent={{ .Values.driver.customUserAgent }}" + - "--user-agent-suffix={{ .Values.driver.userAgentSuffix }}" + - "--allow-empty-cloud-config={{ .Values.controller.allowEmptyCloudConfig }}" + ports: + - containerPort: {{ .Values.controller.metricsPort }} + name: metrics + protocol: TCP +{{- if ne .Values.controller.hostNetwork true }} + - containerPort: {{ .Values.controller.livenessProbe.healthPort }} + name: healthz + protocol: TCP +{{- end }} + livenessProbe: + failureThreshold: 5 + httpGet: + path: /healthz +{{- if eq .Values.controller.hostNetwork true }} + host: localhost + port: {{ .Values.controller.livenessProbe.healthPort }} +{{- else }} + port: healthz +{{- end }} + initialDelaySeconds: 30 + timeoutSeconds: 10 + periodSeconds: 30 + env: + - name: AZURE_CREDENTIAL_FILE + valueFrom: + configMapKeyRef: + name: {{ .Values.azureCredentialFileConfigMap }} + key: path + optional: true + - name: CSI_ENDPOINT + value: unix:///csi/csi.sock + {{- if ne .Values.driver.httpsProxy "" }} + - name: HTTPS_PROXY + value: {{ .Values.driver.httpsProxy }} + {{- end }} + {{- if ne .Values.driver.httpProxy "" }} + - name: HTTP_PROXY + value: {{ .Values.driver.httpProxy }} + {{- end }} + - name: AZURE_GO_SDK_LOG_LEVEL + value: {{ .Values.driver.azureGoSDKLogLevel }} + - name: AZCOPY_CONCURRENCY_VALUE + value: "10" + - name: AZCOPY_CONCURRENT_FILES + value: "20" + - name: AZCOPY_BUFFER_GB + value: "1" + imagePullPolicy: {{ .Values.image.azurefile.pullPolicy }} + volumeMounts: + - mountPath: /csi + name: socket-dir + - mountPath: /root/.azcopy + name: azcopy-dir + - mountPath: /etc/kubernetes/ + name: azure-cred + {{- if eq .Values.linux.distro "fedora" }} + - name: ssl + mountPath: /etc/ssl/certs + readOnly: true + - name: ssl-pki + mountPath: /etc/pki/ca-trust/extracted + readOnly: true + {{- end }} + resources: {{- toYaml .Values.controller.resources.azurefile | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL + volumes: + - name: socket-dir + emptyDir: {} + - name: azcopy-dir + emptyDir: {} + - name: azure-cred + hostPath: + path: /etc/kubernetes/ + type: DirectoryOrCreate + {{- if eq .Values.linux.distro "fedora" }} + - name: ssl + hostPath: + path: /etc/ssl/certs + - name: ssl-pki + hostPath: + path: /etc/pki/ca-trust/extracted + {{- end }} diff --git a/charts/v1.31.8/azurefile-csi-driver/templates/csi-azurefile-driver.yaml b/charts/v1.31.8/azurefile-csi-driver/templates/csi-azurefile-driver.yaml new file mode 100644 index 0000000000..77df01e32d --- /dev/null +++ b/charts/v1.31.8/azurefile-csi-driver/templates/csi-azurefile-driver.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: storage.k8s.io/v1 +kind: CSIDriver +metadata: + name: {{ .Values.driver.name }} + labels: + {{- include "azurefile.labels" . | nindent 4 }} + annotations: + csiDriver: "{{ .Values.image.azurefile.tag }}" + snapshot: "{{ .Values.snapshot.image.csiSnapshotter.tag }}" +spec: + attachRequired: {{ .Values.controller.attachRequired }} + podInfoOnMount: true + volumeLifecycleModes: + - Persistent + - Ephemeral + fsGroupPolicy: {{ .Values.feature.fsGroupPolicy }} + tokenRequests: + - audience: api://AzureADTokenExchange diff --git a/charts/v1.31.8/azurefile-csi-driver/templates/csi-azurefile-node-windows-hostprocess.yaml b/charts/v1.31.8/azurefile-csi-driver/templates/csi-azurefile-node-windows-hostprocess.yaml new file mode 100644 index 0000000000..30acee27fb --- /dev/null +++ b/charts/v1.31.8/azurefile-csi-driver/templates/csi-azurefile-node-windows-hostprocess.yaml @@ -0,0 +1,164 @@ +{{- if and .Values.windows.enabled .Values.windows.useHostProcessContainers }} +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: {{ .Values.windows.dsName }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Values.windows.dsName }} + {{- include "azurefile.labels" . | nindent 4 }} +{{- with .Values.windows.labels }} +{{ . | toYaml | indent 4 }} +{{- end }} +{{- with .Values.windows.annotations }} + annotations: +{{ . | toYaml | indent 4 }} +{{- end }} +spec: + updateStrategy: + rollingUpdate: + maxUnavailable: {{ .Values.node.maxUnavailable }} + type: {{ .Values.node.strategyType }} + selector: + matchLabels: + app: {{ .Values.windows.dsName }} + {{- include "azurefile.selectorLabels" . | nindent 6 }} + template: + metadata: + labels: + app: {{ .Values.windows.dsName }} + {{- include "azurefile.labels" . | nindent 8 }} +{{- with .Values.windows.podLabels }} +{{ toYaml . | indent 8 }} +{{- end }} +{{- with .Values.windows.podAnnotations }} + annotations: +{{ toYaml . | indent 8 }} +{{- end }} + spec: + serviceAccountName: {{ .Values.serviceAccount.node }} +{{- with .Values.windows.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} +{{- end }} + nodeSelector: + kubernetes.io/os: windows +{{- with .Values.windows.nodeSelector }} +{{ toYaml . | indent 8 }} +{{- end }} + affinity: +{{- with .Values.windows.affinity }} +{{ toYaml . | indent 8 }} +{{- end }} + nodeAffinity: +{{ toYaml .Values.windows.nodeAffinity | indent 10 }} + priorityClassName: system-node-critical + {{- if .Values.imagePullSecrets }} + imagePullSecrets: +{{ toYaml .Values.imagePullSecrets | indent 8 }} + {{- end }} + securityContext: + seccompProfile: + type: RuntimeDefault + windowsOptions: + hostProcess: true + runAsUserName: "NT AUTHORITY\\SYSTEM" + hostNetwork: true + initContainers: + - name: init +{{- if hasPrefix "/" .Values.image.azurefile.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}-windows-hp" +{{- else }} + image: "{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}-windows-hp" +{{- end }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + command: + - "powershell.exe" + - "-c" + - "New-Item -ItemType Directory -Path C:\\var\\lib\\kubelet\\plugins\\{{ .Values.driver.name }}\\ -Force" + securityContext: + capabilities: + drop: + - ALL + containers: + - name: node-driver-registrar +{{- if hasPrefix "/" .Values.image.nodeDriverRegistrar.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}" +{{- else }} + image: "{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}" +{{- end }} + command: + - "csi-node-driver-registrar.exe" + args: + - "--csi-address=$(CSI_ENDPOINT)" + - "--kubelet-registration-path=$(DRIVER_REG_SOCK_PATH)" + - "--plugin-registration-path=$(PLUGIN_REG_DIR)" + - "--v=2" + env: + - name: CSI_ENDPOINT + value: unix://{{ .Values.windows.kubelet }}\plugins\{{ .Values.driver.name }}\csi.sock + - name: DRIVER_REG_SOCK_PATH + value: C:\\var\\lib\\kubelet\\plugins\\{{ .Values.driver.name }}\\csi.sock + - name: PLUGIN_REG_DIR + value: C:\\var\\lib\\kubelet\\plugins_registry\\ + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + imagePullPolicy: {{ .Values.image.nodeDriverRegistrar.pullPolicy }} + resources: {{- toYaml .Values.windows.resources.nodeDriverRegistrar | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL + - name: azurefile +{{- if hasPrefix "/" .Values.image.azurefile.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}-windows-hp" +{{- else }} + image: "{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}-windows-hp" +{{- end }} + command: + - "azurefileplugin.exe" + args: + - "--v={{ .Values.node.logLevel }}" + - "--endpoint=$(CSI_ENDPOINT)" + - "--nodeid=$(KUBE_NODE_NAME)" + - "--kubeconfig={{ .Values.windows.kubeconfig }}" + - "--drivername={{ .Values.driver.name }}" + - "--cloud-config-secret-name={{ .Values.node.cloudConfigSecretName }}" + - "--cloud-config-secret-namespace={{ .Values.node.cloudConfigSecretNamespace }}" + - "--custom-user-agent={{ .Values.driver.customUserAgent }}" + - "--user-agent-suffix={{ .Values.driver.userAgentSuffix }}" + - "--allow-empty-cloud-config={{ .Values.node.allowEmptyCloudConfig }}" + - "--enable-get-volume-stats={{ .Values.feature.enableGetVolumeStats }}" + - "--enable-windows-host-process=true" + - "--metrics-address=0.0.0.0:{{ .Values.node.metricsPort }}" + env: + - name: AZURE_CREDENTIAL_FILE + valueFrom: + configMapKeyRef: + name: {{ .Values.azureCredentialFileConfigMap }} + key: path-windows + optional: true + - name: CSI_ENDPOINT + value: unix://{{ .Values.windows.kubelet }}\plugins\{{ .Values.driver.name }}\csi.sock + {{- if ne .Values.driver.httpsProxy "" }} + - name: HTTPS_PROXY + value: {{ .Values.driver.httpsProxy }} + {{- end }} + {{- if ne .Values.driver.httpProxy "" }} + - name: HTTP_PROXY + value: {{ .Values.driver.httpProxy }} + {{- end }} + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + imagePullPolicy: {{ .Values.image.pullPolicy }} + resources: {{- toYaml .Values.windows.resources.azurefile | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL +{{- end -}} diff --git a/charts/v1.31.8/azurefile-csi-driver/templates/csi-azurefile-node-windows.yaml b/charts/v1.31.8/azurefile-csi-driver/templates/csi-azurefile-node-windows.yaml new file mode 100644 index 0000000000..c8af9e986a --- /dev/null +++ b/charts/v1.31.8/azurefile-csi-driver/templates/csi-azurefile-node-windows.yaml @@ -0,0 +1,229 @@ +{{- if and .Values.windows.enabled (not .Values.windows.useHostProcessContainers) }} +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: {{ .Values.windows.dsName }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Values.windows.dsName }} + {{- include "azurefile.labels" . | nindent 4 }} +{{- with .Values.windows.labels }} +{{ . | toYaml | indent 4 }} +{{- end }} +{{- with .Values.windows.annotations }} + annotations: +{{ . | toYaml | indent 4 }} +{{- end }} +spec: + updateStrategy: + rollingUpdate: + maxUnavailable: {{ .Values.node.maxUnavailable }} + type: {{ .Values.node.strategyType }} + selector: + matchLabels: + app: {{ .Values.windows.dsName }} + {{- include "azurefile.selectorLabels" . | nindent 6 }} + template: + metadata: + labels: + app: {{ .Values.windows.dsName }} + {{- include "azurefile.labels" . | nindent 8 }} +{{- with .Values.windows.podLabels }} +{{ toYaml . | indent 8 }} +{{- end }} +{{- with .Values.windows.podAnnotations }} + annotations: +{{ toYaml . | indent 8 }} +{{- end }} + spec: + serviceAccountName: {{ .Values.serviceAccount.node }} +{{- with .Values.windows.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} +{{- end }} + nodeSelector: + kubernetes.io/os: windows +{{- with .Values.windows.nodeSelector }} +{{ toYaml . | indent 8 }} +{{- end }} + affinity: +{{- with .Values.windows.affinity }} +{{ toYaml . | indent 8 }} +{{- end }} + nodeAffinity: +{{ toYaml .Values.windows.nodeAffinity | indent 10 }} + priorityClassName: system-node-critical + securityContext: + seccompProfile: + type: RuntimeDefault + {{- if .Values.imagePullSecrets }} + imagePullSecrets: +{{ toYaml .Values.imagePullSecrets | indent 8 }} + {{- end }} + containers: + - name: liveness-probe + volumeMounts: + - mountPath: C:\csi + name: plugin-dir +{{- if hasPrefix "/" .Values.image.livenessProbe.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}" +{{- else }} + image: "{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}" +{{- end }} + args: + - "--csi-address=$(CSI_ENDPOINT)" + - "--probe-timeout=3s" + - "--health-port={{ .Values.node.livenessProbe.healthPort }}" + - "--v=2" + env: + - name: CSI_ENDPOINT + value: unix://C:\\csi\\csi.sock + imagePullPolicy: {{ .Values.image.livenessProbe.pullPolicy }} + resources: {{- toYaml .Values.windows.resources.livenessProbe | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL + - name: node-driver-registrar +{{- if hasPrefix "/" .Values.image.nodeDriverRegistrar.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}" +{{- else }} + image: "{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}" +{{- end }} + args: + - "--csi-address=$(CSI_ENDPOINT)" + - "--kubelet-registration-path=$(DRIVER_REG_SOCK_PATH)" + - "--v=2" + env: + - name: CSI_ENDPOINT + value: unix://C:\\csi\\csi.sock + - name: DRIVER_REG_SOCK_PATH + value: C:\\var\\lib\\kubelet\\plugins\\{{ .Values.driver.name }}\\csi.sock + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + imagePullPolicy: {{ .Values.image.nodeDriverRegistrar.pullPolicy }} + volumeMounts: + - name: kubelet-dir + mountPath: "C:\\var\\lib\\kubelet" + - name: plugin-dir + mountPath: C:\csi + - name: registration-dir + mountPath: C:\registration + resources: {{- toYaml .Values.windows.resources.nodeDriverRegistrar | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL + - name: azurefile +{{- if hasPrefix "/" .Values.image.azurefile.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}" +{{- else }} + image: "{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}" +{{- end }} + args: + - "--v={{ .Values.node.logLevel }}" + - "--endpoint=$(CSI_ENDPOINT)" + - "--nodeid=$(KUBE_NODE_NAME)" + - "--kubeconfig={{ .Values.windows.kubeconfig }}" + - "--drivername={{ .Values.driver.name }}" + - "--cloud-config-secret-name={{ .Values.node.cloudConfigSecretName }}" + - "--cloud-config-secret-namespace={{ .Values.node.cloudConfigSecretNamespace }}" + - "--custom-user-agent={{ .Values.driver.customUserAgent }}" + - "--user-agent-suffix={{ .Values.driver.userAgentSuffix }}" + - "--allow-empty-cloud-config={{ .Values.node.allowEmptyCloudConfig }}" + - "--enable-get-volume-stats={{ .Values.feature.enableGetVolumeStats }}" + - "--allow-inline-volume-key-access-with-identity={{ .Values.node.allowInlineVolumeKeyAccessWithIdentity }}" + - "--metrics-address=0.0.0.0:{{ .Values.node.metricsPort }}" + ports: + - containerPort: {{ .Values.node.livenessProbe.healthPort }} + name: healthz + protocol: TCP + livenessProbe: + failureThreshold: 5 + httpGet: + path: /healthz + port: healthz + initialDelaySeconds: 30 + timeoutSeconds: 10 + periodSeconds: 30 + env: + - name: AZURE_CREDENTIAL_FILE + valueFrom: + configMapKeyRef: + name: {{ .Values.azureCredentialFileConfigMap }} + key: path-windows + optional: true + - name: CSI_ENDPOINT + value: unix://C:\\csi\\csi.sock + {{- if ne .Values.driver.httpsProxy "" }} + - name: HTTPS_PROXY + value: {{ .Values.driver.httpsProxy }} + {{- end }} + {{- if ne .Values.driver.httpProxy "" }} + - name: HTTP_PROXY + value: {{ .Values.driver.httpProxy }} + {{- end }} + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: AZURE_GO_SDK_LOG_LEVEL + value: {{ .Values.driver.azureGoSDKLogLevel }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + volumeMounts: + - name: kubelet-dir + mountPath: "C:\\var\\lib\\kubelet" + - name: plugin-dir + mountPath: C:\csi + - name: azure-config + mountPath: C:\k + - name: csi-proxy-fs-pipe-v1 + mountPath: \\.\pipe\csi-proxy-filesystem-v1 + - name: csi-proxy-smb-pipe-v1 + mountPath: \\.\pipe\csi-proxy-smb-v1 + # these paths are still included for compatibility, they're used + # only if the node has still the beta version of the CSI proxy + - name: csi-proxy-fs-pipe-v1beta1 + mountPath: \\.\pipe\csi-proxy-filesystem-v1beta1 + - name: csi-proxy-smb-pipe-v1beta1 + mountPath: \\.\pipe\csi-proxy-smb-v1beta1 + resources: {{- toYaml .Values.windows.resources.azurefile | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL + volumes: + - name: csi-proxy-fs-pipe-v1 + hostPath: + path: \\.\pipe\csi-proxy-filesystem-v1 + - name: csi-proxy-smb-pipe-v1 + hostPath: + path: \\.\pipe\csi-proxy-smb-v1 + # these paths are still included for compatibility, they're used + # only if the node has still the beta version of the CSI proxy + - name: csi-proxy-fs-pipe-v1beta1 + hostPath: + path: \\.\pipe\csi-proxy-filesystem-v1beta1 + - name: csi-proxy-smb-pipe-v1beta1 + hostPath: + path: \\.\pipe\csi-proxy-smb-v1beta1 + - name: registration-dir + hostPath: + path: {{ .Values.windows.kubelet }}\plugins_registry\ + type: Directory + - name: kubelet-dir + hostPath: + path: {{ .Values.windows.kubelet }}\ + type: Directory + - name: plugin-dir + hostPath: + path: {{ .Values.windows.kubelet }}\plugins\{{ .Values.driver.name }}\ + type: DirectoryOrCreate + - name: azure-config + hostPath: + path: C:\k + type: Directory +{{- end -}} diff --git a/charts/v1.31.8/azurefile-csi-driver/templates/csi-azurefile-node.yaml b/charts/v1.31.8/azurefile-csi-driver/templates/csi-azurefile-node.yaml new file mode 100644 index 0000000000..b8f3bd0f3f --- /dev/null +++ b/charts/v1.31.8/azurefile-csi-driver/templates/csi-azurefile-node.yaml @@ -0,0 +1,227 @@ +{{- if .Values.linux.enabled}} +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: {{ .Values.linux.dsName }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Values.linux.dsName }} + {{- include "azurefile.labels" . | nindent 4 }} +{{- with .Values.linux.labels }} +{{ . | toYaml | indent 4 }} +{{- end }} +{{- with .Values.linux.annotations }} + annotations: +{{ . | toYaml | indent 4 }} +{{- end }} +spec: + updateStrategy: + rollingUpdate: + maxUnavailable: {{ .Values.node.maxUnavailable }} + type: {{ .Values.node.strategyType }} + selector: + matchLabels: + app: {{ .Values.linux.dsName }} + {{- include "azurefile.selectorLabels" . | nindent 6 }} + template: + metadata: + labels: + app: {{ .Values.linux.dsName }} + {{- include "azurefile.labels" . | nindent 8 }} + {{- if .Values.workloadIdentity.clientID }} + azure.workload.identity/use: "true" + {{- end }} +{{- with .Values.linux.podLabels }} +{{ toYaml . | indent 8 }} +{{- end }} +{{- with .Values.linux.podAnnotations }} + annotations: +{{ toYaml . | indent 8 }} +{{- end }} + spec: + hostNetwork: true + dnsPolicy: {{ .Values.linux.dnsPolicy }} + serviceAccountName: {{ .Values.serviceAccount.node }} + nodeSelector: + kubernetes.io/os: linux +{{- with .Values.linux.nodeSelector }} +{{ toYaml . | indent 8 }} +{{- end }} + affinity: +{{- with .Values.linux.affinity }} +{{ toYaml . | indent 8 }} +{{- end }} + nodeAffinity: +{{ toYaml .Values.linux.nodeAffinity | indent 10 }} + priorityClassName: system-node-critical + securityContext: + seccompProfile: + type: RuntimeDefault +{{- with .Values.linux.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} +{{- end }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: +{{ toYaml .Values.imagePullSecrets | indent 8 }} + {{- end }} + containers: + - name: liveness-probe + volumeMounts: + - mountPath: /csi + name: socket-dir +{{- if hasPrefix "/" .Values.image.livenessProbe.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}" +{{- else }} + image: "{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}" +{{- end }} + args: + - --csi-address=/csi/csi.sock + - --probe-timeout=10s + - --http-endpoint=localhost:{{ .Values.node.livenessProbe.healthPort }} + - --v=2 + imagePullPolicy: {{ .Values.image.livenessProbe.pullPolicy }} + resources: {{- toYaml .Values.linux.resources.livenessProbe | nindent 12 }} + - name: node-driver-registrar +{{- if hasPrefix "/" .Values.image.nodeDriverRegistrar.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}" +{{- else }} + image: "{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}" +{{- end }} + args: + - --csi-address=$(ADDRESS) + - --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH) + - --v=2 + env: + - name: ADDRESS + value: /csi/csi.sock + - name: DRIVER_REG_SOCK_PATH + value: {{ .Values.linux.kubelet }}/plugins/{{ .Values.driver.name }}/csi.sock + imagePullPolicy: {{ .Values.image.nodeDriverRegistrar.pullPolicy }} + volumeMounts: + - name: socket-dir + mountPath: /csi + - name: registration-dir + mountPath: /registration + resources: {{- toYaml .Values.linux.resources.nodeDriverRegistrar | nindent 12 }} + - name: azurefile +{{- if hasPrefix "/" .Values.image.azurefile.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}" +{{- else }} + image: "{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}" +{{- end }} + args: + - "--v={{ .Values.node.logLevel }}" + - "--endpoint=$(CSI_ENDPOINT)" + - "--nodeid=$(KUBE_NODE_NAME)" + - "--kubeconfig={{ .Values.linux.kubeconfig }}" + - "--drivername={{ .Values.driver.name }}" + - "--cloud-config-secret-name={{ .Values.node.cloudConfigSecretName }}" + - "--cloud-config-secret-namespace={{ .Values.node.cloudConfigSecretNamespace }}" + - "--custom-user-agent={{ .Values.driver.customUserAgent }}" + - "--user-agent-suffix={{ .Values.driver.userAgentSuffix }}" + - "--allow-empty-cloud-config={{ .Values.node.allowEmptyCloudConfig }}" + - "--enable-volume-mount-group={{ .Values.feature.enableVolumeMountGroup }}" + - "--enable-get-volume-stats={{ .Values.feature.enableGetVolumeStats }}" + - "--mount-permissions={{ .Values.linux.mountPermissions }}" + - "--allow-inline-volume-key-access-with-identity={{ .Values.node.allowInlineVolumeKeyAccessWithIdentity }}" + - "--metrics-address=0.0.0.0:{{ .Values.node.metricsPort }}" + - "--enable-kata-cc-mount={{ .Values.node.enableKataCCMount }}" + livenessProbe: + failureThreshold: 5 + httpGet: + host: localhost + path: /healthz + port: {{ .Values.node.livenessProbe.healthPort }} + initialDelaySeconds: 30 + timeoutSeconds: 30 + periodSeconds: 30 + env: + - name: AZURE_CREDENTIAL_FILE + valueFrom: + configMapKeyRef: + name: {{ .Values.azureCredentialFileConfigMap }} + key: path + optional: true + - name: CSI_ENDPOINT + value: unix:///csi/csi.sock + {{- if ne .Values.driver.httpsProxy "" }} + - name: HTTPS_PROXY + value: {{ .Values.driver.httpsProxy }} + {{- end }} + {{- if ne .Values.driver.httpProxy "" }} + - name: HTTP_PROXY + value: {{ .Values.driver.httpProxy }} + {{- end }} + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: AZURE_GO_SDK_LOG_LEVEL + value: {{ .Values.driver.azureGoSDKLogLevel }} + imagePullPolicy: {{ .Values.image.azurefile.pullPolicy }} + securityContext: + privileged: true + capabilities: + drop: + - ALL + volumeMounts: + - mountPath: /csi + name: socket-dir + - mountPath: {{ .Values.linux.kubelet }}/ + mountPropagation: Bidirectional + name: mountpoint-dir + - mountPath: /etc/kubernetes/ + name: azure-cred + - mountPath: /dev + name: device-dir + {{- if eq .Values.linux.distro "fedora" }} + - name: ssl + mountPath: /etc/ssl/certs + readOnly: true + - name: ssl-pki + mountPath: /etc/pki/ca-trust/extracted + readOnly: true + {{- end }} + {{- if .Values.node.enableKataCCMount }} + - mountPath: /run/kata-containers/shared/direct-volumes + name: kata-direct-volumes + {{- end }} + resources: {{- toYaml .Values.linux.resources.azurefile | nindent 12 }} + volumes: + - hostPath: + path: {{ .Values.linux.kubelet }}/plugins/{{ .Values.driver.name }} + type: DirectoryOrCreate + name: socket-dir + - hostPath: + path: {{ .Values.linux.kubelet }}/ + type: DirectoryOrCreate + name: mountpoint-dir + - hostPath: + path: {{ .Values.linux.kubelet }}/plugins_registry/ + type: DirectoryOrCreate + name: registration-dir + - hostPath: + path: /etc/kubernetes/ + type: DirectoryOrCreate + name: azure-cred + - hostPath: + path: /dev + type: Directory + name: device-dir + {{- if eq .Values.linux.distro "fedora" }} + - name: ssl + hostPath: + path: /etc/ssl/certs + - name: ssl-pki + hostPath: + path: /etc/pki/ca-trust/extracted + {{- end }} + {{- if .Values.node.enableKataCCMount }} + - name: kata-direct-volumes + hostPath: + path: /run/kata-containers/shared/direct-volumes/ + type: DirectoryOrCreate + {{- end }} +{{- end -}} diff --git a/charts/v1.31.8/azurefile-csi-driver/templates/csi-snapshot-controller.yaml b/charts/v1.31.8/azurefile-csi-driver/templates/csi-snapshot-controller.yaml new file mode 100644 index 0000000000..6392593235 --- /dev/null +++ b/charts/v1.31.8/azurefile-csi-driver/templates/csi-snapshot-controller.yaml @@ -0,0 +1,98 @@ +{{- if .Values.snapshot.enabled -}} +kind: Deployment +apiVersion: apps/v1 +metadata: + name: {{ .Values.snapshot.snapshotController.name}} + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Values.snapshot.snapshotController.name}} + {{- include "azurefile.labels" . | nindent 4 }} +{{- with .Values.snapshot.snapshotController.labels }} +{{ . | toYaml | indent 4 }} +{{- end }} +{{- with .Values.snapshot.snapshotController.annotations }} + annotations: +{{ . | toYaml | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.snapshot.snapshotController.replicas }} + selector: + matchLabels: + app: {{ .Values.snapshot.snapshotController.name}} + {{- include "azurefile.selectorLabels" . | nindent 6 }} + # the snapshot controller won't be marked as ready if the v1 CRDs are unavailable + # in #504 the snapshot-controller will exit after around 7.5 seconds if it + # can't find the v1 CRDs so this value should be greater than that + minReadySeconds: 15 + strategy: + rollingUpdate: + maxSurge: 0 + maxUnavailable: 1 + type: {{ .Values.snapshot.snapshotController.strategyType }} + template: + metadata: + labels: + app: {{ .Values.snapshot.snapshotController.name}} + {{- include "azurefile.labels" . | nindent 8 }} +{{- with .Values.snapshot.snapshotController.podLabels }} +{{ toYaml . | indent 8 }} +{{- end }} +{{- with .Values.snapshot.snapshotController.podAnnotations }} + annotations: +{{ toYaml . | indent 8 }} +{{- end }} + spec: + serviceAccountName: {{ .Values.serviceAccount.snapshotController }} + nodeSelector: + kubernetes.io/os: linux + # runOnControlPlane=true or runOnMaster=true only takes effect if affinity is not set + {{- if tpl "{{ .Values.controller.affinity }}" . | contains "nodeSelectorTerms" }} + {{- with .Values.controller.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- else if or .Values.controller.runOnControlPlane .Values.controller.runOnMaster}} + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + {{- if .Values.controller.runOnControlPlane}} + - key: node-role.kubernetes.io/control-plane + operator: Exists + {{- end}} + {{- if .Values.controller.runOnMaster}} + - key: node-role.kubernetes.io/master + operator: Exists + {{- end}} + {{- end }} + priorityClassName: system-cluster-critical + securityContext: + seccompProfile: + type: RuntimeDefault +{{- with .Values.controller.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} +{{- end }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: +{{ toYaml .Values.imagePullSecrets | indent 8 }} + {{- end }} + containers: + - name: {{ .Values.snapshot.snapshotController.name}} +{{- if hasPrefix "/" .Values.snapshot.image.csiSnapshotController.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.snapshot.image.csiSnapshotController.repository }}:{{ .Values.snapshot.image.csiSnapshotController.tag }}" +{{- else }} + image: "{{ .Values.snapshot.image.csiSnapshotController.repository }}:{{ .Values.snapshot.image.csiSnapshotController.tag }}" +{{- end }} + args: + - "--v=2" + - "--leader-election=true" + - "--leader-election-namespace={{ .Release.Namespace }}" + resources: {{- toYaml .Values.snapshot.snapshotController.resources | nindent 12 }} + imagePullPolicy: {{ .Values.snapshot.image.csiSnapshotController.pullPolicy }} + securityContext: + capabilities: + drop: + - ALL +{{- end -}} diff --git a/charts/v1.31.8/azurefile-csi-driver/templates/rbac-csi-azurefile-controller.yaml b/charts/v1.31.8/azurefile-csi-driver/templates/rbac-csi-azurefile-controller.yaml new file mode 100644 index 0000000000..e0a2e14d95 --- /dev/null +++ b/charts/v1.31.8/azurefile-csi-driver/templates/rbac-csi-azurefile-controller.yaml @@ -0,0 +1,207 @@ +{{- if .Values.rbac.create -}} +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Values.rbac.name }}-external-provisioner-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "create", "patch", "delete"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["storage.k8s.io"] + resources: ["storageclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["get", "list", "watch", "create", "update", "patch"] + - apiGroups: ["storage.k8s.io"] + resources: ["csinodes"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "watch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots"] + verbs: ["get", "list"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["get", "list"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create", "patch"] +--- + +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Values.rbac.name }}-csi-provisioner-binding + labels: + {{- include "azurefile.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccount.controller }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: {{ .Values.rbac.name }}-external-provisioner-role + apiGroup: rbac.authorization.k8s.io + +--- + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Values.rbac.name }}-external-attacher-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "watch"] + - apiGroups: ["csi.storage.k8s.io"] + resources: ["csinodeinfos"] + verbs: ["get", "list", "watch"] + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments/status"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create", "patch"] +--- + +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Values.rbac.name }}-csi-attacher-binding + labels: + {{- include "azurefile.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccount.controller }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: {{ .Values.rbac.name }}-external-attacher-role + apiGroup: rbac.authorization.k8s.io + +--- + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Values.rbac.name }}-external-snapshotter-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["create", "get", "list", "watch", "update", "delete", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents/status"] + verbs: ["update", "patch"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create", "patch"] +--- + +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Values.rbac.name }}-csi-snapshotter-binding + labels: + {{- include "azurefile.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccount.controller }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: {{ .Values.rbac.name }}-external-snapshotter-role + apiGroup: rbac.authorization.k8s.io + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Values.rbac.name }}-external-resizer-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["persistentvolumeclaims/status"] + verbs: ["update", "patch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create", "patch"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Values.rbac.name }}-csi-resizer-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccount.controller }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: {{ .Values.rbac.name }}-external-resizer-role + apiGroup: rbac.authorization.k8s.io + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-{{ .Values.rbac.name }}-controller-secret-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "create"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-{{ .Values.rbac.name }}-controller-secret-binding + labels: + {{- include "azurefile.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccount.controller }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: csi-{{ .Values.rbac.name }}-controller-secret-role + apiGroup: rbac.authorization.k8s.io +{{ end }} diff --git a/charts/v1.31.8/azurefile-csi-driver/templates/rbac-csi-azurefile-node.yaml b/charts/v1.31.8/azurefile-csi-driver/templates/rbac-csi-azurefile-node.yaml new file mode 100644 index 0000000000..fc78df006c --- /dev/null +++ b/charts/v1.31.8/azurefile-csi-driver/templates/rbac-csi-azurefile-node.yaml @@ -0,0 +1,61 @@ +{{- if .Values.rbac.create -}} +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-{{ .Values.rbac.name }}-node-secret-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-{{ .Values.rbac.name }}-node-secret-binding + labels: + {{- include "azurefile.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccount.node }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: csi-{{ .Values.rbac.name }}-node-secret-role + apiGroup: rbac.authorization.k8s.io +--- +{{- if .Values.node.enableKataCCMount -}} +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-{{ .Values.rbac.name }}-node-katacc-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["pods"] + verbs: ["get"] + - apiGroups: ["node.k8s.io"] + resources: ["runtimeclasses"] + verbs: ["get", "list"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-{{ .Values.rbac.name }}-node-katacc-binding + labels: + {{- include "azurefile.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccount.node }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: csi-{{ .Values.rbac.name }}-node-katacc-role + apiGroup: rbac.authorization.k8s.io +--- +{{ end }} +{{ end }} diff --git a/charts/v1.31.8/azurefile-csi-driver/templates/rbac-csi-snapshot-controller.yaml b/charts/v1.31.8/azurefile-csi-driver/templates/rbac-csi-snapshot-controller.yaml new file mode 100644 index 0000000000..853a9b4375 --- /dev/null +++ b/charts/v1.31.8/azurefile-csi-driver/templates/rbac-csi-snapshot-controller.yaml @@ -0,0 +1,80 @@ +{{- if and .Values.snapshot.enabled .Values.rbac.create -}} +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-snapshot-controller-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["storage.k8s.io"] + resources: ["storageclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["create", "get", "list", "watch", "update", "delete", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents/status"] + verbs: ["patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots"] + verbs: ["get", "list", "watch", "update", "patch", "create"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots/status"] + verbs: ["update", "patch"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-snapshot-controller-binding + labels: + {{- include "azurefile.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccount.snapshotController }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: csi-snapshot-controller-role + apiGroup: rbac.authorization.k8s.io + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-snapshot-controller-leaderelection-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +rules: + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create", "patch"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-snapshot-controller-leaderelection-binding + labels: + {{- include "azurefile.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccount.snapshotController }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: csi-snapshot-controller-leaderelection-role + apiGroup: rbac.authorization.k8s.io +{{ end }} diff --git a/charts/v1.31.8/azurefile-csi-driver/templates/serviceaccount-csi-azurefile-controller.yaml b/charts/v1.31.8/azurefile-csi-driver/templates/serviceaccount-csi-azurefile-controller.yaml new file mode 100644 index 0000000000..71442b70dc --- /dev/null +++ b/charts/v1.31.8/azurefile-csi-driver/templates/serviceaccount-csi-azurefile-controller.yaml @@ -0,0 +1,17 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ .Values.serviceAccount.controller }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "azurefile.labels" . | nindent 4 }} +{{- if .Values.workloadIdentity.clientID }} + azure.workload.identity/use: "true" + annotations: + azure.workload.identity/client-id: {{ .Values.workloadIdentity.clientID }} +{{- if .Values.workloadIdentity.tenantID }} + azure.workload.identity/tenant-id: {{ .Values.workloadIdentity.tenantID }} +{{- end }} +{{- end }} +{{- end -}} diff --git a/charts/v1.31.8/azurefile-csi-driver/templates/serviceaccount-csi-azurefile-node.yaml b/charts/v1.31.8/azurefile-csi-driver/templates/serviceaccount-csi-azurefile-node.yaml new file mode 100644 index 0000000000..ab2074429d --- /dev/null +++ b/charts/v1.31.8/azurefile-csi-driver/templates/serviceaccount-csi-azurefile-node.yaml @@ -0,0 +1,17 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ .Values.serviceAccount.node }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "azurefile.labels" . | nindent 4 }} +{{- if .Values.workloadIdentity.clientID }} + azure.workload.identity/use: "true" + annotations: + azure.workload.identity/client-id: {{ .Values.workloadIdentity.clientID }} +{{- if .Values.workloadIdentity.tenantID }} + azure.workload.identity/tenant-id: {{ .Values.workloadIdentity.tenantID }} +{{- end }} +{{- end }} +{{- end -}} diff --git a/charts/v1.31.8/azurefile-csi-driver/templates/serviceaccount-csi-snapshot-controller.yaml b/charts/v1.31.8/azurefile-csi-driver/templates/serviceaccount-csi-snapshot-controller.yaml new file mode 100644 index 0000000000..e77ef8f991 --- /dev/null +++ b/charts/v1.31.8/azurefile-csi-driver/templates/serviceaccount-csi-snapshot-controller.yaml @@ -0,0 +1,9 @@ +{{- if and .Values.snapshot.enabled .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ .Values.serviceAccount.snapshotController }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "azurefile.labels" . | nindent 4 }} +{{- end -}} diff --git a/charts/v1.31.8/azurefile-csi-driver/values.yaml b/charts/v1.31.8/azurefile-csi-driver/values.yaml new file mode 100644 index 0000000000..5c239dcd9e --- /dev/null +++ b/charts/v1.31.8/azurefile-csi-driver/values.yaml @@ -0,0 +1,263 @@ +image: + baseRepo: mcr.microsoft.com + azurefile: + repository: /oss/v2/kubernetes-csi/azurefile-csi + tag: v1.31.8 + pullPolicy: IfNotPresent + csiProvisioner: + repository: /oss/kubernetes-csi/csi-provisioner + tag: v5.2.0 + pullPolicy: IfNotPresent + csiResizer: + repository: /oss/kubernetes-csi/csi-resizer + tag: v1.13.2 + pullPolicy: IfNotPresent + livenessProbe: + repository: /oss/kubernetes-csi/livenessprobe + tag: v2.15.0 + pullPolicy: IfNotPresent + nodeDriverRegistrar: + repository: /oss/kubernetes-csi/csi-node-driver-registrar + tag: v2.13.0 + pullPolicy: IfNotPresent + +## Reference to one or more secrets to be used when pulling images +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ +imagePullSecrets: [] +# - name: myRegistryKeySecretName + +# -- Custom labels to add into metadata +customLabels: {} + # k8s-app: azurefile-csi-driver + +serviceAccount: + create: true # When true, service accounts will be created for you. Set to false if you want to use your own. + controller: csi-azurefile-controller-sa # Name of Service Account to be created or used + node: csi-azurefile-node-sa # Name of Service Account to be created or used + snapshotController: csi-snapshot-controller-sa # Name of Service Account to be created or used + +rbac: + create: true + name: azurefile + +controller: + name: csi-azurefile-controller + cloudConfigSecretName: azure-cloud-provider + cloudConfigSecretNamespace: kube-system + allowEmptyCloudConfig: true + replicas: 2 + strategyType: RollingUpdate + hostNetwork: true # this setting could be disabled if controller does not depend on MSI setting + metricsPort: 29614 + livenessProbe: + healthPort: 29612 + runOnMaster: false + runOnControlPlane: false + attachRequired: false + logLevel: 5 + labels: {} + annotations: {} + podLabels: {} + podAnnotations: {} + resources: + csiProvisioner: + limits: + cpu: 1 + memory: 500Mi + requests: + cpu: 10m + memory: 20Mi + csiResizer: + limits: + cpu: 1 + memory: 500Mi + requests: + cpu: 10m + memory: 20Mi + csiSnapshotter: + limits: + cpu: 1 + memory: 400Mi + requests: + cpu: 10m + memory: 20Mi + livenessProbe: + limits: + cpu: 1 + memory: 100Mi + requests: + cpu: 10m + memory: 20Mi + azurefile: + limits: + cpu: 2 + memory: 800Mi + requests: + cpu: 10m + memory: 20Mi + kubeconfig: "" + affinity: {} + nodeSelector: {} + tolerations: + - key: "node-role.kubernetes.io/master" + operator: "Exists" + effect: "NoSchedule" + - key: "node-role.kubernetes.io/controlplane" + operator: "Exists" + effect: "NoSchedule" + - key: "node-role.kubernetes.io/control-plane" + operator: "Exists" + effect: "NoSchedule" + - key: "CriticalAddonsOnly" + operator: "Exists" + effect: "NoSchedule" + +node: + strategyType: RollingUpdate + maxUnavailable: 1 + cloudConfigSecretName: azure-cloud-provider + cloudConfigSecretNamespace: kube-system + allowEmptyCloudConfig: true + allowInlineVolumeKeyAccessWithIdentity: false + enableKataCCMount: false + metricsPort: 29615 + livenessProbe: + healthPort: 29613 + logLevel: 5 + +snapshot: + enabled: false + image: + csiSnapshotter: + repository: /oss/kubernetes-csi/csi-snapshotter + tag: v8.2.0 + pullPolicy: IfNotPresent + csiSnapshotController: + repository: /oss/kubernetes-csi/snapshot-controller + tag: v8.2.0 + pullPolicy: IfNotPresent + snapshotController: + name: csi-snapshot-controller + replicas: 2 + strategyType: RollingUpdate + labels: {} + annotations: {} + podLabels: {} + podAnnotations: {} + resources: + limits: + cpu: 1 + memory: 500Mi + requests: + cpu: 10m + memory: 20Mi + +feature: + enableGetVolumeStats: true + enableVolumeMountGroup: true + fsGroupPolicy: ReadWriteOnceWithFSType + +driver: + name: file.csi.azure.com + customUserAgent: "" + userAgentSuffix: "OSS-helm" + azureGoSDKLogLevel: "" # available values: ""(no logs), DEBUG, INFO, WARNING, ERROR + httpsProxy: "" + httpProxy: "" + +linux: + enabled: true + dsName: csi-azurefile-node # daemonset name + dnsPolicy: Default # available values: Default, ClusterFirst, ClusterFirstWithHostNet, None + kubelet: /var/lib/kubelet + kubeconfig: "" + distro: debian # available values: debian, fedora + mountPermissions: 0777 + labels: {} + annotations: {} + podLabels: {} + podAnnotations: {} + resources: + livenessProbe: + limits: + memory: 100Mi + requests: + cpu: 10m + memory: 20Mi + nodeDriverRegistrar: + limits: + memory: 100Mi + requests: + cpu: 10m + memory: 20Mi + azurefile: + limits: + memory: 400Mi + requests: + cpu: 10m + memory: 20Mi + tolerations: + - operator: "Exists" + nodeSelector: {} + affinity: {} + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: type + operator: NotIn + values: + - virtual-kubelet + +windows: + enabled: true + useHostProcessContainers: true + dsName: csi-azurefile-node-win # daemonset name + kubelet: 'C:\var\lib\kubelet' + kubeconfig: "" + enableRegistrationProbe: true + labels: {} + annotations: {} + podLabels: {} + podAnnotations: {} + resources: + livenessProbe: + limits: + memory: 150Mi + requests: + cpu: 10m + memory: 40Mi + nodeDriverRegistrar: + limits: + memory: 150Mi + requests: + cpu: 30m + memory: 40Mi + azurefile: + limits: + memory: 600Mi + requests: + cpu: 10m + memory: 40Mi + tolerations: + - key: "node.kubernetes.io/os" + operator: "Exists" + effect: "NoSchedule" + nodeSelector: {} + affinity: {} + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: type + operator: NotIn + values: + - virtual-kubelet + +workloadIdentity: + clientID: "" + # [optional] If the AAD application or user-assigned managed identity is not in the same tenant as the cluster + # then set tenantID with the application or user-assigned managed identity tenant ID + tenantID: "" + +azureCredentialFileConfigMap: azure-cred-file diff --git a/charts/v1.32.7/azurefile-csi-driver-1.32.7.tgz b/charts/v1.32.7/azurefile-csi-driver-1.32.7.tgz new file mode 100644 index 0000000000..1f02123607 Binary files /dev/null and b/charts/v1.32.7/azurefile-csi-driver-1.32.7.tgz differ diff --git a/charts/v1.32.7/azurefile-csi-driver/Chart.yaml b/charts/v1.32.7/azurefile-csi-driver/Chart.yaml new file mode 100644 index 0000000000..14b5acb02b --- /dev/null +++ b/charts/v1.32.7/azurefile-csi-driver/Chart.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +appVersion: 1.32.7 +description: Azure File Container Storage Interface (CSI) Storage Plugin +name: azurefile-csi-driver +version: 1.32.7 diff --git a/charts/v1.32.7/azurefile-csi-driver/templates/NOTES.txt b/charts/v1.32.7/azurefile-csi-driver/templates/NOTES.txt new file mode 100644 index 0000000000..bea09b0829 --- /dev/null +++ b/charts/v1.32.7/azurefile-csi-driver/templates/NOTES.txt @@ -0,0 +1,5 @@ +The Azure File CSI Driver is getting deployed to your cluster. + +To check Azure File CSI Driver pods status, please run: + + kubectl --namespace={{ .Release.Namespace }} get pods --selector="app.kubernetes.io/name={{ .Release.Name }}" --watch diff --git a/charts/v1.32.7/azurefile-csi-driver/templates/_helpers.tpl b/charts/v1.32.7/azurefile-csi-driver/templates/_helpers.tpl new file mode 100644 index 0000000000..b1bf4dc1b6 --- /dev/null +++ b/charts/v1.32.7/azurefile-csi-driver/templates/_helpers.tpl @@ -0,0 +1,49 @@ +{{/* vim: set filetype=mustache: */}} + +{{/* Expand the name of the chart.*/}} +{{- define "azurefile.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "azurefile.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Common selectors. +*/}} +{{- define "azurefile.selectorLabels" -}} +app.kubernetes.io/name: {{ template "azurefile.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end -}} + +{{/* +Common labels. +*/}} +{{- define "azurefile.labels" -}} +{{- include "azurefile.selectorLabels" . }} +app.kubernetes.io/component: csi-driver +app.kubernetes.io/part-of: {{ template "azurefile.name" . }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +helm.sh/chart: {{ template "azurefile.chart" . }} +{{- if .Values.customLabels }} +{{ toYaml .Values.customLabels }} +{{- end }} +{{- end -}} + + +{{/* pull secrets for containers */}} +{{- define "azurefile.pullSecrets" -}} +{{- if .Values.imagePullSecrets }} +imagePullSecrets: +{{- range .Values.imagePullSecrets }} + - name: {{ . }} +{{- end }} +{{- end }} +{{- end -}} diff --git a/charts/v1.32.7/azurefile-csi-driver/templates/crd-csi-snapshot.yaml b/charts/v1.32.7/azurefile-csi-driver/templates/crd-csi-snapshot.yaml new file mode 100644 index 0000000000..3a66c45732 --- /dev/null +++ b/charts/v1.32.7/azurefile-csi-driver/templates/crd-csi-snapshot.yaml @@ -0,0 +1,953 @@ +{{- if .Values.snapshot.enabled -}} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + api-approved.kubernetes.io: "https://github.com/kubernetes-csi/external-snapshotter/pull/814" + name: volumesnapshots.snapshot.storage.k8s.io +spec: + group: snapshot.storage.k8s.io + names: + kind: VolumeSnapshot + listKind: VolumeSnapshotList + plural: volumesnapshots + shortNames: + - vs + singular: volumesnapshot + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Indicates if the snapshot is ready to be used to restore a volume. + jsonPath: .status.readyToUse + name: ReadyToUse + type: boolean + - description: If a new snapshot needs to be created, this contains the name of + the source PVC from which this snapshot was (or will be) created. + jsonPath: .spec.source.persistentVolumeClaimName + name: SourcePVC + type: string + - description: If a snapshot already exists, this contains the name of the existing + VolumeSnapshotContent object representing the existing snapshot. + jsonPath: .spec.source.volumeSnapshotContentName + name: SourceSnapshotContent + type: string + - description: Represents the minimum size of volume required to rehydrate from + this snapshot. + jsonPath: .status.restoreSize + name: RestoreSize + type: string + - description: The name of the VolumeSnapshotClass requested by the VolumeSnapshot. + jsonPath: .spec.volumeSnapshotClassName + name: SnapshotClass + type: string + - description: Name of the VolumeSnapshotContent object to which the VolumeSnapshot + object intends to bind to. Please note that verification of binding actually + requires checking both VolumeSnapshot and VolumeSnapshotContent to ensure + both are pointing at each other. Binding MUST be verified prior to usage of + this object. + jsonPath: .status.boundVolumeSnapshotContentName + name: SnapshotContent + type: string + - description: Timestamp when the point-in-time snapshot was taken by the underlying + storage system. + jsonPath: .status.creationTime + name: CreationTime + type: date + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + VolumeSnapshot is a user's request for either creating a point-in-time + snapshot of a persistent volume, or binding to a pre-existing snapshot. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + spec defines the desired characteristics of a snapshot requested by a user. + More info: https://kubernetes.io/docs/concepts/storage/volume-snapshots#volumesnapshots + Required. + properties: + source: + description: |- + source specifies where a snapshot will be created from. + This field is immutable after creation. + Required. + properties: + persistentVolumeClaimName: + description: |- + persistentVolumeClaimName specifies the name of the PersistentVolumeClaim + object representing the volume from which a snapshot should be created. + This PVC is assumed to be in the same namespace as the VolumeSnapshot + object. + This field should be set if the snapshot does not exists, and needs to be + created. + This field is immutable. + type: string + x-kubernetes-validations: + - message: persistentVolumeClaimName is immutable + rule: self == oldSelf + volumeSnapshotContentName: + description: |- + volumeSnapshotContentName specifies the name of a pre-existing VolumeSnapshotContent + object representing an existing volume snapshot. + This field should be set if the snapshot already exists and only needs a representation in Kubernetes. + This field is immutable. + type: string + x-kubernetes-validations: + - message: volumeSnapshotContentName is immutable + rule: self == oldSelf + type: object + x-kubernetes-validations: + - message: persistentVolumeClaimName is required once set + rule: '!has(oldSelf.persistentVolumeClaimName) || has(self.persistentVolumeClaimName)' + - message: volumeSnapshotContentName is required once set + rule: '!has(oldSelf.volumeSnapshotContentName) || has(self.volumeSnapshotContentName)' + - message: exactly one of volumeSnapshotContentName and persistentVolumeClaimName + must be set + rule: (has(self.volumeSnapshotContentName) && !has(self.persistentVolumeClaimName)) + || (!has(self.volumeSnapshotContentName) && has(self.persistentVolumeClaimName)) + volumeSnapshotClassName: + description: |- + VolumeSnapshotClassName is the name of the VolumeSnapshotClass + requested by the VolumeSnapshot. + VolumeSnapshotClassName may be left nil to indicate that the default + SnapshotClass should be used. + A given cluster may have multiple default Volume SnapshotClasses: one + default per CSI Driver. If a VolumeSnapshot does not specify a SnapshotClass, + VolumeSnapshotSource will be checked to figure out what the associated + CSI Driver is, and the default VolumeSnapshotClass associated with that + CSI Driver will be used. If more than one VolumeSnapshotClass exist for + a given CSI Driver and more than one have been marked as default, + CreateSnapshot will fail and generate an event. + Empty string is not allowed for this field. + type: string + x-kubernetes-validations: + - message: volumeSnapshotClassName must not be the empty string when + set + rule: size(self) > 0 + required: + - source + type: object + status: + description: |- + status represents the current information of a snapshot. + Consumers must verify binding between VolumeSnapshot and + VolumeSnapshotContent objects is successful (by validating that both + VolumeSnapshot and VolumeSnapshotContent point at each other) before + using this object. + properties: + boundVolumeSnapshotContentName: + description: |- + boundVolumeSnapshotContentName is the name of the VolumeSnapshotContent + object to which this VolumeSnapshot object intends to bind to. + If not specified, it indicates that the VolumeSnapshot object has not been + successfully bound to a VolumeSnapshotContent object yet. + NOTE: To avoid possible security issues, consumers must verify binding between + VolumeSnapshot and VolumeSnapshotContent objects is successful (by validating that + both VolumeSnapshot and VolumeSnapshotContent point at each other) before using + this object. + type: string + creationTime: + description: |- + creationTime is the timestamp when the point-in-time snapshot is taken + by the underlying storage system. + In dynamic snapshot creation case, this field will be filled in by the + snapshot controller with the "creation_time" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "creation_time" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. + If not specified, it may indicate that the creation time of the snapshot is unknown. + format: date-time + type: string + error: + description: |- + error is the last observed error during snapshot creation, if any. + This field could be helpful to upper level controllers(i.e., application controller) + to decide whether they should continue on waiting for the snapshot to be created + based on the type of error reported. + The snapshot controller will keep retrying when an error occurs during the + snapshot creation. Upon success, this error field will be cleared. + properties: + message: + description: |- + message is a string detailing the encountered error during snapshot + creation if specified. + NOTE: message may be logged, and it should not contain sensitive + information. + type: string + time: + description: time is the timestamp when the error was encountered. + format: date-time + type: string + type: object + readyToUse: + description: |- + readyToUse indicates if the snapshot is ready to be used to restore a volume. + In dynamic snapshot creation case, this field will be filled in by the + snapshot controller with the "ready_to_use" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "ready_to_use" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it, + otherwise, this field will be set to "True". + If not specified, it means the readiness of a snapshot is unknown. + type: boolean + restoreSize: + type: string + description: |- + restoreSize represents the minimum size of volume required to create a volume + from this snapshot. + In dynamic snapshot creation case, this field will be filled in by the + snapshot controller with the "size_bytes" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "size_bytes" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. + When restoring a volume from this snapshot, the size of the volume MUST NOT + be smaller than the restoreSize if it is specified, otherwise the restoration will fail. + If not specified, it indicates that the size is unknown. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + volumeGroupSnapshotName: + description: |- + VolumeGroupSnapshotName is the name of the VolumeGroupSnapshot of which this + VolumeSnapshot is a part of. + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: Indicates if the snapshot is ready to be used to restore a volume. + jsonPath: .status.readyToUse + name: ReadyToUse + type: boolean + - description: If a new snapshot needs to be created, this contains the name of the source PVC from which this snapshot was (or will be) created. + jsonPath: .spec.source.persistentVolumeClaimName + name: SourcePVC + type: string + - description: If a snapshot already exists, this contains the name of the existing VolumeSnapshotContent object representing the existing snapshot. + jsonPath: .spec.source.volumeSnapshotContentName + name: SourceSnapshotContent + type: string + - description: Represents the minimum size of volume required to rehydrate from this snapshot. + jsonPath: .status.restoreSize + name: RestoreSize + type: string + - description: The name of the VolumeSnapshotClass requested by the VolumeSnapshot. + jsonPath: .spec.volumeSnapshotClassName + name: SnapshotClass + type: string + - description: Name of the VolumeSnapshotContent object to which the VolumeSnapshot object intends to bind to. Please note that verification of binding actually requires checking both VolumeSnapshot and VolumeSnapshotContent to ensure both are pointing at each other. Binding MUST be verified prior to usage of this object. + jsonPath: .status.boundVolumeSnapshotContentName + name: SnapshotContent + type: string + - description: Timestamp when the point-in-time snapshot was taken by the underlying storage system. + jsonPath: .status.creationTime + name: CreationTime + type: date + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + # This indicates the v1beta1 version of the custom resource is deprecated. + # API requests to this version receive a warning in the server response. + deprecated: true + # This overrides the default warning returned to clients making v1beta1 API requests. + deprecationWarning: "snapshot.storage.k8s.io/v1beta1 VolumeSnapshot is deprecated; use snapshot.storage.k8s.io/v1 VolumeSnapshot" + schema: + openAPIV3Schema: + description: VolumeSnapshot is a user's request for either creating a point-in-time snapshot of a persistent volume, or binding to a pre-existing snapshot. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + spec: + description: 'spec defines the desired characteristics of a snapshot requested by a user. More info: https://kubernetes.io/docs/concepts/storage/volume-snapshots#volumesnapshots Required.' + properties: + source: + description: source specifies where a snapshot will be created from. This field is immutable after creation. Required. + properties: + persistentVolumeClaimName: + description: persistentVolumeClaimName specifies the name of the PersistentVolumeClaim object representing the volume from which a snapshot should be created. This PVC is assumed to be in the same namespace as the VolumeSnapshot object. This field should be set if the snapshot does not exists, and needs to be created. This field is immutable. + type: string + volumeSnapshotContentName: + description: volumeSnapshotContentName specifies the name of a pre-existing VolumeSnapshotContent object representing an existing volume snapshot. This field should be set if the snapshot already exists and only needs a representation in Kubernetes. This field is immutable. + type: string + type: object + volumeSnapshotClassName: + description: 'VolumeSnapshotClassName is the name of the VolumeSnapshotClass requested by the VolumeSnapshot. VolumeSnapshotClassName may be left nil to indicate that the default SnapshotClass should be used. A given cluster may have multiple default Volume SnapshotClasses: one default per CSI Driver. If a VolumeSnapshot does not specify a SnapshotClass, VolumeSnapshotSource will be checked to figure out what the associated CSI Driver is, and the default VolumeSnapshotClass associated with that CSI Driver will be used. If more than one VolumeSnapshotClass exist for a given CSI Driver and more than one have been marked as default, CreateSnapshot will fail and generate an event. Empty string is not allowed for this field.' + type: string + required: + - source + type: object + status: + description: status represents the current information of a snapshot. Consumers must verify binding between VolumeSnapshot and VolumeSnapshotContent objects is successful (by validating that both VolumeSnapshot and VolumeSnapshotContent point at each other) before using this object. + properties: + boundVolumeSnapshotContentName: + description: 'boundVolumeSnapshotContentName is the name of the VolumeSnapshotContent object to which this VolumeSnapshot object intends to bind to. If not specified, it indicates that the VolumeSnapshot object has not been successfully bound to a VolumeSnapshotContent object yet. NOTE: To avoid possible security issues, consumers must verify binding between VolumeSnapshot and VolumeSnapshotContent objects is successful (by validating that both VolumeSnapshot and VolumeSnapshotContent point at each other) before using this object.' + type: string + creationTime: + description: creationTime is the timestamp when the point-in-time snapshot is taken by the underlying storage system. In dynamic snapshot creation case, this field will be filled in by the snapshot controller with the "creation_time" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "creation_time" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. If not specified, it may indicate that the creation time of the snapshot is unknown. + format: date-time + type: string + error: + description: error is the last observed error during snapshot creation, if any. This field could be helpful to upper level controllers(i.e., application controller) to decide whether they should continue on waiting for the snapshot to be created based on the type of error reported. The snapshot controller will keep retrying when an error occurs during the snapshot creation. Upon success, this error field will be cleared. + properties: + message: + description: 'message is a string detailing the encountered error during snapshot creation if specified. NOTE: message may be logged, and it should not contain sensitive information.' + type: string + time: + description: time is the timestamp when the error was encountered. + format: date-time + type: string + type: object + readyToUse: + description: readyToUse indicates if the snapshot is ready to be used to restore a volume. In dynamic snapshot creation case, this field will be filled in by the snapshot controller with the "ready_to_use" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "ready_to_use" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it, otherwise, this field will be set to "True". If not specified, it means the readiness of a snapshot is unknown. + type: boolean + restoreSize: + type: string + description: restoreSize represents the minimum size of volume required to create a volume from this snapshot. In dynamic snapshot creation case, this field will be filled in by the snapshot controller with the "size_bytes" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "size_bytes" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. When restoring a volume from this snapshot, the size of the volume MUST NOT be smaller than the restoreSize if it is specified, otherwise the restoration will fail. If not specified, it indicates that the size is unknown. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + required: + - spec + type: object + served: false + storage: false + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: "https://github.com/kubernetes-csi/external-snapshotter/pull/814" + controller-gen.kubebuilder.io/version: v0.15.0 + name: volumesnapshotclasses.snapshot.storage.k8s.io +spec: + group: snapshot.storage.k8s.io + names: + kind: VolumeSnapshotClass + listKind: VolumeSnapshotClassList + plural: volumesnapshotclasses + shortNames: + - vsclass + - vsclasses + singular: volumesnapshotclass + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .driver + name: Driver + type: string + - description: Determines whether a VolumeSnapshotContent created through the + VolumeSnapshotClass should be deleted when its bound VolumeSnapshot is deleted. + jsonPath: .deletionPolicy + name: DeletionPolicy + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + VolumeSnapshotClass specifies parameters that a underlying storage system uses when + creating a volume snapshot. A specific VolumeSnapshotClass is used by specifying its + name in a VolumeSnapshot object. + VolumeSnapshotClasses are non-namespaced + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + deletionPolicy: + description: |- + deletionPolicy determines whether a VolumeSnapshotContent created through + the VolumeSnapshotClass should be deleted when its bound VolumeSnapshot is deleted. + Supported values are "Retain" and "Delete". + "Retain" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are kept. + "Delete" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are deleted. + Required. + enum: + - Delete + - Retain + type: string + driver: + description: |- + driver is the name of the storage driver that handles this VolumeSnapshotClass. + Required. + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + parameters: + additionalProperties: + type: string + description: |- + parameters is a key-value map with storage driver specific parameters for creating snapshots. + These values are opaque to Kubernetes. + type: object + required: + - deletionPolicy + - driver + type: object + served: true + storage: true + subresources: {} + - additionalPrinterColumns: + - jsonPath: .driver + name: Driver + type: string + - description: Determines whether a VolumeSnapshotContent created through the VolumeSnapshotClass should be deleted when its bound VolumeSnapshot is deleted. + jsonPath: .deletionPolicy + name: DeletionPolicy + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + # This indicates the v1beta1 version of the custom resource is deprecated. + # API requests to this version receive a warning in the server response. + deprecated: true + # This overrides the default warning returned to clients making v1beta1 API requests. + deprecationWarning: "snapshot.storage.k8s.io/v1beta1 VolumeSnapshotClass is deprecated; use snapshot.storage.k8s.io/v1 VolumeSnapshotClass" + schema: + openAPIV3Schema: + description: VolumeSnapshotClass specifies parameters that a underlying storage system uses when creating a volume snapshot. A specific VolumeSnapshotClass is used by specifying its name in a VolumeSnapshot object. VolumeSnapshotClasses are non-namespaced + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + deletionPolicy: + description: deletionPolicy determines whether a VolumeSnapshotContent created through the VolumeSnapshotClass should be deleted when its bound VolumeSnapshot is deleted. Supported values are "Retain" and "Delete". "Retain" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are kept. "Delete" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are deleted. Required. + enum: + - Delete + - Retain + type: string + driver: + description: driver is the name of the storage driver that handles this VolumeSnapshotClass. Required. + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + parameters: + additionalProperties: + type: string + description: parameters is a key-value map with storage driver specific parameters for creating snapshots. These values are opaque to Kubernetes. + type: object + required: + - deletionPolicy + - driver + type: object + served: false + storage: false + subresources: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + api-approved.kubernetes.io: "https://github.com/kubernetes-csi/external-snapshotter/pull/955" + name: volumesnapshotcontents.snapshot.storage.k8s.io +spec: + group: snapshot.storage.k8s.io + names: + kind: VolumeSnapshotContent + listKind: VolumeSnapshotContentList + plural: volumesnapshotcontents + shortNames: + - vsc + - vscs + singular: volumesnapshotcontent + scope: Cluster + versions: + - additionalPrinterColumns: + - description: Indicates if the snapshot is ready to be used to restore a volume. + jsonPath: .status.readyToUse + name: ReadyToUse + type: boolean + - description: Represents the complete size of the snapshot in bytes + jsonPath: .status.restoreSize + name: RestoreSize + type: integer + - description: Determines whether this VolumeSnapshotContent and its physical + snapshot on the underlying storage system should be deleted when its bound + VolumeSnapshot is deleted. + jsonPath: .spec.deletionPolicy + name: DeletionPolicy + type: string + - description: Name of the CSI driver used to create the physical snapshot on + the underlying storage system. + jsonPath: .spec.driver + name: Driver + type: string + - description: Name of the VolumeSnapshotClass to which this snapshot belongs. + jsonPath: .spec.volumeSnapshotClassName + name: VolumeSnapshotClass + type: string + - description: Name of the VolumeSnapshot object to which this VolumeSnapshotContent + object is bound. + jsonPath: .spec.volumeSnapshotRef.name + name: VolumeSnapshot + type: string + - description: Namespace of the VolumeSnapshot object to which this VolumeSnapshotContent + object is bound. + jsonPath: .spec.volumeSnapshotRef.namespace + name: VolumeSnapshotNamespace + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + VolumeSnapshotContent represents the actual "on-disk" snapshot object in the + underlying storage system + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + spec defines properties of a VolumeSnapshotContent created by the underlying storage system. + Required. + properties: + deletionPolicy: + description: |- + deletionPolicy determines whether this VolumeSnapshotContent and its physical snapshot on + the underlying storage system should be deleted when its bound VolumeSnapshot is deleted. + Supported values are "Retain" and "Delete". + "Retain" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are kept. + "Delete" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are deleted. + For dynamically provisioned snapshots, this field will automatically be filled in by the + CSI snapshotter sidecar with the "DeletionPolicy" field defined in the corresponding + VolumeSnapshotClass. + For pre-existing snapshots, users MUST specify this field when creating the + VolumeSnapshotContent object. + Required. + enum: + - Delete + - Retain + type: string + driver: + description: |- + driver is the name of the CSI driver used to create the physical snapshot on + the underlying storage system. + This MUST be the same as the name returned by the CSI GetPluginName() call for + that driver. + Required. + type: string + source: + description: |- + source specifies whether the snapshot is (or should be) dynamically provisioned + or already exists, and just requires a Kubernetes object representation. + This field is immutable after creation. + Required. + properties: + snapshotHandle: + description: |- + snapshotHandle specifies the CSI "snapshot_id" of a pre-existing snapshot on + the underlying storage system for which a Kubernetes object representation + was (or should be) created. + This field is immutable. + type: string + x-kubernetes-validations: + - message: snapshotHandle is immutable + rule: self == oldSelf + volumeHandle: + description: |- + volumeHandle specifies the CSI "volume_id" of the volume from which a snapshot + should be dynamically taken from. + This field is immutable. + type: string + x-kubernetes-validations: + - message: volumeHandle is immutable + rule: self == oldSelf + type: object + x-kubernetes-validations: + - message: volumeHandle is required once set + rule: '!has(oldSelf.volumeHandle) || has(self.volumeHandle)' + - message: snapshotHandle is required once set + rule: '!has(oldSelf.snapshotHandle) || has(self.snapshotHandle)' + - message: exactly one of volumeHandle and snapshotHandle must be + set + rule: (has(self.volumeHandle) && !has(self.snapshotHandle)) || (!has(self.volumeHandle) + && has(self.snapshotHandle)) + sourceVolumeMode: + description: |- + SourceVolumeMode is the mode of the volume whose snapshot is taken. + Can be either "Filesystem" or "Block". + If not specified, it indicates the source volume's mode is unknown. + This field is immutable. + This field is an alpha field. + type: string + x-kubernetes-validations: + - message: sourceVolumeMode is immutable + rule: self == oldSelf + volumeSnapshotClassName: + description: |- + name of the VolumeSnapshotClass from which this snapshot was (or will be) + created. + Note that after provisioning, the VolumeSnapshotClass may be deleted or + recreated with different set of values, and as such, should not be referenced + post-snapshot creation. + type: string + volumeSnapshotRef: + description: |- + volumeSnapshotRef specifies the VolumeSnapshot object to which this + VolumeSnapshotContent object is bound. + VolumeSnapshot.Spec.VolumeSnapshotContentName field must reference to + this VolumeSnapshotContent's name for the bidirectional binding to be valid. + For a pre-existing VolumeSnapshotContent object, name and namespace of the + VolumeSnapshot object MUST be provided for binding to happen. + This field is immutable after creation. + Required. + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. + type: string + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + namespace: + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + type: string + resourceVersion: + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + type: string + uid: + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + type: string + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: both spec.volumeSnapshotRef.name and spec.volumeSnapshotRef.namespace + must be set + rule: has(self.name) && has(self.__namespace__) + required: + - deletionPolicy + - driver + - source + - volumeSnapshotRef + type: object + x-kubernetes-validations: + - message: sourceVolumeMode is required once set + rule: '!has(oldSelf.sourceVolumeMode) || has(self.sourceVolumeMode)' + status: + description: status represents the current information of a snapshot. + properties: + creationTime: + description: |- + creationTime is the timestamp when the point-in-time snapshot is taken + by the underlying storage system. + In dynamic snapshot creation case, this field will be filled in by the + CSI snapshotter sidecar with the "creation_time" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "creation_time" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. + If not specified, it indicates the creation time is unknown. + The format of this field is a Unix nanoseconds time encoded as an int64. + On Unix, the command `date +%s%N` returns the current time in nanoseconds + since 1970-01-01 00:00:00 UTC. + format: int64 + type: integer + error: + description: |- + error is the last observed error during snapshot creation, if any. + Upon success after retry, this error field will be cleared. + properties: + message: + description: |- + message is a string detailing the encountered error during snapshot + creation if specified. + NOTE: message may be logged, and it should not contain sensitive + information. + type: string + time: + description: time is the timestamp when the error was encountered. + format: date-time + type: string + type: object + readyToUse: + description: |- + readyToUse indicates if a snapshot is ready to be used to restore a volume. + In dynamic snapshot creation case, this field will be filled in by the + CSI snapshotter sidecar with the "ready_to_use" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "ready_to_use" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it, + otherwise, this field will be set to "True". + If not specified, it means the readiness of a snapshot is unknown. + type: boolean + restoreSize: + description: |- + restoreSize represents the complete size of the snapshot in bytes. + In dynamic snapshot creation case, this field will be filled in by the + CSI snapshotter sidecar with the "size_bytes" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "size_bytes" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. + When restoring a volume from this snapshot, the size of the volume MUST NOT + be smaller than the restoreSize if it is specified, otherwise the restoration will fail. + If not specified, it indicates that the size is unknown. + format: int64 + minimum: 0 + type: integer + snapshotHandle: + description: |- + snapshotHandle is the CSI "snapshot_id" of a snapshot on the underlying storage system. + If not specified, it indicates that dynamic snapshot creation has either failed + or it is still in progress. + type: string + volumeGroupSnapshotHandle: + description: |- + VolumeGroupSnapshotHandle is the CSI "group_snapshot_id" of a group snapshot + on the underlying storage system. + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: Indicates if the snapshot is ready to be used to restore a volume. + jsonPath: .status.readyToUse + name: ReadyToUse + type: boolean + - description: Represents the complete size of the snapshot in bytes + jsonPath: .status.restoreSize + name: RestoreSize + type: integer + - description: Determines whether this VolumeSnapshotContent and its physical snapshot on the underlying storage system should be deleted when its bound VolumeSnapshot is deleted. + jsonPath: .spec.deletionPolicy + name: DeletionPolicy + type: string + - description: Name of the CSI driver used to create the physical snapshot on the underlying storage system. + jsonPath: .spec.driver + name: Driver + type: string + - description: Name of the VolumeSnapshotClass to which this snapshot belongs. + jsonPath: .spec.volumeSnapshotClassName + name: VolumeSnapshotClass + type: string + - description: Name of the VolumeSnapshot object to which this VolumeSnapshotContent object is bound. + jsonPath: .spec.volumeSnapshotRef.name + name: VolumeSnapshot + type: string + - description: Namespace of the VolumeSnapshot object to which this VolumeSnapshotContent object is bound. + jsonPath: .spec.volumeSnapshotRef.namespace + name: VolumeSnapshotNamespace + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + # This indicates the v1beta1 version of the custom resource is deprecated. + # API requests to this version receive a warning in the server response. + deprecated: true + # This overrides the default warning returned to clients making v1beta1 API requests. + deprecationWarning: "snapshot.storage.k8s.io/v1beta1 VolumeSnapshotContent is deprecated; use snapshot.storage.k8s.io/v1 VolumeSnapshotContent" + schema: + openAPIV3Schema: + description: VolumeSnapshotContent represents the actual "on-disk" snapshot object in the underlying storage system + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + spec: + description: spec defines properties of a VolumeSnapshotContent created by the underlying storage system. Required. + properties: + deletionPolicy: + description: deletionPolicy determines whether this VolumeSnapshotContent and its physical snapshot on the underlying storage system should be deleted when its bound VolumeSnapshot is deleted. Supported values are "Retain" and "Delete". "Retain" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are kept. "Delete" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are deleted. For dynamically provisioned snapshots, this field will automatically be filled in by the CSI snapshotter sidecar with the "DeletionPolicy" field defined in the corresponding VolumeSnapshotClass. For pre-existing snapshots, users MUST specify this field when creating the VolumeSnapshotContent object. Required. + enum: + - Delete + - Retain + type: string + driver: + description: driver is the name of the CSI driver used to create the physical snapshot on the underlying storage system. This MUST be the same as the name returned by the CSI GetPluginName() call for that driver. Required. + type: string + source: + description: source specifies whether the snapshot is (or should be) dynamically provisioned or already exists, and just requires a Kubernetes object representation. This field is immutable after creation. Required. + properties: + snapshotHandle: + description: snapshotHandle specifies the CSI "snapshot_id" of a pre-existing snapshot on the underlying storage system for which a Kubernetes object representation was (or should be) created. This field is immutable. + type: string + volumeHandle: + description: volumeHandle specifies the CSI "volume_id" of the volume from which a snapshot should be dynamically taken from. This field is immutable. + type: string + type: object + volumeSnapshotClassName: + description: name of the VolumeSnapshotClass from which this snapshot was (or will be) created. Note that after provisioning, the VolumeSnapshotClass may be deleted or recreated with different set of values, and as such, should not be referenced post-snapshot creation. + type: string + volumeSnapshotRef: + description: volumeSnapshotRef specifies the VolumeSnapshot object to which this VolumeSnapshotContent object is bound. VolumeSnapshot.Spec.VolumeSnapshotContentName field must reference to this VolumeSnapshotContent's name for the bidirectional binding to be valid. For a pre-existing VolumeSnapshotContent object, name and namespace of the VolumeSnapshot object MUST be provided for binding to happen. This field is immutable after creation. Required. + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + required: + - deletionPolicy + - driver + - source + - volumeSnapshotRef + type: object + status: + description: status represents the current information of a snapshot. + properties: + creationTime: + description: creationTime is the timestamp when the point-in-time snapshot is taken by the underlying storage system. In dynamic snapshot creation case, this field will be filled in by the CSI snapshotter sidecar with the "creation_time" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "creation_time" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. If not specified, it indicates the creation time is unknown. The format of this field is a Unix nanoseconds time encoded as an int64. On Unix, the command `date +%s%N` returns the current time in nanoseconds since 1970-01-01 00:00:00 UTC. + format: int64 + type: integer + error: + description: error is the last observed error during snapshot creation, if any. Upon success after retry, this error field will be cleared. + properties: + message: + description: 'message is a string detailing the encountered error during snapshot creation if specified. NOTE: message may be logged, and it should not contain sensitive information.' + type: string + time: + description: time is the timestamp when the error was encountered. + format: date-time + type: string + type: object + readyToUse: + description: readyToUse indicates if a snapshot is ready to be used to restore a volume. In dynamic snapshot creation case, this field will be filled in by the CSI snapshotter sidecar with the "ready_to_use" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "ready_to_use" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it, otherwise, this field will be set to "True". If not specified, it means the readiness of a snapshot is unknown. + type: boolean + restoreSize: + description: restoreSize represents the complete size of the snapshot in bytes. In dynamic snapshot creation case, this field will be filled in by the CSI snapshotter sidecar with the "size_bytes" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "size_bytes" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. When restoring a volume from this snapshot, the size of the volume MUST NOT be smaller than the restoreSize if it is specified, otherwise the restoration will fail. If not specified, it indicates that the size is unknown. + format: int64 + minimum: 0 + type: integer + snapshotHandle: + description: snapshotHandle is the CSI "snapshot_id" of a snapshot on the underlying storage system. If not specified, it indicates that dynamic snapshot creation has either failed or it is still in progress. + type: string + type: object + required: + - spec + type: object + served: false + storage: false + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end -}} diff --git a/charts/v1.32.7/azurefile-csi-driver/templates/csi-azurefile-controller.yaml b/charts/v1.32.7/azurefile-csi-driver/templates/csi-azurefile-controller.yaml new file mode 100644 index 0000000000..0e782b851b --- /dev/null +++ b/charts/v1.32.7/azurefile-csi-driver/templates/csi-azurefile-controller.yaml @@ -0,0 +1,285 @@ +kind: Deployment +apiVersion: apps/v1 +metadata: + name: {{ .Values.controller.name }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Values.controller.name }} + {{- include "azurefile.labels" . | nindent 4 }} +{{- with .Values.controller.labels }} +{{ . | toYaml | indent 4 }} +{{- end }} +{{- with .Values.controller.annotations }} + annotations: +{{ . | toYaml | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.controller.replicas }} + selector: + matchLabels: + {{- include "azurefile.selectorLabels" . | nindent 6 }} + app: {{ .Values.controller.name }} + strategy: + type: {{ .Values.controller.strategyType }} + template: + metadata: + labels: + {{- include "azurefile.labels" . | nindent 8 }} + app: {{ .Values.controller.name }} + {{- if .Values.workloadIdentity.clientID }} + azure.workload.identity/use: "true" + {{- end }} +{{- with .Values.controller.podLabels }} +{{ toYaml . | indent 8 }} +{{- end }} +{{- with .Values.controller.podAnnotations }} + annotations: +{{ toYaml . | indent 8 }} +{{- end }} + spec: + hostNetwork: {{ .Values.controller.hostNetwork }} + serviceAccountName: {{ .Values.serviceAccount.controller }} + nodeSelector: + kubernetes.io/os: linux +{{- with .Values.controller.nodeSelector }} +{{ toYaml . | indent 8 }} +{{- end }} + # runOnControlPlane=true or runOnMaster=true only takes effect if affinity is not set + {{- if tpl "{{ .Values.controller.affinity }}" . | contains "nodeSelectorTerms" }} + {{- with .Values.controller.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- else if or .Values.controller.runOnControlPlane .Values.controller.runOnMaster}} + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + {{- if .Values.controller.runOnControlPlane}} + - key: node-role.kubernetes.io/control-plane + operator: Exists + {{- end}} + {{- if .Values.controller.runOnMaster}} + - key: node-role.kubernetes.io/master + operator: Exists + {{- end}} + {{- end }} + priorityClassName: system-cluster-critical + securityContext: + seccompProfile: + type: RuntimeDefault +{{- with .Values.controller.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} +{{- end }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: +{{ toYaml .Values.imagePullSecrets | indent 8 }} + {{- end }} + containers: + - name: csi-provisioner +{{- if hasPrefix "/" .Values.image.csiProvisioner.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.csiProvisioner.repository }}:{{ .Values.image.csiProvisioner.tag }}" +{{- else }} + image: "{{ .Values.image.csiProvisioner.repository }}:{{ .Values.image.csiProvisioner.tag }}" +{{- end }} + args: + - "-v=2" + - "--csi-address=$(ADDRESS)" + - "--leader-election" + - "--leader-election-namespace={{ .Release.Namespace }}" + - "--timeout=1200s" + - "--extra-create-metadata=true" + - "--kube-api-qps=50" + - "--kube-api-burst=100" + - "--feature-gates=HonorPVReclaimPolicy=true" + - "--retry-interval-max=30m" + env: + - name: ADDRESS + value: /csi/csi.sock + imagePullPolicy: {{ .Values.image.csiProvisioner.pullPolicy }} + volumeMounts: + - mountPath: /csi + name: socket-dir + resources: {{- toYaml .Values.controller.resources.csiProvisioner | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL + - name: csi-snapshotter +{{- if hasPrefix "/" .Values.snapshot.image.csiSnapshotter.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.snapshot.image.csiSnapshotter.repository }}:{{ .Values.snapshot.image.csiSnapshotter.tag }}" +{{- else }} + image: "{{ .Values.snapshot.image.csiSnapshotter.repository }}:{{ .Values.snapshot.image.csiSnapshotter.tag }}" +{{- end }} + args: + - "-csi-address=$(ADDRESS)" + - "-leader-election" + - "--leader-election-namespace={{ .Release.Namespace }}" + - "-v=2" + - "--retry-interval-max=30m" + env: + - name: ADDRESS + value: /csi/csi.sock + volumeMounts: + - name: socket-dir + mountPath: /csi + resources: {{- toYaml .Values.controller.resources.csiSnapshotter | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL + - name: csi-resizer +{{- if hasPrefix "/" .Values.image.csiResizer.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.csiResizer.repository }}:{{ .Values.image.csiResizer.tag }}" +{{- else }} + image: "{{ .Values.image.csiResizer.repository }}:{{ .Values.image.csiResizer.tag }}" +{{- end }} + args: + - "-csi-address=$(ADDRESS)" + - "-v=2" + - "-leader-election" + - "--leader-election-namespace={{ .Release.Namespace }}" + - '-handle-volume-inuse-error=false' + - '-timeout=120s' + - '-feature-gates=RecoverVolumeExpansionFailure=true' + - "--retry-interval-max=30m" + env: + - name: ADDRESS + value: /csi/csi.sock + imagePullPolicy: {{ .Values.image.csiResizer.pullPolicy }} + volumeMounts: + - name: socket-dir + mountPath: /csi + resources: {{- toYaml .Values.controller.resources.csiResizer | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL + - name: liveness-probe +{{- if hasPrefix "/" .Values.image.livenessProbe.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}" +{{- else }} + image: "{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}" +{{- end }} + args: + - --csi-address=/csi/csi.sock + - --probe-timeout=3s +{{- if eq .Values.controller.hostNetwork true }} + - --http-endpoint=localhost:{{ .Values.controller.livenessProbe.healthPort }} +{{- else }} + - --health-port={{ .Values.controller.livenessProbe.healthPort }} +{{- end }} + - --v=2 + imagePullPolicy: {{ .Values.image.livenessProbe.pullPolicy }} + volumeMounts: + - name: socket-dir + mountPath: /csi + resources: {{- toYaml .Values.controller.resources.livenessProbe | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL + - name: azurefile +{{- if hasPrefix "/" .Values.image.azurefile.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}" +{{- else }} + image: "{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}" +{{- end }} + args: + - "--v={{ .Values.controller.logLevel }}" + - "--endpoint=$(CSI_ENDPOINT)" + - "--metrics-address=0.0.0.0:{{ .Values.controller.metricsPort }}" + - "--kubeconfig={{ .Values.controller.kubeconfig }}" + - "--drivername={{ .Values.driver.name }}" + - "--cloud-config-secret-name={{ .Values.controller.cloudConfigSecretName }}" + - "--cloud-config-secret-namespace={{ .Values.controller.cloudConfigSecretNamespace }}" + - "--custom-user-agent={{ .Values.driver.customUserAgent }}" + - "--user-agent-suffix={{ .Values.driver.userAgentSuffix }}" + - "--allow-empty-cloud-config={{ .Values.controller.allowEmptyCloudConfig }}" + ports: + - containerPort: {{ .Values.controller.metricsPort }} + name: metrics + protocol: TCP +{{- if ne .Values.controller.hostNetwork true }} + - containerPort: {{ .Values.controller.livenessProbe.healthPort }} + name: healthz + protocol: TCP +{{- end }} + livenessProbe: + failureThreshold: 5 + httpGet: + path: /healthz +{{- if eq .Values.controller.hostNetwork true }} + host: localhost + port: {{ .Values.controller.livenessProbe.healthPort }} +{{- else }} + port: healthz +{{- end }} + initialDelaySeconds: 30 + timeoutSeconds: 10 + periodSeconds: 30 + env: + - name: AZURE_CREDENTIAL_FILE + valueFrom: + configMapKeyRef: + name: {{ .Values.azureCredentialFileConfigMap }} + key: path + optional: true + - name: CSI_ENDPOINT + value: unix:///csi/csi.sock + {{- if ne .Values.driver.httpsProxy "" }} + - name: HTTPS_PROXY + value: {{ .Values.driver.httpsProxy }} + {{- end }} + {{- if ne .Values.driver.httpProxy "" }} + - name: HTTP_PROXY + value: {{ .Values.driver.httpProxy }} + {{- end }} + - name: AZURE_GO_SDK_LOG_LEVEL + value: {{ .Values.driver.azureGoSDKLogLevel }} + - name: AZCOPY_CONCURRENCY_VALUE + value: "10" + - name: AZCOPY_CONCURRENT_FILES + value: "20" + - name: AZCOPY_BUFFER_GB + value: "1" + imagePullPolicy: {{ .Values.image.azurefile.pullPolicy }} + volumeMounts: + - mountPath: /csi + name: socket-dir + - mountPath: /root/.azcopy + name: azcopy-dir + - mountPath: /etc/kubernetes/ + name: azure-cred + {{- if eq .Values.linux.distro "fedora" }} + - name: ssl + mountPath: /etc/ssl/certs + readOnly: true + - name: ssl-pki + mountPath: /etc/pki/ca-trust/extracted + readOnly: true + {{- end }} + resources: {{- toYaml .Values.controller.resources.azurefile | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL + volumes: + - name: socket-dir + emptyDir: {} + - name: azcopy-dir + emptyDir: {} + - name: azure-cred + hostPath: + path: /etc/kubernetes/ + type: DirectoryOrCreate + {{- if eq .Values.linux.distro "fedora" }} + - name: ssl + hostPath: + path: /etc/ssl/certs + - name: ssl-pki + hostPath: + path: /etc/pki/ca-trust/extracted + {{- end }} diff --git a/charts/v1.32.7/azurefile-csi-driver/templates/csi-azurefile-driver.yaml b/charts/v1.32.7/azurefile-csi-driver/templates/csi-azurefile-driver.yaml new file mode 100644 index 0000000000..77df01e32d --- /dev/null +++ b/charts/v1.32.7/azurefile-csi-driver/templates/csi-azurefile-driver.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: storage.k8s.io/v1 +kind: CSIDriver +metadata: + name: {{ .Values.driver.name }} + labels: + {{- include "azurefile.labels" . | nindent 4 }} + annotations: + csiDriver: "{{ .Values.image.azurefile.tag }}" + snapshot: "{{ .Values.snapshot.image.csiSnapshotter.tag }}" +spec: + attachRequired: {{ .Values.controller.attachRequired }} + podInfoOnMount: true + volumeLifecycleModes: + - Persistent + - Ephemeral + fsGroupPolicy: {{ .Values.feature.fsGroupPolicy }} + tokenRequests: + - audience: api://AzureADTokenExchange diff --git a/charts/v1.32.7/azurefile-csi-driver/templates/csi-azurefile-node-windows-hostprocess.yaml b/charts/v1.32.7/azurefile-csi-driver/templates/csi-azurefile-node-windows-hostprocess.yaml new file mode 100644 index 0000000000..30acee27fb --- /dev/null +++ b/charts/v1.32.7/azurefile-csi-driver/templates/csi-azurefile-node-windows-hostprocess.yaml @@ -0,0 +1,164 @@ +{{- if and .Values.windows.enabled .Values.windows.useHostProcessContainers }} +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: {{ .Values.windows.dsName }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Values.windows.dsName }} + {{- include "azurefile.labels" . | nindent 4 }} +{{- with .Values.windows.labels }} +{{ . | toYaml | indent 4 }} +{{- end }} +{{- with .Values.windows.annotations }} + annotations: +{{ . | toYaml | indent 4 }} +{{- end }} +spec: + updateStrategy: + rollingUpdate: + maxUnavailable: {{ .Values.node.maxUnavailable }} + type: {{ .Values.node.strategyType }} + selector: + matchLabels: + app: {{ .Values.windows.dsName }} + {{- include "azurefile.selectorLabels" . | nindent 6 }} + template: + metadata: + labels: + app: {{ .Values.windows.dsName }} + {{- include "azurefile.labels" . | nindent 8 }} +{{- with .Values.windows.podLabels }} +{{ toYaml . | indent 8 }} +{{- end }} +{{- with .Values.windows.podAnnotations }} + annotations: +{{ toYaml . | indent 8 }} +{{- end }} + spec: + serviceAccountName: {{ .Values.serviceAccount.node }} +{{- with .Values.windows.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} +{{- end }} + nodeSelector: + kubernetes.io/os: windows +{{- with .Values.windows.nodeSelector }} +{{ toYaml . | indent 8 }} +{{- end }} + affinity: +{{- with .Values.windows.affinity }} +{{ toYaml . | indent 8 }} +{{- end }} + nodeAffinity: +{{ toYaml .Values.windows.nodeAffinity | indent 10 }} + priorityClassName: system-node-critical + {{- if .Values.imagePullSecrets }} + imagePullSecrets: +{{ toYaml .Values.imagePullSecrets | indent 8 }} + {{- end }} + securityContext: + seccompProfile: + type: RuntimeDefault + windowsOptions: + hostProcess: true + runAsUserName: "NT AUTHORITY\\SYSTEM" + hostNetwork: true + initContainers: + - name: init +{{- if hasPrefix "/" .Values.image.azurefile.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}-windows-hp" +{{- else }} + image: "{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}-windows-hp" +{{- end }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + command: + - "powershell.exe" + - "-c" + - "New-Item -ItemType Directory -Path C:\\var\\lib\\kubelet\\plugins\\{{ .Values.driver.name }}\\ -Force" + securityContext: + capabilities: + drop: + - ALL + containers: + - name: node-driver-registrar +{{- if hasPrefix "/" .Values.image.nodeDriverRegistrar.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}" +{{- else }} + image: "{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}" +{{- end }} + command: + - "csi-node-driver-registrar.exe" + args: + - "--csi-address=$(CSI_ENDPOINT)" + - "--kubelet-registration-path=$(DRIVER_REG_SOCK_PATH)" + - "--plugin-registration-path=$(PLUGIN_REG_DIR)" + - "--v=2" + env: + - name: CSI_ENDPOINT + value: unix://{{ .Values.windows.kubelet }}\plugins\{{ .Values.driver.name }}\csi.sock + - name: DRIVER_REG_SOCK_PATH + value: C:\\var\\lib\\kubelet\\plugins\\{{ .Values.driver.name }}\\csi.sock + - name: PLUGIN_REG_DIR + value: C:\\var\\lib\\kubelet\\plugins_registry\\ + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + imagePullPolicy: {{ .Values.image.nodeDriverRegistrar.pullPolicy }} + resources: {{- toYaml .Values.windows.resources.nodeDriverRegistrar | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL + - name: azurefile +{{- if hasPrefix "/" .Values.image.azurefile.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}-windows-hp" +{{- else }} + image: "{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}-windows-hp" +{{- end }} + command: + - "azurefileplugin.exe" + args: + - "--v={{ .Values.node.logLevel }}" + - "--endpoint=$(CSI_ENDPOINT)" + - "--nodeid=$(KUBE_NODE_NAME)" + - "--kubeconfig={{ .Values.windows.kubeconfig }}" + - "--drivername={{ .Values.driver.name }}" + - "--cloud-config-secret-name={{ .Values.node.cloudConfigSecretName }}" + - "--cloud-config-secret-namespace={{ .Values.node.cloudConfigSecretNamespace }}" + - "--custom-user-agent={{ .Values.driver.customUserAgent }}" + - "--user-agent-suffix={{ .Values.driver.userAgentSuffix }}" + - "--allow-empty-cloud-config={{ .Values.node.allowEmptyCloudConfig }}" + - "--enable-get-volume-stats={{ .Values.feature.enableGetVolumeStats }}" + - "--enable-windows-host-process=true" + - "--metrics-address=0.0.0.0:{{ .Values.node.metricsPort }}" + env: + - name: AZURE_CREDENTIAL_FILE + valueFrom: + configMapKeyRef: + name: {{ .Values.azureCredentialFileConfigMap }} + key: path-windows + optional: true + - name: CSI_ENDPOINT + value: unix://{{ .Values.windows.kubelet }}\plugins\{{ .Values.driver.name }}\csi.sock + {{- if ne .Values.driver.httpsProxy "" }} + - name: HTTPS_PROXY + value: {{ .Values.driver.httpsProxy }} + {{- end }} + {{- if ne .Values.driver.httpProxy "" }} + - name: HTTP_PROXY + value: {{ .Values.driver.httpProxy }} + {{- end }} + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + imagePullPolicy: {{ .Values.image.pullPolicy }} + resources: {{- toYaml .Values.windows.resources.azurefile | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL +{{- end -}} diff --git a/charts/v1.32.7/azurefile-csi-driver/templates/csi-azurefile-node-windows.yaml b/charts/v1.32.7/azurefile-csi-driver/templates/csi-azurefile-node-windows.yaml new file mode 100644 index 0000000000..5083bc96a8 --- /dev/null +++ b/charts/v1.32.7/azurefile-csi-driver/templates/csi-azurefile-node-windows.yaml @@ -0,0 +1,229 @@ +{{- if and .Values.windows.enabled (not .Values.windows.useHostProcessContainers) }} +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: {{ .Values.windows.dsName }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Values.windows.dsName }} + {{- include "azurefile.labels" . | nindent 4 }} +{{- with .Values.windows.labels }} +{{ . | toYaml | indent 4 }} +{{- end }} +{{- with .Values.windows.annotations }} + annotations: +{{ . | toYaml | indent 4 }} +{{- end }} +spec: + updateStrategy: + rollingUpdate: + maxUnavailable: {{ .Values.node.maxUnavailable }} + type: {{ .Values.node.strategyType }} + selector: + matchLabels: + app: {{ .Values.windows.dsName }} + {{- include "azurefile.selectorLabels" . | nindent 6 }} + template: + metadata: + labels: + app: {{ .Values.windows.dsName }} + {{- include "azurefile.labels" . | nindent 8 }} +{{- with .Values.windows.podLabels }} +{{ toYaml . | indent 8 }} +{{- end }} +{{- with .Values.windows.podAnnotations }} + annotations: +{{ toYaml . | indent 8 }} +{{- end }} + spec: + serviceAccountName: {{ .Values.serviceAccount.node }} +{{- with .Values.windows.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} +{{- end }} + nodeSelector: + kubernetes.io/os: windows +{{- with .Values.windows.nodeSelector }} +{{ toYaml . | indent 8 }} +{{- end }} + affinity: +{{- with .Values.windows.affinity }} +{{ toYaml . | indent 8 }} +{{- end }} + nodeAffinity: +{{ toYaml .Values.windows.nodeAffinity | indent 10 }} + priorityClassName: system-node-critical + securityContext: + seccompProfile: + type: RuntimeDefault + {{- if .Values.imagePullSecrets }} + imagePullSecrets: +{{ toYaml .Values.imagePullSecrets | indent 8 }} + {{- end }} + containers: + - name: liveness-probe + volumeMounts: + - mountPath: C:\csi + name: plugin-dir +{{- if hasPrefix "/" .Values.image.livenessProbe.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}" +{{- else }} + image: "{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}" +{{- end }} + args: + - "--csi-address=$(CSI_ENDPOINT)" + - "--probe-timeout=3s" + - "--health-port={{ .Values.node.livenessProbe.healthPort }}" + - "--v=2" + env: + - name: CSI_ENDPOINT + value: unix://C:\\csi\\csi.sock + imagePullPolicy: {{ .Values.image.livenessProbe.pullPolicy }} + resources: {{- toYaml .Values.windows.resources.livenessProbe | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL + - name: node-driver-registrar +{{- if hasPrefix "/" .Values.image.nodeDriverRegistrar.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}" +{{- else }} + image: "{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}" +{{- end }} + args: + - "--csi-address=$(CSI_ENDPOINT)" + - "--kubelet-registration-path=$(DRIVER_REG_SOCK_PATH)" + - "--v=2" + env: + - name: CSI_ENDPOINT + value: unix://C:\\csi\\csi.sock + - name: DRIVER_REG_SOCK_PATH + value: C:\\var\\lib\\kubelet\\plugins\\{{ .Values.driver.name }}\\csi.sock + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + imagePullPolicy: {{ .Values.image.nodeDriverRegistrar.pullPolicy }} + volumeMounts: + - name: kubelet-dir + mountPath: "C:\\var\\lib\\kubelet" + - name: plugin-dir + mountPath: C:\csi + - name: registration-dir + mountPath: C:\registration + resources: {{- toYaml .Values.windows.resources.nodeDriverRegistrar | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL + - name: azurefile +{{- if hasPrefix "/" .Values.image.azurefile.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}" +{{- else }} + image: "{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}" +{{- end }} + args: + - "--v={{ .Values.node.logLevel }}" + - "--endpoint=$(CSI_ENDPOINT)" + - "--nodeid=$(KUBE_NODE_NAME)" + - "--kubeconfig={{ .Values.windows.kubeconfig }}" + - "--drivername={{ .Values.driver.name }}" + - "--cloud-config-secret-name={{ .Values.node.cloudConfigSecretName }}" + - "--cloud-config-secret-namespace={{ .Values.node.cloudConfigSecretNamespace }}" + - "--custom-user-agent={{ .Values.driver.customUserAgent }}" + - "--user-agent-suffix={{ .Values.driver.userAgentSuffix }}" + - "--allow-empty-cloud-config={{ .Values.node.allowEmptyCloudConfig }}" + - "--enable-get-volume-stats={{ .Values.feature.enableGetVolumeStats }}" + - "--allow-inline-volume-key-access-with-identity={{ .Values.node.allowInlineVolumeKeyAccessWithIdentity }}" + - "--metrics-address=0.0.0.0:{{ .Values.node.metricsPort }}" + ports: + - containerPort: {{ .Values.node.livenessProbe.healthPort }} + name: healthz + protocol: TCP + livenessProbe: + failureThreshold: 5 + httpGet: + path: /healthz + port: healthz + initialDelaySeconds: 60 + timeoutSeconds: 60 + periodSeconds: 60 + env: + - name: AZURE_CREDENTIAL_FILE + valueFrom: + configMapKeyRef: + name: {{ .Values.azureCredentialFileConfigMap }} + key: path-windows + optional: true + - name: CSI_ENDPOINT + value: unix://C:\\csi\\csi.sock + {{- if ne .Values.driver.httpsProxy "" }} + - name: HTTPS_PROXY + value: {{ .Values.driver.httpsProxy }} + {{- end }} + {{- if ne .Values.driver.httpProxy "" }} + - name: HTTP_PROXY + value: {{ .Values.driver.httpProxy }} + {{- end }} + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: AZURE_GO_SDK_LOG_LEVEL + value: {{ .Values.driver.azureGoSDKLogLevel }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + volumeMounts: + - name: kubelet-dir + mountPath: "C:\\var\\lib\\kubelet" + - name: plugin-dir + mountPath: C:\csi + - name: azure-config + mountPath: C:\k + - name: csi-proxy-fs-pipe-v1 + mountPath: \\.\pipe\csi-proxy-filesystem-v1 + - name: csi-proxy-smb-pipe-v1 + mountPath: \\.\pipe\csi-proxy-smb-v1 + # these paths are still included for compatibility, they're used + # only if the node has still the beta version of the CSI proxy + - name: csi-proxy-fs-pipe-v1beta1 + mountPath: \\.\pipe\csi-proxy-filesystem-v1beta1 + - name: csi-proxy-smb-pipe-v1beta1 + mountPath: \\.\pipe\csi-proxy-smb-v1beta1 + resources: {{- toYaml .Values.windows.resources.azurefile | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL + volumes: + - name: csi-proxy-fs-pipe-v1 + hostPath: + path: \\.\pipe\csi-proxy-filesystem-v1 + - name: csi-proxy-smb-pipe-v1 + hostPath: + path: \\.\pipe\csi-proxy-smb-v1 + # these paths are still included for compatibility, they're used + # only if the node has still the beta version of the CSI proxy + - name: csi-proxy-fs-pipe-v1beta1 + hostPath: + path: \\.\pipe\csi-proxy-filesystem-v1beta1 + - name: csi-proxy-smb-pipe-v1beta1 + hostPath: + path: \\.\pipe\csi-proxy-smb-v1beta1 + - name: registration-dir + hostPath: + path: {{ .Values.windows.kubelet }}\plugins_registry\ + type: Directory + - name: kubelet-dir + hostPath: + path: {{ .Values.windows.kubelet }}\ + type: Directory + - name: plugin-dir + hostPath: + path: {{ .Values.windows.kubelet }}\plugins\{{ .Values.driver.name }}\ + type: DirectoryOrCreate + - name: azure-config + hostPath: + path: C:\k + type: Directory +{{- end -}} diff --git a/charts/v1.32.7/azurefile-csi-driver/templates/csi-azurefile-node.yaml b/charts/v1.32.7/azurefile-csi-driver/templates/csi-azurefile-node.yaml new file mode 100644 index 0000000000..b8f3bd0f3f --- /dev/null +++ b/charts/v1.32.7/azurefile-csi-driver/templates/csi-azurefile-node.yaml @@ -0,0 +1,227 @@ +{{- if .Values.linux.enabled}} +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: {{ .Values.linux.dsName }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Values.linux.dsName }} + {{- include "azurefile.labels" . | nindent 4 }} +{{- with .Values.linux.labels }} +{{ . | toYaml | indent 4 }} +{{- end }} +{{- with .Values.linux.annotations }} + annotations: +{{ . | toYaml | indent 4 }} +{{- end }} +spec: + updateStrategy: + rollingUpdate: + maxUnavailable: {{ .Values.node.maxUnavailable }} + type: {{ .Values.node.strategyType }} + selector: + matchLabels: + app: {{ .Values.linux.dsName }} + {{- include "azurefile.selectorLabels" . | nindent 6 }} + template: + metadata: + labels: + app: {{ .Values.linux.dsName }} + {{- include "azurefile.labels" . | nindent 8 }} + {{- if .Values.workloadIdentity.clientID }} + azure.workload.identity/use: "true" + {{- end }} +{{- with .Values.linux.podLabels }} +{{ toYaml . | indent 8 }} +{{- end }} +{{- with .Values.linux.podAnnotations }} + annotations: +{{ toYaml . | indent 8 }} +{{- end }} + spec: + hostNetwork: true + dnsPolicy: {{ .Values.linux.dnsPolicy }} + serviceAccountName: {{ .Values.serviceAccount.node }} + nodeSelector: + kubernetes.io/os: linux +{{- with .Values.linux.nodeSelector }} +{{ toYaml . | indent 8 }} +{{- end }} + affinity: +{{- with .Values.linux.affinity }} +{{ toYaml . | indent 8 }} +{{- end }} + nodeAffinity: +{{ toYaml .Values.linux.nodeAffinity | indent 10 }} + priorityClassName: system-node-critical + securityContext: + seccompProfile: + type: RuntimeDefault +{{- with .Values.linux.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} +{{- end }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: +{{ toYaml .Values.imagePullSecrets | indent 8 }} + {{- end }} + containers: + - name: liveness-probe + volumeMounts: + - mountPath: /csi + name: socket-dir +{{- if hasPrefix "/" .Values.image.livenessProbe.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}" +{{- else }} + image: "{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}" +{{- end }} + args: + - --csi-address=/csi/csi.sock + - --probe-timeout=10s + - --http-endpoint=localhost:{{ .Values.node.livenessProbe.healthPort }} + - --v=2 + imagePullPolicy: {{ .Values.image.livenessProbe.pullPolicy }} + resources: {{- toYaml .Values.linux.resources.livenessProbe | nindent 12 }} + - name: node-driver-registrar +{{- if hasPrefix "/" .Values.image.nodeDriverRegistrar.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}" +{{- else }} + image: "{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}" +{{- end }} + args: + - --csi-address=$(ADDRESS) + - --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH) + - --v=2 + env: + - name: ADDRESS + value: /csi/csi.sock + - name: DRIVER_REG_SOCK_PATH + value: {{ .Values.linux.kubelet }}/plugins/{{ .Values.driver.name }}/csi.sock + imagePullPolicy: {{ .Values.image.nodeDriverRegistrar.pullPolicy }} + volumeMounts: + - name: socket-dir + mountPath: /csi + - name: registration-dir + mountPath: /registration + resources: {{- toYaml .Values.linux.resources.nodeDriverRegistrar | nindent 12 }} + - name: azurefile +{{- if hasPrefix "/" .Values.image.azurefile.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}" +{{- else }} + image: "{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}" +{{- end }} + args: + - "--v={{ .Values.node.logLevel }}" + - "--endpoint=$(CSI_ENDPOINT)" + - "--nodeid=$(KUBE_NODE_NAME)" + - "--kubeconfig={{ .Values.linux.kubeconfig }}" + - "--drivername={{ .Values.driver.name }}" + - "--cloud-config-secret-name={{ .Values.node.cloudConfigSecretName }}" + - "--cloud-config-secret-namespace={{ .Values.node.cloudConfigSecretNamespace }}" + - "--custom-user-agent={{ .Values.driver.customUserAgent }}" + - "--user-agent-suffix={{ .Values.driver.userAgentSuffix }}" + - "--allow-empty-cloud-config={{ .Values.node.allowEmptyCloudConfig }}" + - "--enable-volume-mount-group={{ .Values.feature.enableVolumeMountGroup }}" + - "--enable-get-volume-stats={{ .Values.feature.enableGetVolumeStats }}" + - "--mount-permissions={{ .Values.linux.mountPermissions }}" + - "--allow-inline-volume-key-access-with-identity={{ .Values.node.allowInlineVolumeKeyAccessWithIdentity }}" + - "--metrics-address=0.0.0.0:{{ .Values.node.metricsPort }}" + - "--enable-kata-cc-mount={{ .Values.node.enableKataCCMount }}" + livenessProbe: + failureThreshold: 5 + httpGet: + host: localhost + path: /healthz + port: {{ .Values.node.livenessProbe.healthPort }} + initialDelaySeconds: 30 + timeoutSeconds: 30 + periodSeconds: 30 + env: + - name: AZURE_CREDENTIAL_FILE + valueFrom: + configMapKeyRef: + name: {{ .Values.azureCredentialFileConfigMap }} + key: path + optional: true + - name: CSI_ENDPOINT + value: unix:///csi/csi.sock + {{- if ne .Values.driver.httpsProxy "" }} + - name: HTTPS_PROXY + value: {{ .Values.driver.httpsProxy }} + {{- end }} + {{- if ne .Values.driver.httpProxy "" }} + - name: HTTP_PROXY + value: {{ .Values.driver.httpProxy }} + {{- end }} + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: AZURE_GO_SDK_LOG_LEVEL + value: {{ .Values.driver.azureGoSDKLogLevel }} + imagePullPolicy: {{ .Values.image.azurefile.pullPolicy }} + securityContext: + privileged: true + capabilities: + drop: + - ALL + volumeMounts: + - mountPath: /csi + name: socket-dir + - mountPath: {{ .Values.linux.kubelet }}/ + mountPropagation: Bidirectional + name: mountpoint-dir + - mountPath: /etc/kubernetes/ + name: azure-cred + - mountPath: /dev + name: device-dir + {{- if eq .Values.linux.distro "fedora" }} + - name: ssl + mountPath: /etc/ssl/certs + readOnly: true + - name: ssl-pki + mountPath: /etc/pki/ca-trust/extracted + readOnly: true + {{- end }} + {{- if .Values.node.enableKataCCMount }} + - mountPath: /run/kata-containers/shared/direct-volumes + name: kata-direct-volumes + {{- end }} + resources: {{- toYaml .Values.linux.resources.azurefile | nindent 12 }} + volumes: + - hostPath: + path: {{ .Values.linux.kubelet }}/plugins/{{ .Values.driver.name }} + type: DirectoryOrCreate + name: socket-dir + - hostPath: + path: {{ .Values.linux.kubelet }}/ + type: DirectoryOrCreate + name: mountpoint-dir + - hostPath: + path: {{ .Values.linux.kubelet }}/plugins_registry/ + type: DirectoryOrCreate + name: registration-dir + - hostPath: + path: /etc/kubernetes/ + type: DirectoryOrCreate + name: azure-cred + - hostPath: + path: /dev + type: Directory + name: device-dir + {{- if eq .Values.linux.distro "fedora" }} + - name: ssl + hostPath: + path: /etc/ssl/certs + - name: ssl-pki + hostPath: + path: /etc/pki/ca-trust/extracted + {{- end }} + {{- if .Values.node.enableKataCCMount }} + - name: kata-direct-volumes + hostPath: + path: /run/kata-containers/shared/direct-volumes/ + type: DirectoryOrCreate + {{- end }} +{{- end -}} diff --git a/charts/v1.32.7/azurefile-csi-driver/templates/csi-snapshot-controller.yaml b/charts/v1.32.7/azurefile-csi-driver/templates/csi-snapshot-controller.yaml new file mode 100644 index 0000000000..c671d5ba89 --- /dev/null +++ b/charts/v1.32.7/azurefile-csi-driver/templates/csi-snapshot-controller.yaml @@ -0,0 +1,99 @@ +{{- if .Values.snapshot.enabled -}} +kind: Deployment +apiVersion: apps/v1 +metadata: + name: {{ .Values.snapshot.snapshotController.name}} + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Values.snapshot.snapshotController.name}} + {{- include "azurefile.labels" . | nindent 4 }} +{{- with .Values.snapshot.snapshotController.labels }} +{{ . | toYaml | indent 4 }} +{{- end }} +{{- with .Values.snapshot.snapshotController.annotations }} + annotations: +{{ . | toYaml | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.snapshot.snapshotController.replicas }} + selector: + matchLabels: + app: {{ .Values.snapshot.snapshotController.name}} + {{- include "azurefile.selectorLabels" . | nindent 6 }} + # the snapshot controller won't be marked as ready if the v1 CRDs are unavailable + # in #504 the snapshot-controller will exit after around 7.5 seconds if it + # can't find the v1 CRDs so this value should be greater than that + minReadySeconds: 15 + strategy: + rollingUpdate: + maxSurge: 0 + maxUnavailable: 1 + type: {{ .Values.snapshot.snapshotController.strategyType }} + template: + metadata: + labels: + app: {{ .Values.snapshot.snapshotController.name}} + {{- include "azurefile.labels" . | nindent 8 }} +{{- with .Values.snapshot.snapshotController.podLabels }} +{{ toYaml . | indent 8 }} +{{- end }} +{{- with .Values.snapshot.snapshotController.podAnnotations }} + annotations: +{{ toYaml . | indent 8 }} +{{- end }} + spec: + serviceAccountName: {{ .Values.serviceAccount.snapshotController }} + nodeSelector: + kubernetes.io/os: linux + # runOnControlPlane=true or runOnMaster=true only takes effect if affinity is not set + {{- if tpl "{{ .Values.controller.affinity }}" . | contains "nodeSelectorTerms" }} + {{- with .Values.controller.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- else if or .Values.controller.runOnControlPlane .Values.controller.runOnMaster}} + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + {{- if .Values.controller.runOnControlPlane}} + - key: node-role.kubernetes.io/control-plane + operator: Exists + {{- end}} + {{- if .Values.controller.runOnMaster}} + - key: node-role.kubernetes.io/master + operator: Exists + {{- end}} + {{- end }} + priorityClassName: system-cluster-critical + securityContext: + seccompProfile: + type: RuntimeDefault +{{- with .Values.controller.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} +{{- end }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: +{{ toYaml .Values.imagePullSecrets | indent 8 }} + {{- end }} + containers: + - name: {{ .Values.snapshot.snapshotController.name}} +{{- if hasPrefix "/" .Values.snapshot.image.csiSnapshotController.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.snapshot.image.csiSnapshotController.repository }}:{{ .Values.snapshot.image.csiSnapshotController.tag }}" +{{- else }} + image: "{{ .Values.snapshot.image.csiSnapshotController.repository }}:{{ .Values.snapshot.image.csiSnapshotController.tag }}" +{{- end }} + args: + - "--v=2" + - "--leader-election=true" + - "--leader-election-namespace={{ .Release.Namespace }}" + - "--retry-interval-max=30m" + resources: {{- toYaml .Values.snapshot.snapshotController.resources | nindent 12 }} + imagePullPolicy: {{ .Values.snapshot.image.csiSnapshotController.pullPolicy }} + securityContext: + capabilities: + drop: + - ALL +{{- end -}} diff --git a/charts/v1.32.7/azurefile-csi-driver/templates/rbac-csi-azurefile-controller.yaml b/charts/v1.32.7/azurefile-csi-driver/templates/rbac-csi-azurefile-controller.yaml new file mode 100644 index 0000000000..e0a2e14d95 --- /dev/null +++ b/charts/v1.32.7/azurefile-csi-driver/templates/rbac-csi-azurefile-controller.yaml @@ -0,0 +1,207 @@ +{{- if .Values.rbac.create -}} +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Values.rbac.name }}-external-provisioner-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "create", "patch", "delete"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["storage.k8s.io"] + resources: ["storageclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["get", "list", "watch", "create", "update", "patch"] + - apiGroups: ["storage.k8s.io"] + resources: ["csinodes"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "watch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots"] + verbs: ["get", "list"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["get", "list"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create", "patch"] +--- + +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Values.rbac.name }}-csi-provisioner-binding + labels: + {{- include "azurefile.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccount.controller }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: {{ .Values.rbac.name }}-external-provisioner-role + apiGroup: rbac.authorization.k8s.io + +--- + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Values.rbac.name }}-external-attacher-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "watch"] + - apiGroups: ["csi.storage.k8s.io"] + resources: ["csinodeinfos"] + verbs: ["get", "list", "watch"] + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments/status"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create", "patch"] +--- + +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Values.rbac.name }}-csi-attacher-binding + labels: + {{- include "azurefile.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccount.controller }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: {{ .Values.rbac.name }}-external-attacher-role + apiGroup: rbac.authorization.k8s.io + +--- + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Values.rbac.name }}-external-snapshotter-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["create", "get", "list", "watch", "update", "delete", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents/status"] + verbs: ["update", "patch"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create", "patch"] +--- + +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Values.rbac.name }}-csi-snapshotter-binding + labels: + {{- include "azurefile.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccount.controller }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: {{ .Values.rbac.name }}-external-snapshotter-role + apiGroup: rbac.authorization.k8s.io + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Values.rbac.name }}-external-resizer-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["persistentvolumeclaims/status"] + verbs: ["update", "patch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create", "patch"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Values.rbac.name }}-csi-resizer-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccount.controller }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: {{ .Values.rbac.name }}-external-resizer-role + apiGroup: rbac.authorization.k8s.io + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-{{ .Values.rbac.name }}-controller-secret-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "create"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-{{ .Values.rbac.name }}-controller-secret-binding + labels: + {{- include "azurefile.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccount.controller }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: csi-{{ .Values.rbac.name }}-controller-secret-role + apiGroup: rbac.authorization.k8s.io +{{ end }} diff --git a/charts/v1.32.7/azurefile-csi-driver/templates/rbac-csi-azurefile-node.yaml b/charts/v1.32.7/azurefile-csi-driver/templates/rbac-csi-azurefile-node.yaml new file mode 100644 index 0000000000..39790e1438 --- /dev/null +++ b/charts/v1.32.7/azurefile-csi-driver/templates/rbac-csi-azurefile-node.yaml @@ -0,0 +1,64 @@ +{{- if .Values.rbac.create -}} +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-{{ .Values.rbac.name }}-node-secret-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-{{ .Values.rbac.name }}-node-secret-binding + labels: + {{- include "azurefile.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccount.node }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: csi-{{ .Values.rbac.name }}-node-secret-role + apiGroup: rbac.authorization.k8s.io +--- +{{- if .Values.node.enableKataCCMount -}} +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-{{ .Values.rbac.name }}-node-katacc-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["pods"] + verbs: ["get"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get"] + - apiGroups: ["node.k8s.io"] + resources: ["runtimeclasses"] + verbs: ["get", "list"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-{{ .Values.rbac.name }}-node-katacc-binding + labels: + {{- include "azurefile.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccount.node }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: csi-{{ .Values.rbac.name }}-node-katacc-role + apiGroup: rbac.authorization.k8s.io +--- +{{ end }} +{{ end }} diff --git a/charts/v1.32.7/azurefile-csi-driver/templates/rbac-csi-snapshot-controller.yaml b/charts/v1.32.7/azurefile-csi-driver/templates/rbac-csi-snapshot-controller.yaml new file mode 100644 index 0000000000..853a9b4375 --- /dev/null +++ b/charts/v1.32.7/azurefile-csi-driver/templates/rbac-csi-snapshot-controller.yaml @@ -0,0 +1,80 @@ +{{- if and .Values.snapshot.enabled .Values.rbac.create -}} +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-snapshot-controller-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["storage.k8s.io"] + resources: ["storageclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["create", "get", "list", "watch", "update", "delete", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents/status"] + verbs: ["patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots"] + verbs: ["get", "list", "watch", "update", "patch", "create"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots/status"] + verbs: ["update", "patch"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-snapshot-controller-binding + labels: + {{- include "azurefile.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccount.snapshotController }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: csi-snapshot-controller-role + apiGroup: rbac.authorization.k8s.io + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-snapshot-controller-leaderelection-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +rules: + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create", "patch"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-snapshot-controller-leaderelection-binding + labels: + {{- include "azurefile.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccount.snapshotController }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: csi-snapshot-controller-leaderelection-role + apiGroup: rbac.authorization.k8s.io +{{ end }} diff --git a/charts/v1.32.7/azurefile-csi-driver/templates/serviceaccount-csi-azurefile-controller.yaml b/charts/v1.32.7/azurefile-csi-driver/templates/serviceaccount-csi-azurefile-controller.yaml new file mode 100644 index 0000000000..71442b70dc --- /dev/null +++ b/charts/v1.32.7/azurefile-csi-driver/templates/serviceaccount-csi-azurefile-controller.yaml @@ -0,0 +1,17 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ .Values.serviceAccount.controller }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "azurefile.labels" . | nindent 4 }} +{{- if .Values.workloadIdentity.clientID }} + azure.workload.identity/use: "true" + annotations: + azure.workload.identity/client-id: {{ .Values.workloadIdentity.clientID }} +{{- if .Values.workloadIdentity.tenantID }} + azure.workload.identity/tenant-id: {{ .Values.workloadIdentity.tenantID }} +{{- end }} +{{- end }} +{{- end -}} diff --git a/charts/v1.32.7/azurefile-csi-driver/templates/serviceaccount-csi-azurefile-node.yaml b/charts/v1.32.7/azurefile-csi-driver/templates/serviceaccount-csi-azurefile-node.yaml new file mode 100644 index 0000000000..ab2074429d --- /dev/null +++ b/charts/v1.32.7/azurefile-csi-driver/templates/serviceaccount-csi-azurefile-node.yaml @@ -0,0 +1,17 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ .Values.serviceAccount.node }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "azurefile.labels" . | nindent 4 }} +{{- if .Values.workloadIdentity.clientID }} + azure.workload.identity/use: "true" + annotations: + azure.workload.identity/client-id: {{ .Values.workloadIdentity.clientID }} +{{- if .Values.workloadIdentity.tenantID }} + azure.workload.identity/tenant-id: {{ .Values.workloadIdentity.tenantID }} +{{- end }} +{{- end }} +{{- end -}} diff --git a/charts/v1.32.7/azurefile-csi-driver/templates/serviceaccount-csi-snapshot-controller.yaml b/charts/v1.32.7/azurefile-csi-driver/templates/serviceaccount-csi-snapshot-controller.yaml new file mode 100644 index 0000000000..e77ef8f991 --- /dev/null +++ b/charts/v1.32.7/azurefile-csi-driver/templates/serviceaccount-csi-snapshot-controller.yaml @@ -0,0 +1,9 @@ +{{- if and .Values.snapshot.enabled .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ .Values.serviceAccount.snapshotController }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "azurefile.labels" . | nindent 4 }} +{{- end -}} diff --git a/charts/v1.32.7/azurefile-csi-driver/values.yaml b/charts/v1.32.7/azurefile-csi-driver/values.yaml new file mode 100644 index 0000000000..d72c33683b --- /dev/null +++ b/charts/v1.32.7/azurefile-csi-driver/values.yaml @@ -0,0 +1,263 @@ +image: + baseRepo: mcr.microsoft.com + azurefile: + repository: /oss/v2/kubernetes-csi/azurefile-csi + tag: v1.32.7 + pullPolicy: IfNotPresent + csiProvisioner: + repository: /oss/kubernetes-csi/csi-provisioner + tag: v5.2.0 + pullPolicy: IfNotPresent + csiResizer: + repository: /oss/v2/kubernetes-csi/csi-resizer + tag: v1.13.2 + pullPolicy: IfNotPresent + livenessProbe: + repository: /oss/v2/kubernetes-csi/livenessprobe + tag: v2.15.0 + pullPolicy: IfNotPresent + nodeDriverRegistrar: + repository: /oss/v2/kubernetes-csi/csi-node-driver-registrar + tag: v2.13.0 + pullPolicy: IfNotPresent + +## Reference to one or more secrets to be used when pulling images +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ +imagePullSecrets: [] +# - name: myRegistryKeySecretName + +# -- Custom labels to add into metadata +customLabels: {} + # k8s-app: azurefile-csi-driver + +serviceAccount: + create: true # When true, service accounts will be created for you. Set to false if you want to use your own. + controller: csi-azurefile-controller-sa # Name of Service Account to be created or used + node: csi-azurefile-node-sa # Name of Service Account to be created or used + snapshotController: csi-snapshot-controller-sa # Name of Service Account to be created or used + +rbac: + create: true + name: azurefile + +controller: + name: csi-azurefile-controller + cloudConfigSecretName: azure-cloud-provider + cloudConfigSecretNamespace: kube-system + allowEmptyCloudConfig: true + replicas: 2 + strategyType: RollingUpdate + hostNetwork: true # this setting could be disabled if controller does not depend on MSI setting + metricsPort: 29614 + livenessProbe: + healthPort: 29612 + runOnMaster: false + runOnControlPlane: false + attachRequired: false + logLevel: 5 + labels: {} + annotations: {} + podLabels: {} + podAnnotations: {} + resources: + csiProvisioner: + limits: + cpu: 1 + memory: 500Mi + requests: + cpu: 10m + memory: 20Mi + csiResizer: + limits: + cpu: 1 + memory: 500Mi + requests: + cpu: 10m + memory: 20Mi + csiSnapshotter: + limits: + cpu: 1 + memory: 400Mi + requests: + cpu: 10m + memory: 20Mi + livenessProbe: + limits: + cpu: 1 + memory: 100Mi + requests: + cpu: 10m + memory: 20Mi + azurefile: + limits: + cpu: 2 + memory: 800Mi + requests: + cpu: 10m + memory: 20Mi + kubeconfig: "" + affinity: {} + nodeSelector: {} + tolerations: + - key: "node-role.kubernetes.io/master" + operator: "Exists" + effect: "NoSchedule" + - key: "node-role.kubernetes.io/controlplane" + operator: "Exists" + effect: "NoSchedule" + - key: "node-role.kubernetes.io/control-plane" + operator: "Exists" + effect: "NoSchedule" + - key: "CriticalAddonsOnly" + operator: "Exists" + effect: "NoSchedule" + +node: + strategyType: RollingUpdate + maxUnavailable: 1 + cloudConfigSecretName: azure-cloud-provider + cloudConfigSecretNamespace: kube-system + allowEmptyCloudConfig: true + allowInlineVolumeKeyAccessWithIdentity: false + enableKataCCMount: false + metricsPort: 29615 + livenessProbe: + healthPort: 29613 + logLevel: 5 + +snapshot: + enabled: false + image: + csiSnapshotter: + repository: /oss/kubernetes-csi/csi-snapshotter + tag: v8.2.1 + pullPolicy: IfNotPresent + csiSnapshotController: + repository: /oss/kubernetes-csi/snapshot-controller + tag: v8.2.1 + pullPolicy: IfNotPresent + snapshotController: + name: csi-snapshot-controller + replicas: 2 + strategyType: RollingUpdate + labels: {} + annotations: {} + podLabels: {} + podAnnotations: {} + resources: + limits: + cpu: 1 + memory: 500Mi + requests: + cpu: 10m + memory: 20Mi + +feature: + enableGetVolumeStats: true + enableVolumeMountGroup: true + fsGroupPolicy: ReadWriteOnceWithFSType + +driver: + name: file.csi.azure.com + customUserAgent: "" + userAgentSuffix: "OSS-helm" + azureGoSDKLogLevel: "" # available values: ""(no logs), DEBUG, INFO, WARNING, ERROR + httpsProxy: "" + httpProxy: "" + +linux: + enabled: true + dsName: csi-azurefile-node # daemonset name + dnsPolicy: Default # available values: Default, ClusterFirst, ClusterFirstWithHostNet, None + kubelet: /var/lib/kubelet + kubeconfig: "" + distro: debian # available values: debian, fedora + mountPermissions: 0777 + labels: {} + annotations: {} + podLabels: {} + podAnnotations: {} + resources: + livenessProbe: + limits: + memory: 100Mi + requests: + cpu: 10m + memory: 20Mi + nodeDriverRegistrar: + limits: + memory: 100Mi + requests: + cpu: 10m + memory: 20Mi + azurefile: + limits: + memory: 400Mi + requests: + cpu: 10m + memory: 20Mi + tolerations: + - operator: "Exists" + nodeSelector: {} + affinity: {} + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: type + operator: NotIn + values: + - virtual-kubelet + +windows: + enabled: true + useHostProcessContainers: true + dsName: csi-azurefile-node-win # daemonset name + kubelet: 'C:\var\lib\kubelet' + kubeconfig: "" + enableRegistrationProbe: true + labels: {} + annotations: {} + podLabels: {} + podAnnotations: {} + resources: + livenessProbe: + limits: + memory: 150Mi + requests: + cpu: 10m + memory: 40Mi + nodeDriverRegistrar: + limits: + memory: 150Mi + requests: + cpu: 30m + memory: 40Mi + azurefile: + limits: + memory: 600Mi + requests: + cpu: 10m + memory: 40Mi + tolerations: + - key: "node.kubernetes.io/os" + operator: "Exists" + effect: "NoSchedule" + nodeSelector: {} + affinity: {} + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: type + operator: NotIn + values: + - virtual-kubelet + +workloadIdentity: + clientID: "" + # [optional] If the AAD application or user-assigned managed identity is not in the same tenant as the cluster + # then set tenantID with the application or user-assigned managed identity tenant ID + tenantID: "" + +azureCredentialFileConfigMap: azure-cred-file diff --git a/charts/v1.32.8/azurefile-csi-driver-1.32.8.tgz b/charts/v1.32.8/azurefile-csi-driver-1.32.8.tgz new file mode 100644 index 0000000000..6bb7ea7bf0 Binary files /dev/null and b/charts/v1.32.8/azurefile-csi-driver-1.32.8.tgz differ diff --git a/charts/v1.32.8/azurefile-csi-driver/Chart.yaml b/charts/v1.32.8/azurefile-csi-driver/Chart.yaml new file mode 100644 index 0000000000..3e14f13371 --- /dev/null +++ b/charts/v1.32.8/azurefile-csi-driver/Chart.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +appVersion: 1.32.8 +description: Azure File Container Storage Interface (CSI) Storage Plugin +name: azurefile-csi-driver +version: 1.32.8 diff --git a/charts/v1.32.8/azurefile-csi-driver/templates/NOTES.txt b/charts/v1.32.8/azurefile-csi-driver/templates/NOTES.txt new file mode 100644 index 0000000000..bea09b0829 --- /dev/null +++ b/charts/v1.32.8/azurefile-csi-driver/templates/NOTES.txt @@ -0,0 +1,5 @@ +The Azure File CSI Driver is getting deployed to your cluster. + +To check Azure File CSI Driver pods status, please run: + + kubectl --namespace={{ .Release.Namespace }} get pods --selector="app.kubernetes.io/name={{ .Release.Name }}" --watch diff --git a/charts/v1.32.8/azurefile-csi-driver/templates/_helpers.tpl b/charts/v1.32.8/azurefile-csi-driver/templates/_helpers.tpl new file mode 100644 index 0000000000..b1bf4dc1b6 --- /dev/null +++ b/charts/v1.32.8/azurefile-csi-driver/templates/_helpers.tpl @@ -0,0 +1,49 @@ +{{/* vim: set filetype=mustache: */}} + +{{/* Expand the name of the chart.*/}} +{{- define "azurefile.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "azurefile.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Common selectors. +*/}} +{{- define "azurefile.selectorLabels" -}} +app.kubernetes.io/name: {{ template "azurefile.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end -}} + +{{/* +Common labels. +*/}} +{{- define "azurefile.labels" -}} +{{- include "azurefile.selectorLabels" . }} +app.kubernetes.io/component: csi-driver +app.kubernetes.io/part-of: {{ template "azurefile.name" . }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +helm.sh/chart: {{ template "azurefile.chart" . }} +{{- if .Values.customLabels }} +{{ toYaml .Values.customLabels }} +{{- end }} +{{- end -}} + + +{{/* pull secrets for containers */}} +{{- define "azurefile.pullSecrets" -}} +{{- if .Values.imagePullSecrets }} +imagePullSecrets: +{{- range .Values.imagePullSecrets }} + - name: {{ . }} +{{- end }} +{{- end }} +{{- end -}} diff --git a/charts/v1.32.8/azurefile-csi-driver/templates/crd-csi-snapshot.yaml b/charts/v1.32.8/azurefile-csi-driver/templates/crd-csi-snapshot.yaml new file mode 100644 index 0000000000..3a66c45732 --- /dev/null +++ b/charts/v1.32.8/azurefile-csi-driver/templates/crd-csi-snapshot.yaml @@ -0,0 +1,953 @@ +{{- if .Values.snapshot.enabled -}} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + api-approved.kubernetes.io: "https://github.com/kubernetes-csi/external-snapshotter/pull/814" + name: volumesnapshots.snapshot.storage.k8s.io +spec: + group: snapshot.storage.k8s.io + names: + kind: VolumeSnapshot + listKind: VolumeSnapshotList + plural: volumesnapshots + shortNames: + - vs + singular: volumesnapshot + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Indicates if the snapshot is ready to be used to restore a volume. + jsonPath: .status.readyToUse + name: ReadyToUse + type: boolean + - description: If a new snapshot needs to be created, this contains the name of + the source PVC from which this snapshot was (or will be) created. + jsonPath: .spec.source.persistentVolumeClaimName + name: SourcePVC + type: string + - description: If a snapshot already exists, this contains the name of the existing + VolumeSnapshotContent object representing the existing snapshot. + jsonPath: .spec.source.volumeSnapshotContentName + name: SourceSnapshotContent + type: string + - description: Represents the minimum size of volume required to rehydrate from + this snapshot. + jsonPath: .status.restoreSize + name: RestoreSize + type: string + - description: The name of the VolumeSnapshotClass requested by the VolumeSnapshot. + jsonPath: .spec.volumeSnapshotClassName + name: SnapshotClass + type: string + - description: Name of the VolumeSnapshotContent object to which the VolumeSnapshot + object intends to bind to. Please note that verification of binding actually + requires checking both VolumeSnapshot and VolumeSnapshotContent to ensure + both are pointing at each other. Binding MUST be verified prior to usage of + this object. + jsonPath: .status.boundVolumeSnapshotContentName + name: SnapshotContent + type: string + - description: Timestamp when the point-in-time snapshot was taken by the underlying + storage system. + jsonPath: .status.creationTime + name: CreationTime + type: date + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + VolumeSnapshot is a user's request for either creating a point-in-time + snapshot of a persistent volume, or binding to a pre-existing snapshot. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + spec defines the desired characteristics of a snapshot requested by a user. + More info: https://kubernetes.io/docs/concepts/storage/volume-snapshots#volumesnapshots + Required. + properties: + source: + description: |- + source specifies where a snapshot will be created from. + This field is immutable after creation. + Required. + properties: + persistentVolumeClaimName: + description: |- + persistentVolumeClaimName specifies the name of the PersistentVolumeClaim + object representing the volume from which a snapshot should be created. + This PVC is assumed to be in the same namespace as the VolumeSnapshot + object. + This field should be set if the snapshot does not exists, and needs to be + created. + This field is immutable. + type: string + x-kubernetes-validations: + - message: persistentVolumeClaimName is immutable + rule: self == oldSelf + volumeSnapshotContentName: + description: |- + volumeSnapshotContentName specifies the name of a pre-existing VolumeSnapshotContent + object representing an existing volume snapshot. + This field should be set if the snapshot already exists and only needs a representation in Kubernetes. + This field is immutable. + type: string + x-kubernetes-validations: + - message: volumeSnapshotContentName is immutable + rule: self == oldSelf + type: object + x-kubernetes-validations: + - message: persistentVolumeClaimName is required once set + rule: '!has(oldSelf.persistentVolumeClaimName) || has(self.persistentVolumeClaimName)' + - message: volumeSnapshotContentName is required once set + rule: '!has(oldSelf.volumeSnapshotContentName) || has(self.volumeSnapshotContentName)' + - message: exactly one of volumeSnapshotContentName and persistentVolumeClaimName + must be set + rule: (has(self.volumeSnapshotContentName) && !has(self.persistentVolumeClaimName)) + || (!has(self.volumeSnapshotContentName) && has(self.persistentVolumeClaimName)) + volumeSnapshotClassName: + description: |- + VolumeSnapshotClassName is the name of the VolumeSnapshotClass + requested by the VolumeSnapshot. + VolumeSnapshotClassName may be left nil to indicate that the default + SnapshotClass should be used. + A given cluster may have multiple default Volume SnapshotClasses: one + default per CSI Driver. If a VolumeSnapshot does not specify a SnapshotClass, + VolumeSnapshotSource will be checked to figure out what the associated + CSI Driver is, and the default VolumeSnapshotClass associated with that + CSI Driver will be used. If more than one VolumeSnapshotClass exist for + a given CSI Driver and more than one have been marked as default, + CreateSnapshot will fail and generate an event. + Empty string is not allowed for this field. + type: string + x-kubernetes-validations: + - message: volumeSnapshotClassName must not be the empty string when + set + rule: size(self) > 0 + required: + - source + type: object + status: + description: |- + status represents the current information of a snapshot. + Consumers must verify binding between VolumeSnapshot and + VolumeSnapshotContent objects is successful (by validating that both + VolumeSnapshot and VolumeSnapshotContent point at each other) before + using this object. + properties: + boundVolumeSnapshotContentName: + description: |- + boundVolumeSnapshotContentName is the name of the VolumeSnapshotContent + object to which this VolumeSnapshot object intends to bind to. + If not specified, it indicates that the VolumeSnapshot object has not been + successfully bound to a VolumeSnapshotContent object yet. + NOTE: To avoid possible security issues, consumers must verify binding between + VolumeSnapshot and VolumeSnapshotContent objects is successful (by validating that + both VolumeSnapshot and VolumeSnapshotContent point at each other) before using + this object. + type: string + creationTime: + description: |- + creationTime is the timestamp when the point-in-time snapshot is taken + by the underlying storage system. + In dynamic snapshot creation case, this field will be filled in by the + snapshot controller with the "creation_time" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "creation_time" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. + If not specified, it may indicate that the creation time of the snapshot is unknown. + format: date-time + type: string + error: + description: |- + error is the last observed error during snapshot creation, if any. + This field could be helpful to upper level controllers(i.e., application controller) + to decide whether they should continue on waiting for the snapshot to be created + based on the type of error reported. + The snapshot controller will keep retrying when an error occurs during the + snapshot creation. Upon success, this error field will be cleared. + properties: + message: + description: |- + message is a string detailing the encountered error during snapshot + creation if specified. + NOTE: message may be logged, and it should not contain sensitive + information. + type: string + time: + description: time is the timestamp when the error was encountered. + format: date-time + type: string + type: object + readyToUse: + description: |- + readyToUse indicates if the snapshot is ready to be used to restore a volume. + In dynamic snapshot creation case, this field will be filled in by the + snapshot controller with the "ready_to_use" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "ready_to_use" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it, + otherwise, this field will be set to "True". + If not specified, it means the readiness of a snapshot is unknown. + type: boolean + restoreSize: + type: string + description: |- + restoreSize represents the minimum size of volume required to create a volume + from this snapshot. + In dynamic snapshot creation case, this field will be filled in by the + snapshot controller with the "size_bytes" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "size_bytes" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. + When restoring a volume from this snapshot, the size of the volume MUST NOT + be smaller than the restoreSize if it is specified, otherwise the restoration will fail. + If not specified, it indicates that the size is unknown. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + volumeGroupSnapshotName: + description: |- + VolumeGroupSnapshotName is the name of the VolumeGroupSnapshot of which this + VolumeSnapshot is a part of. + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: Indicates if the snapshot is ready to be used to restore a volume. + jsonPath: .status.readyToUse + name: ReadyToUse + type: boolean + - description: If a new snapshot needs to be created, this contains the name of the source PVC from which this snapshot was (or will be) created. + jsonPath: .spec.source.persistentVolumeClaimName + name: SourcePVC + type: string + - description: If a snapshot already exists, this contains the name of the existing VolumeSnapshotContent object representing the existing snapshot. + jsonPath: .spec.source.volumeSnapshotContentName + name: SourceSnapshotContent + type: string + - description: Represents the minimum size of volume required to rehydrate from this snapshot. + jsonPath: .status.restoreSize + name: RestoreSize + type: string + - description: The name of the VolumeSnapshotClass requested by the VolumeSnapshot. + jsonPath: .spec.volumeSnapshotClassName + name: SnapshotClass + type: string + - description: Name of the VolumeSnapshotContent object to which the VolumeSnapshot object intends to bind to. Please note that verification of binding actually requires checking both VolumeSnapshot and VolumeSnapshotContent to ensure both are pointing at each other. Binding MUST be verified prior to usage of this object. + jsonPath: .status.boundVolumeSnapshotContentName + name: SnapshotContent + type: string + - description: Timestamp when the point-in-time snapshot was taken by the underlying storage system. + jsonPath: .status.creationTime + name: CreationTime + type: date + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + # This indicates the v1beta1 version of the custom resource is deprecated. + # API requests to this version receive a warning in the server response. + deprecated: true + # This overrides the default warning returned to clients making v1beta1 API requests. + deprecationWarning: "snapshot.storage.k8s.io/v1beta1 VolumeSnapshot is deprecated; use snapshot.storage.k8s.io/v1 VolumeSnapshot" + schema: + openAPIV3Schema: + description: VolumeSnapshot is a user's request for either creating a point-in-time snapshot of a persistent volume, or binding to a pre-existing snapshot. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + spec: + description: 'spec defines the desired characteristics of a snapshot requested by a user. More info: https://kubernetes.io/docs/concepts/storage/volume-snapshots#volumesnapshots Required.' + properties: + source: + description: source specifies where a snapshot will be created from. This field is immutable after creation. Required. + properties: + persistentVolumeClaimName: + description: persistentVolumeClaimName specifies the name of the PersistentVolumeClaim object representing the volume from which a snapshot should be created. This PVC is assumed to be in the same namespace as the VolumeSnapshot object. This field should be set if the snapshot does not exists, and needs to be created. This field is immutable. + type: string + volumeSnapshotContentName: + description: volumeSnapshotContentName specifies the name of a pre-existing VolumeSnapshotContent object representing an existing volume snapshot. This field should be set if the snapshot already exists and only needs a representation in Kubernetes. This field is immutable. + type: string + type: object + volumeSnapshotClassName: + description: 'VolumeSnapshotClassName is the name of the VolumeSnapshotClass requested by the VolumeSnapshot. VolumeSnapshotClassName may be left nil to indicate that the default SnapshotClass should be used. A given cluster may have multiple default Volume SnapshotClasses: one default per CSI Driver. If a VolumeSnapshot does not specify a SnapshotClass, VolumeSnapshotSource will be checked to figure out what the associated CSI Driver is, and the default VolumeSnapshotClass associated with that CSI Driver will be used. If more than one VolumeSnapshotClass exist for a given CSI Driver and more than one have been marked as default, CreateSnapshot will fail and generate an event. Empty string is not allowed for this field.' + type: string + required: + - source + type: object + status: + description: status represents the current information of a snapshot. Consumers must verify binding between VolumeSnapshot and VolumeSnapshotContent objects is successful (by validating that both VolumeSnapshot and VolumeSnapshotContent point at each other) before using this object. + properties: + boundVolumeSnapshotContentName: + description: 'boundVolumeSnapshotContentName is the name of the VolumeSnapshotContent object to which this VolumeSnapshot object intends to bind to. If not specified, it indicates that the VolumeSnapshot object has not been successfully bound to a VolumeSnapshotContent object yet. NOTE: To avoid possible security issues, consumers must verify binding between VolumeSnapshot and VolumeSnapshotContent objects is successful (by validating that both VolumeSnapshot and VolumeSnapshotContent point at each other) before using this object.' + type: string + creationTime: + description: creationTime is the timestamp when the point-in-time snapshot is taken by the underlying storage system. In dynamic snapshot creation case, this field will be filled in by the snapshot controller with the "creation_time" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "creation_time" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. If not specified, it may indicate that the creation time of the snapshot is unknown. + format: date-time + type: string + error: + description: error is the last observed error during snapshot creation, if any. This field could be helpful to upper level controllers(i.e., application controller) to decide whether they should continue on waiting for the snapshot to be created based on the type of error reported. The snapshot controller will keep retrying when an error occurs during the snapshot creation. Upon success, this error field will be cleared. + properties: + message: + description: 'message is a string detailing the encountered error during snapshot creation if specified. NOTE: message may be logged, and it should not contain sensitive information.' + type: string + time: + description: time is the timestamp when the error was encountered. + format: date-time + type: string + type: object + readyToUse: + description: readyToUse indicates if the snapshot is ready to be used to restore a volume. In dynamic snapshot creation case, this field will be filled in by the snapshot controller with the "ready_to_use" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "ready_to_use" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it, otherwise, this field will be set to "True". If not specified, it means the readiness of a snapshot is unknown. + type: boolean + restoreSize: + type: string + description: restoreSize represents the minimum size of volume required to create a volume from this snapshot. In dynamic snapshot creation case, this field will be filled in by the snapshot controller with the "size_bytes" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "size_bytes" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. When restoring a volume from this snapshot, the size of the volume MUST NOT be smaller than the restoreSize if it is specified, otherwise the restoration will fail. If not specified, it indicates that the size is unknown. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + required: + - spec + type: object + served: false + storage: false + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: "https://github.com/kubernetes-csi/external-snapshotter/pull/814" + controller-gen.kubebuilder.io/version: v0.15.0 + name: volumesnapshotclasses.snapshot.storage.k8s.io +spec: + group: snapshot.storage.k8s.io + names: + kind: VolumeSnapshotClass + listKind: VolumeSnapshotClassList + plural: volumesnapshotclasses + shortNames: + - vsclass + - vsclasses + singular: volumesnapshotclass + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .driver + name: Driver + type: string + - description: Determines whether a VolumeSnapshotContent created through the + VolumeSnapshotClass should be deleted when its bound VolumeSnapshot is deleted. + jsonPath: .deletionPolicy + name: DeletionPolicy + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + VolumeSnapshotClass specifies parameters that a underlying storage system uses when + creating a volume snapshot. A specific VolumeSnapshotClass is used by specifying its + name in a VolumeSnapshot object. + VolumeSnapshotClasses are non-namespaced + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + deletionPolicy: + description: |- + deletionPolicy determines whether a VolumeSnapshotContent created through + the VolumeSnapshotClass should be deleted when its bound VolumeSnapshot is deleted. + Supported values are "Retain" and "Delete". + "Retain" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are kept. + "Delete" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are deleted. + Required. + enum: + - Delete + - Retain + type: string + driver: + description: |- + driver is the name of the storage driver that handles this VolumeSnapshotClass. + Required. + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + parameters: + additionalProperties: + type: string + description: |- + parameters is a key-value map with storage driver specific parameters for creating snapshots. + These values are opaque to Kubernetes. + type: object + required: + - deletionPolicy + - driver + type: object + served: true + storage: true + subresources: {} + - additionalPrinterColumns: + - jsonPath: .driver + name: Driver + type: string + - description: Determines whether a VolumeSnapshotContent created through the VolumeSnapshotClass should be deleted when its bound VolumeSnapshot is deleted. + jsonPath: .deletionPolicy + name: DeletionPolicy + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + # This indicates the v1beta1 version of the custom resource is deprecated. + # API requests to this version receive a warning in the server response. + deprecated: true + # This overrides the default warning returned to clients making v1beta1 API requests. + deprecationWarning: "snapshot.storage.k8s.io/v1beta1 VolumeSnapshotClass is deprecated; use snapshot.storage.k8s.io/v1 VolumeSnapshotClass" + schema: + openAPIV3Schema: + description: VolumeSnapshotClass specifies parameters that a underlying storage system uses when creating a volume snapshot. A specific VolumeSnapshotClass is used by specifying its name in a VolumeSnapshot object. VolumeSnapshotClasses are non-namespaced + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + deletionPolicy: + description: deletionPolicy determines whether a VolumeSnapshotContent created through the VolumeSnapshotClass should be deleted when its bound VolumeSnapshot is deleted. Supported values are "Retain" and "Delete". "Retain" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are kept. "Delete" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are deleted. Required. + enum: + - Delete + - Retain + type: string + driver: + description: driver is the name of the storage driver that handles this VolumeSnapshotClass. Required. + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + parameters: + additionalProperties: + type: string + description: parameters is a key-value map with storage driver specific parameters for creating snapshots. These values are opaque to Kubernetes. + type: object + required: + - deletionPolicy + - driver + type: object + served: false + storage: false + subresources: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + api-approved.kubernetes.io: "https://github.com/kubernetes-csi/external-snapshotter/pull/955" + name: volumesnapshotcontents.snapshot.storage.k8s.io +spec: + group: snapshot.storage.k8s.io + names: + kind: VolumeSnapshotContent + listKind: VolumeSnapshotContentList + plural: volumesnapshotcontents + shortNames: + - vsc + - vscs + singular: volumesnapshotcontent + scope: Cluster + versions: + - additionalPrinterColumns: + - description: Indicates if the snapshot is ready to be used to restore a volume. + jsonPath: .status.readyToUse + name: ReadyToUse + type: boolean + - description: Represents the complete size of the snapshot in bytes + jsonPath: .status.restoreSize + name: RestoreSize + type: integer + - description: Determines whether this VolumeSnapshotContent and its physical + snapshot on the underlying storage system should be deleted when its bound + VolumeSnapshot is deleted. + jsonPath: .spec.deletionPolicy + name: DeletionPolicy + type: string + - description: Name of the CSI driver used to create the physical snapshot on + the underlying storage system. + jsonPath: .spec.driver + name: Driver + type: string + - description: Name of the VolumeSnapshotClass to which this snapshot belongs. + jsonPath: .spec.volumeSnapshotClassName + name: VolumeSnapshotClass + type: string + - description: Name of the VolumeSnapshot object to which this VolumeSnapshotContent + object is bound. + jsonPath: .spec.volumeSnapshotRef.name + name: VolumeSnapshot + type: string + - description: Namespace of the VolumeSnapshot object to which this VolumeSnapshotContent + object is bound. + jsonPath: .spec.volumeSnapshotRef.namespace + name: VolumeSnapshotNamespace + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + VolumeSnapshotContent represents the actual "on-disk" snapshot object in the + underlying storage system + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + spec defines properties of a VolumeSnapshotContent created by the underlying storage system. + Required. + properties: + deletionPolicy: + description: |- + deletionPolicy determines whether this VolumeSnapshotContent and its physical snapshot on + the underlying storage system should be deleted when its bound VolumeSnapshot is deleted. + Supported values are "Retain" and "Delete". + "Retain" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are kept. + "Delete" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are deleted. + For dynamically provisioned snapshots, this field will automatically be filled in by the + CSI snapshotter sidecar with the "DeletionPolicy" field defined in the corresponding + VolumeSnapshotClass. + For pre-existing snapshots, users MUST specify this field when creating the + VolumeSnapshotContent object. + Required. + enum: + - Delete + - Retain + type: string + driver: + description: |- + driver is the name of the CSI driver used to create the physical snapshot on + the underlying storage system. + This MUST be the same as the name returned by the CSI GetPluginName() call for + that driver. + Required. + type: string + source: + description: |- + source specifies whether the snapshot is (or should be) dynamically provisioned + or already exists, and just requires a Kubernetes object representation. + This field is immutable after creation. + Required. + properties: + snapshotHandle: + description: |- + snapshotHandle specifies the CSI "snapshot_id" of a pre-existing snapshot on + the underlying storage system for which a Kubernetes object representation + was (or should be) created. + This field is immutable. + type: string + x-kubernetes-validations: + - message: snapshotHandle is immutable + rule: self == oldSelf + volumeHandle: + description: |- + volumeHandle specifies the CSI "volume_id" of the volume from which a snapshot + should be dynamically taken from. + This field is immutable. + type: string + x-kubernetes-validations: + - message: volumeHandle is immutable + rule: self == oldSelf + type: object + x-kubernetes-validations: + - message: volumeHandle is required once set + rule: '!has(oldSelf.volumeHandle) || has(self.volumeHandle)' + - message: snapshotHandle is required once set + rule: '!has(oldSelf.snapshotHandle) || has(self.snapshotHandle)' + - message: exactly one of volumeHandle and snapshotHandle must be + set + rule: (has(self.volumeHandle) && !has(self.snapshotHandle)) || (!has(self.volumeHandle) + && has(self.snapshotHandle)) + sourceVolumeMode: + description: |- + SourceVolumeMode is the mode of the volume whose snapshot is taken. + Can be either "Filesystem" or "Block". + If not specified, it indicates the source volume's mode is unknown. + This field is immutable. + This field is an alpha field. + type: string + x-kubernetes-validations: + - message: sourceVolumeMode is immutable + rule: self == oldSelf + volumeSnapshotClassName: + description: |- + name of the VolumeSnapshotClass from which this snapshot was (or will be) + created. + Note that after provisioning, the VolumeSnapshotClass may be deleted or + recreated with different set of values, and as such, should not be referenced + post-snapshot creation. + type: string + volumeSnapshotRef: + description: |- + volumeSnapshotRef specifies the VolumeSnapshot object to which this + VolumeSnapshotContent object is bound. + VolumeSnapshot.Spec.VolumeSnapshotContentName field must reference to + this VolumeSnapshotContent's name for the bidirectional binding to be valid. + For a pre-existing VolumeSnapshotContent object, name and namespace of the + VolumeSnapshot object MUST be provided for binding to happen. + This field is immutable after creation. + Required. + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. + type: string + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + namespace: + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + type: string + resourceVersion: + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + type: string + uid: + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + type: string + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: both spec.volumeSnapshotRef.name and spec.volumeSnapshotRef.namespace + must be set + rule: has(self.name) && has(self.__namespace__) + required: + - deletionPolicy + - driver + - source + - volumeSnapshotRef + type: object + x-kubernetes-validations: + - message: sourceVolumeMode is required once set + rule: '!has(oldSelf.sourceVolumeMode) || has(self.sourceVolumeMode)' + status: + description: status represents the current information of a snapshot. + properties: + creationTime: + description: |- + creationTime is the timestamp when the point-in-time snapshot is taken + by the underlying storage system. + In dynamic snapshot creation case, this field will be filled in by the + CSI snapshotter sidecar with the "creation_time" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "creation_time" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. + If not specified, it indicates the creation time is unknown. + The format of this field is a Unix nanoseconds time encoded as an int64. + On Unix, the command `date +%s%N` returns the current time in nanoseconds + since 1970-01-01 00:00:00 UTC. + format: int64 + type: integer + error: + description: |- + error is the last observed error during snapshot creation, if any. + Upon success after retry, this error field will be cleared. + properties: + message: + description: |- + message is a string detailing the encountered error during snapshot + creation if specified. + NOTE: message may be logged, and it should not contain sensitive + information. + type: string + time: + description: time is the timestamp when the error was encountered. + format: date-time + type: string + type: object + readyToUse: + description: |- + readyToUse indicates if a snapshot is ready to be used to restore a volume. + In dynamic snapshot creation case, this field will be filled in by the + CSI snapshotter sidecar with the "ready_to_use" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "ready_to_use" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it, + otherwise, this field will be set to "True". + If not specified, it means the readiness of a snapshot is unknown. + type: boolean + restoreSize: + description: |- + restoreSize represents the complete size of the snapshot in bytes. + In dynamic snapshot creation case, this field will be filled in by the + CSI snapshotter sidecar with the "size_bytes" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "size_bytes" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. + When restoring a volume from this snapshot, the size of the volume MUST NOT + be smaller than the restoreSize if it is specified, otherwise the restoration will fail. + If not specified, it indicates that the size is unknown. + format: int64 + minimum: 0 + type: integer + snapshotHandle: + description: |- + snapshotHandle is the CSI "snapshot_id" of a snapshot on the underlying storage system. + If not specified, it indicates that dynamic snapshot creation has either failed + or it is still in progress. + type: string + volumeGroupSnapshotHandle: + description: |- + VolumeGroupSnapshotHandle is the CSI "group_snapshot_id" of a group snapshot + on the underlying storage system. + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: Indicates if the snapshot is ready to be used to restore a volume. + jsonPath: .status.readyToUse + name: ReadyToUse + type: boolean + - description: Represents the complete size of the snapshot in bytes + jsonPath: .status.restoreSize + name: RestoreSize + type: integer + - description: Determines whether this VolumeSnapshotContent and its physical snapshot on the underlying storage system should be deleted when its bound VolumeSnapshot is deleted. + jsonPath: .spec.deletionPolicy + name: DeletionPolicy + type: string + - description: Name of the CSI driver used to create the physical snapshot on the underlying storage system. + jsonPath: .spec.driver + name: Driver + type: string + - description: Name of the VolumeSnapshotClass to which this snapshot belongs. + jsonPath: .spec.volumeSnapshotClassName + name: VolumeSnapshotClass + type: string + - description: Name of the VolumeSnapshot object to which this VolumeSnapshotContent object is bound. + jsonPath: .spec.volumeSnapshotRef.name + name: VolumeSnapshot + type: string + - description: Namespace of the VolumeSnapshot object to which this VolumeSnapshotContent object is bound. + jsonPath: .spec.volumeSnapshotRef.namespace + name: VolumeSnapshotNamespace + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + # This indicates the v1beta1 version of the custom resource is deprecated. + # API requests to this version receive a warning in the server response. + deprecated: true + # This overrides the default warning returned to clients making v1beta1 API requests. + deprecationWarning: "snapshot.storage.k8s.io/v1beta1 VolumeSnapshotContent is deprecated; use snapshot.storage.k8s.io/v1 VolumeSnapshotContent" + schema: + openAPIV3Schema: + description: VolumeSnapshotContent represents the actual "on-disk" snapshot object in the underlying storage system + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + spec: + description: spec defines properties of a VolumeSnapshotContent created by the underlying storage system. Required. + properties: + deletionPolicy: + description: deletionPolicy determines whether this VolumeSnapshotContent and its physical snapshot on the underlying storage system should be deleted when its bound VolumeSnapshot is deleted. Supported values are "Retain" and "Delete". "Retain" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are kept. "Delete" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are deleted. For dynamically provisioned snapshots, this field will automatically be filled in by the CSI snapshotter sidecar with the "DeletionPolicy" field defined in the corresponding VolumeSnapshotClass. For pre-existing snapshots, users MUST specify this field when creating the VolumeSnapshotContent object. Required. + enum: + - Delete + - Retain + type: string + driver: + description: driver is the name of the CSI driver used to create the physical snapshot on the underlying storage system. This MUST be the same as the name returned by the CSI GetPluginName() call for that driver. Required. + type: string + source: + description: source specifies whether the snapshot is (or should be) dynamically provisioned or already exists, and just requires a Kubernetes object representation. This field is immutable after creation. Required. + properties: + snapshotHandle: + description: snapshotHandle specifies the CSI "snapshot_id" of a pre-existing snapshot on the underlying storage system for which a Kubernetes object representation was (or should be) created. This field is immutable. + type: string + volumeHandle: + description: volumeHandle specifies the CSI "volume_id" of the volume from which a snapshot should be dynamically taken from. This field is immutable. + type: string + type: object + volumeSnapshotClassName: + description: name of the VolumeSnapshotClass from which this snapshot was (or will be) created. Note that after provisioning, the VolumeSnapshotClass may be deleted or recreated with different set of values, and as such, should not be referenced post-snapshot creation. + type: string + volumeSnapshotRef: + description: volumeSnapshotRef specifies the VolumeSnapshot object to which this VolumeSnapshotContent object is bound. VolumeSnapshot.Spec.VolumeSnapshotContentName field must reference to this VolumeSnapshotContent's name for the bidirectional binding to be valid. For a pre-existing VolumeSnapshotContent object, name and namespace of the VolumeSnapshot object MUST be provided for binding to happen. This field is immutable after creation. Required. + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + required: + - deletionPolicy + - driver + - source + - volumeSnapshotRef + type: object + status: + description: status represents the current information of a snapshot. + properties: + creationTime: + description: creationTime is the timestamp when the point-in-time snapshot is taken by the underlying storage system. In dynamic snapshot creation case, this field will be filled in by the CSI snapshotter sidecar with the "creation_time" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "creation_time" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. If not specified, it indicates the creation time is unknown. The format of this field is a Unix nanoseconds time encoded as an int64. On Unix, the command `date +%s%N` returns the current time in nanoseconds since 1970-01-01 00:00:00 UTC. + format: int64 + type: integer + error: + description: error is the last observed error during snapshot creation, if any. Upon success after retry, this error field will be cleared. + properties: + message: + description: 'message is a string detailing the encountered error during snapshot creation if specified. NOTE: message may be logged, and it should not contain sensitive information.' + type: string + time: + description: time is the timestamp when the error was encountered. + format: date-time + type: string + type: object + readyToUse: + description: readyToUse indicates if a snapshot is ready to be used to restore a volume. In dynamic snapshot creation case, this field will be filled in by the CSI snapshotter sidecar with the "ready_to_use" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "ready_to_use" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it, otherwise, this field will be set to "True". If not specified, it means the readiness of a snapshot is unknown. + type: boolean + restoreSize: + description: restoreSize represents the complete size of the snapshot in bytes. In dynamic snapshot creation case, this field will be filled in by the CSI snapshotter sidecar with the "size_bytes" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "size_bytes" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. When restoring a volume from this snapshot, the size of the volume MUST NOT be smaller than the restoreSize if it is specified, otherwise the restoration will fail. If not specified, it indicates that the size is unknown. + format: int64 + minimum: 0 + type: integer + snapshotHandle: + description: snapshotHandle is the CSI "snapshot_id" of a snapshot on the underlying storage system. If not specified, it indicates that dynamic snapshot creation has either failed or it is still in progress. + type: string + type: object + required: + - spec + type: object + served: false + storage: false + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end -}} diff --git a/charts/v1.32.8/azurefile-csi-driver/templates/csi-azurefile-controller.yaml b/charts/v1.32.8/azurefile-csi-driver/templates/csi-azurefile-controller.yaml new file mode 100644 index 0000000000..0e782b851b --- /dev/null +++ b/charts/v1.32.8/azurefile-csi-driver/templates/csi-azurefile-controller.yaml @@ -0,0 +1,285 @@ +kind: Deployment +apiVersion: apps/v1 +metadata: + name: {{ .Values.controller.name }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Values.controller.name }} + {{- include "azurefile.labels" . | nindent 4 }} +{{- with .Values.controller.labels }} +{{ . | toYaml | indent 4 }} +{{- end }} +{{- with .Values.controller.annotations }} + annotations: +{{ . | toYaml | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.controller.replicas }} + selector: + matchLabels: + {{- include "azurefile.selectorLabels" . | nindent 6 }} + app: {{ .Values.controller.name }} + strategy: + type: {{ .Values.controller.strategyType }} + template: + metadata: + labels: + {{- include "azurefile.labels" . | nindent 8 }} + app: {{ .Values.controller.name }} + {{- if .Values.workloadIdentity.clientID }} + azure.workload.identity/use: "true" + {{- end }} +{{- with .Values.controller.podLabels }} +{{ toYaml . | indent 8 }} +{{- end }} +{{- with .Values.controller.podAnnotations }} + annotations: +{{ toYaml . | indent 8 }} +{{- end }} + spec: + hostNetwork: {{ .Values.controller.hostNetwork }} + serviceAccountName: {{ .Values.serviceAccount.controller }} + nodeSelector: + kubernetes.io/os: linux +{{- with .Values.controller.nodeSelector }} +{{ toYaml . | indent 8 }} +{{- end }} + # runOnControlPlane=true or runOnMaster=true only takes effect if affinity is not set + {{- if tpl "{{ .Values.controller.affinity }}" . | contains "nodeSelectorTerms" }} + {{- with .Values.controller.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- else if or .Values.controller.runOnControlPlane .Values.controller.runOnMaster}} + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + {{- if .Values.controller.runOnControlPlane}} + - key: node-role.kubernetes.io/control-plane + operator: Exists + {{- end}} + {{- if .Values.controller.runOnMaster}} + - key: node-role.kubernetes.io/master + operator: Exists + {{- end}} + {{- end }} + priorityClassName: system-cluster-critical + securityContext: + seccompProfile: + type: RuntimeDefault +{{- with .Values.controller.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} +{{- end }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: +{{ toYaml .Values.imagePullSecrets | indent 8 }} + {{- end }} + containers: + - name: csi-provisioner +{{- if hasPrefix "/" .Values.image.csiProvisioner.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.csiProvisioner.repository }}:{{ .Values.image.csiProvisioner.tag }}" +{{- else }} + image: "{{ .Values.image.csiProvisioner.repository }}:{{ .Values.image.csiProvisioner.tag }}" +{{- end }} + args: + - "-v=2" + - "--csi-address=$(ADDRESS)" + - "--leader-election" + - "--leader-election-namespace={{ .Release.Namespace }}" + - "--timeout=1200s" + - "--extra-create-metadata=true" + - "--kube-api-qps=50" + - "--kube-api-burst=100" + - "--feature-gates=HonorPVReclaimPolicy=true" + - "--retry-interval-max=30m" + env: + - name: ADDRESS + value: /csi/csi.sock + imagePullPolicy: {{ .Values.image.csiProvisioner.pullPolicy }} + volumeMounts: + - mountPath: /csi + name: socket-dir + resources: {{- toYaml .Values.controller.resources.csiProvisioner | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL + - name: csi-snapshotter +{{- if hasPrefix "/" .Values.snapshot.image.csiSnapshotter.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.snapshot.image.csiSnapshotter.repository }}:{{ .Values.snapshot.image.csiSnapshotter.tag }}" +{{- else }} + image: "{{ .Values.snapshot.image.csiSnapshotter.repository }}:{{ .Values.snapshot.image.csiSnapshotter.tag }}" +{{- end }} + args: + - "-csi-address=$(ADDRESS)" + - "-leader-election" + - "--leader-election-namespace={{ .Release.Namespace }}" + - "-v=2" + - "--retry-interval-max=30m" + env: + - name: ADDRESS + value: /csi/csi.sock + volumeMounts: + - name: socket-dir + mountPath: /csi + resources: {{- toYaml .Values.controller.resources.csiSnapshotter | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL + - name: csi-resizer +{{- if hasPrefix "/" .Values.image.csiResizer.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.csiResizer.repository }}:{{ .Values.image.csiResizer.tag }}" +{{- else }} + image: "{{ .Values.image.csiResizer.repository }}:{{ .Values.image.csiResizer.tag }}" +{{- end }} + args: + - "-csi-address=$(ADDRESS)" + - "-v=2" + - "-leader-election" + - "--leader-election-namespace={{ .Release.Namespace }}" + - '-handle-volume-inuse-error=false' + - '-timeout=120s' + - '-feature-gates=RecoverVolumeExpansionFailure=true' + - "--retry-interval-max=30m" + env: + - name: ADDRESS + value: /csi/csi.sock + imagePullPolicy: {{ .Values.image.csiResizer.pullPolicy }} + volumeMounts: + - name: socket-dir + mountPath: /csi + resources: {{- toYaml .Values.controller.resources.csiResizer | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL + - name: liveness-probe +{{- if hasPrefix "/" .Values.image.livenessProbe.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}" +{{- else }} + image: "{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}" +{{- end }} + args: + - --csi-address=/csi/csi.sock + - --probe-timeout=3s +{{- if eq .Values.controller.hostNetwork true }} + - --http-endpoint=localhost:{{ .Values.controller.livenessProbe.healthPort }} +{{- else }} + - --health-port={{ .Values.controller.livenessProbe.healthPort }} +{{- end }} + - --v=2 + imagePullPolicy: {{ .Values.image.livenessProbe.pullPolicy }} + volumeMounts: + - name: socket-dir + mountPath: /csi + resources: {{- toYaml .Values.controller.resources.livenessProbe | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL + - name: azurefile +{{- if hasPrefix "/" .Values.image.azurefile.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}" +{{- else }} + image: "{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}" +{{- end }} + args: + - "--v={{ .Values.controller.logLevel }}" + - "--endpoint=$(CSI_ENDPOINT)" + - "--metrics-address=0.0.0.0:{{ .Values.controller.metricsPort }}" + - "--kubeconfig={{ .Values.controller.kubeconfig }}" + - "--drivername={{ .Values.driver.name }}" + - "--cloud-config-secret-name={{ .Values.controller.cloudConfigSecretName }}" + - "--cloud-config-secret-namespace={{ .Values.controller.cloudConfigSecretNamespace }}" + - "--custom-user-agent={{ .Values.driver.customUserAgent }}" + - "--user-agent-suffix={{ .Values.driver.userAgentSuffix }}" + - "--allow-empty-cloud-config={{ .Values.controller.allowEmptyCloudConfig }}" + ports: + - containerPort: {{ .Values.controller.metricsPort }} + name: metrics + protocol: TCP +{{- if ne .Values.controller.hostNetwork true }} + - containerPort: {{ .Values.controller.livenessProbe.healthPort }} + name: healthz + protocol: TCP +{{- end }} + livenessProbe: + failureThreshold: 5 + httpGet: + path: /healthz +{{- if eq .Values.controller.hostNetwork true }} + host: localhost + port: {{ .Values.controller.livenessProbe.healthPort }} +{{- else }} + port: healthz +{{- end }} + initialDelaySeconds: 30 + timeoutSeconds: 10 + periodSeconds: 30 + env: + - name: AZURE_CREDENTIAL_FILE + valueFrom: + configMapKeyRef: + name: {{ .Values.azureCredentialFileConfigMap }} + key: path + optional: true + - name: CSI_ENDPOINT + value: unix:///csi/csi.sock + {{- if ne .Values.driver.httpsProxy "" }} + - name: HTTPS_PROXY + value: {{ .Values.driver.httpsProxy }} + {{- end }} + {{- if ne .Values.driver.httpProxy "" }} + - name: HTTP_PROXY + value: {{ .Values.driver.httpProxy }} + {{- end }} + - name: AZURE_GO_SDK_LOG_LEVEL + value: {{ .Values.driver.azureGoSDKLogLevel }} + - name: AZCOPY_CONCURRENCY_VALUE + value: "10" + - name: AZCOPY_CONCURRENT_FILES + value: "20" + - name: AZCOPY_BUFFER_GB + value: "1" + imagePullPolicy: {{ .Values.image.azurefile.pullPolicy }} + volumeMounts: + - mountPath: /csi + name: socket-dir + - mountPath: /root/.azcopy + name: azcopy-dir + - mountPath: /etc/kubernetes/ + name: azure-cred + {{- if eq .Values.linux.distro "fedora" }} + - name: ssl + mountPath: /etc/ssl/certs + readOnly: true + - name: ssl-pki + mountPath: /etc/pki/ca-trust/extracted + readOnly: true + {{- end }} + resources: {{- toYaml .Values.controller.resources.azurefile | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL + volumes: + - name: socket-dir + emptyDir: {} + - name: azcopy-dir + emptyDir: {} + - name: azure-cred + hostPath: + path: /etc/kubernetes/ + type: DirectoryOrCreate + {{- if eq .Values.linux.distro "fedora" }} + - name: ssl + hostPath: + path: /etc/ssl/certs + - name: ssl-pki + hostPath: + path: /etc/pki/ca-trust/extracted + {{- end }} diff --git a/charts/v1.32.8/azurefile-csi-driver/templates/csi-azurefile-driver.yaml b/charts/v1.32.8/azurefile-csi-driver/templates/csi-azurefile-driver.yaml new file mode 100644 index 0000000000..77df01e32d --- /dev/null +++ b/charts/v1.32.8/azurefile-csi-driver/templates/csi-azurefile-driver.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: storage.k8s.io/v1 +kind: CSIDriver +metadata: + name: {{ .Values.driver.name }} + labels: + {{- include "azurefile.labels" . | nindent 4 }} + annotations: + csiDriver: "{{ .Values.image.azurefile.tag }}" + snapshot: "{{ .Values.snapshot.image.csiSnapshotter.tag }}" +spec: + attachRequired: {{ .Values.controller.attachRequired }} + podInfoOnMount: true + volumeLifecycleModes: + - Persistent + - Ephemeral + fsGroupPolicy: {{ .Values.feature.fsGroupPolicy }} + tokenRequests: + - audience: api://AzureADTokenExchange diff --git a/charts/v1.32.8/azurefile-csi-driver/templates/csi-azurefile-node-windows-hostprocess.yaml b/charts/v1.32.8/azurefile-csi-driver/templates/csi-azurefile-node-windows-hostprocess.yaml new file mode 100644 index 0000000000..30acee27fb --- /dev/null +++ b/charts/v1.32.8/azurefile-csi-driver/templates/csi-azurefile-node-windows-hostprocess.yaml @@ -0,0 +1,164 @@ +{{- if and .Values.windows.enabled .Values.windows.useHostProcessContainers }} +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: {{ .Values.windows.dsName }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Values.windows.dsName }} + {{- include "azurefile.labels" . | nindent 4 }} +{{- with .Values.windows.labels }} +{{ . | toYaml | indent 4 }} +{{- end }} +{{- with .Values.windows.annotations }} + annotations: +{{ . | toYaml | indent 4 }} +{{- end }} +spec: + updateStrategy: + rollingUpdate: + maxUnavailable: {{ .Values.node.maxUnavailable }} + type: {{ .Values.node.strategyType }} + selector: + matchLabels: + app: {{ .Values.windows.dsName }} + {{- include "azurefile.selectorLabels" . | nindent 6 }} + template: + metadata: + labels: + app: {{ .Values.windows.dsName }} + {{- include "azurefile.labels" . | nindent 8 }} +{{- with .Values.windows.podLabels }} +{{ toYaml . | indent 8 }} +{{- end }} +{{- with .Values.windows.podAnnotations }} + annotations: +{{ toYaml . | indent 8 }} +{{- end }} + spec: + serviceAccountName: {{ .Values.serviceAccount.node }} +{{- with .Values.windows.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} +{{- end }} + nodeSelector: + kubernetes.io/os: windows +{{- with .Values.windows.nodeSelector }} +{{ toYaml . | indent 8 }} +{{- end }} + affinity: +{{- with .Values.windows.affinity }} +{{ toYaml . | indent 8 }} +{{- end }} + nodeAffinity: +{{ toYaml .Values.windows.nodeAffinity | indent 10 }} + priorityClassName: system-node-critical + {{- if .Values.imagePullSecrets }} + imagePullSecrets: +{{ toYaml .Values.imagePullSecrets | indent 8 }} + {{- end }} + securityContext: + seccompProfile: + type: RuntimeDefault + windowsOptions: + hostProcess: true + runAsUserName: "NT AUTHORITY\\SYSTEM" + hostNetwork: true + initContainers: + - name: init +{{- if hasPrefix "/" .Values.image.azurefile.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}-windows-hp" +{{- else }} + image: "{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}-windows-hp" +{{- end }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + command: + - "powershell.exe" + - "-c" + - "New-Item -ItemType Directory -Path C:\\var\\lib\\kubelet\\plugins\\{{ .Values.driver.name }}\\ -Force" + securityContext: + capabilities: + drop: + - ALL + containers: + - name: node-driver-registrar +{{- if hasPrefix "/" .Values.image.nodeDriverRegistrar.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}" +{{- else }} + image: "{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}" +{{- end }} + command: + - "csi-node-driver-registrar.exe" + args: + - "--csi-address=$(CSI_ENDPOINT)" + - "--kubelet-registration-path=$(DRIVER_REG_SOCK_PATH)" + - "--plugin-registration-path=$(PLUGIN_REG_DIR)" + - "--v=2" + env: + - name: CSI_ENDPOINT + value: unix://{{ .Values.windows.kubelet }}\plugins\{{ .Values.driver.name }}\csi.sock + - name: DRIVER_REG_SOCK_PATH + value: C:\\var\\lib\\kubelet\\plugins\\{{ .Values.driver.name }}\\csi.sock + - name: PLUGIN_REG_DIR + value: C:\\var\\lib\\kubelet\\plugins_registry\\ + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + imagePullPolicy: {{ .Values.image.nodeDriverRegistrar.pullPolicy }} + resources: {{- toYaml .Values.windows.resources.nodeDriverRegistrar | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL + - name: azurefile +{{- if hasPrefix "/" .Values.image.azurefile.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}-windows-hp" +{{- else }} + image: "{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}-windows-hp" +{{- end }} + command: + - "azurefileplugin.exe" + args: + - "--v={{ .Values.node.logLevel }}" + - "--endpoint=$(CSI_ENDPOINT)" + - "--nodeid=$(KUBE_NODE_NAME)" + - "--kubeconfig={{ .Values.windows.kubeconfig }}" + - "--drivername={{ .Values.driver.name }}" + - "--cloud-config-secret-name={{ .Values.node.cloudConfigSecretName }}" + - "--cloud-config-secret-namespace={{ .Values.node.cloudConfigSecretNamespace }}" + - "--custom-user-agent={{ .Values.driver.customUserAgent }}" + - "--user-agent-suffix={{ .Values.driver.userAgentSuffix }}" + - "--allow-empty-cloud-config={{ .Values.node.allowEmptyCloudConfig }}" + - "--enable-get-volume-stats={{ .Values.feature.enableGetVolumeStats }}" + - "--enable-windows-host-process=true" + - "--metrics-address=0.0.0.0:{{ .Values.node.metricsPort }}" + env: + - name: AZURE_CREDENTIAL_FILE + valueFrom: + configMapKeyRef: + name: {{ .Values.azureCredentialFileConfigMap }} + key: path-windows + optional: true + - name: CSI_ENDPOINT + value: unix://{{ .Values.windows.kubelet }}\plugins\{{ .Values.driver.name }}\csi.sock + {{- if ne .Values.driver.httpsProxy "" }} + - name: HTTPS_PROXY + value: {{ .Values.driver.httpsProxy }} + {{- end }} + {{- if ne .Values.driver.httpProxy "" }} + - name: HTTP_PROXY + value: {{ .Values.driver.httpProxy }} + {{- end }} + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + imagePullPolicy: {{ .Values.image.pullPolicy }} + resources: {{- toYaml .Values.windows.resources.azurefile | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL +{{- end -}} diff --git a/charts/v1.32.8/azurefile-csi-driver/templates/csi-azurefile-node-windows.yaml b/charts/v1.32.8/azurefile-csi-driver/templates/csi-azurefile-node-windows.yaml new file mode 100644 index 0000000000..5083bc96a8 --- /dev/null +++ b/charts/v1.32.8/azurefile-csi-driver/templates/csi-azurefile-node-windows.yaml @@ -0,0 +1,229 @@ +{{- if and .Values.windows.enabled (not .Values.windows.useHostProcessContainers) }} +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: {{ .Values.windows.dsName }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Values.windows.dsName }} + {{- include "azurefile.labels" . | nindent 4 }} +{{- with .Values.windows.labels }} +{{ . | toYaml | indent 4 }} +{{- end }} +{{- with .Values.windows.annotations }} + annotations: +{{ . | toYaml | indent 4 }} +{{- end }} +spec: + updateStrategy: + rollingUpdate: + maxUnavailable: {{ .Values.node.maxUnavailable }} + type: {{ .Values.node.strategyType }} + selector: + matchLabels: + app: {{ .Values.windows.dsName }} + {{- include "azurefile.selectorLabels" . | nindent 6 }} + template: + metadata: + labels: + app: {{ .Values.windows.dsName }} + {{- include "azurefile.labels" . | nindent 8 }} +{{- with .Values.windows.podLabels }} +{{ toYaml . | indent 8 }} +{{- end }} +{{- with .Values.windows.podAnnotations }} + annotations: +{{ toYaml . | indent 8 }} +{{- end }} + spec: + serviceAccountName: {{ .Values.serviceAccount.node }} +{{- with .Values.windows.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} +{{- end }} + nodeSelector: + kubernetes.io/os: windows +{{- with .Values.windows.nodeSelector }} +{{ toYaml . | indent 8 }} +{{- end }} + affinity: +{{- with .Values.windows.affinity }} +{{ toYaml . | indent 8 }} +{{- end }} + nodeAffinity: +{{ toYaml .Values.windows.nodeAffinity | indent 10 }} + priorityClassName: system-node-critical + securityContext: + seccompProfile: + type: RuntimeDefault + {{- if .Values.imagePullSecrets }} + imagePullSecrets: +{{ toYaml .Values.imagePullSecrets | indent 8 }} + {{- end }} + containers: + - name: liveness-probe + volumeMounts: + - mountPath: C:\csi + name: plugin-dir +{{- if hasPrefix "/" .Values.image.livenessProbe.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}" +{{- else }} + image: "{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}" +{{- end }} + args: + - "--csi-address=$(CSI_ENDPOINT)" + - "--probe-timeout=3s" + - "--health-port={{ .Values.node.livenessProbe.healthPort }}" + - "--v=2" + env: + - name: CSI_ENDPOINT + value: unix://C:\\csi\\csi.sock + imagePullPolicy: {{ .Values.image.livenessProbe.pullPolicy }} + resources: {{- toYaml .Values.windows.resources.livenessProbe | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL + - name: node-driver-registrar +{{- if hasPrefix "/" .Values.image.nodeDriverRegistrar.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}" +{{- else }} + image: "{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}" +{{- end }} + args: + - "--csi-address=$(CSI_ENDPOINT)" + - "--kubelet-registration-path=$(DRIVER_REG_SOCK_PATH)" + - "--v=2" + env: + - name: CSI_ENDPOINT + value: unix://C:\\csi\\csi.sock + - name: DRIVER_REG_SOCK_PATH + value: C:\\var\\lib\\kubelet\\plugins\\{{ .Values.driver.name }}\\csi.sock + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + imagePullPolicy: {{ .Values.image.nodeDriverRegistrar.pullPolicy }} + volumeMounts: + - name: kubelet-dir + mountPath: "C:\\var\\lib\\kubelet" + - name: plugin-dir + mountPath: C:\csi + - name: registration-dir + mountPath: C:\registration + resources: {{- toYaml .Values.windows.resources.nodeDriverRegistrar | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL + - name: azurefile +{{- if hasPrefix "/" .Values.image.azurefile.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}" +{{- else }} + image: "{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}" +{{- end }} + args: + - "--v={{ .Values.node.logLevel }}" + - "--endpoint=$(CSI_ENDPOINT)" + - "--nodeid=$(KUBE_NODE_NAME)" + - "--kubeconfig={{ .Values.windows.kubeconfig }}" + - "--drivername={{ .Values.driver.name }}" + - "--cloud-config-secret-name={{ .Values.node.cloudConfigSecretName }}" + - "--cloud-config-secret-namespace={{ .Values.node.cloudConfigSecretNamespace }}" + - "--custom-user-agent={{ .Values.driver.customUserAgent }}" + - "--user-agent-suffix={{ .Values.driver.userAgentSuffix }}" + - "--allow-empty-cloud-config={{ .Values.node.allowEmptyCloudConfig }}" + - "--enable-get-volume-stats={{ .Values.feature.enableGetVolumeStats }}" + - "--allow-inline-volume-key-access-with-identity={{ .Values.node.allowInlineVolumeKeyAccessWithIdentity }}" + - "--metrics-address=0.0.0.0:{{ .Values.node.metricsPort }}" + ports: + - containerPort: {{ .Values.node.livenessProbe.healthPort }} + name: healthz + protocol: TCP + livenessProbe: + failureThreshold: 5 + httpGet: + path: /healthz + port: healthz + initialDelaySeconds: 60 + timeoutSeconds: 60 + periodSeconds: 60 + env: + - name: AZURE_CREDENTIAL_FILE + valueFrom: + configMapKeyRef: + name: {{ .Values.azureCredentialFileConfigMap }} + key: path-windows + optional: true + - name: CSI_ENDPOINT + value: unix://C:\\csi\\csi.sock + {{- if ne .Values.driver.httpsProxy "" }} + - name: HTTPS_PROXY + value: {{ .Values.driver.httpsProxy }} + {{- end }} + {{- if ne .Values.driver.httpProxy "" }} + - name: HTTP_PROXY + value: {{ .Values.driver.httpProxy }} + {{- end }} + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: AZURE_GO_SDK_LOG_LEVEL + value: {{ .Values.driver.azureGoSDKLogLevel }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + volumeMounts: + - name: kubelet-dir + mountPath: "C:\\var\\lib\\kubelet" + - name: plugin-dir + mountPath: C:\csi + - name: azure-config + mountPath: C:\k + - name: csi-proxy-fs-pipe-v1 + mountPath: \\.\pipe\csi-proxy-filesystem-v1 + - name: csi-proxy-smb-pipe-v1 + mountPath: \\.\pipe\csi-proxy-smb-v1 + # these paths are still included for compatibility, they're used + # only if the node has still the beta version of the CSI proxy + - name: csi-proxy-fs-pipe-v1beta1 + mountPath: \\.\pipe\csi-proxy-filesystem-v1beta1 + - name: csi-proxy-smb-pipe-v1beta1 + mountPath: \\.\pipe\csi-proxy-smb-v1beta1 + resources: {{- toYaml .Values.windows.resources.azurefile | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL + volumes: + - name: csi-proxy-fs-pipe-v1 + hostPath: + path: \\.\pipe\csi-proxy-filesystem-v1 + - name: csi-proxy-smb-pipe-v1 + hostPath: + path: \\.\pipe\csi-proxy-smb-v1 + # these paths are still included for compatibility, they're used + # only if the node has still the beta version of the CSI proxy + - name: csi-proxy-fs-pipe-v1beta1 + hostPath: + path: \\.\pipe\csi-proxy-filesystem-v1beta1 + - name: csi-proxy-smb-pipe-v1beta1 + hostPath: + path: \\.\pipe\csi-proxy-smb-v1beta1 + - name: registration-dir + hostPath: + path: {{ .Values.windows.kubelet }}\plugins_registry\ + type: Directory + - name: kubelet-dir + hostPath: + path: {{ .Values.windows.kubelet }}\ + type: Directory + - name: plugin-dir + hostPath: + path: {{ .Values.windows.kubelet }}\plugins\{{ .Values.driver.name }}\ + type: DirectoryOrCreate + - name: azure-config + hostPath: + path: C:\k + type: Directory +{{- end -}} diff --git a/charts/v1.32.8/azurefile-csi-driver/templates/csi-azurefile-node.yaml b/charts/v1.32.8/azurefile-csi-driver/templates/csi-azurefile-node.yaml new file mode 100644 index 0000000000..b8f3bd0f3f --- /dev/null +++ b/charts/v1.32.8/azurefile-csi-driver/templates/csi-azurefile-node.yaml @@ -0,0 +1,227 @@ +{{- if .Values.linux.enabled}} +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: {{ .Values.linux.dsName }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Values.linux.dsName }} + {{- include "azurefile.labels" . | nindent 4 }} +{{- with .Values.linux.labels }} +{{ . | toYaml | indent 4 }} +{{- end }} +{{- with .Values.linux.annotations }} + annotations: +{{ . | toYaml | indent 4 }} +{{- end }} +spec: + updateStrategy: + rollingUpdate: + maxUnavailable: {{ .Values.node.maxUnavailable }} + type: {{ .Values.node.strategyType }} + selector: + matchLabels: + app: {{ .Values.linux.dsName }} + {{- include "azurefile.selectorLabels" . | nindent 6 }} + template: + metadata: + labels: + app: {{ .Values.linux.dsName }} + {{- include "azurefile.labels" . | nindent 8 }} + {{- if .Values.workloadIdentity.clientID }} + azure.workload.identity/use: "true" + {{- end }} +{{- with .Values.linux.podLabels }} +{{ toYaml . | indent 8 }} +{{- end }} +{{- with .Values.linux.podAnnotations }} + annotations: +{{ toYaml . | indent 8 }} +{{- end }} + spec: + hostNetwork: true + dnsPolicy: {{ .Values.linux.dnsPolicy }} + serviceAccountName: {{ .Values.serviceAccount.node }} + nodeSelector: + kubernetes.io/os: linux +{{- with .Values.linux.nodeSelector }} +{{ toYaml . | indent 8 }} +{{- end }} + affinity: +{{- with .Values.linux.affinity }} +{{ toYaml . | indent 8 }} +{{- end }} + nodeAffinity: +{{ toYaml .Values.linux.nodeAffinity | indent 10 }} + priorityClassName: system-node-critical + securityContext: + seccompProfile: + type: RuntimeDefault +{{- with .Values.linux.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} +{{- end }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: +{{ toYaml .Values.imagePullSecrets | indent 8 }} + {{- end }} + containers: + - name: liveness-probe + volumeMounts: + - mountPath: /csi + name: socket-dir +{{- if hasPrefix "/" .Values.image.livenessProbe.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}" +{{- else }} + image: "{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}" +{{- end }} + args: + - --csi-address=/csi/csi.sock + - --probe-timeout=10s + - --http-endpoint=localhost:{{ .Values.node.livenessProbe.healthPort }} + - --v=2 + imagePullPolicy: {{ .Values.image.livenessProbe.pullPolicy }} + resources: {{- toYaml .Values.linux.resources.livenessProbe | nindent 12 }} + - name: node-driver-registrar +{{- if hasPrefix "/" .Values.image.nodeDriverRegistrar.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}" +{{- else }} + image: "{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}" +{{- end }} + args: + - --csi-address=$(ADDRESS) + - --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH) + - --v=2 + env: + - name: ADDRESS + value: /csi/csi.sock + - name: DRIVER_REG_SOCK_PATH + value: {{ .Values.linux.kubelet }}/plugins/{{ .Values.driver.name }}/csi.sock + imagePullPolicy: {{ .Values.image.nodeDriverRegistrar.pullPolicy }} + volumeMounts: + - name: socket-dir + mountPath: /csi + - name: registration-dir + mountPath: /registration + resources: {{- toYaml .Values.linux.resources.nodeDriverRegistrar | nindent 12 }} + - name: azurefile +{{- if hasPrefix "/" .Values.image.azurefile.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}" +{{- else }} + image: "{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}" +{{- end }} + args: + - "--v={{ .Values.node.logLevel }}" + - "--endpoint=$(CSI_ENDPOINT)" + - "--nodeid=$(KUBE_NODE_NAME)" + - "--kubeconfig={{ .Values.linux.kubeconfig }}" + - "--drivername={{ .Values.driver.name }}" + - "--cloud-config-secret-name={{ .Values.node.cloudConfigSecretName }}" + - "--cloud-config-secret-namespace={{ .Values.node.cloudConfigSecretNamespace }}" + - "--custom-user-agent={{ .Values.driver.customUserAgent }}" + - "--user-agent-suffix={{ .Values.driver.userAgentSuffix }}" + - "--allow-empty-cloud-config={{ .Values.node.allowEmptyCloudConfig }}" + - "--enable-volume-mount-group={{ .Values.feature.enableVolumeMountGroup }}" + - "--enable-get-volume-stats={{ .Values.feature.enableGetVolumeStats }}" + - "--mount-permissions={{ .Values.linux.mountPermissions }}" + - "--allow-inline-volume-key-access-with-identity={{ .Values.node.allowInlineVolumeKeyAccessWithIdentity }}" + - "--metrics-address=0.0.0.0:{{ .Values.node.metricsPort }}" + - "--enable-kata-cc-mount={{ .Values.node.enableKataCCMount }}" + livenessProbe: + failureThreshold: 5 + httpGet: + host: localhost + path: /healthz + port: {{ .Values.node.livenessProbe.healthPort }} + initialDelaySeconds: 30 + timeoutSeconds: 30 + periodSeconds: 30 + env: + - name: AZURE_CREDENTIAL_FILE + valueFrom: + configMapKeyRef: + name: {{ .Values.azureCredentialFileConfigMap }} + key: path + optional: true + - name: CSI_ENDPOINT + value: unix:///csi/csi.sock + {{- if ne .Values.driver.httpsProxy "" }} + - name: HTTPS_PROXY + value: {{ .Values.driver.httpsProxy }} + {{- end }} + {{- if ne .Values.driver.httpProxy "" }} + - name: HTTP_PROXY + value: {{ .Values.driver.httpProxy }} + {{- end }} + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: AZURE_GO_SDK_LOG_LEVEL + value: {{ .Values.driver.azureGoSDKLogLevel }} + imagePullPolicy: {{ .Values.image.azurefile.pullPolicy }} + securityContext: + privileged: true + capabilities: + drop: + - ALL + volumeMounts: + - mountPath: /csi + name: socket-dir + - mountPath: {{ .Values.linux.kubelet }}/ + mountPropagation: Bidirectional + name: mountpoint-dir + - mountPath: /etc/kubernetes/ + name: azure-cred + - mountPath: /dev + name: device-dir + {{- if eq .Values.linux.distro "fedora" }} + - name: ssl + mountPath: /etc/ssl/certs + readOnly: true + - name: ssl-pki + mountPath: /etc/pki/ca-trust/extracted + readOnly: true + {{- end }} + {{- if .Values.node.enableKataCCMount }} + - mountPath: /run/kata-containers/shared/direct-volumes + name: kata-direct-volumes + {{- end }} + resources: {{- toYaml .Values.linux.resources.azurefile | nindent 12 }} + volumes: + - hostPath: + path: {{ .Values.linux.kubelet }}/plugins/{{ .Values.driver.name }} + type: DirectoryOrCreate + name: socket-dir + - hostPath: + path: {{ .Values.linux.kubelet }}/ + type: DirectoryOrCreate + name: mountpoint-dir + - hostPath: + path: {{ .Values.linux.kubelet }}/plugins_registry/ + type: DirectoryOrCreate + name: registration-dir + - hostPath: + path: /etc/kubernetes/ + type: DirectoryOrCreate + name: azure-cred + - hostPath: + path: /dev + type: Directory + name: device-dir + {{- if eq .Values.linux.distro "fedora" }} + - name: ssl + hostPath: + path: /etc/ssl/certs + - name: ssl-pki + hostPath: + path: /etc/pki/ca-trust/extracted + {{- end }} + {{- if .Values.node.enableKataCCMount }} + - name: kata-direct-volumes + hostPath: + path: /run/kata-containers/shared/direct-volumes/ + type: DirectoryOrCreate + {{- end }} +{{- end -}} diff --git a/charts/v1.32.8/azurefile-csi-driver/templates/csi-snapshot-controller.yaml b/charts/v1.32.8/azurefile-csi-driver/templates/csi-snapshot-controller.yaml new file mode 100644 index 0000000000..c671d5ba89 --- /dev/null +++ b/charts/v1.32.8/azurefile-csi-driver/templates/csi-snapshot-controller.yaml @@ -0,0 +1,99 @@ +{{- if .Values.snapshot.enabled -}} +kind: Deployment +apiVersion: apps/v1 +metadata: + name: {{ .Values.snapshot.snapshotController.name}} + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Values.snapshot.snapshotController.name}} + {{- include "azurefile.labels" . | nindent 4 }} +{{- with .Values.snapshot.snapshotController.labels }} +{{ . | toYaml | indent 4 }} +{{- end }} +{{- with .Values.snapshot.snapshotController.annotations }} + annotations: +{{ . | toYaml | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.snapshot.snapshotController.replicas }} + selector: + matchLabels: + app: {{ .Values.snapshot.snapshotController.name}} + {{- include "azurefile.selectorLabels" . | nindent 6 }} + # the snapshot controller won't be marked as ready if the v1 CRDs are unavailable + # in #504 the snapshot-controller will exit after around 7.5 seconds if it + # can't find the v1 CRDs so this value should be greater than that + minReadySeconds: 15 + strategy: + rollingUpdate: + maxSurge: 0 + maxUnavailable: 1 + type: {{ .Values.snapshot.snapshotController.strategyType }} + template: + metadata: + labels: + app: {{ .Values.snapshot.snapshotController.name}} + {{- include "azurefile.labels" . | nindent 8 }} +{{- with .Values.snapshot.snapshotController.podLabels }} +{{ toYaml . | indent 8 }} +{{- end }} +{{- with .Values.snapshot.snapshotController.podAnnotations }} + annotations: +{{ toYaml . | indent 8 }} +{{- end }} + spec: + serviceAccountName: {{ .Values.serviceAccount.snapshotController }} + nodeSelector: + kubernetes.io/os: linux + # runOnControlPlane=true or runOnMaster=true only takes effect if affinity is not set + {{- if tpl "{{ .Values.controller.affinity }}" . | contains "nodeSelectorTerms" }} + {{- with .Values.controller.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- else if or .Values.controller.runOnControlPlane .Values.controller.runOnMaster}} + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + {{- if .Values.controller.runOnControlPlane}} + - key: node-role.kubernetes.io/control-plane + operator: Exists + {{- end}} + {{- if .Values.controller.runOnMaster}} + - key: node-role.kubernetes.io/master + operator: Exists + {{- end}} + {{- end }} + priorityClassName: system-cluster-critical + securityContext: + seccompProfile: + type: RuntimeDefault +{{- with .Values.controller.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} +{{- end }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: +{{ toYaml .Values.imagePullSecrets | indent 8 }} + {{- end }} + containers: + - name: {{ .Values.snapshot.snapshotController.name}} +{{- if hasPrefix "/" .Values.snapshot.image.csiSnapshotController.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.snapshot.image.csiSnapshotController.repository }}:{{ .Values.snapshot.image.csiSnapshotController.tag }}" +{{- else }} + image: "{{ .Values.snapshot.image.csiSnapshotController.repository }}:{{ .Values.snapshot.image.csiSnapshotController.tag }}" +{{- end }} + args: + - "--v=2" + - "--leader-election=true" + - "--leader-election-namespace={{ .Release.Namespace }}" + - "--retry-interval-max=30m" + resources: {{- toYaml .Values.snapshot.snapshotController.resources | nindent 12 }} + imagePullPolicy: {{ .Values.snapshot.image.csiSnapshotController.pullPolicy }} + securityContext: + capabilities: + drop: + - ALL +{{- end -}} diff --git a/charts/v1.32.8/azurefile-csi-driver/templates/rbac-csi-azurefile-controller.yaml b/charts/v1.32.8/azurefile-csi-driver/templates/rbac-csi-azurefile-controller.yaml new file mode 100644 index 0000000000..e0a2e14d95 --- /dev/null +++ b/charts/v1.32.8/azurefile-csi-driver/templates/rbac-csi-azurefile-controller.yaml @@ -0,0 +1,207 @@ +{{- if .Values.rbac.create -}} +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Values.rbac.name }}-external-provisioner-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "create", "patch", "delete"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["storage.k8s.io"] + resources: ["storageclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["get", "list", "watch", "create", "update", "patch"] + - apiGroups: ["storage.k8s.io"] + resources: ["csinodes"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "watch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots"] + verbs: ["get", "list"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["get", "list"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create", "patch"] +--- + +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Values.rbac.name }}-csi-provisioner-binding + labels: + {{- include "azurefile.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccount.controller }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: {{ .Values.rbac.name }}-external-provisioner-role + apiGroup: rbac.authorization.k8s.io + +--- + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Values.rbac.name }}-external-attacher-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "watch"] + - apiGroups: ["csi.storage.k8s.io"] + resources: ["csinodeinfos"] + verbs: ["get", "list", "watch"] + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments/status"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create", "patch"] +--- + +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Values.rbac.name }}-csi-attacher-binding + labels: + {{- include "azurefile.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccount.controller }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: {{ .Values.rbac.name }}-external-attacher-role + apiGroup: rbac.authorization.k8s.io + +--- + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Values.rbac.name }}-external-snapshotter-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["create", "get", "list", "watch", "update", "delete", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents/status"] + verbs: ["update", "patch"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create", "patch"] +--- + +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Values.rbac.name }}-csi-snapshotter-binding + labels: + {{- include "azurefile.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccount.controller }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: {{ .Values.rbac.name }}-external-snapshotter-role + apiGroup: rbac.authorization.k8s.io + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Values.rbac.name }}-external-resizer-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["persistentvolumeclaims/status"] + verbs: ["update", "patch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create", "patch"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Values.rbac.name }}-csi-resizer-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccount.controller }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: {{ .Values.rbac.name }}-external-resizer-role + apiGroup: rbac.authorization.k8s.io + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-{{ .Values.rbac.name }}-controller-secret-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "create"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-{{ .Values.rbac.name }}-controller-secret-binding + labels: + {{- include "azurefile.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccount.controller }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: csi-{{ .Values.rbac.name }}-controller-secret-role + apiGroup: rbac.authorization.k8s.io +{{ end }} diff --git a/charts/v1.32.8/azurefile-csi-driver/templates/rbac-csi-azurefile-node.yaml b/charts/v1.32.8/azurefile-csi-driver/templates/rbac-csi-azurefile-node.yaml new file mode 100644 index 0000000000..39790e1438 --- /dev/null +++ b/charts/v1.32.8/azurefile-csi-driver/templates/rbac-csi-azurefile-node.yaml @@ -0,0 +1,64 @@ +{{- if .Values.rbac.create -}} +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-{{ .Values.rbac.name }}-node-secret-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-{{ .Values.rbac.name }}-node-secret-binding + labels: + {{- include "azurefile.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccount.node }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: csi-{{ .Values.rbac.name }}-node-secret-role + apiGroup: rbac.authorization.k8s.io +--- +{{- if .Values.node.enableKataCCMount -}} +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-{{ .Values.rbac.name }}-node-katacc-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["pods"] + verbs: ["get"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get"] + - apiGroups: ["node.k8s.io"] + resources: ["runtimeclasses"] + verbs: ["get", "list"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-{{ .Values.rbac.name }}-node-katacc-binding + labels: + {{- include "azurefile.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccount.node }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: csi-{{ .Values.rbac.name }}-node-katacc-role + apiGroup: rbac.authorization.k8s.io +--- +{{ end }} +{{ end }} diff --git a/charts/v1.32.8/azurefile-csi-driver/templates/rbac-csi-snapshot-controller.yaml b/charts/v1.32.8/azurefile-csi-driver/templates/rbac-csi-snapshot-controller.yaml new file mode 100644 index 0000000000..853a9b4375 --- /dev/null +++ b/charts/v1.32.8/azurefile-csi-driver/templates/rbac-csi-snapshot-controller.yaml @@ -0,0 +1,80 @@ +{{- if and .Values.snapshot.enabled .Values.rbac.create -}} +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-snapshot-controller-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["storage.k8s.io"] + resources: ["storageclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["create", "get", "list", "watch", "update", "delete", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents/status"] + verbs: ["patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots"] + verbs: ["get", "list", "watch", "update", "patch", "create"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots/status"] + verbs: ["update", "patch"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-snapshot-controller-binding + labels: + {{- include "azurefile.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccount.snapshotController }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: csi-snapshot-controller-role + apiGroup: rbac.authorization.k8s.io + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-snapshot-controller-leaderelection-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +rules: + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create", "patch"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-snapshot-controller-leaderelection-binding + labels: + {{- include "azurefile.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccount.snapshotController }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: csi-snapshot-controller-leaderelection-role + apiGroup: rbac.authorization.k8s.io +{{ end }} diff --git a/charts/v1.32.8/azurefile-csi-driver/templates/serviceaccount-csi-azurefile-controller.yaml b/charts/v1.32.8/azurefile-csi-driver/templates/serviceaccount-csi-azurefile-controller.yaml new file mode 100644 index 0000000000..71442b70dc --- /dev/null +++ b/charts/v1.32.8/azurefile-csi-driver/templates/serviceaccount-csi-azurefile-controller.yaml @@ -0,0 +1,17 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ .Values.serviceAccount.controller }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "azurefile.labels" . | nindent 4 }} +{{- if .Values.workloadIdentity.clientID }} + azure.workload.identity/use: "true" + annotations: + azure.workload.identity/client-id: {{ .Values.workloadIdentity.clientID }} +{{- if .Values.workloadIdentity.tenantID }} + azure.workload.identity/tenant-id: {{ .Values.workloadIdentity.tenantID }} +{{- end }} +{{- end }} +{{- end -}} diff --git a/charts/v1.32.8/azurefile-csi-driver/templates/serviceaccount-csi-azurefile-node.yaml b/charts/v1.32.8/azurefile-csi-driver/templates/serviceaccount-csi-azurefile-node.yaml new file mode 100644 index 0000000000..ab2074429d --- /dev/null +++ b/charts/v1.32.8/azurefile-csi-driver/templates/serviceaccount-csi-azurefile-node.yaml @@ -0,0 +1,17 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ .Values.serviceAccount.node }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "azurefile.labels" . | nindent 4 }} +{{- if .Values.workloadIdentity.clientID }} + azure.workload.identity/use: "true" + annotations: + azure.workload.identity/client-id: {{ .Values.workloadIdentity.clientID }} +{{- if .Values.workloadIdentity.tenantID }} + azure.workload.identity/tenant-id: {{ .Values.workloadIdentity.tenantID }} +{{- end }} +{{- end }} +{{- end -}} diff --git a/charts/v1.32.8/azurefile-csi-driver/templates/serviceaccount-csi-snapshot-controller.yaml b/charts/v1.32.8/azurefile-csi-driver/templates/serviceaccount-csi-snapshot-controller.yaml new file mode 100644 index 0000000000..e77ef8f991 --- /dev/null +++ b/charts/v1.32.8/azurefile-csi-driver/templates/serviceaccount-csi-snapshot-controller.yaml @@ -0,0 +1,9 @@ +{{- if and .Values.snapshot.enabled .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ .Values.serviceAccount.snapshotController }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "azurefile.labels" . | nindent 4 }} +{{- end -}} diff --git a/charts/v1.32.8/azurefile-csi-driver/values.yaml b/charts/v1.32.8/azurefile-csi-driver/values.yaml new file mode 100644 index 0000000000..b29e1a615a --- /dev/null +++ b/charts/v1.32.8/azurefile-csi-driver/values.yaml @@ -0,0 +1,263 @@ +image: + baseRepo: mcr.microsoft.com + azurefile: + repository: /oss/v2/kubernetes-csi/azurefile-csi + tag: v1.32.8 + pullPolicy: IfNotPresent + csiProvisioner: + repository: /oss/kubernetes-csi/csi-provisioner + tag: v5.2.0 + pullPolicy: IfNotPresent + csiResizer: + repository: /oss/v2/kubernetes-csi/csi-resizer + tag: v1.13.2 + pullPolicy: IfNotPresent + livenessProbe: + repository: /oss/v2/kubernetes-csi/livenessprobe + tag: v2.15.0 + pullPolicy: IfNotPresent + nodeDriverRegistrar: + repository: /oss/v2/kubernetes-csi/csi-node-driver-registrar + tag: v2.13.0 + pullPolicy: IfNotPresent + +## Reference to one or more secrets to be used when pulling images +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ +imagePullSecrets: [] +# - name: myRegistryKeySecretName + +# -- Custom labels to add into metadata +customLabels: {} + # k8s-app: azurefile-csi-driver + +serviceAccount: + create: true # When true, service accounts will be created for you. Set to false if you want to use your own. + controller: csi-azurefile-controller-sa # Name of Service Account to be created or used + node: csi-azurefile-node-sa # Name of Service Account to be created or used + snapshotController: csi-snapshot-controller-sa # Name of Service Account to be created or used + +rbac: + create: true + name: azurefile + +controller: + name: csi-azurefile-controller + cloudConfigSecretName: azure-cloud-provider + cloudConfigSecretNamespace: kube-system + allowEmptyCloudConfig: true + replicas: 2 + strategyType: RollingUpdate + hostNetwork: true # this setting could be disabled if controller does not depend on MSI setting + metricsPort: 29614 + livenessProbe: + healthPort: 29612 + runOnMaster: false + runOnControlPlane: false + attachRequired: false + logLevel: 5 + labels: {} + annotations: {} + podLabels: {} + podAnnotations: {} + resources: + csiProvisioner: + limits: + cpu: 1 + memory: 500Mi + requests: + cpu: 10m + memory: 20Mi + csiResizer: + limits: + cpu: 1 + memory: 500Mi + requests: + cpu: 10m + memory: 20Mi + csiSnapshotter: + limits: + cpu: 1 + memory: 400Mi + requests: + cpu: 10m + memory: 20Mi + livenessProbe: + limits: + cpu: 1 + memory: 100Mi + requests: + cpu: 10m + memory: 20Mi + azurefile: + limits: + cpu: 2 + memory: 800Mi + requests: + cpu: 10m + memory: 20Mi + kubeconfig: "" + affinity: {} + nodeSelector: {} + tolerations: + - key: "node-role.kubernetes.io/master" + operator: "Exists" + effect: "NoSchedule" + - key: "node-role.kubernetes.io/controlplane" + operator: "Exists" + effect: "NoSchedule" + - key: "node-role.kubernetes.io/control-plane" + operator: "Exists" + effect: "NoSchedule" + - key: "CriticalAddonsOnly" + operator: "Exists" + effect: "NoSchedule" + +node: + strategyType: RollingUpdate + maxUnavailable: 1 + cloudConfigSecretName: azure-cloud-provider + cloudConfigSecretNamespace: kube-system + allowEmptyCloudConfig: true + allowInlineVolumeKeyAccessWithIdentity: false + enableKataCCMount: false + metricsPort: 29615 + livenessProbe: + healthPort: 29613 + logLevel: 5 + +snapshot: + enabled: false + image: + csiSnapshotter: + repository: /oss/kubernetes-csi/csi-snapshotter + tag: v8.2.1 + pullPolicy: IfNotPresent + csiSnapshotController: + repository: /oss/kubernetes-csi/snapshot-controller + tag: v8.2.1 + pullPolicy: IfNotPresent + snapshotController: + name: csi-snapshot-controller + replicas: 2 + strategyType: RollingUpdate + labels: {} + annotations: {} + podLabels: {} + podAnnotations: {} + resources: + limits: + cpu: 1 + memory: 500Mi + requests: + cpu: 10m + memory: 20Mi + +feature: + enableGetVolumeStats: true + enableVolumeMountGroup: true + fsGroupPolicy: ReadWriteOnceWithFSType + +driver: + name: file.csi.azure.com + customUserAgent: "" + userAgentSuffix: "OSS-helm" + azureGoSDKLogLevel: "" # available values: ""(no logs), DEBUG, INFO, WARNING, ERROR + httpsProxy: "" + httpProxy: "" + +linux: + enabled: true + dsName: csi-azurefile-node # daemonset name + dnsPolicy: Default # available values: Default, ClusterFirst, ClusterFirstWithHostNet, None + kubelet: /var/lib/kubelet + kubeconfig: "" + distro: debian # available values: debian, fedora + mountPermissions: 0777 + labels: {} + annotations: {} + podLabels: {} + podAnnotations: {} + resources: + livenessProbe: + limits: + memory: 100Mi + requests: + cpu: 10m + memory: 20Mi + nodeDriverRegistrar: + limits: + memory: 100Mi + requests: + cpu: 10m + memory: 20Mi + azurefile: + limits: + memory: 400Mi + requests: + cpu: 10m + memory: 20Mi + tolerations: + - operator: "Exists" + nodeSelector: {} + affinity: {} + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: type + operator: NotIn + values: + - virtual-kubelet + +windows: + enabled: true + useHostProcessContainers: true + dsName: csi-azurefile-node-win # daemonset name + kubelet: 'C:\var\lib\kubelet' + kubeconfig: "" + enableRegistrationProbe: true + labels: {} + annotations: {} + podLabels: {} + podAnnotations: {} + resources: + livenessProbe: + limits: + memory: 150Mi + requests: + cpu: 10m + memory: 40Mi + nodeDriverRegistrar: + limits: + memory: 150Mi + requests: + cpu: 30m + memory: 40Mi + azurefile: + limits: + memory: 600Mi + requests: + cpu: 10m + memory: 40Mi + tolerations: + - key: "node.kubernetes.io/os" + operator: "Exists" + effect: "NoSchedule" + nodeSelector: {} + affinity: {} + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: type + operator: NotIn + values: + - virtual-kubelet + +workloadIdentity: + clientID: "" + # [optional] If the AAD application or user-assigned managed identity is not in the same tenant as the cluster + # then set tenantID with the application or user-assigned managed identity tenant ID + tenantID: "" + +azureCredentialFileConfigMap: azure-cred-file diff --git a/charts/v1.32.9/azurefile-csi-driver-1.32.9.tgz b/charts/v1.32.9/azurefile-csi-driver-1.32.9.tgz new file mode 100644 index 0000000000..fd66e2eb12 Binary files /dev/null and b/charts/v1.32.9/azurefile-csi-driver-1.32.9.tgz differ diff --git a/charts/v1.32.9/azurefile-csi-driver/Chart.yaml b/charts/v1.32.9/azurefile-csi-driver/Chart.yaml new file mode 100644 index 0000000000..fdf7c52190 --- /dev/null +++ b/charts/v1.32.9/azurefile-csi-driver/Chart.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +appVersion: 1.32.9 +description: Azure File Container Storage Interface (CSI) Storage Plugin +name: azurefile-csi-driver +version: 1.32.9 diff --git a/charts/v1.32.9/azurefile-csi-driver/templates/NOTES.txt b/charts/v1.32.9/azurefile-csi-driver/templates/NOTES.txt new file mode 100644 index 0000000000..bea09b0829 --- /dev/null +++ b/charts/v1.32.9/azurefile-csi-driver/templates/NOTES.txt @@ -0,0 +1,5 @@ +The Azure File CSI Driver is getting deployed to your cluster. + +To check Azure File CSI Driver pods status, please run: + + kubectl --namespace={{ .Release.Namespace }} get pods --selector="app.kubernetes.io/name={{ .Release.Name }}" --watch diff --git a/charts/v1.32.9/azurefile-csi-driver/templates/_helpers.tpl b/charts/v1.32.9/azurefile-csi-driver/templates/_helpers.tpl new file mode 100644 index 0000000000..b1bf4dc1b6 --- /dev/null +++ b/charts/v1.32.9/azurefile-csi-driver/templates/_helpers.tpl @@ -0,0 +1,49 @@ +{{/* vim: set filetype=mustache: */}} + +{{/* Expand the name of the chart.*/}} +{{- define "azurefile.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "azurefile.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Common selectors. +*/}} +{{- define "azurefile.selectorLabels" -}} +app.kubernetes.io/name: {{ template "azurefile.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end -}} + +{{/* +Common labels. +*/}} +{{- define "azurefile.labels" -}} +{{- include "azurefile.selectorLabels" . }} +app.kubernetes.io/component: csi-driver +app.kubernetes.io/part-of: {{ template "azurefile.name" . }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +helm.sh/chart: {{ template "azurefile.chart" . }} +{{- if .Values.customLabels }} +{{ toYaml .Values.customLabels }} +{{- end }} +{{- end -}} + + +{{/* pull secrets for containers */}} +{{- define "azurefile.pullSecrets" -}} +{{- if .Values.imagePullSecrets }} +imagePullSecrets: +{{- range .Values.imagePullSecrets }} + - name: {{ . }} +{{- end }} +{{- end }} +{{- end -}} diff --git a/charts/v1.32.9/azurefile-csi-driver/templates/crd-csi-snapshot.yaml b/charts/v1.32.9/azurefile-csi-driver/templates/crd-csi-snapshot.yaml new file mode 100644 index 0000000000..3a66c45732 --- /dev/null +++ b/charts/v1.32.9/azurefile-csi-driver/templates/crd-csi-snapshot.yaml @@ -0,0 +1,953 @@ +{{- if .Values.snapshot.enabled -}} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + api-approved.kubernetes.io: "https://github.com/kubernetes-csi/external-snapshotter/pull/814" + name: volumesnapshots.snapshot.storage.k8s.io +spec: + group: snapshot.storage.k8s.io + names: + kind: VolumeSnapshot + listKind: VolumeSnapshotList + plural: volumesnapshots + shortNames: + - vs + singular: volumesnapshot + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Indicates if the snapshot is ready to be used to restore a volume. + jsonPath: .status.readyToUse + name: ReadyToUse + type: boolean + - description: If a new snapshot needs to be created, this contains the name of + the source PVC from which this snapshot was (or will be) created. + jsonPath: .spec.source.persistentVolumeClaimName + name: SourcePVC + type: string + - description: If a snapshot already exists, this contains the name of the existing + VolumeSnapshotContent object representing the existing snapshot. + jsonPath: .spec.source.volumeSnapshotContentName + name: SourceSnapshotContent + type: string + - description: Represents the minimum size of volume required to rehydrate from + this snapshot. + jsonPath: .status.restoreSize + name: RestoreSize + type: string + - description: The name of the VolumeSnapshotClass requested by the VolumeSnapshot. + jsonPath: .spec.volumeSnapshotClassName + name: SnapshotClass + type: string + - description: Name of the VolumeSnapshotContent object to which the VolumeSnapshot + object intends to bind to. Please note that verification of binding actually + requires checking both VolumeSnapshot and VolumeSnapshotContent to ensure + both are pointing at each other. Binding MUST be verified prior to usage of + this object. + jsonPath: .status.boundVolumeSnapshotContentName + name: SnapshotContent + type: string + - description: Timestamp when the point-in-time snapshot was taken by the underlying + storage system. + jsonPath: .status.creationTime + name: CreationTime + type: date + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + VolumeSnapshot is a user's request for either creating a point-in-time + snapshot of a persistent volume, or binding to a pre-existing snapshot. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + spec defines the desired characteristics of a snapshot requested by a user. + More info: https://kubernetes.io/docs/concepts/storage/volume-snapshots#volumesnapshots + Required. + properties: + source: + description: |- + source specifies where a snapshot will be created from. + This field is immutable after creation. + Required. + properties: + persistentVolumeClaimName: + description: |- + persistentVolumeClaimName specifies the name of the PersistentVolumeClaim + object representing the volume from which a snapshot should be created. + This PVC is assumed to be in the same namespace as the VolumeSnapshot + object. + This field should be set if the snapshot does not exists, and needs to be + created. + This field is immutable. + type: string + x-kubernetes-validations: + - message: persistentVolumeClaimName is immutable + rule: self == oldSelf + volumeSnapshotContentName: + description: |- + volumeSnapshotContentName specifies the name of a pre-existing VolumeSnapshotContent + object representing an existing volume snapshot. + This field should be set if the snapshot already exists and only needs a representation in Kubernetes. + This field is immutable. + type: string + x-kubernetes-validations: + - message: volumeSnapshotContentName is immutable + rule: self == oldSelf + type: object + x-kubernetes-validations: + - message: persistentVolumeClaimName is required once set + rule: '!has(oldSelf.persistentVolumeClaimName) || has(self.persistentVolumeClaimName)' + - message: volumeSnapshotContentName is required once set + rule: '!has(oldSelf.volumeSnapshotContentName) || has(self.volumeSnapshotContentName)' + - message: exactly one of volumeSnapshotContentName and persistentVolumeClaimName + must be set + rule: (has(self.volumeSnapshotContentName) && !has(self.persistentVolumeClaimName)) + || (!has(self.volumeSnapshotContentName) && has(self.persistentVolumeClaimName)) + volumeSnapshotClassName: + description: |- + VolumeSnapshotClassName is the name of the VolumeSnapshotClass + requested by the VolumeSnapshot. + VolumeSnapshotClassName may be left nil to indicate that the default + SnapshotClass should be used. + A given cluster may have multiple default Volume SnapshotClasses: one + default per CSI Driver. If a VolumeSnapshot does not specify a SnapshotClass, + VolumeSnapshotSource will be checked to figure out what the associated + CSI Driver is, and the default VolumeSnapshotClass associated with that + CSI Driver will be used. If more than one VolumeSnapshotClass exist for + a given CSI Driver and more than one have been marked as default, + CreateSnapshot will fail and generate an event. + Empty string is not allowed for this field. + type: string + x-kubernetes-validations: + - message: volumeSnapshotClassName must not be the empty string when + set + rule: size(self) > 0 + required: + - source + type: object + status: + description: |- + status represents the current information of a snapshot. + Consumers must verify binding between VolumeSnapshot and + VolumeSnapshotContent objects is successful (by validating that both + VolumeSnapshot and VolumeSnapshotContent point at each other) before + using this object. + properties: + boundVolumeSnapshotContentName: + description: |- + boundVolumeSnapshotContentName is the name of the VolumeSnapshotContent + object to which this VolumeSnapshot object intends to bind to. + If not specified, it indicates that the VolumeSnapshot object has not been + successfully bound to a VolumeSnapshotContent object yet. + NOTE: To avoid possible security issues, consumers must verify binding between + VolumeSnapshot and VolumeSnapshotContent objects is successful (by validating that + both VolumeSnapshot and VolumeSnapshotContent point at each other) before using + this object. + type: string + creationTime: + description: |- + creationTime is the timestamp when the point-in-time snapshot is taken + by the underlying storage system. + In dynamic snapshot creation case, this field will be filled in by the + snapshot controller with the "creation_time" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "creation_time" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. + If not specified, it may indicate that the creation time of the snapshot is unknown. + format: date-time + type: string + error: + description: |- + error is the last observed error during snapshot creation, if any. + This field could be helpful to upper level controllers(i.e., application controller) + to decide whether they should continue on waiting for the snapshot to be created + based on the type of error reported. + The snapshot controller will keep retrying when an error occurs during the + snapshot creation. Upon success, this error field will be cleared. + properties: + message: + description: |- + message is a string detailing the encountered error during snapshot + creation if specified. + NOTE: message may be logged, and it should not contain sensitive + information. + type: string + time: + description: time is the timestamp when the error was encountered. + format: date-time + type: string + type: object + readyToUse: + description: |- + readyToUse indicates if the snapshot is ready to be used to restore a volume. + In dynamic snapshot creation case, this field will be filled in by the + snapshot controller with the "ready_to_use" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "ready_to_use" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it, + otherwise, this field will be set to "True". + If not specified, it means the readiness of a snapshot is unknown. + type: boolean + restoreSize: + type: string + description: |- + restoreSize represents the minimum size of volume required to create a volume + from this snapshot. + In dynamic snapshot creation case, this field will be filled in by the + snapshot controller with the "size_bytes" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "size_bytes" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. + When restoring a volume from this snapshot, the size of the volume MUST NOT + be smaller than the restoreSize if it is specified, otherwise the restoration will fail. + If not specified, it indicates that the size is unknown. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + volumeGroupSnapshotName: + description: |- + VolumeGroupSnapshotName is the name of the VolumeGroupSnapshot of which this + VolumeSnapshot is a part of. + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: Indicates if the snapshot is ready to be used to restore a volume. + jsonPath: .status.readyToUse + name: ReadyToUse + type: boolean + - description: If a new snapshot needs to be created, this contains the name of the source PVC from which this snapshot was (or will be) created. + jsonPath: .spec.source.persistentVolumeClaimName + name: SourcePVC + type: string + - description: If a snapshot already exists, this contains the name of the existing VolumeSnapshotContent object representing the existing snapshot. + jsonPath: .spec.source.volumeSnapshotContentName + name: SourceSnapshotContent + type: string + - description: Represents the minimum size of volume required to rehydrate from this snapshot. + jsonPath: .status.restoreSize + name: RestoreSize + type: string + - description: The name of the VolumeSnapshotClass requested by the VolumeSnapshot. + jsonPath: .spec.volumeSnapshotClassName + name: SnapshotClass + type: string + - description: Name of the VolumeSnapshotContent object to which the VolumeSnapshot object intends to bind to. Please note that verification of binding actually requires checking both VolumeSnapshot and VolumeSnapshotContent to ensure both are pointing at each other. Binding MUST be verified prior to usage of this object. + jsonPath: .status.boundVolumeSnapshotContentName + name: SnapshotContent + type: string + - description: Timestamp when the point-in-time snapshot was taken by the underlying storage system. + jsonPath: .status.creationTime + name: CreationTime + type: date + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + # This indicates the v1beta1 version of the custom resource is deprecated. + # API requests to this version receive a warning in the server response. + deprecated: true + # This overrides the default warning returned to clients making v1beta1 API requests. + deprecationWarning: "snapshot.storage.k8s.io/v1beta1 VolumeSnapshot is deprecated; use snapshot.storage.k8s.io/v1 VolumeSnapshot" + schema: + openAPIV3Schema: + description: VolumeSnapshot is a user's request for either creating a point-in-time snapshot of a persistent volume, or binding to a pre-existing snapshot. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + spec: + description: 'spec defines the desired characteristics of a snapshot requested by a user. More info: https://kubernetes.io/docs/concepts/storage/volume-snapshots#volumesnapshots Required.' + properties: + source: + description: source specifies where a snapshot will be created from. This field is immutable after creation. Required. + properties: + persistentVolumeClaimName: + description: persistentVolumeClaimName specifies the name of the PersistentVolumeClaim object representing the volume from which a snapshot should be created. This PVC is assumed to be in the same namespace as the VolumeSnapshot object. This field should be set if the snapshot does not exists, and needs to be created. This field is immutable. + type: string + volumeSnapshotContentName: + description: volumeSnapshotContentName specifies the name of a pre-existing VolumeSnapshotContent object representing an existing volume snapshot. This field should be set if the snapshot already exists and only needs a representation in Kubernetes. This field is immutable. + type: string + type: object + volumeSnapshotClassName: + description: 'VolumeSnapshotClassName is the name of the VolumeSnapshotClass requested by the VolumeSnapshot. VolumeSnapshotClassName may be left nil to indicate that the default SnapshotClass should be used. A given cluster may have multiple default Volume SnapshotClasses: one default per CSI Driver. If a VolumeSnapshot does not specify a SnapshotClass, VolumeSnapshotSource will be checked to figure out what the associated CSI Driver is, and the default VolumeSnapshotClass associated with that CSI Driver will be used. If more than one VolumeSnapshotClass exist for a given CSI Driver and more than one have been marked as default, CreateSnapshot will fail and generate an event. Empty string is not allowed for this field.' + type: string + required: + - source + type: object + status: + description: status represents the current information of a snapshot. Consumers must verify binding between VolumeSnapshot and VolumeSnapshotContent objects is successful (by validating that both VolumeSnapshot and VolumeSnapshotContent point at each other) before using this object. + properties: + boundVolumeSnapshotContentName: + description: 'boundVolumeSnapshotContentName is the name of the VolumeSnapshotContent object to which this VolumeSnapshot object intends to bind to. If not specified, it indicates that the VolumeSnapshot object has not been successfully bound to a VolumeSnapshotContent object yet. NOTE: To avoid possible security issues, consumers must verify binding between VolumeSnapshot and VolumeSnapshotContent objects is successful (by validating that both VolumeSnapshot and VolumeSnapshotContent point at each other) before using this object.' + type: string + creationTime: + description: creationTime is the timestamp when the point-in-time snapshot is taken by the underlying storage system. In dynamic snapshot creation case, this field will be filled in by the snapshot controller with the "creation_time" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "creation_time" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. If not specified, it may indicate that the creation time of the snapshot is unknown. + format: date-time + type: string + error: + description: error is the last observed error during snapshot creation, if any. This field could be helpful to upper level controllers(i.e., application controller) to decide whether they should continue on waiting for the snapshot to be created based on the type of error reported. The snapshot controller will keep retrying when an error occurs during the snapshot creation. Upon success, this error field will be cleared. + properties: + message: + description: 'message is a string detailing the encountered error during snapshot creation if specified. NOTE: message may be logged, and it should not contain sensitive information.' + type: string + time: + description: time is the timestamp when the error was encountered. + format: date-time + type: string + type: object + readyToUse: + description: readyToUse indicates if the snapshot is ready to be used to restore a volume. In dynamic snapshot creation case, this field will be filled in by the snapshot controller with the "ready_to_use" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "ready_to_use" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it, otherwise, this field will be set to "True". If not specified, it means the readiness of a snapshot is unknown. + type: boolean + restoreSize: + type: string + description: restoreSize represents the minimum size of volume required to create a volume from this snapshot. In dynamic snapshot creation case, this field will be filled in by the snapshot controller with the "size_bytes" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "size_bytes" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. When restoring a volume from this snapshot, the size of the volume MUST NOT be smaller than the restoreSize if it is specified, otherwise the restoration will fail. If not specified, it indicates that the size is unknown. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + required: + - spec + type: object + served: false + storage: false + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: "https://github.com/kubernetes-csi/external-snapshotter/pull/814" + controller-gen.kubebuilder.io/version: v0.15.0 + name: volumesnapshotclasses.snapshot.storage.k8s.io +spec: + group: snapshot.storage.k8s.io + names: + kind: VolumeSnapshotClass + listKind: VolumeSnapshotClassList + plural: volumesnapshotclasses + shortNames: + - vsclass + - vsclasses + singular: volumesnapshotclass + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .driver + name: Driver + type: string + - description: Determines whether a VolumeSnapshotContent created through the + VolumeSnapshotClass should be deleted when its bound VolumeSnapshot is deleted. + jsonPath: .deletionPolicy + name: DeletionPolicy + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + VolumeSnapshotClass specifies parameters that a underlying storage system uses when + creating a volume snapshot. A specific VolumeSnapshotClass is used by specifying its + name in a VolumeSnapshot object. + VolumeSnapshotClasses are non-namespaced + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + deletionPolicy: + description: |- + deletionPolicy determines whether a VolumeSnapshotContent created through + the VolumeSnapshotClass should be deleted when its bound VolumeSnapshot is deleted. + Supported values are "Retain" and "Delete". + "Retain" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are kept. + "Delete" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are deleted. + Required. + enum: + - Delete + - Retain + type: string + driver: + description: |- + driver is the name of the storage driver that handles this VolumeSnapshotClass. + Required. + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + parameters: + additionalProperties: + type: string + description: |- + parameters is a key-value map with storage driver specific parameters for creating snapshots. + These values are opaque to Kubernetes. + type: object + required: + - deletionPolicy + - driver + type: object + served: true + storage: true + subresources: {} + - additionalPrinterColumns: + - jsonPath: .driver + name: Driver + type: string + - description: Determines whether a VolumeSnapshotContent created through the VolumeSnapshotClass should be deleted when its bound VolumeSnapshot is deleted. + jsonPath: .deletionPolicy + name: DeletionPolicy + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + # This indicates the v1beta1 version of the custom resource is deprecated. + # API requests to this version receive a warning in the server response. + deprecated: true + # This overrides the default warning returned to clients making v1beta1 API requests. + deprecationWarning: "snapshot.storage.k8s.io/v1beta1 VolumeSnapshotClass is deprecated; use snapshot.storage.k8s.io/v1 VolumeSnapshotClass" + schema: + openAPIV3Schema: + description: VolumeSnapshotClass specifies parameters that a underlying storage system uses when creating a volume snapshot. A specific VolumeSnapshotClass is used by specifying its name in a VolumeSnapshot object. VolumeSnapshotClasses are non-namespaced + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + deletionPolicy: + description: deletionPolicy determines whether a VolumeSnapshotContent created through the VolumeSnapshotClass should be deleted when its bound VolumeSnapshot is deleted. Supported values are "Retain" and "Delete". "Retain" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are kept. "Delete" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are deleted. Required. + enum: + - Delete + - Retain + type: string + driver: + description: driver is the name of the storage driver that handles this VolumeSnapshotClass. Required. + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + parameters: + additionalProperties: + type: string + description: parameters is a key-value map with storage driver specific parameters for creating snapshots. These values are opaque to Kubernetes. + type: object + required: + - deletionPolicy + - driver + type: object + served: false + storage: false + subresources: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + api-approved.kubernetes.io: "https://github.com/kubernetes-csi/external-snapshotter/pull/955" + name: volumesnapshotcontents.snapshot.storage.k8s.io +spec: + group: snapshot.storage.k8s.io + names: + kind: VolumeSnapshotContent + listKind: VolumeSnapshotContentList + plural: volumesnapshotcontents + shortNames: + - vsc + - vscs + singular: volumesnapshotcontent + scope: Cluster + versions: + - additionalPrinterColumns: + - description: Indicates if the snapshot is ready to be used to restore a volume. + jsonPath: .status.readyToUse + name: ReadyToUse + type: boolean + - description: Represents the complete size of the snapshot in bytes + jsonPath: .status.restoreSize + name: RestoreSize + type: integer + - description: Determines whether this VolumeSnapshotContent and its physical + snapshot on the underlying storage system should be deleted when its bound + VolumeSnapshot is deleted. + jsonPath: .spec.deletionPolicy + name: DeletionPolicy + type: string + - description: Name of the CSI driver used to create the physical snapshot on + the underlying storage system. + jsonPath: .spec.driver + name: Driver + type: string + - description: Name of the VolumeSnapshotClass to which this snapshot belongs. + jsonPath: .spec.volumeSnapshotClassName + name: VolumeSnapshotClass + type: string + - description: Name of the VolumeSnapshot object to which this VolumeSnapshotContent + object is bound. + jsonPath: .spec.volumeSnapshotRef.name + name: VolumeSnapshot + type: string + - description: Namespace of the VolumeSnapshot object to which this VolumeSnapshotContent + object is bound. + jsonPath: .spec.volumeSnapshotRef.namespace + name: VolumeSnapshotNamespace + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + VolumeSnapshotContent represents the actual "on-disk" snapshot object in the + underlying storage system + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + spec defines properties of a VolumeSnapshotContent created by the underlying storage system. + Required. + properties: + deletionPolicy: + description: |- + deletionPolicy determines whether this VolumeSnapshotContent and its physical snapshot on + the underlying storage system should be deleted when its bound VolumeSnapshot is deleted. + Supported values are "Retain" and "Delete". + "Retain" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are kept. + "Delete" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are deleted. + For dynamically provisioned snapshots, this field will automatically be filled in by the + CSI snapshotter sidecar with the "DeletionPolicy" field defined in the corresponding + VolumeSnapshotClass. + For pre-existing snapshots, users MUST specify this field when creating the + VolumeSnapshotContent object. + Required. + enum: + - Delete + - Retain + type: string + driver: + description: |- + driver is the name of the CSI driver used to create the physical snapshot on + the underlying storage system. + This MUST be the same as the name returned by the CSI GetPluginName() call for + that driver. + Required. + type: string + source: + description: |- + source specifies whether the snapshot is (or should be) dynamically provisioned + or already exists, and just requires a Kubernetes object representation. + This field is immutable after creation. + Required. + properties: + snapshotHandle: + description: |- + snapshotHandle specifies the CSI "snapshot_id" of a pre-existing snapshot on + the underlying storage system for which a Kubernetes object representation + was (or should be) created. + This field is immutable. + type: string + x-kubernetes-validations: + - message: snapshotHandle is immutable + rule: self == oldSelf + volumeHandle: + description: |- + volumeHandle specifies the CSI "volume_id" of the volume from which a snapshot + should be dynamically taken from. + This field is immutable. + type: string + x-kubernetes-validations: + - message: volumeHandle is immutable + rule: self == oldSelf + type: object + x-kubernetes-validations: + - message: volumeHandle is required once set + rule: '!has(oldSelf.volumeHandle) || has(self.volumeHandle)' + - message: snapshotHandle is required once set + rule: '!has(oldSelf.snapshotHandle) || has(self.snapshotHandle)' + - message: exactly one of volumeHandle and snapshotHandle must be + set + rule: (has(self.volumeHandle) && !has(self.snapshotHandle)) || (!has(self.volumeHandle) + && has(self.snapshotHandle)) + sourceVolumeMode: + description: |- + SourceVolumeMode is the mode of the volume whose snapshot is taken. + Can be either "Filesystem" or "Block". + If not specified, it indicates the source volume's mode is unknown. + This field is immutable. + This field is an alpha field. + type: string + x-kubernetes-validations: + - message: sourceVolumeMode is immutable + rule: self == oldSelf + volumeSnapshotClassName: + description: |- + name of the VolumeSnapshotClass from which this snapshot was (or will be) + created. + Note that after provisioning, the VolumeSnapshotClass may be deleted or + recreated with different set of values, and as such, should not be referenced + post-snapshot creation. + type: string + volumeSnapshotRef: + description: |- + volumeSnapshotRef specifies the VolumeSnapshot object to which this + VolumeSnapshotContent object is bound. + VolumeSnapshot.Spec.VolumeSnapshotContentName field must reference to + this VolumeSnapshotContent's name for the bidirectional binding to be valid. + For a pre-existing VolumeSnapshotContent object, name and namespace of the + VolumeSnapshot object MUST be provided for binding to happen. + This field is immutable after creation. + Required. + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. + type: string + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + namespace: + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + type: string + resourceVersion: + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + type: string + uid: + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + type: string + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: both spec.volumeSnapshotRef.name and spec.volumeSnapshotRef.namespace + must be set + rule: has(self.name) && has(self.__namespace__) + required: + - deletionPolicy + - driver + - source + - volumeSnapshotRef + type: object + x-kubernetes-validations: + - message: sourceVolumeMode is required once set + rule: '!has(oldSelf.sourceVolumeMode) || has(self.sourceVolumeMode)' + status: + description: status represents the current information of a snapshot. + properties: + creationTime: + description: |- + creationTime is the timestamp when the point-in-time snapshot is taken + by the underlying storage system. + In dynamic snapshot creation case, this field will be filled in by the + CSI snapshotter sidecar with the "creation_time" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "creation_time" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. + If not specified, it indicates the creation time is unknown. + The format of this field is a Unix nanoseconds time encoded as an int64. + On Unix, the command `date +%s%N` returns the current time in nanoseconds + since 1970-01-01 00:00:00 UTC. + format: int64 + type: integer + error: + description: |- + error is the last observed error during snapshot creation, if any. + Upon success after retry, this error field will be cleared. + properties: + message: + description: |- + message is a string detailing the encountered error during snapshot + creation if specified. + NOTE: message may be logged, and it should not contain sensitive + information. + type: string + time: + description: time is the timestamp when the error was encountered. + format: date-time + type: string + type: object + readyToUse: + description: |- + readyToUse indicates if a snapshot is ready to be used to restore a volume. + In dynamic snapshot creation case, this field will be filled in by the + CSI snapshotter sidecar with the "ready_to_use" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "ready_to_use" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it, + otherwise, this field will be set to "True". + If not specified, it means the readiness of a snapshot is unknown. + type: boolean + restoreSize: + description: |- + restoreSize represents the complete size of the snapshot in bytes. + In dynamic snapshot creation case, this field will be filled in by the + CSI snapshotter sidecar with the "size_bytes" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "size_bytes" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. + When restoring a volume from this snapshot, the size of the volume MUST NOT + be smaller than the restoreSize if it is specified, otherwise the restoration will fail. + If not specified, it indicates that the size is unknown. + format: int64 + minimum: 0 + type: integer + snapshotHandle: + description: |- + snapshotHandle is the CSI "snapshot_id" of a snapshot on the underlying storage system. + If not specified, it indicates that dynamic snapshot creation has either failed + or it is still in progress. + type: string + volumeGroupSnapshotHandle: + description: |- + VolumeGroupSnapshotHandle is the CSI "group_snapshot_id" of a group snapshot + on the underlying storage system. + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: Indicates if the snapshot is ready to be used to restore a volume. + jsonPath: .status.readyToUse + name: ReadyToUse + type: boolean + - description: Represents the complete size of the snapshot in bytes + jsonPath: .status.restoreSize + name: RestoreSize + type: integer + - description: Determines whether this VolumeSnapshotContent and its physical snapshot on the underlying storage system should be deleted when its bound VolumeSnapshot is deleted. + jsonPath: .spec.deletionPolicy + name: DeletionPolicy + type: string + - description: Name of the CSI driver used to create the physical snapshot on the underlying storage system. + jsonPath: .spec.driver + name: Driver + type: string + - description: Name of the VolumeSnapshotClass to which this snapshot belongs. + jsonPath: .spec.volumeSnapshotClassName + name: VolumeSnapshotClass + type: string + - description: Name of the VolumeSnapshot object to which this VolumeSnapshotContent object is bound. + jsonPath: .spec.volumeSnapshotRef.name + name: VolumeSnapshot + type: string + - description: Namespace of the VolumeSnapshot object to which this VolumeSnapshotContent object is bound. + jsonPath: .spec.volumeSnapshotRef.namespace + name: VolumeSnapshotNamespace + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + # This indicates the v1beta1 version of the custom resource is deprecated. + # API requests to this version receive a warning in the server response. + deprecated: true + # This overrides the default warning returned to clients making v1beta1 API requests. + deprecationWarning: "snapshot.storage.k8s.io/v1beta1 VolumeSnapshotContent is deprecated; use snapshot.storage.k8s.io/v1 VolumeSnapshotContent" + schema: + openAPIV3Schema: + description: VolumeSnapshotContent represents the actual "on-disk" snapshot object in the underlying storage system + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + spec: + description: spec defines properties of a VolumeSnapshotContent created by the underlying storage system. Required. + properties: + deletionPolicy: + description: deletionPolicy determines whether this VolumeSnapshotContent and its physical snapshot on the underlying storage system should be deleted when its bound VolumeSnapshot is deleted. Supported values are "Retain" and "Delete". "Retain" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are kept. "Delete" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are deleted. For dynamically provisioned snapshots, this field will automatically be filled in by the CSI snapshotter sidecar with the "DeletionPolicy" field defined in the corresponding VolumeSnapshotClass. For pre-existing snapshots, users MUST specify this field when creating the VolumeSnapshotContent object. Required. + enum: + - Delete + - Retain + type: string + driver: + description: driver is the name of the CSI driver used to create the physical snapshot on the underlying storage system. This MUST be the same as the name returned by the CSI GetPluginName() call for that driver. Required. + type: string + source: + description: source specifies whether the snapshot is (or should be) dynamically provisioned or already exists, and just requires a Kubernetes object representation. This field is immutable after creation. Required. + properties: + snapshotHandle: + description: snapshotHandle specifies the CSI "snapshot_id" of a pre-existing snapshot on the underlying storage system for which a Kubernetes object representation was (or should be) created. This field is immutable. + type: string + volumeHandle: + description: volumeHandle specifies the CSI "volume_id" of the volume from which a snapshot should be dynamically taken from. This field is immutable. + type: string + type: object + volumeSnapshotClassName: + description: name of the VolumeSnapshotClass from which this snapshot was (or will be) created. Note that after provisioning, the VolumeSnapshotClass may be deleted or recreated with different set of values, and as such, should not be referenced post-snapshot creation. + type: string + volumeSnapshotRef: + description: volumeSnapshotRef specifies the VolumeSnapshot object to which this VolumeSnapshotContent object is bound. VolumeSnapshot.Spec.VolumeSnapshotContentName field must reference to this VolumeSnapshotContent's name for the bidirectional binding to be valid. For a pre-existing VolumeSnapshotContent object, name and namespace of the VolumeSnapshot object MUST be provided for binding to happen. This field is immutable after creation. Required. + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + required: + - deletionPolicy + - driver + - source + - volumeSnapshotRef + type: object + status: + description: status represents the current information of a snapshot. + properties: + creationTime: + description: creationTime is the timestamp when the point-in-time snapshot is taken by the underlying storage system. In dynamic snapshot creation case, this field will be filled in by the CSI snapshotter sidecar with the "creation_time" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "creation_time" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. If not specified, it indicates the creation time is unknown. The format of this field is a Unix nanoseconds time encoded as an int64. On Unix, the command `date +%s%N` returns the current time in nanoseconds since 1970-01-01 00:00:00 UTC. + format: int64 + type: integer + error: + description: error is the last observed error during snapshot creation, if any. Upon success after retry, this error field will be cleared. + properties: + message: + description: 'message is a string detailing the encountered error during snapshot creation if specified. NOTE: message may be logged, and it should not contain sensitive information.' + type: string + time: + description: time is the timestamp when the error was encountered. + format: date-time + type: string + type: object + readyToUse: + description: readyToUse indicates if a snapshot is ready to be used to restore a volume. In dynamic snapshot creation case, this field will be filled in by the CSI snapshotter sidecar with the "ready_to_use" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "ready_to_use" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it, otherwise, this field will be set to "True". If not specified, it means the readiness of a snapshot is unknown. + type: boolean + restoreSize: + description: restoreSize represents the complete size of the snapshot in bytes. In dynamic snapshot creation case, this field will be filled in by the CSI snapshotter sidecar with the "size_bytes" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "size_bytes" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. When restoring a volume from this snapshot, the size of the volume MUST NOT be smaller than the restoreSize if it is specified, otherwise the restoration will fail. If not specified, it indicates that the size is unknown. + format: int64 + minimum: 0 + type: integer + snapshotHandle: + description: snapshotHandle is the CSI "snapshot_id" of a snapshot on the underlying storage system. If not specified, it indicates that dynamic snapshot creation has either failed or it is still in progress. + type: string + type: object + required: + - spec + type: object + served: false + storage: false + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end -}} diff --git a/charts/v1.32.9/azurefile-csi-driver/templates/csi-azurefile-controller.yaml b/charts/v1.32.9/azurefile-csi-driver/templates/csi-azurefile-controller.yaml new file mode 100644 index 0000000000..0e782b851b --- /dev/null +++ b/charts/v1.32.9/azurefile-csi-driver/templates/csi-azurefile-controller.yaml @@ -0,0 +1,285 @@ +kind: Deployment +apiVersion: apps/v1 +metadata: + name: {{ .Values.controller.name }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Values.controller.name }} + {{- include "azurefile.labels" . | nindent 4 }} +{{- with .Values.controller.labels }} +{{ . | toYaml | indent 4 }} +{{- end }} +{{- with .Values.controller.annotations }} + annotations: +{{ . | toYaml | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.controller.replicas }} + selector: + matchLabels: + {{- include "azurefile.selectorLabels" . | nindent 6 }} + app: {{ .Values.controller.name }} + strategy: + type: {{ .Values.controller.strategyType }} + template: + metadata: + labels: + {{- include "azurefile.labels" . | nindent 8 }} + app: {{ .Values.controller.name }} + {{- if .Values.workloadIdentity.clientID }} + azure.workload.identity/use: "true" + {{- end }} +{{- with .Values.controller.podLabels }} +{{ toYaml . | indent 8 }} +{{- end }} +{{- with .Values.controller.podAnnotations }} + annotations: +{{ toYaml . | indent 8 }} +{{- end }} + spec: + hostNetwork: {{ .Values.controller.hostNetwork }} + serviceAccountName: {{ .Values.serviceAccount.controller }} + nodeSelector: + kubernetes.io/os: linux +{{- with .Values.controller.nodeSelector }} +{{ toYaml . | indent 8 }} +{{- end }} + # runOnControlPlane=true or runOnMaster=true only takes effect if affinity is not set + {{- if tpl "{{ .Values.controller.affinity }}" . | contains "nodeSelectorTerms" }} + {{- with .Values.controller.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- else if or .Values.controller.runOnControlPlane .Values.controller.runOnMaster}} + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + {{- if .Values.controller.runOnControlPlane}} + - key: node-role.kubernetes.io/control-plane + operator: Exists + {{- end}} + {{- if .Values.controller.runOnMaster}} + - key: node-role.kubernetes.io/master + operator: Exists + {{- end}} + {{- end }} + priorityClassName: system-cluster-critical + securityContext: + seccompProfile: + type: RuntimeDefault +{{- with .Values.controller.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} +{{- end }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: +{{ toYaml .Values.imagePullSecrets | indent 8 }} + {{- end }} + containers: + - name: csi-provisioner +{{- if hasPrefix "/" .Values.image.csiProvisioner.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.csiProvisioner.repository }}:{{ .Values.image.csiProvisioner.tag }}" +{{- else }} + image: "{{ .Values.image.csiProvisioner.repository }}:{{ .Values.image.csiProvisioner.tag }}" +{{- end }} + args: + - "-v=2" + - "--csi-address=$(ADDRESS)" + - "--leader-election" + - "--leader-election-namespace={{ .Release.Namespace }}" + - "--timeout=1200s" + - "--extra-create-metadata=true" + - "--kube-api-qps=50" + - "--kube-api-burst=100" + - "--feature-gates=HonorPVReclaimPolicy=true" + - "--retry-interval-max=30m" + env: + - name: ADDRESS + value: /csi/csi.sock + imagePullPolicy: {{ .Values.image.csiProvisioner.pullPolicy }} + volumeMounts: + - mountPath: /csi + name: socket-dir + resources: {{- toYaml .Values.controller.resources.csiProvisioner | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL + - name: csi-snapshotter +{{- if hasPrefix "/" .Values.snapshot.image.csiSnapshotter.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.snapshot.image.csiSnapshotter.repository }}:{{ .Values.snapshot.image.csiSnapshotter.tag }}" +{{- else }} + image: "{{ .Values.snapshot.image.csiSnapshotter.repository }}:{{ .Values.snapshot.image.csiSnapshotter.tag }}" +{{- end }} + args: + - "-csi-address=$(ADDRESS)" + - "-leader-election" + - "--leader-election-namespace={{ .Release.Namespace }}" + - "-v=2" + - "--retry-interval-max=30m" + env: + - name: ADDRESS + value: /csi/csi.sock + volumeMounts: + - name: socket-dir + mountPath: /csi + resources: {{- toYaml .Values.controller.resources.csiSnapshotter | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL + - name: csi-resizer +{{- if hasPrefix "/" .Values.image.csiResizer.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.csiResizer.repository }}:{{ .Values.image.csiResizer.tag }}" +{{- else }} + image: "{{ .Values.image.csiResizer.repository }}:{{ .Values.image.csiResizer.tag }}" +{{- end }} + args: + - "-csi-address=$(ADDRESS)" + - "-v=2" + - "-leader-election" + - "--leader-election-namespace={{ .Release.Namespace }}" + - '-handle-volume-inuse-error=false' + - '-timeout=120s' + - '-feature-gates=RecoverVolumeExpansionFailure=true' + - "--retry-interval-max=30m" + env: + - name: ADDRESS + value: /csi/csi.sock + imagePullPolicy: {{ .Values.image.csiResizer.pullPolicy }} + volumeMounts: + - name: socket-dir + mountPath: /csi + resources: {{- toYaml .Values.controller.resources.csiResizer | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL + - name: liveness-probe +{{- if hasPrefix "/" .Values.image.livenessProbe.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}" +{{- else }} + image: "{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}" +{{- end }} + args: + - --csi-address=/csi/csi.sock + - --probe-timeout=3s +{{- if eq .Values.controller.hostNetwork true }} + - --http-endpoint=localhost:{{ .Values.controller.livenessProbe.healthPort }} +{{- else }} + - --health-port={{ .Values.controller.livenessProbe.healthPort }} +{{- end }} + - --v=2 + imagePullPolicy: {{ .Values.image.livenessProbe.pullPolicy }} + volumeMounts: + - name: socket-dir + mountPath: /csi + resources: {{- toYaml .Values.controller.resources.livenessProbe | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL + - name: azurefile +{{- if hasPrefix "/" .Values.image.azurefile.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}" +{{- else }} + image: "{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}" +{{- end }} + args: + - "--v={{ .Values.controller.logLevel }}" + - "--endpoint=$(CSI_ENDPOINT)" + - "--metrics-address=0.0.0.0:{{ .Values.controller.metricsPort }}" + - "--kubeconfig={{ .Values.controller.kubeconfig }}" + - "--drivername={{ .Values.driver.name }}" + - "--cloud-config-secret-name={{ .Values.controller.cloudConfigSecretName }}" + - "--cloud-config-secret-namespace={{ .Values.controller.cloudConfigSecretNamespace }}" + - "--custom-user-agent={{ .Values.driver.customUserAgent }}" + - "--user-agent-suffix={{ .Values.driver.userAgentSuffix }}" + - "--allow-empty-cloud-config={{ .Values.controller.allowEmptyCloudConfig }}" + ports: + - containerPort: {{ .Values.controller.metricsPort }} + name: metrics + protocol: TCP +{{- if ne .Values.controller.hostNetwork true }} + - containerPort: {{ .Values.controller.livenessProbe.healthPort }} + name: healthz + protocol: TCP +{{- end }} + livenessProbe: + failureThreshold: 5 + httpGet: + path: /healthz +{{- if eq .Values.controller.hostNetwork true }} + host: localhost + port: {{ .Values.controller.livenessProbe.healthPort }} +{{- else }} + port: healthz +{{- end }} + initialDelaySeconds: 30 + timeoutSeconds: 10 + periodSeconds: 30 + env: + - name: AZURE_CREDENTIAL_FILE + valueFrom: + configMapKeyRef: + name: {{ .Values.azureCredentialFileConfigMap }} + key: path + optional: true + - name: CSI_ENDPOINT + value: unix:///csi/csi.sock + {{- if ne .Values.driver.httpsProxy "" }} + - name: HTTPS_PROXY + value: {{ .Values.driver.httpsProxy }} + {{- end }} + {{- if ne .Values.driver.httpProxy "" }} + - name: HTTP_PROXY + value: {{ .Values.driver.httpProxy }} + {{- end }} + - name: AZURE_GO_SDK_LOG_LEVEL + value: {{ .Values.driver.azureGoSDKLogLevel }} + - name: AZCOPY_CONCURRENCY_VALUE + value: "10" + - name: AZCOPY_CONCURRENT_FILES + value: "20" + - name: AZCOPY_BUFFER_GB + value: "1" + imagePullPolicy: {{ .Values.image.azurefile.pullPolicy }} + volumeMounts: + - mountPath: /csi + name: socket-dir + - mountPath: /root/.azcopy + name: azcopy-dir + - mountPath: /etc/kubernetes/ + name: azure-cred + {{- if eq .Values.linux.distro "fedora" }} + - name: ssl + mountPath: /etc/ssl/certs + readOnly: true + - name: ssl-pki + mountPath: /etc/pki/ca-trust/extracted + readOnly: true + {{- end }} + resources: {{- toYaml .Values.controller.resources.azurefile | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL + volumes: + - name: socket-dir + emptyDir: {} + - name: azcopy-dir + emptyDir: {} + - name: azure-cred + hostPath: + path: /etc/kubernetes/ + type: DirectoryOrCreate + {{- if eq .Values.linux.distro "fedora" }} + - name: ssl + hostPath: + path: /etc/ssl/certs + - name: ssl-pki + hostPath: + path: /etc/pki/ca-trust/extracted + {{- end }} diff --git a/charts/v1.32.9/azurefile-csi-driver/templates/csi-azurefile-driver.yaml b/charts/v1.32.9/azurefile-csi-driver/templates/csi-azurefile-driver.yaml new file mode 100644 index 0000000000..77df01e32d --- /dev/null +++ b/charts/v1.32.9/azurefile-csi-driver/templates/csi-azurefile-driver.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: storage.k8s.io/v1 +kind: CSIDriver +metadata: + name: {{ .Values.driver.name }} + labels: + {{- include "azurefile.labels" . | nindent 4 }} + annotations: + csiDriver: "{{ .Values.image.azurefile.tag }}" + snapshot: "{{ .Values.snapshot.image.csiSnapshotter.tag }}" +spec: + attachRequired: {{ .Values.controller.attachRequired }} + podInfoOnMount: true + volumeLifecycleModes: + - Persistent + - Ephemeral + fsGroupPolicy: {{ .Values.feature.fsGroupPolicy }} + tokenRequests: + - audience: api://AzureADTokenExchange diff --git a/charts/v1.32.9/azurefile-csi-driver/templates/csi-azurefile-node-windows-hostprocess.yaml b/charts/v1.32.9/azurefile-csi-driver/templates/csi-azurefile-node-windows-hostprocess.yaml new file mode 100644 index 0000000000..30acee27fb --- /dev/null +++ b/charts/v1.32.9/azurefile-csi-driver/templates/csi-azurefile-node-windows-hostprocess.yaml @@ -0,0 +1,164 @@ +{{- if and .Values.windows.enabled .Values.windows.useHostProcessContainers }} +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: {{ .Values.windows.dsName }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Values.windows.dsName }} + {{- include "azurefile.labels" . | nindent 4 }} +{{- with .Values.windows.labels }} +{{ . | toYaml | indent 4 }} +{{- end }} +{{- with .Values.windows.annotations }} + annotations: +{{ . | toYaml | indent 4 }} +{{- end }} +spec: + updateStrategy: + rollingUpdate: + maxUnavailable: {{ .Values.node.maxUnavailable }} + type: {{ .Values.node.strategyType }} + selector: + matchLabels: + app: {{ .Values.windows.dsName }} + {{- include "azurefile.selectorLabels" . | nindent 6 }} + template: + metadata: + labels: + app: {{ .Values.windows.dsName }} + {{- include "azurefile.labels" . | nindent 8 }} +{{- with .Values.windows.podLabels }} +{{ toYaml . | indent 8 }} +{{- end }} +{{- with .Values.windows.podAnnotations }} + annotations: +{{ toYaml . | indent 8 }} +{{- end }} + spec: + serviceAccountName: {{ .Values.serviceAccount.node }} +{{- with .Values.windows.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} +{{- end }} + nodeSelector: + kubernetes.io/os: windows +{{- with .Values.windows.nodeSelector }} +{{ toYaml . | indent 8 }} +{{- end }} + affinity: +{{- with .Values.windows.affinity }} +{{ toYaml . | indent 8 }} +{{- end }} + nodeAffinity: +{{ toYaml .Values.windows.nodeAffinity | indent 10 }} + priorityClassName: system-node-critical + {{- if .Values.imagePullSecrets }} + imagePullSecrets: +{{ toYaml .Values.imagePullSecrets | indent 8 }} + {{- end }} + securityContext: + seccompProfile: + type: RuntimeDefault + windowsOptions: + hostProcess: true + runAsUserName: "NT AUTHORITY\\SYSTEM" + hostNetwork: true + initContainers: + - name: init +{{- if hasPrefix "/" .Values.image.azurefile.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}-windows-hp" +{{- else }} + image: "{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}-windows-hp" +{{- end }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + command: + - "powershell.exe" + - "-c" + - "New-Item -ItemType Directory -Path C:\\var\\lib\\kubelet\\plugins\\{{ .Values.driver.name }}\\ -Force" + securityContext: + capabilities: + drop: + - ALL + containers: + - name: node-driver-registrar +{{- if hasPrefix "/" .Values.image.nodeDriverRegistrar.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}" +{{- else }} + image: "{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}" +{{- end }} + command: + - "csi-node-driver-registrar.exe" + args: + - "--csi-address=$(CSI_ENDPOINT)" + - "--kubelet-registration-path=$(DRIVER_REG_SOCK_PATH)" + - "--plugin-registration-path=$(PLUGIN_REG_DIR)" + - "--v=2" + env: + - name: CSI_ENDPOINT + value: unix://{{ .Values.windows.kubelet }}\plugins\{{ .Values.driver.name }}\csi.sock + - name: DRIVER_REG_SOCK_PATH + value: C:\\var\\lib\\kubelet\\plugins\\{{ .Values.driver.name }}\\csi.sock + - name: PLUGIN_REG_DIR + value: C:\\var\\lib\\kubelet\\plugins_registry\\ + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + imagePullPolicy: {{ .Values.image.nodeDriverRegistrar.pullPolicy }} + resources: {{- toYaml .Values.windows.resources.nodeDriverRegistrar | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL + - name: azurefile +{{- if hasPrefix "/" .Values.image.azurefile.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}-windows-hp" +{{- else }} + image: "{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}-windows-hp" +{{- end }} + command: + - "azurefileplugin.exe" + args: + - "--v={{ .Values.node.logLevel }}" + - "--endpoint=$(CSI_ENDPOINT)" + - "--nodeid=$(KUBE_NODE_NAME)" + - "--kubeconfig={{ .Values.windows.kubeconfig }}" + - "--drivername={{ .Values.driver.name }}" + - "--cloud-config-secret-name={{ .Values.node.cloudConfigSecretName }}" + - "--cloud-config-secret-namespace={{ .Values.node.cloudConfigSecretNamespace }}" + - "--custom-user-agent={{ .Values.driver.customUserAgent }}" + - "--user-agent-suffix={{ .Values.driver.userAgentSuffix }}" + - "--allow-empty-cloud-config={{ .Values.node.allowEmptyCloudConfig }}" + - "--enable-get-volume-stats={{ .Values.feature.enableGetVolumeStats }}" + - "--enable-windows-host-process=true" + - "--metrics-address=0.0.0.0:{{ .Values.node.metricsPort }}" + env: + - name: AZURE_CREDENTIAL_FILE + valueFrom: + configMapKeyRef: + name: {{ .Values.azureCredentialFileConfigMap }} + key: path-windows + optional: true + - name: CSI_ENDPOINT + value: unix://{{ .Values.windows.kubelet }}\plugins\{{ .Values.driver.name }}\csi.sock + {{- if ne .Values.driver.httpsProxy "" }} + - name: HTTPS_PROXY + value: {{ .Values.driver.httpsProxy }} + {{- end }} + {{- if ne .Values.driver.httpProxy "" }} + - name: HTTP_PROXY + value: {{ .Values.driver.httpProxy }} + {{- end }} + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + imagePullPolicy: {{ .Values.image.pullPolicy }} + resources: {{- toYaml .Values.windows.resources.azurefile | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL +{{- end -}} diff --git a/charts/v1.32.9/azurefile-csi-driver/templates/csi-azurefile-node-windows.yaml b/charts/v1.32.9/azurefile-csi-driver/templates/csi-azurefile-node-windows.yaml new file mode 100644 index 0000000000..5083bc96a8 --- /dev/null +++ b/charts/v1.32.9/azurefile-csi-driver/templates/csi-azurefile-node-windows.yaml @@ -0,0 +1,229 @@ +{{- if and .Values.windows.enabled (not .Values.windows.useHostProcessContainers) }} +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: {{ .Values.windows.dsName }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Values.windows.dsName }} + {{- include "azurefile.labels" . | nindent 4 }} +{{- with .Values.windows.labels }} +{{ . | toYaml | indent 4 }} +{{- end }} +{{- with .Values.windows.annotations }} + annotations: +{{ . | toYaml | indent 4 }} +{{- end }} +spec: + updateStrategy: + rollingUpdate: + maxUnavailable: {{ .Values.node.maxUnavailable }} + type: {{ .Values.node.strategyType }} + selector: + matchLabels: + app: {{ .Values.windows.dsName }} + {{- include "azurefile.selectorLabels" . | nindent 6 }} + template: + metadata: + labels: + app: {{ .Values.windows.dsName }} + {{- include "azurefile.labels" . | nindent 8 }} +{{- with .Values.windows.podLabels }} +{{ toYaml . | indent 8 }} +{{- end }} +{{- with .Values.windows.podAnnotations }} + annotations: +{{ toYaml . | indent 8 }} +{{- end }} + spec: + serviceAccountName: {{ .Values.serviceAccount.node }} +{{- with .Values.windows.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} +{{- end }} + nodeSelector: + kubernetes.io/os: windows +{{- with .Values.windows.nodeSelector }} +{{ toYaml . | indent 8 }} +{{- end }} + affinity: +{{- with .Values.windows.affinity }} +{{ toYaml . | indent 8 }} +{{- end }} + nodeAffinity: +{{ toYaml .Values.windows.nodeAffinity | indent 10 }} + priorityClassName: system-node-critical + securityContext: + seccompProfile: + type: RuntimeDefault + {{- if .Values.imagePullSecrets }} + imagePullSecrets: +{{ toYaml .Values.imagePullSecrets | indent 8 }} + {{- end }} + containers: + - name: liveness-probe + volumeMounts: + - mountPath: C:\csi + name: plugin-dir +{{- if hasPrefix "/" .Values.image.livenessProbe.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}" +{{- else }} + image: "{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}" +{{- end }} + args: + - "--csi-address=$(CSI_ENDPOINT)" + - "--probe-timeout=3s" + - "--health-port={{ .Values.node.livenessProbe.healthPort }}" + - "--v=2" + env: + - name: CSI_ENDPOINT + value: unix://C:\\csi\\csi.sock + imagePullPolicy: {{ .Values.image.livenessProbe.pullPolicy }} + resources: {{- toYaml .Values.windows.resources.livenessProbe | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL + - name: node-driver-registrar +{{- if hasPrefix "/" .Values.image.nodeDriverRegistrar.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}" +{{- else }} + image: "{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}" +{{- end }} + args: + - "--csi-address=$(CSI_ENDPOINT)" + - "--kubelet-registration-path=$(DRIVER_REG_SOCK_PATH)" + - "--v=2" + env: + - name: CSI_ENDPOINT + value: unix://C:\\csi\\csi.sock + - name: DRIVER_REG_SOCK_PATH + value: C:\\var\\lib\\kubelet\\plugins\\{{ .Values.driver.name }}\\csi.sock + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + imagePullPolicy: {{ .Values.image.nodeDriverRegistrar.pullPolicy }} + volumeMounts: + - name: kubelet-dir + mountPath: "C:\\var\\lib\\kubelet" + - name: plugin-dir + mountPath: C:\csi + - name: registration-dir + mountPath: C:\registration + resources: {{- toYaml .Values.windows.resources.nodeDriverRegistrar | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL + - name: azurefile +{{- if hasPrefix "/" .Values.image.azurefile.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}" +{{- else }} + image: "{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}" +{{- end }} + args: + - "--v={{ .Values.node.logLevel }}" + - "--endpoint=$(CSI_ENDPOINT)" + - "--nodeid=$(KUBE_NODE_NAME)" + - "--kubeconfig={{ .Values.windows.kubeconfig }}" + - "--drivername={{ .Values.driver.name }}" + - "--cloud-config-secret-name={{ .Values.node.cloudConfigSecretName }}" + - "--cloud-config-secret-namespace={{ .Values.node.cloudConfigSecretNamespace }}" + - "--custom-user-agent={{ .Values.driver.customUserAgent }}" + - "--user-agent-suffix={{ .Values.driver.userAgentSuffix }}" + - "--allow-empty-cloud-config={{ .Values.node.allowEmptyCloudConfig }}" + - "--enable-get-volume-stats={{ .Values.feature.enableGetVolumeStats }}" + - "--allow-inline-volume-key-access-with-identity={{ .Values.node.allowInlineVolumeKeyAccessWithIdentity }}" + - "--metrics-address=0.0.0.0:{{ .Values.node.metricsPort }}" + ports: + - containerPort: {{ .Values.node.livenessProbe.healthPort }} + name: healthz + protocol: TCP + livenessProbe: + failureThreshold: 5 + httpGet: + path: /healthz + port: healthz + initialDelaySeconds: 60 + timeoutSeconds: 60 + periodSeconds: 60 + env: + - name: AZURE_CREDENTIAL_FILE + valueFrom: + configMapKeyRef: + name: {{ .Values.azureCredentialFileConfigMap }} + key: path-windows + optional: true + - name: CSI_ENDPOINT + value: unix://C:\\csi\\csi.sock + {{- if ne .Values.driver.httpsProxy "" }} + - name: HTTPS_PROXY + value: {{ .Values.driver.httpsProxy }} + {{- end }} + {{- if ne .Values.driver.httpProxy "" }} + - name: HTTP_PROXY + value: {{ .Values.driver.httpProxy }} + {{- end }} + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: AZURE_GO_SDK_LOG_LEVEL + value: {{ .Values.driver.azureGoSDKLogLevel }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + volumeMounts: + - name: kubelet-dir + mountPath: "C:\\var\\lib\\kubelet" + - name: plugin-dir + mountPath: C:\csi + - name: azure-config + mountPath: C:\k + - name: csi-proxy-fs-pipe-v1 + mountPath: \\.\pipe\csi-proxy-filesystem-v1 + - name: csi-proxy-smb-pipe-v1 + mountPath: \\.\pipe\csi-proxy-smb-v1 + # these paths are still included for compatibility, they're used + # only if the node has still the beta version of the CSI proxy + - name: csi-proxy-fs-pipe-v1beta1 + mountPath: \\.\pipe\csi-proxy-filesystem-v1beta1 + - name: csi-proxy-smb-pipe-v1beta1 + mountPath: \\.\pipe\csi-proxy-smb-v1beta1 + resources: {{- toYaml .Values.windows.resources.azurefile | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL + volumes: + - name: csi-proxy-fs-pipe-v1 + hostPath: + path: \\.\pipe\csi-proxy-filesystem-v1 + - name: csi-proxy-smb-pipe-v1 + hostPath: + path: \\.\pipe\csi-proxy-smb-v1 + # these paths are still included for compatibility, they're used + # only if the node has still the beta version of the CSI proxy + - name: csi-proxy-fs-pipe-v1beta1 + hostPath: + path: \\.\pipe\csi-proxy-filesystem-v1beta1 + - name: csi-proxy-smb-pipe-v1beta1 + hostPath: + path: \\.\pipe\csi-proxy-smb-v1beta1 + - name: registration-dir + hostPath: + path: {{ .Values.windows.kubelet }}\plugins_registry\ + type: Directory + - name: kubelet-dir + hostPath: + path: {{ .Values.windows.kubelet }}\ + type: Directory + - name: plugin-dir + hostPath: + path: {{ .Values.windows.kubelet }}\plugins\{{ .Values.driver.name }}\ + type: DirectoryOrCreate + - name: azure-config + hostPath: + path: C:\k + type: Directory +{{- end -}} diff --git a/charts/v1.32.9/azurefile-csi-driver/templates/csi-azurefile-node.yaml b/charts/v1.32.9/azurefile-csi-driver/templates/csi-azurefile-node.yaml new file mode 100644 index 0000000000..b8f3bd0f3f --- /dev/null +++ b/charts/v1.32.9/azurefile-csi-driver/templates/csi-azurefile-node.yaml @@ -0,0 +1,227 @@ +{{- if .Values.linux.enabled}} +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: {{ .Values.linux.dsName }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Values.linux.dsName }} + {{- include "azurefile.labels" . | nindent 4 }} +{{- with .Values.linux.labels }} +{{ . | toYaml | indent 4 }} +{{- end }} +{{- with .Values.linux.annotations }} + annotations: +{{ . | toYaml | indent 4 }} +{{- end }} +spec: + updateStrategy: + rollingUpdate: + maxUnavailable: {{ .Values.node.maxUnavailable }} + type: {{ .Values.node.strategyType }} + selector: + matchLabels: + app: {{ .Values.linux.dsName }} + {{- include "azurefile.selectorLabels" . | nindent 6 }} + template: + metadata: + labels: + app: {{ .Values.linux.dsName }} + {{- include "azurefile.labels" . | nindent 8 }} + {{- if .Values.workloadIdentity.clientID }} + azure.workload.identity/use: "true" + {{- end }} +{{- with .Values.linux.podLabels }} +{{ toYaml . | indent 8 }} +{{- end }} +{{- with .Values.linux.podAnnotations }} + annotations: +{{ toYaml . | indent 8 }} +{{- end }} + spec: + hostNetwork: true + dnsPolicy: {{ .Values.linux.dnsPolicy }} + serviceAccountName: {{ .Values.serviceAccount.node }} + nodeSelector: + kubernetes.io/os: linux +{{- with .Values.linux.nodeSelector }} +{{ toYaml . | indent 8 }} +{{- end }} + affinity: +{{- with .Values.linux.affinity }} +{{ toYaml . | indent 8 }} +{{- end }} + nodeAffinity: +{{ toYaml .Values.linux.nodeAffinity | indent 10 }} + priorityClassName: system-node-critical + securityContext: + seccompProfile: + type: RuntimeDefault +{{- with .Values.linux.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} +{{- end }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: +{{ toYaml .Values.imagePullSecrets | indent 8 }} + {{- end }} + containers: + - name: liveness-probe + volumeMounts: + - mountPath: /csi + name: socket-dir +{{- if hasPrefix "/" .Values.image.livenessProbe.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}" +{{- else }} + image: "{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}" +{{- end }} + args: + - --csi-address=/csi/csi.sock + - --probe-timeout=10s + - --http-endpoint=localhost:{{ .Values.node.livenessProbe.healthPort }} + - --v=2 + imagePullPolicy: {{ .Values.image.livenessProbe.pullPolicy }} + resources: {{- toYaml .Values.linux.resources.livenessProbe | nindent 12 }} + - name: node-driver-registrar +{{- if hasPrefix "/" .Values.image.nodeDriverRegistrar.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}" +{{- else }} + image: "{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}" +{{- end }} + args: + - --csi-address=$(ADDRESS) + - --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH) + - --v=2 + env: + - name: ADDRESS + value: /csi/csi.sock + - name: DRIVER_REG_SOCK_PATH + value: {{ .Values.linux.kubelet }}/plugins/{{ .Values.driver.name }}/csi.sock + imagePullPolicy: {{ .Values.image.nodeDriverRegistrar.pullPolicy }} + volumeMounts: + - name: socket-dir + mountPath: /csi + - name: registration-dir + mountPath: /registration + resources: {{- toYaml .Values.linux.resources.nodeDriverRegistrar | nindent 12 }} + - name: azurefile +{{- if hasPrefix "/" .Values.image.azurefile.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}" +{{- else }} + image: "{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}" +{{- end }} + args: + - "--v={{ .Values.node.logLevel }}" + - "--endpoint=$(CSI_ENDPOINT)" + - "--nodeid=$(KUBE_NODE_NAME)" + - "--kubeconfig={{ .Values.linux.kubeconfig }}" + - "--drivername={{ .Values.driver.name }}" + - "--cloud-config-secret-name={{ .Values.node.cloudConfigSecretName }}" + - "--cloud-config-secret-namespace={{ .Values.node.cloudConfigSecretNamespace }}" + - "--custom-user-agent={{ .Values.driver.customUserAgent }}" + - "--user-agent-suffix={{ .Values.driver.userAgentSuffix }}" + - "--allow-empty-cloud-config={{ .Values.node.allowEmptyCloudConfig }}" + - "--enable-volume-mount-group={{ .Values.feature.enableVolumeMountGroup }}" + - "--enable-get-volume-stats={{ .Values.feature.enableGetVolumeStats }}" + - "--mount-permissions={{ .Values.linux.mountPermissions }}" + - "--allow-inline-volume-key-access-with-identity={{ .Values.node.allowInlineVolumeKeyAccessWithIdentity }}" + - "--metrics-address=0.0.0.0:{{ .Values.node.metricsPort }}" + - "--enable-kata-cc-mount={{ .Values.node.enableKataCCMount }}" + livenessProbe: + failureThreshold: 5 + httpGet: + host: localhost + path: /healthz + port: {{ .Values.node.livenessProbe.healthPort }} + initialDelaySeconds: 30 + timeoutSeconds: 30 + periodSeconds: 30 + env: + - name: AZURE_CREDENTIAL_FILE + valueFrom: + configMapKeyRef: + name: {{ .Values.azureCredentialFileConfigMap }} + key: path + optional: true + - name: CSI_ENDPOINT + value: unix:///csi/csi.sock + {{- if ne .Values.driver.httpsProxy "" }} + - name: HTTPS_PROXY + value: {{ .Values.driver.httpsProxy }} + {{- end }} + {{- if ne .Values.driver.httpProxy "" }} + - name: HTTP_PROXY + value: {{ .Values.driver.httpProxy }} + {{- end }} + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: AZURE_GO_SDK_LOG_LEVEL + value: {{ .Values.driver.azureGoSDKLogLevel }} + imagePullPolicy: {{ .Values.image.azurefile.pullPolicy }} + securityContext: + privileged: true + capabilities: + drop: + - ALL + volumeMounts: + - mountPath: /csi + name: socket-dir + - mountPath: {{ .Values.linux.kubelet }}/ + mountPropagation: Bidirectional + name: mountpoint-dir + - mountPath: /etc/kubernetes/ + name: azure-cred + - mountPath: /dev + name: device-dir + {{- if eq .Values.linux.distro "fedora" }} + - name: ssl + mountPath: /etc/ssl/certs + readOnly: true + - name: ssl-pki + mountPath: /etc/pki/ca-trust/extracted + readOnly: true + {{- end }} + {{- if .Values.node.enableKataCCMount }} + - mountPath: /run/kata-containers/shared/direct-volumes + name: kata-direct-volumes + {{- end }} + resources: {{- toYaml .Values.linux.resources.azurefile | nindent 12 }} + volumes: + - hostPath: + path: {{ .Values.linux.kubelet }}/plugins/{{ .Values.driver.name }} + type: DirectoryOrCreate + name: socket-dir + - hostPath: + path: {{ .Values.linux.kubelet }}/ + type: DirectoryOrCreate + name: mountpoint-dir + - hostPath: + path: {{ .Values.linux.kubelet }}/plugins_registry/ + type: DirectoryOrCreate + name: registration-dir + - hostPath: + path: /etc/kubernetes/ + type: DirectoryOrCreate + name: azure-cred + - hostPath: + path: /dev + type: Directory + name: device-dir + {{- if eq .Values.linux.distro "fedora" }} + - name: ssl + hostPath: + path: /etc/ssl/certs + - name: ssl-pki + hostPath: + path: /etc/pki/ca-trust/extracted + {{- end }} + {{- if .Values.node.enableKataCCMount }} + - name: kata-direct-volumes + hostPath: + path: /run/kata-containers/shared/direct-volumes/ + type: DirectoryOrCreate + {{- end }} +{{- end -}} diff --git a/charts/v1.32.9/azurefile-csi-driver/templates/csi-snapshot-controller.yaml b/charts/v1.32.9/azurefile-csi-driver/templates/csi-snapshot-controller.yaml new file mode 100644 index 0000000000..c671d5ba89 --- /dev/null +++ b/charts/v1.32.9/azurefile-csi-driver/templates/csi-snapshot-controller.yaml @@ -0,0 +1,99 @@ +{{- if .Values.snapshot.enabled -}} +kind: Deployment +apiVersion: apps/v1 +metadata: + name: {{ .Values.snapshot.snapshotController.name}} + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Values.snapshot.snapshotController.name}} + {{- include "azurefile.labels" . | nindent 4 }} +{{- with .Values.snapshot.snapshotController.labels }} +{{ . | toYaml | indent 4 }} +{{- end }} +{{- with .Values.snapshot.snapshotController.annotations }} + annotations: +{{ . | toYaml | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.snapshot.snapshotController.replicas }} + selector: + matchLabels: + app: {{ .Values.snapshot.snapshotController.name}} + {{- include "azurefile.selectorLabels" . | nindent 6 }} + # the snapshot controller won't be marked as ready if the v1 CRDs are unavailable + # in #504 the snapshot-controller will exit after around 7.5 seconds if it + # can't find the v1 CRDs so this value should be greater than that + minReadySeconds: 15 + strategy: + rollingUpdate: + maxSurge: 0 + maxUnavailable: 1 + type: {{ .Values.snapshot.snapshotController.strategyType }} + template: + metadata: + labels: + app: {{ .Values.snapshot.snapshotController.name}} + {{- include "azurefile.labels" . | nindent 8 }} +{{- with .Values.snapshot.snapshotController.podLabels }} +{{ toYaml . | indent 8 }} +{{- end }} +{{- with .Values.snapshot.snapshotController.podAnnotations }} + annotations: +{{ toYaml . | indent 8 }} +{{- end }} + spec: + serviceAccountName: {{ .Values.serviceAccount.snapshotController }} + nodeSelector: + kubernetes.io/os: linux + # runOnControlPlane=true or runOnMaster=true only takes effect if affinity is not set + {{- if tpl "{{ .Values.controller.affinity }}" . | contains "nodeSelectorTerms" }} + {{- with .Values.controller.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- else if or .Values.controller.runOnControlPlane .Values.controller.runOnMaster}} + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + {{- if .Values.controller.runOnControlPlane}} + - key: node-role.kubernetes.io/control-plane + operator: Exists + {{- end}} + {{- if .Values.controller.runOnMaster}} + - key: node-role.kubernetes.io/master + operator: Exists + {{- end}} + {{- end }} + priorityClassName: system-cluster-critical + securityContext: + seccompProfile: + type: RuntimeDefault +{{- with .Values.controller.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} +{{- end }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: +{{ toYaml .Values.imagePullSecrets | indent 8 }} + {{- end }} + containers: + - name: {{ .Values.snapshot.snapshotController.name}} +{{- if hasPrefix "/" .Values.snapshot.image.csiSnapshotController.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.snapshot.image.csiSnapshotController.repository }}:{{ .Values.snapshot.image.csiSnapshotController.tag }}" +{{- else }} + image: "{{ .Values.snapshot.image.csiSnapshotController.repository }}:{{ .Values.snapshot.image.csiSnapshotController.tag }}" +{{- end }} + args: + - "--v=2" + - "--leader-election=true" + - "--leader-election-namespace={{ .Release.Namespace }}" + - "--retry-interval-max=30m" + resources: {{- toYaml .Values.snapshot.snapshotController.resources | nindent 12 }} + imagePullPolicy: {{ .Values.snapshot.image.csiSnapshotController.pullPolicy }} + securityContext: + capabilities: + drop: + - ALL +{{- end -}} diff --git a/charts/v1.32.9/azurefile-csi-driver/templates/rbac-csi-azurefile-controller.yaml b/charts/v1.32.9/azurefile-csi-driver/templates/rbac-csi-azurefile-controller.yaml new file mode 100644 index 0000000000..e0a2e14d95 --- /dev/null +++ b/charts/v1.32.9/azurefile-csi-driver/templates/rbac-csi-azurefile-controller.yaml @@ -0,0 +1,207 @@ +{{- if .Values.rbac.create -}} +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Values.rbac.name }}-external-provisioner-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "create", "patch", "delete"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["storage.k8s.io"] + resources: ["storageclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["get", "list", "watch", "create", "update", "patch"] + - apiGroups: ["storage.k8s.io"] + resources: ["csinodes"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "watch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots"] + verbs: ["get", "list"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["get", "list"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create", "patch"] +--- + +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Values.rbac.name }}-csi-provisioner-binding + labels: + {{- include "azurefile.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccount.controller }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: {{ .Values.rbac.name }}-external-provisioner-role + apiGroup: rbac.authorization.k8s.io + +--- + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Values.rbac.name }}-external-attacher-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "watch"] + - apiGroups: ["csi.storage.k8s.io"] + resources: ["csinodeinfos"] + verbs: ["get", "list", "watch"] + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments/status"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create", "patch"] +--- + +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Values.rbac.name }}-csi-attacher-binding + labels: + {{- include "azurefile.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccount.controller }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: {{ .Values.rbac.name }}-external-attacher-role + apiGroup: rbac.authorization.k8s.io + +--- + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Values.rbac.name }}-external-snapshotter-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["create", "get", "list", "watch", "update", "delete", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents/status"] + verbs: ["update", "patch"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create", "patch"] +--- + +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Values.rbac.name }}-csi-snapshotter-binding + labels: + {{- include "azurefile.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccount.controller }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: {{ .Values.rbac.name }}-external-snapshotter-role + apiGroup: rbac.authorization.k8s.io + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Values.rbac.name }}-external-resizer-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["persistentvolumeclaims/status"] + verbs: ["update", "patch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create", "patch"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Values.rbac.name }}-csi-resizer-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccount.controller }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: {{ .Values.rbac.name }}-external-resizer-role + apiGroup: rbac.authorization.k8s.io + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-{{ .Values.rbac.name }}-controller-secret-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "create"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-{{ .Values.rbac.name }}-controller-secret-binding + labels: + {{- include "azurefile.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccount.controller }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: csi-{{ .Values.rbac.name }}-controller-secret-role + apiGroup: rbac.authorization.k8s.io +{{ end }} diff --git a/charts/v1.32.9/azurefile-csi-driver/templates/rbac-csi-azurefile-node.yaml b/charts/v1.32.9/azurefile-csi-driver/templates/rbac-csi-azurefile-node.yaml new file mode 100644 index 0000000000..39790e1438 --- /dev/null +++ b/charts/v1.32.9/azurefile-csi-driver/templates/rbac-csi-azurefile-node.yaml @@ -0,0 +1,64 @@ +{{- if .Values.rbac.create -}} +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-{{ .Values.rbac.name }}-node-secret-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-{{ .Values.rbac.name }}-node-secret-binding + labels: + {{- include "azurefile.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccount.node }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: csi-{{ .Values.rbac.name }}-node-secret-role + apiGroup: rbac.authorization.k8s.io +--- +{{- if .Values.node.enableKataCCMount -}} +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-{{ .Values.rbac.name }}-node-katacc-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["pods"] + verbs: ["get"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get"] + - apiGroups: ["node.k8s.io"] + resources: ["runtimeclasses"] + verbs: ["get", "list"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-{{ .Values.rbac.name }}-node-katacc-binding + labels: + {{- include "azurefile.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccount.node }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: csi-{{ .Values.rbac.name }}-node-katacc-role + apiGroup: rbac.authorization.k8s.io +--- +{{ end }} +{{ end }} diff --git a/charts/v1.32.9/azurefile-csi-driver/templates/rbac-csi-snapshot-controller.yaml b/charts/v1.32.9/azurefile-csi-driver/templates/rbac-csi-snapshot-controller.yaml new file mode 100644 index 0000000000..853a9b4375 --- /dev/null +++ b/charts/v1.32.9/azurefile-csi-driver/templates/rbac-csi-snapshot-controller.yaml @@ -0,0 +1,80 @@ +{{- if and .Values.snapshot.enabled .Values.rbac.create -}} +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-snapshot-controller-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["storage.k8s.io"] + resources: ["storageclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["create", "get", "list", "watch", "update", "delete", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents/status"] + verbs: ["patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots"] + verbs: ["get", "list", "watch", "update", "patch", "create"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots/status"] + verbs: ["update", "patch"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-snapshot-controller-binding + labels: + {{- include "azurefile.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccount.snapshotController }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: csi-snapshot-controller-role + apiGroup: rbac.authorization.k8s.io + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-snapshot-controller-leaderelection-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +rules: + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create", "patch"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-snapshot-controller-leaderelection-binding + labels: + {{- include "azurefile.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccount.snapshotController }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: csi-snapshot-controller-leaderelection-role + apiGroup: rbac.authorization.k8s.io +{{ end }} diff --git a/charts/v1.32.9/azurefile-csi-driver/templates/serviceaccount-csi-azurefile-controller.yaml b/charts/v1.32.9/azurefile-csi-driver/templates/serviceaccount-csi-azurefile-controller.yaml new file mode 100644 index 0000000000..71442b70dc --- /dev/null +++ b/charts/v1.32.9/azurefile-csi-driver/templates/serviceaccount-csi-azurefile-controller.yaml @@ -0,0 +1,17 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ .Values.serviceAccount.controller }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "azurefile.labels" . | nindent 4 }} +{{- if .Values.workloadIdentity.clientID }} + azure.workload.identity/use: "true" + annotations: + azure.workload.identity/client-id: {{ .Values.workloadIdentity.clientID }} +{{- if .Values.workloadIdentity.tenantID }} + azure.workload.identity/tenant-id: {{ .Values.workloadIdentity.tenantID }} +{{- end }} +{{- end }} +{{- end -}} diff --git a/charts/v1.32.9/azurefile-csi-driver/templates/serviceaccount-csi-azurefile-node.yaml b/charts/v1.32.9/azurefile-csi-driver/templates/serviceaccount-csi-azurefile-node.yaml new file mode 100644 index 0000000000..ab2074429d --- /dev/null +++ b/charts/v1.32.9/azurefile-csi-driver/templates/serviceaccount-csi-azurefile-node.yaml @@ -0,0 +1,17 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ .Values.serviceAccount.node }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "azurefile.labels" . | nindent 4 }} +{{- if .Values.workloadIdentity.clientID }} + azure.workload.identity/use: "true" + annotations: + azure.workload.identity/client-id: {{ .Values.workloadIdentity.clientID }} +{{- if .Values.workloadIdentity.tenantID }} + azure.workload.identity/tenant-id: {{ .Values.workloadIdentity.tenantID }} +{{- end }} +{{- end }} +{{- end -}} diff --git a/charts/v1.32.9/azurefile-csi-driver/templates/serviceaccount-csi-snapshot-controller.yaml b/charts/v1.32.9/azurefile-csi-driver/templates/serviceaccount-csi-snapshot-controller.yaml new file mode 100644 index 0000000000..e77ef8f991 --- /dev/null +++ b/charts/v1.32.9/azurefile-csi-driver/templates/serviceaccount-csi-snapshot-controller.yaml @@ -0,0 +1,9 @@ +{{- if and .Values.snapshot.enabled .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ .Values.serviceAccount.snapshotController }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "azurefile.labels" . | nindent 4 }} +{{- end -}} diff --git a/charts/v1.32.9/azurefile-csi-driver/values.yaml b/charts/v1.32.9/azurefile-csi-driver/values.yaml new file mode 100644 index 0000000000..ab42f03b68 --- /dev/null +++ b/charts/v1.32.9/azurefile-csi-driver/values.yaml @@ -0,0 +1,263 @@ +image: + baseRepo: mcr.microsoft.com + azurefile: + repository: /oss/v2/kubernetes-csi/azurefile-csi + tag: v1.32.9 + pullPolicy: IfNotPresent + csiProvisioner: + repository: /oss/kubernetes-csi/csi-provisioner + tag: v5.2.0 + pullPolicy: IfNotPresent + csiResizer: + repository: /oss/v2/kubernetes-csi/csi-resizer + tag: v1.13.2 + pullPolicy: IfNotPresent + livenessProbe: + repository: /oss/v2/kubernetes-csi/livenessprobe + tag: v2.15.0 + pullPolicy: IfNotPresent + nodeDriverRegistrar: + repository: /oss/v2/kubernetes-csi/csi-node-driver-registrar + tag: v2.13.0 + pullPolicy: IfNotPresent + +## Reference to one or more secrets to be used when pulling images +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ +imagePullSecrets: [] +# - name: myRegistryKeySecretName + +# -- Custom labels to add into metadata +customLabels: {} + # k8s-app: azurefile-csi-driver + +serviceAccount: + create: true # When true, service accounts will be created for you. Set to false if you want to use your own. + controller: csi-azurefile-controller-sa # Name of Service Account to be created or used + node: csi-azurefile-node-sa # Name of Service Account to be created or used + snapshotController: csi-snapshot-controller-sa # Name of Service Account to be created or used + +rbac: + create: true + name: azurefile + +controller: + name: csi-azurefile-controller + cloudConfigSecretName: azure-cloud-provider + cloudConfigSecretNamespace: kube-system + allowEmptyCloudConfig: true + replicas: 2 + strategyType: RollingUpdate + hostNetwork: true # this setting could be disabled if controller does not depend on MSI setting + metricsPort: 29614 + livenessProbe: + healthPort: 29612 + runOnMaster: false + runOnControlPlane: false + attachRequired: false + logLevel: 5 + labels: {} + annotations: {} + podLabels: {} + podAnnotations: {} + resources: + csiProvisioner: + limits: + cpu: 1 + memory: 500Mi + requests: + cpu: 10m + memory: 20Mi + csiResizer: + limits: + cpu: 1 + memory: 500Mi + requests: + cpu: 10m + memory: 20Mi + csiSnapshotter: + limits: + cpu: 1 + memory: 400Mi + requests: + cpu: 10m + memory: 20Mi + livenessProbe: + limits: + cpu: 1 + memory: 100Mi + requests: + cpu: 10m + memory: 20Mi + azurefile: + limits: + cpu: 2 + memory: 800Mi + requests: + cpu: 10m + memory: 20Mi + kubeconfig: "" + affinity: {} + nodeSelector: {} + tolerations: + - key: "node-role.kubernetes.io/master" + operator: "Exists" + effect: "NoSchedule" + - key: "node-role.kubernetes.io/controlplane" + operator: "Exists" + effect: "NoSchedule" + - key: "node-role.kubernetes.io/control-plane" + operator: "Exists" + effect: "NoSchedule" + - key: "CriticalAddonsOnly" + operator: "Exists" + effect: "NoSchedule" + +node: + strategyType: RollingUpdate + maxUnavailable: 1 + cloudConfigSecretName: azure-cloud-provider + cloudConfigSecretNamespace: kube-system + allowEmptyCloudConfig: true + allowInlineVolumeKeyAccessWithIdentity: false + enableKataCCMount: false + metricsPort: 29615 + livenessProbe: + healthPort: 29613 + logLevel: 5 + +snapshot: + enabled: false + image: + csiSnapshotter: + repository: /oss/kubernetes-csi/csi-snapshotter + tag: v8.2.1 + pullPolicy: IfNotPresent + csiSnapshotController: + repository: /oss/kubernetes-csi/snapshot-controller + tag: v8.2.1 + pullPolicy: IfNotPresent + snapshotController: + name: csi-snapshot-controller + replicas: 2 + strategyType: RollingUpdate + labels: {} + annotations: {} + podLabels: {} + podAnnotations: {} + resources: + limits: + cpu: 1 + memory: 500Mi + requests: + cpu: 10m + memory: 20Mi + +feature: + enableGetVolumeStats: true + enableVolumeMountGroup: true + fsGroupPolicy: ReadWriteOnceWithFSType + +driver: + name: file.csi.azure.com + customUserAgent: "" + userAgentSuffix: "OSS-helm" + azureGoSDKLogLevel: "" # available values: ""(no logs), DEBUG, INFO, WARNING, ERROR + httpsProxy: "" + httpProxy: "" + +linux: + enabled: true + dsName: csi-azurefile-node # daemonset name + dnsPolicy: Default # available values: Default, ClusterFirst, ClusterFirstWithHostNet, None + kubelet: /var/lib/kubelet + kubeconfig: "" + distro: debian # available values: debian, fedora + mountPermissions: 0777 + labels: {} + annotations: {} + podLabels: {} + podAnnotations: {} + resources: + livenessProbe: + limits: + memory: 100Mi + requests: + cpu: 10m + memory: 20Mi + nodeDriverRegistrar: + limits: + memory: 100Mi + requests: + cpu: 10m + memory: 20Mi + azurefile: + limits: + memory: 400Mi + requests: + cpu: 10m + memory: 20Mi + tolerations: + - operator: "Exists" + nodeSelector: {} + affinity: {} + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: type + operator: NotIn + values: + - virtual-kubelet + +windows: + enabled: true + useHostProcessContainers: true + dsName: csi-azurefile-node-win # daemonset name + kubelet: 'C:\var\lib\kubelet' + kubeconfig: "" + enableRegistrationProbe: true + labels: {} + annotations: {} + podLabels: {} + podAnnotations: {} + resources: + livenessProbe: + limits: + memory: 150Mi + requests: + cpu: 10m + memory: 40Mi + nodeDriverRegistrar: + limits: + memory: 150Mi + requests: + cpu: 30m + memory: 40Mi + azurefile: + limits: + memory: 600Mi + requests: + cpu: 10m + memory: 40Mi + tolerations: + - key: "node.kubernetes.io/os" + operator: "Exists" + effect: "NoSchedule" + nodeSelector: {} + affinity: {} + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: type + operator: NotIn + values: + - virtual-kubelet + +workloadIdentity: + clientID: "" + # [optional] If the AAD application or user-assigned managed identity is not in the same tenant as the cluster + # then set tenantID with the application or user-assigned managed identity tenant ID + tenantID: "" + +azureCredentialFileConfigMap: azure-cred-file diff --git a/charts/v1.33.5/azurefile-csi-driver-1.33.5.tgz b/charts/v1.33.5/azurefile-csi-driver-1.33.5.tgz new file mode 100644 index 0000000000..bad2cf6cef Binary files /dev/null and b/charts/v1.33.5/azurefile-csi-driver-1.33.5.tgz differ diff --git a/charts/v1.33.5/azurefile-csi-driver/Chart.yaml b/charts/v1.33.5/azurefile-csi-driver/Chart.yaml new file mode 100644 index 0000000000..33b3efb6f8 --- /dev/null +++ b/charts/v1.33.5/azurefile-csi-driver/Chart.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +appVersion: 1.33.5 +description: Azure File Container Storage Interface (CSI) Storage Plugin +name: azurefile-csi-driver +version: 1.33.5 diff --git a/charts/v1.33.5/azurefile-csi-driver/templates/NOTES.txt b/charts/v1.33.5/azurefile-csi-driver/templates/NOTES.txt new file mode 100644 index 0000000000..bea09b0829 --- /dev/null +++ b/charts/v1.33.5/azurefile-csi-driver/templates/NOTES.txt @@ -0,0 +1,5 @@ +The Azure File CSI Driver is getting deployed to your cluster. + +To check Azure File CSI Driver pods status, please run: + + kubectl --namespace={{ .Release.Namespace }} get pods --selector="app.kubernetes.io/name={{ .Release.Name }}" --watch diff --git a/charts/v1.33.5/azurefile-csi-driver/templates/_helpers.tpl b/charts/v1.33.5/azurefile-csi-driver/templates/_helpers.tpl new file mode 100644 index 0000000000..b1bf4dc1b6 --- /dev/null +++ b/charts/v1.33.5/azurefile-csi-driver/templates/_helpers.tpl @@ -0,0 +1,49 @@ +{{/* vim: set filetype=mustache: */}} + +{{/* Expand the name of the chart.*/}} +{{- define "azurefile.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "azurefile.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Common selectors. +*/}} +{{- define "azurefile.selectorLabels" -}} +app.kubernetes.io/name: {{ template "azurefile.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end -}} + +{{/* +Common labels. +*/}} +{{- define "azurefile.labels" -}} +{{- include "azurefile.selectorLabels" . }} +app.kubernetes.io/component: csi-driver +app.kubernetes.io/part-of: {{ template "azurefile.name" . }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +helm.sh/chart: {{ template "azurefile.chart" . }} +{{- if .Values.customLabels }} +{{ toYaml .Values.customLabels }} +{{- end }} +{{- end -}} + + +{{/* pull secrets for containers */}} +{{- define "azurefile.pullSecrets" -}} +{{- if .Values.imagePullSecrets }} +imagePullSecrets: +{{- range .Values.imagePullSecrets }} + - name: {{ . }} +{{- end }} +{{- end }} +{{- end -}} diff --git a/charts/v1.33.5/azurefile-csi-driver/templates/crd-csi-snapshot.yaml b/charts/v1.33.5/azurefile-csi-driver/templates/crd-csi-snapshot.yaml new file mode 100644 index 0000000000..3a66c45732 --- /dev/null +++ b/charts/v1.33.5/azurefile-csi-driver/templates/crd-csi-snapshot.yaml @@ -0,0 +1,953 @@ +{{- if .Values.snapshot.enabled -}} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + api-approved.kubernetes.io: "https://github.com/kubernetes-csi/external-snapshotter/pull/814" + name: volumesnapshots.snapshot.storage.k8s.io +spec: + group: snapshot.storage.k8s.io + names: + kind: VolumeSnapshot + listKind: VolumeSnapshotList + plural: volumesnapshots + shortNames: + - vs + singular: volumesnapshot + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Indicates if the snapshot is ready to be used to restore a volume. + jsonPath: .status.readyToUse + name: ReadyToUse + type: boolean + - description: If a new snapshot needs to be created, this contains the name of + the source PVC from which this snapshot was (or will be) created. + jsonPath: .spec.source.persistentVolumeClaimName + name: SourcePVC + type: string + - description: If a snapshot already exists, this contains the name of the existing + VolumeSnapshotContent object representing the existing snapshot. + jsonPath: .spec.source.volumeSnapshotContentName + name: SourceSnapshotContent + type: string + - description: Represents the minimum size of volume required to rehydrate from + this snapshot. + jsonPath: .status.restoreSize + name: RestoreSize + type: string + - description: The name of the VolumeSnapshotClass requested by the VolumeSnapshot. + jsonPath: .spec.volumeSnapshotClassName + name: SnapshotClass + type: string + - description: Name of the VolumeSnapshotContent object to which the VolumeSnapshot + object intends to bind to. Please note that verification of binding actually + requires checking both VolumeSnapshot and VolumeSnapshotContent to ensure + both are pointing at each other. Binding MUST be verified prior to usage of + this object. + jsonPath: .status.boundVolumeSnapshotContentName + name: SnapshotContent + type: string + - description: Timestamp when the point-in-time snapshot was taken by the underlying + storage system. + jsonPath: .status.creationTime + name: CreationTime + type: date + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + VolumeSnapshot is a user's request for either creating a point-in-time + snapshot of a persistent volume, or binding to a pre-existing snapshot. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + spec defines the desired characteristics of a snapshot requested by a user. + More info: https://kubernetes.io/docs/concepts/storage/volume-snapshots#volumesnapshots + Required. + properties: + source: + description: |- + source specifies where a snapshot will be created from. + This field is immutable after creation. + Required. + properties: + persistentVolumeClaimName: + description: |- + persistentVolumeClaimName specifies the name of the PersistentVolumeClaim + object representing the volume from which a snapshot should be created. + This PVC is assumed to be in the same namespace as the VolumeSnapshot + object. + This field should be set if the snapshot does not exists, and needs to be + created. + This field is immutable. + type: string + x-kubernetes-validations: + - message: persistentVolumeClaimName is immutable + rule: self == oldSelf + volumeSnapshotContentName: + description: |- + volumeSnapshotContentName specifies the name of a pre-existing VolumeSnapshotContent + object representing an existing volume snapshot. + This field should be set if the snapshot already exists and only needs a representation in Kubernetes. + This field is immutable. + type: string + x-kubernetes-validations: + - message: volumeSnapshotContentName is immutable + rule: self == oldSelf + type: object + x-kubernetes-validations: + - message: persistentVolumeClaimName is required once set + rule: '!has(oldSelf.persistentVolumeClaimName) || has(self.persistentVolumeClaimName)' + - message: volumeSnapshotContentName is required once set + rule: '!has(oldSelf.volumeSnapshotContentName) || has(self.volumeSnapshotContentName)' + - message: exactly one of volumeSnapshotContentName and persistentVolumeClaimName + must be set + rule: (has(self.volumeSnapshotContentName) && !has(self.persistentVolumeClaimName)) + || (!has(self.volumeSnapshotContentName) && has(self.persistentVolumeClaimName)) + volumeSnapshotClassName: + description: |- + VolumeSnapshotClassName is the name of the VolumeSnapshotClass + requested by the VolumeSnapshot. + VolumeSnapshotClassName may be left nil to indicate that the default + SnapshotClass should be used. + A given cluster may have multiple default Volume SnapshotClasses: one + default per CSI Driver. If a VolumeSnapshot does not specify a SnapshotClass, + VolumeSnapshotSource will be checked to figure out what the associated + CSI Driver is, and the default VolumeSnapshotClass associated with that + CSI Driver will be used. If more than one VolumeSnapshotClass exist for + a given CSI Driver and more than one have been marked as default, + CreateSnapshot will fail and generate an event. + Empty string is not allowed for this field. + type: string + x-kubernetes-validations: + - message: volumeSnapshotClassName must not be the empty string when + set + rule: size(self) > 0 + required: + - source + type: object + status: + description: |- + status represents the current information of a snapshot. + Consumers must verify binding between VolumeSnapshot and + VolumeSnapshotContent objects is successful (by validating that both + VolumeSnapshot and VolumeSnapshotContent point at each other) before + using this object. + properties: + boundVolumeSnapshotContentName: + description: |- + boundVolumeSnapshotContentName is the name of the VolumeSnapshotContent + object to which this VolumeSnapshot object intends to bind to. + If not specified, it indicates that the VolumeSnapshot object has not been + successfully bound to a VolumeSnapshotContent object yet. + NOTE: To avoid possible security issues, consumers must verify binding between + VolumeSnapshot and VolumeSnapshotContent objects is successful (by validating that + both VolumeSnapshot and VolumeSnapshotContent point at each other) before using + this object. + type: string + creationTime: + description: |- + creationTime is the timestamp when the point-in-time snapshot is taken + by the underlying storage system. + In dynamic snapshot creation case, this field will be filled in by the + snapshot controller with the "creation_time" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "creation_time" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. + If not specified, it may indicate that the creation time of the snapshot is unknown. + format: date-time + type: string + error: + description: |- + error is the last observed error during snapshot creation, if any. + This field could be helpful to upper level controllers(i.e., application controller) + to decide whether they should continue on waiting for the snapshot to be created + based on the type of error reported. + The snapshot controller will keep retrying when an error occurs during the + snapshot creation. Upon success, this error field will be cleared. + properties: + message: + description: |- + message is a string detailing the encountered error during snapshot + creation if specified. + NOTE: message may be logged, and it should not contain sensitive + information. + type: string + time: + description: time is the timestamp when the error was encountered. + format: date-time + type: string + type: object + readyToUse: + description: |- + readyToUse indicates if the snapshot is ready to be used to restore a volume. + In dynamic snapshot creation case, this field will be filled in by the + snapshot controller with the "ready_to_use" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "ready_to_use" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it, + otherwise, this field will be set to "True". + If not specified, it means the readiness of a snapshot is unknown. + type: boolean + restoreSize: + type: string + description: |- + restoreSize represents the minimum size of volume required to create a volume + from this snapshot. + In dynamic snapshot creation case, this field will be filled in by the + snapshot controller with the "size_bytes" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "size_bytes" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. + When restoring a volume from this snapshot, the size of the volume MUST NOT + be smaller than the restoreSize if it is specified, otherwise the restoration will fail. + If not specified, it indicates that the size is unknown. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + volumeGroupSnapshotName: + description: |- + VolumeGroupSnapshotName is the name of the VolumeGroupSnapshot of which this + VolumeSnapshot is a part of. + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: Indicates if the snapshot is ready to be used to restore a volume. + jsonPath: .status.readyToUse + name: ReadyToUse + type: boolean + - description: If a new snapshot needs to be created, this contains the name of the source PVC from which this snapshot was (or will be) created. + jsonPath: .spec.source.persistentVolumeClaimName + name: SourcePVC + type: string + - description: If a snapshot already exists, this contains the name of the existing VolumeSnapshotContent object representing the existing snapshot. + jsonPath: .spec.source.volumeSnapshotContentName + name: SourceSnapshotContent + type: string + - description: Represents the minimum size of volume required to rehydrate from this snapshot. + jsonPath: .status.restoreSize + name: RestoreSize + type: string + - description: The name of the VolumeSnapshotClass requested by the VolumeSnapshot. + jsonPath: .spec.volumeSnapshotClassName + name: SnapshotClass + type: string + - description: Name of the VolumeSnapshotContent object to which the VolumeSnapshot object intends to bind to. Please note that verification of binding actually requires checking both VolumeSnapshot and VolumeSnapshotContent to ensure both are pointing at each other. Binding MUST be verified prior to usage of this object. + jsonPath: .status.boundVolumeSnapshotContentName + name: SnapshotContent + type: string + - description: Timestamp when the point-in-time snapshot was taken by the underlying storage system. + jsonPath: .status.creationTime + name: CreationTime + type: date + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + # This indicates the v1beta1 version of the custom resource is deprecated. + # API requests to this version receive a warning in the server response. + deprecated: true + # This overrides the default warning returned to clients making v1beta1 API requests. + deprecationWarning: "snapshot.storage.k8s.io/v1beta1 VolumeSnapshot is deprecated; use snapshot.storage.k8s.io/v1 VolumeSnapshot" + schema: + openAPIV3Schema: + description: VolumeSnapshot is a user's request for either creating a point-in-time snapshot of a persistent volume, or binding to a pre-existing snapshot. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + spec: + description: 'spec defines the desired characteristics of a snapshot requested by a user. More info: https://kubernetes.io/docs/concepts/storage/volume-snapshots#volumesnapshots Required.' + properties: + source: + description: source specifies where a snapshot will be created from. This field is immutable after creation. Required. + properties: + persistentVolumeClaimName: + description: persistentVolumeClaimName specifies the name of the PersistentVolumeClaim object representing the volume from which a snapshot should be created. This PVC is assumed to be in the same namespace as the VolumeSnapshot object. This field should be set if the snapshot does not exists, and needs to be created. This field is immutable. + type: string + volumeSnapshotContentName: + description: volumeSnapshotContentName specifies the name of a pre-existing VolumeSnapshotContent object representing an existing volume snapshot. This field should be set if the snapshot already exists and only needs a representation in Kubernetes. This field is immutable. + type: string + type: object + volumeSnapshotClassName: + description: 'VolumeSnapshotClassName is the name of the VolumeSnapshotClass requested by the VolumeSnapshot. VolumeSnapshotClassName may be left nil to indicate that the default SnapshotClass should be used. A given cluster may have multiple default Volume SnapshotClasses: one default per CSI Driver. If a VolumeSnapshot does not specify a SnapshotClass, VolumeSnapshotSource will be checked to figure out what the associated CSI Driver is, and the default VolumeSnapshotClass associated with that CSI Driver will be used. If more than one VolumeSnapshotClass exist for a given CSI Driver and more than one have been marked as default, CreateSnapshot will fail and generate an event. Empty string is not allowed for this field.' + type: string + required: + - source + type: object + status: + description: status represents the current information of a snapshot. Consumers must verify binding between VolumeSnapshot and VolumeSnapshotContent objects is successful (by validating that both VolumeSnapshot and VolumeSnapshotContent point at each other) before using this object. + properties: + boundVolumeSnapshotContentName: + description: 'boundVolumeSnapshotContentName is the name of the VolumeSnapshotContent object to which this VolumeSnapshot object intends to bind to. If not specified, it indicates that the VolumeSnapshot object has not been successfully bound to a VolumeSnapshotContent object yet. NOTE: To avoid possible security issues, consumers must verify binding between VolumeSnapshot and VolumeSnapshotContent objects is successful (by validating that both VolumeSnapshot and VolumeSnapshotContent point at each other) before using this object.' + type: string + creationTime: + description: creationTime is the timestamp when the point-in-time snapshot is taken by the underlying storage system. In dynamic snapshot creation case, this field will be filled in by the snapshot controller with the "creation_time" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "creation_time" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. If not specified, it may indicate that the creation time of the snapshot is unknown. + format: date-time + type: string + error: + description: error is the last observed error during snapshot creation, if any. This field could be helpful to upper level controllers(i.e., application controller) to decide whether they should continue on waiting for the snapshot to be created based on the type of error reported. The snapshot controller will keep retrying when an error occurs during the snapshot creation. Upon success, this error field will be cleared. + properties: + message: + description: 'message is a string detailing the encountered error during snapshot creation if specified. NOTE: message may be logged, and it should not contain sensitive information.' + type: string + time: + description: time is the timestamp when the error was encountered. + format: date-time + type: string + type: object + readyToUse: + description: readyToUse indicates if the snapshot is ready to be used to restore a volume. In dynamic snapshot creation case, this field will be filled in by the snapshot controller with the "ready_to_use" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "ready_to_use" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it, otherwise, this field will be set to "True". If not specified, it means the readiness of a snapshot is unknown. + type: boolean + restoreSize: + type: string + description: restoreSize represents the minimum size of volume required to create a volume from this snapshot. In dynamic snapshot creation case, this field will be filled in by the snapshot controller with the "size_bytes" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "size_bytes" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. When restoring a volume from this snapshot, the size of the volume MUST NOT be smaller than the restoreSize if it is specified, otherwise the restoration will fail. If not specified, it indicates that the size is unknown. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + required: + - spec + type: object + served: false + storage: false + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: "https://github.com/kubernetes-csi/external-snapshotter/pull/814" + controller-gen.kubebuilder.io/version: v0.15.0 + name: volumesnapshotclasses.snapshot.storage.k8s.io +spec: + group: snapshot.storage.k8s.io + names: + kind: VolumeSnapshotClass + listKind: VolumeSnapshotClassList + plural: volumesnapshotclasses + shortNames: + - vsclass + - vsclasses + singular: volumesnapshotclass + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .driver + name: Driver + type: string + - description: Determines whether a VolumeSnapshotContent created through the + VolumeSnapshotClass should be deleted when its bound VolumeSnapshot is deleted. + jsonPath: .deletionPolicy + name: DeletionPolicy + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + VolumeSnapshotClass specifies parameters that a underlying storage system uses when + creating a volume snapshot. A specific VolumeSnapshotClass is used by specifying its + name in a VolumeSnapshot object. + VolumeSnapshotClasses are non-namespaced + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + deletionPolicy: + description: |- + deletionPolicy determines whether a VolumeSnapshotContent created through + the VolumeSnapshotClass should be deleted when its bound VolumeSnapshot is deleted. + Supported values are "Retain" and "Delete". + "Retain" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are kept. + "Delete" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are deleted. + Required. + enum: + - Delete + - Retain + type: string + driver: + description: |- + driver is the name of the storage driver that handles this VolumeSnapshotClass. + Required. + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + parameters: + additionalProperties: + type: string + description: |- + parameters is a key-value map with storage driver specific parameters for creating snapshots. + These values are opaque to Kubernetes. + type: object + required: + - deletionPolicy + - driver + type: object + served: true + storage: true + subresources: {} + - additionalPrinterColumns: + - jsonPath: .driver + name: Driver + type: string + - description: Determines whether a VolumeSnapshotContent created through the VolumeSnapshotClass should be deleted when its bound VolumeSnapshot is deleted. + jsonPath: .deletionPolicy + name: DeletionPolicy + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + # This indicates the v1beta1 version of the custom resource is deprecated. + # API requests to this version receive a warning in the server response. + deprecated: true + # This overrides the default warning returned to clients making v1beta1 API requests. + deprecationWarning: "snapshot.storage.k8s.io/v1beta1 VolumeSnapshotClass is deprecated; use snapshot.storage.k8s.io/v1 VolumeSnapshotClass" + schema: + openAPIV3Schema: + description: VolumeSnapshotClass specifies parameters that a underlying storage system uses when creating a volume snapshot. A specific VolumeSnapshotClass is used by specifying its name in a VolumeSnapshot object. VolumeSnapshotClasses are non-namespaced + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + deletionPolicy: + description: deletionPolicy determines whether a VolumeSnapshotContent created through the VolumeSnapshotClass should be deleted when its bound VolumeSnapshot is deleted. Supported values are "Retain" and "Delete". "Retain" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are kept. "Delete" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are deleted. Required. + enum: + - Delete + - Retain + type: string + driver: + description: driver is the name of the storage driver that handles this VolumeSnapshotClass. Required. + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + parameters: + additionalProperties: + type: string + description: parameters is a key-value map with storage driver specific parameters for creating snapshots. These values are opaque to Kubernetes. + type: object + required: + - deletionPolicy + - driver + type: object + served: false + storage: false + subresources: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + api-approved.kubernetes.io: "https://github.com/kubernetes-csi/external-snapshotter/pull/955" + name: volumesnapshotcontents.snapshot.storage.k8s.io +spec: + group: snapshot.storage.k8s.io + names: + kind: VolumeSnapshotContent + listKind: VolumeSnapshotContentList + plural: volumesnapshotcontents + shortNames: + - vsc + - vscs + singular: volumesnapshotcontent + scope: Cluster + versions: + - additionalPrinterColumns: + - description: Indicates if the snapshot is ready to be used to restore a volume. + jsonPath: .status.readyToUse + name: ReadyToUse + type: boolean + - description: Represents the complete size of the snapshot in bytes + jsonPath: .status.restoreSize + name: RestoreSize + type: integer + - description: Determines whether this VolumeSnapshotContent and its physical + snapshot on the underlying storage system should be deleted when its bound + VolumeSnapshot is deleted. + jsonPath: .spec.deletionPolicy + name: DeletionPolicy + type: string + - description: Name of the CSI driver used to create the physical snapshot on + the underlying storage system. + jsonPath: .spec.driver + name: Driver + type: string + - description: Name of the VolumeSnapshotClass to which this snapshot belongs. + jsonPath: .spec.volumeSnapshotClassName + name: VolumeSnapshotClass + type: string + - description: Name of the VolumeSnapshot object to which this VolumeSnapshotContent + object is bound. + jsonPath: .spec.volumeSnapshotRef.name + name: VolumeSnapshot + type: string + - description: Namespace of the VolumeSnapshot object to which this VolumeSnapshotContent + object is bound. + jsonPath: .spec.volumeSnapshotRef.namespace + name: VolumeSnapshotNamespace + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + VolumeSnapshotContent represents the actual "on-disk" snapshot object in the + underlying storage system + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + spec defines properties of a VolumeSnapshotContent created by the underlying storage system. + Required. + properties: + deletionPolicy: + description: |- + deletionPolicy determines whether this VolumeSnapshotContent and its physical snapshot on + the underlying storage system should be deleted when its bound VolumeSnapshot is deleted. + Supported values are "Retain" and "Delete". + "Retain" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are kept. + "Delete" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are deleted. + For dynamically provisioned snapshots, this field will automatically be filled in by the + CSI snapshotter sidecar with the "DeletionPolicy" field defined in the corresponding + VolumeSnapshotClass. + For pre-existing snapshots, users MUST specify this field when creating the + VolumeSnapshotContent object. + Required. + enum: + - Delete + - Retain + type: string + driver: + description: |- + driver is the name of the CSI driver used to create the physical snapshot on + the underlying storage system. + This MUST be the same as the name returned by the CSI GetPluginName() call for + that driver. + Required. + type: string + source: + description: |- + source specifies whether the snapshot is (or should be) dynamically provisioned + or already exists, and just requires a Kubernetes object representation. + This field is immutable after creation. + Required. + properties: + snapshotHandle: + description: |- + snapshotHandle specifies the CSI "snapshot_id" of a pre-existing snapshot on + the underlying storage system for which a Kubernetes object representation + was (or should be) created. + This field is immutable. + type: string + x-kubernetes-validations: + - message: snapshotHandle is immutable + rule: self == oldSelf + volumeHandle: + description: |- + volumeHandle specifies the CSI "volume_id" of the volume from which a snapshot + should be dynamically taken from. + This field is immutable. + type: string + x-kubernetes-validations: + - message: volumeHandle is immutable + rule: self == oldSelf + type: object + x-kubernetes-validations: + - message: volumeHandle is required once set + rule: '!has(oldSelf.volumeHandle) || has(self.volumeHandle)' + - message: snapshotHandle is required once set + rule: '!has(oldSelf.snapshotHandle) || has(self.snapshotHandle)' + - message: exactly one of volumeHandle and snapshotHandle must be + set + rule: (has(self.volumeHandle) && !has(self.snapshotHandle)) || (!has(self.volumeHandle) + && has(self.snapshotHandle)) + sourceVolumeMode: + description: |- + SourceVolumeMode is the mode of the volume whose snapshot is taken. + Can be either "Filesystem" or "Block". + If not specified, it indicates the source volume's mode is unknown. + This field is immutable. + This field is an alpha field. + type: string + x-kubernetes-validations: + - message: sourceVolumeMode is immutable + rule: self == oldSelf + volumeSnapshotClassName: + description: |- + name of the VolumeSnapshotClass from which this snapshot was (or will be) + created. + Note that after provisioning, the VolumeSnapshotClass may be deleted or + recreated with different set of values, and as such, should not be referenced + post-snapshot creation. + type: string + volumeSnapshotRef: + description: |- + volumeSnapshotRef specifies the VolumeSnapshot object to which this + VolumeSnapshotContent object is bound. + VolumeSnapshot.Spec.VolumeSnapshotContentName field must reference to + this VolumeSnapshotContent's name for the bidirectional binding to be valid. + For a pre-existing VolumeSnapshotContent object, name and namespace of the + VolumeSnapshot object MUST be provided for binding to happen. + This field is immutable after creation. + Required. + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. + type: string + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + namespace: + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + type: string + resourceVersion: + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + type: string + uid: + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + type: string + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: both spec.volumeSnapshotRef.name and spec.volumeSnapshotRef.namespace + must be set + rule: has(self.name) && has(self.__namespace__) + required: + - deletionPolicy + - driver + - source + - volumeSnapshotRef + type: object + x-kubernetes-validations: + - message: sourceVolumeMode is required once set + rule: '!has(oldSelf.sourceVolumeMode) || has(self.sourceVolumeMode)' + status: + description: status represents the current information of a snapshot. + properties: + creationTime: + description: |- + creationTime is the timestamp when the point-in-time snapshot is taken + by the underlying storage system. + In dynamic snapshot creation case, this field will be filled in by the + CSI snapshotter sidecar with the "creation_time" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "creation_time" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. + If not specified, it indicates the creation time is unknown. + The format of this field is a Unix nanoseconds time encoded as an int64. + On Unix, the command `date +%s%N` returns the current time in nanoseconds + since 1970-01-01 00:00:00 UTC. + format: int64 + type: integer + error: + description: |- + error is the last observed error during snapshot creation, if any. + Upon success after retry, this error field will be cleared. + properties: + message: + description: |- + message is a string detailing the encountered error during snapshot + creation if specified. + NOTE: message may be logged, and it should not contain sensitive + information. + type: string + time: + description: time is the timestamp when the error was encountered. + format: date-time + type: string + type: object + readyToUse: + description: |- + readyToUse indicates if a snapshot is ready to be used to restore a volume. + In dynamic snapshot creation case, this field will be filled in by the + CSI snapshotter sidecar with the "ready_to_use" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "ready_to_use" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it, + otherwise, this field will be set to "True". + If not specified, it means the readiness of a snapshot is unknown. + type: boolean + restoreSize: + description: |- + restoreSize represents the complete size of the snapshot in bytes. + In dynamic snapshot creation case, this field will be filled in by the + CSI snapshotter sidecar with the "size_bytes" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "size_bytes" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. + When restoring a volume from this snapshot, the size of the volume MUST NOT + be smaller than the restoreSize if it is specified, otherwise the restoration will fail. + If not specified, it indicates that the size is unknown. + format: int64 + minimum: 0 + type: integer + snapshotHandle: + description: |- + snapshotHandle is the CSI "snapshot_id" of a snapshot on the underlying storage system. + If not specified, it indicates that dynamic snapshot creation has either failed + or it is still in progress. + type: string + volumeGroupSnapshotHandle: + description: |- + VolumeGroupSnapshotHandle is the CSI "group_snapshot_id" of a group snapshot + on the underlying storage system. + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: Indicates if the snapshot is ready to be used to restore a volume. + jsonPath: .status.readyToUse + name: ReadyToUse + type: boolean + - description: Represents the complete size of the snapshot in bytes + jsonPath: .status.restoreSize + name: RestoreSize + type: integer + - description: Determines whether this VolumeSnapshotContent and its physical snapshot on the underlying storage system should be deleted when its bound VolumeSnapshot is deleted. + jsonPath: .spec.deletionPolicy + name: DeletionPolicy + type: string + - description: Name of the CSI driver used to create the physical snapshot on the underlying storage system. + jsonPath: .spec.driver + name: Driver + type: string + - description: Name of the VolumeSnapshotClass to which this snapshot belongs. + jsonPath: .spec.volumeSnapshotClassName + name: VolumeSnapshotClass + type: string + - description: Name of the VolumeSnapshot object to which this VolumeSnapshotContent object is bound. + jsonPath: .spec.volumeSnapshotRef.name + name: VolumeSnapshot + type: string + - description: Namespace of the VolumeSnapshot object to which this VolumeSnapshotContent object is bound. + jsonPath: .spec.volumeSnapshotRef.namespace + name: VolumeSnapshotNamespace + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + # This indicates the v1beta1 version of the custom resource is deprecated. + # API requests to this version receive a warning in the server response. + deprecated: true + # This overrides the default warning returned to clients making v1beta1 API requests. + deprecationWarning: "snapshot.storage.k8s.io/v1beta1 VolumeSnapshotContent is deprecated; use snapshot.storage.k8s.io/v1 VolumeSnapshotContent" + schema: + openAPIV3Schema: + description: VolumeSnapshotContent represents the actual "on-disk" snapshot object in the underlying storage system + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + spec: + description: spec defines properties of a VolumeSnapshotContent created by the underlying storage system. Required. + properties: + deletionPolicy: + description: deletionPolicy determines whether this VolumeSnapshotContent and its physical snapshot on the underlying storage system should be deleted when its bound VolumeSnapshot is deleted. Supported values are "Retain" and "Delete". "Retain" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are kept. "Delete" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are deleted. For dynamically provisioned snapshots, this field will automatically be filled in by the CSI snapshotter sidecar with the "DeletionPolicy" field defined in the corresponding VolumeSnapshotClass. For pre-existing snapshots, users MUST specify this field when creating the VolumeSnapshotContent object. Required. + enum: + - Delete + - Retain + type: string + driver: + description: driver is the name of the CSI driver used to create the physical snapshot on the underlying storage system. This MUST be the same as the name returned by the CSI GetPluginName() call for that driver. Required. + type: string + source: + description: source specifies whether the snapshot is (or should be) dynamically provisioned or already exists, and just requires a Kubernetes object representation. This field is immutable after creation. Required. + properties: + snapshotHandle: + description: snapshotHandle specifies the CSI "snapshot_id" of a pre-existing snapshot on the underlying storage system for which a Kubernetes object representation was (or should be) created. This field is immutable. + type: string + volumeHandle: + description: volumeHandle specifies the CSI "volume_id" of the volume from which a snapshot should be dynamically taken from. This field is immutable. + type: string + type: object + volumeSnapshotClassName: + description: name of the VolumeSnapshotClass from which this snapshot was (or will be) created. Note that after provisioning, the VolumeSnapshotClass may be deleted or recreated with different set of values, and as such, should not be referenced post-snapshot creation. + type: string + volumeSnapshotRef: + description: volumeSnapshotRef specifies the VolumeSnapshot object to which this VolumeSnapshotContent object is bound. VolumeSnapshot.Spec.VolumeSnapshotContentName field must reference to this VolumeSnapshotContent's name for the bidirectional binding to be valid. For a pre-existing VolumeSnapshotContent object, name and namespace of the VolumeSnapshot object MUST be provided for binding to happen. This field is immutable after creation. Required. + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + required: + - deletionPolicy + - driver + - source + - volumeSnapshotRef + type: object + status: + description: status represents the current information of a snapshot. + properties: + creationTime: + description: creationTime is the timestamp when the point-in-time snapshot is taken by the underlying storage system. In dynamic snapshot creation case, this field will be filled in by the CSI snapshotter sidecar with the "creation_time" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "creation_time" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. If not specified, it indicates the creation time is unknown. The format of this field is a Unix nanoseconds time encoded as an int64. On Unix, the command `date +%s%N` returns the current time in nanoseconds since 1970-01-01 00:00:00 UTC. + format: int64 + type: integer + error: + description: error is the last observed error during snapshot creation, if any. Upon success after retry, this error field will be cleared. + properties: + message: + description: 'message is a string detailing the encountered error during snapshot creation if specified. NOTE: message may be logged, and it should not contain sensitive information.' + type: string + time: + description: time is the timestamp when the error was encountered. + format: date-time + type: string + type: object + readyToUse: + description: readyToUse indicates if a snapshot is ready to be used to restore a volume. In dynamic snapshot creation case, this field will be filled in by the CSI snapshotter sidecar with the "ready_to_use" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "ready_to_use" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it, otherwise, this field will be set to "True". If not specified, it means the readiness of a snapshot is unknown. + type: boolean + restoreSize: + description: restoreSize represents the complete size of the snapshot in bytes. In dynamic snapshot creation case, this field will be filled in by the CSI snapshotter sidecar with the "size_bytes" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "size_bytes" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. When restoring a volume from this snapshot, the size of the volume MUST NOT be smaller than the restoreSize if it is specified, otherwise the restoration will fail. If not specified, it indicates that the size is unknown. + format: int64 + minimum: 0 + type: integer + snapshotHandle: + description: snapshotHandle is the CSI "snapshot_id" of a snapshot on the underlying storage system. If not specified, it indicates that dynamic snapshot creation has either failed or it is still in progress. + type: string + type: object + required: + - spec + type: object + served: false + storage: false + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end -}} diff --git a/charts/v1.33.5/azurefile-csi-driver/templates/csi-azurefile-controller.yaml b/charts/v1.33.5/azurefile-csi-driver/templates/csi-azurefile-controller.yaml new file mode 100644 index 0000000000..0e782b851b --- /dev/null +++ b/charts/v1.33.5/azurefile-csi-driver/templates/csi-azurefile-controller.yaml @@ -0,0 +1,285 @@ +kind: Deployment +apiVersion: apps/v1 +metadata: + name: {{ .Values.controller.name }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Values.controller.name }} + {{- include "azurefile.labels" . | nindent 4 }} +{{- with .Values.controller.labels }} +{{ . | toYaml | indent 4 }} +{{- end }} +{{- with .Values.controller.annotations }} + annotations: +{{ . | toYaml | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.controller.replicas }} + selector: + matchLabels: + {{- include "azurefile.selectorLabels" . | nindent 6 }} + app: {{ .Values.controller.name }} + strategy: + type: {{ .Values.controller.strategyType }} + template: + metadata: + labels: + {{- include "azurefile.labels" . | nindent 8 }} + app: {{ .Values.controller.name }} + {{- if .Values.workloadIdentity.clientID }} + azure.workload.identity/use: "true" + {{- end }} +{{- with .Values.controller.podLabels }} +{{ toYaml . | indent 8 }} +{{- end }} +{{- with .Values.controller.podAnnotations }} + annotations: +{{ toYaml . | indent 8 }} +{{- end }} + spec: + hostNetwork: {{ .Values.controller.hostNetwork }} + serviceAccountName: {{ .Values.serviceAccount.controller }} + nodeSelector: + kubernetes.io/os: linux +{{- with .Values.controller.nodeSelector }} +{{ toYaml . | indent 8 }} +{{- end }} + # runOnControlPlane=true or runOnMaster=true only takes effect if affinity is not set + {{- if tpl "{{ .Values.controller.affinity }}" . | contains "nodeSelectorTerms" }} + {{- with .Values.controller.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- else if or .Values.controller.runOnControlPlane .Values.controller.runOnMaster}} + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + {{- if .Values.controller.runOnControlPlane}} + - key: node-role.kubernetes.io/control-plane + operator: Exists + {{- end}} + {{- if .Values.controller.runOnMaster}} + - key: node-role.kubernetes.io/master + operator: Exists + {{- end}} + {{- end }} + priorityClassName: system-cluster-critical + securityContext: + seccompProfile: + type: RuntimeDefault +{{- with .Values.controller.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} +{{- end }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: +{{ toYaml .Values.imagePullSecrets | indent 8 }} + {{- end }} + containers: + - name: csi-provisioner +{{- if hasPrefix "/" .Values.image.csiProvisioner.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.csiProvisioner.repository }}:{{ .Values.image.csiProvisioner.tag }}" +{{- else }} + image: "{{ .Values.image.csiProvisioner.repository }}:{{ .Values.image.csiProvisioner.tag }}" +{{- end }} + args: + - "-v=2" + - "--csi-address=$(ADDRESS)" + - "--leader-election" + - "--leader-election-namespace={{ .Release.Namespace }}" + - "--timeout=1200s" + - "--extra-create-metadata=true" + - "--kube-api-qps=50" + - "--kube-api-burst=100" + - "--feature-gates=HonorPVReclaimPolicy=true" + - "--retry-interval-max=30m" + env: + - name: ADDRESS + value: /csi/csi.sock + imagePullPolicy: {{ .Values.image.csiProvisioner.pullPolicy }} + volumeMounts: + - mountPath: /csi + name: socket-dir + resources: {{- toYaml .Values.controller.resources.csiProvisioner | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL + - name: csi-snapshotter +{{- if hasPrefix "/" .Values.snapshot.image.csiSnapshotter.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.snapshot.image.csiSnapshotter.repository }}:{{ .Values.snapshot.image.csiSnapshotter.tag }}" +{{- else }} + image: "{{ .Values.snapshot.image.csiSnapshotter.repository }}:{{ .Values.snapshot.image.csiSnapshotter.tag }}" +{{- end }} + args: + - "-csi-address=$(ADDRESS)" + - "-leader-election" + - "--leader-election-namespace={{ .Release.Namespace }}" + - "-v=2" + - "--retry-interval-max=30m" + env: + - name: ADDRESS + value: /csi/csi.sock + volumeMounts: + - name: socket-dir + mountPath: /csi + resources: {{- toYaml .Values.controller.resources.csiSnapshotter | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL + - name: csi-resizer +{{- if hasPrefix "/" .Values.image.csiResizer.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.csiResizer.repository }}:{{ .Values.image.csiResizer.tag }}" +{{- else }} + image: "{{ .Values.image.csiResizer.repository }}:{{ .Values.image.csiResizer.tag }}" +{{- end }} + args: + - "-csi-address=$(ADDRESS)" + - "-v=2" + - "-leader-election" + - "--leader-election-namespace={{ .Release.Namespace }}" + - '-handle-volume-inuse-error=false' + - '-timeout=120s' + - '-feature-gates=RecoverVolumeExpansionFailure=true' + - "--retry-interval-max=30m" + env: + - name: ADDRESS + value: /csi/csi.sock + imagePullPolicy: {{ .Values.image.csiResizer.pullPolicy }} + volumeMounts: + - name: socket-dir + mountPath: /csi + resources: {{- toYaml .Values.controller.resources.csiResizer | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL + - name: liveness-probe +{{- if hasPrefix "/" .Values.image.livenessProbe.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}" +{{- else }} + image: "{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}" +{{- end }} + args: + - --csi-address=/csi/csi.sock + - --probe-timeout=3s +{{- if eq .Values.controller.hostNetwork true }} + - --http-endpoint=localhost:{{ .Values.controller.livenessProbe.healthPort }} +{{- else }} + - --health-port={{ .Values.controller.livenessProbe.healthPort }} +{{- end }} + - --v=2 + imagePullPolicy: {{ .Values.image.livenessProbe.pullPolicy }} + volumeMounts: + - name: socket-dir + mountPath: /csi + resources: {{- toYaml .Values.controller.resources.livenessProbe | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL + - name: azurefile +{{- if hasPrefix "/" .Values.image.azurefile.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}" +{{- else }} + image: "{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}" +{{- end }} + args: + - "--v={{ .Values.controller.logLevel }}" + - "--endpoint=$(CSI_ENDPOINT)" + - "--metrics-address=0.0.0.0:{{ .Values.controller.metricsPort }}" + - "--kubeconfig={{ .Values.controller.kubeconfig }}" + - "--drivername={{ .Values.driver.name }}" + - "--cloud-config-secret-name={{ .Values.controller.cloudConfigSecretName }}" + - "--cloud-config-secret-namespace={{ .Values.controller.cloudConfigSecretNamespace }}" + - "--custom-user-agent={{ .Values.driver.customUserAgent }}" + - "--user-agent-suffix={{ .Values.driver.userAgentSuffix }}" + - "--allow-empty-cloud-config={{ .Values.controller.allowEmptyCloudConfig }}" + ports: + - containerPort: {{ .Values.controller.metricsPort }} + name: metrics + protocol: TCP +{{- if ne .Values.controller.hostNetwork true }} + - containerPort: {{ .Values.controller.livenessProbe.healthPort }} + name: healthz + protocol: TCP +{{- end }} + livenessProbe: + failureThreshold: 5 + httpGet: + path: /healthz +{{- if eq .Values.controller.hostNetwork true }} + host: localhost + port: {{ .Values.controller.livenessProbe.healthPort }} +{{- else }} + port: healthz +{{- end }} + initialDelaySeconds: 30 + timeoutSeconds: 10 + periodSeconds: 30 + env: + - name: AZURE_CREDENTIAL_FILE + valueFrom: + configMapKeyRef: + name: {{ .Values.azureCredentialFileConfigMap }} + key: path + optional: true + - name: CSI_ENDPOINT + value: unix:///csi/csi.sock + {{- if ne .Values.driver.httpsProxy "" }} + - name: HTTPS_PROXY + value: {{ .Values.driver.httpsProxy }} + {{- end }} + {{- if ne .Values.driver.httpProxy "" }} + - name: HTTP_PROXY + value: {{ .Values.driver.httpProxy }} + {{- end }} + - name: AZURE_GO_SDK_LOG_LEVEL + value: {{ .Values.driver.azureGoSDKLogLevel }} + - name: AZCOPY_CONCURRENCY_VALUE + value: "10" + - name: AZCOPY_CONCURRENT_FILES + value: "20" + - name: AZCOPY_BUFFER_GB + value: "1" + imagePullPolicy: {{ .Values.image.azurefile.pullPolicy }} + volumeMounts: + - mountPath: /csi + name: socket-dir + - mountPath: /root/.azcopy + name: azcopy-dir + - mountPath: /etc/kubernetes/ + name: azure-cred + {{- if eq .Values.linux.distro "fedora" }} + - name: ssl + mountPath: /etc/ssl/certs + readOnly: true + - name: ssl-pki + mountPath: /etc/pki/ca-trust/extracted + readOnly: true + {{- end }} + resources: {{- toYaml .Values.controller.resources.azurefile | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL + volumes: + - name: socket-dir + emptyDir: {} + - name: azcopy-dir + emptyDir: {} + - name: azure-cred + hostPath: + path: /etc/kubernetes/ + type: DirectoryOrCreate + {{- if eq .Values.linux.distro "fedora" }} + - name: ssl + hostPath: + path: /etc/ssl/certs + - name: ssl-pki + hostPath: + path: /etc/pki/ca-trust/extracted + {{- end }} diff --git a/charts/v1.33.5/azurefile-csi-driver/templates/csi-azurefile-driver.yaml b/charts/v1.33.5/azurefile-csi-driver/templates/csi-azurefile-driver.yaml new file mode 100644 index 0000000000..77df01e32d --- /dev/null +++ b/charts/v1.33.5/azurefile-csi-driver/templates/csi-azurefile-driver.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: storage.k8s.io/v1 +kind: CSIDriver +metadata: + name: {{ .Values.driver.name }} + labels: + {{- include "azurefile.labels" . | nindent 4 }} + annotations: + csiDriver: "{{ .Values.image.azurefile.tag }}" + snapshot: "{{ .Values.snapshot.image.csiSnapshotter.tag }}" +spec: + attachRequired: {{ .Values.controller.attachRequired }} + podInfoOnMount: true + volumeLifecycleModes: + - Persistent + - Ephemeral + fsGroupPolicy: {{ .Values.feature.fsGroupPolicy }} + tokenRequests: + - audience: api://AzureADTokenExchange diff --git a/charts/v1.33.5/azurefile-csi-driver/templates/csi-azurefile-node-windows-hostprocess.yaml b/charts/v1.33.5/azurefile-csi-driver/templates/csi-azurefile-node-windows-hostprocess.yaml new file mode 100644 index 0000000000..30acee27fb --- /dev/null +++ b/charts/v1.33.5/azurefile-csi-driver/templates/csi-azurefile-node-windows-hostprocess.yaml @@ -0,0 +1,164 @@ +{{- if and .Values.windows.enabled .Values.windows.useHostProcessContainers }} +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: {{ .Values.windows.dsName }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Values.windows.dsName }} + {{- include "azurefile.labels" . | nindent 4 }} +{{- with .Values.windows.labels }} +{{ . | toYaml | indent 4 }} +{{- end }} +{{- with .Values.windows.annotations }} + annotations: +{{ . | toYaml | indent 4 }} +{{- end }} +spec: + updateStrategy: + rollingUpdate: + maxUnavailable: {{ .Values.node.maxUnavailable }} + type: {{ .Values.node.strategyType }} + selector: + matchLabels: + app: {{ .Values.windows.dsName }} + {{- include "azurefile.selectorLabels" . | nindent 6 }} + template: + metadata: + labels: + app: {{ .Values.windows.dsName }} + {{- include "azurefile.labels" . | nindent 8 }} +{{- with .Values.windows.podLabels }} +{{ toYaml . | indent 8 }} +{{- end }} +{{- with .Values.windows.podAnnotations }} + annotations: +{{ toYaml . | indent 8 }} +{{- end }} + spec: + serviceAccountName: {{ .Values.serviceAccount.node }} +{{- with .Values.windows.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} +{{- end }} + nodeSelector: + kubernetes.io/os: windows +{{- with .Values.windows.nodeSelector }} +{{ toYaml . | indent 8 }} +{{- end }} + affinity: +{{- with .Values.windows.affinity }} +{{ toYaml . | indent 8 }} +{{- end }} + nodeAffinity: +{{ toYaml .Values.windows.nodeAffinity | indent 10 }} + priorityClassName: system-node-critical + {{- if .Values.imagePullSecrets }} + imagePullSecrets: +{{ toYaml .Values.imagePullSecrets | indent 8 }} + {{- end }} + securityContext: + seccompProfile: + type: RuntimeDefault + windowsOptions: + hostProcess: true + runAsUserName: "NT AUTHORITY\\SYSTEM" + hostNetwork: true + initContainers: + - name: init +{{- if hasPrefix "/" .Values.image.azurefile.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}-windows-hp" +{{- else }} + image: "{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}-windows-hp" +{{- end }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + command: + - "powershell.exe" + - "-c" + - "New-Item -ItemType Directory -Path C:\\var\\lib\\kubelet\\plugins\\{{ .Values.driver.name }}\\ -Force" + securityContext: + capabilities: + drop: + - ALL + containers: + - name: node-driver-registrar +{{- if hasPrefix "/" .Values.image.nodeDriverRegistrar.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}" +{{- else }} + image: "{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}" +{{- end }} + command: + - "csi-node-driver-registrar.exe" + args: + - "--csi-address=$(CSI_ENDPOINT)" + - "--kubelet-registration-path=$(DRIVER_REG_SOCK_PATH)" + - "--plugin-registration-path=$(PLUGIN_REG_DIR)" + - "--v=2" + env: + - name: CSI_ENDPOINT + value: unix://{{ .Values.windows.kubelet }}\plugins\{{ .Values.driver.name }}\csi.sock + - name: DRIVER_REG_SOCK_PATH + value: C:\\var\\lib\\kubelet\\plugins\\{{ .Values.driver.name }}\\csi.sock + - name: PLUGIN_REG_DIR + value: C:\\var\\lib\\kubelet\\plugins_registry\\ + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + imagePullPolicy: {{ .Values.image.nodeDriverRegistrar.pullPolicy }} + resources: {{- toYaml .Values.windows.resources.nodeDriverRegistrar | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL + - name: azurefile +{{- if hasPrefix "/" .Values.image.azurefile.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}-windows-hp" +{{- else }} + image: "{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}-windows-hp" +{{- end }} + command: + - "azurefileplugin.exe" + args: + - "--v={{ .Values.node.logLevel }}" + - "--endpoint=$(CSI_ENDPOINT)" + - "--nodeid=$(KUBE_NODE_NAME)" + - "--kubeconfig={{ .Values.windows.kubeconfig }}" + - "--drivername={{ .Values.driver.name }}" + - "--cloud-config-secret-name={{ .Values.node.cloudConfigSecretName }}" + - "--cloud-config-secret-namespace={{ .Values.node.cloudConfigSecretNamespace }}" + - "--custom-user-agent={{ .Values.driver.customUserAgent }}" + - "--user-agent-suffix={{ .Values.driver.userAgentSuffix }}" + - "--allow-empty-cloud-config={{ .Values.node.allowEmptyCloudConfig }}" + - "--enable-get-volume-stats={{ .Values.feature.enableGetVolumeStats }}" + - "--enable-windows-host-process=true" + - "--metrics-address=0.0.0.0:{{ .Values.node.metricsPort }}" + env: + - name: AZURE_CREDENTIAL_FILE + valueFrom: + configMapKeyRef: + name: {{ .Values.azureCredentialFileConfigMap }} + key: path-windows + optional: true + - name: CSI_ENDPOINT + value: unix://{{ .Values.windows.kubelet }}\plugins\{{ .Values.driver.name }}\csi.sock + {{- if ne .Values.driver.httpsProxy "" }} + - name: HTTPS_PROXY + value: {{ .Values.driver.httpsProxy }} + {{- end }} + {{- if ne .Values.driver.httpProxy "" }} + - name: HTTP_PROXY + value: {{ .Values.driver.httpProxy }} + {{- end }} + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + imagePullPolicy: {{ .Values.image.pullPolicy }} + resources: {{- toYaml .Values.windows.resources.azurefile | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL +{{- end -}} diff --git a/charts/v1.33.5/azurefile-csi-driver/templates/csi-azurefile-node-windows.yaml b/charts/v1.33.5/azurefile-csi-driver/templates/csi-azurefile-node-windows.yaml new file mode 100644 index 0000000000..5083bc96a8 --- /dev/null +++ b/charts/v1.33.5/azurefile-csi-driver/templates/csi-azurefile-node-windows.yaml @@ -0,0 +1,229 @@ +{{- if and .Values.windows.enabled (not .Values.windows.useHostProcessContainers) }} +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: {{ .Values.windows.dsName }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Values.windows.dsName }} + {{- include "azurefile.labels" . | nindent 4 }} +{{- with .Values.windows.labels }} +{{ . | toYaml | indent 4 }} +{{- end }} +{{- with .Values.windows.annotations }} + annotations: +{{ . | toYaml | indent 4 }} +{{- end }} +spec: + updateStrategy: + rollingUpdate: + maxUnavailable: {{ .Values.node.maxUnavailable }} + type: {{ .Values.node.strategyType }} + selector: + matchLabels: + app: {{ .Values.windows.dsName }} + {{- include "azurefile.selectorLabels" . | nindent 6 }} + template: + metadata: + labels: + app: {{ .Values.windows.dsName }} + {{- include "azurefile.labels" . | nindent 8 }} +{{- with .Values.windows.podLabels }} +{{ toYaml . | indent 8 }} +{{- end }} +{{- with .Values.windows.podAnnotations }} + annotations: +{{ toYaml . | indent 8 }} +{{- end }} + spec: + serviceAccountName: {{ .Values.serviceAccount.node }} +{{- with .Values.windows.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} +{{- end }} + nodeSelector: + kubernetes.io/os: windows +{{- with .Values.windows.nodeSelector }} +{{ toYaml . | indent 8 }} +{{- end }} + affinity: +{{- with .Values.windows.affinity }} +{{ toYaml . | indent 8 }} +{{- end }} + nodeAffinity: +{{ toYaml .Values.windows.nodeAffinity | indent 10 }} + priorityClassName: system-node-critical + securityContext: + seccompProfile: + type: RuntimeDefault + {{- if .Values.imagePullSecrets }} + imagePullSecrets: +{{ toYaml .Values.imagePullSecrets | indent 8 }} + {{- end }} + containers: + - name: liveness-probe + volumeMounts: + - mountPath: C:\csi + name: plugin-dir +{{- if hasPrefix "/" .Values.image.livenessProbe.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}" +{{- else }} + image: "{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}" +{{- end }} + args: + - "--csi-address=$(CSI_ENDPOINT)" + - "--probe-timeout=3s" + - "--health-port={{ .Values.node.livenessProbe.healthPort }}" + - "--v=2" + env: + - name: CSI_ENDPOINT + value: unix://C:\\csi\\csi.sock + imagePullPolicy: {{ .Values.image.livenessProbe.pullPolicy }} + resources: {{- toYaml .Values.windows.resources.livenessProbe | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL + - name: node-driver-registrar +{{- if hasPrefix "/" .Values.image.nodeDriverRegistrar.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}" +{{- else }} + image: "{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}" +{{- end }} + args: + - "--csi-address=$(CSI_ENDPOINT)" + - "--kubelet-registration-path=$(DRIVER_REG_SOCK_PATH)" + - "--v=2" + env: + - name: CSI_ENDPOINT + value: unix://C:\\csi\\csi.sock + - name: DRIVER_REG_SOCK_PATH + value: C:\\var\\lib\\kubelet\\plugins\\{{ .Values.driver.name }}\\csi.sock + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + imagePullPolicy: {{ .Values.image.nodeDriverRegistrar.pullPolicy }} + volumeMounts: + - name: kubelet-dir + mountPath: "C:\\var\\lib\\kubelet" + - name: plugin-dir + mountPath: C:\csi + - name: registration-dir + mountPath: C:\registration + resources: {{- toYaml .Values.windows.resources.nodeDriverRegistrar | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL + - name: azurefile +{{- if hasPrefix "/" .Values.image.azurefile.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}" +{{- else }} + image: "{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}" +{{- end }} + args: + - "--v={{ .Values.node.logLevel }}" + - "--endpoint=$(CSI_ENDPOINT)" + - "--nodeid=$(KUBE_NODE_NAME)" + - "--kubeconfig={{ .Values.windows.kubeconfig }}" + - "--drivername={{ .Values.driver.name }}" + - "--cloud-config-secret-name={{ .Values.node.cloudConfigSecretName }}" + - "--cloud-config-secret-namespace={{ .Values.node.cloudConfigSecretNamespace }}" + - "--custom-user-agent={{ .Values.driver.customUserAgent }}" + - "--user-agent-suffix={{ .Values.driver.userAgentSuffix }}" + - "--allow-empty-cloud-config={{ .Values.node.allowEmptyCloudConfig }}" + - "--enable-get-volume-stats={{ .Values.feature.enableGetVolumeStats }}" + - "--allow-inline-volume-key-access-with-identity={{ .Values.node.allowInlineVolumeKeyAccessWithIdentity }}" + - "--metrics-address=0.0.0.0:{{ .Values.node.metricsPort }}" + ports: + - containerPort: {{ .Values.node.livenessProbe.healthPort }} + name: healthz + protocol: TCP + livenessProbe: + failureThreshold: 5 + httpGet: + path: /healthz + port: healthz + initialDelaySeconds: 60 + timeoutSeconds: 60 + periodSeconds: 60 + env: + - name: AZURE_CREDENTIAL_FILE + valueFrom: + configMapKeyRef: + name: {{ .Values.azureCredentialFileConfigMap }} + key: path-windows + optional: true + - name: CSI_ENDPOINT + value: unix://C:\\csi\\csi.sock + {{- if ne .Values.driver.httpsProxy "" }} + - name: HTTPS_PROXY + value: {{ .Values.driver.httpsProxy }} + {{- end }} + {{- if ne .Values.driver.httpProxy "" }} + - name: HTTP_PROXY + value: {{ .Values.driver.httpProxy }} + {{- end }} + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: AZURE_GO_SDK_LOG_LEVEL + value: {{ .Values.driver.azureGoSDKLogLevel }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + volumeMounts: + - name: kubelet-dir + mountPath: "C:\\var\\lib\\kubelet" + - name: plugin-dir + mountPath: C:\csi + - name: azure-config + mountPath: C:\k + - name: csi-proxy-fs-pipe-v1 + mountPath: \\.\pipe\csi-proxy-filesystem-v1 + - name: csi-proxy-smb-pipe-v1 + mountPath: \\.\pipe\csi-proxy-smb-v1 + # these paths are still included for compatibility, they're used + # only if the node has still the beta version of the CSI proxy + - name: csi-proxy-fs-pipe-v1beta1 + mountPath: \\.\pipe\csi-proxy-filesystem-v1beta1 + - name: csi-proxy-smb-pipe-v1beta1 + mountPath: \\.\pipe\csi-proxy-smb-v1beta1 + resources: {{- toYaml .Values.windows.resources.azurefile | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL + volumes: + - name: csi-proxy-fs-pipe-v1 + hostPath: + path: \\.\pipe\csi-proxy-filesystem-v1 + - name: csi-proxy-smb-pipe-v1 + hostPath: + path: \\.\pipe\csi-proxy-smb-v1 + # these paths are still included for compatibility, they're used + # only if the node has still the beta version of the CSI proxy + - name: csi-proxy-fs-pipe-v1beta1 + hostPath: + path: \\.\pipe\csi-proxy-filesystem-v1beta1 + - name: csi-proxy-smb-pipe-v1beta1 + hostPath: + path: \\.\pipe\csi-proxy-smb-v1beta1 + - name: registration-dir + hostPath: + path: {{ .Values.windows.kubelet }}\plugins_registry\ + type: Directory + - name: kubelet-dir + hostPath: + path: {{ .Values.windows.kubelet }}\ + type: Directory + - name: plugin-dir + hostPath: + path: {{ .Values.windows.kubelet }}\plugins\{{ .Values.driver.name }}\ + type: DirectoryOrCreate + - name: azure-config + hostPath: + path: C:\k + type: Directory +{{- end -}} diff --git a/charts/v1.33.5/azurefile-csi-driver/templates/csi-azurefile-node.yaml b/charts/v1.33.5/azurefile-csi-driver/templates/csi-azurefile-node.yaml new file mode 100644 index 0000000000..44f8edf36b --- /dev/null +++ b/charts/v1.33.5/azurefile-csi-driver/templates/csi-azurefile-node.yaml @@ -0,0 +1,273 @@ +{{- if .Values.linux.enabled}} +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: {{ .Values.linux.dsName }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Values.linux.dsName }} + {{- include "azurefile.labels" . | nindent 4 }} +{{- with .Values.linux.labels }} +{{ . | toYaml | indent 4 }} +{{- end }} +{{- with .Values.linux.annotations }} + annotations: +{{ . | toYaml | indent 4 }} +{{- end }} +spec: + updateStrategy: + rollingUpdate: + maxUnavailable: {{ .Values.node.maxUnavailable }} + type: {{ .Values.node.strategyType }} + selector: + matchLabels: + app: {{ .Values.linux.dsName }} + {{- include "azurefile.selectorLabels" . | nindent 6 }} + template: + metadata: + labels: + app: {{ .Values.linux.dsName }} + {{- include "azurefile.labels" . | nindent 8 }} + {{- if .Values.workloadIdentity.clientID }} + azure.workload.identity/use: "true" + {{- end }} +{{- with .Values.linux.podLabels }} +{{ toYaml . | indent 8 }} +{{- end }} +{{- with .Values.linux.podAnnotations }} + annotations: +{{ toYaml . | indent 8 }} +{{- end }} + spec: + hostNetwork: true + {{- if .Values.node.azurefileProxy.enabled }} + hostPID: true + {{- end }} + dnsPolicy: {{ .Values.linux.dnsPolicy }} + serviceAccountName: {{ .Values.serviceAccount.node }} + nodeSelector: + kubernetes.io/os: linux +{{- with .Values.linux.nodeSelector }} +{{ toYaml . | indent 8 }} +{{- end }} + affinity: +{{- with .Values.linux.affinity }} +{{ toYaml . | indent 8 }} +{{- end }} + nodeAffinity: +{{ toYaml .Values.linux.nodeAffinity | indent 10 }} + priorityClassName: system-node-critical + securityContext: + seccompProfile: + type: RuntimeDefault +{{- with .Values.linux.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} +{{- end }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: +{{ toYaml .Values.imagePullSecrets | indent 8 }} + {{- end }} + initContainers: + - name: install-azurefile-proxy +{{- if hasPrefix "/" .Values.image.azurefile.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}" +{{- else }} + image: "{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}" +{{- end }} + imagePullPolicy: IfNotPresent + command: + - "/azurefile-proxy/init.sh" + securityContext: + privileged: true + capabilities: + drop: + - ALL + env: + - name: DEBIAN_FRONTEND + value: "noninteractive" + - name: AZNFS_NONINTERACTIVE_INSTALL + value: "1" + - name: INSTALL_AZUREFILE_PROXY + value: "{{ .Values.node.azurefileProxy.enabled }}" + - name: INSTALL_AZNFS_MOUNT + value: "{{ .Values.node.azurefileProxy.installAznfsMount }}" + - name: KUBELET_PATH + value: "{{ .Values.linux.kubelet }}" + - name: MIGRATE_K8S_REPO + value: "{{ .Values.node.azurefileProxy.migrateK8sRepo }}" + volumeMounts: + - name: host-usr + mountPath: /host/usr + - name: host-etc + mountPath: /host/etc + containers: + - name: liveness-probe + volumeMounts: + - mountPath: /csi + name: socket-dir +{{- if hasPrefix "/" .Values.image.livenessProbe.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}" +{{- else }} + image: "{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}" +{{- end }} + args: + - --csi-address=/csi/csi.sock + - --probe-timeout=10s + - --http-endpoint=localhost:{{ .Values.node.livenessProbe.healthPort }} + - --v=2 + imagePullPolicy: {{ .Values.image.livenessProbe.pullPolicy }} + resources: {{- toYaml .Values.linux.resources.livenessProbe | nindent 12 }} + - name: node-driver-registrar +{{- if hasPrefix "/" .Values.image.nodeDriverRegistrar.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}" +{{- else }} + image: "{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}" +{{- end }} + args: + - --csi-address=$(ADDRESS) + - --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH) + - --v=2 + env: + - name: ADDRESS + value: /csi/csi.sock + - name: DRIVER_REG_SOCK_PATH + value: {{ .Values.linux.kubelet }}/plugins/{{ .Values.driver.name }}/csi.sock + imagePullPolicy: {{ .Values.image.nodeDriverRegistrar.pullPolicy }} + volumeMounts: + - name: socket-dir + mountPath: /csi + - name: registration-dir + mountPath: /registration + resources: {{- toYaml .Values.linux.resources.nodeDriverRegistrar | nindent 12 }} + - name: azurefile +{{- if hasPrefix "/" .Values.image.azurefile.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}" +{{- else }} + image: "{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}" +{{- end }} + args: + - "--v={{ .Values.node.logLevel }}" + - "--endpoint=$(CSI_ENDPOINT)" + - "--azurefile-proxy-endpoint=$(AZUREFILE_PROXY_ENDPOINT)" + - "--enable-azurefile-proxy={{ .Values.node.azurefileProxy.enabled }}" + - "--nodeid=$(KUBE_NODE_NAME)" + - "--kubeconfig={{ .Values.linux.kubeconfig }}" + - "--drivername={{ .Values.driver.name }}" + - "--cloud-config-secret-name={{ .Values.node.cloudConfigSecretName }}" + - "--cloud-config-secret-namespace={{ .Values.node.cloudConfigSecretNamespace }}" + - "--custom-user-agent={{ .Values.driver.customUserAgent }}" + - "--user-agent-suffix={{ .Values.driver.userAgentSuffix }}" + - "--allow-empty-cloud-config={{ .Values.node.allowEmptyCloudConfig }}" + - "--enable-volume-mount-group={{ .Values.feature.enableVolumeMountGroup }}" + - "--enable-get-volume-stats={{ .Values.feature.enableGetVolumeStats }}" + - "--mount-permissions={{ .Values.linux.mountPermissions }}" + - "--allow-inline-volume-key-access-with-identity={{ .Values.node.allowInlineVolumeKeyAccessWithIdentity }}" + - "--metrics-address=0.0.0.0:{{ .Values.node.metricsPort }}" + - "--enable-kata-cc-mount={{ .Values.node.enableKataCCMount }}" + livenessProbe: + failureThreshold: 5 + httpGet: + host: localhost + path: /healthz + port: {{ .Values.node.livenessProbe.healthPort }} + initialDelaySeconds: 30 + timeoutSeconds: 30 + periodSeconds: 30 + env: + - name: AZURE_CREDENTIAL_FILE + valueFrom: + configMapKeyRef: + name: {{ .Values.azureCredentialFileConfigMap }} + key: path + optional: true + - name: CSI_ENDPOINT + value: unix:///csi/csi.sock + {{- if ne .Values.driver.httpsProxy "" }} + - name: HTTPS_PROXY + value: {{ .Values.driver.httpsProxy }} + {{- end }} + {{- if ne .Values.driver.httpProxy "" }} + - name: HTTP_PROXY + value: {{ .Values.driver.httpProxy }} + {{- end }} + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: AZURE_GO_SDK_LOG_LEVEL + value: {{ .Values.driver.azureGoSDKLogLevel }} + - name: AZUREFILE_PROXY_ENDPOINT + value: unix:///csi/azurefile-proxy.sock + imagePullPolicy: {{ .Values.image.azurefile.pullPolicy }} + securityContext: + privileged: true + capabilities: + drop: + - ALL + volumeMounts: + - mountPath: /csi + name: socket-dir + - mountPath: {{ .Values.linux.kubelet }}/ + mountPropagation: Bidirectional + name: mountpoint-dir + - mountPath: /etc/kubernetes/ + name: azure-cred + - mountPath: /dev + name: device-dir + {{- if eq .Values.linux.distro "fedora" }} + - name: ssl + mountPath: /etc/ssl/certs + readOnly: true + - name: ssl-pki + mountPath: /etc/pki/ca-trust/extracted + readOnly: true + {{- end }} + {{- if .Values.node.enableKataCCMount }} + - mountPath: /run/kata-containers/shared/direct-volumes + name: kata-direct-volumes + {{- end }} + resources: {{- toYaml .Values.linux.resources.azurefile | nindent 12 }} + volumes: + - name: host-usr + hostPath: + path: /usr + - name: host-etc + hostPath: + path: /etc + - hostPath: + path: {{ .Values.linux.kubelet }}/plugins/{{ .Values.driver.name }} + type: DirectoryOrCreate + name: socket-dir + - hostPath: + path: {{ .Values.linux.kubelet }}/ + type: DirectoryOrCreate + name: mountpoint-dir + - hostPath: + path: {{ .Values.linux.kubelet }}/plugins_registry/ + type: DirectoryOrCreate + name: registration-dir + - hostPath: + path: /etc/kubernetes/ + type: DirectoryOrCreate + name: azure-cred + - hostPath: + path: /dev + type: Directory + name: device-dir + {{- if eq .Values.linux.distro "fedora" }} + - name: ssl + hostPath: + path: /etc/ssl/certs + - name: ssl-pki + hostPath: + path: /etc/pki/ca-trust/extracted + {{- end }} + {{- if .Values.node.enableKataCCMount }} + - name: kata-direct-volumes + hostPath: + path: /run/kata-containers/shared/direct-volumes/ + type: DirectoryOrCreate + {{- end }} +{{- end -}} diff --git a/charts/v1.33.5/azurefile-csi-driver/templates/csi-snapshot-controller.yaml b/charts/v1.33.5/azurefile-csi-driver/templates/csi-snapshot-controller.yaml new file mode 100644 index 0000000000..c671d5ba89 --- /dev/null +++ b/charts/v1.33.5/azurefile-csi-driver/templates/csi-snapshot-controller.yaml @@ -0,0 +1,99 @@ +{{- if .Values.snapshot.enabled -}} +kind: Deployment +apiVersion: apps/v1 +metadata: + name: {{ .Values.snapshot.snapshotController.name}} + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Values.snapshot.snapshotController.name}} + {{- include "azurefile.labels" . | nindent 4 }} +{{- with .Values.snapshot.snapshotController.labels }} +{{ . | toYaml | indent 4 }} +{{- end }} +{{- with .Values.snapshot.snapshotController.annotations }} + annotations: +{{ . | toYaml | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.snapshot.snapshotController.replicas }} + selector: + matchLabels: + app: {{ .Values.snapshot.snapshotController.name}} + {{- include "azurefile.selectorLabels" . | nindent 6 }} + # the snapshot controller won't be marked as ready if the v1 CRDs are unavailable + # in #504 the snapshot-controller will exit after around 7.5 seconds if it + # can't find the v1 CRDs so this value should be greater than that + minReadySeconds: 15 + strategy: + rollingUpdate: + maxSurge: 0 + maxUnavailable: 1 + type: {{ .Values.snapshot.snapshotController.strategyType }} + template: + metadata: + labels: + app: {{ .Values.snapshot.snapshotController.name}} + {{- include "azurefile.labels" . | nindent 8 }} +{{- with .Values.snapshot.snapshotController.podLabels }} +{{ toYaml . | indent 8 }} +{{- end }} +{{- with .Values.snapshot.snapshotController.podAnnotations }} + annotations: +{{ toYaml . | indent 8 }} +{{- end }} + spec: + serviceAccountName: {{ .Values.serviceAccount.snapshotController }} + nodeSelector: + kubernetes.io/os: linux + # runOnControlPlane=true or runOnMaster=true only takes effect if affinity is not set + {{- if tpl "{{ .Values.controller.affinity }}" . | contains "nodeSelectorTerms" }} + {{- with .Values.controller.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- else if or .Values.controller.runOnControlPlane .Values.controller.runOnMaster}} + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + {{- if .Values.controller.runOnControlPlane}} + - key: node-role.kubernetes.io/control-plane + operator: Exists + {{- end}} + {{- if .Values.controller.runOnMaster}} + - key: node-role.kubernetes.io/master + operator: Exists + {{- end}} + {{- end }} + priorityClassName: system-cluster-critical + securityContext: + seccompProfile: + type: RuntimeDefault +{{- with .Values.controller.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} +{{- end }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: +{{ toYaml .Values.imagePullSecrets | indent 8 }} + {{- end }} + containers: + - name: {{ .Values.snapshot.snapshotController.name}} +{{- if hasPrefix "/" .Values.snapshot.image.csiSnapshotController.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.snapshot.image.csiSnapshotController.repository }}:{{ .Values.snapshot.image.csiSnapshotController.tag }}" +{{- else }} + image: "{{ .Values.snapshot.image.csiSnapshotController.repository }}:{{ .Values.snapshot.image.csiSnapshotController.tag }}" +{{- end }} + args: + - "--v=2" + - "--leader-election=true" + - "--leader-election-namespace={{ .Release.Namespace }}" + - "--retry-interval-max=30m" + resources: {{- toYaml .Values.snapshot.snapshotController.resources | nindent 12 }} + imagePullPolicy: {{ .Values.snapshot.image.csiSnapshotController.pullPolicy }} + securityContext: + capabilities: + drop: + - ALL +{{- end -}} diff --git a/charts/v1.33.5/azurefile-csi-driver/templates/rbac-csi-azurefile-controller.yaml b/charts/v1.33.5/azurefile-csi-driver/templates/rbac-csi-azurefile-controller.yaml new file mode 100644 index 0000000000..e0a2e14d95 --- /dev/null +++ b/charts/v1.33.5/azurefile-csi-driver/templates/rbac-csi-azurefile-controller.yaml @@ -0,0 +1,207 @@ +{{- if .Values.rbac.create -}} +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Values.rbac.name }}-external-provisioner-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "create", "patch", "delete"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["storage.k8s.io"] + resources: ["storageclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["get", "list", "watch", "create", "update", "patch"] + - apiGroups: ["storage.k8s.io"] + resources: ["csinodes"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "watch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots"] + verbs: ["get", "list"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["get", "list"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create", "patch"] +--- + +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Values.rbac.name }}-csi-provisioner-binding + labels: + {{- include "azurefile.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccount.controller }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: {{ .Values.rbac.name }}-external-provisioner-role + apiGroup: rbac.authorization.k8s.io + +--- + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Values.rbac.name }}-external-attacher-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "watch"] + - apiGroups: ["csi.storage.k8s.io"] + resources: ["csinodeinfos"] + verbs: ["get", "list", "watch"] + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments/status"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create", "patch"] +--- + +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Values.rbac.name }}-csi-attacher-binding + labels: + {{- include "azurefile.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccount.controller }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: {{ .Values.rbac.name }}-external-attacher-role + apiGroup: rbac.authorization.k8s.io + +--- + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Values.rbac.name }}-external-snapshotter-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["create", "get", "list", "watch", "update", "delete", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents/status"] + verbs: ["update", "patch"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create", "patch"] +--- + +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Values.rbac.name }}-csi-snapshotter-binding + labels: + {{- include "azurefile.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccount.controller }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: {{ .Values.rbac.name }}-external-snapshotter-role + apiGroup: rbac.authorization.k8s.io + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Values.rbac.name }}-external-resizer-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["persistentvolumeclaims/status"] + verbs: ["update", "patch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create", "patch"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Values.rbac.name }}-csi-resizer-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccount.controller }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: {{ .Values.rbac.name }}-external-resizer-role + apiGroup: rbac.authorization.k8s.io + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-{{ .Values.rbac.name }}-controller-secret-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "create"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-{{ .Values.rbac.name }}-controller-secret-binding + labels: + {{- include "azurefile.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccount.controller }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: csi-{{ .Values.rbac.name }}-controller-secret-role + apiGroup: rbac.authorization.k8s.io +{{ end }} diff --git a/charts/v1.33.5/azurefile-csi-driver/templates/rbac-csi-azurefile-node.yaml b/charts/v1.33.5/azurefile-csi-driver/templates/rbac-csi-azurefile-node.yaml new file mode 100644 index 0000000000..39790e1438 --- /dev/null +++ b/charts/v1.33.5/azurefile-csi-driver/templates/rbac-csi-azurefile-node.yaml @@ -0,0 +1,64 @@ +{{- if .Values.rbac.create -}} +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-{{ .Values.rbac.name }}-node-secret-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-{{ .Values.rbac.name }}-node-secret-binding + labels: + {{- include "azurefile.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccount.node }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: csi-{{ .Values.rbac.name }}-node-secret-role + apiGroup: rbac.authorization.k8s.io +--- +{{- if .Values.node.enableKataCCMount -}} +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-{{ .Values.rbac.name }}-node-katacc-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["pods"] + verbs: ["get"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get"] + - apiGroups: ["node.k8s.io"] + resources: ["runtimeclasses"] + verbs: ["get", "list"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-{{ .Values.rbac.name }}-node-katacc-binding + labels: + {{- include "azurefile.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccount.node }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: csi-{{ .Values.rbac.name }}-node-katacc-role + apiGroup: rbac.authorization.k8s.io +--- +{{ end }} +{{ end }} diff --git a/charts/v1.33.5/azurefile-csi-driver/templates/rbac-csi-snapshot-controller.yaml b/charts/v1.33.5/azurefile-csi-driver/templates/rbac-csi-snapshot-controller.yaml new file mode 100644 index 0000000000..853a9b4375 --- /dev/null +++ b/charts/v1.33.5/azurefile-csi-driver/templates/rbac-csi-snapshot-controller.yaml @@ -0,0 +1,80 @@ +{{- if and .Values.snapshot.enabled .Values.rbac.create -}} +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-snapshot-controller-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["storage.k8s.io"] + resources: ["storageclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["create", "get", "list", "watch", "update", "delete", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents/status"] + verbs: ["patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots"] + verbs: ["get", "list", "watch", "update", "patch", "create"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots/status"] + verbs: ["update", "patch"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-snapshot-controller-binding + labels: + {{- include "azurefile.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccount.snapshotController }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: csi-snapshot-controller-role + apiGroup: rbac.authorization.k8s.io + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-snapshot-controller-leaderelection-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +rules: + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create", "patch"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-snapshot-controller-leaderelection-binding + labels: + {{- include "azurefile.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccount.snapshotController }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: csi-snapshot-controller-leaderelection-role + apiGroup: rbac.authorization.k8s.io +{{ end }} diff --git a/charts/v1.33.5/azurefile-csi-driver/templates/serviceaccount-csi-azurefile-controller.yaml b/charts/v1.33.5/azurefile-csi-driver/templates/serviceaccount-csi-azurefile-controller.yaml new file mode 100644 index 0000000000..71442b70dc --- /dev/null +++ b/charts/v1.33.5/azurefile-csi-driver/templates/serviceaccount-csi-azurefile-controller.yaml @@ -0,0 +1,17 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ .Values.serviceAccount.controller }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "azurefile.labels" . | nindent 4 }} +{{- if .Values.workloadIdentity.clientID }} + azure.workload.identity/use: "true" + annotations: + azure.workload.identity/client-id: {{ .Values.workloadIdentity.clientID }} +{{- if .Values.workloadIdentity.tenantID }} + azure.workload.identity/tenant-id: {{ .Values.workloadIdentity.tenantID }} +{{- end }} +{{- end }} +{{- end -}} diff --git a/charts/v1.33.5/azurefile-csi-driver/templates/serviceaccount-csi-azurefile-node.yaml b/charts/v1.33.5/azurefile-csi-driver/templates/serviceaccount-csi-azurefile-node.yaml new file mode 100644 index 0000000000..ab2074429d --- /dev/null +++ b/charts/v1.33.5/azurefile-csi-driver/templates/serviceaccount-csi-azurefile-node.yaml @@ -0,0 +1,17 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ .Values.serviceAccount.node }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "azurefile.labels" . | nindent 4 }} +{{- if .Values.workloadIdentity.clientID }} + azure.workload.identity/use: "true" + annotations: + azure.workload.identity/client-id: {{ .Values.workloadIdentity.clientID }} +{{- if .Values.workloadIdentity.tenantID }} + azure.workload.identity/tenant-id: {{ .Values.workloadIdentity.tenantID }} +{{- end }} +{{- end }} +{{- end -}} diff --git a/charts/v1.33.5/azurefile-csi-driver/templates/serviceaccount-csi-snapshot-controller.yaml b/charts/v1.33.5/azurefile-csi-driver/templates/serviceaccount-csi-snapshot-controller.yaml new file mode 100644 index 0000000000..e77ef8f991 --- /dev/null +++ b/charts/v1.33.5/azurefile-csi-driver/templates/serviceaccount-csi-snapshot-controller.yaml @@ -0,0 +1,9 @@ +{{- if and .Values.snapshot.enabled .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ .Values.serviceAccount.snapshotController }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "azurefile.labels" . | nindent 4 }} +{{- end -}} diff --git a/charts/v1.33.5/azurefile-csi-driver/values.yaml b/charts/v1.33.5/azurefile-csi-driver/values.yaml new file mode 100644 index 0000000000..6ab3c56bfc --- /dev/null +++ b/charts/v1.33.5/azurefile-csi-driver/values.yaml @@ -0,0 +1,267 @@ +image: + baseRepo: mcr.microsoft.com + azurefile: + repository: /oss/v2/kubernetes-csi/azurefile-csi + tag: v1.33.5 + pullPolicy: IfNotPresent + csiProvisioner: + repository: /oss/v2/kubernetes-csi/csi-provisioner + tag: v5.3.0 + pullPolicy: IfNotPresent + csiResizer: + repository: /oss/v2/kubernetes-csi/csi-resizer + tag: v1.14.0 + pullPolicy: IfNotPresent + livenessProbe: + repository: /oss/v2/kubernetes-csi/livenessprobe + tag: v2.16.0 + pullPolicy: IfNotPresent + nodeDriverRegistrar: + repository: /oss/v2/kubernetes-csi/csi-node-driver-registrar + tag: v2.14.0 + pullPolicy: IfNotPresent + +## Reference to one or more secrets to be used when pulling images +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ +imagePullSecrets: [] +# - name: myRegistryKeySecretName + +# -- Custom labels to add into metadata +customLabels: {} + # k8s-app: azurefile-csi-driver + +serviceAccount: + create: true # When true, service accounts will be created for you. Set to false if you want to use your own. + controller: csi-azurefile-controller-sa # Name of Service Account to be created or used + node: csi-azurefile-node-sa # Name of Service Account to be created or used + snapshotController: csi-snapshot-controller-sa # Name of Service Account to be created or used + +rbac: + create: true + name: azurefile + +controller: + name: csi-azurefile-controller + cloudConfigSecretName: azure-cloud-provider + cloudConfigSecretNamespace: kube-system + allowEmptyCloudConfig: true + replicas: 2 + strategyType: RollingUpdate + hostNetwork: true # this setting could be disabled if controller does not depend on MSI setting + metricsPort: 29614 + livenessProbe: + healthPort: 29612 + runOnMaster: false + runOnControlPlane: false + attachRequired: false + logLevel: 5 + labels: {} + annotations: {} + podLabels: {} + podAnnotations: {} + resources: + csiProvisioner: + limits: + cpu: 1 + memory: 500Mi + requests: + cpu: 10m + memory: 20Mi + csiResizer: + limits: + cpu: 1 + memory: 500Mi + requests: + cpu: 10m + memory: 20Mi + csiSnapshotter: + limits: + cpu: 1 + memory: 400Mi + requests: + cpu: 10m + memory: 20Mi + livenessProbe: + limits: + cpu: 1 + memory: 100Mi + requests: + cpu: 10m + memory: 20Mi + azurefile: + limits: + cpu: 2 + memory: 800Mi + requests: + cpu: 10m + memory: 20Mi + kubeconfig: "" + affinity: {} + nodeSelector: {} + tolerations: + - key: "node-role.kubernetes.io/master" + operator: "Exists" + effect: "NoSchedule" + - key: "node-role.kubernetes.io/controlplane" + operator: "Exists" + effect: "NoSchedule" + - key: "node-role.kubernetes.io/control-plane" + operator: "Exists" + effect: "NoSchedule" + - key: "CriticalAddonsOnly" + operator: "Exists" + effect: "NoSchedule" + +node: + strategyType: RollingUpdate + maxUnavailable: 1 + cloudConfigSecretName: azure-cloud-provider + cloudConfigSecretNamespace: kube-system + allowEmptyCloudConfig: true + allowInlineVolumeKeyAccessWithIdentity: false + enableKataCCMount: false + metricsPort: 29615 + livenessProbe: + healthPort: 29613 + logLevel: 5 + azurefileProxy: + enabled: true + installAznfsMount: true + migrateK8sRepo: false + +snapshot: + enabled: false + image: + csiSnapshotter: + repository: /oss/v2/kubernetes-csi/csi-snapshotter + tag: v8.3.0 + pullPolicy: IfNotPresent + csiSnapshotController: + repository: /oss/v2/kubernetes-csi/snapshot-controller + tag: v8.3.0 + pullPolicy: IfNotPresent + snapshotController: + name: csi-snapshot-controller + replicas: 2 + strategyType: RollingUpdate + labels: {} + annotations: {} + podLabels: {} + podAnnotations: {} + resources: + limits: + cpu: 1 + memory: 500Mi + requests: + cpu: 10m + memory: 20Mi + +feature: + enableGetVolumeStats: true + enableVolumeMountGroup: true + fsGroupPolicy: ReadWriteOnceWithFSType + +driver: + name: file.csi.azure.com + customUserAgent: "" + userAgentSuffix: "OSS-helm" + azureGoSDKLogLevel: "" # available values: ""(no logs), DEBUG, INFO, WARNING, ERROR + httpsProxy: "" + httpProxy: "" + +linux: + enabled: true + dsName: csi-azurefile-node # daemonset name + dnsPolicy: Default # available values: Default, ClusterFirst, ClusterFirstWithHostNet, None + kubelet: /var/lib/kubelet + kubeconfig: "" + distro: debian # available values: debian, fedora + mountPermissions: 0777 + labels: {} + annotations: {} + podLabels: {} + podAnnotations: {} + resources: + livenessProbe: + limits: + memory: 100Mi + requests: + cpu: 10m + memory: 20Mi + nodeDriverRegistrar: + limits: + memory: 100Mi + requests: + cpu: 10m + memory: 20Mi + azurefile: + limits: + memory: 400Mi + requests: + cpu: 10m + memory: 20Mi + tolerations: + - operator: "Exists" + nodeSelector: {} + affinity: {} + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: type + operator: NotIn + values: + - virtual-kubelet + +windows: + enabled: true + useHostProcessContainers: true + dsName: csi-azurefile-node-win # daemonset name + kubelet: 'C:\var\lib\kubelet' + kubeconfig: "" + enableRegistrationProbe: true + labels: {} + annotations: {} + podLabels: {} + podAnnotations: {} + resources: + livenessProbe: + limits: + memory: 150Mi + requests: + cpu: 10m + memory: 40Mi + nodeDriverRegistrar: + limits: + memory: 150Mi + requests: + cpu: 30m + memory: 40Mi + azurefile: + limits: + memory: 600Mi + requests: + cpu: 10m + memory: 40Mi + tolerations: + - key: "node.kubernetes.io/os" + operator: "Exists" + effect: "NoSchedule" + nodeSelector: {} + affinity: {} + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: type + operator: NotIn + values: + - virtual-kubelet + +workloadIdentity: + clientID: "" + # [optional] If the AAD application or user-assigned managed identity is not in the same tenant as the cluster + # then set tenantID with the application or user-assigned managed identity tenant ID + tenantID: "" + +azureCredentialFileConfigMap: azure-cred-file diff --git a/charts/v1.33.6/azurefile-csi-driver-1.33.6.tgz b/charts/v1.33.6/azurefile-csi-driver-1.33.6.tgz new file mode 100644 index 0000000000..d630a10080 Binary files /dev/null and b/charts/v1.33.6/azurefile-csi-driver-1.33.6.tgz differ diff --git a/charts/v1.33.6/azurefile-csi-driver/Chart.yaml b/charts/v1.33.6/azurefile-csi-driver/Chart.yaml new file mode 100644 index 0000000000..0ced8bf6b6 --- /dev/null +++ b/charts/v1.33.6/azurefile-csi-driver/Chart.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +appVersion: 1.33.6 +description: Azure File Container Storage Interface (CSI) Storage Plugin +name: azurefile-csi-driver +version: 1.33.6 diff --git a/charts/v1.33.6/azurefile-csi-driver/templates/NOTES.txt b/charts/v1.33.6/azurefile-csi-driver/templates/NOTES.txt new file mode 100644 index 0000000000..bea09b0829 --- /dev/null +++ b/charts/v1.33.6/azurefile-csi-driver/templates/NOTES.txt @@ -0,0 +1,5 @@ +The Azure File CSI Driver is getting deployed to your cluster. + +To check Azure File CSI Driver pods status, please run: + + kubectl --namespace={{ .Release.Namespace }} get pods --selector="app.kubernetes.io/name={{ .Release.Name }}" --watch diff --git a/charts/v1.33.6/azurefile-csi-driver/templates/_helpers.tpl b/charts/v1.33.6/azurefile-csi-driver/templates/_helpers.tpl new file mode 100644 index 0000000000..b1bf4dc1b6 --- /dev/null +++ b/charts/v1.33.6/azurefile-csi-driver/templates/_helpers.tpl @@ -0,0 +1,49 @@ +{{/* vim: set filetype=mustache: */}} + +{{/* Expand the name of the chart.*/}} +{{- define "azurefile.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "azurefile.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Common selectors. +*/}} +{{- define "azurefile.selectorLabels" -}} +app.kubernetes.io/name: {{ template "azurefile.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end -}} + +{{/* +Common labels. +*/}} +{{- define "azurefile.labels" -}} +{{- include "azurefile.selectorLabels" . }} +app.kubernetes.io/component: csi-driver +app.kubernetes.io/part-of: {{ template "azurefile.name" . }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +helm.sh/chart: {{ template "azurefile.chart" . }} +{{- if .Values.customLabels }} +{{ toYaml .Values.customLabels }} +{{- end }} +{{- end -}} + + +{{/* pull secrets for containers */}} +{{- define "azurefile.pullSecrets" -}} +{{- if .Values.imagePullSecrets }} +imagePullSecrets: +{{- range .Values.imagePullSecrets }} + - name: {{ . }} +{{- end }} +{{- end }} +{{- end -}} diff --git a/charts/v1.33.6/azurefile-csi-driver/templates/crd-csi-snapshot.yaml b/charts/v1.33.6/azurefile-csi-driver/templates/crd-csi-snapshot.yaml new file mode 100644 index 0000000000..3a66c45732 --- /dev/null +++ b/charts/v1.33.6/azurefile-csi-driver/templates/crd-csi-snapshot.yaml @@ -0,0 +1,953 @@ +{{- if .Values.snapshot.enabled -}} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + api-approved.kubernetes.io: "https://github.com/kubernetes-csi/external-snapshotter/pull/814" + name: volumesnapshots.snapshot.storage.k8s.io +spec: + group: snapshot.storage.k8s.io + names: + kind: VolumeSnapshot + listKind: VolumeSnapshotList + plural: volumesnapshots + shortNames: + - vs + singular: volumesnapshot + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Indicates if the snapshot is ready to be used to restore a volume. + jsonPath: .status.readyToUse + name: ReadyToUse + type: boolean + - description: If a new snapshot needs to be created, this contains the name of + the source PVC from which this snapshot was (or will be) created. + jsonPath: .spec.source.persistentVolumeClaimName + name: SourcePVC + type: string + - description: If a snapshot already exists, this contains the name of the existing + VolumeSnapshotContent object representing the existing snapshot. + jsonPath: .spec.source.volumeSnapshotContentName + name: SourceSnapshotContent + type: string + - description: Represents the minimum size of volume required to rehydrate from + this snapshot. + jsonPath: .status.restoreSize + name: RestoreSize + type: string + - description: The name of the VolumeSnapshotClass requested by the VolumeSnapshot. + jsonPath: .spec.volumeSnapshotClassName + name: SnapshotClass + type: string + - description: Name of the VolumeSnapshotContent object to which the VolumeSnapshot + object intends to bind to. Please note that verification of binding actually + requires checking both VolumeSnapshot and VolumeSnapshotContent to ensure + both are pointing at each other. Binding MUST be verified prior to usage of + this object. + jsonPath: .status.boundVolumeSnapshotContentName + name: SnapshotContent + type: string + - description: Timestamp when the point-in-time snapshot was taken by the underlying + storage system. + jsonPath: .status.creationTime + name: CreationTime + type: date + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + VolumeSnapshot is a user's request for either creating a point-in-time + snapshot of a persistent volume, or binding to a pre-existing snapshot. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + spec defines the desired characteristics of a snapshot requested by a user. + More info: https://kubernetes.io/docs/concepts/storage/volume-snapshots#volumesnapshots + Required. + properties: + source: + description: |- + source specifies where a snapshot will be created from. + This field is immutable after creation. + Required. + properties: + persistentVolumeClaimName: + description: |- + persistentVolumeClaimName specifies the name of the PersistentVolumeClaim + object representing the volume from which a snapshot should be created. + This PVC is assumed to be in the same namespace as the VolumeSnapshot + object. + This field should be set if the snapshot does not exists, and needs to be + created. + This field is immutable. + type: string + x-kubernetes-validations: + - message: persistentVolumeClaimName is immutable + rule: self == oldSelf + volumeSnapshotContentName: + description: |- + volumeSnapshotContentName specifies the name of a pre-existing VolumeSnapshotContent + object representing an existing volume snapshot. + This field should be set if the snapshot already exists and only needs a representation in Kubernetes. + This field is immutable. + type: string + x-kubernetes-validations: + - message: volumeSnapshotContentName is immutable + rule: self == oldSelf + type: object + x-kubernetes-validations: + - message: persistentVolumeClaimName is required once set + rule: '!has(oldSelf.persistentVolumeClaimName) || has(self.persistentVolumeClaimName)' + - message: volumeSnapshotContentName is required once set + rule: '!has(oldSelf.volumeSnapshotContentName) || has(self.volumeSnapshotContentName)' + - message: exactly one of volumeSnapshotContentName and persistentVolumeClaimName + must be set + rule: (has(self.volumeSnapshotContentName) && !has(self.persistentVolumeClaimName)) + || (!has(self.volumeSnapshotContentName) && has(self.persistentVolumeClaimName)) + volumeSnapshotClassName: + description: |- + VolumeSnapshotClassName is the name of the VolumeSnapshotClass + requested by the VolumeSnapshot. + VolumeSnapshotClassName may be left nil to indicate that the default + SnapshotClass should be used. + A given cluster may have multiple default Volume SnapshotClasses: one + default per CSI Driver. If a VolumeSnapshot does not specify a SnapshotClass, + VolumeSnapshotSource will be checked to figure out what the associated + CSI Driver is, and the default VolumeSnapshotClass associated with that + CSI Driver will be used. If more than one VolumeSnapshotClass exist for + a given CSI Driver and more than one have been marked as default, + CreateSnapshot will fail and generate an event. + Empty string is not allowed for this field. + type: string + x-kubernetes-validations: + - message: volumeSnapshotClassName must not be the empty string when + set + rule: size(self) > 0 + required: + - source + type: object + status: + description: |- + status represents the current information of a snapshot. + Consumers must verify binding between VolumeSnapshot and + VolumeSnapshotContent objects is successful (by validating that both + VolumeSnapshot and VolumeSnapshotContent point at each other) before + using this object. + properties: + boundVolumeSnapshotContentName: + description: |- + boundVolumeSnapshotContentName is the name of the VolumeSnapshotContent + object to which this VolumeSnapshot object intends to bind to. + If not specified, it indicates that the VolumeSnapshot object has not been + successfully bound to a VolumeSnapshotContent object yet. + NOTE: To avoid possible security issues, consumers must verify binding between + VolumeSnapshot and VolumeSnapshotContent objects is successful (by validating that + both VolumeSnapshot and VolumeSnapshotContent point at each other) before using + this object. + type: string + creationTime: + description: |- + creationTime is the timestamp when the point-in-time snapshot is taken + by the underlying storage system. + In dynamic snapshot creation case, this field will be filled in by the + snapshot controller with the "creation_time" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "creation_time" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. + If not specified, it may indicate that the creation time of the snapshot is unknown. + format: date-time + type: string + error: + description: |- + error is the last observed error during snapshot creation, if any. + This field could be helpful to upper level controllers(i.e., application controller) + to decide whether they should continue on waiting for the snapshot to be created + based on the type of error reported. + The snapshot controller will keep retrying when an error occurs during the + snapshot creation. Upon success, this error field will be cleared. + properties: + message: + description: |- + message is a string detailing the encountered error during snapshot + creation if specified. + NOTE: message may be logged, and it should not contain sensitive + information. + type: string + time: + description: time is the timestamp when the error was encountered. + format: date-time + type: string + type: object + readyToUse: + description: |- + readyToUse indicates if the snapshot is ready to be used to restore a volume. + In dynamic snapshot creation case, this field will be filled in by the + snapshot controller with the "ready_to_use" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "ready_to_use" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it, + otherwise, this field will be set to "True". + If not specified, it means the readiness of a snapshot is unknown. + type: boolean + restoreSize: + type: string + description: |- + restoreSize represents the minimum size of volume required to create a volume + from this snapshot. + In dynamic snapshot creation case, this field will be filled in by the + snapshot controller with the "size_bytes" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "size_bytes" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. + When restoring a volume from this snapshot, the size of the volume MUST NOT + be smaller than the restoreSize if it is specified, otherwise the restoration will fail. + If not specified, it indicates that the size is unknown. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + volumeGroupSnapshotName: + description: |- + VolumeGroupSnapshotName is the name of the VolumeGroupSnapshot of which this + VolumeSnapshot is a part of. + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: Indicates if the snapshot is ready to be used to restore a volume. + jsonPath: .status.readyToUse + name: ReadyToUse + type: boolean + - description: If a new snapshot needs to be created, this contains the name of the source PVC from which this snapshot was (or will be) created. + jsonPath: .spec.source.persistentVolumeClaimName + name: SourcePVC + type: string + - description: If a snapshot already exists, this contains the name of the existing VolumeSnapshotContent object representing the existing snapshot. + jsonPath: .spec.source.volumeSnapshotContentName + name: SourceSnapshotContent + type: string + - description: Represents the minimum size of volume required to rehydrate from this snapshot. + jsonPath: .status.restoreSize + name: RestoreSize + type: string + - description: The name of the VolumeSnapshotClass requested by the VolumeSnapshot. + jsonPath: .spec.volumeSnapshotClassName + name: SnapshotClass + type: string + - description: Name of the VolumeSnapshotContent object to which the VolumeSnapshot object intends to bind to. Please note that verification of binding actually requires checking both VolumeSnapshot and VolumeSnapshotContent to ensure both are pointing at each other. Binding MUST be verified prior to usage of this object. + jsonPath: .status.boundVolumeSnapshotContentName + name: SnapshotContent + type: string + - description: Timestamp when the point-in-time snapshot was taken by the underlying storage system. + jsonPath: .status.creationTime + name: CreationTime + type: date + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + # This indicates the v1beta1 version of the custom resource is deprecated. + # API requests to this version receive a warning in the server response. + deprecated: true + # This overrides the default warning returned to clients making v1beta1 API requests. + deprecationWarning: "snapshot.storage.k8s.io/v1beta1 VolumeSnapshot is deprecated; use snapshot.storage.k8s.io/v1 VolumeSnapshot" + schema: + openAPIV3Schema: + description: VolumeSnapshot is a user's request for either creating a point-in-time snapshot of a persistent volume, or binding to a pre-existing snapshot. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + spec: + description: 'spec defines the desired characteristics of a snapshot requested by a user. More info: https://kubernetes.io/docs/concepts/storage/volume-snapshots#volumesnapshots Required.' + properties: + source: + description: source specifies where a snapshot will be created from. This field is immutable after creation. Required. + properties: + persistentVolumeClaimName: + description: persistentVolumeClaimName specifies the name of the PersistentVolumeClaim object representing the volume from which a snapshot should be created. This PVC is assumed to be in the same namespace as the VolumeSnapshot object. This field should be set if the snapshot does not exists, and needs to be created. This field is immutable. + type: string + volumeSnapshotContentName: + description: volumeSnapshotContentName specifies the name of a pre-existing VolumeSnapshotContent object representing an existing volume snapshot. This field should be set if the snapshot already exists and only needs a representation in Kubernetes. This field is immutable. + type: string + type: object + volumeSnapshotClassName: + description: 'VolumeSnapshotClassName is the name of the VolumeSnapshotClass requested by the VolumeSnapshot. VolumeSnapshotClassName may be left nil to indicate that the default SnapshotClass should be used. A given cluster may have multiple default Volume SnapshotClasses: one default per CSI Driver. If a VolumeSnapshot does not specify a SnapshotClass, VolumeSnapshotSource will be checked to figure out what the associated CSI Driver is, and the default VolumeSnapshotClass associated with that CSI Driver will be used. If more than one VolumeSnapshotClass exist for a given CSI Driver and more than one have been marked as default, CreateSnapshot will fail and generate an event. Empty string is not allowed for this field.' + type: string + required: + - source + type: object + status: + description: status represents the current information of a snapshot. Consumers must verify binding between VolumeSnapshot and VolumeSnapshotContent objects is successful (by validating that both VolumeSnapshot and VolumeSnapshotContent point at each other) before using this object. + properties: + boundVolumeSnapshotContentName: + description: 'boundVolumeSnapshotContentName is the name of the VolumeSnapshotContent object to which this VolumeSnapshot object intends to bind to. If not specified, it indicates that the VolumeSnapshot object has not been successfully bound to a VolumeSnapshotContent object yet. NOTE: To avoid possible security issues, consumers must verify binding between VolumeSnapshot and VolumeSnapshotContent objects is successful (by validating that both VolumeSnapshot and VolumeSnapshotContent point at each other) before using this object.' + type: string + creationTime: + description: creationTime is the timestamp when the point-in-time snapshot is taken by the underlying storage system. In dynamic snapshot creation case, this field will be filled in by the snapshot controller with the "creation_time" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "creation_time" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. If not specified, it may indicate that the creation time of the snapshot is unknown. + format: date-time + type: string + error: + description: error is the last observed error during snapshot creation, if any. This field could be helpful to upper level controllers(i.e., application controller) to decide whether they should continue on waiting for the snapshot to be created based on the type of error reported. The snapshot controller will keep retrying when an error occurs during the snapshot creation. Upon success, this error field will be cleared. + properties: + message: + description: 'message is a string detailing the encountered error during snapshot creation if specified. NOTE: message may be logged, and it should not contain sensitive information.' + type: string + time: + description: time is the timestamp when the error was encountered. + format: date-time + type: string + type: object + readyToUse: + description: readyToUse indicates if the snapshot is ready to be used to restore a volume. In dynamic snapshot creation case, this field will be filled in by the snapshot controller with the "ready_to_use" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "ready_to_use" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it, otherwise, this field will be set to "True". If not specified, it means the readiness of a snapshot is unknown. + type: boolean + restoreSize: + type: string + description: restoreSize represents the minimum size of volume required to create a volume from this snapshot. In dynamic snapshot creation case, this field will be filled in by the snapshot controller with the "size_bytes" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "size_bytes" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. When restoring a volume from this snapshot, the size of the volume MUST NOT be smaller than the restoreSize if it is specified, otherwise the restoration will fail. If not specified, it indicates that the size is unknown. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + required: + - spec + type: object + served: false + storage: false + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: "https://github.com/kubernetes-csi/external-snapshotter/pull/814" + controller-gen.kubebuilder.io/version: v0.15.0 + name: volumesnapshotclasses.snapshot.storage.k8s.io +spec: + group: snapshot.storage.k8s.io + names: + kind: VolumeSnapshotClass + listKind: VolumeSnapshotClassList + plural: volumesnapshotclasses + shortNames: + - vsclass + - vsclasses + singular: volumesnapshotclass + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .driver + name: Driver + type: string + - description: Determines whether a VolumeSnapshotContent created through the + VolumeSnapshotClass should be deleted when its bound VolumeSnapshot is deleted. + jsonPath: .deletionPolicy + name: DeletionPolicy + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + VolumeSnapshotClass specifies parameters that a underlying storage system uses when + creating a volume snapshot. A specific VolumeSnapshotClass is used by specifying its + name in a VolumeSnapshot object. + VolumeSnapshotClasses are non-namespaced + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + deletionPolicy: + description: |- + deletionPolicy determines whether a VolumeSnapshotContent created through + the VolumeSnapshotClass should be deleted when its bound VolumeSnapshot is deleted. + Supported values are "Retain" and "Delete". + "Retain" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are kept. + "Delete" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are deleted. + Required. + enum: + - Delete + - Retain + type: string + driver: + description: |- + driver is the name of the storage driver that handles this VolumeSnapshotClass. + Required. + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + parameters: + additionalProperties: + type: string + description: |- + parameters is a key-value map with storage driver specific parameters for creating snapshots. + These values are opaque to Kubernetes. + type: object + required: + - deletionPolicy + - driver + type: object + served: true + storage: true + subresources: {} + - additionalPrinterColumns: + - jsonPath: .driver + name: Driver + type: string + - description: Determines whether a VolumeSnapshotContent created through the VolumeSnapshotClass should be deleted when its bound VolumeSnapshot is deleted. + jsonPath: .deletionPolicy + name: DeletionPolicy + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + # This indicates the v1beta1 version of the custom resource is deprecated. + # API requests to this version receive a warning in the server response. + deprecated: true + # This overrides the default warning returned to clients making v1beta1 API requests. + deprecationWarning: "snapshot.storage.k8s.io/v1beta1 VolumeSnapshotClass is deprecated; use snapshot.storage.k8s.io/v1 VolumeSnapshotClass" + schema: + openAPIV3Schema: + description: VolumeSnapshotClass specifies parameters that a underlying storage system uses when creating a volume snapshot. A specific VolumeSnapshotClass is used by specifying its name in a VolumeSnapshot object. VolumeSnapshotClasses are non-namespaced + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + deletionPolicy: + description: deletionPolicy determines whether a VolumeSnapshotContent created through the VolumeSnapshotClass should be deleted when its bound VolumeSnapshot is deleted. Supported values are "Retain" and "Delete". "Retain" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are kept. "Delete" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are deleted. Required. + enum: + - Delete + - Retain + type: string + driver: + description: driver is the name of the storage driver that handles this VolumeSnapshotClass. Required. + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + parameters: + additionalProperties: + type: string + description: parameters is a key-value map with storage driver specific parameters for creating snapshots. These values are opaque to Kubernetes. + type: object + required: + - deletionPolicy + - driver + type: object + served: false + storage: false + subresources: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + api-approved.kubernetes.io: "https://github.com/kubernetes-csi/external-snapshotter/pull/955" + name: volumesnapshotcontents.snapshot.storage.k8s.io +spec: + group: snapshot.storage.k8s.io + names: + kind: VolumeSnapshotContent + listKind: VolumeSnapshotContentList + plural: volumesnapshotcontents + shortNames: + - vsc + - vscs + singular: volumesnapshotcontent + scope: Cluster + versions: + - additionalPrinterColumns: + - description: Indicates if the snapshot is ready to be used to restore a volume. + jsonPath: .status.readyToUse + name: ReadyToUse + type: boolean + - description: Represents the complete size of the snapshot in bytes + jsonPath: .status.restoreSize + name: RestoreSize + type: integer + - description: Determines whether this VolumeSnapshotContent and its physical + snapshot on the underlying storage system should be deleted when its bound + VolumeSnapshot is deleted. + jsonPath: .spec.deletionPolicy + name: DeletionPolicy + type: string + - description: Name of the CSI driver used to create the physical snapshot on + the underlying storage system. + jsonPath: .spec.driver + name: Driver + type: string + - description: Name of the VolumeSnapshotClass to which this snapshot belongs. + jsonPath: .spec.volumeSnapshotClassName + name: VolumeSnapshotClass + type: string + - description: Name of the VolumeSnapshot object to which this VolumeSnapshotContent + object is bound. + jsonPath: .spec.volumeSnapshotRef.name + name: VolumeSnapshot + type: string + - description: Namespace of the VolumeSnapshot object to which this VolumeSnapshotContent + object is bound. + jsonPath: .spec.volumeSnapshotRef.namespace + name: VolumeSnapshotNamespace + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + VolumeSnapshotContent represents the actual "on-disk" snapshot object in the + underlying storage system + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + spec defines properties of a VolumeSnapshotContent created by the underlying storage system. + Required. + properties: + deletionPolicy: + description: |- + deletionPolicy determines whether this VolumeSnapshotContent and its physical snapshot on + the underlying storage system should be deleted when its bound VolumeSnapshot is deleted. + Supported values are "Retain" and "Delete". + "Retain" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are kept. + "Delete" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are deleted. + For dynamically provisioned snapshots, this field will automatically be filled in by the + CSI snapshotter sidecar with the "DeletionPolicy" field defined in the corresponding + VolumeSnapshotClass. + For pre-existing snapshots, users MUST specify this field when creating the + VolumeSnapshotContent object. + Required. + enum: + - Delete + - Retain + type: string + driver: + description: |- + driver is the name of the CSI driver used to create the physical snapshot on + the underlying storage system. + This MUST be the same as the name returned by the CSI GetPluginName() call for + that driver. + Required. + type: string + source: + description: |- + source specifies whether the snapshot is (or should be) dynamically provisioned + or already exists, and just requires a Kubernetes object representation. + This field is immutable after creation. + Required. + properties: + snapshotHandle: + description: |- + snapshotHandle specifies the CSI "snapshot_id" of a pre-existing snapshot on + the underlying storage system for which a Kubernetes object representation + was (or should be) created. + This field is immutable. + type: string + x-kubernetes-validations: + - message: snapshotHandle is immutable + rule: self == oldSelf + volumeHandle: + description: |- + volumeHandle specifies the CSI "volume_id" of the volume from which a snapshot + should be dynamically taken from. + This field is immutable. + type: string + x-kubernetes-validations: + - message: volumeHandle is immutable + rule: self == oldSelf + type: object + x-kubernetes-validations: + - message: volumeHandle is required once set + rule: '!has(oldSelf.volumeHandle) || has(self.volumeHandle)' + - message: snapshotHandle is required once set + rule: '!has(oldSelf.snapshotHandle) || has(self.snapshotHandle)' + - message: exactly one of volumeHandle and snapshotHandle must be + set + rule: (has(self.volumeHandle) && !has(self.snapshotHandle)) || (!has(self.volumeHandle) + && has(self.snapshotHandle)) + sourceVolumeMode: + description: |- + SourceVolumeMode is the mode of the volume whose snapshot is taken. + Can be either "Filesystem" or "Block". + If not specified, it indicates the source volume's mode is unknown. + This field is immutable. + This field is an alpha field. + type: string + x-kubernetes-validations: + - message: sourceVolumeMode is immutable + rule: self == oldSelf + volumeSnapshotClassName: + description: |- + name of the VolumeSnapshotClass from which this snapshot was (or will be) + created. + Note that after provisioning, the VolumeSnapshotClass may be deleted or + recreated with different set of values, and as such, should not be referenced + post-snapshot creation. + type: string + volumeSnapshotRef: + description: |- + volumeSnapshotRef specifies the VolumeSnapshot object to which this + VolumeSnapshotContent object is bound. + VolumeSnapshot.Spec.VolumeSnapshotContentName field must reference to + this VolumeSnapshotContent's name for the bidirectional binding to be valid. + For a pre-existing VolumeSnapshotContent object, name and namespace of the + VolumeSnapshot object MUST be provided for binding to happen. + This field is immutable after creation. + Required. + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. + type: string + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + namespace: + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + type: string + resourceVersion: + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + type: string + uid: + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + type: string + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: both spec.volumeSnapshotRef.name and spec.volumeSnapshotRef.namespace + must be set + rule: has(self.name) && has(self.__namespace__) + required: + - deletionPolicy + - driver + - source + - volumeSnapshotRef + type: object + x-kubernetes-validations: + - message: sourceVolumeMode is required once set + rule: '!has(oldSelf.sourceVolumeMode) || has(self.sourceVolumeMode)' + status: + description: status represents the current information of a snapshot. + properties: + creationTime: + description: |- + creationTime is the timestamp when the point-in-time snapshot is taken + by the underlying storage system. + In dynamic snapshot creation case, this field will be filled in by the + CSI snapshotter sidecar with the "creation_time" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "creation_time" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. + If not specified, it indicates the creation time is unknown. + The format of this field is a Unix nanoseconds time encoded as an int64. + On Unix, the command `date +%s%N` returns the current time in nanoseconds + since 1970-01-01 00:00:00 UTC. + format: int64 + type: integer + error: + description: |- + error is the last observed error during snapshot creation, if any. + Upon success after retry, this error field will be cleared. + properties: + message: + description: |- + message is a string detailing the encountered error during snapshot + creation if specified. + NOTE: message may be logged, and it should not contain sensitive + information. + type: string + time: + description: time is the timestamp when the error was encountered. + format: date-time + type: string + type: object + readyToUse: + description: |- + readyToUse indicates if a snapshot is ready to be used to restore a volume. + In dynamic snapshot creation case, this field will be filled in by the + CSI snapshotter sidecar with the "ready_to_use" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "ready_to_use" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it, + otherwise, this field will be set to "True". + If not specified, it means the readiness of a snapshot is unknown. + type: boolean + restoreSize: + description: |- + restoreSize represents the complete size of the snapshot in bytes. + In dynamic snapshot creation case, this field will be filled in by the + CSI snapshotter sidecar with the "size_bytes" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "size_bytes" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. + When restoring a volume from this snapshot, the size of the volume MUST NOT + be smaller than the restoreSize if it is specified, otherwise the restoration will fail. + If not specified, it indicates that the size is unknown. + format: int64 + minimum: 0 + type: integer + snapshotHandle: + description: |- + snapshotHandle is the CSI "snapshot_id" of a snapshot on the underlying storage system. + If not specified, it indicates that dynamic snapshot creation has either failed + or it is still in progress. + type: string + volumeGroupSnapshotHandle: + description: |- + VolumeGroupSnapshotHandle is the CSI "group_snapshot_id" of a group snapshot + on the underlying storage system. + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: Indicates if the snapshot is ready to be used to restore a volume. + jsonPath: .status.readyToUse + name: ReadyToUse + type: boolean + - description: Represents the complete size of the snapshot in bytes + jsonPath: .status.restoreSize + name: RestoreSize + type: integer + - description: Determines whether this VolumeSnapshotContent and its physical snapshot on the underlying storage system should be deleted when its bound VolumeSnapshot is deleted. + jsonPath: .spec.deletionPolicy + name: DeletionPolicy + type: string + - description: Name of the CSI driver used to create the physical snapshot on the underlying storage system. + jsonPath: .spec.driver + name: Driver + type: string + - description: Name of the VolumeSnapshotClass to which this snapshot belongs. + jsonPath: .spec.volumeSnapshotClassName + name: VolumeSnapshotClass + type: string + - description: Name of the VolumeSnapshot object to which this VolumeSnapshotContent object is bound. + jsonPath: .spec.volumeSnapshotRef.name + name: VolumeSnapshot + type: string + - description: Namespace of the VolumeSnapshot object to which this VolumeSnapshotContent object is bound. + jsonPath: .spec.volumeSnapshotRef.namespace + name: VolumeSnapshotNamespace + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + # This indicates the v1beta1 version of the custom resource is deprecated. + # API requests to this version receive a warning in the server response. + deprecated: true + # This overrides the default warning returned to clients making v1beta1 API requests. + deprecationWarning: "snapshot.storage.k8s.io/v1beta1 VolumeSnapshotContent is deprecated; use snapshot.storage.k8s.io/v1 VolumeSnapshotContent" + schema: + openAPIV3Schema: + description: VolumeSnapshotContent represents the actual "on-disk" snapshot object in the underlying storage system + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + spec: + description: spec defines properties of a VolumeSnapshotContent created by the underlying storage system. Required. + properties: + deletionPolicy: + description: deletionPolicy determines whether this VolumeSnapshotContent and its physical snapshot on the underlying storage system should be deleted when its bound VolumeSnapshot is deleted. Supported values are "Retain" and "Delete". "Retain" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are kept. "Delete" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are deleted. For dynamically provisioned snapshots, this field will automatically be filled in by the CSI snapshotter sidecar with the "DeletionPolicy" field defined in the corresponding VolumeSnapshotClass. For pre-existing snapshots, users MUST specify this field when creating the VolumeSnapshotContent object. Required. + enum: + - Delete + - Retain + type: string + driver: + description: driver is the name of the CSI driver used to create the physical snapshot on the underlying storage system. This MUST be the same as the name returned by the CSI GetPluginName() call for that driver. Required. + type: string + source: + description: source specifies whether the snapshot is (or should be) dynamically provisioned or already exists, and just requires a Kubernetes object representation. This field is immutable after creation. Required. + properties: + snapshotHandle: + description: snapshotHandle specifies the CSI "snapshot_id" of a pre-existing snapshot on the underlying storage system for which a Kubernetes object representation was (or should be) created. This field is immutable. + type: string + volumeHandle: + description: volumeHandle specifies the CSI "volume_id" of the volume from which a snapshot should be dynamically taken from. This field is immutable. + type: string + type: object + volumeSnapshotClassName: + description: name of the VolumeSnapshotClass from which this snapshot was (or will be) created. Note that after provisioning, the VolumeSnapshotClass may be deleted or recreated with different set of values, and as such, should not be referenced post-snapshot creation. + type: string + volumeSnapshotRef: + description: volumeSnapshotRef specifies the VolumeSnapshot object to which this VolumeSnapshotContent object is bound. VolumeSnapshot.Spec.VolumeSnapshotContentName field must reference to this VolumeSnapshotContent's name for the bidirectional binding to be valid. For a pre-existing VolumeSnapshotContent object, name and namespace of the VolumeSnapshot object MUST be provided for binding to happen. This field is immutable after creation. Required. + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + required: + - deletionPolicy + - driver + - source + - volumeSnapshotRef + type: object + status: + description: status represents the current information of a snapshot. + properties: + creationTime: + description: creationTime is the timestamp when the point-in-time snapshot is taken by the underlying storage system. In dynamic snapshot creation case, this field will be filled in by the CSI snapshotter sidecar with the "creation_time" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "creation_time" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. If not specified, it indicates the creation time is unknown. The format of this field is a Unix nanoseconds time encoded as an int64. On Unix, the command `date +%s%N` returns the current time in nanoseconds since 1970-01-01 00:00:00 UTC. + format: int64 + type: integer + error: + description: error is the last observed error during snapshot creation, if any. Upon success after retry, this error field will be cleared. + properties: + message: + description: 'message is a string detailing the encountered error during snapshot creation if specified. NOTE: message may be logged, and it should not contain sensitive information.' + type: string + time: + description: time is the timestamp when the error was encountered. + format: date-time + type: string + type: object + readyToUse: + description: readyToUse indicates if a snapshot is ready to be used to restore a volume. In dynamic snapshot creation case, this field will be filled in by the CSI snapshotter sidecar with the "ready_to_use" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "ready_to_use" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it, otherwise, this field will be set to "True". If not specified, it means the readiness of a snapshot is unknown. + type: boolean + restoreSize: + description: restoreSize represents the complete size of the snapshot in bytes. In dynamic snapshot creation case, this field will be filled in by the CSI snapshotter sidecar with the "size_bytes" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "size_bytes" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. When restoring a volume from this snapshot, the size of the volume MUST NOT be smaller than the restoreSize if it is specified, otherwise the restoration will fail. If not specified, it indicates that the size is unknown. + format: int64 + minimum: 0 + type: integer + snapshotHandle: + description: snapshotHandle is the CSI "snapshot_id" of a snapshot on the underlying storage system. If not specified, it indicates that dynamic snapshot creation has either failed or it is still in progress. + type: string + type: object + required: + - spec + type: object + served: false + storage: false + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end -}} diff --git a/charts/v1.33.6/azurefile-csi-driver/templates/csi-azurefile-controller.yaml b/charts/v1.33.6/azurefile-csi-driver/templates/csi-azurefile-controller.yaml new file mode 100644 index 0000000000..0e782b851b --- /dev/null +++ b/charts/v1.33.6/azurefile-csi-driver/templates/csi-azurefile-controller.yaml @@ -0,0 +1,285 @@ +kind: Deployment +apiVersion: apps/v1 +metadata: + name: {{ .Values.controller.name }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Values.controller.name }} + {{- include "azurefile.labels" . | nindent 4 }} +{{- with .Values.controller.labels }} +{{ . | toYaml | indent 4 }} +{{- end }} +{{- with .Values.controller.annotations }} + annotations: +{{ . | toYaml | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.controller.replicas }} + selector: + matchLabels: + {{- include "azurefile.selectorLabels" . | nindent 6 }} + app: {{ .Values.controller.name }} + strategy: + type: {{ .Values.controller.strategyType }} + template: + metadata: + labels: + {{- include "azurefile.labels" . | nindent 8 }} + app: {{ .Values.controller.name }} + {{- if .Values.workloadIdentity.clientID }} + azure.workload.identity/use: "true" + {{- end }} +{{- with .Values.controller.podLabels }} +{{ toYaml . | indent 8 }} +{{- end }} +{{- with .Values.controller.podAnnotations }} + annotations: +{{ toYaml . | indent 8 }} +{{- end }} + spec: + hostNetwork: {{ .Values.controller.hostNetwork }} + serviceAccountName: {{ .Values.serviceAccount.controller }} + nodeSelector: + kubernetes.io/os: linux +{{- with .Values.controller.nodeSelector }} +{{ toYaml . | indent 8 }} +{{- end }} + # runOnControlPlane=true or runOnMaster=true only takes effect if affinity is not set + {{- if tpl "{{ .Values.controller.affinity }}" . | contains "nodeSelectorTerms" }} + {{- with .Values.controller.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- else if or .Values.controller.runOnControlPlane .Values.controller.runOnMaster}} + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + {{- if .Values.controller.runOnControlPlane}} + - key: node-role.kubernetes.io/control-plane + operator: Exists + {{- end}} + {{- if .Values.controller.runOnMaster}} + - key: node-role.kubernetes.io/master + operator: Exists + {{- end}} + {{- end }} + priorityClassName: system-cluster-critical + securityContext: + seccompProfile: + type: RuntimeDefault +{{- with .Values.controller.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} +{{- end }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: +{{ toYaml .Values.imagePullSecrets | indent 8 }} + {{- end }} + containers: + - name: csi-provisioner +{{- if hasPrefix "/" .Values.image.csiProvisioner.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.csiProvisioner.repository }}:{{ .Values.image.csiProvisioner.tag }}" +{{- else }} + image: "{{ .Values.image.csiProvisioner.repository }}:{{ .Values.image.csiProvisioner.tag }}" +{{- end }} + args: + - "-v=2" + - "--csi-address=$(ADDRESS)" + - "--leader-election" + - "--leader-election-namespace={{ .Release.Namespace }}" + - "--timeout=1200s" + - "--extra-create-metadata=true" + - "--kube-api-qps=50" + - "--kube-api-burst=100" + - "--feature-gates=HonorPVReclaimPolicy=true" + - "--retry-interval-max=30m" + env: + - name: ADDRESS + value: /csi/csi.sock + imagePullPolicy: {{ .Values.image.csiProvisioner.pullPolicy }} + volumeMounts: + - mountPath: /csi + name: socket-dir + resources: {{- toYaml .Values.controller.resources.csiProvisioner | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL + - name: csi-snapshotter +{{- if hasPrefix "/" .Values.snapshot.image.csiSnapshotter.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.snapshot.image.csiSnapshotter.repository }}:{{ .Values.snapshot.image.csiSnapshotter.tag }}" +{{- else }} + image: "{{ .Values.snapshot.image.csiSnapshotter.repository }}:{{ .Values.snapshot.image.csiSnapshotter.tag }}" +{{- end }} + args: + - "-csi-address=$(ADDRESS)" + - "-leader-election" + - "--leader-election-namespace={{ .Release.Namespace }}" + - "-v=2" + - "--retry-interval-max=30m" + env: + - name: ADDRESS + value: /csi/csi.sock + volumeMounts: + - name: socket-dir + mountPath: /csi + resources: {{- toYaml .Values.controller.resources.csiSnapshotter | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL + - name: csi-resizer +{{- if hasPrefix "/" .Values.image.csiResizer.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.csiResizer.repository }}:{{ .Values.image.csiResizer.tag }}" +{{- else }} + image: "{{ .Values.image.csiResizer.repository }}:{{ .Values.image.csiResizer.tag }}" +{{- end }} + args: + - "-csi-address=$(ADDRESS)" + - "-v=2" + - "-leader-election" + - "--leader-election-namespace={{ .Release.Namespace }}" + - '-handle-volume-inuse-error=false' + - '-timeout=120s' + - '-feature-gates=RecoverVolumeExpansionFailure=true' + - "--retry-interval-max=30m" + env: + - name: ADDRESS + value: /csi/csi.sock + imagePullPolicy: {{ .Values.image.csiResizer.pullPolicy }} + volumeMounts: + - name: socket-dir + mountPath: /csi + resources: {{- toYaml .Values.controller.resources.csiResizer | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL + - name: liveness-probe +{{- if hasPrefix "/" .Values.image.livenessProbe.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}" +{{- else }} + image: "{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}" +{{- end }} + args: + - --csi-address=/csi/csi.sock + - --probe-timeout=3s +{{- if eq .Values.controller.hostNetwork true }} + - --http-endpoint=localhost:{{ .Values.controller.livenessProbe.healthPort }} +{{- else }} + - --health-port={{ .Values.controller.livenessProbe.healthPort }} +{{- end }} + - --v=2 + imagePullPolicy: {{ .Values.image.livenessProbe.pullPolicy }} + volumeMounts: + - name: socket-dir + mountPath: /csi + resources: {{- toYaml .Values.controller.resources.livenessProbe | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL + - name: azurefile +{{- if hasPrefix "/" .Values.image.azurefile.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}" +{{- else }} + image: "{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}" +{{- end }} + args: + - "--v={{ .Values.controller.logLevel }}" + - "--endpoint=$(CSI_ENDPOINT)" + - "--metrics-address=0.0.0.0:{{ .Values.controller.metricsPort }}" + - "--kubeconfig={{ .Values.controller.kubeconfig }}" + - "--drivername={{ .Values.driver.name }}" + - "--cloud-config-secret-name={{ .Values.controller.cloudConfigSecretName }}" + - "--cloud-config-secret-namespace={{ .Values.controller.cloudConfigSecretNamespace }}" + - "--custom-user-agent={{ .Values.driver.customUserAgent }}" + - "--user-agent-suffix={{ .Values.driver.userAgentSuffix }}" + - "--allow-empty-cloud-config={{ .Values.controller.allowEmptyCloudConfig }}" + ports: + - containerPort: {{ .Values.controller.metricsPort }} + name: metrics + protocol: TCP +{{- if ne .Values.controller.hostNetwork true }} + - containerPort: {{ .Values.controller.livenessProbe.healthPort }} + name: healthz + protocol: TCP +{{- end }} + livenessProbe: + failureThreshold: 5 + httpGet: + path: /healthz +{{- if eq .Values.controller.hostNetwork true }} + host: localhost + port: {{ .Values.controller.livenessProbe.healthPort }} +{{- else }} + port: healthz +{{- end }} + initialDelaySeconds: 30 + timeoutSeconds: 10 + periodSeconds: 30 + env: + - name: AZURE_CREDENTIAL_FILE + valueFrom: + configMapKeyRef: + name: {{ .Values.azureCredentialFileConfigMap }} + key: path + optional: true + - name: CSI_ENDPOINT + value: unix:///csi/csi.sock + {{- if ne .Values.driver.httpsProxy "" }} + - name: HTTPS_PROXY + value: {{ .Values.driver.httpsProxy }} + {{- end }} + {{- if ne .Values.driver.httpProxy "" }} + - name: HTTP_PROXY + value: {{ .Values.driver.httpProxy }} + {{- end }} + - name: AZURE_GO_SDK_LOG_LEVEL + value: {{ .Values.driver.azureGoSDKLogLevel }} + - name: AZCOPY_CONCURRENCY_VALUE + value: "10" + - name: AZCOPY_CONCURRENT_FILES + value: "20" + - name: AZCOPY_BUFFER_GB + value: "1" + imagePullPolicy: {{ .Values.image.azurefile.pullPolicy }} + volumeMounts: + - mountPath: /csi + name: socket-dir + - mountPath: /root/.azcopy + name: azcopy-dir + - mountPath: /etc/kubernetes/ + name: azure-cred + {{- if eq .Values.linux.distro "fedora" }} + - name: ssl + mountPath: /etc/ssl/certs + readOnly: true + - name: ssl-pki + mountPath: /etc/pki/ca-trust/extracted + readOnly: true + {{- end }} + resources: {{- toYaml .Values.controller.resources.azurefile | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL + volumes: + - name: socket-dir + emptyDir: {} + - name: azcopy-dir + emptyDir: {} + - name: azure-cred + hostPath: + path: /etc/kubernetes/ + type: DirectoryOrCreate + {{- if eq .Values.linux.distro "fedora" }} + - name: ssl + hostPath: + path: /etc/ssl/certs + - name: ssl-pki + hostPath: + path: /etc/pki/ca-trust/extracted + {{- end }} diff --git a/charts/v1.33.6/azurefile-csi-driver/templates/csi-azurefile-driver.yaml b/charts/v1.33.6/azurefile-csi-driver/templates/csi-azurefile-driver.yaml new file mode 100644 index 0000000000..77df01e32d --- /dev/null +++ b/charts/v1.33.6/azurefile-csi-driver/templates/csi-azurefile-driver.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: storage.k8s.io/v1 +kind: CSIDriver +metadata: + name: {{ .Values.driver.name }} + labels: + {{- include "azurefile.labels" . | nindent 4 }} + annotations: + csiDriver: "{{ .Values.image.azurefile.tag }}" + snapshot: "{{ .Values.snapshot.image.csiSnapshotter.tag }}" +spec: + attachRequired: {{ .Values.controller.attachRequired }} + podInfoOnMount: true + volumeLifecycleModes: + - Persistent + - Ephemeral + fsGroupPolicy: {{ .Values.feature.fsGroupPolicy }} + tokenRequests: + - audience: api://AzureADTokenExchange diff --git a/charts/v1.33.6/azurefile-csi-driver/templates/csi-azurefile-node-windows-hostprocess.yaml b/charts/v1.33.6/azurefile-csi-driver/templates/csi-azurefile-node-windows-hostprocess.yaml new file mode 100644 index 0000000000..30acee27fb --- /dev/null +++ b/charts/v1.33.6/azurefile-csi-driver/templates/csi-azurefile-node-windows-hostprocess.yaml @@ -0,0 +1,164 @@ +{{- if and .Values.windows.enabled .Values.windows.useHostProcessContainers }} +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: {{ .Values.windows.dsName }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Values.windows.dsName }} + {{- include "azurefile.labels" . | nindent 4 }} +{{- with .Values.windows.labels }} +{{ . | toYaml | indent 4 }} +{{- end }} +{{- with .Values.windows.annotations }} + annotations: +{{ . | toYaml | indent 4 }} +{{- end }} +spec: + updateStrategy: + rollingUpdate: + maxUnavailable: {{ .Values.node.maxUnavailable }} + type: {{ .Values.node.strategyType }} + selector: + matchLabels: + app: {{ .Values.windows.dsName }} + {{- include "azurefile.selectorLabels" . | nindent 6 }} + template: + metadata: + labels: + app: {{ .Values.windows.dsName }} + {{- include "azurefile.labels" . | nindent 8 }} +{{- with .Values.windows.podLabels }} +{{ toYaml . | indent 8 }} +{{- end }} +{{- with .Values.windows.podAnnotations }} + annotations: +{{ toYaml . | indent 8 }} +{{- end }} + spec: + serviceAccountName: {{ .Values.serviceAccount.node }} +{{- with .Values.windows.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} +{{- end }} + nodeSelector: + kubernetes.io/os: windows +{{- with .Values.windows.nodeSelector }} +{{ toYaml . | indent 8 }} +{{- end }} + affinity: +{{- with .Values.windows.affinity }} +{{ toYaml . | indent 8 }} +{{- end }} + nodeAffinity: +{{ toYaml .Values.windows.nodeAffinity | indent 10 }} + priorityClassName: system-node-critical + {{- if .Values.imagePullSecrets }} + imagePullSecrets: +{{ toYaml .Values.imagePullSecrets | indent 8 }} + {{- end }} + securityContext: + seccompProfile: + type: RuntimeDefault + windowsOptions: + hostProcess: true + runAsUserName: "NT AUTHORITY\\SYSTEM" + hostNetwork: true + initContainers: + - name: init +{{- if hasPrefix "/" .Values.image.azurefile.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}-windows-hp" +{{- else }} + image: "{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}-windows-hp" +{{- end }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + command: + - "powershell.exe" + - "-c" + - "New-Item -ItemType Directory -Path C:\\var\\lib\\kubelet\\plugins\\{{ .Values.driver.name }}\\ -Force" + securityContext: + capabilities: + drop: + - ALL + containers: + - name: node-driver-registrar +{{- if hasPrefix "/" .Values.image.nodeDriverRegistrar.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}" +{{- else }} + image: "{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}" +{{- end }} + command: + - "csi-node-driver-registrar.exe" + args: + - "--csi-address=$(CSI_ENDPOINT)" + - "--kubelet-registration-path=$(DRIVER_REG_SOCK_PATH)" + - "--plugin-registration-path=$(PLUGIN_REG_DIR)" + - "--v=2" + env: + - name: CSI_ENDPOINT + value: unix://{{ .Values.windows.kubelet }}\plugins\{{ .Values.driver.name }}\csi.sock + - name: DRIVER_REG_SOCK_PATH + value: C:\\var\\lib\\kubelet\\plugins\\{{ .Values.driver.name }}\\csi.sock + - name: PLUGIN_REG_DIR + value: C:\\var\\lib\\kubelet\\plugins_registry\\ + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + imagePullPolicy: {{ .Values.image.nodeDriverRegistrar.pullPolicy }} + resources: {{- toYaml .Values.windows.resources.nodeDriverRegistrar | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL + - name: azurefile +{{- if hasPrefix "/" .Values.image.azurefile.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}-windows-hp" +{{- else }} + image: "{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}-windows-hp" +{{- end }} + command: + - "azurefileplugin.exe" + args: + - "--v={{ .Values.node.logLevel }}" + - "--endpoint=$(CSI_ENDPOINT)" + - "--nodeid=$(KUBE_NODE_NAME)" + - "--kubeconfig={{ .Values.windows.kubeconfig }}" + - "--drivername={{ .Values.driver.name }}" + - "--cloud-config-secret-name={{ .Values.node.cloudConfigSecretName }}" + - "--cloud-config-secret-namespace={{ .Values.node.cloudConfigSecretNamespace }}" + - "--custom-user-agent={{ .Values.driver.customUserAgent }}" + - "--user-agent-suffix={{ .Values.driver.userAgentSuffix }}" + - "--allow-empty-cloud-config={{ .Values.node.allowEmptyCloudConfig }}" + - "--enable-get-volume-stats={{ .Values.feature.enableGetVolumeStats }}" + - "--enable-windows-host-process=true" + - "--metrics-address=0.0.0.0:{{ .Values.node.metricsPort }}" + env: + - name: AZURE_CREDENTIAL_FILE + valueFrom: + configMapKeyRef: + name: {{ .Values.azureCredentialFileConfigMap }} + key: path-windows + optional: true + - name: CSI_ENDPOINT + value: unix://{{ .Values.windows.kubelet }}\plugins\{{ .Values.driver.name }}\csi.sock + {{- if ne .Values.driver.httpsProxy "" }} + - name: HTTPS_PROXY + value: {{ .Values.driver.httpsProxy }} + {{- end }} + {{- if ne .Values.driver.httpProxy "" }} + - name: HTTP_PROXY + value: {{ .Values.driver.httpProxy }} + {{- end }} + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + imagePullPolicy: {{ .Values.image.pullPolicy }} + resources: {{- toYaml .Values.windows.resources.azurefile | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL +{{- end -}} diff --git a/charts/v1.33.6/azurefile-csi-driver/templates/csi-azurefile-node-windows.yaml b/charts/v1.33.6/azurefile-csi-driver/templates/csi-azurefile-node-windows.yaml new file mode 100644 index 0000000000..5083bc96a8 --- /dev/null +++ b/charts/v1.33.6/azurefile-csi-driver/templates/csi-azurefile-node-windows.yaml @@ -0,0 +1,229 @@ +{{- if and .Values.windows.enabled (not .Values.windows.useHostProcessContainers) }} +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: {{ .Values.windows.dsName }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Values.windows.dsName }} + {{- include "azurefile.labels" . | nindent 4 }} +{{- with .Values.windows.labels }} +{{ . | toYaml | indent 4 }} +{{- end }} +{{- with .Values.windows.annotations }} + annotations: +{{ . | toYaml | indent 4 }} +{{- end }} +spec: + updateStrategy: + rollingUpdate: + maxUnavailable: {{ .Values.node.maxUnavailable }} + type: {{ .Values.node.strategyType }} + selector: + matchLabels: + app: {{ .Values.windows.dsName }} + {{- include "azurefile.selectorLabels" . | nindent 6 }} + template: + metadata: + labels: + app: {{ .Values.windows.dsName }} + {{- include "azurefile.labels" . | nindent 8 }} +{{- with .Values.windows.podLabels }} +{{ toYaml . | indent 8 }} +{{- end }} +{{- with .Values.windows.podAnnotations }} + annotations: +{{ toYaml . | indent 8 }} +{{- end }} + spec: + serviceAccountName: {{ .Values.serviceAccount.node }} +{{- with .Values.windows.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} +{{- end }} + nodeSelector: + kubernetes.io/os: windows +{{- with .Values.windows.nodeSelector }} +{{ toYaml . | indent 8 }} +{{- end }} + affinity: +{{- with .Values.windows.affinity }} +{{ toYaml . | indent 8 }} +{{- end }} + nodeAffinity: +{{ toYaml .Values.windows.nodeAffinity | indent 10 }} + priorityClassName: system-node-critical + securityContext: + seccompProfile: + type: RuntimeDefault + {{- if .Values.imagePullSecrets }} + imagePullSecrets: +{{ toYaml .Values.imagePullSecrets | indent 8 }} + {{- end }} + containers: + - name: liveness-probe + volumeMounts: + - mountPath: C:\csi + name: plugin-dir +{{- if hasPrefix "/" .Values.image.livenessProbe.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}" +{{- else }} + image: "{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}" +{{- end }} + args: + - "--csi-address=$(CSI_ENDPOINT)" + - "--probe-timeout=3s" + - "--health-port={{ .Values.node.livenessProbe.healthPort }}" + - "--v=2" + env: + - name: CSI_ENDPOINT + value: unix://C:\\csi\\csi.sock + imagePullPolicy: {{ .Values.image.livenessProbe.pullPolicy }} + resources: {{- toYaml .Values.windows.resources.livenessProbe | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL + - name: node-driver-registrar +{{- if hasPrefix "/" .Values.image.nodeDriverRegistrar.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}" +{{- else }} + image: "{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}" +{{- end }} + args: + - "--csi-address=$(CSI_ENDPOINT)" + - "--kubelet-registration-path=$(DRIVER_REG_SOCK_PATH)" + - "--v=2" + env: + - name: CSI_ENDPOINT + value: unix://C:\\csi\\csi.sock + - name: DRIVER_REG_SOCK_PATH + value: C:\\var\\lib\\kubelet\\plugins\\{{ .Values.driver.name }}\\csi.sock + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + imagePullPolicy: {{ .Values.image.nodeDriverRegistrar.pullPolicy }} + volumeMounts: + - name: kubelet-dir + mountPath: "C:\\var\\lib\\kubelet" + - name: plugin-dir + mountPath: C:\csi + - name: registration-dir + mountPath: C:\registration + resources: {{- toYaml .Values.windows.resources.nodeDriverRegistrar | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL + - name: azurefile +{{- if hasPrefix "/" .Values.image.azurefile.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}" +{{- else }} + image: "{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}" +{{- end }} + args: + - "--v={{ .Values.node.logLevel }}" + - "--endpoint=$(CSI_ENDPOINT)" + - "--nodeid=$(KUBE_NODE_NAME)" + - "--kubeconfig={{ .Values.windows.kubeconfig }}" + - "--drivername={{ .Values.driver.name }}" + - "--cloud-config-secret-name={{ .Values.node.cloudConfigSecretName }}" + - "--cloud-config-secret-namespace={{ .Values.node.cloudConfigSecretNamespace }}" + - "--custom-user-agent={{ .Values.driver.customUserAgent }}" + - "--user-agent-suffix={{ .Values.driver.userAgentSuffix }}" + - "--allow-empty-cloud-config={{ .Values.node.allowEmptyCloudConfig }}" + - "--enable-get-volume-stats={{ .Values.feature.enableGetVolumeStats }}" + - "--allow-inline-volume-key-access-with-identity={{ .Values.node.allowInlineVolumeKeyAccessWithIdentity }}" + - "--metrics-address=0.0.0.0:{{ .Values.node.metricsPort }}" + ports: + - containerPort: {{ .Values.node.livenessProbe.healthPort }} + name: healthz + protocol: TCP + livenessProbe: + failureThreshold: 5 + httpGet: + path: /healthz + port: healthz + initialDelaySeconds: 60 + timeoutSeconds: 60 + periodSeconds: 60 + env: + - name: AZURE_CREDENTIAL_FILE + valueFrom: + configMapKeyRef: + name: {{ .Values.azureCredentialFileConfigMap }} + key: path-windows + optional: true + - name: CSI_ENDPOINT + value: unix://C:\\csi\\csi.sock + {{- if ne .Values.driver.httpsProxy "" }} + - name: HTTPS_PROXY + value: {{ .Values.driver.httpsProxy }} + {{- end }} + {{- if ne .Values.driver.httpProxy "" }} + - name: HTTP_PROXY + value: {{ .Values.driver.httpProxy }} + {{- end }} + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: AZURE_GO_SDK_LOG_LEVEL + value: {{ .Values.driver.azureGoSDKLogLevel }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + volumeMounts: + - name: kubelet-dir + mountPath: "C:\\var\\lib\\kubelet" + - name: plugin-dir + mountPath: C:\csi + - name: azure-config + mountPath: C:\k + - name: csi-proxy-fs-pipe-v1 + mountPath: \\.\pipe\csi-proxy-filesystem-v1 + - name: csi-proxy-smb-pipe-v1 + mountPath: \\.\pipe\csi-proxy-smb-v1 + # these paths are still included for compatibility, they're used + # only if the node has still the beta version of the CSI proxy + - name: csi-proxy-fs-pipe-v1beta1 + mountPath: \\.\pipe\csi-proxy-filesystem-v1beta1 + - name: csi-proxy-smb-pipe-v1beta1 + mountPath: \\.\pipe\csi-proxy-smb-v1beta1 + resources: {{- toYaml .Values.windows.resources.azurefile | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL + volumes: + - name: csi-proxy-fs-pipe-v1 + hostPath: + path: \\.\pipe\csi-proxy-filesystem-v1 + - name: csi-proxy-smb-pipe-v1 + hostPath: + path: \\.\pipe\csi-proxy-smb-v1 + # these paths are still included for compatibility, they're used + # only if the node has still the beta version of the CSI proxy + - name: csi-proxy-fs-pipe-v1beta1 + hostPath: + path: \\.\pipe\csi-proxy-filesystem-v1beta1 + - name: csi-proxy-smb-pipe-v1beta1 + hostPath: + path: \\.\pipe\csi-proxy-smb-v1beta1 + - name: registration-dir + hostPath: + path: {{ .Values.windows.kubelet }}\plugins_registry\ + type: Directory + - name: kubelet-dir + hostPath: + path: {{ .Values.windows.kubelet }}\ + type: Directory + - name: plugin-dir + hostPath: + path: {{ .Values.windows.kubelet }}\plugins\{{ .Values.driver.name }}\ + type: DirectoryOrCreate + - name: azure-config + hostPath: + path: C:\k + type: Directory +{{- end -}} diff --git a/charts/v1.33.6/azurefile-csi-driver/templates/csi-azurefile-node.yaml b/charts/v1.33.6/azurefile-csi-driver/templates/csi-azurefile-node.yaml new file mode 100644 index 0000000000..44f8edf36b --- /dev/null +++ b/charts/v1.33.6/azurefile-csi-driver/templates/csi-azurefile-node.yaml @@ -0,0 +1,273 @@ +{{- if .Values.linux.enabled}} +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: {{ .Values.linux.dsName }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Values.linux.dsName }} + {{- include "azurefile.labels" . | nindent 4 }} +{{- with .Values.linux.labels }} +{{ . | toYaml | indent 4 }} +{{- end }} +{{- with .Values.linux.annotations }} + annotations: +{{ . | toYaml | indent 4 }} +{{- end }} +spec: + updateStrategy: + rollingUpdate: + maxUnavailable: {{ .Values.node.maxUnavailable }} + type: {{ .Values.node.strategyType }} + selector: + matchLabels: + app: {{ .Values.linux.dsName }} + {{- include "azurefile.selectorLabels" . | nindent 6 }} + template: + metadata: + labels: + app: {{ .Values.linux.dsName }} + {{- include "azurefile.labels" . | nindent 8 }} + {{- if .Values.workloadIdentity.clientID }} + azure.workload.identity/use: "true" + {{- end }} +{{- with .Values.linux.podLabels }} +{{ toYaml . | indent 8 }} +{{- end }} +{{- with .Values.linux.podAnnotations }} + annotations: +{{ toYaml . | indent 8 }} +{{- end }} + spec: + hostNetwork: true + {{- if .Values.node.azurefileProxy.enabled }} + hostPID: true + {{- end }} + dnsPolicy: {{ .Values.linux.dnsPolicy }} + serviceAccountName: {{ .Values.serviceAccount.node }} + nodeSelector: + kubernetes.io/os: linux +{{- with .Values.linux.nodeSelector }} +{{ toYaml . | indent 8 }} +{{- end }} + affinity: +{{- with .Values.linux.affinity }} +{{ toYaml . | indent 8 }} +{{- end }} + nodeAffinity: +{{ toYaml .Values.linux.nodeAffinity | indent 10 }} + priorityClassName: system-node-critical + securityContext: + seccompProfile: + type: RuntimeDefault +{{- with .Values.linux.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} +{{- end }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: +{{ toYaml .Values.imagePullSecrets | indent 8 }} + {{- end }} + initContainers: + - name: install-azurefile-proxy +{{- if hasPrefix "/" .Values.image.azurefile.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}" +{{- else }} + image: "{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}" +{{- end }} + imagePullPolicy: IfNotPresent + command: + - "/azurefile-proxy/init.sh" + securityContext: + privileged: true + capabilities: + drop: + - ALL + env: + - name: DEBIAN_FRONTEND + value: "noninteractive" + - name: AZNFS_NONINTERACTIVE_INSTALL + value: "1" + - name: INSTALL_AZUREFILE_PROXY + value: "{{ .Values.node.azurefileProxy.enabled }}" + - name: INSTALL_AZNFS_MOUNT + value: "{{ .Values.node.azurefileProxy.installAznfsMount }}" + - name: KUBELET_PATH + value: "{{ .Values.linux.kubelet }}" + - name: MIGRATE_K8S_REPO + value: "{{ .Values.node.azurefileProxy.migrateK8sRepo }}" + volumeMounts: + - name: host-usr + mountPath: /host/usr + - name: host-etc + mountPath: /host/etc + containers: + - name: liveness-probe + volumeMounts: + - mountPath: /csi + name: socket-dir +{{- if hasPrefix "/" .Values.image.livenessProbe.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}" +{{- else }} + image: "{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}" +{{- end }} + args: + - --csi-address=/csi/csi.sock + - --probe-timeout=10s + - --http-endpoint=localhost:{{ .Values.node.livenessProbe.healthPort }} + - --v=2 + imagePullPolicy: {{ .Values.image.livenessProbe.pullPolicy }} + resources: {{- toYaml .Values.linux.resources.livenessProbe | nindent 12 }} + - name: node-driver-registrar +{{- if hasPrefix "/" .Values.image.nodeDriverRegistrar.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}" +{{- else }} + image: "{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}" +{{- end }} + args: + - --csi-address=$(ADDRESS) + - --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH) + - --v=2 + env: + - name: ADDRESS + value: /csi/csi.sock + - name: DRIVER_REG_SOCK_PATH + value: {{ .Values.linux.kubelet }}/plugins/{{ .Values.driver.name }}/csi.sock + imagePullPolicy: {{ .Values.image.nodeDriverRegistrar.pullPolicy }} + volumeMounts: + - name: socket-dir + mountPath: /csi + - name: registration-dir + mountPath: /registration + resources: {{- toYaml .Values.linux.resources.nodeDriverRegistrar | nindent 12 }} + - name: azurefile +{{- if hasPrefix "/" .Values.image.azurefile.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}" +{{- else }} + image: "{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}" +{{- end }} + args: + - "--v={{ .Values.node.logLevel }}" + - "--endpoint=$(CSI_ENDPOINT)" + - "--azurefile-proxy-endpoint=$(AZUREFILE_PROXY_ENDPOINT)" + - "--enable-azurefile-proxy={{ .Values.node.azurefileProxy.enabled }}" + - "--nodeid=$(KUBE_NODE_NAME)" + - "--kubeconfig={{ .Values.linux.kubeconfig }}" + - "--drivername={{ .Values.driver.name }}" + - "--cloud-config-secret-name={{ .Values.node.cloudConfigSecretName }}" + - "--cloud-config-secret-namespace={{ .Values.node.cloudConfigSecretNamespace }}" + - "--custom-user-agent={{ .Values.driver.customUserAgent }}" + - "--user-agent-suffix={{ .Values.driver.userAgentSuffix }}" + - "--allow-empty-cloud-config={{ .Values.node.allowEmptyCloudConfig }}" + - "--enable-volume-mount-group={{ .Values.feature.enableVolumeMountGroup }}" + - "--enable-get-volume-stats={{ .Values.feature.enableGetVolumeStats }}" + - "--mount-permissions={{ .Values.linux.mountPermissions }}" + - "--allow-inline-volume-key-access-with-identity={{ .Values.node.allowInlineVolumeKeyAccessWithIdentity }}" + - "--metrics-address=0.0.0.0:{{ .Values.node.metricsPort }}" + - "--enable-kata-cc-mount={{ .Values.node.enableKataCCMount }}" + livenessProbe: + failureThreshold: 5 + httpGet: + host: localhost + path: /healthz + port: {{ .Values.node.livenessProbe.healthPort }} + initialDelaySeconds: 30 + timeoutSeconds: 30 + periodSeconds: 30 + env: + - name: AZURE_CREDENTIAL_FILE + valueFrom: + configMapKeyRef: + name: {{ .Values.azureCredentialFileConfigMap }} + key: path + optional: true + - name: CSI_ENDPOINT + value: unix:///csi/csi.sock + {{- if ne .Values.driver.httpsProxy "" }} + - name: HTTPS_PROXY + value: {{ .Values.driver.httpsProxy }} + {{- end }} + {{- if ne .Values.driver.httpProxy "" }} + - name: HTTP_PROXY + value: {{ .Values.driver.httpProxy }} + {{- end }} + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: AZURE_GO_SDK_LOG_LEVEL + value: {{ .Values.driver.azureGoSDKLogLevel }} + - name: AZUREFILE_PROXY_ENDPOINT + value: unix:///csi/azurefile-proxy.sock + imagePullPolicy: {{ .Values.image.azurefile.pullPolicy }} + securityContext: + privileged: true + capabilities: + drop: + - ALL + volumeMounts: + - mountPath: /csi + name: socket-dir + - mountPath: {{ .Values.linux.kubelet }}/ + mountPropagation: Bidirectional + name: mountpoint-dir + - mountPath: /etc/kubernetes/ + name: azure-cred + - mountPath: /dev + name: device-dir + {{- if eq .Values.linux.distro "fedora" }} + - name: ssl + mountPath: /etc/ssl/certs + readOnly: true + - name: ssl-pki + mountPath: /etc/pki/ca-trust/extracted + readOnly: true + {{- end }} + {{- if .Values.node.enableKataCCMount }} + - mountPath: /run/kata-containers/shared/direct-volumes + name: kata-direct-volumes + {{- end }} + resources: {{- toYaml .Values.linux.resources.azurefile | nindent 12 }} + volumes: + - name: host-usr + hostPath: + path: /usr + - name: host-etc + hostPath: + path: /etc + - hostPath: + path: {{ .Values.linux.kubelet }}/plugins/{{ .Values.driver.name }} + type: DirectoryOrCreate + name: socket-dir + - hostPath: + path: {{ .Values.linux.kubelet }}/ + type: DirectoryOrCreate + name: mountpoint-dir + - hostPath: + path: {{ .Values.linux.kubelet }}/plugins_registry/ + type: DirectoryOrCreate + name: registration-dir + - hostPath: + path: /etc/kubernetes/ + type: DirectoryOrCreate + name: azure-cred + - hostPath: + path: /dev + type: Directory + name: device-dir + {{- if eq .Values.linux.distro "fedora" }} + - name: ssl + hostPath: + path: /etc/ssl/certs + - name: ssl-pki + hostPath: + path: /etc/pki/ca-trust/extracted + {{- end }} + {{- if .Values.node.enableKataCCMount }} + - name: kata-direct-volumes + hostPath: + path: /run/kata-containers/shared/direct-volumes/ + type: DirectoryOrCreate + {{- end }} +{{- end -}} diff --git a/charts/v1.33.6/azurefile-csi-driver/templates/csi-snapshot-controller.yaml b/charts/v1.33.6/azurefile-csi-driver/templates/csi-snapshot-controller.yaml new file mode 100644 index 0000000000..c671d5ba89 --- /dev/null +++ b/charts/v1.33.6/azurefile-csi-driver/templates/csi-snapshot-controller.yaml @@ -0,0 +1,99 @@ +{{- if .Values.snapshot.enabled -}} +kind: Deployment +apiVersion: apps/v1 +metadata: + name: {{ .Values.snapshot.snapshotController.name}} + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Values.snapshot.snapshotController.name}} + {{- include "azurefile.labels" . | nindent 4 }} +{{- with .Values.snapshot.snapshotController.labels }} +{{ . | toYaml | indent 4 }} +{{- end }} +{{- with .Values.snapshot.snapshotController.annotations }} + annotations: +{{ . | toYaml | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.snapshot.snapshotController.replicas }} + selector: + matchLabels: + app: {{ .Values.snapshot.snapshotController.name}} + {{- include "azurefile.selectorLabels" . | nindent 6 }} + # the snapshot controller won't be marked as ready if the v1 CRDs are unavailable + # in #504 the snapshot-controller will exit after around 7.5 seconds if it + # can't find the v1 CRDs so this value should be greater than that + minReadySeconds: 15 + strategy: + rollingUpdate: + maxSurge: 0 + maxUnavailable: 1 + type: {{ .Values.snapshot.snapshotController.strategyType }} + template: + metadata: + labels: + app: {{ .Values.snapshot.snapshotController.name}} + {{- include "azurefile.labels" . | nindent 8 }} +{{- with .Values.snapshot.snapshotController.podLabels }} +{{ toYaml . | indent 8 }} +{{- end }} +{{- with .Values.snapshot.snapshotController.podAnnotations }} + annotations: +{{ toYaml . | indent 8 }} +{{- end }} + spec: + serviceAccountName: {{ .Values.serviceAccount.snapshotController }} + nodeSelector: + kubernetes.io/os: linux + # runOnControlPlane=true or runOnMaster=true only takes effect if affinity is not set + {{- if tpl "{{ .Values.controller.affinity }}" . | contains "nodeSelectorTerms" }} + {{- with .Values.controller.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- else if or .Values.controller.runOnControlPlane .Values.controller.runOnMaster}} + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + {{- if .Values.controller.runOnControlPlane}} + - key: node-role.kubernetes.io/control-plane + operator: Exists + {{- end}} + {{- if .Values.controller.runOnMaster}} + - key: node-role.kubernetes.io/master + operator: Exists + {{- end}} + {{- end }} + priorityClassName: system-cluster-critical + securityContext: + seccompProfile: + type: RuntimeDefault +{{- with .Values.controller.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} +{{- end }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: +{{ toYaml .Values.imagePullSecrets | indent 8 }} + {{- end }} + containers: + - name: {{ .Values.snapshot.snapshotController.name}} +{{- if hasPrefix "/" .Values.snapshot.image.csiSnapshotController.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.snapshot.image.csiSnapshotController.repository }}:{{ .Values.snapshot.image.csiSnapshotController.tag }}" +{{- else }} + image: "{{ .Values.snapshot.image.csiSnapshotController.repository }}:{{ .Values.snapshot.image.csiSnapshotController.tag }}" +{{- end }} + args: + - "--v=2" + - "--leader-election=true" + - "--leader-election-namespace={{ .Release.Namespace }}" + - "--retry-interval-max=30m" + resources: {{- toYaml .Values.snapshot.snapshotController.resources | nindent 12 }} + imagePullPolicy: {{ .Values.snapshot.image.csiSnapshotController.pullPolicy }} + securityContext: + capabilities: + drop: + - ALL +{{- end -}} diff --git a/charts/v1.33.6/azurefile-csi-driver/templates/rbac-csi-azurefile-controller.yaml b/charts/v1.33.6/azurefile-csi-driver/templates/rbac-csi-azurefile-controller.yaml new file mode 100644 index 0000000000..e0a2e14d95 --- /dev/null +++ b/charts/v1.33.6/azurefile-csi-driver/templates/rbac-csi-azurefile-controller.yaml @@ -0,0 +1,207 @@ +{{- if .Values.rbac.create -}} +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Values.rbac.name }}-external-provisioner-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "create", "patch", "delete"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["storage.k8s.io"] + resources: ["storageclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["get", "list", "watch", "create", "update", "patch"] + - apiGroups: ["storage.k8s.io"] + resources: ["csinodes"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "watch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots"] + verbs: ["get", "list"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["get", "list"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create", "patch"] +--- + +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Values.rbac.name }}-csi-provisioner-binding + labels: + {{- include "azurefile.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccount.controller }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: {{ .Values.rbac.name }}-external-provisioner-role + apiGroup: rbac.authorization.k8s.io + +--- + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Values.rbac.name }}-external-attacher-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "watch"] + - apiGroups: ["csi.storage.k8s.io"] + resources: ["csinodeinfos"] + verbs: ["get", "list", "watch"] + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments/status"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create", "patch"] +--- + +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Values.rbac.name }}-csi-attacher-binding + labels: + {{- include "azurefile.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccount.controller }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: {{ .Values.rbac.name }}-external-attacher-role + apiGroup: rbac.authorization.k8s.io + +--- + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Values.rbac.name }}-external-snapshotter-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["create", "get", "list", "watch", "update", "delete", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents/status"] + verbs: ["update", "patch"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create", "patch"] +--- + +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Values.rbac.name }}-csi-snapshotter-binding + labels: + {{- include "azurefile.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccount.controller }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: {{ .Values.rbac.name }}-external-snapshotter-role + apiGroup: rbac.authorization.k8s.io + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Values.rbac.name }}-external-resizer-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["persistentvolumeclaims/status"] + verbs: ["update", "patch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create", "patch"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Values.rbac.name }}-csi-resizer-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccount.controller }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: {{ .Values.rbac.name }}-external-resizer-role + apiGroup: rbac.authorization.k8s.io + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-{{ .Values.rbac.name }}-controller-secret-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "create"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-{{ .Values.rbac.name }}-controller-secret-binding + labels: + {{- include "azurefile.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccount.controller }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: csi-{{ .Values.rbac.name }}-controller-secret-role + apiGroup: rbac.authorization.k8s.io +{{ end }} diff --git a/charts/v1.33.6/azurefile-csi-driver/templates/rbac-csi-azurefile-node.yaml b/charts/v1.33.6/azurefile-csi-driver/templates/rbac-csi-azurefile-node.yaml new file mode 100644 index 0000000000..39790e1438 --- /dev/null +++ b/charts/v1.33.6/azurefile-csi-driver/templates/rbac-csi-azurefile-node.yaml @@ -0,0 +1,64 @@ +{{- if .Values.rbac.create -}} +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-{{ .Values.rbac.name }}-node-secret-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-{{ .Values.rbac.name }}-node-secret-binding + labels: + {{- include "azurefile.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccount.node }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: csi-{{ .Values.rbac.name }}-node-secret-role + apiGroup: rbac.authorization.k8s.io +--- +{{- if .Values.node.enableKataCCMount -}} +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-{{ .Values.rbac.name }}-node-katacc-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["pods"] + verbs: ["get"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get"] + - apiGroups: ["node.k8s.io"] + resources: ["runtimeclasses"] + verbs: ["get", "list"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-{{ .Values.rbac.name }}-node-katacc-binding + labels: + {{- include "azurefile.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccount.node }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: csi-{{ .Values.rbac.name }}-node-katacc-role + apiGroup: rbac.authorization.k8s.io +--- +{{ end }} +{{ end }} diff --git a/charts/v1.33.6/azurefile-csi-driver/templates/rbac-csi-snapshot-controller.yaml b/charts/v1.33.6/azurefile-csi-driver/templates/rbac-csi-snapshot-controller.yaml new file mode 100644 index 0000000000..853a9b4375 --- /dev/null +++ b/charts/v1.33.6/azurefile-csi-driver/templates/rbac-csi-snapshot-controller.yaml @@ -0,0 +1,80 @@ +{{- if and .Values.snapshot.enabled .Values.rbac.create -}} +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-snapshot-controller-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["storage.k8s.io"] + resources: ["storageclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["create", "get", "list", "watch", "update", "delete", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents/status"] + verbs: ["patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots"] + verbs: ["get", "list", "watch", "update", "patch", "create"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots/status"] + verbs: ["update", "patch"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-snapshot-controller-binding + labels: + {{- include "azurefile.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccount.snapshotController }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: csi-snapshot-controller-role + apiGroup: rbac.authorization.k8s.io + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-snapshot-controller-leaderelection-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +rules: + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create", "patch"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-snapshot-controller-leaderelection-binding + labels: + {{- include "azurefile.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccount.snapshotController }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: csi-snapshot-controller-leaderelection-role + apiGroup: rbac.authorization.k8s.io +{{ end }} diff --git a/charts/v1.33.6/azurefile-csi-driver/templates/serviceaccount-csi-azurefile-controller.yaml b/charts/v1.33.6/azurefile-csi-driver/templates/serviceaccount-csi-azurefile-controller.yaml new file mode 100644 index 0000000000..71442b70dc --- /dev/null +++ b/charts/v1.33.6/azurefile-csi-driver/templates/serviceaccount-csi-azurefile-controller.yaml @@ -0,0 +1,17 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ .Values.serviceAccount.controller }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "azurefile.labels" . | nindent 4 }} +{{- if .Values.workloadIdentity.clientID }} + azure.workload.identity/use: "true" + annotations: + azure.workload.identity/client-id: {{ .Values.workloadIdentity.clientID }} +{{- if .Values.workloadIdentity.tenantID }} + azure.workload.identity/tenant-id: {{ .Values.workloadIdentity.tenantID }} +{{- end }} +{{- end }} +{{- end -}} diff --git a/charts/v1.33.6/azurefile-csi-driver/templates/serviceaccount-csi-azurefile-node.yaml b/charts/v1.33.6/azurefile-csi-driver/templates/serviceaccount-csi-azurefile-node.yaml new file mode 100644 index 0000000000..ab2074429d --- /dev/null +++ b/charts/v1.33.6/azurefile-csi-driver/templates/serviceaccount-csi-azurefile-node.yaml @@ -0,0 +1,17 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ .Values.serviceAccount.node }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "azurefile.labels" . | nindent 4 }} +{{- if .Values.workloadIdentity.clientID }} + azure.workload.identity/use: "true" + annotations: + azure.workload.identity/client-id: {{ .Values.workloadIdentity.clientID }} +{{- if .Values.workloadIdentity.tenantID }} + azure.workload.identity/tenant-id: {{ .Values.workloadIdentity.tenantID }} +{{- end }} +{{- end }} +{{- end -}} diff --git a/charts/v1.33.6/azurefile-csi-driver/templates/serviceaccount-csi-snapshot-controller.yaml b/charts/v1.33.6/azurefile-csi-driver/templates/serviceaccount-csi-snapshot-controller.yaml new file mode 100644 index 0000000000..e77ef8f991 --- /dev/null +++ b/charts/v1.33.6/azurefile-csi-driver/templates/serviceaccount-csi-snapshot-controller.yaml @@ -0,0 +1,9 @@ +{{- if and .Values.snapshot.enabled .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ .Values.serviceAccount.snapshotController }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "azurefile.labels" . | nindent 4 }} +{{- end -}} diff --git a/charts/v1.33.6/azurefile-csi-driver/values.yaml b/charts/v1.33.6/azurefile-csi-driver/values.yaml new file mode 100644 index 0000000000..53794783df --- /dev/null +++ b/charts/v1.33.6/azurefile-csi-driver/values.yaml @@ -0,0 +1,267 @@ +image: + baseRepo: mcr.microsoft.com + azurefile: + repository: /oss/v2/kubernetes-csi/azurefile-csi + tag: v1.33.6 + pullPolicy: IfNotPresent + csiProvisioner: + repository: /oss/v2/kubernetes-csi/csi-provisioner + tag: v6.0.0 + pullPolicy: IfNotPresent + csiResizer: + repository: /oss/v2/kubernetes-csi/csi-resizer + tag: v2.0.0 + pullPolicy: IfNotPresent + livenessProbe: + repository: /oss/v2/kubernetes-csi/livenessprobe + tag: v2.17.0 + pullPolicy: IfNotPresent + nodeDriverRegistrar: + repository: /oss/v2/kubernetes-csi/csi-node-driver-registrar + tag: v2.15.0 + pullPolicy: IfNotPresent + +## Reference to one or more secrets to be used when pulling images +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ +imagePullSecrets: [] +# - name: myRegistryKeySecretName + +# -- Custom labels to add into metadata +customLabels: {} + # k8s-app: azurefile-csi-driver + +serviceAccount: + create: true # When true, service accounts will be created for you. Set to false if you want to use your own. + controller: csi-azurefile-controller-sa # Name of Service Account to be created or used + node: csi-azurefile-node-sa # Name of Service Account to be created or used + snapshotController: csi-snapshot-controller-sa # Name of Service Account to be created or used + +rbac: + create: true + name: azurefile + +controller: + name: csi-azurefile-controller + cloudConfigSecretName: azure-cloud-provider + cloudConfigSecretNamespace: kube-system + allowEmptyCloudConfig: true + replicas: 2 + strategyType: RollingUpdate + hostNetwork: true # this setting could be disabled if controller does not depend on MSI setting + metricsPort: 29614 + livenessProbe: + healthPort: 29612 + runOnMaster: false + runOnControlPlane: false + attachRequired: false + logLevel: 5 + labels: {} + annotations: {} + podLabels: {} + podAnnotations: {} + resources: + csiProvisioner: + limits: + cpu: 1 + memory: 500Mi + requests: + cpu: 10m + memory: 20Mi + csiResizer: + limits: + cpu: 1 + memory: 500Mi + requests: + cpu: 10m + memory: 20Mi + csiSnapshotter: + limits: + cpu: 1 + memory: 400Mi + requests: + cpu: 10m + memory: 20Mi + livenessProbe: + limits: + cpu: 1 + memory: 100Mi + requests: + cpu: 10m + memory: 20Mi + azurefile: + limits: + cpu: 2 + memory: 800Mi + requests: + cpu: 10m + memory: 20Mi + kubeconfig: "" + affinity: {} + nodeSelector: {} + tolerations: + - key: "node-role.kubernetes.io/master" + operator: "Exists" + effect: "NoSchedule" + - key: "node-role.kubernetes.io/controlplane" + operator: "Exists" + effect: "NoSchedule" + - key: "node-role.kubernetes.io/control-plane" + operator: "Exists" + effect: "NoSchedule" + - key: "CriticalAddonsOnly" + operator: "Exists" + effect: "NoSchedule" + +node: + strategyType: RollingUpdate + maxUnavailable: 1 + cloudConfigSecretName: azure-cloud-provider + cloudConfigSecretNamespace: kube-system + allowEmptyCloudConfig: true + allowInlineVolumeKeyAccessWithIdentity: false + enableKataCCMount: false + metricsPort: 29615 + livenessProbe: + healthPort: 29613 + logLevel: 5 + azurefileProxy: + enabled: true + installAznfsMount: true + migrateK8sRepo: false + +snapshot: + enabled: false + image: + csiSnapshotter: + repository: /oss/v2/kubernetes-csi/csi-snapshotter + tag: v8.4.0 + pullPolicy: IfNotPresent + csiSnapshotController: + repository: /oss/v2/kubernetes-csi/snapshot-controller + tag: v8.4.0 + pullPolicy: IfNotPresent + snapshotController: + name: csi-snapshot-controller + replicas: 2 + strategyType: RollingUpdate + labels: {} + annotations: {} + podLabels: {} + podAnnotations: {} + resources: + limits: + cpu: 1 + memory: 500Mi + requests: + cpu: 10m + memory: 20Mi + +feature: + enableGetVolumeStats: true + enableVolumeMountGroup: true + fsGroupPolicy: ReadWriteOnceWithFSType + +driver: + name: file.csi.azure.com + customUserAgent: "" + userAgentSuffix: "OSS-helm" + azureGoSDKLogLevel: "" # available values: ""(no logs), DEBUG, INFO, WARNING, ERROR + httpsProxy: "" + httpProxy: "" + +linux: + enabled: true + dsName: csi-azurefile-node # daemonset name + dnsPolicy: Default # available values: Default, ClusterFirst, ClusterFirstWithHostNet, None + kubelet: /var/lib/kubelet + kubeconfig: "" + distro: debian # available values: debian, fedora + mountPermissions: 0777 + labels: {} + annotations: {} + podLabels: {} + podAnnotations: {} + resources: + livenessProbe: + limits: + memory: 100Mi + requests: + cpu: 10m + memory: 20Mi + nodeDriverRegistrar: + limits: + memory: 100Mi + requests: + cpu: 10m + memory: 20Mi + azurefile: + limits: + memory: 400Mi + requests: + cpu: 10m + memory: 20Mi + tolerations: + - operator: "Exists" + nodeSelector: {} + affinity: {} + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: type + operator: NotIn + values: + - virtual-kubelet + +windows: + enabled: true + useHostProcessContainers: true + dsName: csi-azurefile-node-win # daemonset name + kubelet: 'C:\var\lib\kubelet' + kubeconfig: "" + enableRegistrationProbe: true + labels: {} + annotations: {} + podLabels: {} + podAnnotations: {} + resources: + livenessProbe: + limits: + memory: 150Mi + requests: + cpu: 10m + memory: 40Mi + nodeDriverRegistrar: + limits: + memory: 150Mi + requests: + cpu: 30m + memory: 40Mi + azurefile: + limits: + memory: 600Mi + requests: + cpu: 10m + memory: 40Mi + tolerations: + - key: "node.kubernetes.io/os" + operator: "Exists" + effect: "NoSchedule" + nodeSelector: {} + affinity: {} + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: type + operator: NotIn + values: + - virtual-kubelet + +workloadIdentity: + clientID: "" + # [optional] If the AAD application or user-assigned managed identity is not in the same tenant as the cluster + # then set tenantID with the application or user-assigned managed identity tenant ID + tenantID: "" + +azureCredentialFileConfigMap: azure-cred-file diff --git a/charts/v1.33.7/azurefile-csi-driver-1.33.7.tgz b/charts/v1.33.7/azurefile-csi-driver-1.33.7.tgz new file mode 100644 index 0000000000..4d79895b63 Binary files /dev/null and b/charts/v1.33.7/azurefile-csi-driver-1.33.7.tgz differ diff --git a/charts/v1.33.7/azurefile-csi-driver/Chart.yaml b/charts/v1.33.7/azurefile-csi-driver/Chart.yaml new file mode 100644 index 0000000000..47f664d95c --- /dev/null +++ b/charts/v1.33.7/azurefile-csi-driver/Chart.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +appVersion: 1.33.7 +description: Azure File Container Storage Interface (CSI) Storage Plugin +name: azurefile-csi-driver +version: 1.33.7 diff --git a/charts/v1.33.7/azurefile-csi-driver/templates/NOTES.txt b/charts/v1.33.7/azurefile-csi-driver/templates/NOTES.txt new file mode 100644 index 0000000000..bea09b0829 --- /dev/null +++ b/charts/v1.33.7/azurefile-csi-driver/templates/NOTES.txt @@ -0,0 +1,5 @@ +The Azure File CSI Driver is getting deployed to your cluster. + +To check Azure File CSI Driver pods status, please run: + + kubectl --namespace={{ .Release.Namespace }} get pods --selector="app.kubernetes.io/name={{ .Release.Name }}" --watch diff --git a/charts/v1.33.7/azurefile-csi-driver/templates/_helpers.tpl b/charts/v1.33.7/azurefile-csi-driver/templates/_helpers.tpl new file mode 100644 index 0000000000..b1bf4dc1b6 --- /dev/null +++ b/charts/v1.33.7/azurefile-csi-driver/templates/_helpers.tpl @@ -0,0 +1,49 @@ +{{/* vim: set filetype=mustache: */}} + +{{/* Expand the name of the chart.*/}} +{{- define "azurefile.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "azurefile.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Common selectors. +*/}} +{{- define "azurefile.selectorLabels" -}} +app.kubernetes.io/name: {{ template "azurefile.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end -}} + +{{/* +Common labels. +*/}} +{{- define "azurefile.labels" -}} +{{- include "azurefile.selectorLabels" . }} +app.kubernetes.io/component: csi-driver +app.kubernetes.io/part-of: {{ template "azurefile.name" . }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +helm.sh/chart: {{ template "azurefile.chart" . }} +{{- if .Values.customLabels }} +{{ toYaml .Values.customLabels }} +{{- end }} +{{- end -}} + + +{{/* pull secrets for containers */}} +{{- define "azurefile.pullSecrets" -}} +{{- if .Values.imagePullSecrets }} +imagePullSecrets: +{{- range .Values.imagePullSecrets }} + - name: {{ . }} +{{- end }} +{{- end }} +{{- end -}} diff --git a/charts/v1.33.7/azurefile-csi-driver/templates/crd-csi-snapshot.yaml b/charts/v1.33.7/azurefile-csi-driver/templates/crd-csi-snapshot.yaml new file mode 100644 index 0000000000..3a66c45732 --- /dev/null +++ b/charts/v1.33.7/azurefile-csi-driver/templates/crd-csi-snapshot.yaml @@ -0,0 +1,953 @@ +{{- if .Values.snapshot.enabled -}} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + api-approved.kubernetes.io: "https://github.com/kubernetes-csi/external-snapshotter/pull/814" + name: volumesnapshots.snapshot.storage.k8s.io +spec: + group: snapshot.storage.k8s.io + names: + kind: VolumeSnapshot + listKind: VolumeSnapshotList + plural: volumesnapshots + shortNames: + - vs + singular: volumesnapshot + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Indicates if the snapshot is ready to be used to restore a volume. + jsonPath: .status.readyToUse + name: ReadyToUse + type: boolean + - description: If a new snapshot needs to be created, this contains the name of + the source PVC from which this snapshot was (or will be) created. + jsonPath: .spec.source.persistentVolumeClaimName + name: SourcePVC + type: string + - description: If a snapshot already exists, this contains the name of the existing + VolumeSnapshotContent object representing the existing snapshot. + jsonPath: .spec.source.volumeSnapshotContentName + name: SourceSnapshotContent + type: string + - description: Represents the minimum size of volume required to rehydrate from + this snapshot. + jsonPath: .status.restoreSize + name: RestoreSize + type: string + - description: The name of the VolumeSnapshotClass requested by the VolumeSnapshot. + jsonPath: .spec.volumeSnapshotClassName + name: SnapshotClass + type: string + - description: Name of the VolumeSnapshotContent object to which the VolumeSnapshot + object intends to bind to. Please note that verification of binding actually + requires checking both VolumeSnapshot and VolumeSnapshotContent to ensure + both are pointing at each other. Binding MUST be verified prior to usage of + this object. + jsonPath: .status.boundVolumeSnapshotContentName + name: SnapshotContent + type: string + - description: Timestamp when the point-in-time snapshot was taken by the underlying + storage system. + jsonPath: .status.creationTime + name: CreationTime + type: date + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + VolumeSnapshot is a user's request for either creating a point-in-time + snapshot of a persistent volume, or binding to a pre-existing snapshot. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + spec defines the desired characteristics of a snapshot requested by a user. + More info: https://kubernetes.io/docs/concepts/storage/volume-snapshots#volumesnapshots + Required. + properties: + source: + description: |- + source specifies where a snapshot will be created from. + This field is immutable after creation. + Required. + properties: + persistentVolumeClaimName: + description: |- + persistentVolumeClaimName specifies the name of the PersistentVolumeClaim + object representing the volume from which a snapshot should be created. + This PVC is assumed to be in the same namespace as the VolumeSnapshot + object. + This field should be set if the snapshot does not exists, and needs to be + created. + This field is immutable. + type: string + x-kubernetes-validations: + - message: persistentVolumeClaimName is immutable + rule: self == oldSelf + volumeSnapshotContentName: + description: |- + volumeSnapshotContentName specifies the name of a pre-existing VolumeSnapshotContent + object representing an existing volume snapshot. + This field should be set if the snapshot already exists and only needs a representation in Kubernetes. + This field is immutable. + type: string + x-kubernetes-validations: + - message: volumeSnapshotContentName is immutable + rule: self == oldSelf + type: object + x-kubernetes-validations: + - message: persistentVolumeClaimName is required once set + rule: '!has(oldSelf.persistentVolumeClaimName) || has(self.persistentVolumeClaimName)' + - message: volumeSnapshotContentName is required once set + rule: '!has(oldSelf.volumeSnapshotContentName) || has(self.volumeSnapshotContentName)' + - message: exactly one of volumeSnapshotContentName and persistentVolumeClaimName + must be set + rule: (has(self.volumeSnapshotContentName) && !has(self.persistentVolumeClaimName)) + || (!has(self.volumeSnapshotContentName) && has(self.persistentVolumeClaimName)) + volumeSnapshotClassName: + description: |- + VolumeSnapshotClassName is the name of the VolumeSnapshotClass + requested by the VolumeSnapshot. + VolumeSnapshotClassName may be left nil to indicate that the default + SnapshotClass should be used. + A given cluster may have multiple default Volume SnapshotClasses: one + default per CSI Driver. If a VolumeSnapshot does not specify a SnapshotClass, + VolumeSnapshotSource will be checked to figure out what the associated + CSI Driver is, and the default VolumeSnapshotClass associated with that + CSI Driver will be used. If more than one VolumeSnapshotClass exist for + a given CSI Driver and more than one have been marked as default, + CreateSnapshot will fail and generate an event. + Empty string is not allowed for this field. + type: string + x-kubernetes-validations: + - message: volumeSnapshotClassName must not be the empty string when + set + rule: size(self) > 0 + required: + - source + type: object + status: + description: |- + status represents the current information of a snapshot. + Consumers must verify binding between VolumeSnapshot and + VolumeSnapshotContent objects is successful (by validating that both + VolumeSnapshot and VolumeSnapshotContent point at each other) before + using this object. + properties: + boundVolumeSnapshotContentName: + description: |- + boundVolumeSnapshotContentName is the name of the VolumeSnapshotContent + object to which this VolumeSnapshot object intends to bind to. + If not specified, it indicates that the VolumeSnapshot object has not been + successfully bound to a VolumeSnapshotContent object yet. + NOTE: To avoid possible security issues, consumers must verify binding between + VolumeSnapshot and VolumeSnapshotContent objects is successful (by validating that + both VolumeSnapshot and VolumeSnapshotContent point at each other) before using + this object. + type: string + creationTime: + description: |- + creationTime is the timestamp when the point-in-time snapshot is taken + by the underlying storage system. + In dynamic snapshot creation case, this field will be filled in by the + snapshot controller with the "creation_time" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "creation_time" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. + If not specified, it may indicate that the creation time of the snapshot is unknown. + format: date-time + type: string + error: + description: |- + error is the last observed error during snapshot creation, if any. + This field could be helpful to upper level controllers(i.e., application controller) + to decide whether they should continue on waiting for the snapshot to be created + based on the type of error reported. + The snapshot controller will keep retrying when an error occurs during the + snapshot creation. Upon success, this error field will be cleared. + properties: + message: + description: |- + message is a string detailing the encountered error during snapshot + creation if specified. + NOTE: message may be logged, and it should not contain sensitive + information. + type: string + time: + description: time is the timestamp when the error was encountered. + format: date-time + type: string + type: object + readyToUse: + description: |- + readyToUse indicates if the snapshot is ready to be used to restore a volume. + In dynamic snapshot creation case, this field will be filled in by the + snapshot controller with the "ready_to_use" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "ready_to_use" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it, + otherwise, this field will be set to "True". + If not specified, it means the readiness of a snapshot is unknown. + type: boolean + restoreSize: + type: string + description: |- + restoreSize represents the minimum size of volume required to create a volume + from this snapshot. + In dynamic snapshot creation case, this field will be filled in by the + snapshot controller with the "size_bytes" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "size_bytes" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. + When restoring a volume from this snapshot, the size of the volume MUST NOT + be smaller than the restoreSize if it is specified, otherwise the restoration will fail. + If not specified, it indicates that the size is unknown. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + volumeGroupSnapshotName: + description: |- + VolumeGroupSnapshotName is the name of the VolumeGroupSnapshot of which this + VolumeSnapshot is a part of. + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: Indicates if the snapshot is ready to be used to restore a volume. + jsonPath: .status.readyToUse + name: ReadyToUse + type: boolean + - description: If a new snapshot needs to be created, this contains the name of the source PVC from which this snapshot was (or will be) created. + jsonPath: .spec.source.persistentVolumeClaimName + name: SourcePVC + type: string + - description: If a snapshot already exists, this contains the name of the existing VolumeSnapshotContent object representing the existing snapshot. + jsonPath: .spec.source.volumeSnapshotContentName + name: SourceSnapshotContent + type: string + - description: Represents the minimum size of volume required to rehydrate from this snapshot. + jsonPath: .status.restoreSize + name: RestoreSize + type: string + - description: The name of the VolumeSnapshotClass requested by the VolumeSnapshot. + jsonPath: .spec.volumeSnapshotClassName + name: SnapshotClass + type: string + - description: Name of the VolumeSnapshotContent object to which the VolumeSnapshot object intends to bind to. Please note that verification of binding actually requires checking both VolumeSnapshot and VolumeSnapshotContent to ensure both are pointing at each other. Binding MUST be verified prior to usage of this object. + jsonPath: .status.boundVolumeSnapshotContentName + name: SnapshotContent + type: string + - description: Timestamp when the point-in-time snapshot was taken by the underlying storage system. + jsonPath: .status.creationTime + name: CreationTime + type: date + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + # This indicates the v1beta1 version of the custom resource is deprecated. + # API requests to this version receive a warning in the server response. + deprecated: true + # This overrides the default warning returned to clients making v1beta1 API requests. + deprecationWarning: "snapshot.storage.k8s.io/v1beta1 VolumeSnapshot is deprecated; use snapshot.storage.k8s.io/v1 VolumeSnapshot" + schema: + openAPIV3Schema: + description: VolumeSnapshot is a user's request for either creating a point-in-time snapshot of a persistent volume, or binding to a pre-existing snapshot. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + spec: + description: 'spec defines the desired characteristics of a snapshot requested by a user. More info: https://kubernetes.io/docs/concepts/storage/volume-snapshots#volumesnapshots Required.' + properties: + source: + description: source specifies where a snapshot will be created from. This field is immutable after creation. Required. + properties: + persistentVolumeClaimName: + description: persistentVolumeClaimName specifies the name of the PersistentVolumeClaim object representing the volume from which a snapshot should be created. This PVC is assumed to be in the same namespace as the VolumeSnapshot object. This field should be set if the snapshot does not exists, and needs to be created. This field is immutable. + type: string + volumeSnapshotContentName: + description: volumeSnapshotContentName specifies the name of a pre-existing VolumeSnapshotContent object representing an existing volume snapshot. This field should be set if the snapshot already exists and only needs a representation in Kubernetes. This field is immutable. + type: string + type: object + volumeSnapshotClassName: + description: 'VolumeSnapshotClassName is the name of the VolumeSnapshotClass requested by the VolumeSnapshot. VolumeSnapshotClassName may be left nil to indicate that the default SnapshotClass should be used. A given cluster may have multiple default Volume SnapshotClasses: one default per CSI Driver. If a VolumeSnapshot does not specify a SnapshotClass, VolumeSnapshotSource will be checked to figure out what the associated CSI Driver is, and the default VolumeSnapshotClass associated with that CSI Driver will be used. If more than one VolumeSnapshotClass exist for a given CSI Driver and more than one have been marked as default, CreateSnapshot will fail and generate an event. Empty string is not allowed for this field.' + type: string + required: + - source + type: object + status: + description: status represents the current information of a snapshot. Consumers must verify binding between VolumeSnapshot and VolumeSnapshotContent objects is successful (by validating that both VolumeSnapshot and VolumeSnapshotContent point at each other) before using this object. + properties: + boundVolumeSnapshotContentName: + description: 'boundVolumeSnapshotContentName is the name of the VolumeSnapshotContent object to which this VolumeSnapshot object intends to bind to. If not specified, it indicates that the VolumeSnapshot object has not been successfully bound to a VolumeSnapshotContent object yet. NOTE: To avoid possible security issues, consumers must verify binding between VolumeSnapshot and VolumeSnapshotContent objects is successful (by validating that both VolumeSnapshot and VolumeSnapshotContent point at each other) before using this object.' + type: string + creationTime: + description: creationTime is the timestamp when the point-in-time snapshot is taken by the underlying storage system. In dynamic snapshot creation case, this field will be filled in by the snapshot controller with the "creation_time" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "creation_time" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. If not specified, it may indicate that the creation time of the snapshot is unknown. + format: date-time + type: string + error: + description: error is the last observed error during snapshot creation, if any. This field could be helpful to upper level controllers(i.e., application controller) to decide whether they should continue on waiting for the snapshot to be created based on the type of error reported. The snapshot controller will keep retrying when an error occurs during the snapshot creation. Upon success, this error field will be cleared. + properties: + message: + description: 'message is a string detailing the encountered error during snapshot creation if specified. NOTE: message may be logged, and it should not contain sensitive information.' + type: string + time: + description: time is the timestamp when the error was encountered. + format: date-time + type: string + type: object + readyToUse: + description: readyToUse indicates if the snapshot is ready to be used to restore a volume. In dynamic snapshot creation case, this field will be filled in by the snapshot controller with the "ready_to_use" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "ready_to_use" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it, otherwise, this field will be set to "True". If not specified, it means the readiness of a snapshot is unknown. + type: boolean + restoreSize: + type: string + description: restoreSize represents the minimum size of volume required to create a volume from this snapshot. In dynamic snapshot creation case, this field will be filled in by the snapshot controller with the "size_bytes" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "size_bytes" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. When restoring a volume from this snapshot, the size of the volume MUST NOT be smaller than the restoreSize if it is specified, otherwise the restoration will fail. If not specified, it indicates that the size is unknown. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + required: + - spec + type: object + served: false + storage: false + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: "https://github.com/kubernetes-csi/external-snapshotter/pull/814" + controller-gen.kubebuilder.io/version: v0.15.0 + name: volumesnapshotclasses.snapshot.storage.k8s.io +spec: + group: snapshot.storage.k8s.io + names: + kind: VolumeSnapshotClass + listKind: VolumeSnapshotClassList + plural: volumesnapshotclasses + shortNames: + - vsclass + - vsclasses + singular: volumesnapshotclass + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .driver + name: Driver + type: string + - description: Determines whether a VolumeSnapshotContent created through the + VolumeSnapshotClass should be deleted when its bound VolumeSnapshot is deleted. + jsonPath: .deletionPolicy + name: DeletionPolicy + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + VolumeSnapshotClass specifies parameters that a underlying storage system uses when + creating a volume snapshot. A specific VolumeSnapshotClass is used by specifying its + name in a VolumeSnapshot object. + VolumeSnapshotClasses are non-namespaced + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + deletionPolicy: + description: |- + deletionPolicy determines whether a VolumeSnapshotContent created through + the VolumeSnapshotClass should be deleted when its bound VolumeSnapshot is deleted. + Supported values are "Retain" and "Delete". + "Retain" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are kept. + "Delete" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are deleted. + Required. + enum: + - Delete + - Retain + type: string + driver: + description: |- + driver is the name of the storage driver that handles this VolumeSnapshotClass. + Required. + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + parameters: + additionalProperties: + type: string + description: |- + parameters is a key-value map with storage driver specific parameters for creating snapshots. + These values are opaque to Kubernetes. + type: object + required: + - deletionPolicy + - driver + type: object + served: true + storage: true + subresources: {} + - additionalPrinterColumns: + - jsonPath: .driver + name: Driver + type: string + - description: Determines whether a VolumeSnapshotContent created through the VolumeSnapshotClass should be deleted when its bound VolumeSnapshot is deleted. + jsonPath: .deletionPolicy + name: DeletionPolicy + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + # This indicates the v1beta1 version of the custom resource is deprecated. + # API requests to this version receive a warning in the server response. + deprecated: true + # This overrides the default warning returned to clients making v1beta1 API requests. + deprecationWarning: "snapshot.storage.k8s.io/v1beta1 VolumeSnapshotClass is deprecated; use snapshot.storage.k8s.io/v1 VolumeSnapshotClass" + schema: + openAPIV3Schema: + description: VolumeSnapshotClass specifies parameters that a underlying storage system uses when creating a volume snapshot. A specific VolumeSnapshotClass is used by specifying its name in a VolumeSnapshot object. VolumeSnapshotClasses are non-namespaced + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + deletionPolicy: + description: deletionPolicy determines whether a VolumeSnapshotContent created through the VolumeSnapshotClass should be deleted when its bound VolumeSnapshot is deleted. Supported values are "Retain" and "Delete". "Retain" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are kept. "Delete" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are deleted. Required. + enum: + - Delete + - Retain + type: string + driver: + description: driver is the name of the storage driver that handles this VolumeSnapshotClass. Required. + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + parameters: + additionalProperties: + type: string + description: parameters is a key-value map with storage driver specific parameters for creating snapshots. These values are opaque to Kubernetes. + type: object + required: + - deletionPolicy + - driver + type: object + served: false + storage: false + subresources: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + api-approved.kubernetes.io: "https://github.com/kubernetes-csi/external-snapshotter/pull/955" + name: volumesnapshotcontents.snapshot.storage.k8s.io +spec: + group: snapshot.storage.k8s.io + names: + kind: VolumeSnapshotContent + listKind: VolumeSnapshotContentList + plural: volumesnapshotcontents + shortNames: + - vsc + - vscs + singular: volumesnapshotcontent + scope: Cluster + versions: + - additionalPrinterColumns: + - description: Indicates if the snapshot is ready to be used to restore a volume. + jsonPath: .status.readyToUse + name: ReadyToUse + type: boolean + - description: Represents the complete size of the snapshot in bytes + jsonPath: .status.restoreSize + name: RestoreSize + type: integer + - description: Determines whether this VolumeSnapshotContent and its physical + snapshot on the underlying storage system should be deleted when its bound + VolumeSnapshot is deleted. + jsonPath: .spec.deletionPolicy + name: DeletionPolicy + type: string + - description: Name of the CSI driver used to create the physical snapshot on + the underlying storage system. + jsonPath: .spec.driver + name: Driver + type: string + - description: Name of the VolumeSnapshotClass to which this snapshot belongs. + jsonPath: .spec.volumeSnapshotClassName + name: VolumeSnapshotClass + type: string + - description: Name of the VolumeSnapshot object to which this VolumeSnapshotContent + object is bound. + jsonPath: .spec.volumeSnapshotRef.name + name: VolumeSnapshot + type: string + - description: Namespace of the VolumeSnapshot object to which this VolumeSnapshotContent + object is bound. + jsonPath: .spec.volumeSnapshotRef.namespace + name: VolumeSnapshotNamespace + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + VolumeSnapshotContent represents the actual "on-disk" snapshot object in the + underlying storage system + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + spec defines properties of a VolumeSnapshotContent created by the underlying storage system. + Required. + properties: + deletionPolicy: + description: |- + deletionPolicy determines whether this VolumeSnapshotContent and its physical snapshot on + the underlying storage system should be deleted when its bound VolumeSnapshot is deleted. + Supported values are "Retain" and "Delete". + "Retain" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are kept. + "Delete" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are deleted. + For dynamically provisioned snapshots, this field will automatically be filled in by the + CSI snapshotter sidecar with the "DeletionPolicy" field defined in the corresponding + VolumeSnapshotClass. + For pre-existing snapshots, users MUST specify this field when creating the + VolumeSnapshotContent object. + Required. + enum: + - Delete + - Retain + type: string + driver: + description: |- + driver is the name of the CSI driver used to create the physical snapshot on + the underlying storage system. + This MUST be the same as the name returned by the CSI GetPluginName() call for + that driver. + Required. + type: string + source: + description: |- + source specifies whether the snapshot is (or should be) dynamically provisioned + or already exists, and just requires a Kubernetes object representation. + This field is immutable after creation. + Required. + properties: + snapshotHandle: + description: |- + snapshotHandle specifies the CSI "snapshot_id" of a pre-existing snapshot on + the underlying storage system for which a Kubernetes object representation + was (or should be) created. + This field is immutable. + type: string + x-kubernetes-validations: + - message: snapshotHandle is immutable + rule: self == oldSelf + volumeHandle: + description: |- + volumeHandle specifies the CSI "volume_id" of the volume from which a snapshot + should be dynamically taken from. + This field is immutable. + type: string + x-kubernetes-validations: + - message: volumeHandle is immutable + rule: self == oldSelf + type: object + x-kubernetes-validations: + - message: volumeHandle is required once set + rule: '!has(oldSelf.volumeHandle) || has(self.volumeHandle)' + - message: snapshotHandle is required once set + rule: '!has(oldSelf.snapshotHandle) || has(self.snapshotHandle)' + - message: exactly one of volumeHandle and snapshotHandle must be + set + rule: (has(self.volumeHandle) && !has(self.snapshotHandle)) || (!has(self.volumeHandle) + && has(self.snapshotHandle)) + sourceVolumeMode: + description: |- + SourceVolumeMode is the mode of the volume whose snapshot is taken. + Can be either "Filesystem" or "Block". + If not specified, it indicates the source volume's mode is unknown. + This field is immutable. + This field is an alpha field. + type: string + x-kubernetes-validations: + - message: sourceVolumeMode is immutable + rule: self == oldSelf + volumeSnapshotClassName: + description: |- + name of the VolumeSnapshotClass from which this snapshot was (or will be) + created. + Note that after provisioning, the VolumeSnapshotClass may be deleted or + recreated with different set of values, and as such, should not be referenced + post-snapshot creation. + type: string + volumeSnapshotRef: + description: |- + volumeSnapshotRef specifies the VolumeSnapshot object to which this + VolumeSnapshotContent object is bound. + VolumeSnapshot.Spec.VolumeSnapshotContentName field must reference to + this VolumeSnapshotContent's name for the bidirectional binding to be valid. + For a pre-existing VolumeSnapshotContent object, name and namespace of the + VolumeSnapshot object MUST be provided for binding to happen. + This field is immutable after creation. + Required. + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. + type: string + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + namespace: + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + type: string + resourceVersion: + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + type: string + uid: + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + type: string + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: both spec.volumeSnapshotRef.name and spec.volumeSnapshotRef.namespace + must be set + rule: has(self.name) && has(self.__namespace__) + required: + - deletionPolicy + - driver + - source + - volumeSnapshotRef + type: object + x-kubernetes-validations: + - message: sourceVolumeMode is required once set + rule: '!has(oldSelf.sourceVolumeMode) || has(self.sourceVolumeMode)' + status: + description: status represents the current information of a snapshot. + properties: + creationTime: + description: |- + creationTime is the timestamp when the point-in-time snapshot is taken + by the underlying storage system. + In dynamic snapshot creation case, this field will be filled in by the + CSI snapshotter sidecar with the "creation_time" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "creation_time" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. + If not specified, it indicates the creation time is unknown. + The format of this field is a Unix nanoseconds time encoded as an int64. + On Unix, the command `date +%s%N` returns the current time in nanoseconds + since 1970-01-01 00:00:00 UTC. + format: int64 + type: integer + error: + description: |- + error is the last observed error during snapshot creation, if any. + Upon success after retry, this error field will be cleared. + properties: + message: + description: |- + message is a string detailing the encountered error during snapshot + creation if specified. + NOTE: message may be logged, and it should not contain sensitive + information. + type: string + time: + description: time is the timestamp when the error was encountered. + format: date-time + type: string + type: object + readyToUse: + description: |- + readyToUse indicates if a snapshot is ready to be used to restore a volume. + In dynamic snapshot creation case, this field will be filled in by the + CSI snapshotter sidecar with the "ready_to_use" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "ready_to_use" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it, + otherwise, this field will be set to "True". + If not specified, it means the readiness of a snapshot is unknown. + type: boolean + restoreSize: + description: |- + restoreSize represents the complete size of the snapshot in bytes. + In dynamic snapshot creation case, this field will be filled in by the + CSI snapshotter sidecar with the "size_bytes" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "size_bytes" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. + When restoring a volume from this snapshot, the size of the volume MUST NOT + be smaller than the restoreSize if it is specified, otherwise the restoration will fail. + If not specified, it indicates that the size is unknown. + format: int64 + minimum: 0 + type: integer + snapshotHandle: + description: |- + snapshotHandle is the CSI "snapshot_id" of a snapshot on the underlying storage system. + If not specified, it indicates that dynamic snapshot creation has either failed + or it is still in progress. + type: string + volumeGroupSnapshotHandle: + description: |- + VolumeGroupSnapshotHandle is the CSI "group_snapshot_id" of a group snapshot + on the underlying storage system. + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: Indicates if the snapshot is ready to be used to restore a volume. + jsonPath: .status.readyToUse + name: ReadyToUse + type: boolean + - description: Represents the complete size of the snapshot in bytes + jsonPath: .status.restoreSize + name: RestoreSize + type: integer + - description: Determines whether this VolumeSnapshotContent and its physical snapshot on the underlying storage system should be deleted when its bound VolumeSnapshot is deleted. + jsonPath: .spec.deletionPolicy + name: DeletionPolicy + type: string + - description: Name of the CSI driver used to create the physical snapshot on the underlying storage system. + jsonPath: .spec.driver + name: Driver + type: string + - description: Name of the VolumeSnapshotClass to which this snapshot belongs. + jsonPath: .spec.volumeSnapshotClassName + name: VolumeSnapshotClass + type: string + - description: Name of the VolumeSnapshot object to which this VolumeSnapshotContent object is bound. + jsonPath: .spec.volumeSnapshotRef.name + name: VolumeSnapshot + type: string + - description: Namespace of the VolumeSnapshot object to which this VolumeSnapshotContent object is bound. + jsonPath: .spec.volumeSnapshotRef.namespace + name: VolumeSnapshotNamespace + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + # This indicates the v1beta1 version of the custom resource is deprecated. + # API requests to this version receive a warning in the server response. + deprecated: true + # This overrides the default warning returned to clients making v1beta1 API requests. + deprecationWarning: "snapshot.storage.k8s.io/v1beta1 VolumeSnapshotContent is deprecated; use snapshot.storage.k8s.io/v1 VolumeSnapshotContent" + schema: + openAPIV3Schema: + description: VolumeSnapshotContent represents the actual "on-disk" snapshot object in the underlying storage system + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + spec: + description: spec defines properties of a VolumeSnapshotContent created by the underlying storage system. Required. + properties: + deletionPolicy: + description: deletionPolicy determines whether this VolumeSnapshotContent and its physical snapshot on the underlying storage system should be deleted when its bound VolumeSnapshot is deleted. Supported values are "Retain" and "Delete". "Retain" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are kept. "Delete" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are deleted. For dynamically provisioned snapshots, this field will automatically be filled in by the CSI snapshotter sidecar with the "DeletionPolicy" field defined in the corresponding VolumeSnapshotClass. For pre-existing snapshots, users MUST specify this field when creating the VolumeSnapshotContent object. Required. + enum: + - Delete + - Retain + type: string + driver: + description: driver is the name of the CSI driver used to create the physical snapshot on the underlying storage system. This MUST be the same as the name returned by the CSI GetPluginName() call for that driver. Required. + type: string + source: + description: source specifies whether the snapshot is (or should be) dynamically provisioned or already exists, and just requires a Kubernetes object representation. This field is immutable after creation. Required. + properties: + snapshotHandle: + description: snapshotHandle specifies the CSI "snapshot_id" of a pre-existing snapshot on the underlying storage system for which a Kubernetes object representation was (or should be) created. This field is immutable. + type: string + volumeHandle: + description: volumeHandle specifies the CSI "volume_id" of the volume from which a snapshot should be dynamically taken from. This field is immutable. + type: string + type: object + volumeSnapshotClassName: + description: name of the VolumeSnapshotClass from which this snapshot was (or will be) created. Note that after provisioning, the VolumeSnapshotClass may be deleted or recreated with different set of values, and as such, should not be referenced post-snapshot creation. + type: string + volumeSnapshotRef: + description: volumeSnapshotRef specifies the VolumeSnapshot object to which this VolumeSnapshotContent object is bound. VolumeSnapshot.Spec.VolumeSnapshotContentName field must reference to this VolumeSnapshotContent's name for the bidirectional binding to be valid. For a pre-existing VolumeSnapshotContent object, name and namespace of the VolumeSnapshot object MUST be provided for binding to happen. This field is immutable after creation. Required. + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + required: + - deletionPolicy + - driver + - source + - volumeSnapshotRef + type: object + status: + description: status represents the current information of a snapshot. + properties: + creationTime: + description: creationTime is the timestamp when the point-in-time snapshot is taken by the underlying storage system. In dynamic snapshot creation case, this field will be filled in by the CSI snapshotter sidecar with the "creation_time" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "creation_time" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. If not specified, it indicates the creation time is unknown. The format of this field is a Unix nanoseconds time encoded as an int64. On Unix, the command `date +%s%N` returns the current time in nanoseconds since 1970-01-01 00:00:00 UTC. + format: int64 + type: integer + error: + description: error is the last observed error during snapshot creation, if any. Upon success after retry, this error field will be cleared. + properties: + message: + description: 'message is a string detailing the encountered error during snapshot creation if specified. NOTE: message may be logged, and it should not contain sensitive information.' + type: string + time: + description: time is the timestamp when the error was encountered. + format: date-time + type: string + type: object + readyToUse: + description: readyToUse indicates if a snapshot is ready to be used to restore a volume. In dynamic snapshot creation case, this field will be filled in by the CSI snapshotter sidecar with the "ready_to_use" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "ready_to_use" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it, otherwise, this field will be set to "True". If not specified, it means the readiness of a snapshot is unknown. + type: boolean + restoreSize: + description: restoreSize represents the complete size of the snapshot in bytes. In dynamic snapshot creation case, this field will be filled in by the CSI snapshotter sidecar with the "size_bytes" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "size_bytes" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. When restoring a volume from this snapshot, the size of the volume MUST NOT be smaller than the restoreSize if it is specified, otherwise the restoration will fail. If not specified, it indicates that the size is unknown. + format: int64 + minimum: 0 + type: integer + snapshotHandle: + description: snapshotHandle is the CSI "snapshot_id" of a snapshot on the underlying storage system. If not specified, it indicates that dynamic snapshot creation has either failed or it is still in progress. + type: string + type: object + required: + - spec + type: object + served: false + storage: false + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end -}} diff --git a/charts/v1.33.7/azurefile-csi-driver/templates/csi-azurefile-controller.yaml b/charts/v1.33.7/azurefile-csi-driver/templates/csi-azurefile-controller.yaml new file mode 100644 index 0000000000..0e782b851b --- /dev/null +++ b/charts/v1.33.7/azurefile-csi-driver/templates/csi-azurefile-controller.yaml @@ -0,0 +1,285 @@ +kind: Deployment +apiVersion: apps/v1 +metadata: + name: {{ .Values.controller.name }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Values.controller.name }} + {{- include "azurefile.labels" . | nindent 4 }} +{{- with .Values.controller.labels }} +{{ . | toYaml | indent 4 }} +{{- end }} +{{- with .Values.controller.annotations }} + annotations: +{{ . | toYaml | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.controller.replicas }} + selector: + matchLabels: + {{- include "azurefile.selectorLabels" . | nindent 6 }} + app: {{ .Values.controller.name }} + strategy: + type: {{ .Values.controller.strategyType }} + template: + metadata: + labels: + {{- include "azurefile.labels" . | nindent 8 }} + app: {{ .Values.controller.name }} + {{- if .Values.workloadIdentity.clientID }} + azure.workload.identity/use: "true" + {{- end }} +{{- with .Values.controller.podLabels }} +{{ toYaml . | indent 8 }} +{{- end }} +{{- with .Values.controller.podAnnotations }} + annotations: +{{ toYaml . | indent 8 }} +{{- end }} + spec: + hostNetwork: {{ .Values.controller.hostNetwork }} + serviceAccountName: {{ .Values.serviceAccount.controller }} + nodeSelector: + kubernetes.io/os: linux +{{- with .Values.controller.nodeSelector }} +{{ toYaml . | indent 8 }} +{{- end }} + # runOnControlPlane=true or runOnMaster=true only takes effect if affinity is not set + {{- if tpl "{{ .Values.controller.affinity }}" . | contains "nodeSelectorTerms" }} + {{- with .Values.controller.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- else if or .Values.controller.runOnControlPlane .Values.controller.runOnMaster}} + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + {{- if .Values.controller.runOnControlPlane}} + - key: node-role.kubernetes.io/control-plane + operator: Exists + {{- end}} + {{- if .Values.controller.runOnMaster}} + - key: node-role.kubernetes.io/master + operator: Exists + {{- end}} + {{- end }} + priorityClassName: system-cluster-critical + securityContext: + seccompProfile: + type: RuntimeDefault +{{- with .Values.controller.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} +{{- end }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: +{{ toYaml .Values.imagePullSecrets | indent 8 }} + {{- end }} + containers: + - name: csi-provisioner +{{- if hasPrefix "/" .Values.image.csiProvisioner.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.csiProvisioner.repository }}:{{ .Values.image.csiProvisioner.tag }}" +{{- else }} + image: "{{ .Values.image.csiProvisioner.repository }}:{{ .Values.image.csiProvisioner.tag }}" +{{- end }} + args: + - "-v=2" + - "--csi-address=$(ADDRESS)" + - "--leader-election" + - "--leader-election-namespace={{ .Release.Namespace }}" + - "--timeout=1200s" + - "--extra-create-metadata=true" + - "--kube-api-qps=50" + - "--kube-api-burst=100" + - "--feature-gates=HonorPVReclaimPolicy=true" + - "--retry-interval-max=30m" + env: + - name: ADDRESS + value: /csi/csi.sock + imagePullPolicy: {{ .Values.image.csiProvisioner.pullPolicy }} + volumeMounts: + - mountPath: /csi + name: socket-dir + resources: {{- toYaml .Values.controller.resources.csiProvisioner | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL + - name: csi-snapshotter +{{- if hasPrefix "/" .Values.snapshot.image.csiSnapshotter.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.snapshot.image.csiSnapshotter.repository }}:{{ .Values.snapshot.image.csiSnapshotter.tag }}" +{{- else }} + image: "{{ .Values.snapshot.image.csiSnapshotter.repository }}:{{ .Values.snapshot.image.csiSnapshotter.tag }}" +{{- end }} + args: + - "-csi-address=$(ADDRESS)" + - "-leader-election" + - "--leader-election-namespace={{ .Release.Namespace }}" + - "-v=2" + - "--retry-interval-max=30m" + env: + - name: ADDRESS + value: /csi/csi.sock + volumeMounts: + - name: socket-dir + mountPath: /csi + resources: {{- toYaml .Values.controller.resources.csiSnapshotter | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL + - name: csi-resizer +{{- if hasPrefix "/" .Values.image.csiResizer.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.csiResizer.repository }}:{{ .Values.image.csiResizer.tag }}" +{{- else }} + image: "{{ .Values.image.csiResizer.repository }}:{{ .Values.image.csiResizer.tag }}" +{{- end }} + args: + - "-csi-address=$(ADDRESS)" + - "-v=2" + - "-leader-election" + - "--leader-election-namespace={{ .Release.Namespace }}" + - '-handle-volume-inuse-error=false' + - '-timeout=120s' + - '-feature-gates=RecoverVolumeExpansionFailure=true' + - "--retry-interval-max=30m" + env: + - name: ADDRESS + value: /csi/csi.sock + imagePullPolicy: {{ .Values.image.csiResizer.pullPolicy }} + volumeMounts: + - name: socket-dir + mountPath: /csi + resources: {{- toYaml .Values.controller.resources.csiResizer | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL + - name: liveness-probe +{{- if hasPrefix "/" .Values.image.livenessProbe.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}" +{{- else }} + image: "{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}" +{{- end }} + args: + - --csi-address=/csi/csi.sock + - --probe-timeout=3s +{{- if eq .Values.controller.hostNetwork true }} + - --http-endpoint=localhost:{{ .Values.controller.livenessProbe.healthPort }} +{{- else }} + - --health-port={{ .Values.controller.livenessProbe.healthPort }} +{{- end }} + - --v=2 + imagePullPolicy: {{ .Values.image.livenessProbe.pullPolicy }} + volumeMounts: + - name: socket-dir + mountPath: /csi + resources: {{- toYaml .Values.controller.resources.livenessProbe | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL + - name: azurefile +{{- if hasPrefix "/" .Values.image.azurefile.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}" +{{- else }} + image: "{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}" +{{- end }} + args: + - "--v={{ .Values.controller.logLevel }}" + - "--endpoint=$(CSI_ENDPOINT)" + - "--metrics-address=0.0.0.0:{{ .Values.controller.metricsPort }}" + - "--kubeconfig={{ .Values.controller.kubeconfig }}" + - "--drivername={{ .Values.driver.name }}" + - "--cloud-config-secret-name={{ .Values.controller.cloudConfigSecretName }}" + - "--cloud-config-secret-namespace={{ .Values.controller.cloudConfigSecretNamespace }}" + - "--custom-user-agent={{ .Values.driver.customUserAgent }}" + - "--user-agent-suffix={{ .Values.driver.userAgentSuffix }}" + - "--allow-empty-cloud-config={{ .Values.controller.allowEmptyCloudConfig }}" + ports: + - containerPort: {{ .Values.controller.metricsPort }} + name: metrics + protocol: TCP +{{- if ne .Values.controller.hostNetwork true }} + - containerPort: {{ .Values.controller.livenessProbe.healthPort }} + name: healthz + protocol: TCP +{{- end }} + livenessProbe: + failureThreshold: 5 + httpGet: + path: /healthz +{{- if eq .Values.controller.hostNetwork true }} + host: localhost + port: {{ .Values.controller.livenessProbe.healthPort }} +{{- else }} + port: healthz +{{- end }} + initialDelaySeconds: 30 + timeoutSeconds: 10 + periodSeconds: 30 + env: + - name: AZURE_CREDENTIAL_FILE + valueFrom: + configMapKeyRef: + name: {{ .Values.azureCredentialFileConfigMap }} + key: path + optional: true + - name: CSI_ENDPOINT + value: unix:///csi/csi.sock + {{- if ne .Values.driver.httpsProxy "" }} + - name: HTTPS_PROXY + value: {{ .Values.driver.httpsProxy }} + {{- end }} + {{- if ne .Values.driver.httpProxy "" }} + - name: HTTP_PROXY + value: {{ .Values.driver.httpProxy }} + {{- end }} + - name: AZURE_GO_SDK_LOG_LEVEL + value: {{ .Values.driver.azureGoSDKLogLevel }} + - name: AZCOPY_CONCURRENCY_VALUE + value: "10" + - name: AZCOPY_CONCURRENT_FILES + value: "20" + - name: AZCOPY_BUFFER_GB + value: "1" + imagePullPolicy: {{ .Values.image.azurefile.pullPolicy }} + volumeMounts: + - mountPath: /csi + name: socket-dir + - mountPath: /root/.azcopy + name: azcopy-dir + - mountPath: /etc/kubernetes/ + name: azure-cred + {{- if eq .Values.linux.distro "fedora" }} + - name: ssl + mountPath: /etc/ssl/certs + readOnly: true + - name: ssl-pki + mountPath: /etc/pki/ca-trust/extracted + readOnly: true + {{- end }} + resources: {{- toYaml .Values.controller.resources.azurefile | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL + volumes: + - name: socket-dir + emptyDir: {} + - name: azcopy-dir + emptyDir: {} + - name: azure-cred + hostPath: + path: /etc/kubernetes/ + type: DirectoryOrCreate + {{- if eq .Values.linux.distro "fedora" }} + - name: ssl + hostPath: + path: /etc/ssl/certs + - name: ssl-pki + hostPath: + path: /etc/pki/ca-trust/extracted + {{- end }} diff --git a/charts/v1.33.7/azurefile-csi-driver/templates/csi-azurefile-driver.yaml b/charts/v1.33.7/azurefile-csi-driver/templates/csi-azurefile-driver.yaml new file mode 100644 index 0000000000..77df01e32d --- /dev/null +++ b/charts/v1.33.7/azurefile-csi-driver/templates/csi-azurefile-driver.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: storage.k8s.io/v1 +kind: CSIDriver +metadata: + name: {{ .Values.driver.name }} + labels: + {{- include "azurefile.labels" . | nindent 4 }} + annotations: + csiDriver: "{{ .Values.image.azurefile.tag }}" + snapshot: "{{ .Values.snapshot.image.csiSnapshotter.tag }}" +spec: + attachRequired: {{ .Values.controller.attachRequired }} + podInfoOnMount: true + volumeLifecycleModes: + - Persistent + - Ephemeral + fsGroupPolicy: {{ .Values.feature.fsGroupPolicy }} + tokenRequests: + - audience: api://AzureADTokenExchange diff --git a/charts/v1.33.7/azurefile-csi-driver/templates/csi-azurefile-node-windows-hostprocess.yaml b/charts/v1.33.7/azurefile-csi-driver/templates/csi-azurefile-node-windows-hostprocess.yaml new file mode 100644 index 0000000000..30acee27fb --- /dev/null +++ b/charts/v1.33.7/azurefile-csi-driver/templates/csi-azurefile-node-windows-hostprocess.yaml @@ -0,0 +1,164 @@ +{{- if and .Values.windows.enabled .Values.windows.useHostProcessContainers }} +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: {{ .Values.windows.dsName }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Values.windows.dsName }} + {{- include "azurefile.labels" . | nindent 4 }} +{{- with .Values.windows.labels }} +{{ . | toYaml | indent 4 }} +{{- end }} +{{- with .Values.windows.annotations }} + annotations: +{{ . | toYaml | indent 4 }} +{{- end }} +spec: + updateStrategy: + rollingUpdate: + maxUnavailable: {{ .Values.node.maxUnavailable }} + type: {{ .Values.node.strategyType }} + selector: + matchLabels: + app: {{ .Values.windows.dsName }} + {{- include "azurefile.selectorLabels" . | nindent 6 }} + template: + metadata: + labels: + app: {{ .Values.windows.dsName }} + {{- include "azurefile.labels" . | nindent 8 }} +{{- with .Values.windows.podLabels }} +{{ toYaml . | indent 8 }} +{{- end }} +{{- with .Values.windows.podAnnotations }} + annotations: +{{ toYaml . | indent 8 }} +{{- end }} + spec: + serviceAccountName: {{ .Values.serviceAccount.node }} +{{- with .Values.windows.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} +{{- end }} + nodeSelector: + kubernetes.io/os: windows +{{- with .Values.windows.nodeSelector }} +{{ toYaml . | indent 8 }} +{{- end }} + affinity: +{{- with .Values.windows.affinity }} +{{ toYaml . | indent 8 }} +{{- end }} + nodeAffinity: +{{ toYaml .Values.windows.nodeAffinity | indent 10 }} + priorityClassName: system-node-critical + {{- if .Values.imagePullSecrets }} + imagePullSecrets: +{{ toYaml .Values.imagePullSecrets | indent 8 }} + {{- end }} + securityContext: + seccompProfile: + type: RuntimeDefault + windowsOptions: + hostProcess: true + runAsUserName: "NT AUTHORITY\\SYSTEM" + hostNetwork: true + initContainers: + - name: init +{{- if hasPrefix "/" .Values.image.azurefile.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}-windows-hp" +{{- else }} + image: "{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}-windows-hp" +{{- end }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + command: + - "powershell.exe" + - "-c" + - "New-Item -ItemType Directory -Path C:\\var\\lib\\kubelet\\plugins\\{{ .Values.driver.name }}\\ -Force" + securityContext: + capabilities: + drop: + - ALL + containers: + - name: node-driver-registrar +{{- if hasPrefix "/" .Values.image.nodeDriverRegistrar.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}" +{{- else }} + image: "{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}" +{{- end }} + command: + - "csi-node-driver-registrar.exe" + args: + - "--csi-address=$(CSI_ENDPOINT)" + - "--kubelet-registration-path=$(DRIVER_REG_SOCK_PATH)" + - "--plugin-registration-path=$(PLUGIN_REG_DIR)" + - "--v=2" + env: + - name: CSI_ENDPOINT + value: unix://{{ .Values.windows.kubelet }}\plugins\{{ .Values.driver.name }}\csi.sock + - name: DRIVER_REG_SOCK_PATH + value: C:\\var\\lib\\kubelet\\plugins\\{{ .Values.driver.name }}\\csi.sock + - name: PLUGIN_REG_DIR + value: C:\\var\\lib\\kubelet\\plugins_registry\\ + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + imagePullPolicy: {{ .Values.image.nodeDriverRegistrar.pullPolicy }} + resources: {{- toYaml .Values.windows.resources.nodeDriverRegistrar | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL + - name: azurefile +{{- if hasPrefix "/" .Values.image.azurefile.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}-windows-hp" +{{- else }} + image: "{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}-windows-hp" +{{- end }} + command: + - "azurefileplugin.exe" + args: + - "--v={{ .Values.node.logLevel }}" + - "--endpoint=$(CSI_ENDPOINT)" + - "--nodeid=$(KUBE_NODE_NAME)" + - "--kubeconfig={{ .Values.windows.kubeconfig }}" + - "--drivername={{ .Values.driver.name }}" + - "--cloud-config-secret-name={{ .Values.node.cloudConfigSecretName }}" + - "--cloud-config-secret-namespace={{ .Values.node.cloudConfigSecretNamespace }}" + - "--custom-user-agent={{ .Values.driver.customUserAgent }}" + - "--user-agent-suffix={{ .Values.driver.userAgentSuffix }}" + - "--allow-empty-cloud-config={{ .Values.node.allowEmptyCloudConfig }}" + - "--enable-get-volume-stats={{ .Values.feature.enableGetVolumeStats }}" + - "--enable-windows-host-process=true" + - "--metrics-address=0.0.0.0:{{ .Values.node.metricsPort }}" + env: + - name: AZURE_CREDENTIAL_FILE + valueFrom: + configMapKeyRef: + name: {{ .Values.azureCredentialFileConfigMap }} + key: path-windows + optional: true + - name: CSI_ENDPOINT + value: unix://{{ .Values.windows.kubelet }}\plugins\{{ .Values.driver.name }}\csi.sock + {{- if ne .Values.driver.httpsProxy "" }} + - name: HTTPS_PROXY + value: {{ .Values.driver.httpsProxy }} + {{- end }} + {{- if ne .Values.driver.httpProxy "" }} + - name: HTTP_PROXY + value: {{ .Values.driver.httpProxy }} + {{- end }} + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + imagePullPolicy: {{ .Values.image.pullPolicy }} + resources: {{- toYaml .Values.windows.resources.azurefile | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL +{{- end -}} diff --git a/charts/v1.33.7/azurefile-csi-driver/templates/csi-azurefile-node-windows.yaml b/charts/v1.33.7/azurefile-csi-driver/templates/csi-azurefile-node-windows.yaml new file mode 100644 index 0000000000..5083bc96a8 --- /dev/null +++ b/charts/v1.33.7/azurefile-csi-driver/templates/csi-azurefile-node-windows.yaml @@ -0,0 +1,229 @@ +{{- if and .Values.windows.enabled (not .Values.windows.useHostProcessContainers) }} +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: {{ .Values.windows.dsName }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Values.windows.dsName }} + {{- include "azurefile.labels" . | nindent 4 }} +{{- with .Values.windows.labels }} +{{ . | toYaml | indent 4 }} +{{- end }} +{{- with .Values.windows.annotations }} + annotations: +{{ . | toYaml | indent 4 }} +{{- end }} +spec: + updateStrategy: + rollingUpdate: + maxUnavailable: {{ .Values.node.maxUnavailable }} + type: {{ .Values.node.strategyType }} + selector: + matchLabels: + app: {{ .Values.windows.dsName }} + {{- include "azurefile.selectorLabels" . | nindent 6 }} + template: + metadata: + labels: + app: {{ .Values.windows.dsName }} + {{- include "azurefile.labels" . | nindent 8 }} +{{- with .Values.windows.podLabels }} +{{ toYaml . | indent 8 }} +{{- end }} +{{- with .Values.windows.podAnnotations }} + annotations: +{{ toYaml . | indent 8 }} +{{- end }} + spec: + serviceAccountName: {{ .Values.serviceAccount.node }} +{{- with .Values.windows.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} +{{- end }} + nodeSelector: + kubernetes.io/os: windows +{{- with .Values.windows.nodeSelector }} +{{ toYaml . | indent 8 }} +{{- end }} + affinity: +{{- with .Values.windows.affinity }} +{{ toYaml . | indent 8 }} +{{- end }} + nodeAffinity: +{{ toYaml .Values.windows.nodeAffinity | indent 10 }} + priorityClassName: system-node-critical + securityContext: + seccompProfile: + type: RuntimeDefault + {{- if .Values.imagePullSecrets }} + imagePullSecrets: +{{ toYaml .Values.imagePullSecrets | indent 8 }} + {{- end }} + containers: + - name: liveness-probe + volumeMounts: + - mountPath: C:\csi + name: plugin-dir +{{- if hasPrefix "/" .Values.image.livenessProbe.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}" +{{- else }} + image: "{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}" +{{- end }} + args: + - "--csi-address=$(CSI_ENDPOINT)" + - "--probe-timeout=3s" + - "--health-port={{ .Values.node.livenessProbe.healthPort }}" + - "--v=2" + env: + - name: CSI_ENDPOINT + value: unix://C:\\csi\\csi.sock + imagePullPolicy: {{ .Values.image.livenessProbe.pullPolicy }} + resources: {{- toYaml .Values.windows.resources.livenessProbe | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL + - name: node-driver-registrar +{{- if hasPrefix "/" .Values.image.nodeDriverRegistrar.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}" +{{- else }} + image: "{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}" +{{- end }} + args: + - "--csi-address=$(CSI_ENDPOINT)" + - "--kubelet-registration-path=$(DRIVER_REG_SOCK_PATH)" + - "--v=2" + env: + - name: CSI_ENDPOINT + value: unix://C:\\csi\\csi.sock + - name: DRIVER_REG_SOCK_PATH + value: C:\\var\\lib\\kubelet\\plugins\\{{ .Values.driver.name }}\\csi.sock + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + imagePullPolicy: {{ .Values.image.nodeDriverRegistrar.pullPolicy }} + volumeMounts: + - name: kubelet-dir + mountPath: "C:\\var\\lib\\kubelet" + - name: plugin-dir + mountPath: C:\csi + - name: registration-dir + mountPath: C:\registration + resources: {{- toYaml .Values.windows.resources.nodeDriverRegistrar | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL + - name: azurefile +{{- if hasPrefix "/" .Values.image.azurefile.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}" +{{- else }} + image: "{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}" +{{- end }} + args: + - "--v={{ .Values.node.logLevel }}" + - "--endpoint=$(CSI_ENDPOINT)" + - "--nodeid=$(KUBE_NODE_NAME)" + - "--kubeconfig={{ .Values.windows.kubeconfig }}" + - "--drivername={{ .Values.driver.name }}" + - "--cloud-config-secret-name={{ .Values.node.cloudConfigSecretName }}" + - "--cloud-config-secret-namespace={{ .Values.node.cloudConfigSecretNamespace }}" + - "--custom-user-agent={{ .Values.driver.customUserAgent }}" + - "--user-agent-suffix={{ .Values.driver.userAgentSuffix }}" + - "--allow-empty-cloud-config={{ .Values.node.allowEmptyCloudConfig }}" + - "--enable-get-volume-stats={{ .Values.feature.enableGetVolumeStats }}" + - "--allow-inline-volume-key-access-with-identity={{ .Values.node.allowInlineVolumeKeyAccessWithIdentity }}" + - "--metrics-address=0.0.0.0:{{ .Values.node.metricsPort }}" + ports: + - containerPort: {{ .Values.node.livenessProbe.healthPort }} + name: healthz + protocol: TCP + livenessProbe: + failureThreshold: 5 + httpGet: + path: /healthz + port: healthz + initialDelaySeconds: 60 + timeoutSeconds: 60 + periodSeconds: 60 + env: + - name: AZURE_CREDENTIAL_FILE + valueFrom: + configMapKeyRef: + name: {{ .Values.azureCredentialFileConfigMap }} + key: path-windows + optional: true + - name: CSI_ENDPOINT + value: unix://C:\\csi\\csi.sock + {{- if ne .Values.driver.httpsProxy "" }} + - name: HTTPS_PROXY + value: {{ .Values.driver.httpsProxy }} + {{- end }} + {{- if ne .Values.driver.httpProxy "" }} + - name: HTTP_PROXY + value: {{ .Values.driver.httpProxy }} + {{- end }} + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: AZURE_GO_SDK_LOG_LEVEL + value: {{ .Values.driver.azureGoSDKLogLevel }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + volumeMounts: + - name: kubelet-dir + mountPath: "C:\\var\\lib\\kubelet" + - name: plugin-dir + mountPath: C:\csi + - name: azure-config + mountPath: C:\k + - name: csi-proxy-fs-pipe-v1 + mountPath: \\.\pipe\csi-proxy-filesystem-v1 + - name: csi-proxy-smb-pipe-v1 + mountPath: \\.\pipe\csi-proxy-smb-v1 + # these paths are still included for compatibility, they're used + # only if the node has still the beta version of the CSI proxy + - name: csi-proxy-fs-pipe-v1beta1 + mountPath: \\.\pipe\csi-proxy-filesystem-v1beta1 + - name: csi-proxy-smb-pipe-v1beta1 + mountPath: \\.\pipe\csi-proxy-smb-v1beta1 + resources: {{- toYaml .Values.windows.resources.azurefile | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL + volumes: + - name: csi-proxy-fs-pipe-v1 + hostPath: + path: \\.\pipe\csi-proxy-filesystem-v1 + - name: csi-proxy-smb-pipe-v1 + hostPath: + path: \\.\pipe\csi-proxy-smb-v1 + # these paths are still included for compatibility, they're used + # only if the node has still the beta version of the CSI proxy + - name: csi-proxy-fs-pipe-v1beta1 + hostPath: + path: \\.\pipe\csi-proxy-filesystem-v1beta1 + - name: csi-proxy-smb-pipe-v1beta1 + hostPath: + path: \\.\pipe\csi-proxy-smb-v1beta1 + - name: registration-dir + hostPath: + path: {{ .Values.windows.kubelet }}\plugins_registry\ + type: Directory + - name: kubelet-dir + hostPath: + path: {{ .Values.windows.kubelet }}\ + type: Directory + - name: plugin-dir + hostPath: + path: {{ .Values.windows.kubelet }}\plugins\{{ .Values.driver.name }}\ + type: DirectoryOrCreate + - name: azure-config + hostPath: + path: C:\k + type: Directory +{{- end -}} diff --git a/charts/v1.33.7/azurefile-csi-driver/templates/csi-azurefile-node.yaml b/charts/v1.33.7/azurefile-csi-driver/templates/csi-azurefile-node.yaml new file mode 100644 index 0000000000..44f8edf36b --- /dev/null +++ b/charts/v1.33.7/azurefile-csi-driver/templates/csi-azurefile-node.yaml @@ -0,0 +1,273 @@ +{{- if .Values.linux.enabled}} +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: {{ .Values.linux.dsName }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Values.linux.dsName }} + {{- include "azurefile.labels" . | nindent 4 }} +{{- with .Values.linux.labels }} +{{ . | toYaml | indent 4 }} +{{- end }} +{{- with .Values.linux.annotations }} + annotations: +{{ . | toYaml | indent 4 }} +{{- end }} +spec: + updateStrategy: + rollingUpdate: + maxUnavailable: {{ .Values.node.maxUnavailable }} + type: {{ .Values.node.strategyType }} + selector: + matchLabels: + app: {{ .Values.linux.dsName }} + {{- include "azurefile.selectorLabels" . | nindent 6 }} + template: + metadata: + labels: + app: {{ .Values.linux.dsName }} + {{- include "azurefile.labels" . | nindent 8 }} + {{- if .Values.workloadIdentity.clientID }} + azure.workload.identity/use: "true" + {{- end }} +{{- with .Values.linux.podLabels }} +{{ toYaml . | indent 8 }} +{{- end }} +{{- with .Values.linux.podAnnotations }} + annotations: +{{ toYaml . | indent 8 }} +{{- end }} + spec: + hostNetwork: true + {{- if .Values.node.azurefileProxy.enabled }} + hostPID: true + {{- end }} + dnsPolicy: {{ .Values.linux.dnsPolicy }} + serviceAccountName: {{ .Values.serviceAccount.node }} + nodeSelector: + kubernetes.io/os: linux +{{- with .Values.linux.nodeSelector }} +{{ toYaml . | indent 8 }} +{{- end }} + affinity: +{{- with .Values.linux.affinity }} +{{ toYaml . | indent 8 }} +{{- end }} + nodeAffinity: +{{ toYaml .Values.linux.nodeAffinity | indent 10 }} + priorityClassName: system-node-critical + securityContext: + seccompProfile: + type: RuntimeDefault +{{- with .Values.linux.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} +{{- end }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: +{{ toYaml .Values.imagePullSecrets | indent 8 }} + {{- end }} + initContainers: + - name: install-azurefile-proxy +{{- if hasPrefix "/" .Values.image.azurefile.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}" +{{- else }} + image: "{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}" +{{- end }} + imagePullPolicy: IfNotPresent + command: + - "/azurefile-proxy/init.sh" + securityContext: + privileged: true + capabilities: + drop: + - ALL + env: + - name: DEBIAN_FRONTEND + value: "noninteractive" + - name: AZNFS_NONINTERACTIVE_INSTALL + value: "1" + - name: INSTALL_AZUREFILE_PROXY + value: "{{ .Values.node.azurefileProxy.enabled }}" + - name: INSTALL_AZNFS_MOUNT + value: "{{ .Values.node.azurefileProxy.installAznfsMount }}" + - name: KUBELET_PATH + value: "{{ .Values.linux.kubelet }}" + - name: MIGRATE_K8S_REPO + value: "{{ .Values.node.azurefileProxy.migrateK8sRepo }}" + volumeMounts: + - name: host-usr + mountPath: /host/usr + - name: host-etc + mountPath: /host/etc + containers: + - name: liveness-probe + volumeMounts: + - mountPath: /csi + name: socket-dir +{{- if hasPrefix "/" .Values.image.livenessProbe.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}" +{{- else }} + image: "{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}" +{{- end }} + args: + - --csi-address=/csi/csi.sock + - --probe-timeout=10s + - --http-endpoint=localhost:{{ .Values.node.livenessProbe.healthPort }} + - --v=2 + imagePullPolicy: {{ .Values.image.livenessProbe.pullPolicy }} + resources: {{- toYaml .Values.linux.resources.livenessProbe | nindent 12 }} + - name: node-driver-registrar +{{- if hasPrefix "/" .Values.image.nodeDriverRegistrar.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}" +{{- else }} + image: "{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}" +{{- end }} + args: + - --csi-address=$(ADDRESS) + - --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH) + - --v=2 + env: + - name: ADDRESS + value: /csi/csi.sock + - name: DRIVER_REG_SOCK_PATH + value: {{ .Values.linux.kubelet }}/plugins/{{ .Values.driver.name }}/csi.sock + imagePullPolicy: {{ .Values.image.nodeDriverRegistrar.pullPolicy }} + volumeMounts: + - name: socket-dir + mountPath: /csi + - name: registration-dir + mountPath: /registration + resources: {{- toYaml .Values.linux.resources.nodeDriverRegistrar | nindent 12 }} + - name: azurefile +{{- if hasPrefix "/" .Values.image.azurefile.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}" +{{- else }} + image: "{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}" +{{- end }} + args: + - "--v={{ .Values.node.logLevel }}" + - "--endpoint=$(CSI_ENDPOINT)" + - "--azurefile-proxy-endpoint=$(AZUREFILE_PROXY_ENDPOINT)" + - "--enable-azurefile-proxy={{ .Values.node.azurefileProxy.enabled }}" + - "--nodeid=$(KUBE_NODE_NAME)" + - "--kubeconfig={{ .Values.linux.kubeconfig }}" + - "--drivername={{ .Values.driver.name }}" + - "--cloud-config-secret-name={{ .Values.node.cloudConfigSecretName }}" + - "--cloud-config-secret-namespace={{ .Values.node.cloudConfigSecretNamespace }}" + - "--custom-user-agent={{ .Values.driver.customUserAgent }}" + - "--user-agent-suffix={{ .Values.driver.userAgentSuffix }}" + - "--allow-empty-cloud-config={{ .Values.node.allowEmptyCloudConfig }}" + - "--enable-volume-mount-group={{ .Values.feature.enableVolumeMountGroup }}" + - "--enable-get-volume-stats={{ .Values.feature.enableGetVolumeStats }}" + - "--mount-permissions={{ .Values.linux.mountPermissions }}" + - "--allow-inline-volume-key-access-with-identity={{ .Values.node.allowInlineVolumeKeyAccessWithIdentity }}" + - "--metrics-address=0.0.0.0:{{ .Values.node.metricsPort }}" + - "--enable-kata-cc-mount={{ .Values.node.enableKataCCMount }}" + livenessProbe: + failureThreshold: 5 + httpGet: + host: localhost + path: /healthz + port: {{ .Values.node.livenessProbe.healthPort }} + initialDelaySeconds: 30 + timeoutSeconds: 30 + periodSeconds: 30 + env: + - name: AZURE_CREDENTIAL_FILE + valueFrom: + configMapKeyRef: + name: {{ .Values.azureCredentialFileConfigMap }} + key: path + optional: true + - name: CSI_ENDPOINT + value: unix:///csi/csi.sock + {{- if ne .Values.driver.httpsProxy "" }} + - name: HTTPS_PROXY + value: {{ .Values.driver.httpsProxy }} + {{- end }} + {{- if ne .Values.driver.httpProxy "" }} + - name: HTTP_PROXY + value: {{ .Values.driver.httpProxy }} + {{- end }} + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: AZURE_GO_SDK_LOG_LEVEL + value: {{ .Values.driver.azureGoSDKLogLevel }} + - name: AZUREFILE_PROXY_ENDPOINT + value: unix:///csi/azurefile-proxy.sock + imagePullPolicy: {{ .Values.image.azurefile.pullPolicy }} + securityContext: + privileged: true + capabilities: + drop: + - ALL + volumeMounts: + - mountPath: /csi + name: socket-dir + - mountPath: {{ .Values.linux.kubelet }}/ + mountPropagation: Bidirectional + name: mountpoint-dir + - mountPath: /etc/kubernetes/ + name: azure-cred + - mountPath: /dev + name: device-dir + {{- if eq .Values.linux.distro "fedora" }} + - name: ssl + mountPath: /etc/ssl/certs + readOnly: true + - name: ssl-pki + mountPath: /etc/pki/ca-trust/extracted + readOnly: true + {{- end }} + {{- if .Values.node.enableKataCCMount }} + - mountPath: /run/kata-containers/shared/direct-volumes + name: kata-direct-volumes + {{- end }} + resources: {{- toYaml .Values.linux.resources.azurefile | nindent 12 }} + volumes: + - name: host-usr + hostPath: + path: /usr + - name: host-etc + hostPath: + path: /etc + - hostPath: + path: {{ .Values.linux.kubelet }}/plugins/{{ .Values.driver.name }} + type: DirectoryOrCreate + name: socket-dir + - hostPath: + path: {{ .Values.linux.kubelet }}/ + type: DirectoryOrCreate + name: mountpoint-dir + - hostPath: + path: {{ .Values.linux.kubelet }}/plugins_registry/ + type: DirectoryOrCreate + name: registration-dir + - hostPath: + path: /etc/kubernetes/ + type: DirectoryOrCreate + name: azure-cred + - hostPath: + path: /dev + type: Directory + name: device-dir + {{- if eq .Values.linux.distro "fedora" }} + - name: ssl + hostPath: + path: /etc/ssl/certs + - name: ssl-pki + hostPath: + path: /etc/pki/ca-trust/extracted + {{- end }} + {{- if .Values.node.enableKataCCMount }} + - name: kata-direct-volumes + hostPath: + path: /run/kata-containers/shared/direct-volumes/ + type: DirectoryOrCreate + {{- end }} +{{- end -}} diff --git a/charts/v1.33.7/azurefile-csi-driver/templates/csi-snapshot-controller.yaml b/charts/v1.33.7/azurefile-csi-driver/templates/csi-snapshot-controller.yaml new file mode 100644 index 0000000000..c671d5ba89 --- /dev/null +++ b/charts/v1.33.7/azurefile-csi-driver/templates/csi-snapshot-controller.yaml @@ -0,0 +1,99 @@ +{{- if .Values.snapshot.enabled -}} +kind: Deployment +apiVersion: apps/v1 +metadata: + name: {{ .Values.snapshot.snapshotController.name}} + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Values.snapshot.snapshotController.name}} + {{- include "azurefile.labels" . | nindent 4 }} +{{- with .Values.snapshot.snapshotController.labels }} +{{ . | toYaml | indent 4 }} +{{- end }} +{{- with .Values.snapshot.snapshotController.annotations }} + annotations: +{{ . | toYaml | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.snapshot.snapshotController.replicas }} + selector: + matchLabels: + app: {{ .Values.snapshot.snapshotController.name}} + {{- include "azurefile.selectorLabels" . | nindent 6 }} + # the snapshot controller won't be marked as ready if the v1 CRDs are unavailable + # in #504 the snapshot-controller will exit after around 7.5 seconds if it + # can't find the v1 CRDs so this value should be greater than that + minReadySeconds: 15 + strategy: + rollingUpdate: + maxSurge: 0 + maxUnavailable: 1 + type: {{ .Values.snapshot.snapshotController.strategyType }} + template: + metadata: + labels: + app: {{ .Values.snapshot.snapshotController.name}} + {{- include "azurefile.labels" . | nindent 8 }} +{{- with .Values.snapshot.snapshotController.podLabels }} +{{ toYaml . | indent 8 }} +{{- end }} +{{- with .Values.snapshot.snapshotController.podAnnotations }} + annotations: +{{ toYaml . | indent 8 }} +{{- end }} + spec: + serviceAccountName: {{ .Values.serviceAccount.snapshotController }} + nodeSelector: + kubernetes.io/os: linux + # runOnControlPlane=true or runOnMaster=true only takes effect if affinity is not set + {{- if tpl "{{ .Values.controller.affinity }}" . | contains "nodeSelectorTerms" }} + {{- with .Values.controller.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- else if or .Values.controller.runOnControlPlane .Values.controller.runOnMaster}} + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + {{- if .Values.controller.runOnControlPlane}} + - key: node-role.kubernetes.io/control-plane + operator: Exists + {{- end}} + {{- if .Values.controller.runOnMaster}} + - key: node-role.kubernetes.io/master + operator: Exists + {{- end}} + {{- end }} + priorityClassName: system-cluster-critical + securityContext: + seccompProfile: + type: RuntimeDefault +{{- with .Values.controller.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} +{{- end }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: +{{ toYaml .Values.imagePullSecrets | indent 8 }} + {{- end }} + containers: + - name: {{ .Values.snapshot.snapshotController.name}} +{{- if hasPrefix "/" .Values.snapshot.image.csiSnapshotController.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.snapshot.image.csiSnapshotController.repository }}:{{ .Values.snapshot.image.csiSnapshotController.tag }}" +{{- else }} + image: "{{ .Values.snapshot.image.csiSnapshotController.repository }}:{{ .Values.snapshot.image.csiSnapshotController.tag }}" +{{- end }} + args: + - "--v=2" + - "--leader-election=true" + - "--leader-election-namespace={{ .Release.Namespace }}" + - "--retry-interval-max=30m" + resources: {{- toYaml .Values.snapshot.snapshotController.resources | nindent 12 }} + imagePullPolicy: {{ .Values.snapshot.image.csiSnapshotController.pullPolicy }} + securityContext: + capabilities: + drop: + - ALL +{{- end -}} diff --git a/charts/v1.33.7/azurefile-csi-driver/templates/rbac-csi-azurefile-controller.yaml b/charts/v1.33.7/azurefile-csi-driver/templates/rbac-csi-azurefile-controller.yaml new file mode 100644 index 0000000000..e0a2e14d95 --- /dev/null +++ b/charts/v1.33.7/azurefile-csi-driver/templates/rbac-csi-azurefile-controller.yaml @@ -0,0 +1,207 @@ +{{- if .Values.rbac.create -}} +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Values.rbac.name }}-external-provisioner-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "create", "patch", "delete"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["storage.k8s.io"] + resources: ["storageclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["get", "list", "watch", "create", "update", "patch"] + - apiGroups: ["storage.k8s.io"] + resources: ["csinodes"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "watch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots"] + verbs: ["get", "list"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["get", "list"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create", "patch"] +--- + +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Values.rbac.name }}-csi-provisioner-binding + labels: + {{- include "azurefile.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccount.controller }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: {{ .Values.rbac.name }}-external-provisioner-role + apiGroup: rbac.authorization.k8s.io + +--- + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Values.rbac.name }}-external-attacher-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "watch"] + - apiGroups: ["csi.storage.k8s.io"] + resources: ["csinodeinfos"] + verbs: ["get", "list", "watch"] + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments/status"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create", "patch"] +--- + +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Values.rbac.name }}-csi-attacher-binding + labels: + {{- include "azurefile.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccount.controller }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: {{ .Values.rbac.name }}-external-attacher-role + apiGroup: rbac.authorization.k8s.io + +--- + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Values.rbac.name }}-external-snapshotter-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["create", "get", "list", "watch", "update", "delete", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents/status"] + verbs: ["update", "patch"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create", "patch"] +--- + +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Values.rbac.name }}-csi-snapshotter-binding + labels: + {{- include "azurefile.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccount.controller }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: {{ .Values.rbac.name }}-external-snapshotter-role + apiGroup: rbac.authorization.k8s.io + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Values.rbac.name }}-external-resizer-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["persistentvolumeclaims/status"] + verbs: ["update", "patch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create", "patch"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Values.rbac.name }}-csi-resizer-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccount.controller }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: {{ .Values.rbac.name }}-external-resizer-role + apiGroup: rbac.authorization.k8s.io + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-{{ .Values.rbac.name }}-controller-secret-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "create"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-{{ .Values.rbac.name }}-controller-secret-binding + labels: + {{- include "azurefile.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccount.controller }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: csi-{{ .Values.rbac.name }}-controller-secret-role + apiGroup: rbac.authorization.k8s.io +{{ end }} diff --git a/charts/v1.33.7/azurefile-csi-driver/templates/rbac-csi-azurefile-node.yaml b/charts/v1.33.7/azurefile-csi-driver/templates/rbac-csi-azurefile-node.yaml new file mode 100644 index 0000000000..39790e1438 --- /dev/null +++ b/charts/v1.33.7/azurefile-csi-driver/templates/rbac-csi-azurefile-node.yaml @@ -0,0 +1,64 @@ +{{- if .Values.rbac.create -}} +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-{{ .Values.rbac.name }}-node-secret-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-{{ .Values.rbac.name }}-node-secret-binding + labels: + {{- include "azurefile.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccount.node }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: csi-{{ .Values.rbac.name }}-node-secret-role + apiGroup: rbac.authorization.k8s.io +--- +{{- if .Values.node.enableKataCCMount -}} +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-{{ .Values.rbac.name }}-node-katacc-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["pods"] + verbs: ["get"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get"] + - apiGroups: ["node.k8s.io"] + resources: ["runtimeclasses"] + verbs: ["get", "list"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-{{ .Values.rbac.name }}-node-katacc-binding + labels: + {{- include "azurefile.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccount.node }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: csi-{{ .Values.rbac.name }}-node-katacc-role + apiGroup: rbac.authorization.k8s.io +--- +{{ end }} +{{ end }} diff --git a/charts/v1.33.7/azurefile-csi-driver/templates/rbac-csi-snapshot-controller.yaml b/charts/v1.33.7/azurefile-csi-driver/templates/rbac-csi-snapshot-controller.yaml new file mode 100644 index 0000000000..853a9b4375 --- /dev/null +++ b/charts/v1.33.7/azurefile-csi-driver/templates/rbac-csi-snapshot-controller.yaml @@ -0,0 +1,80 @@ +{{- if and .Values.snapshot.enabled .Values.rbac.create -}} +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-snapshot-controller-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["storage.k8s.io"] + resources: ["storageclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["create", "get", "list", "watch", "update", "delete", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents/status"] + verbs: ["patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots"] + verbs: ["get", "list", "watch", "update", "patch", "create"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots/status"] + verbs: ["update", "patch"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-snapshot-controller-binding + labels: + {{- include "azurefile.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccount.snapshotController }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: csi-snapshot-controller-role + apiGroup: rbac.authorization.k8s.io + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-snapshot-controller-leaderelection-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +rules: + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create", "patch"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-snapshot-controller-leaderelection-binding + labels: + {{- include "azurefile.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccount.snapshotController }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: csi-snapshot-controller-leaderelection-role + apiGroup: rbac.authorization.k8s.io +{{ end }} diff --git a/charts/v1.33.7/azurefile-csi-driver/templates/serviceaccount-csi-azurefile-controller.yaml b/charts/v1.33.7/azurefile-csi-driver/templates/serviceaccount-csi-azurefile-controller.yaml new file mode 100644 index 0000000000..71442b70dc --- /dev/null +++ b/charts/v1.33.7/azurefile-csi-driver/templates/serviceaccount-csi-azurefile-controller.yaml @@ -0,0 +1,17 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ .Values.serviceAccount.controller }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "azurefile.labels" . | nindent 4 }} +{{- if .Values.workloadIdentity.clientID }} + azure.workload.identity/use: "true" + annotations: + azure.workload.identity/client-id: {{ .Values.workloadIdentity.clientID }} +{{- if .Values.workloadIdentity.tenantID }} + azure.workload.identity/tenant-id: {{ .Values.workloadIdentity.tenantID }} +{{- end }} +{{- end }} +{{- end -}} diff --git a/charts/v1.33.7/azurefile-csi-driver/templates/serviceaccount-csi-azurefile-node.yaml b/charts/v1.33.7/azurefile-csi-driver/templates/serviceaccount-csi-azurefile-node.yaml new file mode 100644 index 0000000000..ab2074429d --- /dev/null +++ b/charts/v1.33.7/azurefile-csi-driver/templates/serviceaccount-csi-azurefile-node.yaml @@ -0,0 +1,17 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ .Values.serviceAccount.node }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "azurefile.labels" . | nindent 4 }} +{{- if .Values.workloadIdentity.clientID }} + azure.workload.identity/use: "true" + annotations: + azure.workload.identity/client-id: {{ .Values.workloadIdentity.clientID }} +{{- if .Values.workloadIdentity.tenantID }} + azure.workload.identity/tenant-id: {{ .Values.workloadIdentity.tenantID }} +{{- end }} +{{- end }} +{{- end -}} diff --git a/charts/v1.33.7/azurefile-csi-driver/templates/serviceaccount-csi-snapshot-controller.yaml b/charts/v1.33.7/azurefile-csi-driver/templates/serviceaccount-csi-snapshot-controller.yaml new file mode 100644 index 0000000000..e77ef8f991 --- /dev/null +++ b/charts/v1.33.7/azurefile-csi-driver/templates/serviceaccount-csi-snapshot-controller.yaml @@ -0,0 +1,9 @@ +{{- if and .Values.snapshot.enabled .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ .Values.serviceAccount.snapshotController }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "azurefile.labels" . | nindent 4 }} +{{- end -}} diff --git a/charts/v1.33.7/azurefile-csi-driver/values.yaml b/charts/v1.33.7/azurefile-csi-driver/values.yaml new file mode 100644 index 0000000000..0116d3aae9 --- /dev/null +++ b/charts/v1.33.7/azurefile-csi-driver/values.yaml @@ -0,0 +1,267 @@ +image: + baseRepo: mcr.microsoft.com + azurefile: + repository: /oss/v2/kubernetes-csi/azurefile-csi + tag: v1.33.7 + pullPolicy: IfNotPresent + csiProvisioner: + repository: /oss/v2/kubernetes-csi/csi-provisioner + tag: v6.1.0 + pullPolicy: IfNotPresent + csiResizer: + repository: /oss/v2/kubernetes-csi/csi-resizer + tag: v2.0.0 + pullPolicy: IfNotPresent + livenessProbe: + repository: /oss/v2/kubernetes-csi/livenessprobe + tag: v2.17.0 + pullPolicy: IfNotPresent + nodeDriverRegistrar: + repository: /oss/v2/kubernetes-csi/csi-node-driver-registrar + tag: v2.15.0 + pullPolicy: IfNotPresent + +## Reference to one or more secrets to be used when pulling images +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ +imagePullSecrets: [] +# - name: myRegistryKeySecretName + +# -- Custom labels to add into metadata +customLabels: {} + # k8s-app: azurefile-csi-driver + +serviceAccount: + create: true # When true, service accounts will be created for you. Set to false if you want to use your own. + controller: csi-azurefile-controller-sa # Name of Service Account to be created or used + node: csi-azurefile-node-sa # Name of Service Account to be created or used + snapshotController: csi-snapshot-controller-sa # Name of Service Account to be created or used + +rbac: + create: true + name: azurefile + +controller: + name: csi-azurefile-controller + cloudConfigSecretName: azure-cloud-provider + cloudConfigSecretNamespace: kube-system + allowEmptyCloudConfig: true + replicas: 2 + strategyType: RollingUpdate + hostNetwork: true # this setting could be disabled if controller does not depend on MSI setting + metricsPort: 29614 + livenessProbe: + healthPort: 29612 + runOnMaster: false + runOnControlPlane: false + attachRequired: false + logLevel: 5 + labels: {} + annotations: {} + podLabels: {} + podAnnotations: {} + resources: + csiProvisioner: + limits: + cpu: 1 + memory: 500Mi + requests: + cpu: 10m + memory: 20Mi + csiResizer: + limits: + cpu: 1 + memory: 500Mi + requests: + cpu: 10m + memory: 20Mi + csiSnapshotter: + limits: + cpu: 1 + memory: 400Mi + requests: + cpu: 10m + memory: 20Mi + livenessProbe: + limits: + cpu: 1 + memory: 100Mi + requests: + cpu: 10m + memory: 20Mi + azurefile: + limits: + cpu: 2 + memory: 800Mi + requests: + cpu: 10m + memory: 20Mi + kubeconfig: "" + affinity: {} + nodeSelector: {} + tolerations: + - key: "node-role.kubernetes.io/master" + operator: "Exists" + effect: "NoSchedule" + - key: "node-role.kubernetes.io/controlplane" + operator: "Exists" + effect: "NoSchedule" + - key: "node-role.kubernetes.io/control-plane" + operator: "Exists" + effect: "NoSchedule" + - key: "CriticalAddonsOnly" + operator: "Exists" + effect: "NoSchedule" + +node: + strategyType: RollingUpdate + maxUnavailable: 1 + cloudConfigSecretName: azure-cloud-provider + cloudConfigSecretNamespace: kube-system + allowEmptyCloudConfig: true + allowInlineVolumeKeyAccessWithIdentity: false + enableKataCCMount: false + metricsPort: 29615 + livenessProbe: + healthPort: 29613 + logLevel: 5 + azurefileProxy: + enabled: true + installAznfsMount: true + migrateK8sRepo: false + +snapshot: + enabled: false + image: + csiSnapshotter: + repository: /oss/v2/kubernetes-csi/csi-snapshotter + tag: v8.4.0 + pullPolicy: IfNotPresent + csiSnapshotController: + repository: /oss/v2/kubernetes-csi/snapshot-controller + tag: v8.4.0 + pullPolicy: IfNotPresent + snapshotController: + name: csi-snapshot-controller + replicas: 2 + strategyType: RollingUpdate + labels: {} + annotations: {} + podLabels: {} + podAnnotations: {} + resources: + limits: + cpu: 1 + memory: 500Mi + requests: + cpu: 10m + memory: 20Mi + +feature: + enableGetVolumeStats: true + enableVolumeMountGroup: true + fsGroupPolicy: ReadWriteOnceWithFSType + +driver: + name: file.csi.azure.com + customUserAgent: "" + userAgentSuffix: "OSS-helm" + azureGoSDKLogLevel: "" # available values: ""(no logs), DEBUG, INFO, WARNING, ERROR + httpsProxy: "" + httpProxy: "" + +linux: + enabled: true + dsName: csi-azurefile-node # daemonset name + dnsPolicy: Default # available values: Default, ClusterFirst, ClusterFirstWithHostNet, None + kubelet: /var/lib/kubelet + kubeconfig: "" + distro: debian # available values: debian, fedora + mountPermissions: 0777 + labels: {} + annotations: {} + podLabels: {} + podAnnotations: {} + resources: + livenessProbe: + limits: + memory: 100Mi + requests: + cpu: 10m + memory: 20Mi + nodeDriverRegistrar: + limits: + memory: 100Mi + requests: + cpu: 10m + memory: 20Mi + azurefile: + limits: + memory: 400Mi + requests: + cpu: 10m + memory: 20Mi + tolerations: + - operator: "Exists" + nodeSelector: {} + affinity: {} + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: type + operator: NotIn + values: + - virtual-kubelet + +windows: + enabled: true + useHostProcessContainers: true + dsName: csi-azurefile-node-win # daemonset name + kubelet: 'C:\var\lib\kubelet' + kubeconfig: "" + enableRegistrationProbe: true + labels: {} + annotations: {} + podLabels: {} + podAnnotations: {} + resources: + livenessProbe: + limits: + memory: 150Mi + requests: + cpu: 10m + memory: 40Mi + nodeDriverRegistrar: + limits: + memory: 150Mi + requests: + cpu: 30m + memory: 40Mi + azurefile: + limits: + memory: 600Mi + requests: + cpu: 10m + memory: 40Mi + tolerations: + - key: "node.kubernetes.io/os" + operator: "Exists" + effect: "NoSchedule" + nodeSelector: {} + affinity: {} + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: type + operator: NotIn + values: + - virtual-kubelet + +workloadIdentity: + clientID: "" + # [optional] If the AAD application or user-assigned managed identity is not in the same tenant as the cluster + # then set tenantID with the application or user-assigned managed identity tenant ID + tenantID: "" + +azureCredentialFileConfigMap: azure-cred-file diff --git a/charts/v1.34.0/azurefile-csi-driver-1.34.0.tgz b/charts/v1.34.0/azurefile-csi-driver-1.34.0.tgz index c3ad02decb..3328925512 100644 Binary files a/charts/v1.34.0/azurefile-csi-driver-1.34.0.tgz and b/charts/v1.34.0/azurefile-csi-driver-1.34.0.tgz differ diff --git a/charts/v1.34.0/azurefile-csi-driver/templates/csi-azurefile-controller.yaml b/charts/v1.34.0/azurefile-csi-driver/templates/csi-azurefile-controller.yaml index 0e782b851b..668126b652 100644 --- a/charts/v1.34.0/azurefile-csi-driver/templates/csi-azurefile-controller.yaml +++ b/charts/v1.34.0/azurefile-csi-driver/templates/csi-azurefile-controller.yaml @@ -183,7 +183,7 @@ spec: - ALL - name: azurefile {{- if hasPrefix "/" .Values.image.azurefile.repository }} - image: "{{ .Values.image.baseRepo }}{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}" + image: "{{ .Values.image.baseRepo }}{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}-2" {{- else }} image: "{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}" {{- end }} diff --git a/charts/v1.34.0/azurefile-csi-driver/templates/csi-azurefile-node.yaml b/charts/v1.34.0/azurefile-csi-driver/templates/csi-azurefile-node.yaml index c6a8c3e7c3..707fb6979d 100644 --- a/charts/v1.34.0/azurefile-csi-driver/templates/csi-azurefile-node.yaml +++ b/charts/v1.34.0/azurefile-csi-driver/templates/csi-azurefile-node.yaml @@ -71,7 +71,7 @@ spec: initContainers: - name: install-azurefile-proxy {{- if hasPrefix "/" .Values.image.azurefile.repository }} - image: "{{ .Values.image.baseRepo }}{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}" + image: "{{ .Values.image.baseRepo }}{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}-2" {{- else }} image: "{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}" {{- end }} @@ -150,7 +150,7 @@ spec: {{- if .Values.node.enableManagedIdentityAuth }} - name: azfilesrefresh {{- if hasPrefix "/" .Values.image.azurefile.repository }} - image: "{{ .Values.image.baseRepo }}{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}" + image: "{{ .Values.image.baseRepo }}{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}-2" {{- else }} image: "{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}" {{- end }} @@ -174,7 +174,7 @@ spec: {{- end }} - name: azurefile {{- if hasPrefix "/" .Values.image.azurefile.repository }} - image: "{{ .Values.image.baseRepo }}{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}" + image: "{{ .Values.image.baseRepo }}{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}-2" {{- else }} image: "{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}" {{- end }} diff --git a/charts/v1.34.1/azurefile-csi-driver-1.34.1.tgz b/charts/v1.34.1/azurefile-csi-driver-1.34.1.tgz index 4485ee1dc0..7412f4f462 100644 Binary files a/charts/v1.34.1/azurefile-csi-driver-1.34.1.tgz and b/charts/v1.34.1/azurefile-csi-driver-1.34.1.tgz differ diff --git a/charts/v1.34.1/azurefile-csi-driver/templates/csi-azurefile-node.yaml b/charts/v1.34.1/azurefile-csi-driver/templates/csi-azurefile-node.yaml index eddaacb6ae..f11e21c718 100644 --- a/charts/v1.34.1/azurefile-csi-driver/templates/csi-azurefile-node.yaml +++ b/charts/v1.34.1/azurefile-csi-driver/templates/csi-azurefile-node.yaml @@ -166,8 +166,8 @@ spec: - mountPath: "{{ .Values.linux.kubelet }}" mountPropagation: Bidirectional name: mountpoint-dir - - name: host-etc - mountPath: /etc + - name: azfilesauth + mountPath: /etc/azfilesauth - name: log-dir mountPath: /var/log/ resources: {{- toYaml .Values.linux.resources.azfilesrefresh | nindent 12 }} @@ -263,8 +263,8 @@ spec: {{- if .Values.node.enableManagedIdentityAuth }} - name: log-dir mountPath: /var/log/ - - name: host-etc - mountPath: /etc + - name: azfilesauth + mountPath: /etc/azfilesauth {{- end }} resources: {{- toYaml .Values.linux.resources.azurefile | nindent 12 }} volumes: @@ -274,6 +274,10 @@ spec: - name: host-etc hostPath: path: /etc + - name: azfilesauth + hostPath: + path: /etc/azfilesauth + type: DirectoryOrCreate - hostPath: path: {{ .Values.linux.kubelet }}/plugins/{{ .Values.driver.name }} type: DirectoryOrCreate diff --git a/charts/v1.34.2/azurefile-csi-driver-1.34.2.tgz b/charts/v1.34.2/azurefile-csi-driver-1.34.2.tgz new file mode 100644 index 0000000000..9a2cd96c0c Binary files /dev/null and b/charts/v1.34.2/azurefile-csi-driver-1.34.2.tgz differ diff --git a/charts/v1.34.2/azurefile-csi-driver/Chart.yaml b/charts/v1.34.2/azurefile-csi-driver/Chart.yaml new file mode 100644 index 0000000000..0e1d80f13b --- /dev/null +++ b/charts/v1.34.2/azurefile-csi-driver/Chart.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +appVersion: 1.34.2 +description: Azure File Container Storage Interface (CSI) Storage Plugin +name: azurefile-csi-driver +version: 1.34.2 diff --git a/charts/v1.34.2/azurefile-csi-driver/templates/NOTES.txt b/charts/v1.34.2/azurefile-csi-driver/templates/NOTES.txt new file mode 100644 index 0000000000..bea09b0829 --- /dev/null +++ b/charts/v1.34.2/azurefile-csi-driver/templates/NOTES.txt @@ -0,0 +1,5 @@ +The Azure File CSI Driver is getting deployed to your cluster. + +To check Azure File CSI Driver pods status, please run: + + kubectl --namespace={{ .Release.Namespace }} get pods --selector="app.kubernetes.io/name={{ .Release.Name }}" --watch diff --git a/charts/v1.34.2/azurefile-csi-driver/templates/_helpers.tpl b/charts/v1.34.2/azurefile-csi-driver/templates/_helpers.tpl new file mode 100644 index 0000000000..b1bf4dc1b6 --- /dev/null +++ b/charts/v1.34.2/azurefile-csi-driver/templates/_helpers.tpl @@ -0,0 +1,49 @@ +{{/* vim: set filetype=mustache: */}} + +{{/* Expand the name of the chart.*/}} +{{- define "azurefile.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "azurefile.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Common selectors. +*/}} +{{- define "azurefile.selectorLabels" -}} +app.kubernetes.io/name: {{ template "azurefile.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end -}} + +{{/* +Common labels. +*/}} +{{- define "azurefile.labels" -}} +{{- include "azurefile.selectorLabels" . }} +app.kubernetes.io/component: csi-driver +app.kubernetes.io/part-of: {{ template "azurefile.name" . }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +helm.sh/chart: {{ template "azurefile.chart" . }} +{{- if .Values.customLabels }} +{{ toYaml .Values.customLabels }} +{{- end }} +{{- end -}} + + +{{/* pull secrets for containers */}} +{{- define "azurefile.pullSecrets" -}} +{{- if .Values.imagePullSecrets }} +imagePullSecrets: +{{- range .Values.imagePullSecrets }} + - name: {{ . }} +{{- end }} +{{- end }} +{{- end -}} diff --git a/charts/v1.34.2/azurefile-csi-driver/templates/crd-csi-snapshot.yaml b/charts/v1.34.2/azurefile-csi-driver/templates/crd-csi-snapshot.yaml new file mode 100644 index 0000000000..3a66c45732 --- /dev/null +++ b/charts/v1.34.2/azurefile-csi-driver/templates/crd-csi-snapshot.yaml @@ -0,0 +1,953 @@ +{{- if .Values.snapshot.enabled -}} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + api-approved.kubernetes.io: "https://github.com/kubernetes-csi/external-snapshotter/pull/814" + name: volumesnapshots.snapshot.storage.k8s.io +spec: + group: snapshot.storage.k8s.io + names: + kind: VolumeSnapshot + listKind: VolumeSnapshotList + plural: volumesnapshots + shortNames: + - vs + singular: volumesnapshot + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Indicates if the snapshot is ready to be used to restore a volume. + jsonPath: .status.readyToUse + name: ReadyToUse + type: boolean + - description: If a new snapshot needs to be created, this contains the name of + the source PVC from which this snapshot was (or will be) created. + jsonPath: .spec.source.persistentVolumeClaimName + name: SourcePVC + type: string + - description: If a snapshot already exists, this contains the name of the existing + VolumeSnapshotContent object representing the existing snapshot. + jsonPath: .spec.source.volumeSnapshotContentName + name: SourceSnapshotContent + type: string + - description: Represents the minimum size of volume required to rehydrate from + this snapshot. + jsonPath: .status.restoreSize + name: RestoreSize + type: string + - description: The name of the VolumeSnapshotClass requested by the VolumeSnapshot. + jsonPath: .spec.volumeSnapshotClassName + name: SnapshotClass + type: string + - description: Name of the VolumeSnapshotContent object to which the VolumeSnapshot + object intends to bind to. Please note that verification of binding actually + requires checking both VolumeSnapshot and VolumeSnapshotContent to ensure + both are pointing at each other. Binding MUST be verified prior to usage of + this object. + jsonPath: .status.boundVolumeSnapshotContentName + name: SnapshotContent + type: string + - description: Timestamp when the point-in-time snapshot was taken by the underlying + storage system. + jsonPath: .status.creationTime + name: CreationTime + type: date + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + VolumeSnapshot is a user's request for either creating a point-in-time + snapshot of a persistent volume, or binding to a pre-existing snapshot. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + spec defines the desired characteristics of a snapshot requested by a user. + More info: https://kubernetes.io/docs/concepts/storage/volume-snapshots#volumesnapshots + Required. + properties: + source: + description: |- + source specifies where a snapshot will be created from. + This field is immutable after creation. + Required. + properties: + persistentVolumeClaimName: + description: |- + persistentVolumeClaimName specifies the name of the PersistentVolumeClaim + object representing the volume from which a snapshot should be created. + This PVC is assumed to be in the same namespace as the VolumeSnapshot + object. + This field should be set if the snapshot does not exists, and needs to be + created. + This field is immutable. + type: string + x-kubernetes-validations: + - message: persistentVolumeClaimName is immutable + rule: self == oldSelf + volumeSnapshotContentName: + description: |- + volumeSnapshotContentName specifies the name of a pre-existing VolumeSnapshotContent + object representing an existing volume snapshot. + This field should be set if the snapshot already exists and only needs a representation in Kubernetes. + This field is immutable. + type: string + x-kubernetes-validations: + - message: volumeSnapshotContentName is immutable + rule: self == oldSelf + type: object + x-kubernetes-validations: + - message: persistentVolumeClaimName is required once set + rule: '!has(oldSelf.persistentVolumeClaimName) || has(self.persistentVolumeClaimName)' + - message: volumeSnapshotContentName is required once set + rule: '!has(oldSelf.volumeSnapshotContentName) || has(self.volumeSnapshotContentName)' + - message: exactly one of volumeSnapshotContentName and persistentVolumeClaimName + must be set + rule: (has(self.volumeSnapshotContentName) && !has(self.persistentVolumeClaimName)) + || (!has(self.volumeSnapshotContentName) && has(self.persistentVolumeClaimName)) + volumeSnapshotClassName: + description: |- + VolumeSnapshotClassName is the name of the VolumeSnapshotClass + requested by the VolumeSnapshot. + VolumeSnapshotClassName may be left nil to indicate that the default + SnapshotClass should be used. + A given cluster may have multiple default Volume SnapshotClasses: one + default per CSI Driver. If a VolumeSnapshot does not specify a SnapshotClass, + VolumeSnapshotSource will be checked to figure out what the associated + CSI Driver is, and the default VolumeSnapshotClass associated with that + CSI Driver will be used. If more than one VolumeSnapshotClass exist for + a given CSI Driver and more than one have been marked as default, + CreateSnapshot will fail and generate an event. + Empty string is not allowed for this field. + type: string + x-kubernetes-validations: + - message: volumeSnapshotClassName must not be the empty string when + set + rule: size(self) > 0 + required: + - source + type: object + status: + description: |- + status represents the current information of a snapshot. + Consumers must verify binding between VolumeSnapshot and + VolumeSnapshotContent objects is successful (by validating that both + VolumeSnapshot and VolumeSnapshotContent point at each other) before + using this object. + properties: + boundVolumeSnapshotContentName: + description: |- + boundVolumeSnapshotContentName is the name of the VolumeSnapshotContent + object to which this VolumeSnapshot object intends to bind to. + If not specified, it indicates that the VolumeSnapshot object has not been + successfully bound to a VolumeSnapshotContent object yet. + NOTE: To avoid possible security issues, consumers must verify binding between + VolumeSnapshot and VolumeSnapshotContent objects is successful (by validating that + both VolumeSnapshot and VolumeSnapshotContent point at each other) before using + this object. + type: string + creationTime: + description: |- + creationTime is the timestamp when the point-in-time snapshot is taken + by the underlying storage system. + In dynamic snapshot creation case, this field will be filled in by the + snapshot controller with the "creation_time" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "creation_time" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. + If not specified, it may indicate that the creation time of the snapshot is unknown. + format: date-time + type: string + error: + description: |- + error is the last observed error during snapshot creation, if any. + This field could be helpful to upper level controllers(i.e., application controller) + to decide whether they should continue on waiting for the snapshot to be created + based on the type of error reported. + The snapshot controller will keep retrying when an error occurs during the + snapshot creation. Upon success, this error field will be cleared. + properties: + message: + description: |- + message is a string detailing the encountered error during snapshot + creation if specified. + NOTE: message may be logged, and it should not contain sensitive + information. + type: string + time: + description: time is the timestamp when the error was encountered. + format: date-time + type: string + type: object + readyToUse: + description: |- + readyToUse indicates if the snapshot is ready to be used to restore a volume. + In dynamic snapshot creation case, this field will be filled in by the + snapshot controller with the "ready_to_use" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "ready_to_use" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it, + otherwise, this field will be set to "True". + If not specified, it means the readiness of a snapshot is unknown. + type: boolean + restoreSize: + type: string + description: |- + restoreSize represents the minimum size of volume required to create a volume + from this snapshot. + In dynamic snapshot creation case, this field will be filled in by the + snapshot controller with the "size_bytes" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "size_bytes" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. + When restoring a volume from this snapshot, the size of the volume MUST NOT + be smaller than the restoreSize if it is specified, otherwise the restoration will fail. + If not specified, it indicates that the size is unknown. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + volumeGroupSnapshotName: + description: |- + VolumeGroupSnapshotName is the name of the VolumeGroupSnapshot of which this + VolumeSnapshot is a part of. + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: Indicates if the snapshot is ready to be used to restore a volume. + jsonPath: .status.readyToUse + name: ReadyToUse + type: boolean + - description: If a new snapshot needs to be created, this contains the name of the source PVC from which this snapshot was (or will be) created. + jsonPath: .spec.source.persistentVolumeClaimName + name: SourcePVC + type: string + - description: If a snapshot already exists, this contains the name of the existing VolumeSnapshotContent object representing the existing snapshot. + jsonPath: .spec.source.volumeSnapshotContentName + name: SourceSnapshotContent + type: string + - description: Represents the minimum size of volume required to rehydrate from this snapshot. + jsonPath: .status.restoreSize + name: RestoreSize + type: string + - description: The name of the VolumeSnapshotClass requested by the VolumeSnapshot. + jsonPath: .spec.volumeSnapshotClassName + name: SnapshotClass + type: string + - description: Name of the VolumeSnapshotContent object to which the VolumeSnapshot object intends to bind to. Please note that verification of binding actually requires checking both VolumeSnapshot and VolumeSnapshotContent to ensure both are pointing at each other. Binding MUST be verified prior to usage of this object. + jsonPath: .status.boundVolumeSnapshotContentName + name: SnapshotContent + type: string + - description: Timestamp when the point-in-time snapshot was taken by the underlying storage system. + jsonPath: .status.creationTime + name: CreationTime + type: date + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + # This indicates the v1beta1 version of the custom resource is deprecated. + # API requests to this version receive a warning in the server response. + deprecated: true + # This overrides the default warning returned to clients making v1beta1 API requests. + deprecationWarning: "snapshot.storage.k8s.io/v1beta1 VolumeSnapshot is deprecated; use snapshot.storage.k8s.io/v1 VolumeSnapshot" + schema: + openAPIV3Schema: + description: VolumeSnapshot is a user's request for either creating a point-in-time snapshot of a persistent volume, or binding to a pre-existing snapshot. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + spec: + description: 'spec defines the desired characteristics of a snapshot requested by a user. More info: https://kubernetes.io/docs/concepts/storage/volume-snapshots#volumesnapshots Required.' + properties: + source: + description: source specifies where a snapshot will be created from. This field is immutable after creation. Required. + properties: + persistentVolumeClaimName: + description: persistentVolumeClaimName specifies the name of the PersistentVolumeClaim object representing the volume from which a snapshot should be created. This PVC is assumed to be in the same namespace as the VolumeSnapshot object. This field should be set if the snapshot does not exists, and needs to be created. This field is immutable. + type: string + volumeSnapshotContentName: + description: volumeSnapshotContentName specifies the name of a pre-existing VolumeSnapshotContent object representing an existing volume snapshot. This field should be set if the snapshot already exists and only needs a representation in Kubernetes. This field is immutable. + type: string + type: object + volumeSnapshotClassName: + description: 'VolumeSnapshotClassName is the name of the VolumeSnapshotClass requested by the VolumeSnapshot. VolumeSnapshotClassName may be left nil to indicate that the default SnapshotClass should be used. A given cluster may have multiple default Volume SnapshotClasses: one default per CSI Driver. If a VolumeSnapshot does not specify a SnapshotClass, VolumeSnapshotSource will be checked to figure out what the associated CSI Driver is, and the default VolumeSnapshotClass associated with that CSI Driver will be used. If more than one VolumeSnapshotClass exist for a given CSI Driver and more than one have been marked as default, CreateSnapshot will fail and generate an event. Empty string is not allowed for this field.' + type: string + required: + - source + type: object + status: + description: status represents the current information of a snapshot. Consumers must verify binding between VolumeSnapshot and VolumeSnapshotContent objects is successful (by validating that both VolumeSnapshot and VolumeSnapshotContent point at each other) before using this object. + properties: + boundVolumeSnapshotContentName: + description: 'boundVolumeSnapshotContentName is the name of the VolumeSnapshotContent object to which this VolumeSnapshot object intends to bind to. If not specified, it indicates that the VolumeSnapshot object has not been successfully bound to a VolumeSnapshotContent object yet. NOTE: To avoid possible security issues, consumers must verify binding between VolumeSnapshot and VolumeSnapshotContent objects is successful (by validating that both VolumeSnapshot and VolumeSnapshotContent point at each other) before using this object.' + type: string + creationTime: + description: creationTime is the timestamp when the point-in-time snapshot is taken by the underlying storage system. In dynamic snapshot creation case, this field will be filled in by the snapshot controller with the "creation_time" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "creation_time" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. If not specified, it may indicate that the creation time of the snapshot is unknown. + format: date-time + type: string + error: + description: error is the last observed error during snapshot creation, if any. This field could be helpful to upper level controllers(i.e., application controller) to decide whether they should continue on waiting for the snapshot to be created based on the type of error reported. The snapshot controller will keep retrying when an error occurs during the snapshot creation. Upon success, this error field will be cleared. + properties: + message: + description: 'message is a string detailing the encountered error during snapshot creation if specified. NOTE: message may be logged, and it should not contain sensitive information.' + type: string + time: + description: time is the timestamp when the error was encountered. + format: date-time + type: string + type: object + readyToUse: + description: readyToUse indicates if the snapshot is ready to be used to restore a volume. In dynamic snapshot creation case, this field will be filled in by the snapshot controller with the "ready_to_use" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "ready_to_use" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it, otherwise, this field will be set to "True". If not specified, it means the readiness of a snapshot is unknown. + type: boolean + restoreSize: + type: string + description: restoreSize represents the minimum size of volume required to create a volume from this snapshot. In dynamic snapshot creation case, this field will be filled in by the snapshot controller with the "size_bytes" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "size_bytes" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. When restoring a volume from this snapshot, the size of the volume MUST NOT be smaller than the restoreSize if it is specified, otherwise the restoration will fail. If not specified, it indicates that the size is unknown. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + required: + - spec + type: object + served: false + storage: false + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: "https://github.com/kubernetes-csi/external-snapshotter/pull/814" + controller-gen.kubebuilder.io/version: v0.15.0 + name: volumesnapshotclasses.snapshot.storage.k8s.io +spec: + group: snapshot.storage.k8s.io + names: + kind: VolumeSnapshotClass + listKind: VolumeSnapshotClassList + plural: volumesnapshotclasses + shortNames: + - vsclass + - vsclasses + singular: volumesnapshotclass + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .driver + name: Driver + type: string + - description: Determines whether a VolumeSnapshotContent created through the + VolumeSnapshotClass should be deleted when its bound VolumeSnapshot is deleted. + jsonPath: .deletionPolicy + name: DeletionPolicy + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + VolumeSnapshotClass specifies parameters that a underlying storage system uses when + creating a volume snapshot. A specific VolumeSnapshotClass is used by specifying its + name in a VolumeSnapshot object. + VolumeSnapshotClasses are non-namespaced + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + deletionPolicy: + description: |- + deletionPolicy determines whether a VolumeSnapshotContent created through + the VolumeSnapshotClass should be deleted when its bound VolumeSnapshot is deleted. + Supported values are "Retain" and "Delete". + "Retain" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are kept. + "Delete" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are deleted. + Required. + enum: + - Delete + - Retain + type: string + driver: + description: |- + driver is the name of the storage driver that handles this VolumeSnapshotClass. + Required. + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + parameters: + additionalProperties: + type: string + description: |- + parameters is a key-value map with storage driver specific parameters for creating snapshots. + These values are opaque to Kubernetes. + type: object + required: + - deletionPolicy + - driver + type: object + served: true + storage: true + subresources: {} + - additionalPrinterColumns: + - jsonPath: .driver + name: Driver + type: string + - description: Determines whether a VolumeSnapshotContent created through the VolumeSnapshotClass should be deleted when its bound VolumeSnapshot is deleted. + jsonPath: .deletionPolicy + name: DeletionPolicy + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + # This indicates the v1beta1 version of the custom resource is deprecated. + # API requests to this version receive a warning in the server response. + deprecated: true + # This overrides the default warning returned to clients making v1beta1 API requests. + deprecationWarning: "snapshot.storage.k8s.io/v1beta1 VolumeSnapshotClass is deprecated; use snapshot.storage.k8s.io/v1 VolumeSnapshotClass" + schema: + openAPIV3Schema: + description: VolumeSnapshotClass specifies parameters that a underlying storage system uses when creating a volume snapshot. A specific VolumeSnapshotClass is used by specifying its name in a VolumeSnapshot object. VolumeSnapshotClasses are non-namespaced + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + deletionPolicy: + description: deletionPolicy determines whether a VolumeSnapshotContent created through the VolumeSnapshotClass should be deleted when its bound VolumeSnapshot is deleted. Supported values are "Retain" and "Delete". "Retain" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are kept. "Delete" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are deleted. Required. + enum: + - Delete + - Retain + type: string + driver: + description: driver is the name of the storage driver that handles this VolumeSnapshotClass. Required. + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + parameters: + additionalProperties: + type: string + description: parameters is a key-value map with storage driver specific parameters for creating snapshots. These values are opaque to Kubernetes. + type: object + required: + - deletionPolicy + - driver + type: object + served: false + storage: false + subresources: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + api-approved.kubernetes.io: "https://github.com/kubernetes-csi/external-snapshotter/pull/955" + name: volumesnapshotcontents.snapshot.storage.k8s.io +spec: + group: snapshot.storage.k8s.io + names: + kind: VolumeSnapshotContent + listKind: VolumeSnapshotContentList + plural: volumesnapshotcontents + shortNames: + - vsc + - vscs + singular: volumesnapshotcontent + scope: Cluster + versions: + - additionalPrinterColumns: + - description: Indicates if the snapshot is ready to be used to restore a volume. + jsonPath: .status.readyToUse + name: ReadyToUse + type: boolean + - description: Represents the complete size of the snapshot in bytes + jsonPath: .status.restoreSize + name: RestoreSize + type: integer + - description: Determines whether this VolumeSnapshotContent and its physical + snapshot on the underlying storage system should be deleted when its bound + VolumeSnapshot is deleted. + jsonPath: .spec.deletionPolicy + name: DeletionPolicy + type: string + - description: Name of the CSI driver used to create the physical snapshot on + the underlying storage system. + jsonPath: .spec.driver + name: Driver + type: string + - description: Name of the VolumeSnapshotClass to which this snapshot belongs. + jsonPath: .spec.volumeSnapshotClassName + name: VolumeSnapshotClass + type: string + - description: Name of the VolumeSnapshot object to which this VolumeSnapshotContent + object is bound. + jsonPath: .spec.volumeSnapshotRef.name + name: VolumeSnapshot + type: string + - description: Namespace of the VolumeSnapshot object to which this VolumeSnapshotContent + object is bound. + jsonPath: .spec.volumeSnapshotRef.namespace + name: VolumeSnapshotNamespace + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + VolumeSnapshotContent represents the actual "on-disk" snapshot object in the + underlying storage system + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + spec defines properties of a VolumeSnapshotContent created by the underlying storage system. + Required. + properties: + deletionPolicy: + description: |- + deletionPolicy determines whether this VolumeSnapshotContent and its physical snapshot on + the underlying storage system should be deleted when its bound VolumeSnapshot is deleted. + Supported values are "Retain" and "Delete". + "Retain" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are kept. + "Delete" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are deleted. + For dynamically provisioned snapshots, this field will automatically be filled in by the + CSI snapshotter sidecar with the "DeletionPolicy" field defined in the corresponding + VolumeSnapshotClass. + For pre-existing snapshots, users MUST specify this field when creating the + VolumeSnapshotContent object. + Required. + enum: + - Delete + - Retain + type: string + driver: + description: |- + driver is the name of the CSI driver used to create the physical snapshot on + the underlying storage system. + This MUST be the same as the name returned by the CSI GetPluginName() call for + that driver. + Required. + type: string + source: + description: |- + source specifies whether the snapshot is (or should be) dynamically provisioned + or already exists, and just requires a Kubernetes object representation. + This field is immutable after creation. + Required. + properties: + snapshotHandle: + description: |- + snapshotHandle specifies the CSI "snapshot_id" of a pre-existing snapshot on + the underlying storage system for which a Kubernetes object representation + was (or should be) created. + This field is immutable. + type: string + x-kubernetes-validations: + - message: snapshotHandle is immutable + rule: self == oldSelf + volumeHandle: + description: |- + volumeHandle specifies the CSI "volume_id" of the volume from which a snapshot + should be dynamically taken from. + This field is immutable. + type: string + x-kubernetes-validations: + - message: volumeHandle is immutable + rule: self == oldSelf + type: object + x-kubernetes-validations: + - message: volumeHandle is required once set + rule: '!has(oldSelf.volumeHandle) || has(self.volumeHandle)' + - message: snapshotHandle is required once set + rule: '!has(oldSelf.snapshotHandle) || has(self.snapshotHandle)' + - message: exactly one of volumeHandle and snapshotHandle must be + set + rule: (has(self.volumeHandle) && !has(self.snapshotHandle)) || (!has(self.volumeHandle) + && has(self.snapshotHandle)) + sourceVolumeMode: + description: |- + SourceVolumeMode is the mode of the volume whose snapshot is taken. + Can be either "Filesystem" or "Block". + If not specified, it indicates the source volume's mode is unknown. + This field is immutable. + This field is an alpha field. + type: string + x-kubernetes-validations: + - message: sourceVolumeMode is immutable + rule: self == oldSelf + volumeSnapshotClassName: + description: |- + name of the VolumeSnapshotClass from which this snapshot was (or will be) + created. + Note that after provisioning, the VolumeSnapshotClass may be deleted or + recreated with different set of values, and as such, should not be referenced + post-snapshot creation. + type: string + volumeSnapshotRef: + description: |- + volumeSnapshotRef specifies the VolumeSnapshot object to which this + VolumeSnapshotContent object is bound. + VolumeSnapshot.Spec.VolumeSnapshotContentName field must reference to + this VolumeSnapshotContent's name for the bidirectional binding to be valid. + For a pre-existing VolumeSnapshotContent object, name and namespace of the + VolumeSnapshot object MUST be provided for binding to happen. + This field is immutable after creation. + Required. + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. + type: string + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + namespace: + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + type: string + resourceVersion: + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + type: string + uid: + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + type: string + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: both spec.volumeSnapshotRef.name and spec.volumeSnapshotRef.namespace + must be set + rule: has(self.name) && has(self.__namespace__) + required: + - deletionPolicy + - driver + - source + - volumeSnapshotRef + type: object + x-kubernetes-validations: + - message: sourceVolumeMode is required once set + rule: '!has(oldSelf.sourceVolumeMode) || has(self.sourceVolumeMode)' + status: + description: status represents the current information of a snapshot. + properties: + creationTime: + description: |- + creationTime is the timestamp when the point-in-time snapshot is taken + by the underlying storage system. + In dynamic snapshot creation case, this field will be filled in by the + CSI snapshotter sidecar with the "creation_time" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "creation_time" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. + If not specified, it indicates the creation time is unknown. + The format of this field is a Unix nanoseconds time encoded as an int64. + On Unix, the command `date +%s%N` returns the current time in nanoseconds + since 1970-01-01 00:00:00 UTC. + format: int64 + type: integer + error: + description: |- + error is the last observed error during snapshot creation, if any. + Upon success after retry, this error field will be cleared. + properties: + message: + description: |- + message is a string detailing the encountered error during snapshot + creation if specified. + NOTE: message may be logged, and it should not contain sensitive + information. + type: string + time: + description: time is the timestamp when the error was encountered. + format: date-time + type: string + type: object + readyToUse: + description: |- + readyToUse indicates if a snapshot is ready to be used to restore a volume. + In dynamic snapshot creation case, this field will be filled in by the + CSI snapshotter sidecar with the "ready_to_use" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "ready_to_use" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it, + otherwise, this field will be set to "True". + If not specified, it means the readiness of a snapshot is unknown. + type: boolean + restoreSize: + description: |- + restoreSize represents the complete size of the snapshot in bytes. + In dynamic snapshot creation case, this field will be filled in by the + CSI snapshotter sidecar with the "size_bytes" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "size_bytes" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. + When restoring a volume from this snapshot, the size of the volume MUST NOT + be smaller than the restoreSize if it is specified, otherwise the restoration will fail. + If not specified, it indicates that the size is unknown. + format: int64 + minimum: 0 + type: integer + snapshotHandle: + description: |- + snapshotHandle is the CSI "snapshot_id" of a snapshot on the underlying storage system. + If not specified, it indicates that dynamic snapshot creation has either failed + or it is still in progress. + type: string + volumeGroupSnapshotHandle: + description: |- + VolumeGroupSnapshotHandle is the CSI "group_snapshot_id" of a group snapshot + on the underlying storage system. + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: Indicates if the snapshot is ready to be used to restore a volume. + jsonPath: .status.readyToUse + name: ReadyToUse + type: boolean + - description: Represents the complete size of the snapshot in bytes + jsonPath: .status.restoreSize + name: RestoreSize + type: integer + - description: Determines whether this VolumeSnapshotContent and its physical snapshot on the underlying storage system should be deleted when its bound VolumeSnapshot is deleted. + jsonPath: .spec.deletionPolicy + name: DeletionPolicy + type: string + - description: Name of the CSI driver used to create the physical snapshot on the underlying storage system. + jsonPath: .spec.driver + name: Driver + type: string + - description: Name of the VolumeSnapshotClass to which this snapshot belongs. + jsonPath: .spec.volumeSnapshotClassName + name: VolumeSnapshotClass + type: string + - description: Name of the VolumeSnapshot object to which this VolumeSnapshotContent object is bound. + jsonPath: .spec.volumeSnapshotRef.name + name: VolumeSnapshot + type: string + - description: Namespace of the VolumeSnapshot object to which this VolumeSnapshotContent object is bound. + jsonPath: .spec.volumeSnapshotRef.namespace + name: VolumeSnapshotNamespace + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + # This indicates the v1beta1 version of the custom resource is deprecated. + # API requests to this version receive a warning in the server response. + deprecated: true + # This overrides the default warning returned to clients making v1beta1 API requests. + deprecationWarning: "snapshot.storage.k8s.io/v1beta1 VolumeSnapshotContent is deprecated; use snapshot.storage.k8s.io/v1 VolumeSnapshotContent" + schema: + openAPIV3Schema: + description: VolumeSnapshotContent represents the actual "on-disk" snapshot object in the underlying storage system + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + spec: + description: spec defines properties of a VolumeSnapshotContent created by the underlying storage system. Required. + properties: + deletionPolicy: + description: deletionPolicy determines whether this VolumeSnapshotContent and its physical snapshot on the underlying storage system should be deleted when its bound VolumeSnapshot is deleted. Supported values are "Retain" and "Delete". "Retain" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are kept. "Delete" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are deleted. For dynamically provisioned snapshots, this field will automatically be filled in by the CSI snapshotter sidecar with the "DeletionPolicy" field defined in the corresponding VolumeSnapshotClass. For pre-existing snapshots, users MUST specify this field when creating the VolumeSnapshotContent object. Required. + enum: + - Delete + - Retain + type: string + driver: + description: driver is the name of the CSI driver used to create the physical snapshot on the underlying storage system. This MUST be the same as the name returned by the CSI GetPluginName() call for that driver. Required. + type: string + source: + description: source specifies whether the snapshot is (or should be) dynamically provisioned or already exists, and just requires a Kubernetes object representation. This field is immutable after creation. Required. + properties: + snapshotHandle: + description: snapshotHandle specifies the CSI "snapshot_id" of a pre-existing snapshot on the underlying storage system for which a Kubernetes object representation was (or should be) created. This field is immutable. + type: string + volumeHandle: + description: volumeHandle specifies the CSI "volume_id" of the volume from which a snapshot should be dynamically taken from. This field is immutable. + type: string + type: object + volumeSnapshotClassName: + description: name of the VolumeSnapshotClass from which this snapshot was (or will be) created. Note that after provisioning, the VolumeSnapshotClass may be deleted or recreated with different set of values, and as such, should not be referenced post-snapshot creation. + type: string + volumeSnapshotRef: + description: volumeSnapshotRef specifies the VolumeSnapshot object to which this VolumeSnapshotContent object is bound. VolumeSnapshot.Spec.VolumeSnapshotContentName field must reference to this VolumeSnapshotContent's name for the bidirectional binding to be valid. For a pre-existing VolumeSnapshotContent object, name and namespace of the VolumeSnapshot object MUST be provided for binding to happen. This field is immutable after creation. Required. + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + required: + - deletionPolicy + - driver + - source + - volumeSnapshotRef + type: object + status: + description: status represents the current information of a snapshot. + properties: + creationTime: + description: creationTime is the timestamp when the point-in-time snapshot is taken by the underlying storage system. In dynamic snapshot creation case, this field will be filled in by the CSI snapshotter sidecar with the "creation_time" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "creation_time" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. If not specified, it indicates the creation time is unknown. The format of this field is a Unix nanoseconds time encoded as an int64. On Unix, the command `date +%s%N` returns the current time in nanoseconds since 1970-01-01 00:00:00 UTC. + format: int64 + type: integer + error: + description: error is the last observed error during snapshot creation, if any. Upon success after retry, this error field will be cleared. + properties: + message: + description: 'message is a string detailing the encountered error during snapshot creation if specified. NOTE: message may be logged, and it should not contain sensitive information.' + type: string + time: + description: time is the timestamp when the error was encountered. + format: date-time + type: string + type: object + readyToUse: + description: readyToUse indicates if a snapshot is ready to be used to restore a volume. In dynamic snapshot creation case, this field will be filled in by the CSI snapshotter sidecar with the "ready_to_use" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "ready_to_use" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it, otherwise, this field will be set to "True". If not specified, it means the readiness of a snapshot is unknown. + type: boolean + restoreSize: + description: restoreSize represents the complete size of the snapshot in bytes. In dynamic snapshot creation case, this field will be filled in by the CSI snapshotter sidecar with the "size_bytes" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "size_bytes" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. When restoring a volume from this snapshot, the size of the volume MUST NOT be smaller than the restoreSize if it is specified, otherwise the restoration will fail. If not specified, it indicates that the size is unknown. + format: int64 + minimum: 0 + type: integer + snapshotHandle: + description: snapshotHandle is the CSI "snapshot_id" of a snapshot on the underlying storage system. If not specified, it indicates that dynamic snapshot creation has either failed or it is still in progress. + type: string + type: object + required: + - spec + type: object + served: false + storage: false + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end -}} diff --git a/charts/v1.34.2/azurefile-csi-driver/templates/csi-azurefile-controller.yaml b/charts/v1.34.2/azurefile-csi-driver/templates/csi-azurefile-controller.yaml new file mode 100644 index 0000000000..0e782b851b --- /dev/null +++ b/charts/v1.34.2/azurefile-csi-driver/templates/csi-azurefile-controller.yaml @@ -0,0 +1,285 @@ +kind: Deployment +apiVersion: apps/v1 +metadata: + name: {{ .Values.controller.name }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Values.controller.name }} + {{- include "azurefile.labels" . | nindent 4 }} +{{- with .Values.controller.labels }} +{{ . | toYaml | indent 4 }} +{{- end }} +{{- with .Values.controller.annotations }} + annotations: +{{ . | toYaml | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.controller.replicas }} + selector: + matchLabels: + {{- include "azurefile.selectorLabels" . | nindent 6 }} + app: {{ .Values.controller.name }} + strategy: + type: {{ .Values.controller.strategyType }} + template: + metadata: + labels: + {{- include "azurefile.labels" . | nindent 8 }} + app: {{ .Values.controller.name }} + {{- if .Values.workloadIdentity.clientID }} + azure.workload.identity/use: "true" + {{- end }} +{{- with .Values.controller.podLabels }} +{{ toYaml . | indent 8 }} +{{- end }} +{{- with .Values.controller.podAnnotations }} + annotations: +{{ toYaml . | indent 8 }} +{{- end }} + spec: + hostNetwork: {{ .Values.controller.hostNetwork }} + serviceAccountName: {{ .Values.serviceAccount.controller }} + nodeSelector: + kubernetes.io/os: linux +{{- with .Values.controller.nodeSelector }} +{{ toYaml . | indent 8 }} +{{- end }} + # runOnControlPlane=true or runOnMaster=true only takes effect if affinity is not set + {{- if tpl "{{ .Values.controller.affinity }}" . | contains "nodeSelectorTerms" }} + {{- with .Values.controller.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- else if or .Values.controller.runOnControlPlane .Values.controller.runOnMaster}} + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + {{- if .Values.controller.runOnControlPlane}} + - key: node-role.kubernetes.io/control-plane + operator: Exists + {{- end}} + {{- if .Values.controller.runOnMaster}} + - key: node-role.kubernetes.io/master + operator: Exists + {{- end}} + {{- end }} + priorityClassName: system-cluster-critical + securityContext: + seccompProfile: + type: RuntimeDefault +{{- with .Values.controller.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} +{{- end }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: +{{ toYaml .Values.imagePullSecrets | indent 8 }} + {{- end }} + containers: + - name: csi-provisioner +{{- if hasPrefix "/" .Values.image.csiProvisioner.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.csiProvisioner.repository }}:{{ .Values.image.csiProvisioner.tag }}" +{{- else }} + image: "{{ .Values.image.csiProvisioner.repository }}:{{ .Values.image.csiProvisioner.tag }}" +{{- end }} + args: + - "-v=2" + - "--csi-address=$(ADDRESS)" + - "--leader-election" + - "--leader-election-namespace={{ .Release.Namespace }}" + - "--timeout=1200s" + - "--extra-create-metadata=true" + - "--kube-api-qps=50" + - "--kube-api-burst=100" + - "--feature-gates=HonorPVReclaimPolicy=true" + - "--retry-interval-max=30m" + env: + - name: ADDRESS + value: /csi/csi.sock + imagePullPolicy: {{ .Values.image.csiProvisioner.pullPolicy }} + volumeMounts: + - mountPath: /csi + name: socket-dir + resources: {{- toYaml .Values.controller.resources.csiProvisioner | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL + - name: csi-snapshotter +{{- if hasPrefix "/" .Values.snapshot.image.csiSnapshotter.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.snapshot.image.csiSnapshotter.repository }}:{{ .Values.snapshot.image.csiSnapshotter.tag }}" +{{- else }} + image: "{{ .Values.snapshot.image.csiSnapshotter.repository }}:{{ .Values.snapshot.image.csiSnapshotter.tag }}" +{{- end }} + args: + - "-csi-address=$(ADDRESS)" + - "-leader-election" + - "--leader-election-namespace={{ .Release.Namespace }}" + - "-v=2" + - "--retry-interval-max=30m" + env: + - name: ADDRESS + value: /csi/csi.sock + volumeMounts: + - name: socket-dir + mountPath: /csi + resources: {{- toYaml .Values.controller.resources.csiSnapshotter | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL + - name: csi-resizer +{{- if hasPrefix "/" .Values.image.csiResizer.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.csiResizer.repository }}:{{ .Values.image.csiResizer.tag }}" +{{- else }} + image: "{{ .Values.image.csiResizer.repository }}:{{ .Values.image.csiResizer.tag }}" +{{- end }} + args: + - "-csi-address=$(ADDRESS)" + - "-v=2" + - "-leader-election" + - "--leader-election-namespace={{ .Release.Namespace }}" + - '-handle-volume-inuse-error=false' + - '-timeout=120s' + - '-feature-gates=RecoverVolumeExpansionFailure=true' + - "--retry-interval-max=30m" + env: + - name: ADDRESS + value: /csi/csi.sock + imagePullPolicy: {{ .Values.image.csiResizer.pullPolicy }} + volumeMounts: + - name: socket-dir + mountPath: /csi + resources: {{- toYaml .Values.controller.resources.csiResizer | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL + - name: liveness-probe +{{- if hasPrefix "/" .Values.image.livenessProbe.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}" +{{- else }} + image: "{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}" +{{- end }} + args: + - --csi-address=/csi/csi.sock + - --probe-timeout=3s +{{- if eq .Values.controller.hostNetwork true }} + - --http-endpoint=localhost:{{ .Values.controller.livenessProbe.healthPort }} +{{- else }} + - --health-port={{ .Values.controller.livenessProbe.healthPort }} +{{- end }} + - --v=2 + imagePullPolicy: {{ .Values.image.livenessProbe.pullPolicy }} + volumeMounts: + - name: socket-dir + mountPath: /csi + resources: {{- toYaml .Values.controller.resources.livenessProbe | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL + - name: azurefile +{{- if hasPrefix "/" .Values.image.azurefile.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}" +{{- else }} + image: "{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}" +{{- end }} + args: + - "--v={{ .Values.controller.logLevel }}" + - "--endpoint=$(CSI_ENDPOINT)" + - "--metrics-address=0.0.0.0:{{ .Values.controller.metricsPort }}" + - "--kubeconfig={{ .Values.controller.kubeconfig }}" + - "--drivername={{ .Values.driver.name }}" + - "--cloud-config-secret-name={{ .Values.controller.cloudConfigSecretName }}" + - "--cloud-config-secret-namespace={{ .Values.controller.cloudConfigSecretNamespace }}" + - "--custom-user-agent={{ .Values.driver.customUserAgent }}" + - "--user-agent-suffix={{ .Values.driver.userAgentSuffix }}" + - "--allow-empty-cloud-config={{ .Values.controller.allowEmptyCloudConfig }}" + ports: + - containerPort: {{ .Values.controller.metricsPort }} + name: metrics + protocol: TCP +{{- if ne .Values.controller.hostNetwork true }} + - containerPort: {{ .Values.controller.livenessProbe.healthPort }} + name: healthz + protocol: TCP +{{- end }} + livenessProbe: + failureThreshold: 5 + httpGet: + path: /healthz +{{- if eq .Values.controller.hostNetwork true }} + host: localhost + port: {{ .Values.controller.livenessProbe.healthPort }} +{{- else }} + port: healthz +{{- end }} + initialDelaySeconds: 30 + timeoutSeconds: 10 + periodSeconds: 30 + env: + - name: AZURE_CREDENTIAL_FILE + valueFrom: + configMapKeyRef: + name: {{ .Values.azureCredentialFileConfigMap }} + key: path + optional: true + - name: CSI_ENDPOINT + value: unix:///csi/csi.sock + {{- if ne .Values.driver.httpsProxy "" }} + - name: HTTPS_PROXY + value: {{ .Values.driver.httpsProxy }} + {{- end }} + {{- if ne .Values.driver.httpProxy "" }} + - name: HTTP_PROXY + value: {{ .Values.driver.httpProxy }} + {{- end }} + - name: AZURE_GO_SDK_LOG_LEVEL + value: {{ .Values.driver.azureGoSDKLogLevel }} + - name: AZCOPY_CONCURRENCY_VALUE + value: "10" + - name: AZCOPY_CONCURRENT_FILES + value: "20" + - name: AZCOPY_BUFFER_GB + value: "1" + imagePullPolicy: {{ .Values.image.azurefile.pullPolicy }} + volumeMounts: + - mountPath: /csi + name: socket-dir + - mountPath: /root/.azcopy + name: azcopy-dir + - mountPath: /etc/kubernetes/ + name: azure-cred + {{- if eq .Values.linux.distro "fedora" }} + - name: ssl + mountPath: /etc/ssl/certs + readOnly: true + - name: ssl-pki + mountPath: /etc/pki/ca-trust/extracted + readOnly: true + {{- end }} + resources: {{- toYaml .Values.controller.resources.azurefile | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL + volumes: + - name: socket-dir + emptyDir: {} + - name: azcopy-dir + emptyDir: {} + - name: azure-cred + hostPath: + path: /etc/kubernetes/ + type: DirectoryOrCreate + {{- if eq .Values.linux.distro "fedora" }} + - name: ssl + hostPath: + path: /etc/ssl/certs + - name: ssl-pki + hostPath: + path: /etc/pki/ca-trust/extracted + {{- end }} diff --git a/charts/v1.34.2/azurefile-csi-driver/templates/csi-azurefile-driver.yaml b/charts/v1.34.2/azurefile-csi-driver/templates/csi-azurefile-driver.yaml new file mode 100644 index 0000000000..77df01e32d --- /dev/null +++ b/charts/v1.34.2/azurefile-csi-driver/templates/csi-azurefile-driver.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: storage.k8s.io/v1 +kind: CSIDriver +metadata: + name: {{ .Values.driver.name }} + labels: + {{- include "azurefile.labels" . | nindent 4 }} + annotations: + csiDriver: "{{ .Values.image.azurefile.tag }}" + snapshot: "{{ .Values.snapshot.image.csiSnapshotter.tag }}" +spec: + attachRequired: {{ .Values.controller.attachRequired }} + podInfoOnMount: true + volumeLifecycleModes: + - Persistent + - Ephemeral + fsGroupPolicy: {{ .Values.feature.fsGroupPolicy }} + tokenRequests: + - audience: api://AzureADTokenExchange diff --git a/charts/v1.34.2/azurefile-csi-driver/templates/csi-azurefile-node-windows-hostprocess.yaml b/charts/v1.34.2/azurefile-csi-driver/templates/csi-azurefile-node-windows-hostprocess.yaml new file mode 100644 index 0000000000..30acee27fb --- /dev/null +++ b/charts/v1.34.2/azurefile-csi-driver/templates/csi-azurefile-node-windows-hostprocess.yaml @@ -0,0 +1,164 @@ +{{- if and .Values.windows.enabled .Values.windows.useHostProcessContainers }} +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: {{ .Values.windows.dsName }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Values.windows.dsName }} + {{- include "azurefile.labels" . | nindent 4 }} +{{- with .Values.windows.labels }} +{{ . | toYaml | indent 4 }} +{{- end }} +{{- with .Values.windows.annotations }} + annotations: +{{ . | toYaml | indent 4 }} +{{- end }} +spec: + updateStrategy: + rollingUpdate: + maxUnavailable: {{ .Values.node.maxUnavailable }} + type: {{ .Values.node.strategyType }} + selector: + matchLabels: + app: {{ .Values.windows.dsName }} + {{- include "azurefile.selectorLabels" . | nindent 6 }} + template: + metadata: + labels: + app: {{ .Values.windows.dsName }} + {{- include "azurefile.labels" . | nindent 8 }} +{{- with .Values.windows.podLabels }} +{{ toYaml . | indent 8 }} +{{- end }} +{{- with .Values.windows.podAnnotations }} + annotations: +{{ toYaml . | indent 8 }} +{{- end }} + spec: + serviceAccountName: {{ .Values.serviceAccount.node }} +{{- with .Values.windows.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} +{{- end }} + nodeSelector: + kubernetes.io/os: windows +{{- with .Values.windows.nodeSelector }} +{{ toYaml . | indent 8 }} +{{- end }} + affinity: +{{- with .Values.windows.affinity }} +{{ toYaml . | indent 8 }} +{{- end }} + nodeAffinity: +{{ toYaml .Values.windows.nodeAffinity | indent 10 }} + priorityClassName: system-node-critical + {{- if .Values.imagePullSecrets }} + imagePullSecrets: +{{ toYaml .Values.imagePullSecrets | indent 8 }} + {{- end }} + securityContext: + seccompProfile: + type: RuntimeDefault + windowsOptions: + hostProcess: true + runAsUserName: "NT AUTHORITY\\SYSTEM" + hostNetwork: true + initContainers: + - name: init +{{- if hasPrefix "/" .Values.image.azurefile.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}-windows-hp" +{{- else }} + image: "{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}-windows-hp" +{{- end }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + command: + - "powershell.exe" + - "-c" + - "New-Item -ItemType Directory -Path C:\\var\\lib\\kubelet\\plugins\\{{ .Values.driver.name }}\\ -Force" + securityContext: + capabilities: + drop: + - ALL + containers: + - name: node-driver-registrar +{{- if hasPrefix "/" .Values.image.nodeDriverRegistrar.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}" +{{- else }} + image: "{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}" +{{- end }} + command: + - "csi-node-driver-registrar.exe" + args: + - "--csi-address=$(CSI_ENDPOINT)" + - "--kubelet-registration-path=$(DRIVER_REG_SOCK_PATH)" + - "--plugin-registration-path=$(PLUGIN_REG_DIR)" + - "--v=2" + env: + - name: CSI_ENDPOINT + value: unix://{{ .Values.windows.kubelet }}\plugins\{{ .Values.driver.name }}\csi.sock + - name: DRIVER_REG_SOCK_PATH + value: C:\\var\\lib\\kubelet\\plugins\\{{ .Values.driver.name }}\\csi.sock + - name: PLUGIN_REG_DIR + value: C:\\var\\lib\\kubelet\\plugins_registry\\ + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + imagePullPolicy: {{ .Values.image.nodeDriverRegistrar.pullPolicy }} + resources: {{- toYaml .Values.windows.resources.nodeDriverRegistrar | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL + - name: azurefile +{{- if hasPrefix "/" .Values.image.azurefile.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}-windows-hp" +{{- else }} + image: "{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}-windows-hp" +{{- end }} + command: + - "azurefileplugin.exe" + args: + - "--v={{ .Values.node.logLevel }}" + - "--endpoint=$(CSI_ENDPOINT)" + - "--nodeid=$(KUBE_NODE_NAME)" + - "--kubeconfig={{ .Values.windows.kubeconfig }}" + - "--drivername={{ .Values.driver.name }}" + - "--cloud-config-secret-name={{ .Values.node.cloudConfigSecretName }}" + - "--cloud-config-secret-namespace={{ .Values.node.cloudConfigSecretNamespace }}" + - "--custom-user-agent={{ .Values.driver.customUserAgent }}" + - "--user-agent-suffix={{ .Values.driver.userAgentSuffix }}" + - "--allow-empty-cloud-config={{ .Values.node.allowEmptyCloudConfig }}" + - "--enable-get-volume-stats={{ .Values.feature.enableGetVolumeStats }}" + - "--enable-windows-host-process=true" + - "--metrics-address=0.0.0.0:{{ .Values.node.metricsPort }}" + env: + - name: AZURE_CREDENTIAL_FILE + valueFrom: + configMapKeyRef: + name: {{ .Values.azureCredentialFileConfigMap }} + key: path-windows + optional: true + - name: CSI_ENDPOINT + value: unix://{{ .Values.windows.kubelet }}\plugins\{{ .Values.driver.name }}\csi.sock + {{- if ne .Values.driver.httpsProxy "" }} + - name: HTTPS_PROXY + value: {{ .Values.driver.httpsProxy }} + {{- end }} + {{- if ne .Values.driver.httpProxy "" }} + - name: HTTP_PROXY + value: {{ .Values.driver.httpProxy }} + {{- end }} + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + imagePullPolicy: {{ .Values.image.pullPolicy }} + resources: {{- toYaml .Values.windows.resources.azurefile | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL +{{- end -}} diff --git a/charts/v1.34.2/azurefile-csi-driver/templates/csi-azurefile-node-windows.yaml b/charts/v1.34.2/azurefile-csi-driver/templates/csi-azurefile-node-windows.yaml new file mode 100644 index 0000000000..5083bc96a8 --- /dev/null +++ b/charts/v1.34.2/azurefile-csi-driver/templates/csi-azurefile-node-windows.yaml @@ -0,0 +1,229 @@ +{{- if and .Values.windows.enabled (not .Values.windows.useHostProcessContainers) }} +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: {{ .Values.windows.dsName }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Values.windows.dsName }} + {{- include "azurefile.labels" . | nindent 4 }} +{{- with .Values.windows.labels }} +{{ . | toYaml | indent 4 }} +{{- end }} +{{- with .Values.windows.annotations }} + annotations: +{{ . | toYaml | indent 4 }} +{{- end }} +spec: + updateStrategy: + rollingUpdate: + maxUnavailable: {{ .Values.node.maxUnavailable }} + type: {{ .Values.node.strategyType }} + selector: + matchLabels: + app: {{ .Values.windows.dsName }} + {{- include "azurefile.selectorLabels" . | nindent 6 }} + template: + metadata: + labels: + app: {{ .Values.windows.dsName }} + {{- include "azurefile.labels" . | nindent 8 }} +{{- with .Values.windows.podLabels }} +{{ toYaml . | indent 8 }} +{{- end }} +{{- with .Values.windows.podAnnotations }} + annotations: +{{ toYaml . | indent 8 }} +{{- end }} + spec: + serviceAccountName: {{ .Values.serviceAccount.node }} +{{- with .Values.windows.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} +{{- end }} + nodeSelector: + kubernetes.io/os: windows +{{- with .Values.windows.nodeSelector }} +{{ toYaml . | indent 8 }} +{{- end }} + affinity: +{{- with .Values.windows.affinity }} +{{ toYaml . | indent 8 }} +{{- end }} + nodeAffinity: +{{ toYaml .Values.windows.nodeAffinity | indent 10 }} + priorityClassName: system-node-critical + securityContext: + seccompProfile: + type: RuntimeDefault + {{- if .Values.imagePullSecrets }} + imagePullSecrets: +{{ toYaml .Values.imagePullSecrets | indent 8 }} + {{- end }} + containers: + - name: liveness-probe + volumeMounts: + - mountPath: C:\csi + name: plugin-dir +{{- if hasPrefix "/" .Values.image.livenessProbe.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}" +{{- else }} + image: "{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}" +{{- end }} + args: + - "--csi-address=$(CSI_ENDPOINT)" + - "--probe-timeout=3s" + - "--health-port={{ .Values.node.livenessProbe.healthPort }}" + - "--v=2" + env: + - name: CSI_ENDPOINT + value: unix://C:\\csi\\csi.sock + imagePullPolicy: {{ .Values.image.livenessProbe.pullPolicy }} + resources: {{- toYaml .Values.windows.resources.livenessProbe | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL + - name: node-driver-registrar +{{- if hasPrefix "/" .Values.image.nodeDriverRegistrar.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}" +{{- else }} + image: "{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}" +{{- end }} + args: + - "--csi-address=$(CSI_ENDPOINT)" + - "--kubelet-registration-path=$(DRIVER_REG_SOCK_PATH)" + - "--v=2" + env: + - name: CSI_ENDPOINT + value: unix://C:\\csi\\csi.sock + - name: DRIVER_REG_SOCK_PATH + value: C:\\var\\lib\\kubelet\\plugins\\{{ .Values.driver.name }}\\csi.sock + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + imagePullPolicy: {{ .Values.image.nodeDriverRegistrar.pullPolicy }} + volumeMounts: + - name: kubelet-dir + mountPath: "C:\\var\\lib\\kubelet" + - name: plugin-dir + mountPath: C:\csi + - name: registration-dir + mountPath: C:\registration + resources: {{- toYaml .Values.windows.resources.nodeDriverRegistrar | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL + - name: azurefile +{{- if hasPrefix "/" .Values.image.azurefile.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}" +{{- else }} + image: "{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}" +{{- end }} + args: + - "--v={{ .Values.node.logLevel }}" + - "--endpoint=$(CSI_ENDPOINT)" + - "--nodeid=$(KUBE_NODE_NAME)" + - "--kubeconfig={{ .Values.windows.kubeconfig }}" + - "--drivername={{ .Values.driver.name }}" + - "--cloud-config-secret-name={{ .Values.node.cloudConfigSecretName }}" + - "--cloud-config-secret-namespace={{ .Values.node.cloudConfigSecretNamespace }}" + - "--custom-user-agent={{ .Values.driver.customUserAgent }}" + - "--user-agent-suffix={{ .Values.driver.userAgentSuffix }}" + - "--allow-empty-cloud-config={{ .Values.node.allowEmptyCloudConfig }}" + - "--enable-get-volume-stats={{ .Values.feature.enableGetVolumeStats }}" + - "--allow-inline-volume-key-access-with-identity={{ .Values.node.allowInlineVolumeKeyAccessWithIdentity }}" + - "--metrics-address=0.0.0.0:{{ .Values.node.metricsPort }}" + ports: + - containerPort: {{ .Values.node.livenessProbe.healthPort }} + name: healthz + protocol: TCP + livenessProbe: + failureThreshold: 5 + httpGet: + path: /healthz + port: healthz + initialDelaySeconds: 60 + timeoutSeconds: 60 + periodSeconds: 60 + env: + - name: AZURE_CREDENTIAL_FILE + valueFrom: + configMapKeyRef: + name: {{ .Values.azureCredentialFileConfigMap }} + key: path-windows + optional: true + - name: CSI_ENDPOINT + value: unix://C:\\csi\\csi.sock + {{- if ne .Values.driver.httpsProxy "" }} + - name: HTTPS_PROXY + value: {{ .Values.driver.httpsProxy }} + {{- end }} + {{- if ne .Values.driver.httpProxy "" }} + - name: HTTP_PROXY + value: {{ .Values.driver.httpProxy }} + {{- end }} + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: AZURE_GO_SDK_LOG_LEVEL + value: {{ .Values.driver.azureGoSDKLogLevel }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + volumeMounts: + - name: kubelet-dir + mountPath: "C:\\var\\lib\\kubelet" + - name: plugin-dir + mountPath: C:\csi + - name: azure-config + mountPath: C:\k + - name: csi-proxy-fs-pipe-v1 + mountPath: \\.\pipe\csi-proxy-filesystem-v1 + - name: csi-proxy-smb-pipe-v1 + mountPath: \\.\pipe\csi-proxy-smb-v1 + # these paths are still included for compatibility, they're used + # only if the node has still the beta version of the CSI proxy + - name: csi-proxy-fs-pipe-v1beta1 + mountPath: \\.\pipe\csi-proxy-filesystem-v1beta1 + - name: csi-proxy-smb-pipe-v1beta1 + mountPath: \\.\pipe\csi-proxy-smb-v1beta1 + resources: {{- toYaml .Values.windows.resources.azurefile | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL + volumes: + - name: csi-proxy-fs-pipe-v1 + hostPath: + path: \\.\pipe\csi-proxy-filesystem-v1 + - name: csi-proxy-smb-pipe-v1 + hostPath: + path: \\.\pipe\csi-proxy-smb-v1 + # these paths are still included for compatibility, they're used + # only if the node has still the beta version of the CSI proxy + - name: csi-proxy-fs-pipe-v1beta1 + hostPath: + path: \\.\pipe\csi-proxy-filesystem-v1beta1 + - name: csi-proxy-smb-pipe-v1beta1 + hostPath: + path: \\.\pipe\csi-proxy-smb-v1beta1 + - name: registration-dir + hostPath: + path: {{ .Values.windows.kubelet }}\plugins_registry\ + type: Directory + - name: kubelet-dir + hostPath: + path: {{ .Values.windows.kubelet }}\ + type: Directory + - name: plugin-dir + hostPath: + path: {{ .Values.windows.kubelet }}\plugins\{{ .Values.driver.name }}\ + type: DirectoryOrCreate + - name: azure-config + hostPath: + path: C:\k + type: Directory +{{- end -}} diff --git a/charts/v1.34.2/azurefile-csi-driver/templates/csi-azurefile-node.yaml b/charts/v1.34.2/azurefile-csi-driver/templates/csi-azurefile-node.yaml new file mode 100644 index 0000000000..f11e21c718 --- /dev/null +++ b/charts/v1.34.2/azurefile-csi-driver/templates/csi-azurefile-node.yaml @@ -0,0 +1,321 @@ +{{- if .Values.linux.enabled}} +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: {{ .Values.linux.dsName }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Values.linux.dsName }} + {{- include "azurefile.labels" . | nindent 4 }} +{{- with .Values.linux.labels }} +{{ . | toYaml | indent 4 }} +{{- end }} +{{- with .Values.linux.annotations }} + annotations: +{{ . | toYaml | indent 4 }} +{{- end }} +spec: + updateStrategy: + rollingUpdate: + maxUnavailable: {{ .Values.node.maxUnavailable }} + type: {{ .Values.node.strategyType }} + selector: + matchLabels: + app: {{ .Values.linux.dsName }} + {{- include "azurefile.selectorLabels" . | nindent 6 }} + template: + metadata: + labels: + app: {{ .Values.linux.dsName }} + {{- include "azurefile.labels" . | nindent 8 }} + {{- if .Values.workloadIdentity.clientID }} + azure.workload.identity/use: "true" + {{- end }} +{{- with .Values.linux.podLabels }} +{{ toYaml . | indent 8 }} +{{- end }} +{{- with .Values.linux.podAnnotations }} + annotations: +{{ toYaml . | indent 8 }} +{{- end }} + spec: + hostNetwork: true + {{- if .Values.node.azurefileProxy.enabled }} + hostPID: true + {{- end }} + dnsPolicy: {{ .Values.linux.dnsPolicy }} + serviceAccountName: {{ .Values.serviceAccount.node }} + nodeSelector: + kubernetes.io/os: linux +{{- with .Values.linux.nodeSelector }} +{{ toYaml . | indent 8 }} +{{- end }} + affinity: +{{- with .Values.linux.affinity }} +{{ toYaml . | indent 8 }} +{{- end }} + nodeAffinity: +{{ toYaml .Values.linux.nodeAffinity | indent 10 }} + priorityClassName: system-node-critical + securityContext: + seccompProfile: + type: RuntimeDefault +{{- with .Values.linux.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} +{{- end }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: +{{ toYaml .Values.imagePullSecrets | indent 8 }} + {{- end }} + initContainers: + - name: install-azurefile-proxy +{{- if hasPrefix "/" .Values.image.azurefile.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}" +{{- else }} + image: "{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}" +{{- end }} + imagePullPolicy: IfNotPresent + command: + - "/azurefile-proxy/init.sh" + securityContext: + privileged: true + capabilities: + drop: + - ALL + env: + - name: DEBIAN_FRONTEND + value: "noninteractive" + - name: AZNFS_NONINTERACTIVE_INSTALL + value: "1" + - name: INSTALL_AZUREFILE_PROXY + value: "{{ .Values.node.azurefileProxy.enabled }}" + - name: INSTALL_AZNFS_MOUNT + value: "{{ .Values.node.azurefileProxy.installAznfsMount }}" + - name: KUBELET_PATH + value: "{{ .Values.linux.kubelet }}" + - name: MIGRATE_K8S_REPO + value: "{{ .Values.node.azurefileProxy.migrateK8sRepo }}" + - name: ENABLE_MI_AUTH + value: "{{ .Values.node.enableManagedIdentityAuth }}" + volumeMounts: + - name: host-usr + mountPath: /host/usr + - name: host-etc + mountPath: /host/etc + {{- if .Values.node.enableManagedIdentityAuth }} + - name: mountpoint-dir + mountPath: "{{ .Values.linux.kubelet }}" + mountPropagation: Bidirectional + {{- end }} + containers: + - name: liveness-probe + volumeMounts: + - mountPath: /csi + name: socket-dir +{{- if hasPrefix "/" .Values.image.livenessProbe.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}" +{{- else }} + image: "{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}" +{{- end }} + args: + - --csi-address=/csi/csi.sock + - --probe-timeout=10s + - --http-endpoint=localhost:{{ .Values.node.livenessProbe.healthPort }} + - --v=2 + imagePullPolicy: {{ .Values.image.livenessProbe.pullPolicy }} + resources: {{- toYaml .Values.linux.resources.livenessProbe | nindent 12 }} + - name: node-driver-registrar +{{- if hasPrefix "/" .Values.image.nodeDriverRegistrar.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}" +{{- else }} + image: "{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}" +{{- end }} + args: + - --csi-address=$(ADDRESS) + - --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH) + - --v=2 + env: + - name: ADDRESS + value: /csi/csi.sock + - name: DRIVER_REG_SOCK_PATH + value: {{ .Values.linux.kubelet }}/plugins/{{ .Values.driver.name }}/csi.sock + imagePullPolicy: {{ .Values.image.nodeDriverRegistrar.pullPolicy }} + volumeMounts: + - name: socket-dir + mountPath: /csi + - name: registration-dir + mountPath: /registration + resources: {{- toYaml .Values.linux.resources.nodeDriverRegistrar | nindent 12 }} +{{- if .Values.node.enableManagedIdentityAuth }} + - name: azfilesrefresh +{{- if hasPrefix "/" .Values.image.azurefile.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}" +{{- else }} + image: "{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}" +{{- end }} + imagePullPolicy: {{ .Values.image.azurefile.pullPolicy }} + command: + - "azfilesrefresh" + securityContext: + privileged: true + capabilities: + drop: + - ALL + volumeMounts: + - mountPath: "{{ .Values.linux.kubelet }}" + mountPropagation: Bidirectional + name: mountpoint-dir + - name: azfilesauth + mountPath: /etc/azfilesauth + - name: log-dir + mountPath: /var/log/ + resources: {{- toYaml .Values.linux.resources.azfilesrefresh | nindent 12 }} +{{- end }} + - name: azurefile +{{- if hasPrefix "/" .Values.image.azurefile.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}" +{{- else }} + image: "{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}" +{{- end }} + args: + - "--v={{ .Values.node.logLevel }}" + - "--endpoint=$(CSI_ENDPOINT)" + - "--azurefile-proxy-endpoint=$(AZUREFILE_PROXY_ENDPOINT)" + - "--enable-azurefile-proxy={{ .Values.node.azurefileProxy.enabled }}" + - "--nodeid=$(KUBE_NODE_NAME)" + - "--kubeconfig={{ .Values.linux.kubeconfig }}" + - "--drivername={{ .Values.driver.name }}" + - "--cloud-config-secret-name={{ .Values.node.cloudConfigSecretName }}" + - "--cloud-config-secret-namespace={{ .Values.node.cloudConfigSecretNamespace }}" + - "--custom-user-agent={{ .Values.driver.customUserAgent }}" + - "--user-agent-suffix={{ .Values.driver.userAgentSuffix }}" + - "--allow-empty-cloud-config={{ .Values.node.allowEmptyCloudConfig }}" + - "--enable-volume-mount-group={{ .Values.feature.enableVolumeMountGroup }}" + - "--enable-get-volume-stats={{ .Values.feature.enableGetVolumeStats }}" + - "--mount-permissions={{ .Values.linux.mountPermissions }}" + - "--allow-inline-volume-key-access-with-identity={{ .Values.node.allowInlineVolumeKeyAccessWithIdentity }}" + - "--metrics-address=0.0.0.0:{{ .Values.node.metricsPort }}" + - "--enable-kata-cc-mount={{ .Values.node.enableKataCCMount }}" + livenessProbe: + failureThreshold: 5 + httpGet: + host: localhost + path: /healthz + port: {{ .Values.node.livenessProbe.healthPort }} + initialDelaySeconds: 30 + timeoutSeconds: 30 + periodSeconds: 30 + env: + - name: AZURE_CREDENTIAL_FILE + valueFrom: + configMapKeyRef: + name: {{ .Values.azureCredentialFileConfigMap }} + key: path + optional: true + - name: CSI_ENDPOINT + value: unix:///csi/csi.sock + {{- if ne .Values.driver.httpsProxy "" }} + - name: HTTPS_PROXY + value: {{ .Values.driver.httpsProxy }} + {{- end }} + {{- if ne .Values.driver.httpProxy "" }} + - name: HTTP_PROXY + value: {{ .Values.driver.httpProxy }} + {{- end }} + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: AZURE_GO_SDK_LOG_LEVEL + value: {{ .Values.driver.azureGoSDKLogLevel }} + - name: AZUREFILE_PROXY_ENDPOINT + value: unix:///csi/azurefile-proxy.sock + imagePullPolicy: {{ .Values.image.azurefile.pullPolicy }} + securityContext: + privileged: true + capabilities: + drop: + - ALL + volumeMounts: + - mountPath: /csi + name: socket-dir + - mountPath: {{ .Values.linux.kubelet }}/ + mountPropagation: Bidirectional + name: mountpoint-dir + - mountPath: /etc/kubernetes/ + name: azure-cred + - mountPath: /dev + name: device-dir + {{- if eq .Values.linux.distro "fedora" }} + - name: ssl + mountPath: /etc/ssl/certs + readOnly: true + - name: ssl-pki + mountPath: /etc/pki/ca-trust/extracted + readOnly: true + {{- end }} + {{- if .Values.node.enableKataCCMount }} + - mountPath: /run/kata-containers/shared/direct-volumes + name: kata-direct-volumes + {{- end }} + {{- if .Values.node.enableManagedIdentityAuth }} + - name: log-dir + mountPath: /var/log/ + - name: azfilesauth + mountPath: /etc/azfilesauth + {{- end }} + resources: {{- toYaml .Values.linux.resources.azurefile | nindent 12 }} + volumes: + - name: host-usr + hostPath: + path: /usr + - name: host-etc + hostPath: + path: /etc + - name: azfilesauth + hostPath: + path: /etc/azfilesauth + type: DirectoryOrCreate + - hostPath: + path: {{ .Values.linux.kubelet }}/plugins/{{ .Values.driver.name }} + type: DirectoryOrCreate + name: socket-dir + - hostPath: + path: {{ .Values.linux.kubelet }}/ + type: DirectoryOrCreate + name: mountpoint-dir + - hostPath: + path: {{ .Values.linux.kubelet }}/plugins_registry/ + type: DirectoryOrCreate + name: registration-dir + - hostPath: + path: /etc/kubernetes/ + type: DirectoryOrCreate + name: azure-cred + - hostPath: + path: /dev + type: Directory + name: device-dir + {{- if eq .Values.linux.distro "fedora" }} + - name: ssl + hostPath: + path: /etc/ssl/certs + - name: ssl-pki + hostPath: + path: /etc/pki/ca-trust/extracted + {{- end }} + {{- if .Values.node.enableKataCCMount }} + - name: kata-direct-volumes + hostPath: + path: /run/kata-containers/shared/direct-volumes/ + type: DirectoryOrCreate + {{- end }} + {{- if .Values.node.enableManagedIdentityAuth }} + - hostPath: + path: /var/log/ + type: DirectoryOrCreate + name: log-dir + {{- end }} +{{- end -}} diff --git a/charts/v1.34.2/azurefile-csi-driver/templates/csi-snapshot-controller.yaml b/charts/v1.34.2/azurefile-csi-driver/templates/csi-snapshot-controller.yaml new file mode 100644 index 0000000000..c671d5ba89 --- /dev/null +++ b/charts/v1.34.2/azurefile-csi-driver/templates/csi-snapshot-controller.yaml @@ -0,0 +1,99 @@ +{{- if .Values.snapshot.enabled -}} +kind: Deployment +apiVersion: apps/v1 +metadata: + name: {{ .Values.snapshot.snapshotController.name}} + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Values.snapshot.snapshotController.name}} + {{- include "azurefile.labels" . | nindent 4 }} +{{- with .Values.snapshot.snapshotController.labels }} +{{ . | toYaml | indent 4 }} +{{- end }} +{{- with .Values.snapshot.snapshotController.annotations }} + annotations: +{{ . | toYaml | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.snapshot.snapshotController.replicas }} + selector: + matchLabels: + app: {{ .Values.snapshot.snapshotController.name}} + {{- include "azurefile.selectorLabels" . | nindent 6 }} + # the snapshot controller won't be marked as ready if the v1 CRDs are unavailable + # in #504 the snapshot-controller will exit after around 7.5 seconds if it + # can't find the v1 CRDs so this value should be greater than that + minReadySeconds: 15 + strategy: + rollingUpdate: + maxSurge: 0 + maxUnavailable: 1 + type: {{ .Values.snapshot.snapshotController.strategyType }} + template: + metadata: + labels: + app: {{ .Values.snapshot.snapshotController.name}} + {{- include "azurefile.labels" . | nindent 8 }} +{{- with .Values.snapshot.snapshotController.podLabels }} +{{ toYaml . | indent 8 }} +{{- end }} +{{- with .Values.snapshot.snapshotController.podAnnotations }} + annotations: +{{ toYaml . | indent 8 }} +{{- end }} + spec: + serviceAccountName: {{ .Values.serviceAccount.snapshotController }} + nodeSelector: + kubernetes.io/os: linux + # runOnControlPlane=true or runOnMaster=true only takes effect if affinity is not set + {{- if tpl "{{ .Values.controller.affinity }}" . | contains "nodeSelectorTerms" }} + {{- with .Values.controller.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- else if or .Values.controller.runOnControlPlane .Values.controller.runOnMaster}} + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + {{- if .Values.controller.runOnControlPlane}} + - key: node-role.kubernetes.io/control-plane + operator: Exists + {{- end}} + {{- if .Values.controller.runOnMaster}} + - key: node-role.kubernetes.io/master + operator: Exists + {{- end}} + {{- end }} + priorityClassName: system-cluster-critical + securityContext: + seccompProfile: + type: RuntimeDefault +{{- with .Values.controller.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} +{{- end }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: +{{ toYaml .Values.imagePullSecrets | indent 8 }} + {{- end }} + containers: + - name: {{ .Values.snapshot.snapshotController.name}} +{{- if hasPrefix "/" .Values.snapshot.image.csiSnapshotController.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.snapshot.image.csiSnapshotController.repository }}:{{ .Values.snapshot.image.csiSnapshotController.tag }}" +{{- else }} + image: "{{ .Values.snapshot.image.csiSnapshotController.repository }}:{{ .Values.snapshot.image.csiSnapshotController.tag }}" +{{- end }} + args: + - "--v=2" + - "--leader-election=true" + - "--leader-election-namespace={{ .Release.Namespace }}" + - "--retry-interval-max=30m" + resources: {{- toYaml .Values.snapshot.snapshotController.resources | nindent 12 }} + imagePullPolicy: {{ .Values.snapshot.image.csiSnapshotController.pullPolicy }} + securityContext: + capabilities: + drop: + - ALL +{{- end -}} diff --git a/charts/v1.34.2/azurefile-csi-driver/templates/rbac-csi-azurefile-controller.yaml b/charts/v1.34.2/azurefile-csi-driver/templates/rbac-csi-azurefile-controller.yaml new file mode 100644 index 0000000000..e0a2e14d95 --- /dev/null +++ b/charts/v1.34.2/azurefile-csi-driver/templates/rbac-csi-azurefile-controller.yaml @@ -0,0 +1,207 @@ +{{- if .Values.rbac.create -}} +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Values.rbac.name }}-external-provisioner-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "create", "patch", "delete"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["storage.k8s.io"] + resources: ["storageclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["get", "list", "watch", "create", "update", "patch"] + - apiGroups: ["storage.k8s.io"] + resources: ["csinodes"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "watch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots"] + verbs: ["get", "list"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["get", "list"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create", "patch"] +--- + +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Values.rbac.name }}-csi-provisioner-binding + labels: + {{- include "azurefile.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccount.controller }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: {{ .Values.rbac.name }}-external-provisioner-role + apiGroup: rbac.authorization.k8s.io + +--- + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Values.rbac.name }}-external-attacher-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "watch"] + - apiGroups: ["csi.storage.k8s.io"] + resources: ["csinodeinfos"] + verbs: ["get", "list", "watch"] + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments/status"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create", "patch"] +--- + +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Values.rbac.name }}-csi-attacher-binding + labels: + {{- include "azurefile.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccount.controller }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: {{ .Values.rbac.name }}-external-attacher-role + apiGroup: rbac.authorization.k8s.io + +--- + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Values.rbac.name }}-external-snapshotter-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["create", "get", "list", "watch", "update", "delete", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents/status"] + verbs: ["update", "patch"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create", "patch"] +--- + +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Values.rbac.name }}-csi-snapshotter-binding + labels: + {{- include "azurefile.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccount.controller }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: {{ .Values.rbac.name }}-external-snapshotter-role + apiGroup: rbac.authorization.k8s.io + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Values.rbac.name }}-external-resizer-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["persistentvolumeclaims/status"] + verbs: ["update", "patch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create", "patch"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Values.rbac.name }}-csi-resizer-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccount.controller }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: {{ .Values.rbac.name }}-external-resizer-role + apiGroup: rbac.authorization.k8s.io + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-{{ .Values.rbac.name }}-controller-secret-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "create"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-{{ .Values.rbac.name }}-controller-secret-binding + labels: + {{- include "azurefile.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccount.controller }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: csi-{{ .Values.rbac.name }}-controller-secret-role + apiGroup: rbac.authorization.k8s.io +{{ end }} diff --git a/charts/v1.34.2/azurefile-csi-driver/templates/rbac-csi-azurefile-node.yaml b/charts/v1.34.2/azurefile-csi-driver/templates/rbac-csi-azurefile-node.yaml new file mode 100644 index 0000000000..39790e1438 --- /dev/null +++ b/charts/v1.34.2/azurefile-csi-driver/templates/rbac-csi-azurefile-node.yaml @@ -0,0 +1,64 @@ +{{- if .Values.rbac.create -}} +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-{{ .Values.rbac.name }}-node-secret-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-{{ .Values.rbac.name }}-node-secret-binding + labels: + {{- include "azurefile.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccount.node }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: csi-{{ .Values.rbac.name }}-node-secret-role + apiGroup: rbac.authorization.k8s.io +--- +{{- if .Values.node.enableKataCCMount -}} +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-{{ .Values.rbac.name }}-node-katacc-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["pods"] + verbs: ["get"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get"] + - apiGroups: ["node.k8s.io"] + resources: ["runtimeclasses"] + verbs: ["get", "list"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-{{ .Values.rbac.name }}-node-katacc-binding + labels: + {{- include "azurefile.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccount.node }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: csi-{{ .Values.rbac.name }}-node-katacc-role + apiGroup: rbac.authorization.k8s.io +--- +{{ end }} +{{ end }} diff --git a/charts/v1.34.2/azurefile-csi-driver/templates/rbac-csi-snapshot-controller.yaml b/charts/v1.34.2/azurefile-csi-driver/templates/rbac-csi-snapshot-controller.yaml new file mode 100644 index 0000000000..853a9b4375 --- /dev/null +++ b/charts/v1.34.2/azurefile-csi-driver/templates/rbac-csi-snapshot-controller.yaml @@ -0,0 +1,80 @@ +{{- if and .Values.snapshot.enabled .Values.rbac.create -}} +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-snapshot-controller-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["storage.k8s.io"] + resources: ["storageclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["create", "get", "list", "watch", "update", "delete", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents/status"] + verbs: ["patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots"] + verbs: ["get", "list", "watch", "update", "patch", "create"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots/status"] + verbs: ["update", "patch"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-snapshot-controller-binding + labels: + {{- include "azurefile.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccount.snapshotController }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: csi-snapshot-controller-role + apiGroup: rbac.authorization.k8s.io + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-snapshot-controller-leaderelection-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +rules: + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create", "patch"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-snapshot-controller-leaderelection-binding + labels: + {{- include "azurefile.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccount.snapshotController }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: csi-snapshot-controller-leaderelection-role + apiGroup: rbac.authorization.k8s.io +{{ end }} diff --git a/charts/v1.34.2/azurefile-csi-driver/templates/serviceaccount-csi-azurefile-controller.yaml b/charts/v1.34.2/azurefile-csi-driver/templates/serviceaccount-csi-azurefile-controller.yaml new file mode 100644 index 0000000000..71442b70dc --- /dev/null +++ b/charts/v1.34.2/azurefile-csi-driver/templates/serviceaccount-csi-azurefile-controller.yaml @@ -0,0 +1,17 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ .Values.serviceAccount.controller }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "azurefile.labels" . | nindent 4 }} +{{- if .Values.workloadIdentity.clientID }} + azure.workload.identity/use: "true" + annotations: + azure.workload.identity/client-id: {{ .Values.workloadIdentity.clientID }} +{{- if .Values.workloadIdentity.tenantID }} + azure.workload.identity/tenant-id: {{ .Values.workloadIdentity.tenantID }} +{{- end }} +{{- end }} +{{- end -}} diff --git a/charts/v1.34.2/azurefile-csi-driver/templates/serviceaccount-csi-azurefile-node.yaml b/charts/v1.34.2/azurefile-csi-driver/templates/serviceaccount-csi-azurefile-node.yaml new file mode 100644 index 0000000000..ab2074429d --- /dev/null +++ b/charts/v1.34.2/azurefile-csi-driver/templates/serviceaccount-csi-azurefile-node.yaml @@ -0,0 +1,17 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ .Values.serviceAccount.node }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "azurefile.labels" . | nindent 4 }} +{{- if .Values.workloadIdentity.clientID }} + azure.workload.identity/use: "true" + annotations: + azure.workload.identity/client-id: {{ .Values.workloadIdentity.clientID }} +{{- if .Values.workloadIdentity.tenantID }} + azure.workload.identity/tenant-id: {{ .Values.workloadIdentity.tenantID }} +{{- end }} +{{- end }} +{{- end -}} diff --git a/charts/v1.34.2/azurefile-csi-driver/templates/serviceaccount-csi-snapshot-controller.yaml b/charts/v1.34.2/azurefile-csi-driver/templates/serviceaccount-csi-snapshot-controller.yaml new file mode 100644 index 0000000000..e77ef8f991 --- /dev/null +++ b/charts/v1.34.2/azurefile-csi-driver/templates/serviceaccount-csi-snapshot-controller.yaml @@ -0,0 +1,9 @@ +{{- if and .Values.snapshot.enabled .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ .Values.serviceAccount.snapshotController }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "azurefile.labels" . | nindent 4 }} +{{- end -}} diff --git a/charts/v1.34.2/azurefile-csi-driver/values.yaml b/charts/v1.34.2/azurefile-csi-driver/values.yaml new file mode 100644 index 0000000000..f94554aea8 --- /dev/null +++ b/charts/v1.34.2/azurefile-csi-driver/values.yaml @@ -0,0 +1,275 @@ +image: + baseRepo: mcr.microsoft.com + azurefile: + repository: /oss/v2/kubernetes-csi/azurefile-csi + tag: v1.34.2 + pullPolicy: IfNotPresent + csiProvisioner: + repository: /oss/v2/kubernetes-csi/csi-provisioner + tag: v6.1.0 + pullPolicy: IfNotPresent + csiResizer: + repository: /oss/v2/kubernetes-csi/csi-resizer + tag: v2.0.0 + pullPolicy: IfNotPresent + livenessProbe: + repository: /oss/v2/kubernetes-csi/livenessprobe + tag: v2.17.0 + pullPolicy: IfNotPresent + nodeDriverRegistrar: + repository: /oss/v2/kubernetes-csi/csi-node-driver-registrar + tag: v2.15.0 + pullPolicy: IfNotPresent + +## Reference to one or more secrets to be used when pulling images +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ +imagePullSecrets: [] +# - name: myRegistryKeySecretName + +# -- Custom labels to add into metadata +customLabels: {} + # k8s-app: azurefile-csi-driver + +serviceAccount: + create: true # When true, service accounts will be created for you. Set to false if you want to use your own. + controller: csi-azurefile-controller-sa # Name of Service Account to be created or used + node: csi-azurefile-node-sa # Name of Service Account to be created or used + snapshotController: csi-snapshot-controller-sa # Name of Service Account to be created or used + +rbac: + create: true + name: azurefile + +controller: + name: csi-azurefile-controller + cloudConfigSecretName: azure-cloud-provider + cloudConfigSecretNamespace: kube-system + allowEmptyCloudConfig: true + replicas: 2 + strategyType: RollingUpdate + hostNetwork: true # this setting could be disabled if controller does not depend on MSI setting + metricsPort: 29614 + livenessProbe: + healthPort: 29612 + runOnMaster: false + runOnControlPlane: false + attachRequired: false + logLevel: 5 + labels: {} + annotations: {} + podLabels: {} + podAnnotations: {} + resources: + csiProvisioner: + limits: + cpu: 1 + memory: 500Mi + requests: + cpu: 10m + memory: 20Mi + csiResizer: + limits: + cpu: 1 + memory: 500Mi + requests: + cpu: 10m + memory: 20Mi + csiSnapshotter: + limits: + cpu: 1 + memory: 400Mi + requests: + cpu: 10m + memory: 20Mi + livenessProbe: + limits: + cpu: 1 + memory: 100Mi + requests: + cpu: 10m + memory: 20Mi + azfilesrefresh: + limits: + cpu: 1 + memory: 100Mi + requests: + cpu: 10m + memory: 20Mi + azurefile: + limits: + cpu: 2 + memory: 800Mi + requests: + cpu: 10m + memory: 20Mi + kubeconfig: "" + affinity: {} + nodeSelector: {} + tolerations: + - key: "node-role.kubernetes.io/master" + operator: "Exists" + effect: "NoSchedule" + - key: "node-role.kubernetes.io/controlplane" + operator: "Exists" + effect: "NoSchedule" + - key: "node-role.kubernetes.io/control-plane" + operator: "Exists" + effect: "NoSchedule" + - key: "CriticalAddonsOnly" + operator: "Exists" + effect: "NoSchedule" + +node: + strategyType: RollingUpdate + maxUnavailable: 1 + cloudConfigSecretName: azure-cloud-provider + cloudConfigSecretNamespace: kube-system + allowEmptyCloudConfig: true + allowInlineVolumeKeyAccessWithIdentity: false + enableKataCCMount: false + enableManagedIdentityAuth: true + metricsPort: 29615 + livenessProbe: + healthPort: 29613 + logLevel: 5 + azurefileProxy: + enabled: true + installAznfsMount: true + migrateK8sRepo: false + +snapshot: + enabled: false + image: + csiSnapshotter: + repository: /oss/v2/kubernetes-csi/csi-snapshotter + tag: v8.4.0 + pullPolicy: IfNotPresent + csiSnapshotController: + repository: /oss/v2/kubernetes-csi/snapshot-controller + tag: v8.4.0 + pullPolicy: IfNotPresent + snapshotController: + name: csi-snapshot-controller + replicas: 2 + strategyType: RollingUpdate + labels: {} + annotations: {} + podLabels: {} + podAnnotations: {} + resources: + limits: + cpu: 1 + memory: 500Mi + requests: + cpu: 10m + memory: 20Mi + +feature: + enableGetVolumeStats: true + enableVolumeMountGroup: true + fsGroupPolicy: ReadWriteOnceWithFSType + +driver: + name: file.csi.azure.com + customUserAgent: "" + userAgentSuffix: "OSS-helm" + azureGoSDKLogLevel: "" # available values: ""(no logs), DEBUG, INFO, WARNING, ERROR + httpsProxy: "" + httpProxy: "" + +linux: + enabled: true + dsName: csi-azurefile-node # daemonset name + dnsPolicy: Default # available values: Default, ClusterFirst, ClusterFirstWithHostNet, None + kubelet: /var/lib/kubelet + kubeconfig: "" + distro: debian # available values: debian, fedora + mountPermissions: 0777 + labels: {} + annotations: {} + podLabels: {} + podAnnotations: {} + resources: + livenessProbe: + limits: + memory: 100Mi + requests: + cpu: 10m + memory: 20Mi + nodeDriverRegistrar: + limits: + memory: 100Mi + requests: + cpu: 10m + memory: 20Mi + azurefile: + limits: + memory: 400Mi + requests: + cpu: 10m + memory: 20Mi + tolerations: + - operator: "Exists" + nodeSelector: {} + affinity: {} + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: type + operator: NotIn + values: + - virtual-kubelet + +windows: + enabled: true + useHostProcessContainers: true + dsName: csi-azurefile-node-win # daemonset name + kubelet: 'C:\var\lib\kubelet' + kubeconfig: "" + enableRegistrationProbe: true + labels: {} + annotations: {} + podLabels: {} + podAnnotations: {} + resources: + livenessProbe: + limits: + memory: 150Mi + requests: + cpu: 10m + memory: 40Mi + nodeDriverRegistrar: + limits: + memory: 150Mi + requests: + cpu: 30m + memory: 40Mi + azurefile: + limits: + memory: 600Mi + requests: + cpu: 10m + memory: 40Mi + tolerations: + - key: "node.kubernetes.io/os" + operator: "Exists" + effect: "NoSchedule" + nodeSelector: {} + affinity: {} + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: type + operator: NotIn + values: + - virtual-kubelet + +workloadIdentity: + clientID: "" + # [optional] If the AAD application or user-assigned managed identity is not in the same tenant as the cluster + # then set tenantID with the application or user-assigned managed identity tenant ID + tenantID: "" + +azureCredentialFileConfigMap: azure-cred-file diff --git a/charts/v1.34.3/azurefile-csi-driver-1.34.3.tgz b/charts/v1.34.3/azurefile-csi-driver-1.34.3.tgz new file mode 100644 index 0000000000..14bbd74fde Binary files /dev/null and b/charts/v1.34.3/azurefile-csi-driver-1.34.3.tgz differ diff --git a/charts/v1.34.3/azurefile-csi-driver/Chart.yaml b/charts/v1.34.3/azurefile-csi-driver/Chart.yaml new file mode 100644 index 0000000000..832ea04011 --- /dev/null +++ b/charts/v1.34.3/azurefile-csi-driver/Chart.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +appVersion: 1.34.3 +description: Azure File Container Storage Interface (CSI) Storage Plugin +name: azurefile-csi-driver +version: 1.34.3 diff --git a/charts/v1.34.3/azurefile-csi-driver/templates/NOTES.txt b/charts/v1.34.3/azurefile-csi-driver/templates/NOTES.txt new file mode 100644 index 0000000000..bea09b0829 --- /dev/null +++ b/charts/v1.34.3/azurefile-csi-driver/templates/NOTES.txt @@ -0,0 +1,5 @@ +The Azure File CSI Driver is getting deployed to your cluster. + +To check Azure File CSI Driver pods status, please run: + + kubectl --namespace={{ .Release.Namespace }} get pods --selector="app.kubernetes.io/name={{ .Release.Name }}" --watch diff --git a/charts/v1.34.3/azurefile-csi-driver/templates/_helpers.tpl b/charts/v1.34.3/azurefile-csi-driver/templates/_helpers.tpl new file mode 100644 index 0000000000..b1bf4dc1b6 --- /dev/null +++ b/charts/v1.34.3/azurefile-csi-driver/templates/_helpers.tpl @@ -0,0 +1,49 @@ +{{/* vim: set filetype=mustache: */}} + +{{/* Expand the name of the chart.*/}} +{{- define "azurefile.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "azurefile.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Common selectors. +*/}} +{{- define "azurefile.selectorLabels" -}} +app.kubernetes.io/name: {{ template "azurefile.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end -}} + +{{/* +Common labels. +*/}} +{{- define "azurefile.labels" -}} +{{- include "azurefile.selectorLabels" . }} +app.kubernetes.io/component: csi-driver +app.kubernetes.io/part-of: {{ template "azurefile.name" . }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +helm.sh/chart: {{ template "azurefile.chart" . }} +{{- if .Values.customLabels }} +{{ toYaml .Values.customLabels }} +{{- end }} +{{- end -}} + + +{{/* pull secrets for containers */}} +{{- define "azurefile.pullSecrets" -}} +{{- if .Values.imagePullSecrets }} +imagePullSecrets: +{{- range .Values.imagePullSecrets }} + - name: {{ . }} +{{- end }} +{{- end }} +{{- end -}} diff --git a/charts/v1.34.3/azurefile-csi-driver/templates/crd-csi-snapshot.yaml b/charts/v1.34.3/azurefile-csi-driver/templates/crd-csi-snapshot.yaml new file mode 100644 index 0000000000..3a66c45732 --- /dev/null +++ b/charts/v1.34.3/azurefile-csi-driver/templates/crd-csi-snapshot.yaml @@ -0,0 +1,953 @@ +{{- if .Values.snapshot.enabled -}} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + api-approved.kubernetes.io: "https://github.com/kubernetes-csi/external-snapshotter/pull/814" + name: volumesnapshots.snapshot.storage.k8s.io +spec: + group: snapshot.storage.k8s.io + names: + kind: VolumeSnapshot + listKind: VolumeSnapshotList + plural: volumesnapshots + shortNames: + - vs + singular: volumesnapshot + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Indicates if the snapshot is ready to be used to restore a volume. + jsonPath: .status.readyToUse + name: ReadyToUse + type: boolean + - description: If a new snapshot needs to be created, this contains the name of + the source PVC from which this snapshot was (or will be) created. + jsonPath: .spec.source.persistentVolumeClaimName + name: SourcePVC + type: string + - description: If a snapshot already exists, this contains the name of the existing + VolumeSnapshotContent object representing the existing snapshot. + jsonPath: .spec.source.volumeSnapshotContentName + name: SourceSnapshotContent + type: string + - description: Represents the minimum size of volume required to rehydrate from + this snapshot. + jsonPath: .status.restoreSize + name: RestoreSize + type: string + - description: The name of the VolumeSnapshotClass requested by the VolumeSnapshot. + jsonPath: .spec.volumeSnapshotClassName + name: SnapshotClass + type: string + - description: Name of the VolumeSnapshotContent object to which the VolumeSnapshot + object intends to bind to. Please note that verification of binding actually + requires checking both VolumeSnapshot and VolumeSnapshotContent to ensure + both are pointing at each other. Binding MUST be verified prior to usage of + this object. + jsonPath: .status.boundVolumeSnapshotContentName + name: SnapshotContent + type: string + - description: Timestamp when the point-in-time snapshot was taken by the underlying + storage system. + jsonPath: .status.creationTime + name: CreationTime + type: date + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + VolumeSnapshot is a user's request for either creating a point-in-time + snapshot of a persistent volume, or binding to a pre-existing snapshot. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + spec defines the desired characteristics of a snapshot requested by a user. + More info: https://kubernetes.io/docs/concepts/storage/volume-snapshots#volumesnapshots + Required. + properties: + source: + description: |- + source specifies where a snapshot will be created from. + This field is immutable after creation. + Required. + properties: + persistentVolumeClaimName: + description: |- + persistentVolumeClaimName specifies the name of the PersistentVolumeClaim + object representing the volume from which a snapshot should be created. + This PVC is assumed to be in the same namespace as the VolumeSnapshot + object. + This field should be set if the snapshot does not exists, and needs to be + created. + This field is immutable. + type: string + x-kubernetes-validations: + - message: persistentVolumeClaimName is immutable + rule: self == oldSelf + volumeSnapshotContentName: + description: |- + volumeSnapshotContentName specifies the name of a pre-existing VolumeSnapshotContent + object representing an existing volume snapshot. + This field should be set if the snapshot already exists and only needs a representation in Kubernetes. + This field is immutable. + type: string + x-kubernetes-validations: + - message: volumeSnapshotContentName is immutable + rule: self == oldSelf + type: object + x-kubernetes-validations: + - message: persistentVolumeClaimName is required once set + rule: '!has(oldSelf.persistentVolumeClaimName) || has(self.persistentVolumeClaimName)' + - message: volumeSnapshotContentName is required once set + rule: '!has(oldSelf.volumeSnapshotContentName) || has(self.volumeSnapshotContentName)' + - message: exactly one of volumeSnapshotContentName and persistentVolumeClaimName + must be set + rule: (has(self.volumeSnapshotContentName) && !has(self.persistentVolumeClaimName)) + || (!has(self.volumeSnapshotContentName) && has(self.persistentVolumeClaimName)) + volumeSnapshotClassName: + description: |- + VolumeSnapshotClassName is the name of the VolumeSnapshotClass + requested by the VolumeSnapshot. + VolumeSnapshotClassName may be left nil to indicate that the default + SnapshotClass should be used. + A given cluster may have multiple default Volume SnapshotClasses: one + default per CSI Driver. If a VolumeSnapshot does not specify a SnapshotClass, + VolumeSnapshotSource will be checked to figure out what the associated + CSI Driver is, and the default VolumeSnapshotClass associated with that + CSI Driver will be used. If more than one VolumeSnapshotClass exist for + a given CSI Driver and more than one have been marked as default, + CreateSnapshot will fail and generate an event. + Empty string is not allowed for this field. + type: string + x-kubernetes-validations: + - message: volumeSnapshotClassName must not be the empty string when + set + rule: size(self) > 0 + required: + - source + type: object + status: + description: |- + status represents the current information of a snapshot. + Consumers must verify binding between VolumeSnapshot and + VolumeSnapshotContent objects is successful (by validating that both + VolumeSnapshot and VolumeSnapshotContent point at each other) before + using this object. + properties: + boundVolumeSnapshotContentName: + description: |- + boundVolumeSnapshotContentName is the name of the VolumeSnapshotContent + object to which this VolumeSnapshot object intends to bind to. + If not specified, it indicates that the VolumeSnapshot object has not been + successfully bound to a VolumeSnapshotContent object yet. + NOTE: To avoid possible security issues, consumers must verify binding between + VolumeSnapshot and VolumeSnapshotContent objects is successful (by validating that + both VolumeSnapshot and VolumeSnapshotContent point at each other) before using + this object. + type: string + creationTime: + description: |- + creationTime is the timestamp when the point-in-time snapshot is taken + by the underlying storage system. + In dynamic snapshot creation case, this field will be filled in by the + snapshot controller with the "creation_time" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "creation_time" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. + If not specified, it may indicate that the creation time of the snapshot is unknown. + format: date-time + type: string + error: + description: |- + error is the last observed error during snapshot creation, if any. + This field could be helpful to upper level controllers(i.e., application controller) + to decide whether they should continue on waiting for the snapshot to be created + based on the type of error reported. + The snapshot controller will keep retrying when an error occurs during the + snapshot creation. Upon success, this error field will be cleared. + properties: + message: + description: |- + message is a string detailing the encountered error during snapshot + creation if specified. + NOTE: message may be logged, and it should not contain sensitive + information. + type: string + time: + description: time is the timestamp when the error was encountered. + format: date-time + type: string + type: object + readyToUse: + description: |- + readyToUse indicates if the snapshot is ready to be used to restore a volume. + In dynamic snapshot creation case, this field will be filled in by the + snapshot controller with the "ready_to_use" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "ready_to_use" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it, + otherwise, this field will be set to "True". + If not specified, it means the readiness of a snapshot is unknown. + type: boolean + restoreSize: + type: string + description: |- + restoreSize represents the minimum size of volume required to create a volume + from this snapshot. + In dynamic snapshot creation case, this field will be filled in by the + snapshot controller with the "size_bytes" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "size_bytes" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. + When restoring a volume from this snapshot, the size of the volume MUST NOT + be smaller than the restoreSize if it is specified, otherwise the restoration will fail. + If not specified, it indicates that the size is unknown. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + volumeGroupSnapshotName: + description: |- + VolumeGroupSnapshotName is the name of the VolumeGroupSnapshot of which this + VolumeSnapshot is a part of. + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: Indicates if the snapshot is ready to be used to restore a volume. + jsonPath: .status.readyToUse + name: ReadyToUse + type: boolean + - description: If a new snapshot needs to be created, this contains the name of the source PVC from which this snapshot was (or will be) created. + jsonPath: .spec.source.persistentVolumeClaimName + name: SourcePVC + type: string + - description: If a snapshot already exists, this contains the name of the existing VolumeSnapshotContent object representing the existing snapshot. + jsonPath: .spec.source.volumeSnapshotContentName + name: SourceSnapshotContent + type: string + - description: Represents the minimum size of volume required to rehydrate from this snapshot. + jsonPath: .status.restoreSize + name: RestoreSize + type: string + - description: The name of the VolumeSnapshotClass requested by the VolumeSnapshot. + jsonPath: .spec.volumeSnapshotClassName + name: SnapshotClass + type: string + - description: Name of the VolumeSnapshotContent object to which the VolumeSnapshot object intends to bind to. Please note that verification of binding actually requires checking both VolumeSnapshot and VolumeSnapshotContent to ensure both are pointing at each other. Binding MUST be verified prior to usage of this object. + jsonPath: .status.boundVolumeSnapshotContentName + name: SnapshotContent + type: string + - description: Timestamp when the point-in-time snapshot was taken by the underlying storage system. + jsonPath: .status.creationTime + name: CreationTime + type: date + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + # This indicates the v1beta1 version of the custom resource is deprecated. + # API requests to this version receive a warning in the server response. + deprecated: true + # This overrides the default warning returned to clients making v1beta1 API requests. + deprecationWarning: "snapshot.storage.k8s.io/v1beta1 VolumeSnapshot is deprecated; use snapshot.storage.k8s.io/v1 VolumeSnapshot" + schema: + openAPIV3Schema: + description: VolumeSnapshot is a user's request for either creating a point-in-time snapshot of a persistent volume, or binding to a pre-existing snapshot. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + spec: + description: 'spec defines the desired characteristics of a snapshot requested by a user. More info: https://kubernetes.io/docs/concepts/storage/volume-snapshots#volumesnapshots Required.' + properties: + source: + description: source specifies where a snapshot will be created from. This field is immutable after creation. Required. + properties: + persistentVolumeClaimName: + description: persistentVolumeClaimName specifies the name of the PersistentVolumeClaim object representing the volume from which a snapshot should be created. This PVC is assumed to be in the same namespace as the VolumeSnapshot object. This field should be set if the snapshot does not exists, and needs to be created. This field is immutable. + type: string + volumeSnapshotContentName: + description: volumeSnapshotContentName specifies the name of a pre-existing VolumeSnapshotContent object representing an existing volume snapshot. This field should be set if the snapshot already exists and only needs a representation in Kubernetes. This field is immutable. + type: string + type: object + volumeSnapshotClassName: + description: 'VolumeSnapshotClassName is the name of the VolumeSnapshotClass requested by the VolumeSnapshot. VolumeSnapshotClassName may be left nil to indicate that the default SnapshotClass should be used. A given cluster may have multiple default Volume SnapshotClasses: one default per CSI Driver. If a VolumeSnapshot does not specify a SnapshotClass, VolumeSnapshotSource will be checked to figure out what the associated CSI Driver is, and the default VolumeSnapshotClass associated with that CSI Driver will be used. If more than one VolumeSnapshotClass exist for a given CSI Driver and more than one have been marked as default, CreateSnapshot will fail and generate an event. Empty string is not allowed for this field.' + type: string + required: + - source + type: object + status: + description: status represents the current information of a snapshot. Consumers must verify binding between VolumeSnapshot and VolumeSnapshotContent objects is successful (by validating that both VolumeSnapshot and VolumeSnapshotContent point at each other) before using this object. + properties: + boundVolumeSnapshotContentName: + description: 'boundVolumeSnapshotContentName is the name of the VolumeSnapshotContent object to which this VolumeSnapshot object intends to bind to. If not specified, it indicates that the VolumeSnapshot object has not been successfully bound to a VolumeSnapshotContent object yet. NOTE: To avoid possible security issues, consumers must verify binding between VolumeSnapshot and VolumeSnapshotContent objects is successful (by validating that both VolumeSnapshot and VolumeSnapshotContent point at each other) before using this object.' + type: string + creationTime: + description: creationTime is the timestamp when the point-in-time snapshot is taken by the underlying storage system. In dynamic snapshot creation case, this field will be filled in by the snapshot controller with the "creation_time" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "creation_time" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. If not specified, it may indicate that the creation time of the snapshot is unknown. + format: date-time + type: string + error: + description: error is the last observed error during snapshot creation, if any. This field could be helpful to upper level controllers(i.e., application controller) to decide whether they should continue on waiting for the snapshot to be created based on the type of error reported. The snapshot controller will keep retrying when an error occurs during the snapshot creation. Upon success, this error field will be cleared. + properties: + message: + description: 'message is a string detailing the encountered error during snapshot creation if specified. NOTE: message may be logged, and it should not contain sensitive information.' + type: string + time: + description: time is the timestamp when the error was encountered. + format: date-time + type: string + type: object + readyToUse: + description: readyToUse indicates if the snapshot is ready to be used to restore a volume. In dynamic snapshot creation case, this field will be filled in by the snapshot controller with the "ready_to_use" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "ready_to_use" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it, otherwise, this field will be set to "True". If not specified, it means the readiness of a snapshot is unknown. + type: boolean + restoreSize: + type: string + description: restoreSize represents the minimum size of volume required to create a volume from this snapshot. In dynamic snapshot creation case, this field will be filled in by the snapshot controller with the "size_bytes" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "size_bytes" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. When restoring a volume from this snapshot, the size of the volume MUST NOT be smaller than the restoreSize if it is specified, otherwise the restoration will fail. If not specified, it indicates that the size is unknown. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + required: + - spec + type: object + served: false + storage: false + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: "https://github.com/kubernetes-csi/external-snapshotter/pull/814" + controller-gen.kubebuilder.io/version: v0.15.0 + name: volumesnapshotclasses.snapshot.storage.k8s.io +spec: + group: snapshot.storage.k8s.io + names: + kind: VolumeSnapshotClass + listKind: VolumeSnapshotClassList + plural: volumesnapshotclasses + shortNames: + - vsclass + - vsclasses + singular: volumesnapshotclass + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .driver + name: Driver + type: string + - description: Determines whether a VolumeSnapshotContent created through the + VolumeSnapshotClass should be deleted when its bound VolumeSnapshot is deleted. + jsonPath: .deletionPolicy + name: DeletionPolicy + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + VolumeSnapshotClass specifies parameters that a underlying storage system uses when + creating a volume snapshot. A specific VolumeSnapshotClass is used by specifying its + name in a VolumeSnapshot object. + VolumeSnapshotClasses are non-namespaced + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + deletionPolicy: + description: |- + deletionPolicy determines whether a VolumeSnapshotContent created through + the VolumeSnapshotClass should be deleted when its bound VolumeSnapshot is deleted. + Supported values are "Retain" and "Delete". + "Retain" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are kept. + "Delete" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are deleted. + Required. + enum: + - Delete + - Retain + type: string + driver: + description: |- + driver is the name of the storage driver that handles this VolumeSnapshotClass. + Required. + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + parameters: + additionalProperties: + type: string + description: |- + parameters is a key-value map with storage driver specific parameters for creating snapshots. + These values are opaque to Kubernetes. + type: object + required: + - deletionPolicy + - driver + type: object + served: true + storage: true + subresources: {} + - additionalPrinterColumns: + - jsonPath: .driver + name: Driver + type: string + - description: Determines whether a VolumeSnapshotContent created through the VolumeSnapshotClass should be deleted when its bound VolumeSnapshot is deleted. + jsonPath: .deletionPolicy + name: DeletionPolicy + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + # This indicates the v1beta1 version of the custom resource is deprecated. + # API requests to this version receive a warning in the server response. + deprecated: true + # This overrides the default warning returned to clients making v1beta1 API requests. + deprecationWarning: "snapshot.storage.k8s.io/v1beta1 VolumeSnapshotClass is deprecated; use snapshot.storage.k8s.io/v1 VolumeSnapshotClass" + schema: + openAPIV3Schema: + description: VolumeSnapshotClass specifies parameters that a underlying storage system uses when creating a volume snapshot. A specific VolumeSnapshotClass is used by specifying its name in a VolumeSnapshot object. VolumeSnapshotClasses are non-namespaced + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + deletionPolicy: + description: deletionPolicy determines whether a VolumeSnapshotContent created through the VolumeSnapshotClass should be deleted when its bound VolumeSnapshot is deleted. Supported values are "Retain" and "Delete". "Retain" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are kept. "Delete" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are deleted. Required. + enum: + - Delete + - Retain + type: string + driver: + description: driver is the name of the storage driver that handles this VolumeSnapshotClass. Required. + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + parameters: + additionalProperties: + type: string + description: parameters is a key-value map with storage driver specific parameters for creating snapshots. These values are opaque to Kubernetes. + type: object + required: + - deletionPolicy + - driver + type: object + served: false + storage: false + subresources: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + api-approved.kubernetes.io: "https://github.com/kubernetes-csi/external-snapshotter/pull/955" + name: volumesnapshotcontents.snapshot.storage.k8s.io +spec: + group: snapshot.storage.k8s.io + names: + kind: VolumeSnapshotContent + listKind: VolumeSnapshotContentList + plural: volumesnapshotcontents + shortNames: + - vsc + - vscs + singular: volumesnapshotcontent + scope: Cluster + versions: + - additionalPrinterColumns: + - description: Indicates if the snapshot is ready to be used to restore a volume. + jsonPath: .status.readyToUse + name: ReadyToUse + type: boolean + - description: Represents the complete size of the snapshot in bytes + jsonPath: .status.restoreSize + name: RestoreSize + type: integer + - description: Determines whether this VolumeSnapshotContent and its physical + snapshot on the underlying storage system should be deleted when its bound + VolumeSnapshot is deleted. + jsonPath: .spec.deletionPolicy + name: DeletionPolicy + type: string + - description: Name of the CSI driver used to create the physical snapshot on + the underlying storage system. + jsonPath: .spec.driver + name: Driver + type: string + - description: Name of the VolumeSnapshotClass to which this snapshot belongs. + jsonPath: .spec.volumeSnapshotClassName + name: VolumeSnapshotClass + type: string + - description: Name of the VolumeSnapshot object to which this VolumeSnapshotContent + object is bound. + jsonPath: .spec.volumeSnapshotRef.name + name: VolumeSnapshot + type: string + - description: Namespace of the VolumeSnapshot object to which this VolumeSnapshotContent + object is bound. + jsonPath: .spec.volumeSnapshotRef.namespace + name: VolumeSnapshotNamespace + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + VolumeSnapshotContent represents the actual "on-disk" snapshot object in the + underlying storage system + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + spec defines properties of a VolumeSnapshotContent created by the underlying storage system. + Required. + properties: + deletionPolicy: + description: |- + deletionPolicy determines whether this VolumeSnapshotContent and its physical snapshot on + the underlying storage system should be deleted when its bound VolumeSnapshot is deleted. + Supported values are "Retain" and "Delete". + "Retain" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are kept. + "Delete" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are deleted. + For dynamically provisioned snapshots, this field will automatically be filled in by the + CSI snapshotter sidecar with the "DeletionPolicy" field defined in the corresponding + VolumeSnapshotClass. + For pre-existing snapshots, users MUST specify this field when creating the + VolumeSnapshotContent object. + Required. + enum: + - Delete + - Retain + type: string + driver: + description: |- + driver is the name of the CSI driver used to create the physical snapshot on + the underlying storage system. + This MUST be the same as the name returned by the CSI GetPluginName() call for + that driver. + Required. + type: string + source: + description: |- + source specifies whether the snapshot is (or should be) dynamically provisioned + or already exists, and just requires a Kubernetes object representation. + This field is immutable after creation. + Required. + properties: + snapshotHandle: + description: |- + snapshotHandle specifies the CSI "snapshot_id" of a pre-existing snapshot on + the underlying storage system for which a Kubernetes object representation + was (or should be) created. + This field is immutable. + type: string + x-kubernetes-validations: + - message: snapshotHandle is immutable + rule: self == oldSelf + volumeHandle: + description: |- + volumeHandle specifies the CSI "volume_id" of the volume from which a snapshot + should be dynamically taken from. + This field is immutable. + type: string + x-kubernetes-validations: + - message: volumeHandle is immutable + rule: self == oldSelf + type: object + x-kubernetes-validations: + - message: volumeHandle is required once set + rule: '!has(oldSelf.volumeHandle) || has(self.volumeHandle)' + - message: snapshotHandle is required once set + rule: '!has(oldSelf.snapshotHandle) || has(self.snapshotHandle)' + - message: exactly one of volumeHandle and snapshotHandle must be + set + rule: (has(self.volumeHandle) && !has(self.snapshotHandle)) || (!has(self.volumeHandle) + && has(self.snapshotHandle)) + sourceVolumeMode: + description: |- + SourceVolumeMode is the mode of the volume whose snapshot is taken. + Can be either "Filesystem" or "Block". + If not specified, it indicates the source volume's mode is unknown. + This field is immutable. + This field is an alpha field. + type: string + x-kubernetes-validations: + - message: sourceVolumeMode is immutable + rule: self == oldSelf + volumeSnapshotClassName: + description: |- + name of the VolumeSnapshotClass from which this snapshot was (or will be) + created. + Note that after provisioning, the VolumeSnapshotClass may be deleted or + recreated with different set of values, and as such, should not be referenced + post-snapshot creation. + type: string + volumeSnapshotRef: + description: |- + volumeSnapshotRef specifies the VolumeSnapshot object to which this + VolumeSnapshotContent object is bound. + VolumeSnapshot.Spec.VolumeSnapshotContentName field must reference to + this VolumeSnapshotContent's name for the bidirectional binding to be valid. + For a pre-existing VolumeSnapshotContent object, name and namespace of the + VolumeSnapshot object MUST be provided for binding to happen. + This field is immutable after creation. + Required. + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. + type: string + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + namespace: + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + type: string + resourceVersion: + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + type: string + uid: + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + type: string + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: both spec.volumeSnapshotRef.name and spec.volumeSnapshotRef.namespace + must be set + rule: has(self.name) && has(self.__namespace__) + required: + - deletionPolicy + - driver + - source + - volumeSnapshotRef + type: object + x-kubernetes-validations: + - message: sourceVolumeMode is required once set + rule: '!has(oldSelf.sourceVolumeMode) || has(self.sourceVolumeMode)' + status: + description: status represents the current information of a snapshot. + properties: + creationTime: + description: |- + creationTime is the timestamp when the point-in-time snapshot is taken + by the underlying storage system. + In dynamic snapshot creation case, this field will be filled in by the + CSI snapshotter sidecar with the "creation_time" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "creation_time" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. + If not specified, it indicates the creation time is unknown. + The format of this field is a Unix nanoseconds time encoded as an int64. + On Unix, the command `date +%s%N` returns the current time in nanoseconds + since 1970-01-01 00:00:00 UTC. + format: int64 + type: integer + error: + description: |- + error is the last observed error during snapshot creation, if any. + Upon success after retry, this error field will be cleared. + properties: + message: + description: |- + message is a string detailing the encountered error during snapshot + creation if specified. + NOTE: message may be logged, and it should not contain sensitive + information. + type: string + time: + description: time is the timestamp when the error was encountered. + format: date-time + type: string + type: object + readyToUse: + description: |- + readyToUse indicates if a snapshot is ready to be used to restore a volume. + In dynamic snapshot creation case, this field will be filled in by the + CSI snapshotter sidecar with the "ready_to_use" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "ready_to_use" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it, + otherwise, this field will be set to "True". + If not specified, it means the readiness of a snapshot is unknown. + type: boolean + restoreSize: + description: |- + restoreSize represents the complete size of the snapshot in bytes. + In dynamic snapshot creation case, this field will be filled in by the + CSI snapshotter sidecar with the "size_bytes" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "size_bytes" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. + When restoring a volume from this snapshot, the size of the volume MUST NOT + be smaller than the restoreSize if it is specified, otherwise the restoration will fail. + If not specified, it indicates that the size is unknown. + format: int64 + minimum: 0 + type: integer + snapshotHandle: + description: |- + snapshotHandle is the CSI "snapshot_id" of a snapshot on the underlying storage system. + If not specified, it indicates that dynamic snapshot creation has either failed + or it is still in progress. + type: string + volumeGroupSnapshotHandle: + description: |- + VolumeGroupSnapshotHandle is the CSI "group_snapshot_id" of a group snapshot + on the underlying storage system. + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: Indicates if the snapshot is ready to be used to restore a volume. + jsonPath: .status.readyToUse + name: ReadyToUse + type: boolean + - description: Represents the complete size of the snapshot in bytes + jsonPath: .status.restoreSize + name: RestoreSize + type: integer + - description: Determines whether this VolumeSnapshotContent and its physical snapshot on the underlying storage system should be deleted when its bound VolumeSnapshot is deleted. + jsonPath: .spec.deletionPolicy + name: DeletionPolicy + type: string + - description: Name of the CSI driver used to create the physical snapshot on the underlying storage system. + jsonPath: .spec.driver + name: Driver + type: string + - description: Name of the VolumeSnapshotClass to which this snapshot belongs. + jsonPath: .spec.volumeSnapshotClassName + name: VolumeSnapshotClass + type: string + - description: Name of the VolumeSnapshot object to which this VolumeSnapshotContent object is bound. + jsonPath: .spec.volumeSnapshotRef.name + name: VolumeSnapshot + type: string + - description: Namespace of the VolumeSnapshot object to which this VolumeSnapshotContent object is bound. + jsonPath: .spec.volumeSnapshotRef.namespace + name: VolumeSnapshotNamespace + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + # This indicates the v1beta1 version of the custom resource is deprecated. + # API requests to this version receive a warning in the server response. + deprecated: true + # This overrides the default warning returned to clients making v1beta1 API requests. + deprecationWarning: "snapshot.storage.k8s.io/v1beta1 VolumeSnapshotContent is deprecated; use snapshot.storage.k8s.io/v1 VolumeSnapshotContent" + schema: + openAPIV3Schema: + description: VolumeSnapshotContent represents the actual "on-disk" snapshot object in the underlying storage system + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + spec: + description: spec defines properties of a VolumeSnapshotContent created by the underlying storage system. Required. + properties: + deletionPolicy: + description: deletionPolicy determines whether this VolumeSnapshotContent and its physical snapshot on the underlying storage system should be deleted when its bound VolumeSnapshot is deleted. Supported values are "Retain" and "Delete". "Retain" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are kept. "Delete" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are deleted. For dynamically provisioned snapshots, this field will automatically be filled in by the CSI snapshotter sidecar with the "DeletionPolicy" field defined in the corresponding VolumeSnapshotClass. For pre-existing snapshots, users MUST specify this field when creating the VolumeSnapshotContent object. Required. + enum: + - Delete + - Retain + type: string + driver: + description: driver is the name of the CSI driver used to create the physical snapshot on the underlying storage system. This MUST be the same as the name returned by the CSI GetPluginName() call for that driver. Required. + type: string + source: + description: source specifies whether the snapshot is (or should be) dynamically provisioned or already exists, and just requires a Kubernetes object representation. This field is immutable after creation. Required. + properties: + snapshotHandle: + description: snapshotHandle specifies the CSI "snapshot_id" of a pre-existing snapshot on the underlying storage system for which a Kubernetes object representation was (or should be) created. This field is immutable. + type: string + volumeHandle: + description: volumeHandle specifies the CSI "volume_id" of the volume from which a snapshot should be dynamically taken from. This field is immutable. + type: string + type: object + volumeSnapshotClassName: + description: name of the VolumeSnapshotClass from which this snapshot was (or will be) created. Note that after provisioning, the VolumeSnapshotClass may be deleted or recreated with different set of values, and as such, should not be referenced post-snapshot creation. + type: string + volumeSnapshotRef: + description: volumeSnapshotRef specifies the VolumeSnapshot object to which this VolumeSnapshotContent object is bound. VolumeSnapshot.Spec.VolumeSnapshotContentName field must reference to this VolumeSnapshotContent's name for the bidirectional binding to be valid. For a pre-existing VolumeSnapshotContent object, name and namespace of the VolumeSnapshot object MUST be provided for binding to happen. This field is immutable after creation. Required. + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + required: + - deletionPolicy + - driver + - source + - volumeSnapshotRef + type: object + status: + description: status represents the current information of a snapshot. + properties: + creationTime: + description: creationTime is the timestamp when the point-in-time snapshot is taken by the underlying storage system. In dynamic snapshot creation case, this field will be filled in by the CSI snapshotter sidecar with the "creation_time" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "creation_time" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. If not specified, it indicates the creation time is unknown. The format of this field is a Unix nanoseconds time encoded as an int64. On Unix, the command `date +%s%N` returns the current time in nanoseconds since 1970-01-01 00:00:00 UTC. + format: int64 + type: integer + error: + description: error is the last observed error during snapshot creation, if any. Upon success after retry, this error field will be cleared. + properties: + message: + description: 'message is a string detailing the encountered error during snapshot creation if specified. NOTE: message may be logged, and it should not contain sensitive information.' + type: string + time: + description: time is the timestamp when the error was encountered. + format: date-time + type: string + type: object + readyToUse: + description: readyToUse indicates if a snapshot is ready to be used to restore a volume. In dynamic snapshot creation case, this field will be filled in by the CSI snapshotter sidecar with the "ready_to_use" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "ready_to_use" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it, otherwise, this field will be set to "True". If not specified, it means the readiness of a snapshot is unknown. + type: boolean + restoreSize: + description: restoreSize represents the complete size of the snapshot in bytes. In dynamic snapshot creation case, this field will be filled in by the CSI snapshotter sidecar with the "size_bytes" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "size_bytes" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. When restoring a volume from this snapshot, the size of the volume MUST NOT be smaller than the restoreSize if it is specified, otherwise the restoration will fail. If not specified, it indicates that the size is unknown. + format: int64 + minimum: 0 + type: integer + snapshotHandle: + description: snapshotHandle is the CSI "snapshot_id" of a snapshot on the underlying storage system. If not specified, it indicates that dynamic snapshot creation has either failed or it is still in progress. + type: string + type: object + required: + - spec + type: object + served: false + storage: false + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end -}} diff --git a/charts/v1.34.3/azurefile-csi-driver/templates/csi-azurefile-controller.yaml b/charts/v1.34.3/azurefile-csi-driver/templates/csi-azurefile-controller.yaml new file mode 100644 index 0000000000..0e782b851b --- /dev/null +++ b/charts/v1.34.3/azurefile-csi-driver/templates/csi-azurefile-controller.yaml @@ -0,0 +1,285 @@ +kind: Deployment +apiVersion: apps/v1 +metadata: + name: {{ .Values.controller.name }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Values.controller.name }} + {{- include "azurefile.labels" . | nindent 4 }} +{{- with .Values.controller.labels }} +{{ . | toYaml | indent 4 }} +{{- end }} +{{- with .Values.controller.annotations }} + annotations: +{{ . | toYaml | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.controller.replicas }} + selector: + matchLabels: + {{- include "azurefile.selectorLabels" . | nindent 6 }} + app: {{ .Values.controller.name }} + strategy: + type: {{ .Values.controller.strategyType }} + template: + metadata: + labels: + {{- include "azurefile.labels" . | nindent 8 }} + app: {{ .Values.controller.name }} + {{- if .Values.workloadIdentity.clientID }} + azure.workload.identity/use: "true" + {{- end }} +{{- with .Values.controller.podLabels }} +{{ toYaml . | indent 8 }} +{{- end }} +{{- with .Values.controller.podAnnotations }} + annotations: +{{ toYaml . | indent 8 }} +{{- end }} + spec: + hostNetwork: {{ .Values.controller.hostNetwork }} + serviceAccountName: {{ .Values.serviceAccount.controller }} + nodeSelector: + kubernetes.io/os: linux +{{- with .Values.controller.nodeSelector }} +{{ toYaml . | indent 8 }} +{{- end }} + # runOnControlPlane=true or runOnMaster=true only takes effect if affinity is not set + {{- if tpl "{{ .Values.controller.affinity }}" . | contains "nodeSelectorTerms" }} + {{- with .Values.controller.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- else if or .Values.controller.runOnControlPlane .Values.controller.runOnMaster}} + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + {{- if .Values.controller.runOnControlPlane}} + - key: node-role.kubernetes.io/control-plane + operator: Exists + {{- end}} + {{- if .Values.controller.runOnMaster}} + - key: node-role.kubernetes.io/master + operator: Exists + {{- end}} + {{- end }} + priorityClassName: system-cluster-critical + securityContext: + seccompProfile: + type: RuntimeDefault +{{- with .Values.controller.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} +{{- end }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: +{{ toYaml .Values.imagePullSecrets | indent 8 }} + {{- end }} + containers: + - name: csi-provisioner +{{- if hasPrefix "/" .Values.image.csiProvisioner.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.csiProvisioner.repository }}:{{ .Values.image.csiProvisioner.tag }}" +{{- else }} + image: "{{ .Values.image.csiProvisioner.repository }}:{{ .Values.image.csiProvisioner.tag }}" +{{- end }} + args: + - "-v=2" + - "--csi-address=$(ADDRESS)" + - "--leader-election" + - "--leader-election-namespace={{ .Release.Namespace }}" + - "--timeout=1200s" + - "--extra-create-metadata=true" + - "--kube-api-qps=50" + - "--kube-api-burst=100" + - "--feature-gates=HonorPVReclaimPolicy=true" + - "--retry-interval-max=30m" + env: + - name: ADDRESS + value: /csi/csi.sock + imagePullPolicy: {{ .Values.image.csiProvisioner.pullPolicy }} + volumeMounts: + - mountPath: /csi + name: socket-dir + resources: {{- toYaml .Values.controller.resources.csiProvisioner | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL + - name: csi-snapshotter +{{- if hasPrefix "/" .Values.snapshot.image.csiSnapshotter.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.snapshot.image.csiSnapshotter.repository }}:{{ .Values.snapshot.image.csiSnapshotter.tag }}" +{{- else }} + image: "{{ .Values.snapshot.image.csiSnapshotter.repository }}:{{ .Values.snapshot.image.csiSnapshotter.tag }}" +{{- end }} + args: + - "-csi-address=$(ADDRESS)" + - "-leader-election" + - "--leader-election-namespace={{ .Release.Namespace }}" + - "-v=2" + - "--retry-interval-max=30m" + env: + - name: ADDRESS + value: /csi/csi.sock + volumeMounts: + - name: socket-dir + mountPath: /csi + resources: {{- toYaml .Values.controller.resources.csiSnapshotter | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL + - name: csi-resizer +{{- if hasPrefix "/" .Values.image.csiResizer.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.csiResizer.repository }}:{{ .Values.image.csiResizer.tag }}" +{{- else }} + image: "{{ .Values.image.csiResizer.repository }}:{{ .Values.image.csiResizer.tag }}" +{{- end }} + args: + - "-csi-address=$(ADDRESS)" + - "-v=2" + - "-leader-election" + - "--leader-election-namespace={{ .Release.Namespace }}" + - '-handle-volume-inuse-error=false' + - '-timeout=120s' + - '-feature-gates=RecoverVolumeExpansionFailure=true' + - "--retry-interval-max=30m" + env: + - name: ADDRESS + value: /csi/csi.sock + imagePullPolicy: {{ .Values.image.csiResizer.pullPolicy }} + volumeMounts: + - name: socket-dir + mountPath: /csi + resources: {{- toYaml .Values.controller.resources.csiResizer | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL + - name: liveness-probe +{{- if hasPrefix "/" .Values.image.livenessProbe.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}" +{{- else }} + image: "{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}" +{{- end }} + args: + - --csi-address=/csi/csi.sock + - --probe-timeout=3s +{{- if eq .Values.controller.hostNetwork true }} + - --http-endpoint=localhost:{{ .Values.controller.livenessProbe.healthPort }} +{{- else }} + - --health-port={{ .Values.controller.livenessProbe.healthPort }} +{{- end }} + - --v=2 + imagePullPolicy: {{ .Values.image.livenessProbe.pullPolicy }} + volumeMounts: + - name: socket-dir + mountPath: /csi + resources: {{- toYaml .Values.controller.resources.livenessProbe | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL + - name: azurefile +{{- if hasPrefix "/" .Values.image.azurefile.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}" +{{- else }} + image: "{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}" +{{- end }} + args: + - "--v={{ .Values.controller.logLevel }}" + - "--endpoint=$(CSI_ENDPOINT)" + - "--metrics-address=0.0.0.0:{{ .Values.controller.metricsPort }}" + - "--kubeconfig={{ .Values.controller.kubeconfig }}" + - "--drivername={{ .Values.driver.name }}" + - "--cloud-config-secret-name={{ .Values.controller.cloudConfigSecretName }}" + - "--cloud-config-secret-namespace={{ .Values.controller.cloudConfigSecretNamespace }}" + - "--custom-user-agent={{ .Values.driver.customUserAgent }}" + - "--user-agent-suffix={{ .Values.driver.userAgentSuffix }}" + - "--allow-empty-cloud-config={{ .Values.controller.allowEmptyCloudConfig }}" + ports: + - containerPort: {{ .Values.controller.metricsPort }} + name: metrics + protocol: TCP +{{- if ne .Values.controller.hostNetwork true }} + - containerPort: {{ .Values.controller.livenessProbe.healthPort }} + name: healthz + protocol: TCP +{{- end }} + livenessProbe: + failureThreshold: 5 + httpGet: + path: /healthz +{{- if eq .Values.controller.hostNetwork true }} + host: localhost + port: {{ .Values.controller.livenessProbe.healthPort }} +{{- else }} + port: healthz +{{- end }} + initialDelaySeconds: 30 + timeoutSeconds: 10 + periodSeconds: 30 + env: + - name: AZURE_CREDENTIAL_FILE + valueFrom: + configMapKeyRef: + name: {{ .Values.azureCredentialFileConfigMap }} + key: path + optional: true + - name: CSI_ENDPOINT + value: unix:///csi/csi.sock + {{- if ne .Values.driver.httpsProxy "" }} + - name: HTTPS_PROXY + value: {{ .Values.driver.httpsProxy }} + {{- end }} + {{- if ne .Values.driver.httpProxy "" }} + - name: HTTP_PROXY + value: {{ .Values.driver.httpProxy }} + {{- end }} + - name: AZURE_GO_SDK_LOG_LEVEL + value: {{ .Values.driver.azureGoSDKLogLevel }} + - name: AZCOPY_CONCURRENCY_VALUE + value: "10" + - name: AZCOPY_CONCURRENT_FILES + value: "20" + - name: AZCOPY_BUFFER_GB + value: "1" + imagePullPolicy: {{ .Values.image.azurefile.pullPolicy }} + volumeMounts: + - mountPath: /csi + name: socket-dir + - mountPath: /root/.azcopy + name: azcopy-dir + - mountPath: /etc/kubernetes/ + name: azure-cred + {{- if eq .Values.linux.distro "fedora" }} + - name: ssl + mountPath: /etc/ssl/certs + readOnly: true + - name: ssl-pki + mountPath: /etc/pki/ca-trust/extracted + readOnly: true + {{- end }} + resources: {{- toYaml .Values.controller.resources.azurefile | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL + volumes: + - name: socket-dir + emptyDir: {} + - name: azcopy-dir + emptyDir: {} + - name: azure-cred + hostPath: + path: /etc/kubernetes/ + type: DirectoryOrCreate + {{- if eq .Values.linux.distro "fedora" }} + - name: ssl + hostPath: + path: /etc/ssl/certs + - name: ssl-pki + hostPath: + path: /etc/pki/ca-trust/extracted + {{- end }} diff --git a/charts/v1.34.3/azurefile-csi-driver/templates/csi-azurefile-driver.yaml b/charts/v1.34.3/azurefile-csi-driver/templates/csi-azurefile-driver.yaml new file mode 100644 index 0000000000..77df01e32d --- /dev/null +++ b/charts/v1.34.3/azurefile-csi-driver/templates/csi-azurefile-driver.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: storage.k8s.io/v1 +kind: CSIDriver +metadata: + name: {{ .Values.driver.name }} + labels: + {{- include "azurefile.labels" . | nindent 4 }} + annotations: + csiDriver: "{{ .Values.image.azurefile.tag }}" + snapshot: "{{ .Values.snapshot.image.csiSnapshotter.tag }}" +spec: + attachRequired: {{ .Values.controller.attachRequired }} + podInfoOnMount: true + volumeLifecycleModes: + - Persistent + - Ephemeral + fsGroupPolicy: {{ .Values.feature.fsGroupPolicy }} + tokenRequests: + - audience: api://AzureADTokenExchange diff --git a/charts/v1.34.3/azurefile-csi-driver/templates/csi-azurefile-node-windows-hostprocess.yaml b/charts/v1.34.3/azurefile-csi-driver/templates/csi-azurefile-node-windows-hostprocess.yaml new file mode 100644 index 0000000000..30acee27fb --- /dev/null +++ b/charts/v1.34.3/azurefile-csi-driver/templates/csi-azurefile-node-windows-hostprocess.yaml @@ -0,0 +1,164 @@ +{{- if and .Values.windows.enabled .Values.windows.useHostProcessContainers }} +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: {{ .Values.windows.dsName }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Values.windows.dsName }} + {{- include "azurefile.labels" . | nindent 4 }} +{{- with .Values.windows.labels }} +{{ . | toYaml | indent 4 }} +{{- end }} +{{- with .Values.windows.annotations }} + annotations: +{{ . | toYaml | indent 4 }} +{{- end }} +spec: + updateStrategy: + rollingUpdate: + maxUnavailable: {{ .Values.node.maxUnavailable }} + type: {{ .Values.node.strategyType }} + selector: + matchLabels: + app: {{ .Values.windows.dsName }} + {{- include "azurefile.selectorLabels" . | nindent 6 }} + template: + metadata: + labels: + app: {{ .Values.windows.dsName }} + {{- include "azurefile.labels" . | nindent 8 }} +{{- with .Values.windows.podLabels }} +{{ toYaml . | indent 8 }} +{{- end }} +{{- with .Values.windows.podAnnotations }} + annotations: +{{ toYaml . | indent 8 }} +{{- end }} + spec: + serviceAccountName: {{ .Values.serviceAccount.node }} +{{- with .Values.windows.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} +{{- end }} + nodeSelector: + kubernetes.io/os: windows +{{- with .Values.windows.nodeSelector }} +{{ toYaml . | indent 8 }} +{{- end }} + affinity: +{{- with .Values.windows.affinity }} +{{ toYaml . | indent 8 }} +{{- end }} + nodeAffinity: +{{ toYaml .Values.windows.nodeAffinity | indent 10 }} + priorityClassName: system-node-critical + {{- if .Values.imagePullSecrets }} + imagePullSecrets: +{{ toYaml .Values.imagePullSecrets | indent 8 }} + {{- end }} + securityContext: + seccompProfile: + type: RuntimeDefault + windowsOptions: + hostProcess: true + runAsUserName: "NT AUTHORITY\\SYSTEM" + hostNetwork: true + initContainers: + - name: init +{{- if hasPrefix "/" .Values.image.azurefile.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}-windows-hp" +{{- else }} + image: "{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}-windows-hp" +{{- end }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + command: + - "powershell.exe" + - "-c" + - "New-Item -ItemType Directory -Path C:\\var\\lib\\kubelet\\plugins\\{{ .Values.driver.name }}\\ -Force" + securityContext: + capabilities: + drop: + - ALL + containers: + - name: node-driver-registrar +{{- if hasPrefix "/" .Values.image.nodeDriverRegistrar.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}" +{{- else }} + image: "{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}" +{{- end }} + command: + - "csi-node-driver-registrar.exe" + args: + - "--csi-address=$(CSI_ENDPOINT)" + - "--kubelet-registration-path=$(DRIVER_REG_SOCK_PATH)" + - "--plugin-registration-path=$(PLUGIN_REG_DIR)" + - "--v=2" + env: + - name: CSI_ENDPOINT + value: unix://{{ .Values.windows.kubelet }}\plugins\{{ .Values.driver.name }}\csi.sock + - name: DRIVER_REG_SOCK_PATH + value: C:\\var\\lib\\kubelet\\plugins\\{{ .Values.driver.name }}\\csi.sock + - name: PLUGIN_REG_DIR + value: C:\\var\\lib\\kubelet\\plugins_registry\\ + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + imagePullPolicy: {{ .Values.image.nodeDriverRegistrar.pullPolicy }} + resources: {{- toYaml .Values.windows.resources.nodeDriverRegistrar | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL + - name: azurefile +{{- if hasPrefix "/" .Values.image.azurefile.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}-windows-hp" +{{- else }} + image: "{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}-windows-hp" +{{- end }} + command: + - "azurefileplugin.exe" + args: + - "--v={{ .Values.node.logLevel }}" + - "--endpoint=$(CSI_ENDPOINT)" + - "--nodeid=$(KUBE_NODE_NAME)" + - "--kubeconfig={{ .Values.windows.kubeconfig }}" + - "--drivername={{ .Values.driver.name }}" + - "--cloud-config-secret-name={{ .Values.node.cloudConfigSecretName }}" + - "--cloud-config-secret-namespace={{ .Values.node.cloudConfigSecretNamespace }}" + - "--custom-user-agent={{ .Values.driver.customUserAgent }}" + - "--user-agent-suffix={{ .Values.driver.userAgentSuffix }}" + - "--allow-empty-cloud-config={{ .Values.node.allowEmptyCloudConfig }}" + - "--enable-get-volume-stats={{ .Values.feature.enableGetVolumeStats }}" + - "--enable-windows-host-process=true" + - "--metrics-address=0.0.0.0:{{ .Values.node.metricsPort }}" + env: + - name: AZURE_CREDENTIAL_FILE + valueFrom: + configMapKeyRef: + name: {{ .Values.azureCredentialFileConfigMap }} + key: path-windows + optional: true + - name: CSI_ENDPOINT + value: unix://{{ .Values.windows.kubelet }}\plugins\{{ .Values.driver.name }}\csi.sock + {{- if ne .Values.driver.httpsProxy "" }} + - name: HTTPS_PROXY + value: {{ .Values.driver.httpsProxy }} + {{- end }} + {{- if ne .Values.driver.httpProxy "" }} + - name: HTTP_PROXY + value: {{ .Values.driver.httpProxy }} + {{- end }} + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + imagePullPolicy: {{ .Values.image.pullPolicy }} + resources: {{- toYaml .Values.windows.resources.azurefile | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL +{{- end -}} diff --git a/charts/v1.34.3/azurefile-csi-driver/templates/csi-azurefile-node-windows.yaml b/charts/v1.34.3/azurefile-csi-driver/templates/csi-azurefile-node-windows.yaml new file mode 100644 index 0000000000..5083bc96a8 --- /dev/null +++ b/charts/v1.34.3/azurefile-csi-driver/templates/csi-azurefile-node-windows.yaml @@ -0,0 +1,229 @@ +{{- if and .Values.windows.enabled (not .Values.windows.useHostProcessContainers) }} +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: {{ .Values.windows.dsName }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Values.windows.dsName }} + {{- include "azurefile.labels" . | nindent 4 }} +{{- with .Values.windows.labels }} +{{ . | toYaml | indent 4 }} +{{- end }} +{{- with .Values.windows.annotations }} + annotations: +{{ . | toYaml | indent 4 }} +{{- end }} +spec: + updateStrategy: + rollingUpdate: + maxUnavailable: {{ .Values.node.maxUnavailable }} + type: {{ .Values.node.strategyType }} + selector: + matchLabels: + app: {{ .Values.windows.dsName }} + {{- include "azurefile.selectorLabels" . | nindent 6 }} + template: + metadata: + labels: + app: {{ .Values.windows.dsName }} + {{- include "azurefile.labels" . | nindent 8 }} +{{- with .Values.windows.podLabels }} +{{ toYaml . | indent 8 }} +{{- end }} +{{- with .Values.windows.podAnnotations }} + annotations: +{{ toYaml . | indent 8 }} +{{- end }} + spec: + serviceAccountName: {{ .Values.serviceAccount.node }} +{{- with .Values.windows.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} +{{- end }} + nodeSelector: + kubernetes.io/os: windows +{{- with .Values.windows.nodeSelector }} +{{ toYaml . | indent 8 }} +{{- end }} + affinity: +{{- with .Values.windows.affinity }} +{{ toYaml . | indent 8 }} +{{- end }} + nodeAffinity: +{{ toYaml .Values.windows.nodeAffinity | indent 10 }} + priorityClassName: system-node-critical + securityContext: + seccompProfile: + type: RuntimeDefault + {{- if .Values.imagePullSecrets }} + imagePullSecrets: +{{ toYaml .Values.imagePullSecrets | indent 8 }} + {{- end }} + containers: + - name: liveness-probe + volumeMounts: + - mountPath: C:\csi + name: plugin-dir +{{- if hasPrefix "/" .Values.image.livenessProbe.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}" +{{- else }} + image: "{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}" +{{- end }} + args: + - "--csi-address=$(CSI_ENDPOINT)" + - "--probe-timeout=3s" + - "--health-port={{ .Values.node.livenessProbe.healthPort }}" + - "--v=2" + env: + - name: CSI_ENDPOINT + value: unix://C:\\csi\\csi.sock + imagePullPolicy: {{ .Values.image.livenessProbe.pullPolicy }} + resources: {{- toYaml .Values.windows.resources.livenessProbe | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL + - name: node-driver-registrar +{{- if hasPrefix "/" .Values.image.nodeDriverRegistrar.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}" +{{- else }} + image: "{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}" +{{- end }} + args: + - "--csi-address=$(CSI_ENDPOINT)" + - "--kubelet-registration-path=$(DRIVER_REG_SOCK_PATH)" + - "--v=2" + env: + - name: CSI_ENDPOINT + value: unix://C:\\csi\\csi.sock + - name: DRIVER_REG_SOCK_PATH + value: C:\\var\\lib\\kubelet\\plugins\\{{ .Values.driver.name }}\\csi.sock + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + imagePullPolicy: {{ .Values.image.nodeDriverRegistrar.pullPolicy }} + volumeMounts: + - name: kubelet-dir + mountPath: "C:\\var\\lib\\kubelet" + - name: plugin-dir + mountPath: C:\csi + - name: registration-dir + mountPath: C:\registration + resources: {{- toYaml .Values.windows.resources.nodeDriverRegistrar | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL + - name: azurefile +{{- if hasPrefix "/" .Values.image.azurefile.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}" +{{- else }} + image: "{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}" +{{- end }} + args: + - "--v={{ .Values.node.logLevel }}" + - "--endpoint=$(CSI_ENDPOINT)" + - "--nodeid=$(KUBE_NODE_NAME)" + - "--kubeconfig={{ .Values.windows.kubeconfig }}" + - "--drivername={{ .Values.driver.name }}" + - "--cloud-config-secret-name={{ .Values.node.cloudConfigSecretName }}" + - "--cloud-config-secret-namespace={{ .Values.node.cloudConfigSecretNamespace }}" + - "--custom-user-agent={{ .Values.driver.customUserAgent }}" + - "--user-agent-suffix={{ .Values.driver.userAgentSuffix }}" + - "--allow-empty-cloud-config={{ .Values.node.allowEmptyCloudConfig }}" + - "--enable-get-volume-stats={{ .Values.feature.enableGetVolumeStats }}" + - "--allow-inline-volume-key-access-with-identity={{ .Values.node.allowInlineVolumeKeyAccessWithIdentity }}" + - "--metrics-address=0.0.0.0:{{ .Values.node.metricsPort }}" + ports: + - containerPort: {{ .Values.node.livenessProbe.healthPort }} + name: healthz + protocol: TCP + livenessProbe: + failureThreshold: 5 + httpGet: + path: /healthz + port: healthz + initialDelaySeconds: 60 + timeoutSeconds: 60 + periodSeconds: 60 + env: + - name: AZURE_CREDENTIAL_FILE + valueFrom: + configMapKeyRef: + name: {{ .Values.azureCredentialFileConfigMap }} + key: path-windows + optional: true + - name: CSI_ENDPOINT + value: unix://C:\\csi\\csi.sock + {{- if ne .Values.driver.httpsProxy "" }} + - name: HTTPS_PROXY + value: {{ .Values.driver.httpsProxy }} + {{- end }} + {{- if ne .Values.driver.httpProxy "" }} + - name: HTTP_PROXY + value: {{ .Values.driver.httpProxy }} + {{- end }} + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: AZURE_GO_SDK_LOG_LEVEL + value: {{ .Values.driver.azureGoSDKLogLevel }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + volumeMounts: + - name: kubelet-dir + mountPath: "C:\\var\\lib\\kubelet" + - name: plugin-dir + mountPath: C:\csi + - name: azure-config + mountPath: C:\k + - name: csi-proxy-fs-pipe-v1 + mountPath: \\.\pipe\csi-proxy-filesystem-v1 + - name: csi-proxy-smb-pipe-v1 + mountPath: \\.\pipe\csi-proxy-smb-v1 + # these paths are still included for compatibility, they're used + # only if the node has still the beta version of the CSI proxy + - name: csi-proxy-fs-pipe-v1beta1 + mountPath: \\.\pipe\csi-proxy-filesystem-v1beta1 + - name: csi-proxy-smb-pipe-v1beta1 + mountPath: \\.\pipe\csi-proxy-smb-v1beta1 + resources: {{- toYaml .Values.windows.resources.azurefile | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL + volumes: + - name: csi-proxy-fs-pipe-v1 + hostPath: + path: \\.\pipe\csi-proxy-filesystem-v1 + - name: csi-proxy-smb-pipe-v1 + hostPath: + path: \\.\pipe\csi-proxy-smb-v1 + # these paths are still included for compatibility, they're used + # only if the node has still the beta version of the CSI proxy + - name: csi-proxy-fs-pipe-v1beta1 + hostPath: + path: \\.\pipe\csi-proxy-filesystem-v1beta1 + - name: csi-proxy-smb-pipe-v1beta1 + hostPath: + path: \\.\pipe\csi-proxy-smb-v1beta1 + - name: registration-dir + hostPath: + path: {{ .Values.windows.kubelet }}\plugins_registry\ + type: Directory + - name: kubelet-dir + hostPath: + path: {{ .Values.windows.kubelet }}\ + type: Directory + - name: plugin-dir + hostPath: + path: {{ .Values.windows.kubelet }}\plugins\{{ .Values.driver.name }}\ + type: DirectoryOrCreate + - name: azure-config + hostPath: + path: C:\k + type: Directory +{{- end -}} diff --git a/charts/v1.34.3/azurefile-csi-driver/templates/csi-azurefile-node.yaml b/charts/v1.34.3/azurefile-csi-driver/templates/csi-azurefile-node.yaml new file mode 100644 index 0000000000..f11e21c718 --- /dev/null +++ b/charts/v1.34.3/azurefile-csi-driver/templates/csi-azurefile-node.yaml @@ -0,0 +1,321 @@ +{{- if .Values.linux.enabled}} +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: {{ .Values.linux.dsName }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Values.linux.dsName }} + {{- include "azurefile.labels" . | nindent 4 }} +{{- with .Values.linux.labels }} +{{ . | toYaml | indent 4 }} +{{- end }} +{{- with .Values.linux.annotations }} + annotations: +{{ . | toYaml | indent 4 }} +{{- end }} +spec: + updateStrategy: + rollingUpdate: + maxUnavailable: {{ .Values.node.maxUnavailable }} + type: {{ .Values.node.strategyType }} + selector: + matchLabels: + app: {{ .Values.linux.dsName }} + {{- include "azurefile.selectorLabels" . | nindent 6 }} + template: + metadata: + labels: + app: {{ .Values.linux.dsName }} + {{- include "azurefile.labels" . | nindent 8 }} + {{- if .Values.workloadIdentity.clientID }} + azure.workload.identity/use: "true" + {{- end }} +{{- with .Values.linux.podLabels }} +{{ toYaml . | indent 8 }} +{{- end }} +{{- with .Values.linux.podAnnotations }} + annotations: +{{ toYaml . | indent 8 }} +{{- end }} + spec: + hostNetwork: true + {{- if .Values.node.azurefileProxy.enabled }} + hostPID: true + {{- end }} + dnsPolicy: {{ .Values.linux.dnsPolicy }} + serviceAccountName: {{ .Values.serviceAccount.node }} + nodeSelector: + kubernetes.io/os: linux +{{- with .Values.linux.nodeSelector }} +{{ toYaml . | indent 8 }} +{{- end }} + affinity: +{{- with .Values.linux.affinity }} +{{ toYaml . | indent 8 }} +{{- end }} + nodeAffinity: +{{ toYaml .Values.linux.nodeAffinity | indent 10 }} + priorityClassName: system-node-critical + securityContext: + seccompProfile: + type: RuntimeDefault +{{- with .Values.linux.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} +{{- end }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: +{{ toYaml .Values.imagePullSecrets | indent 8 }} + {{- end }} + initContainers: + - name: install-azurefile-proxy +{{- if hasPrefix "/" .Values.image.azurefile.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}" +{{- else }} + image: "{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}" +{{- end }} + imagePullPolicy: IfNotPresent + command: + - "/azurefile-proxy/init.sh" + securityContext: + privileged: true + capabilities: + drop: + - ALL + env: + - name: DEBIAN_FRONTEND + value: "noninteractive" + - name: AZNFS_NONINTERACTIVE_INSTALL + value: "1" + - name: INSTALL_AZUREFILE_PROXY + value: "{{ .Values.node.azurefileProxy.enabled }}" + - name: INSTALL_AZNFS_MOUNT + value: "{{ .Values.node.azurefileProxy.installAznfsMount }}" + - name: KUBELET_PATH + value: "{{ .Values.linux.kubelet }}" + - name: MIGRATE_K8S_REPO + value: "{{ .Values.node.azurefileProxy.migrateK8sRepo }}" + - name: ENABLE_MI_AUTH + value: "{{ .Values.node.enableManagedIdentityAuth }}" + volumeMounts: + - name: host-usr + mountPath: /host/usr + - name: host-etc + mountPath: /host/etc + {{- if .Values.node.enableManagedIdentityAuth }} + - name: mountpoint-dir + mountPath: "{{ .Values.linux.kubelet }}" + mountPropagation: Bidirectional + {{- end }} + containers: + - name: liveness-probe + volumeMounts: + - mountPath: /csi + name: socket-dir +{{- if hasPrefix "/" .Values.image.livenessProbe.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}" +{{- else }} + image: "{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}" +{{- end }} + args: + - --csi-address=/csi/csi.sock + - --probe-timeout=10s + - --http-endpoint=localhost:{{ .Values.node.livenessProbe.healthPort }} + - --v=2 + imagePullPolicy: {{ .Values.image.livenessProbe.pullPolicy }} + resources: {{- toYaml .Values.linux.resources.livenessProbe | nindent 12 }} + - name: node-driver-registrar +{{- if hasPrefix "/" .Values.image.nodeDriverRegistrar.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}" +{{- else }} + image: "{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}" +{{- end }} + args: + - --csi-address=$(ADDRESS) + - --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH) + - --v=2 + env: + - name: ADDRESS + value: /csi/csi.sock + - name: DRIVER_REG_SOCK_PATH + value: {{ .Values.linux.kubelet }}/plugins/{{ .Values.driver.name }}/csi.sock + imagePullPolicy: {{ .Values.image.nodeDriverRegistrar.pullPolicy }} + volumeMounts: + - name: socket-dir + mountPath: /csi + - name: registration-dir + mountPath: /registration + resources: {{- toYaml .Values.linux.resources.nodeDriverRegistrar | nindent 12 }} +{{- if .Values.node.enableManagedIdentityAuth }} + - name: azfilesrefresh +{{- if hasPrefix "/" .Values.image.azurefile.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}" +{{- else }} + image: "{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}" +{{- end }} + imagePullPolicy: {{ .Values.image.azurefile.pullPolicy }} + command: + - "azfilesrefresh" + securityContext: + privileged: true + capabilities: + drop: + - ALL + volumeMounts: + - mountPath: "{{ .Values.linux.kubelet }}" + mountPropagation: Bidirectional + name: mountpoint-dir + - name: azfilesauth + mountPath: /etc/azfilesauth + - name: log-dir + mountPath: /var/log/ + resources: {{- toYaml .Values.linux.resources.azfilesrefresh | nindent 12 }} +{{- end }} + - name: azurefile +{{- if hasPrefix "/" .Values.image.azurefile.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}" +{{- else }} + image: "{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}" +{{- end }} + args: + - "--v={{ .Values.node.logLevel }}" + - "--endpoint=$(CSI_ENDPOINT)" + - "--azurefile-proxy-endpoint=$(AZUREFILE_PROXY_ENDPOINT)" + - "--enable-azurefile-proxy={{ .Values.node.azurefileProxy.enabled }}" + - "--nodeid=$(KUBE_NODE_NAME)" + - "--kubeconfig={{ .Values.linux.kubeconfig }}" + - "--drivername={{ .Values.driver.name }}" + - "--cloud-config-secret-name={{ .Values.node.cloudConfigSecretName }}" + - "--cloud-config-secret-namespace={{ .Values.node.cloudConfigSecretNamespace }}" + - "--custom-user-agent={{ .Values.driver.customUserAgent }}" + - "--user-agent-suffix={{ .Values.driver.userAgentSuffix }}" + - "--allow-empty-cloud-config={{ .Values.node.allowEmptyCloudConfig }}" + - "--enable-volume-mount-group={{ .Values.feature.enableVolumeMountGroup }}" + - "--enable-get-volume-stats={{ .Values.feature.enableGetVolumeStats }}" + - "--mount-permissions={{ .Values.linux.mountPermissions }}" + - "--allow-inline-volume-key-access-with-identity={{ .Values.node.allowInlineVolumeKeyAccessWithIdentity }}" + - "--metrics-address=0.0.0.0:{{ .Values.node.metricsPort }}" + - "--enable-kata-cc-mount={{ .Values.node.enableKataCCMount }}" + livenessProbe: + failureThreshold: 5 + httpGet: + host: localhost + path: /healthz + port: {{ .Values.node.livenessProbe.healthPort }} + initialDelaySeconds: 30 + timeoutSeconds: 30 + periodSeconds: 30 + env: + - name: AZURE_CREDENTIAL_FILE + valueFrom: + configMapKeyRef: + name: {{ .Values.azureCredentialFileConfigMap }} + key: path + optional: true + - name: CSI_ENDPOINT + value: unix:///csi/csi.sock + {{- if ne .Values.driver.httpsProxy "" }} + - name: HTTPS_PROXY + value: {{ .Values.driver.httpsProxy }} + {{- end }} + {{- if ne .Values.driver.httpProxy "" }} + - name: HTTP_PROXY + value: {{ .Values.driver.httpProxy }} + {{- end }} + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: AZURE_GO_SDK_LOG_LEVEL + value: {{ .Values.driver.azureGoSDKLogLevel }} + - name: AZUREFILE_PROXY_ENDPOINT + value: unix:///csi/azurefile-proxy.sock + imagePullPolicy: {{ .Values.image.azurefile.pullPolicy }} + securityContext: + privileged: true + capabilities: + drop: + - ALL + volumeMounts: + - mountPath: /csi + name: socket-dir + - mountPath: {{ .Values.linux.kubelet }}/ + mountPropagation: Bidirectional + name: mountpoint-dir + - mountPath: /etc/kubernetes/ + name: azure-cred + - mountPath: /dev + name: device-dir + {{- if eq .Values.linux.distro "fedora" }} + - name: ssl + mountPath: /etc/ssl/certs + readOnly: true + - name: ssl-pki + mountPath: /etc/pki/ca-trust/extracted + readOnly: true + {{- end }} + {{- if .Values.node.enableKataCCMount }} + - mountPath: /run/kata-containers/shared/direct-volumes + name: kata-direct-volumes + {{- end }} + {{- if .Values.node.enableManagedIdentityAuth }} + - name: log-dir + mountPath: /var/log/ + - name: azfilesauth + mountPath: /etc/azfilesauth + {{- end }} + resources: {{- toYaml .Values.linux.resources.azurefile | nindent 12 }} + volumes: + - name: host-usr + hostPath: + path: /usr + - name: host-etc + hostPath: + path: /etc + - name: azfilesauth + hostPath: + path: /etc/azfilesauth + type: DirectoryOrCreate + - hostPath: + path: {{ .Values.linux.kubelet }}/plugins/{{ .Values.driver.name }} + type: DirectoryOrCreate + name: socket-dir + - hostPath: + path: {{ .Values.linux.kubelet }}/ + type: DirectoryOrCreate + name: mountpoint-dir + - hostPath: + path: {{ .Values.linux.kubelet }}/plugins_registry/ + type: DirectoryOrCreate + name: registration-dir + - hostPath: + path: /etc/kubernetes/ + type: DirectoryOrCreate + name: azure-cred + - hostPath: + path: /dev + type: Directory + name: device-dir + {{- if eq .Values.linux.distro "fedora" }} + - name: ssl + hostPath: + path: /etc/ssl/certs + - name: ssl-pki + hostPath: + path: /etc/pki/ca-trust/extracted + {{- end }} + {{- if .Values.node.enableKataCCMount }} + - name: kata-direct-volumes + hostPath: + path: /run/kata-containers/shared/direct-volumes/ + type: DirectoryOrCreate + {{- end }} + {{- if .Values.node.enableManagedIdentityAuth }} + - hostPath: + path: /var/log/ + type: DirectoryOrCreate + name: log-dir + {{- end }} +{{- end -}} diff --git a/charts/v1.34.3/azurefile-csi-driver/templates/csi-snapshot-controller.yaml b/charts/v1.34.3/azurefile-csi-driver/templates/csi-snapshot-controller.yaml new file mode 100644 index 0000000000..c671d5ba89 --- /dev/null +++ b/charts/v1.34.3/azurefile-csi-driver/templates/csi-snapshot-controller.yaml @@ -0,0 +1,99 @@ +{{- if .Values.snapshot.enabled -}} +kind: Deployment +apiVersion: apps/v1 +metadata: + name: {{ .Values.snapshot.snapshotController.name}} + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Values.snapshot.snapshotController.name}} + {{- include "azurefile.labels" . | nindent 4 }} +{{- with .Values.snapshot.snapshotController.labels }} +{{ . | toYaml | indent 4 }} +{{- end }} +{{- with .Values.snapshot.snapshotController.annotations }} + annotations: +{{ . | toYaml | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.snapshot.snapshotController.replicas }} + selector: + matchLabels: + app: {{ .Values.snapshot.snapshotController.name}} + {{- include "azurefile.selectorLabels" . | nindent 6 }} + # the snapshot controller won't be marked as ready if the v1 CRDs are unavailable + # in #504 the snapshot-controller will exit after around 7.5 seconds if it + # can't find the v1 CRDs so this value should be greater than that + minReadySeconds: 15 + strategy: + rollingUpdate: + maxSurge: 0 + maxUnavailable: 1 + type: {{ .Values.snapshot.snapshotController.strategyType }} + template: + metadata: + labels: + app: {{ .Values.snapshot.snapshotController.name}} + {{- include "azurefile.labels" . | nindent 8 }} +{{- with .Values.snapshot.snapshotController.podLabels }} +{{ toYaml . | indent 8 }} +{{- end }} +{{- with .Values.snapshot.snapshotController.podAnnotations }} + annotations: +{{ toYaml . | indent 8 }} +{{- end }} + spec: + serviceAccountName: {{ .Values.serviceAccount.snapshotController }} + nodeSelector: + kubernetes.io/os: linux + # runOnControlPlane=true or runOnMaster=true only takes effect if affinity is not set + {{- if tpl "{{ .Values.controller.affinity }}" . | contains "nodeSelectorTerms" }} + {{- with .Values.controller.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- else if or .Values.controller.runOnControlPlane .Values.controller.runOnMaster}} + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + {{- if .Values.controller.runOnControlPlane}} + - key: node-role.kubernetes.io/control-plane + operator: Exists + {{- end}} + {{- if .Values.controller.runOnMaster}} + - key: node-role.kubernetes.io/master + operator: Exists + {{- end}} + {{- end }} + priorityClassName: system-cluster-critical + securityContext: + seccompProfile: + type: RuntimeDefault +{{- with .Values.controller.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} +{{- end }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: +{{ toYaml .Values.imagePullSecrets | indent 8 }} + {{- end }} + containers: + - name: {{ .Values.snapshot.snapshotController.name}} +{{- if hasPrefix "/" .Values.snapshot.image.csiSnapshotController.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.snapshot.image.csiSnapshotController.repository }}:{{ .Values.snapshot.image.csiSnapshotController.tag }}" +{{- else }} + image: "{{ .Values.snapshot.image.csiSnapshotController.repository }}:{{ .Values.snapshot.image.csiSnapshotController.tag }}" +{{- end }} + args: + - "--v=2" + - "--leader-election=true" + - "--leader-election-namespace={{ .Release.Namespace }}" + - "--retry-interval-max=30m" + resources: {{- toYaml .Values.snapshot.snapshotController.resources | nindent 12 }} + imagePullPolicy: {{ .Values.snapshot.image.csiSnapshotController.pullPolicy }} + securityContext: + capabilities: + drop: + - ALL +{{- end -}} diff --git a/charts/v1.34.3/azurefile-csi-driver/templates/rbac-csi-azurefile-controller.yaml b/charts/v1.34.3/azurefile-csi-driver/templates/rbac-csi-azurefile-controller.yaml new file mode 100644 index 0000000000..e0a2e14d95 --- /dev/null +++ b/charts/v1.34.3/azurefile-csi-driver/templates/rbac-csi-azurefile-controller.yaml @@ -0,0 +1,207 @@ +{{- if .Values.rbac.create -}} +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Values.rbac.name }}-external-provisioner-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "create", "patch", "delete"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["storage.k8s.io"] + resources: ["storageclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["get", "list", "watch", "create", "update", "patch"] + - apiGroups: ["storage.k8s.io"] + resources: ["csinodes"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "watch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots"] + verbs: ["get", "list"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["get", "list"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create", "patch"] +--- + +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Values.rbac.name }}-csi-provisioner-binding + labels: + {{- include "azurefile.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccount.controller }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: {{ .Values.rbac.name }}-external-provisioner-role + apiGroup: rbac.authorization.k8s.io + +--- + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Values.rbac.name }}-external-attacher-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "watch"] + - apiGroups: ["csi.storage.k8s.io"] + resources: ["csinodeinfos"] + verbs: ["get", "list", "watch"] + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments/status"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create", "patch"] +--- + +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Values.rbac.name }}-csi-attacher-binding + labels: + {{- include "azurefile.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccount.controller }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: {{ .Values.rbac.name }}-external-attacher-role + apiGroup: rbac.authorization.k8s.io + +--- + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Values.rbac.name }}-external-snapshotter-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["create", "get", "list", "watch", "update", "delete", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents/status"] + verbs: ["update", "patch"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create", "patch"] +--- + +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Values.rbac.name }}-csi-snapshotter-binding + labels: + {{- include "azurefile.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccount.controller }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: {{ .Values.rbac.name }}-external-snapshotter-role + apiGroup: rbac.authorization.k8s.io + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Values.rbac.name }}-external-resizer-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["persistentvolumeclaims/status"] + verbs: ["update", "patch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create", "patch"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Values.rbac.name }}-csi-resizer-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccount.controller }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: {{ .Values.rbac.name }}-external-resizer-role + apiGroup: rbac.authorization.k8s.io + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-{{ .Values.rbac.name }}-controller-secret-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "create"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-{{ .Values.rbac.name }}-controller-secret-binding + labels: + {{- include "azurefile.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccount.controller }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: csi-{{ .Values.rbac.name }}-controller-secret-role + apiGroup: rbac.authorization.k8s.io +{{ end }} diff --git a/charts/v1.34.3/azurefile-csi-driver/templates/rbac-csi-azurefile-node.yaml b/charts/v1.34.3/azurefile-csi-driver/templates/rbac-csi-azurefile-node.yaml new file mode 100644 index 0000000000..39790e1438 --- /dev/null +++ b/charts/v1.34.3/azurefile-csi-driver/templates/rbac-csi-azurefile-node.yaml @@ -0,0 +1,64 @@ +{{- if .Values.rbac.create -}} +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-{{ .Values.rbac.name }}-node-secret-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-{{ .Values.rbac.name }}-node-secret-binding + labels: + {{- include "azurefile.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccount.node }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: csi-{{ .Values.rbac.name }}-node-secret-role + apiGroup: rbac.authorization.k8s.io +--- +{{- if .Values.node.enableKataCCMount -}} +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-{{ .Values.rbac.name }}-node-katacc-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["pods"] + verbs: ["get"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get"] + - apiGroups: ["node.k8s.io"] + resources: ["runtimeclasses"] + verbs: ["get", "list"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-{{ .Values.rbac.name }}-node-katacc-binding + labels: + {{- include "azurefile.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccount.node }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: csi-{{ .Values.rbac.name }}-node-katacc-role + apiGroup: rbac.authorization.k8s.io +--- +{{ end }} +{{ end }} diff --git a/charts/v1.34.3/azurefile-csi-driver/templates/rbac-csi-snapshot-controller.yaml b/charts/v1.34.3/azurefile-csi-driver/templates/rbac-csi-snapshot-controller.yaml new file mode 100644 index 0000000000..853a9b4375 --- /dev/null +++ b/charts/v1.34.3/azurefile-csi-driver/templates/rbac-csi-snapshot-controller.yaml @@ -0,0 +1,80 @@ +{{- if and .Values.snapshot.enabled .Values.rbac.create -}} +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-snapshot-controller-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["storage.k8s.io"] + resources: ["storageclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["create", "get", "list", "watch", "update", "delete", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents/status"] + verbs: ["patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots"] + verbs: ["get", "list", "watch", "update", "patch", "create"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots/status"] + verbs: ["update", "patch"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-snapshot-controller-binding + labels: + {{- include "azurefile.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccount.snapshotController }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: csi-snapshot-controller-role + apiGroup: rbac.authorization.k8s.io + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-snapshot-controller-leaderelection-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +rules: + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create", "patch"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-snapshot-controller-leaderelection-binding + labels: + {{- include "azurefile.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccount.snapshotController }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: csi-snapshot-controller-leaderelection-role + apiGroup: rbac.authorization.k8s.io +{{ end }} diff --git a/charts/v1.34.3/azurefile-csi-driver/templates/serviceaccount-csi-azurefile-controller.yaml b/charts/v1.34.3/azurefile-csi-driver/templates/serviceaccount-csi-azurefile-controller.yaml new file mode 100644 index 0000000000..71442b70dc --- /dev/null +++ b/charts/v1.34.3/azurefile-csi-driver/templates/serviceaccount-csi-azurefile-controller.yaml @@ -0,0 +1,17 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ .Values.serviceAccount.controller }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "azurefile.labels" . | nindent 4 }} +{{- if .Values.workloadIdentity.clientID }} + azure.workload.identity/use: "true" + annotations: + azure.workload.identity/client-id: {{ .Values.workloadIdentity.clientID }} +{{- if .Values.workloadIdentity.tenantID }} + azure.workload.identity/tenant-id: {{ .Values.workloadIdentity.tenantID }} +{{- end }} +{{- end }} +{{- end -}} diff --git a/charts/v1.34.3/azurefile-csi-driver/templates/serviceaccount-csi-azurefile-node.yaml b/charts/v1.34.3/azurefile-csi-driver/templates/serviceaccount-csi-azurefile-node.yaml new file mode 100644 index 0000000000..ab2074429d --- /dev/null +++ b/charts/v1.34.3/azurefile-csi-driver/templates/serviceaccount-csi-azurefile-node.yaml @@ -0,0 +1,17 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ .Values.serviceAccount.node }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "azurefile.labels" . | nindent 4 }} +{{- if .Values.workloadIdentity.clientID }} + azure.workload.identity/use: "true" + annotations: + azure.workload.identity/client-id: {{ .Values.workloadIdentity.clientID }} +{{- if .Values.workloadIdentity.tenantID }} + azure.workload.identity/tenant-id: {{ .Values.workloadIdentity.tenantID }} +{{- end }} +{{- end }} +{{- end -}} diff --git a/charts/v1.34.3/azurefile-csi-driver/templates/serviceaccount-csi-snapshot-controller.yaml b/charts/v1.34.3/azurefile-csi-driver/templates/serviceaccount-csi-snapshot-controller.yaml new file mode 100644 index 0000000000..e77ef8f991 --- /dev/null +++ b/charts/v1.34.3/azurefile-csi-driver/templates/serviceaccount-csi-snapshot-controller.yaml @@ -0,0 +1,9 @@ +{{- if and .Values.snapshot.enabled .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ .Values.serviceAccount.snapshotController }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "azurefile.labels" . | nindent 4 }} +{{- end -}} diff --git a/charts/v1.34.3/azurefile-csi-driver/values.yaml b/charts/v1.34.3/azurefile-csi-driver/values.yaml new file mode 100644 index 0000000000..8cb9541cfc --- /dev/null +++ b/charts/v1.34.3/azurefile-csi-driver/values.yaml @@ -0,0 +1,275 @@ +image: + baseRepo: mcr.microsoft.com + azurefile: + repository: /oss/v2/kubernetes-csi/azurefile-csi + tag: v1.34.3 + pullPolicy: IfNotPresent + csiProvisioner: + repository: /oss/v2/kubernetes-csi/csi-provisioner + tag: v6.1.0 + pullPolicy: IfNotPresent + csiResizer: + repository: /oss/v2/kubernetes-csi/csi-resizer + tag: v2.0.0 + pullPolicy: IfNotPresent + livenessProbe: + repository: /oss/v2/kubernetes-csi/livenessprobe + tag: v2.17.0 + pullPolicy: IfNotPresent + nodeDriverRegistrar: + repository: /oss/v2/kubernetes-csi/csi-node-driver-registrar + tag: v2.15.0 + pullPolicy: IfNotPresent + +## Reference to one or more secrets to be used when pulling images +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ +imagePullSecrets: [] +# - name: myRegistryKeySecretName + +# -- Custom labels to add into metadata +customLabels: {} + # k8s-app: azurefile-csi-driver + +serviceAccount: + create: true # When true, service accounts will be created for you. Set to false if you want to use your own. + controller: csi-azurefile-controller-sa # Name of Service Account to be created or used + node: csi-azurefile-node-sa # Name of Service Account to be created or used + snapshotController: csi-snapshot-controller-sa # Name of Service Account to be created or used + +rbac: + create: true + name: azurefile + +controller: + name: csi-azurefile-controller + cloudConfigSecretName: azure-cloud-provider + cloudConfigSecretNamespace: kube-system + allowEmptyCloudConfig: true + replicas: 2 + strategyType: RollingUpdate + hostNetwork: true # this setting could be disabled if controller does not depend on MSI setting + metricsPort: 29614 + livenessProbe: + healthPort: 29612 + runOnMaster: false + runOnControlPlane: false + attachRequired: false + logLevel: 5 + labels: {} + annotations: {} + podLabels: {} + podAnnotations: {} + resources: + csiProvisioner: + limits: + cpu: 1 + memory: 500Mi + requests: + cpu: 10m + memory: 20Mi + csiResizer: + limits: + cpu: 1 + memory: 500Mi + requests: + cpu: 10m + memory: 20Mi + csiSnapshotter: + limits: + cpu: 1 + memory: 400Mi + requests: + cpu: 10m + memory: 20Mi + livenessProbe: + limits: + cpu: 1 + memory: 100Mi + requests: + cpu: 10m + memory: 20Mi + azfilesrefresh: + limits: + cpu: 1 + memory: 100Mi + requests: + cpu: 10m + memory: 20Mi + azurefile: + limits: + cpu: 2 + memory: 800Mi + requests: + cpu: 10m + memory: 20Mi + kubeconfig: "" + affinity: {} + nodeSelector: {} + tolerations: + - key: "node-role.kubernetes.io/master" + operator: "Exists" + effect: "NoSchedule" + - key: "node-role.kubernetes.io/controlplane" + operator: "Exists" + effect: "NoSchedule" + - key: "node-role.kubernetes.io/control-plane" + operator: "Exists" + effect: "NoSchedule" + - key: "CriticalAddonsOnly" + operator: "Exists" + effect: "NoSchedule" + +node: + strategyType: RollingUpdate + maxUnavailable: 1 + cloudConfigSecretName: azure-cloud-provider + cloudConfigSecretNamespace: kube-system + allowEmptyCloudConfig: true + allowInlineVolumeKeyAccessWithIdentity: false + enableKataCCMount: false + enableManagedIdentityAuth: true + metricsPort: 29615 + livenessProbe: + healthPort: 29613 + logLevel: 5 + azurefileProxy: + enabled: true + installAznfsMount: true + migrateK8sRepo: false + +snapshot: + enabled: false + image: + csiSnapshotter: + repository: /oss/v2/kubernetes-csi/csi-snapshotter + tag: v8.4.0 + pullPolicy: IfNotPresent + csiSnapshotController: + repository: /oss/v2/kubernetes-csi/snapshot-controller + tag: v8.4.0 + pullPolicy: IfNotPresent + snapshotController: + name: csi-snapshot-controller + replicas: 2 + strategyType: RollingUpdate + labels: {} + annotations: {} + podLabels: {} + podAnnotations: {} + resources: + limits: + cpu: 1 + memory: 500Mi + requests: + cpu: 10m + memory: 20Mi + +feature: + enableGetVolumeStats: true + enableVolumeMountGroup: true + fsGroupPolicy: ReadWriteOnceWithFSType + +driver: + name: file.csi.azure.com + customUserAgent: "" + userAgentSuffix: "OSS-helm" + azureGoSDKLogLevel: "" # available values: ""(no logs), DEBUG, INFO, WARNING, ERROR + httpsProxy: "" + httpProxy: "" + +linux: + enabled: true + dsName: csi-azurefile-node # daemonset name + dnsPolicy: Default # available values: Default, ClusterFirst, ClusterFirstWithHostNet, None + kubelet: /var/lib/kubelet + kubeconfig: "" + distro: debian # available values: debian, fedora + mountPermissions: 0777 + labels: {} + annotations: {} + podLabels: {} + podAnnotations: {} + resources: + livenessProbe: + limits: + memory: 100Mi + requests: + cpu: 10m + memory: 20Mi + nodeDriverRegistrar: + limits: + memory: 100Mi + requests: + cpu: 10m + memory: 20Mi + azurefile: + limits: + memory: 400Mi + requests: + cpu: 10m + memory: 20Mi + tolerations: + - operator: "Exists" + nodeSelector: {} + affinity: {} + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: type + operator: NotIn + values: + - virtual-kubelet + +windows: + enabled: true + useHostProcessContainers: true + dsName: csi-azurefile-node-win # daemonset name + kubelet: 'C:\var\lib\kubelet' + kubeconfig: "" + enableRegistrationProbe: true + labels: {} + annotations: {} + podLabels: {} + podAnnotations: {} + resources: + livenessProbe: + limits: + memory: 150Mi + requests: + cpu: 10m + memory: 40Mi + nodeDriverRegistrar: + limits: + memory: 150Mi + requests: + cpu: 30m + memory: 40Mi + azurefile: + limits: + memory: 600Mi + requests: + cpu: 10m + memory: 40Mi + tolerations: + - key: "node.kubernetes.io/os" + operator: "Exists" + effect: "NoSchedule" + nodeSelector: {} + affinity: {} + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: type + operator: NotIn + values: + - virtual-kubelet + +workloadIdentity: + clientID: "" + # [optional] If the AAD application or user-assigned managed identity is not in the same tenant as the cluster + # then set tenantID with the application or user-assigned managed identity tenant ID + tenantID: "" + +azureCredentialFileConfigMap: azure-cred-file diff --git a/charts/v1.35.0/azurefile-csi-driver-1.35.0.tgz b/charts/v1.35.0/azurefile-csi-driver-1.35.0.tgz new file mode 100644 index 0000000000..fdf255bb13 Binary files /dev/null and b/charts/v1.35.0/azurefile-csi-driver-1.35.0.tgz differ diff --git a/charts/v1.35.0/azurefile-csi-driver/Chart.yaml b/charts/v1.35.0/azurefile-csi-driver/Chart.yaml new file mode 100644 index 0000000000..73cbf8d042 --- /dev/null +++ b/charts/v1.35.0/azurefile-csi-driver/Chart.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +appVersion: 1.35.0 +description: Azure File Container Storage Interface (CSI) Storage Plugin +name: azurefile-csi-driver +version: 1.35.0 diff --git a/charts/v1.35.0/azurefile-csi-driver/templates/NOTES.txt b/charts/v1.35.0/azurefile-csi-driver/templates/NOTES.txt new file mode 100644 index 0000000000..bea09b0829 --- /dev/null +++ b/charts/v1.35.0/azurefile-csi-driver/templates/NOTES.txt @@ -0,0 +1,5 @@ +The Azure File CSI Driver is getting deployed to your cluster. + +To check Azure File CSI Driver pods status, please run: + + kubectl --namespace={{ .Release.Namespace }} get pods --selector="app.kubernetes.io/name={{ .Release.Name }}" --watch diff --git a/charts/v1.35.0/azurefile-csi-driver/templates/_helpers.tpl b/charts/v1.35.0/azurefile-csi-driver/templates/_helpers.tpl new file mode 100644 index 0000000000..b1bf4dc1b6 --- /dev/null +++ b/charts/v1.35.0/azurefile-csi-driver/templates/_helpers.tpl @@ -0,0 +1,49 @@ +{{/* vim: set filetype=mustache: */}} + +{{/* Expand the name of the chart.*/}} +{{- define "azurefile.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "azurefile.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Common selectors. +*/}} +{{- define "azurefile.selectorLabels" -}} +app.kubernetes.io/name: {{ template "azurefile.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end -}} + +{{/* +Common labels. +*/}} +{{- define "azurefile.labels" -}} +{{- include "azurefile.selectorLabels" . }} +app.kubernetes.io/component: csi-driver +app.kubernetes.io/part-of: {{ template "azurefile.name" . }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +helm.sh/chart: {{ template "azurefile.chart" . }} +{{- if .Values.customLabels }} +{{ toYaml .Values.customLabels }} +{{- end }} +{{- end -}} + + +{{/* pull secrets for containers */}} +{{- define "azurefile.pullSecrets" -}} +{{- if .Values.imagePullSecrets }} +imagePullSecrets: +{{- range .Values.imagePullSecrets }} + - name: {{ . }} +{{- end }} +{{- end }} +{{- end -}} diff --git a/charts/v1.35.0/azurefile-csi-driver/templates/crd-csi-snapshot.yaml b/charts/v1.35.0/azurefile-csi-driver/templates/crd-csi-snapshot.yaml new file mode 100644 index 0000000000..3a66c45732 --- /dev/null +++ b/charts/v1.35.0/azurefile-csi-driver/templates/crd-csi-snapshot.yaml @@ -0,0 +1,953 @@ +{{- if .Values.snapshot.enabled -}} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + api-approved.kubernetes.io: "https://github.com/kubernetes-csi/external-snapshotter/pull/814" + name: volumesnapshots.snapshot.storage.k8s.io +spec: + group: snapshot.storage.k8s.io + names: + kind: VolumeSnapshot + listKind: VolumeSnapshotList + plural: volumesnapshots + shortNames: + - vs + singular: volumesnapshot + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Indicates if the snapshot is ready to be used to restore a volume. + jsonPath: .status.readyToUse + name: ReadyToUse + type: boolean + - description: If a new snapshot needs to be created, this contains the name of + the source PVC from which this snapshot was (or will be) created. + jsonPath: .spec.source.persistentVolumeClaimName + name: SourcePVC + type: string + - description: If a snapshot already exists, this contains the name of the existing + VolumeSnapshotContent object representing the existing snapshot. + jsonPath: .spec.source.volumeSnapshotContentName + name: SourceSnapshotContent + type: string + - description: Represents the minimum size of volume required to rehydrate from + this snapshot. + jsonPath: .status.restoreSize + name: RestoreSize + type: string + - description: The name of the VolumeSnapshotClass requested by the VolumeSnapshot. + jsonPath: .spec.volumeSnapshotClassName + name: SnapshotClass + type: string + - description: Name of the VolumeSnapshotContent object to which the VolumeSnapshot + object intends to bind to. Please note that verification of binding actually + requires checking both VolumeSnapshot and VolumeSnapshotContent to ensure + both are pointing at each other. Binding MUST be verified prior to usage of + this object. + jsonPath: .status.boundVolumeSnapshotContentName + name: SnapshotContent + type: string + - description: Timestamp when the point-in-time snapshot was taken by the underlying + storage system. + jsonPath: .status.creationTime + name: CreationTime + type: date + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + VolumeSnapshot is a user's request for either creating a point-in-time + snapshot of a persistent volume, or binding to a pre-existing snapshot. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + spec defines the desired characteristics of a snapshot requested by a user. + More info: https://kubernetes.io/docs/concepts/storage/volume-snapshots#volumesnapshots + Required. + properties: + source: + description: |- + source specifies where a snapshot will be created from. + This field is immutable after creation. + Required. + properties: + persistentVolumeClaimName: + description: |- + persistentVolumeClaimName specifies the name of the PersistentVolumeClaim + object representing the volume from which a snapshot should be created. + This PVC is assumed to be in the same namespace as the VolumeSnapshot + object. + This field should be set if the snapshot does not exists, and needs to be + created. + This field is immutable. + type: string + x-kubernetes-validations: + - message: persistentVolumeClaimName is immutable + rule: self == oldSelf + volumeSnapshotContentName: + description: |- + volumeSnapshotContentName specifies the name of a pre-existing VolumeSnapshotContent + object representing an existing volume snapshot. + This field should be set if the snapshot already exists and only needs a representation in Kubernetes. + This field is immutable. + type: string + x-kubernetes-validations: + - message: volumeSnapshotContentName is immutable + rule: self == oldSelf + type: object + x-kubernetes-validations: + - message: persistentVolumeClaimName is required once set + rule: '!has(oldSelf.persistentVolumeClaimName) || has(self.persistentVolumeClaimName)' + - message: volumeSnapshotContentName is required once set + rule: '!has(oldSelf.volumeSnapshotContentName) || has(self.volumeSnapshotContentName)' + - message: exactly one of volumeSnapshotContentName and persistentVolumeClaimName + must be set + rule: (has(self.volumeSnapshotContentName) && !has(self.persistentVolumeClaimName)) + || (!has(self.volumeSnapshotContentName) && has(self.persistentVolumeClaimName)) + volumeSnapshotClassName: + description: |- + VolumeSnapshotClassName is the name of the VolumeSnapshotClass + requested by the VolumeSnapshot. + VolumeSnapshotClassName may be left nil to indicate that the default + SnapshotClass should be used. + A given cluster may have multiple default Volume SnapshotClasses: one + default per CSI Driver. If a VolumeSnapshot does not specify a SnapshotClass, + VolumeSnapshotSource will be checked to figure out what the associated + CSI Driver is, and the default VolumeSnapshotClass associated with that + CSI Driver will be used. If more than one VolumeSnapshotClass exist for + a given CSI Driver and more than one have been marked as default, + CreateSnapshot will fail and generate an event. + Empty string is not allowed for this field. + type: string + x-kubernetes-validations: + - message: volumeSnapshotClassName must not be the empty string when + set + rule: size(self) > 0 + required: + - source + type: object + status: + description: |- + status represents the current information of a snapshot. + Consumers must verify binding between VolumeSnapshot and + VolumeSnapshotContent objects is successful (by validating that both + VolumeSnapshot and VolumeSnapshotContent point at each other) before + using this object. + properties: + boundVolumeSnapshotContentName: + description: |- + boundVolumeSnapshotContentName is the name of the VolumeSnapshotContent + object to which this VolumeSnapshot object intends to bind to. + If not specified, it indicates that the VolumeSnapshot object has not been + successfully bound to a VolumeSnapshotContent object yet. + NOTE: To avoid possible security issues, consumers must verify binding between + VolumeSnapshot and VolumeSnapshotContent objects is successful (by validating that + both VolumeSnapshot and VolumeSnapshotContent point at each other) before using + this object. + type: string + creationTime: + description: |- + creationTime is the timestamp when the point-in-time snapshot is taken + by the underlying storage system. + In dynamic snapshot creation case, this field will be filled in by the + snapshot controller with the "creation_time" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "creation_time" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. + If not specified, it may indicate that the creation time of the snapshot is unknown. + format: date-time + type: string + error: + description: |- + error is the last observed error during snapshot creation, if any. + This field could be helpful to upper level controllers(i.e., application controller) + to decide whether they should continue on waiting for the snapshot to be created + based on the type of error reported. + The snapshot controller will keep retrying when an error occurs during the + snapshot creation. Upon success, this error field will be cleared. + properties: + message: + description: |- + message is a string detailing the encountered error during snapshot + creation if specified. + NOTE: message may be logged, and it should not contain sensitive + information. + type: string + time: + description: time is the timestamp when the error was encountered. + format: date-time + type: string + type: object + readyToUse: + description: |- + readyToUse indicates if the snapshot is ready to be used to restore a volume. + In dynamic snapshot creation case, this field will be filled in by the + snapshot controller with the "ready_to_use" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "ready_to_use" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it, + otherwise, this field will be set to "True". + If not specified, it means the readiness of a snapshot is unknown. + type: boolean + restoreSize: + type: string + description: |- + restoreSize represents the minimum size of volume required to create a volume + from this snapshot. + In dynamic snapshot creation case, this field will be filled in by the + snapshot controller with the "size_bytes" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "size_bytes" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. + When restoring a volume from this snapshot, the size of the volume MUST NOT + be smaller than the restoreSize if it is specified, otherwise the restoration will fail. + If not specified, it indicates that the size is unknown. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + volumeGroupSnapshotName: + description: |- + VolumeGroupSnapshotName is the name of the VolumeGroupSnapshot of which this + VolumeSnapshot is a part of. + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: Indicates if the snapshot is ready to be used to restore a volume. + jsonPath: .status.readyToUse + name: ReadyToUse + type: boolean + - description: If a new snapshot needs to be created, this contains the name of the source PVC from which this snapshot was (or will be) created. + jsonPath: .spec.source.persistentVolumeClaimName + name: SourcePVC + type: string + - description: If a snapshot already exists, this contains the name of the existing VolumeSnapshotContent object representing the existing snapshot. + jsonPath: .spec.source.volumeSnapshotContentName + name: SourceSnapshotContent + type: string + - description: Represents the minimum size of volume required to rehydrate from this snapshot. + jsonPath: .status.restoreSize + name: RestoreSize + type: string + - description: The name of the VolumeSnapshotClass requested by the VolumeSnapshot. + jsonPath: .spec.volumeSnapshotClassName + name: SnapshotClass + type: string + - description: Name of the VolumeSnapshotContent object to which the VolumeSnapshot object intends to bind to. Please note that verification of binding actually requires checking both VolumeSnapshot and VolumeSnapshotContent to ensure both are pointing at each other. Binding MUST be verified prior to usage of this object. + jsonPath: .status.boundVolumeSnapshotContentName + name: SnapshotContent + type: string + - description: Timestamp when the point-in-time snapshot was taken by the underlying storage system. + jsonPath: .status.creationTime + name: CreationTime + type: date + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + # This indicates the v1beta1 version of the custom resource is deprecated. + # API requests to this version receive a warning in the server response. + deprecated: true + # This overrides the default warning returned to clients making v1beta1 API requests. + deprecationWarning: "snapshot.storage.k8s.io/v1beta1 VolumeSnapshot is deprecated; use snapshot.storage.k8s.io/v1 VolumeSnapshot" + schema: + openAPIV3Schema: + description: VolumeSnapshot is a user's request for either creating a point-in-time snapshot of a persistent volume, or binding to a pre-existing snapshot. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + spec: + description: 'spec defines the desired characteristics of a snapshot requested by a user. More info: https://kubernetes.io/docs/concepts/storage/volume-snapshots#volumesnapshots Required.' + properties: + source: + description: source specifies where a snapshot will be created from. This field is immutable after creation. Required. + properties: + persistentVolumeClaimName: + description: persistentVolumeClaimName specifies the name of the PersistentVolumeClaim object representing the volume from which a snapshot should be created. This PVC is assumed to be in the same namespace as the VolumeSnapshot object. This field should be set if the snapshot does not exists, and needs to be created. This field is immutable. + type: string + volumeSnapshotContentName: + description: volumeSnapshotContentName specifies the name of a pre-existing VolumeSnapshotContent object representing an existing volume snapshot. This field should be set if the snapshot already exists and only needs a representation in Kubernetes. This field is immutable. + type: string + type: object + volumeSnapshotClassName: + description: 'VolumeSnapshotClassName is the name of the VolumeSnapshotClass requested by the VolumeSnapshot. VolumeSnapshotClassName may be left nil to indicate that the default SnapshotClass should be used. A given cluster may have multiple default Volume SnapshotClasses: one default per CSI Driver. If a VolumeSnapshot does not specify a SnapshotClass, VolumeSnapshotSource will be checked to figure out what the associated CSI Driver is, and the default VolumeSnapshotClass associated with that CSI Driver will be used. If more than one VolumeSnapshotClass exist for a given CSI Driver and more than one have been marked as default, CreateSnapshot will fail and generate an event. Empty string is not allowed for this field.' + type: string + required: + - source + type: object + status: + description: status represents the current information of a snapshot. Consumers must verify binding between VolumeSnapshot and VolumeSnapshotContent objects is successful (by validating that both VolumeSnapshot and VolumeSnapshotContent point at each other) before using this object. + properties: + boundVolumeSnapshotContentName: + description: 'boundVolumeSnapshotContentName is the name of the VolumeSnapshotContent object to which this VolumeSnapshot object intends to bind to. If not specified, it indicates that the VolumeSnapshot object has not been successfully bound to a VolumeSnapshotContent object yet. NOTE: To avoid possible security issues, consumers must verify binding between VolumeSnapshot and VolumeSnapshotContent objects is successful (by validating that both VolumeSnapshot and VolumeSnapshotContent point at each other) before using this object.' + type: string + creationTime: + description: creationTime is the timestamp when the point-in-time snapshot is taken by the underlying storage system. In dynamic snapshot creation case, this field will be filled in by the snapshot controller with the "creation_time" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "creation_time" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. If not specified, it may indicate that the creation time of the snapshot is unknown. + format: date-time + type: string + error: + description: error is the last observed error during snapshot creation, if any. This field could be helpful to upper level controllers(i.e., application controller) to decide whether they should continue on waiting for the snapshot to be created based on the type of error reported. The snapshot controller will keep retrying when an error occurs during the snapshot creation. Upon success, this error field will be cleared. + properties: + message: + description: 'message is a string detailing the encountered error during snapshot creation if specified. NOTE: message may be logged, and it should not contain sensitive information.' + type: string + time: + description: time is the timestamp when the error was encountered. + format: date-time + type: string + type: object + readyToUse: + description: readyToUse indicates if the snapshot is ready to be used to restore a volume. In dynamic snapshot creation case, this field will be filled in by the snapshot controller with the "ready_to_use" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "ready_to_use" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it, otherwise, this field will be set to "True". If not specified, it means the readiness of a snapshot is unknown. + type: boolean + restoreSize: + type: string + description: restoreSize represents the minimum size of volume required to create a volume from this snapshot. In dynamic snapshot creation case, this field will be filled in by the snapshot controller with the "size_bytes" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "size_bytes" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. When restoring a volume from this snapshot, the size of the volume MUST NOT be smaller than the restoreSize if it is specified, otherwise the restoration will fail. If not specified, it indicates that the size is unknown. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + required: + - spec + type: object + served: false + storage: false + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: "https://github.com/kubernetes-csi/external-snapshotter/pull/814" + controller-gen.kubebuilder.io/version: v0.15.0 + name: volumesnapshotclasses.snapshot.storage.k8s.io +spec: + group: snapshot.storage.k8s.io + names: + kind: VolumeSnapshotClass + listKind: VolumeSnapshotClassList + plural: volumesnapshotclasses + shortNames: + - vsclass + - vsclasses + singular: volumesnapshotclass + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .driver + name: Driver + type: string + - description: Determines whether a VolumeSnapshotContent created through the + VolumeSnapshotClass should be deleted when its bound VolumeSnapshot is deleted. + jsonPath: .deletionPolicy + name: DeletionPolicy + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + VolumeSnapshotClass specifies parameters that a underlying storage system uses when + creating a volume snapshot. A specific VolumeSnapshotClass is used by specifying its + name in a VolumeSnapshot object. + VolumeSnapshotClasses are non-namespaced + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + deletionPolicy: + description: |- + deletionPolicy determines whether a VolumeSnapshotContent created through + the VolumeSnapshotClass should be deleted when its bound VolumeSnapshot is deleted. + Supported values are "Retain" and "Delete". + "Retain" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are kept. + "Delete" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are deleted. + Required. + enum: + - Delete + - Retain + type: string + driver: + description: |- + driver is the name of the storage driver that handles this VolumeSnapshotClass. + Required. + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + parameters: + additionalProperties: + type: string + description: |- + parameters is a key-value map with storage driver specific parameters for creating snapshots. + These values are opaque to Kubernetes. + type: object + required: + - deletionPolicy + - driver + type: object + served: true + storage: true + subresources: {} + - additionalPrinterColumns: + - jsonPath: .driver + name: Driver + type: string + - description: Determines whether a VolumeSnapshotContent created through the VolumeSnapshotClass should be deleted when its bound VolumeSnapshot is deleted. + jsonPath: .deletionPolicy + name: DeletionPolicy + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + # This indicates the v1beta1 version of the custom resource is deprecated. + # API requests to this version receive a warning in the server response. + deprecated: true + # This overrides the default warning returned to clients making v1beta1 API requests. + deprecationWarning: "snapshot.storage.k8s.io/v1beta1 VolumeSnapshotClass is deprecated; use snapshot.storage.k8s.io/v1 VolumeSnapshotClass" + schema: + openAPIV3Schema: + description: VolumeSnapshotClass specifies parameters that a underlying storage system uses when creating a volume snapshot. A specific VolumeSnapshotClass is used by specifying its name in a VolumeSnapshot object. VolumeSnapshotClasses are non-namespaced + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + deletionPolicy: + description: deletionPolicy determines whether a VolumeSnapshotContent created through the VolumeSnapshotClass should be deleted when its bound VolumeSnapshot is deleted. Supported values are "Retain" and "Delete". "Retain" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are kept. "Delete" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are deleted. Required. + enum: + - Delete + - Retain + type: string + driver: + description: driver is the name of the storage driver that handles this VolumeSnapshotClass. Required. + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + parameters: + additionalProperties: + type: string + description: parameters is a key-value map with storage driver specific parameters for creating snapshots. These values are opaque to Kubernetes. + type: object + required: + - deletionPolicy + - driver + type: object + served: false + storage: false + subresources: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + api-approved.kubernetes.io: "https://github.com/kubernetes-csi/external-snapshotter/pull/955" + name: volumesnapshotcontents.snapshot.storage.k8s.io +spec: + group: snapshot.storage.k8s.io + names: + kind: VolumeSnapshotContent + listKind: VolumeSnapshotContentList + plural: volumesnapshotcontents + shortNames: + - vsc + - vscs + singular: volumesnapshotcontent + scope: Cluster + versions: + - additionalPrinterColumns: + - description: Indicates if the snapshot is ready to be used to restore a volume. + jsonPath: .status.readyToUse + name: ReadyToUse + type: boolean + - description: Represents the complete size of the snapshot in bytes + jsonPath: .status.restoreSize + name: RestoreSize + type: integer + - description: Determines whether this VolumeSnapshotContent and its physical + snapshot on the underlying storage system should be deleted when its bound + VolumeSnapshot is deleted. + jsonPath: .spec.deletionPolicy + name: DeletionPolicy + type: string + - description: Name of the CSI driver used to create the physical snapshot on + the underlying storage system. + jsonPath: .spec.driver + name: Driver + type: string + - description: Name of the VolumeSnapshotClass to which this snapshot belongs. + jsonPath: .spec.volumeSnapshotClassName + name: VolumeSnapshotClass + type: string + - description: Name of the VolumeSnapshot object to which this VolumeSnapshotContent + object is bound. + jsonPath: .spec.volumeSnapshotRef.name + name: VolumeSnapshot + type: string + - description: Namespace of the VolumeSnapshot object to which this VolumeSnapshotContent + object is bound. + jsonPath: .spec.volumeSnapshotRef.namespace + name: VolumeSnapshotNamespace + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + VolumeSnapshotContent represents the actual "on-disk" snapshot object in the + underlying storage system + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + spec defines properties of a VolumeSnapshotContent created by the underlying storage system. + Required. + properties: + deletionPolicy: + description: |- + deletionPolicy determines whether this VolumeSnapshotContent and its physical snapshot on + the underlying storage system should be deleted when its bound VolumeSnapshot is deleted. + Supported values are "Retain" and "Delete". + "Retain" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are kept. + "Delete" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are deleted. + For dynamically provisioned snapshots, this field will automatically be filled in by the + CSI snapshotter sidecar with the "DeletionPolicy" field defined in the corresponding + VolumeSnapshotClass. + For pre-existing snapshots, users MUST specify this field when creating the + VolumeSnapshotContent object. + Required. + enum: + - Delete + - Retain + type: string + driver: + description: |- + driver is the name of the CSI driver used to create the physical snapshot on + the underlying storage system. + This MUST be the same as the name returned by the CSI GetPluginName() call for + that driver. + Required. + type: string + source: + description: |- + source specifies whether the snapshot is (or should be) dynamically provisioned + or already exists, and just requires a Kubernetes object representation. + This field is immutable after creation. + Required. + properties: + snapshotHandle: + description: |- + snapshotHandle specifies the CSI "snapshot_id" of a pre-existing snapshot on + the underlying storage system for which a Kubernetes object representation + was (or should be) created. + This field is immutable. + type: string + x-kubernetes-validations: + - message: snapshotHandle is immutable + rule: self == oldSelf + volumeHandle: + description: |- + volumeHandle specifies the CSI "volume_id" of the volume from which a snapshot + should be dynamically taken from. + This field is immutable. + type: string + x-kubernetes-validations: + - message: volumeHandle is immutable + rule: self == oldSelf + type: object + x-kubernetes-validations: + - message: volumeHandle is required once set + rule: '!has(oldSelf.volumeHandle) || has(self.volumeHandle)' + - message: snapshotHandle is required once set + rule: '!has(oldSelf.snapshotHandle) || has(self.snapshotHandle)' + - message: exactly one of volumeHandle and snapshotHandle must be + set + rule: (has(self.volumeHandle) && !has(self.snapshotHandle)) || (!has(self.volumeHandle) + && has(self.snapshotHandle)) + sourceVolumeMode: + description: |- + SourceVolumeMode is the mode of the volume whose snapshot is taken. + Can be either "Filesystem" or "Block". + If not specified, it indicates the source volume's mode is unknown. + This field is immutable. + This field is an alpha field. + type: string + x-kubernetes-validations: + - message: sourceVolumeMode is immutable + rule: self == oldSelf + volumeSnapshotClassName: + description: |- + name of the VolumeSnapshotClass from which this snapshot was (or will be) + created. + Note that after provisioning, the VolumeSnapshotClass may be deleted or + recreated with different set of values, and as such, should not be referenced + post-snapshot creation. + type: string + volumeSnapshotRef: + description: |- + volumeSnapshotRef specifies the VolumeSnapshot object to which this + VolumeSnapshotContent object is bound. + VolumeSnapshot.Spec.VolumeSnapshotContentName field must reference to + this VolumeSnapshotContent's name for the bidirectional binding to be valid. + For a pre-existing VolumeSnapshotContent object, name and namespace of the + VolumeSnapshot object MUST be provided for binding to happen. + This field is immutable after creation. + Required. + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. + type: string + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + namespace: + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + type: string + resourceVersion: + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + type: string + uid: + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + type: string + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: both spec.volumeSnapshotRef.name and spec.volumeSnapshotRef.namespace + must be set + rule: has(self.name) && has(self.__namespace__) + required: + - deletionPolicy + - driver + - source + - volumeSnapshotRef + type: object + x-kubernetes-validations: + - message: sourceVolumeMode is required once set + rule: '!has(oldSelf.sourceVolumeMode) || has(self.sourceVolumeMode)' + status: + description: status represents the current information of a snapshot. + properties: + creationTime: + description: |- + creationTime is the timestamp when the point-in-time snapshot is taken + by the underlying storage system. + In dynamic snapshot creation case, this field will be filled in by the + CSI snapshotter sidecar with the "creation_time" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "creation_time" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. + If not specified, it indicates the creation time is unknown. + The format of this field is a Unix nanoseconds time encoded as an int64. + On Unix, the command `date +%s%N` returns the current time in nanoseconds + since 1970-01-01 00:00:00 UTC. + format: int64 + type: integer + error: + description: |- + error is the last observed error during snapshot creation, if any. + Upon success after retry, this error field will be cleared. + properties: + message: + description: |- + message is a string detailing the encountered error during snapshot + creation if specified. + NOTE: message may be logged, and it should not contain sensitive + information. + type: string + time: + description: time is the timestamp when the error was encountered. + format: date-time + type: string + type: object + readyToUse: + description: |- + readyToUse indicates if a snapshot is ready to be used to restore a volume. + In dynamic snapshot creation case, this field will be filled in by the + CSI snapshotter sidecar with the "ready_to_use" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "ready_to_use" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it, + otherwise, this field will be set to "True". + If not specified, it means the readiness of a snapshot is unknown. + type: boolean + restoreSize: + description: |- + restoreSize represents the complete size of the snapshot in bytes. + In dynamic snapshot creation case, this field will be filled in by the + CSI snapshotter sidecar with the "size_bytes" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "size_bytes" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. + When restoring a volume from this snapshot, the size of the volume MUST NOT + be smaller than the restoreSize if it is specified, otherwise the restoration will fail. + If not specified, it indicates that the size is unknown. + format: int64 + minimum: 0 + type: integer + snapshotHandle: + description: |- + snapshotHandle is the CSI "snapshot_id" of a snapshot on the underlying storage system. + If not specified, it indicates that dynamic snapshot creation has either failed + or it is still in progress. + type: string + volumeGroupSnapshotHandle: + description: |- + VolumeGroupSnapshotHandle is the CSI "group_snapshot_id" of a group snapshot + on the underlying storage system. + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: Indicates if the snapshot is ready to be used to restore a volume. + jsonPath: .status.readyToUse + name: ReadyToUse + type: boolean + - description: Represents the complete size of the snapshot in bytes + jsonPath: .status.restoreSize + name: RestoreSize + type: integer + - description: Determines whether this VolumeSnapshotContent and its physical snapshot on the underlying storage system should be deleted when its bound VolumeSnapshot is deleted. + jsonPath: .spec.deletionPolicy + name: DeletionPolicy + type: string + - description: Name of the CSI driver used to create the physical snapshot on the underlying storage system. + jsonPath: .spec.driver + name: Driver + type: string + - description: Name of the VolumeSnapshotClass to which this snapshot belongs. + jsonPath: .spec.volumeSnapshotClassName + name: VolumeSnapshotClass + type: string + - description: Name of the VolumeSnapshot object to which this VolumeSnapshotContent object is bound. + jsonPath: .spec.volumeSnapshotRef.name + name: VolumeSnapshot + type: string + - description: Namespace of the VolumeSnapshot object to which this VolumeSnapshotContent object is bound. + jsonPath: .spec.volumeSnapshotRef.namespace + name: VolumeSnapshotNamespace + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + # This indicates the v1beta1 version of the custom resource is deprecated. + # API requests to this version receive a warning in the server response. + deprecated: true + # This overrides the default warning returned to clients making v1beta1 API requests. + deprecationWarning: "snapshot.storage.k8s.io/v1beta1 VolumeSnapshotContent is deprecated; use snapshot.storage.k8s.io/v1 VolumeSnapshotContent" + schema: + openAPIV3Schema: + description: VolumeSnapshotContent represents the actual "on-disk" snapshot object in the underlying storage system + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + spec: + description: spec defines properties of a VolumeSnapshotContent created by the underlying storage system. Required. + properties: + deletionPolicy: + description: deletionPolicy determines whether this VolumeSnapshotContent and its physical snapshot on the underlying storage system should be deleted when its bound VolumeSnapshot is deleted. Supported values are "Retain" and "Delete". "Retain" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are kept. "Delete" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are deleted. For dynamically provisioned snapshots, this field will automatically be filled in by the CSI snapshotter sidecar with the "DeletionPolicy" field defined in the corresponding VolumeSnapshotClass. For pre-existing snapshots, users MUST specify this field when creating the VolumeSnapshotContent object. Required. + enum: + - Delete + - Retain + type: string + driver: + description: driver is the name of the CSI driver used to create the physical snapshot on the underlying storage system. This MUST be the same as the name returned by the CSI GetPluginName() call for that driver. Required. + type: string + source: + description: source specifies whether the snapshot is (or should be) dynamically provisioned or already exists, and just requires a Kubernetes object representation. This field is immutable after creation. Required. + properties: + snapshotHandle: + description: snapshotHandle specifies the CSI "snapshot_id" of a pre-existing snapshot on the underlying storage system for which a Kubernetes object representation was (or should be) created. This field is immutable. + type: string + volumeHandle: + description: volumeHandle specifies the CSI "volume_id" of the volume from which a snapshot should be dynamically taken from. This field is immutable. + type: string + type: object + volumeSnapshotClassName: + description: name of the VolumeSnapshotClass from which this snapshot was (or will be) created. Note that after provisioning, the VolumeSnapshotClass may be deleted or recreated with different set of values, and as such, should not be referenced post-snapshot creation. + type: string + volumeSnapshotRef: + description: volumeSnapshotRef specifies the VolumeSnapshot object to which this VolumeSnapshotContent object is bound. VolumeSnapshot.Spec.VolumeSnapshotContentName field must reference to this VolumeSnapshotContent's name for the bidirectional binding to be valid. For a pre-existing VolumeSnapshotContent object, name and namespace of the VolumeSnapshot object MUST be provided for binding to happen. This field is immutable after creation. Required. + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + required: + - deletionPolicy + - driver + - source + - volumeSnapshotRef + type: object + status: + description: status represents the current information of a snapshot. + properties: + creationTime: + description: creationTime is the timestamp when the point-in-time snapshot is taken by the underlying storage system. In dynamic snapshot creation case, this field will be filled in by the CSI snapshotter sidecar with the "creation_time" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "creation_time" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. If not specified, it indicates the creation time is unknown. The format of this field is a Unix nanoseconds time encoded as an int64. On Unix, the command `date +%s%N` returns the current time in nanoseconds since 1970-01-01 00:00:00 UTC. + format: int64 + type: integer + error: + description: error is the last observed error during snapshot creation, if any. Upon success after retry, this error field will be cleared. + properties: + message: + description: 'message is a string detailing the encountered error during snapshot creation if specified. NOTE: message may be logged, and it should not contain sensitive information.' + type: string + time: + description: time is the timestamp when the error was encountered. + format: date-time + type: string + type: object + readyToUse: + description: readyToUse indicates if a snapshot is ready to be used to restore a volume. In dynamic snapshot creation case, this field will be filled in by the CSI snapshotter sidecar with the "ready_to_use" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "ready_to_use" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it, otherwise, this field will be set to "True". If not specified, it means the readiness of a snapshot is unknown. + type: boolean + restoreSize: + description: restoreSize represents the complete size of the snapshot in bytes. In dynamic snapshot creation case, this field will be filled in by the CSI snapshotter sidecar with the "size_bytes" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "size_bytes" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. When restoring a volume from this snapshot, the size of the volume MUST NOT be smaller than the restoreSize if it is specified, otherwise the restoration will fail. If not specified, it indicates that the size is unknown. + format: int64 + minimum: 0 + type: integer + snapshotHandle: + description: snapshotHandle is the CSI "snapshot_id" of a snapshot on the underlying storage system. If not specified, it indicates that dynamic snapshot creation has either failed or it is still in progress. + type: string + type: object + required: + - spec + type: object + served: false + storage: false + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end -}} diff --git a/charts/v1.35.0/azurefile-csi-driver/templates/csi-azurefile-controller.yaml b/charts/v1.35.0/azurefile-csi-driver/templates/csi-azurefile-controller.yaml new file mode 100644 index 0000000000..0e782b851b --- /dev/null +++ b/charts/v1.35.0/azurefile-csi-driver/templates/csi-azurefile-controller.yaml @@ -0,0 +1,285 @@ +kind: Deployment +apiVersion: apps/v1 +metadata: + name: {{ .Values.controller.name }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Values.controller.name }} + {{- include "azurefile.labels" . | nindent 4 }} +{{- with .Values.controller.labels }} +{{ . | toYaml | indent 4 }} +{{- end }} +{{- with .Values.controller.annotations }} + annotations: +{{ . | toYaml | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.controller.replicas }} + selector: + matchLabels: + {{- include "azurefile.selectorLabels" . | nindent 6 }} + app: {{ .Values.controller.name }} + strategy: + type: {{ .Values.controller.strategyType }} + template: + metadata: + labels: + {{- include "azurefile.labels" . | nindent 8 }} + app: {{ .Values.controller.name }} + {{- if .Values.workloadIdentity.clientID }} + azure.workload.identity/use: "true" + {{- end }} +{{- with .Values.controller.podLabels }} +{{ toYaml . | indent 8 }} +{{- end }} +{{- with .Values.controller.podAnnotations }} + annotations: +{{ toYaml . | indent 8 }} +{{- end }} + spec: + hostNetwork: {{ .Values.controller.hostNetwork }} + serviceAccountName: {{ .Values.serviceAccount.controller }} + nodeSelector: + kubernetes.io/os: linux +{{- with .Values.controller.nodeSelector }} +{{ toYaml . | indent 8 }} +{{- end }} + # runOnControlPlane=true or runOnMaster=true only takes effect if affinity is not set + {{- if tpl "{{ .Values.controller.affinity }}" . | contains "nodeSelectorTerms" }} + {{- with .Values.controller.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- else if or .Values.controller.runOnControlPlane .Values.controller.runOnMaster}} + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + {{- if .Values.controller.runOnControlPlane}} + - key: node-role.kubernetes.io/control-plane + operator: Exists + {{- end}} + {{- if .Values.controller.runOnMaster}} + - key: node-role.kubernetes.io/master + operator: Exists + {{- end}} + {{- end }} + priorityClassName: system-cluster-critical + securityContext: + seccompProfile: + type: RuntimeDefault +{{- with .Values.controller.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} +{{- end }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: +{{ toYaml .Values.imagePullSecrets | indent 8 }} + {{- end }} + containers: + - name: csi-provisioner +{{- if hasPrefix "/" .Values.image.csiProvisioner.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.csiProvisioner.repository }}:{{ .Values.image.csiProvisioner.tag }}" +{{- else }} + image: "{{ .Values.image.csiProvisioner.repository }}:{{ .Values.image.csiProvisioner.tag }}" +{{- end }} + args: + - "-v=2" + - "--csi-address=$(ADDRESS)" + - "--leader-election" + - "--leader-election-namespace={{ .Release.Namespace }}" + - "--timeout=1200s" + - "--extra-create-metadata=true" + - "--kube-api-qps=50" + - "--kube-api-burst=100" + - "--feature-gates=HonorPVReclaimPolicy=true" + - "--retry-interval-max=30m" + env: + - name: ADDRESS + value: /csi/csi.sock + imagePullPolicy: {{ .Values.image.csiProvisioner.pullPolicy }} + volumeMounts: + - mountPath: /csi + name: socket-dir + resources: {{- toYaml .Values.controller.resources.csiProvisioner | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL + - name: csi-snapshotter +{{- if hasPrefix "/" .Values.snapshot.image.csiSnapshotter.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.snapshot.image.csiSnapshotter.repository }}:{{ .Values.snapshot.image.csiSnapshotter.tag }}" +{{- else }} + image: "{{ .Values.snapshot.image.csiSnapshotter.repository }}:{{ .Values.snapshot.image.csiSnapshotter.tag }}" +{{- end }} + args: + - "-csi-address=$(ADDRESS)" + - "-leader-election" + - "--leader-election-namespace={{ .Release.Namespace }}" + - "-v=2" + - "--retry-interval-max=30m" + env: + - name: ADDRESS + value: /csi/csi.sock + volumeMounts: + - name: socket-dir + mountPath: /csi + resources: {{- toYaml .Values.controller.resources.csiSnapshotter | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL + - name: csi-resizer +{{- if hasPrefix "/" .Values.image.csiResizer.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.csiResizer.repository }}:{{ .Values.image.csiResizer.tag }}" +{{- else }} + image: "{{ .Values.image.csiResizer.repository }}:{{ .Values.image.csiResizer.tag }}" +{{- end }} + args: + - "-csi-address=$(ADDRESS)" + - "-v=2" + - "-leader-election" + - "--leader-election-namespace={{ .Release.Namespace }}" + - '-handle-volume-inuse-error=false' + - '-timeout=120s' + - '-feature-gates=RecoverVolumeExpansionFailure=true' + - "--retry-interval-max=30m" + env: + - name: ADDRESS + value: /csi/csi.sock + imagePullPolicy: {{ .Values.image.csiResizer.pullPolicy }} + volumeMounts: + - name: socket-dir + mountPath: /csi + resources: {{- toYaml .Values.controller.resources.csiResizer | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL + - name: liveness-probe +{{- if hasPrefix "/" .Values.image.livenessProbe.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}" +{{- else }} + image: "{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}" +{{- end }} + args: + - --csi-address=/csi/csi.sock + - --probe-timeout=3s +{{- if eq .Values.controller.hostNetwork true }} + - --http-endpoint=localhost:{{ .Values.controller.livenessProbe.healthPort }} +{{- else }} + - --health-port={{ .Values.controller.livenessProbe.healthPort }} +{{- end }} + - --v=2 + imagePullPolicy: {{ .Values.image.livenessProbe.pullPolicy }} + volumeMounts: + - name: socket-dir + mountPath: /csi + resources: {{- toYaml .Values.controller.resources.livenessProbe | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL + - name: azurefile +{{- if hasPrefix "/" .Values.image.azurefile.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}" +{{- else }} + image: "{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}" +{{- end }} + args: + - "--v={{ .Values.controller.logLevel }}" + - "--endpoint=$(CSI_ENDPOINT)" + - "--metrics-address=0.0.0.0:{{ .Values.controller.metricsPort }}" + - "--kubeconfig={{ .Values.controller.kubeconfig }}" + - "--drivername={{ .Values.driver.name }}" + - "--cloud-config-secret-name={{ .Values.controller.cloudConfigSecretName }}" + - "--cloud-config-secret-namespace={{ .Values.controller.cloudConfigSecretNamespace }}" + - "--custom-user-agent={{ .Values.driver.customUserAgent }}" + - "--user-agent-suffix={{ .Values.driver.userAgentSuffix }}" + - "--allow-empty-cloud-config={{ .Values.controller.allowEmptyCloudConfig }}" + ports: + - containerPort: {{ .Values.controller.metricsPort }} + name: metrics + protocol: TCP +{{- if ne .Values.controller.hostNetwork true }} + - containerPort: {{ .Values.controller.livenessProbe.healthPort }} + name: healthz + protocol: TCP +{{- end }} + livenessProbe: + failureThreshold: 5 + httpGet: + path: /healthz +{{- if eq .Values.controller.hostNetwork true }} + host: localhost + port: {{ .Values.controller.livenessProbe.healthPort }} +{{- else }} + port: healthz +{{- end }} + initialDelaySeconds: 30 + timeoutSeconds: 10 + periodSeconds: 30 + env: + - name: AZURE_CREDENTIAL_FILE + valueFrom: + configMapKeyRef: + name: {{ .Values.azureCredentialFileConfigMap }} + key: path + optional: true + - name: CSI_ENDPOINT + value: unix:///csi/csi.sock + {{- if ne .Values.driver.httpsProxy "" }} + - name: HTTPS_PROXY + value: {{ .Values.driver.httpsProxy }} + {{- end }} + {{- if ne .Values.driver.httpProxy "" }} + - name: HTTP_PROXY + value: {{ .Values.driver.httpProxy }} + {{- end }} + - name: AZURE_GO_SDK_LOG_LEVEL + value: {{ .Values.driver.azureGoSDKLogLevel }} + - name: AZCOPY_CONCURRENCY_VALUE + value: "10" + - name: AZCOPY_CONCURRENT_FILES + value: "20" + - name: AZCOPY_BUFFER_GB + value: "1" + imagePullPolicy: {{ .Values.image.azurefile.pullPolicy }} + volumeMounts: + - mountPath: /csi + name: socket-dir + - mountPath: /root/.azcopy + name: azcopy-dir + - mountPath: /etc/kubernetes/ + name: azure-cred + {{- if eq .Values.linux.distro "fedora" }} + - name: ssl + mountPath: /etc/ssl/certs + readOnly: true + - name: ssl-pki + mountPath: /etc/pki/ca-trust/extracted + readOnly: true + {{- end }} + resources: {{- toYaml .Values.controller.resources.azurefile | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL + volumes: + - name: socket-dir + emptyDir: {} + - name: azcopy-dir + emptyDir: {} + - name: azure-cred + hostPath: + path: /etc/kubernetes/ + type: DirectoryOrCreate + {{- if eq .Values.linux.distro "fedora" }} + - name: ssl + hostPath: + path: /etc/ssl/certs + - name: ssl-pki + hostPath: + path: /etc/pki/ca-trust/extracted + {{- end }} diff --git a/charts/v1.35.0/azurefile-csi-driver/templates/csi-azurefile-driver.yaml b/charts/v1.35.0/azurefile-csi-driver/templates/csi-azurefile-driver.yaml new file mode 100644 index 0000000000..77df01e32d --- /dev/null +++ b/charts/v1.35.0/azurefile-csi-driver/templates/csi-azurefile-driver.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: storage.k8s.io/v1 +kind: CSIDriver +metadata: + name: {{ .Values.driver.name }} + labels: + {{- include "azurefile.labels" . | nindent 4 }} + annotations: + csiDriver: "{{ .Values.image.azurefile.tag }}" + snapshot: "{{ .Values.snapshot.image.csiSnapshotter.tag }}" +spec: + attachRequired: {{ .Values.controller.attachRequired }} + podInfoOnMount: true + volumeLifecycleModes: + - Persistent + - Ephemeral + fsGroupPolicy: {{ .Values.feature.fsGroupPolicy }} + tokenRequests: + - audience: api://AzureADTokenExchange diff --git a/charts/v1.35.0/azurefile-csi-driver/templates/csi-azurefile-node-windows-hostprocess.yaml b/charts/v1.35.0/azurefile-csi-driver/templates/csi-azurefile-node-windows-hostprocess.yaml new file mode 100644 index 0000000000..30acee27fb --- /dev/null +++ b/charts/v1.35.0/azurefile-csi-driver/templates/csi-azurefile-node-windows-hostprocess.yaml @@ -0,0 +1,164 @@ +{{- if and .Values.windows.enabled .Values.windows.useHostProcessContainers }} +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: {{ .Values.windows.dsName }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Values.windows.dsName }} + {{- include "azurefile.labels" . | nindent 4 }} +{{- with .Values.windows.labels }} +{{ . | toYaml | indent 4 }} +{{- end }} +{{- with .Values.windows.annotations }} + annotations: +{{ . | toYaml | indent 4 }} +{{- end }} +spec: + updateStrategy: + rollingUpdate: + maxUnavailable: {{ .Values.node.maxUnavailable }} + type: {{ .Values.node.strategyType }} + selector: + matchLabels: + app: {{ .Values.windows.dsName }} + {{- include "azurefile.selectorLabels" . | nindent 6 }} + template: + metadata: + labels: + app: {{ .Values.windows.dsName }} + {{- include "azurefile.labels" . | nindent 8 }} +{{- with .Values.windows.podLabels }} +{{ toYaml . | indent 8 }} +{{- end }} +{{- with .Values.windows.podAnnotations }} + annotations: +{{ toYaml . | indent 8 }} +{{- end }} + spec: + serviceAccountName: {{ .Values.serviceAccount.node }} +{{- with .Values.windows.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} +{{- end }} + nodeSelector: + kubernetes.io/os: windows +{{- with .Values.windows.nodeSelector }} +{{ toYaml . | indent 8 }} +{{- end }} + affinity: +{{- with .Values.windows.affinity }} +{{ toYaml . | indent 8 }} +{{- end }} + nodeAffinity: +{{ toYaml .Values.windows.nodeAffinity | indent 10 }} + priorityClassName: system-node-critical + {{- if .Values.imagePullSecrets }} + imagePullSecrets: +{{ toYaml .Values.imagePullSecrets | indent 8 }} + {{- end }} + securityContext: + seccompProfile: + type: RuntimeDefault + windowsOptions: + hostProcess: true + runAsUserName: "NT AUTHORITY\\SYSTEM" + hostNetwork: true + initContainers: + - name: init +{{- if hasPrefix "/" .Values.image.azurefile.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}-windows-hp" +{{- else }} + image: "{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}-windows-hp" +{{- end }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + command: + - "powershell.exe" + - "-c" + - "New-Item -ItemType Directory -Path C:\\var\\lib\\kubelet\\plugins\\{{ .Values.driver.name }}\\ -Force" + securityContext: + capabilities: + drop: + - ALL + containers: + - name: node-driver-registrar +{{- if hasPrefix "/" .Values.image.nodeDriverRegistrar.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}" +{{- else }} + image: "{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}" +{{- end }} + command: + - "csi-node-driver-registrar.exe" + args: + - "--csi-address=$(CSI_ENDPOINT)" + - "--kubelet-registration-path=$(DRIVER_REG_SOCK_PATH)" + - "--plugin-registration-path=$(PLUGIN_REG_DIR)" + - "--v=2" + env: + - name: CSI_ENDPOINT + value: unix://{{ .Values.windows.kubelet }}\plugins\{{ .Values.driver.name }}\csi.sock + - name: DRIVER_REG_SOCK_PATH + value: C:\\var\\lib\\kubelet\\plugins\\{{ .Values.driver.name }}\\csi.sock + - name: PLUGIN_REG_DIR + value: C:\\var\\lib\\kubelet\\plugins_registry\\ + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + imagePullPolicy: {{ .Values.image.nodeDriverRegistrar.pullPolicy }} + resources: {{- toYaml .Values.windows.resources.nodeDriverRegistrar | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL + - name: azurefile +{{- if hasPrefix "/" .Values.image.azurefile.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}-windows-hp" +{{- else }} + image: "{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}-windows-hp" +{{- end }} + command: + - "azurefileplugin.exe" + args: + - "--v={{ .Values.node.logLevel }}" + - "--endpoint=$(CSI_ENDPOINT)" + - "--nodeid=$(KUBE_NODE_NAME)" + - "--kubeconfig={{ .Values.windows.kubeconfig }}" + - "--drivername={{ .Values.driver.name }}" + - "--cloud-config-secret-name={{ .Values.node.cloudConfigSecretName }}" + - "--cloud-config-secret-namespace={{ .Values.node.cloudConfigSecretNamespace }}" + - "--custom-user-agent={{ .Values.driver.customUserAgent }}" + - "--user-agent-suffix={{ .Values.driver.userAgentSuffix }}" + - "--allow-empty-cloud-config={{ .Values.node.allowEmptyCloudConfig }}" + - "--enable-get-volume-stats={{ .Values.feature.enableGetVolumeStats }}" + - "--enable-windows-host-process=true" + - "--metrics-address=0.0.0.0:{{ .Values.node.metricsPort }}" + env: + - name: AZURE_CREDENTIAL_FILE + valueFrom: + configMapKeyRef: + name: {{ .Values.azureCredentialFileConfigMap }} + key: path-windows + optional: true + - name: CSI_ENDPOINT + value: unix://{{ .Values.windows.kubelet }}\plugins\{{ .Values.driver.name }}\csi.sock + {{- if ne .Values.driver.httpsProxy "" }} + - name: HTTPS_PROXY + value: {{ .Values.driver.httpsProxy }} + {{- end }} + {{- if ne .Values.driver.httpProxy "" }} + - name: HTTP_PROXY + value: {{ .Values.driver.httpProxy }} + {{- end }} + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + imagePullPolicy: {{ .Values.image.pullPolicy }} + resources: {{- toYaml .Values.windows.resources.azurefile | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL +{{- end -}} diff --git a/charts/v1.35.0/azurefile-csi-driver/templates/csi-azurefile-node-windows.yaml b/charts/v1.35.0/azurefile-csi-driver/templates/csi-azurefile-node-windows.yaml new file mode 100644 index 0000000000..5083bc96a8 --- /dev/null +++ b/charts/v1.35.0/azurefile-csi-driver/templates/csi-azurefile-node-windows.yaml @@ -0,0 +1,229 @@ +{{- if and .Values.windows.enabled (not .Values.windows.useHostProcessContainers) }} +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: {{ .Values.windows.dsName }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Values.windows.dsName }} + {{- include "azurefile.labels" . | nindent 4 }} +{{- with .Values.windows.labels }} +{{ . | toYaml | indent 4 }} +{{- end }} +{{- with .Values.windows.annotations }} + annotations: +{{ . | toYaml | indent 4 }} +{{- end }} +spec: + updateStrategy: + rollingUpdate: + maxUnavailable: {{ .Values.node.maxUnavailable }} + type: {{ .Values.node.strategyType }} + selector: + matchLabels: + app: {{ .Values.windows.dsName }} + {{- include "azurefile.selectorLabels" . | nindent 6 }} + template: + metadata: + labels: + app: {{ .Values.windows.dsName }} + {{- include "azurefile.labels" . | nindent 8 }} +{{- with .Values.windows.podLabels }} +{{ toYaml . | indent 8 }} +{{- end }} +{{- with .Values.windows.podAnnotations }} + annotations: +{{ toYaml . | indent 8 }} +{{- end }} + spec: + serviceAccountName: {{ .Values.serviceAccount.node }} +{{- with .Values.windows.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} +{{- end }} + nodeSelector: + kubernetes.io/os: windows +{{- with .Values.windows.nodeSelector }} +{{ toYaml . | indent 8 }} +{{- end }} + affinity: +{{- with .Values.windows.affinity }} +{{ toYaml . | indent 8 }} +{{- end }} + nodeAffinity: +{{ toYaml .Values.windows.nodeAffinity | indent 10 }} + priorityClassName: system-node-critical + securityContext: + seccompProfile: + type: RuntimeDefault + {{- if .Values.imagePullSecrets }} + imagePullSecrets: +{{ toYaml .Values.imagePullSecrets | indent 8 }} + {{- end }} + containers: + - name: liveness-probe + volumeMounts: + - mountPath: C:\csi + name: plugin-dir +{{- if hasPrefix "/" .Values.image.livenessProbe.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}" +{{- else }} + image: "{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}" +{{- end }} + args: + - "--csi-address=$(CSI_ENDPOINT)" + - "--probe-timeout=3s" + - "--health-port={{ .Values.node.livenessProbe.healthPort }}" + - "--v=2" + env: + - name: CSI_ENDPOINT + value: unix://C:\\csi\\csi.sock + imagePullPolicy: {{ .Values.image.livenessProbe.pullPolicy }} + resources: {{- toYaml .Values.windows.resources.livenessProbe | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL + - name: node-driver-registrar +{{- if hasPrefix "/" .Values.image.nodeDriverRegistrar.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}" +{{- else }} + image: "{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}" +{{- end }} + args: + - "--csi-address=$(CSI_ENDPOINT)" + - "--kubelet-registration-path=$(DRIVER_REG_SOCK_PATH)" + - "--v=2" + env: + - name: CSI_ENDPOINT + value: unix://C:\\csi\\csi.sock + - name: DRIVER_REG_SOCK_PATH + value: C:\\var\\lib\\kubelet\\plugins\\{{ .Values.driver.name }}\\csi.sock + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + imagePullPolicy: {{ .Values.image.nodeDriverRegistrar.pullPolicy }} + volumeMounts: + - name: kubelet-dir + mountPath: "C:\\var\\lib\\kubelet" + - name: plugin-dir + mountPath: C:\csi + - name: registration-dir + mountPath: C:\registration + resources: {{- toYaml .Values.windows.resources.nodeDriverRegistrar | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL + - name: azurefile +{{- if hasPrefix "/" .Values.image.azurefile.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}" +{{- else }} + image: "{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}" +{{- end }} + args: + - "--v={{ .Values.node.logLevel }}" + - "--endpoint=$(CSI_ENDPOINT)" + - "--nodeid=$(KUBE_NODE_NAME)" + - "--kubeconfig={{ .Values.windows.kubeconfig }}" + - "--drivername={{ .Values.driver.name }}" + - "--cloud-config-secret-name={{ .Values.node.cloudConfigSecretName }}" + - "--cloud-config-secret-namespace={{ .Values.node.cloudConfigSecretNamespace }}" + - "--custom-user-agent={{ .Values.driver.customUserAgent }}" + - "--user-agent-suffix={{ .Values.driver.userAgentSuffix }}" + - "--allow-empty-cloud-config={{ .Values.node.allowEmptyCloudConfig }}" + - "--enable-get-volume-stats={{ .Values.feature.enableGetVolumeStats }}" + - "--allow-inline-volume-key-access-with-identity={{ .Values.node.allowInlineVolumeKeyAccessWithIdentity }}" + - "--metrics-address=0.0.0.0:{{ .Values.node.metricsPort }}" + ports: + - containerPort: {{ .Values.node.livenessProbe.healthPort }} + name: healthz + protocol: TCP + livenessProbe: + failureThreshold: 5 + httpGet: + path: /healthz + port: healthz + initialDelaySeconds: 60 + timeoutSeconds: 60 + periodSeconds: 60 + env: + - name: AZURE_CREDENTIAL_FILE + valueFrom: + configMapKeyRef: + name: {{ .Values.azureCredentialFileConfigMap }} + key: path-windows + optional: true + - name: CSI_ENDPOINT + value: unix://C:\\csi\\csi.sock + {{- if ne .Values.driver.httpsProxy "" }} + - name: HTTPS_PROXY + value: {{ .Values.driver.httpsProxy }} + {{- end }} + {{- if ne .Values.driver.httpProxy "" }} + - name: HTTP_PROXY + value: {{ .Values.driver.httpProxy }} + {{- end }} + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: AZURE_GO_SDK_LOG_LEVEL + value: {{ .Values.driver.azureGoSDKLogLevel }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + volumeMounts: + - name: kubelet-dir + mountPath: "C:\\var\\lib\\kubelet" + - name: plugin-dir + mountPath: C:\csi + - name: azure-config + mountPath: C:\k + - name: csi-proxy-fs-pipe-v1 + mountPath: \\.\pipe\csi-proxy-filesystem-v1 + - name: csi-proxy-smb-pipe-v1 + mountPath: \\.\pipe\csi-proxy-smb-v1 + # these paths are still included for compatibility, they're used + # only if the node has still the beta version of the CSI proxy + - name: csi-proxy-fs-pipe-v1beta1 + mountPath: \\.\pipe\csi-proxy-filesystem-v1beta1 + - name: csi-proxy-smb-pipe-v1beta1 + mountPath: \\.\pipe\csi-proxy-smb-v1beta1 + resources: {{- toYaml .Values.windows.resources.azurefile | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL + volumes: + - name: csi-proxy-fs-pipe-v1 + hostPath: + path: \\.\pipe\csi-proxy-filesystem-v1 + - name: csi-proxy-smb-pipe-v1 + hostPath: + path: \\.\pipe\csi-proxy-smb-v1 + # these paths are still included for compatibility, they're used + # only if the node has still the beta version of the CSI proxy + - name: csi-proxy-fs-pipe-v1beta1 + hostPath: + path: \\.\pipe\csi-proxy-filesystem-v1beta1 + - name: csi-proxy-smb-pipe-v1beta1 + hostPath: + path: \\.\pipe\csi-proxy-smb-v1beta1 + - name: registration-dir + hostPath: + path: {{ .Values.windows.kubelet }}\plugins_registry\ + type: Directory + - name: kubelet-dir + hostPath: + path: {{ .Values.windows.kubelet }}\ + type: Directory + - name: plugin-dir + hostPath: + path: {{ .Values.windows.kubelet }}\plugins\{{ .Values.driver.name }}\ + type: DirectoryOrCreate + - name: azure-config + hostPath: + path: C:\k + type: Directory +{{- end -}} diff --git a/charts/v1.35.0/azurefile-csi-driver/templates/csi-azurefile-node.yaml b/charts/v1.35.0/azurefile-csi-driver/templates/csi-azurefile-node.yaml new file mode 100644 index 0000000000..f11e21c718 --- /dev/null +++ b/charts/v1.35.0/azurefile-csi-driver/templates/csi-azurefile-node.yaml @@ -0,0 +1,321 @@ +{{- if .Values.linux.enabled}} +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: {{ .Values.linux.dsName }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Values.linux.dsName }} + {{- include "azurefile.labels" . | nindent 4 }} +{{- with .Values.linux.labels }} +{{ . | toYaml | indent 4 }} +{{- end }} +{{- with .Values.linux.annotations }} + annotations: +{{ . | toYaml | indent 4 }} +{{- end }} +spec: + updateStrategy: + rollingUpdate: + maxUnavailable: {{ .Values.node.maxUnavailable }} + type: {{ .Values.node.strategyType }} + selector: + matchLabels: + app: {{ .Values.linux.dsName }} + {{- include "azurefile.selectorLabels" . | nindent 6 }} + template: + metadata: + labels: + app: {{ .Values.linux.dsName }} + {{- include "azurefile.labels" . | nindent 8 }} + {{- if .Values.workloadIdentity.clientID }} + azure.workload.identity/use: "true" + {{- end }} +{{- with .Values.linux.podLabels }} +{{ toYaml . | indent 8 }} +{{- end }} +{{- with .Values.linux.podAnnotations }} + annotations: +{{ toYaml . | indent 8 }} +{{- end }} + spec: + hostNetwork: true + {{- if .Values.node.azurefileProxy.enabled }} + hostPID: true + {{- end }} + dnsPolicy: {{ .Values.linux.dnsPolicy }} + serviceAccountName: {{ .Values.serviceAccount.node }} + nodeSelector: + kubernetes.io/os: linux +{{- with .Values.linux.nodeSelector }} +{{ toYaml . | indent 8 }} +{{- end }} + affinity: +{{- with .Values.linux.affinity }} +{{ toYaml . | indent 8 }} +{{- end }} + nodeAffinity: +{{ toYaml .Values.linux.nodeAffinity | indent 10 }} + priorityClassName: system-node-critical + securityContext: + seccompProfile: + type: RuntimeDefault +{{- with .Values.linux.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} +{{- end }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: +{{ toYaml .Values.imagePullSecrets | indent 8 }} + {{- end }} + initContainers: + - name: install-azurefile-proxy +{{- if hasPrefix "/" .Values.image.azurefile.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}" +{{- else }} + image: "{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}" +{{- end }} + imagePullPolicy: IfNotPresent + command: + - "/azurefile-proxy/init.sh" + securityContext: + privileged: true + capabilities: + drop: + - ALL + env: + - name: DEBIAN_FRONTEND + value: "noninteractive" + - name: AZNFS_NONINTERACTIVE_INSTALL + value: "1" + - name: INSTALL_AZUREFILE_PROXY + value: "{{ .Values.node.azurefileProxy.enabled }}" + - name: INSTALL_AZNFS_MOUNT + value: "{{ .Values.node.azurefileProxy.installAznfsMount }}" + - name: KUBELET_PATH + value: "{{ .Values.linux.kubelet }}" + - name: MIGRATE_K8S_REPO + value: "{{ .Values.node.azurefileProxy.migrateK8sRepo }}" + - name: ENABLE_MI_AUTH + value: "{{ .Values.node.enableManagedIdentityAuth }}" + volumeMounts: + - name: host-usr + mountPath: /host/usr + - name: host-etc + mountPath: /host/etc + {{- if .Values.node.enableManagedIdentityAuth }} + - name: mountpoint-dir + mountPath: "{{ .Values.linux.kubelet }}" + mountPropagation: Bidirectional + {{- end }} + containers: + - name: liveness-probe + volumeMounts: + - mountPath: /csi + name: socket-dir +{{- if hasPrefix "/" .Values.image.livenessProbe.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}" +{{- else }} + image: "{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}" +{{- end }} + args: + - --csi-address=/csi/csi.sock + - --probe-timeout=10s + - --http-endpoint=localhost:{{ .Values.node.livenessProbe.healthPort }} + - --v=2 + imagePullPolicy: {{ .Values.image.livenessProbe.pullPolicy }} + resources: {{- toYaml .Values.linux.resources.livenessProbe | nindent 12 }} + - name: node-driver-registrar +{{- if hasPrefix "/" .Values.image.nodeDriverRegistrar.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}" +{{- else }} + image: "{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}" +{{- end }} + args: + - --csi-address=$(ADDRESS) + - --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH) + - --v=2 + env: + - name: ADDRESS + value: /csi/csi.sock + - name: DRIVER_REG_SOCK_PATH + value: {{ .Values.linux.kubelet }}/plugins/{{ .Values.driver.name }}/csi.sock + imagePullPolicy: {{ .Values.image.nodeDriverRegistrar.pullPolicy }} + volumeMounts: + - name: socket-dir + mountPath: /csi + - name: registration-dir + mountPath: /registration + resources: {{- toYaml .Values.linux.resources.nodeDriverRegistrar | nindent 12 }} +{{- if .Values.node.enableManagedIdentityAuth }} + - name: azfilesrefresh +{{- if hasPrefix "/" .Values.image.azurefile.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}" +{{- else }} + image: "{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}" +{{- end }} + imagePullPolicy: {{ .Values.image.azurefile.pullPolicy }} + command: + - "azfilesrefresh" + securityContext: + privileged: true + capabilities: + drop: + - ALL + volumeMounts: + - mountPath: "{{ .Values.linux.kubelet }}" + mountPropagation: Bidirectional + name: mountpoint-dir + - name: azfilesauth + mountPath: /etc/azfilesauth + - name: log-dir + mountPath: /var/log/ + resources: {{- toYaml .Values.linux.resources.azfilesrefresh | nindent 12 }} +{{- end }} + - name: azurefile +{{- if hasPrefix "/" .Values.image.azurefile.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}" +{{- else }} + image: "{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}" +{{- end }} + args: + - "--v={{ .Values.node.logLevel }}" + - "--endpoint=$(CSI_ENDPOINT)" + - "--azurefile-proxy-endpoint=$(AZUREFILE_PROXY_ENDPOINT)" + - "--enable-azurefile-proxy={{ .Values.node.azurefileProxy.enabled }}" + - "--nodeid=$(KUBE_NODE_NAME)" + - "--kubeconfig={{ .Values.linux.kubeconfig }}" + - "--drivername={{ .Values.driver.name }}" + - "--cloud-config-secret-name={{ .Values.node.cloudConfigSecretName }}" + - "--cloud-config-secret-namespace={{ .Values.node.cloudConfigSecretNamespace }}" + - "--custom-user-agent={{ .Values.driver.customUserAgent }}" + - "--user-agent-suffix={{ .Values.driver.userAgentSuffix }}" + - "--allow-empty-cloud-config={{ .Values.node.allowEmptyCloudConfig }}" + - "--enable-volume-mount-group={{ .Values.feature.enableVolumeMountGroup }}" + - "--enable-get-volume-stats={{ .Values.feature.enableGetVolumeStats }}" + - "--mount-permissions={{ .Values.linux.mountPermissions }}" + - "--allow-inline-volume-key-access-with-identity={{ .Values.node.allowInlineVolumeKeyAccessWithIdentity }}" + - "--metrics-address=0.0.0.0:{{ .Values.node.metricsPort }}" + - "--enable-kata-cc-mount={{ .Values.node.enableKataCCMount }}" + livenessProbe: + failureThreshold: 5 + httpGet: + host: localhost + path: /healthz + port: {{ .Values.node.livenessProbe.healthPort }} + initialDelaySeconds: 30 + timeoutSeconds: 30 + periodSeconds: 30 + env: + - name: AZURE_CREDENTIAL_FILE + valueFrom: + configMapKeyRef: + name: {{ .Values.azureCredentialFileConfigMap }} + key: path + optional: true + - name: CSI_ENDPOINT + value: unix:///csi/csi.sock + {{- if ne .Values.driver.httpsProxy "" }} + - name: HTTPS_PROXY + value: {{ .Values.driver.httpsProxy }} + {{- end }} + {{- if ne .Values.driver.httpProxy "" }} + - name: HTTP_PROXY + value: {{ .Values.driver.httpProxy }} + {{- end }} + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: AZURE_GO_SDK_LOG_LEVEL + value: {{ .Values.driver.azureGoSDKLogLevel }} + - name: AZUREFILE_PROXY_ENDPOINT + value: unix:///csi/azurefile-proxy.sock + imagePullPolicy: {{ .Values.image.azurefile.pullPolicy }} + securityContext: + privileged: true + capabilities: + drop: + - ALL + volumeMounts: + - mountPath: /csi + name: socket-dir + - mountPath: {{ .Values.linux.kubelet }}/ + mountPropagation: Bidirectional + name: mountpoint-dir + - mountPath: /etc/kubernetes/ + name: azure-cred + - mountPath: /dev + name: device-dir + {{- if eq .Values.linux.distro "fedora" }} + - name: ssl + mountPath: /etc/ssl/certs + readOnly: true + - name: ssl-pki + mountPath: /etc/pki/ca-trust/extracted + readOnly: true + {{- end }} + {{- if .Values.node.enableKataCCMount }} + - mountPath: /run/kata-containers/shared/direct-volumes + name: kata-direct-volumes + {{- end }} + {{- if .Values.node.enableManagedIdentityAuth }} + - name: log-dir + mountPath: /var/log/ + - name: azfilesauth + mountPath: /etc/azfilesauth + {{- end }} + resources: {{- toYaml .Values.linux.resources.azurefile | nindent 12 }} + volumes: + - name: host-usr + hostPath: + path: /usr + - name: host-etc + hostPath: + path: /etc + - name: azfilesauth + hostPath: + path: /etc/azfilesauth + type: DirectoryOrCreate + - hostPath: + path: {{ .Values.linux.kubelet }}/plugins/{{ .Values.driver.name }} + type: DirectoryOrCreate + name: socket-dir + - hostPath: + path: {{ .Values.linux.kubelet }}/ + type: DirectoryOrCreate + name: mountpoint-dir + - hostPath: + path: {{ .Values.linux.kubelet }}/plugins_registry/ + type: DirectoryOrCreate + name: registration-dir + - hostPath: + path: /etc/kubernetes/ + type: DirectoryOrCreate + name: azure-cred + - hostPath: + path: /dev + type: Directory + name: device-dir + {{- if eq .Values.linux.distro "fedora" }} + - name: ssl + hostPath: + path: /etc/ssl/certs + - name: ssl-pki + hostPath: + path: /etc/pki/ca-trust/extracted + {{- end }} + {{- if .Values.node.enableKataCCMount }} + - name: kata-direct-volumes + hostPath: + path: /run/kata-containers/shared/direct-volumes/ + type: DirectoryOrCreate + {{- end }} + {{- if .Values.node.enableManagedIdentityAuth }} + - hostPath: + path: /var/log/ + type: DirectoryOrCreate + name: log-dir + {{- end }} +{{- end -}} diff --git a/charts/v1.35.0/azurefile-csi-driver/templates/csi-snapshot-controller.yaml b/charts/v1.35.0/azurefile-csi-driver/templates/csi-snapshot-controller.yaml new file mode 100644 index 0000000000..c671d5ba89 --- /dev/null +++ b/charts/v1.35.0/azurefile-csi-driver/templates/csi-snapshot-controller.yaml @@ -0,0 +1,99 @@ +{{- if .Values.snapshot.enabled -}} +kind: Deployment +apiVersion: apps/v1 +metadata: + name: {{ .Values.snapshot.snapshotController.name}} + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Values.snapshot.snapshotController.name}} + {{- include "azurefile.labels" . | nindent 4 }} +{{- with .Values.snapshot.snapshotController.labels }} +{{ . | toYaml | indent 4 }} +{{- end }} +{{- with .Values.snapshot.snapshotController.annotations }} + annotations: +{{ . | toYaml | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.snapshot.snapshotController.replicas }} + selector: + matchLabels: + app: {{ .Values.snapshot.snapshotController.name}} + {{- include "azurefile.selectorLabels" . | nindent 6 }} + # the snapshot controller won't be marked as ready if the v1 CRDs are unavailable + # in #504 the snapshot-controller will exit after around 7.5 seconds if it + # can't find the v1 CRDs so this value should be greater than that + minReadySeconds: 15 + strategy: + rollingUpdate: + maxSurge: 0 + maxUnavailable: 1 + type: {{ .Values.snapshot.snapshotController.strategyType }} + template: + metadata: + labels: + app: {{ .Values.snapshot.snapshotController.name}} + {{- include "azurefile.labels" . | nindent 8 }} +{{- with .Values.snapshot.snapshotController.podLabels }} +{{ toYaml . | indent 8 }} +{{- end }} +{{- with .Values.snapshot.snapshotController.podAnnotations }} + annotations: +{{ toYaml . | indent 8 }} +{{- end }} + spec: + serviceAccountName: {{ .Values.serviceAccount.snapshotController }} + nodeSelector: + kubernetes.io/os: linux + # runOnControlPlane=true or runOnMaster=true only takes effect if affinity is not set + {{- if tpl "{{ .Values.controller.affinity }}" . | contains "nodeSelectorTerms" }} + {{- with .Values.controller.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- else if or .Values.controller.runOnControlPlane .Values.controller.runOnMaster}} + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + {{- if .Values.controller.runOnControlPlane}} + - key: node-role.kubernetes.io/control-plane + operator: Exists + {{- end}} + {{- if .Values.controller.runOnMaster}} + - key: node-role.kubernetes.io/master + operator: Exists + {{- end}} + {{- end }} + priorityClassName: system-cluster-critical + securityContext: + seccompProfile: + type: RuntimeDefault +{{- with .Values.controller.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} +{{- end }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: +{{ toYaml .Values.imagePullSecrets | indent 8 }} + {{- end }} + containers: + - name: {{ .Values.snapshot.snapshotController.name}} +{{- if hasPrefix "/" .Values.snapshot.image.csiSnapshotController.repository }} + image: "{{ .Values.image.baseRepo }}{{ .Values.snapshot.image.csiSnapshotController.repository }}:{{ .Values.snapshot.image.csiSnapshotController.tag }}" +{{- else }} + image: "{{ .Values.snapshot.image.csiSnapshotController.repository }}:{{ .Values.snapshot.image.csiSnapshotController.tag }}" +{{- end }} + args: + - "--v=2" + - "--leader-election=true" + - "--leader-election-namespace={{ .Release.Namespace }}" + - "--retry-interval-max=30m" + resources: {{- toYaml .Values.snapshot.snapshotController.resources | nindent 12 }} + imagePullPolicy: {{ .Values.snapshot.image.csiSnapshotController.pullPolicy }} + securityContext: + capabilities: + drop: + - ALL +{{- end -}} diff --git a/charts/v1.35.0/azurefile-csi-driver/templates/rbac-csi-azurefile-controller.yaml b/charts/v1.35.0/azurefile-csi-driver/templates/rbac-csi-azurefile-controller.yaml new file mode 100644 index 0000000000..e0a2e14d95 --- /dev/null +++ b/charts/v1.35.0/azurefile-csi-driver/templates/rbac-csi-azurefile-controller.yaml @@ -0,0 +1,207 @@ +{{- if .Values.rbac.create -}} +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Values.rbac.name }}-external-provisioner-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "create", "patch", "delete"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["storage.k8s.io"] + resources: ["storageclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["get", "list", "watch", "create", "update", "patch"] + - apiGroups: ["storage.k8s.io"] + resources: ["csinodes"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "watch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots"] + verbs: ["get", "list"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["get", "list"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create", "patch"] +--- + +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Values.rbac.name }}-csi-provisioner-binding + labels: + {{- include "azurefile.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccount.controller }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: {{ .Values.rbac.name }}-external-provisioner-role + apiGroup: rbac.authorization.k8s.io + +--- + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Values.rbac.name }}-external-attacher-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "watch"] + - apiGroups: ["csi.storage.k8s.io"] + resources: ["csinodeinfos"] + verbs: ["get", "list", "watch"] + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments/status"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create", "patch"] +--- + +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Values.rbac.name }}-csi-attacher-binding + labels: + {{- include "azurefile.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccount.controller }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: {{ .Values.rbac.name }}-external-attacher-role + apiGroup: rbac.authorization.k8s.io + +--- + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Values.rbac.name }}-external-snapshotter-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["create", "get", "list", "watch", "update", "delete", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents/status"] + verbs: ["update", "patch"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create", "patch"] +--- + +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Values.rbac.name }}-csi-snapshotter-binding + labels: + {{- include "azurefile.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccount.controller }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: {{ .Values.rbac.name }}-external-snapshotter-role + apiGroup: rbac.authorization.k8s.io + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Values.rbac.name }}-external-resizer-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["persistentvolumeclaims/status"] + verbs: ["update", "patch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create", "patch"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Values.rbac.name }}-csi-resizer-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccount.controller }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: {{ .Values.rbac.name }}-external-resizer-role + apiGroup: rbac.authorization.k8s.io + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-{{ .Values.rbac.name }}-controller-secret-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "create"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-{{ .Values.rbac.name }}-controller-secret-binding + labels: + {{- include "azurefile.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccount.controller }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: csi-{{ .Values.rbac.name }}-controller-secret-role + apiGroup: rbac.authorization.k8s.io +{{ end }} diff --git a/charts/v1.35.0/azurefile-csi-driver/templates/rbac-csi-azurefile-node.yaml b/charts/v1.35.0/azurefile-csi-driver/templates/rbac-csi-azurefile-node.yaml new file mode 100644 index 0000000000..39790e1438 --- /dev/null +++ b/charts/v1.35.0/azurefile-csi-driver/templates/rbac-csi-azurefile-node.yaml @@ -0,0 +1,64 @@ +{{- if .Values.rbac.create -}} +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-{{ .Values.rbac.name }}-node-secret-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-{{ .Values.rbac.name }}-node-secret-binding + labels: + {{- include "azurefile.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccount.node }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: csi-{{ .Values.rbac.name }}-node-secret-role + apiGroup: rbac.authorization.k8s.io +--- +{{- if .Values.node.enableKataCCMount -}} +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-{{ .Values.rbac.name }}-node-katacc-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["pods"] + verbs: ["get"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get"] + - apiGroups: ["node.k8s.io"] + resources: ["runtimeclasses"] + verbs: ["get", "list"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-{{ .Values.rbac.name }}-node-katacc-binding + labels: + {{- include "azurefile.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccount.node }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: csi-{{ .Values.rbac.name }}-node-katacc-role + apiGroup: rbac.authorization.k8s.io +--- +{{ end }} +{{ end }} diff --git a/charts/v1.35.0/azurefile-csi-driver/templates/rbac-csi-snapshot-controller.yaml b/charts/v1.35.0/azurefile-csi-driver/templates/rbac-csi-snapshot-controller.yaml new file mode 100644 index 0000000000..853a9b4375 --- /dev/null +++ b/charts/v1.35.0/azurefile-csi-driver/templates/rbac-csi-snapshot-controller.yaml @@ -0,0 +1,80 @@ +{{- if and .Values.snapshot.enabled .Values.rbac.create -}} +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-snapshot-controller-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["storage.k8s.io"] + resources: ["storageclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["create", "get", "list", "watch", "update", "delete", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents/status"] + verbs: ["patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots"] + verbs: ["get", "list", "watch", "update", "patch", "create"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots/status"] + verbs: ["update", "patch"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-snapshot-controller-binding + labels: + {{- include "azurefile.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccount.snapshotController }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: csi-snapshot-controller-role + apiGroup: rbac.authorization.k8s.io + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-snapshot-controller-leaderelection-role + labels: + {{- include "azurefile.labels" . | nindent 4 }} +rules: + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create", "patch"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-snapshot-controller-leaderelection-binding + labels: + {{- include "azurefile.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccount.snapshotController }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: csi-snapshot-controller-leaderelection-role + apiGroup: rbac.authorization.k8s.io +{{ end }} diff --git a/charts/v1.35.0/azurefile-csi-driver/templates/serviceaccount-csi-azurefile-controller.yaml b/charts/v1.35.0/azurefile-csi-driver/templates/serviceaccount-csi-azurefile-controller.yaml new file mode 100644 index 0000000000..71442b70dc --- /dev/null +++ b/charts/v1.35.0/azurefile-csi-driver/templates/serviceaccount-csi-azurefile-controller.yaml @@ -0,0 +1,17 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ .Values.serviceAccount.controller }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "azurefile.labels" . | nindent 4 }} +{{- if .Values.workloadIdentity.clientID }} + azure.workload.identity/use: "true" + annotations: + azure.workload.identity/client-id: {{ .Values.workloadIdentity.clientID }} +{{- if .Values.workloadIdentity.tenantID }} + azure.workload.identity/tenant-id: {{ .Values.workloadIdentity.tenantID }} +{{- end }} +{{- end }} +{{- end -}} diff --git a/charts/v1.35.0/azurefile-csi-driver/templates/serviceaccount-csi-azurefile-node.yaml b/charts/v1.35.0/azurefile-csi-driver/templates/serviceaccount-csi-azurefile-node.yaml new file mode 100644 index 0000000000..ab2074429d --- /dev/null +++ b/charts/v1.35.0/azurefile-csi-driver/templates/serviceaccount-csi-azurefile-node.yaml @@ -0,0 +1,17 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ .Values.serviceAccount.node }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "azurefile.labels" . | nindent 4 }} +{{- if .Values.workloadIdentity.clientID }} + azure.workload.identity/use: "true" + annotations: + azure.workload.identity/client-id: {{ .Values.workloadIdentity.clientID }} +{{- if .Values.workloadIdentity.tenantID }} + azure.workload.identity/tenant-id: {{ .Values.workloadIdentity.tenantID }} +{{- end }} +{{- end }} +{{- end -}} diff --git a/charts/v1.35.0/azurefile-csi-driver/templates/serviceaccount-csi-snapshot-controller.yaml b/charts/v1.35.0/azurefile-csi-driver/templates/serviceaccount-csi-snapshot-controller.yaml new file mode 100644 index 0000000000..e77ef8f991 --- /dev/null +++ b/charts/v1.35.0/azurefile-csi-driver/templates/serviceaccount-csi-snapshot-controller.yaml @@ -0,0 +1,9 @@ +{{- if and .Values.snapshot.enabled .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ .Values.serviceAccount.snapshotController }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "azurefile.labels" . | nindent 4 }} +{{- end -}} diff --git a/charts/v1.35.0/azurefile-csi-driver/values.yaml b/charts/v1.35.0/azurefile-csi-driver/values.yaml new file mode 100644 index 0000000000..c33fc1c09e --- /dev/null +++ b/charts/v1.35.0/azurefile-csi-driver/values.yaml @@ -0,0 +1,275 @@ +image: + baseRepo: mcr.microsoft.com + azurefile: + repository: /oss/v2/kubernetes-csi/azurefile-csi + tag: v1.35.0 + pullPolicy: IfNotPresent + csiProvisioner: + repository: /oss/v2/kubernetes-csi/csi-provisioner + tag: v6.1.0 + pullPolicy: IfNotPresent + csiResizer: + repository: /oss/v2/kubernetes-csi/csi-resizer + tag: v2.0.0 + pullPolicy: IfNotPresent + livenessProbe: + repository: /oss/v2/kubernetes-csi/livenessprobe + tag: v2.17.0 + pullPolicy: IfNotPresent + nodeDriverRegistrar: + repository: /oss/v2/kubernetes-csi/csi-node-driver-registrar + tag: v2.15.0 + pullPolicy: IfNotPresent + +## Reference to one or more secrets to be used when pulling images +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ +imagePullSecrets: [] +# - name: myRegistryKeySecretName + +# -- Custom labels to add into metadata +customLabels: {} + # k8s-app: azurefile-csi-driver + +serviceAccount: + create: true # When true, service accounts will be created for you. Set to false if you want to use your own. + controller: csi-azurefile-controller-sa # Name of Service Account to be created or used + node: csi-azurefile-node-sa # Name of Service Account to be created or used + snapshotController: csi-snapshot-controller-sa # Name of Service Account to be created or used + +rbac: + create: true + name: azurefile + +controller: + name: csi-azurefile-controller + cloudConfigSecretName: azure-cloud-provider + cloudConfigSecretNamespace: kube-system + allowEmptyCloudConfig: true + replicas: 2 + strategyType: RollingUpdate + hostNetwork: true # this setting could be disabled if controller does not depend on MSI setting + metricsPort: 29614 + livenessProbe: + healthPort: 29612 + runOnMaster: false + runOnControlPlane: false + attachRequired: false + logLevel: 5 + labels: {} + annotations: {} + podLabels: {} + podAnnotations: {} + resources: + csiProvisioner: + limits: + cpu: 1 + memory: 500Mi + requests: + cpu: 10m + memory: 20Mi + csiResizer: + limits: + cpu: 1 + memory: 500Mi + requests: + cpu: 10m + memory: 20Mi + csiSnapshotter: + limits: + cpu: 1 + memory: 400Mi + requests: + cpu: 10m + memory: 20Mi + livenessProbe: + limits: + cpu: 1 + memory: 100Mi + requests: + cpu: 10m + memory: 20Mi + azfilesrefresh: + limits: + cpu: 1 + memory: 100Mi + requests: + cpu: 10m + memory: 20Mi + azurefile: + limits: + cpu: 2 + memory: 800Mi + requests: + cpu: 10m + memory: 20Mi + kubeconfig: "" + affinity: {} + nodeSelector: {} + tolerations: + - key: "node-role.kubernetes.io/master" + operator: "Exists" + effect: "NoSchedule" + - key: "node-role.kubernetes.io/controlplane" + operator: "Exists" + effect: "NoSchedule" + - key: "node-role.kubernetes.io/control-plane" + operator: "Exists" + effect: "NoSchedule" + - key: "CriticalAddonsOnly" + operator: "Exists" + effect: "NoSchedule" + +node: + strategyType: RollingUpdate + maxUnavailable: 1 + cloudConfigSecretName: azure-cloud-provider + cloudConfigSecretNamespace: kube-system + allowEmptyCloudConfig: true + allowInlineVolumeKeyAccessWithIdentity: false + enableKataCCMount: false + enableManagedIdentityAuth: true + metricsPort: 29615 + livenessProbe: + healthPort: 29613 + logLevel: 5 + azurefileProxy: + enabled: true + installAznfsMount: true + migrateK8sRepo: false + +snapshot: + enabled: false + image: + csiSnapshotter: + repository: /oss/v2/kubernetes-csi/csi-snapshotter + tag: v8.4.0 + pullPolicy: IfNotPresent + csiSnapshotController: + repository: /oss/v2/kubernetes-csi/snapshot-controller + tag: v8.4.0 + pullPolicy: IfNotPresent + snapshotController: + name: csi-snapshot-controller + replicas: 2 + strategyType: RollingUpdate + labels: {} + annotations: {} + podLabels: {} + podAnnotations: {} + resources: + limits: + cpu: 1 + memory: 500Mi + requests: + cpu: 10m + memory: 20Mi + +feature: + enableGetVolumeStats: true + enableVolumeMountGroup: true + fsGroupPolicy: ReadWriteOnceWithFSType + +driver: + name: file.csi.azure.com + customUserAgent: "" + userAgentSuffix: "OSS-helm" + azureGoSDKLogLevel: "" # available values: ""(no logs), DEBUG, INFO, WARNING, ERROR + httpsProxy: "" + httpProxy: "" + +linux: + enabled: true + dsName: csi-azurefile-node # daemonset name + dnsPolicy: Default # available values: Default, ClusterFirst, ClusterFirstWithHostNet, None + kubelet: /var/lib/kubelet + kubeconfig: "" + distro: debian # available values: debian, fedora + mountPermissions: 0777 + labels: {} + annotations: {} + podLabels: {} + podAnnotations: {} + resources: + livenessProbe: + limits: + memory: 100Mi + requests: + cpu: 10m + memory: 20Mi + nodeDriverRegistrar: + limits: + memory: 100Mi + requests: + cpu: 10m + memory: 20Mi + azurefile: + limits: + memory: 400Mi + requests: + cpu: 10m + memory: 20Mi + tolerations: + - operator: "Exists" + nodeSelector: {} + affinity: {} + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: type + operator: NotIn + values: + - virtual-kubelet + +windows: + enabled: true + useHostProcessContainers: true + dsName: csi-azurefile-node-win # daemonset name + kubelet: 'C:\var\lib\kubelet' + kubeconfig: "" + enableRegistrationProbe: true + labels: {} + annotations: {} + podLabels: {} + podAnnotations: {} + resources: + livenessProbe: + limits: + memory: 150Mi + requests: + cpu: 10m + memory: 40Mi + nodeDriverRegistrar: + limits: + memory: 150Mi + requests: + cpu: 30m + memory: 40Mi + azurefile: + limits: + memory: 600Mi + requests: + cpu: 10m + memory: 40Mi + tolerations: + - key: "node.kubernetes.io/os" + operator: "Exists" + effect: "NoSchedule" + nodeSelector: {} + affinity: {} + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: type + operator: NotIn + values: + - virtual-kubelet + +workloadIdentity: + clientID: "" + # [optional] If the AAD application or user-assigned managed identity is not in the same tenant as the cluster + # then set tenantID with the application or user-assigned managed identity tenant ID + tenantID: "" + +azureCredentialFileConfigMap: azure-cred-file diff --git a/deploy/csi-azurefile-controller.yaml b/deploy/csi-azurefile-controller.yaml index 6b69aeda50..e317e3facd 100644 --- a/deploy/csi-azurefile-controller.yaml +++ b/deploy/csi-azurefile-controller.yaml @@ -37,7 +37,7 @@ spec: effect: "NoSchedule" containers: - name: csi-provisioner - image: mcr.microsoft.com/oss/v2/kubernetes-csi/csi-provisioner:v5.3.0 + image: mcr.microsoft.com/oss/v2/kubernetes-csi/csi-provisioner:v6.1.0 args: - "-v=2" - "--csi-address=$(ADDRESS)" @@ -66,7 +66,7 @@ spec: drop: - ALL - name: csi-snapshotter - image: mcr.microsoft.com/oss/v2/kubernetes-csi/csi-snapshotter:v8.3.0 + image: mcr.microsoft.com/oss/v2/kubernetes-csi/csi-snapshotter:v8.4.0 args: - "-v=2" - "-csi-address=$(ADDRESS)" @@ -90,7 +90,7 @@ spec: drop: - ALL - name: csi-resizer - image: mcr.microsoft.com/oss/v2/kubernetes-csi/csi-resizer:v1.14.0 + image: mcr.microsoft.com/oss/v2/kubernetes-csi/csi-resizer:v2.0.0 args: - "-csi-address=$(ADDRESS)" - "-v=2" @@ -137,7 +137,7 @@ spec: drop: - ALL - name: azurefile - image: mcr.microsoft.com/oss/v2/kubernetes-csi/azurefile-csi:v1.34.1 + image: mcr.microsoft.com/oss/v2/kubernetes-csi/azurefile-csi:v1.35.0 imagePullPolicy: IfNotPresent args: - "--v=5" diff --git a/deploy/csi-azurefile-driver.yaml b/deploy/csi-azurefile-driver.yaml index 19f72f6ca0..2a309e30bf 100644 --- a/deploy/csi-azurefile-driver.yaml +++ b/deploy/csi-azurefile-driver.yaml @@ -4,7 +4,7 @@ kind: CSIDriver metadata: name: file.csi.azure.com annotations: - csiDriver: v1.34.0 + csiDriver: v1.35.0 snapshot: v6.2.2 spec: attachRequired: false @@ -13,5 +13,7 @@ spec: - Persistent - Ephemeral fsGroupPolicy: ReadWriteOnceWithFSType + requiresRepublish: true tokenRequests: - audience: api://AzureADTokenExchange + expirationSeconds: 3600 diff --git a/deploy/csi-azurefile-node-windows-hostprocess.yaml b/deploy/csi-azurefile-node-windows-hostprocess.yaml index b633ada13c..22bc7ab4e7 100644 --- a/deploy/csi-azurefile-node-windows-hostprocess.yaml +++ b/deploy/csi-azurefile-node-windows-hostprocess.yaml @@ -43,7 +43,7 @@ spec: hostNetwork: true initContainers: - name: init - image: mcr.microsoft.com/oss/v2/kubernetes-csi/azurefile-csi:v1.34.1-windows-hp + image: mcr.microsoft.com/oss/v2/kubernetes-csi/azurefile-csi:v1.35.0-windows-hp imagePullPolicy: IfNotPresent command: - "powershell.exe" @@ -86,7 +86,7 @@ spec: drop: - ALL - name: azurefile - image: mcr.microsoft.com/oss/v2/kubernetes-csi/azurefile-csi:v1.34.1-windows-hp + image: mcr.microsoft.com/oss/v2/kubernetes-csi/azurefile-csi:v1.35.0-windows-hp imagePullPolicy: IfNotPresent command: - "azurefileplugin.exe" diff --git a/deploy/csi-azurefile-node-windows.yaml b/deploy/csi-azurefile-node-windows.yaml index 504adbd035..778030ca54 100644 --- a/deploy/csi-azurefile-node-windows.yaml +++ b/deploy/csi-azurefile-node-windows.yaml @@ -94,7 +94,7 @@ spec: drop: - ALL - name: azurefile - image: mcr.microsoft.com/oss/v2/kubernetes-csi/azurefile-csi:v1.34.1 + image: mcr.microsoft.com/oss/v2/kubernetes-csi/azurefile-csi:v1.35.0 imagePullPolicy: IfNotPresent args: - --v=5 diff --git a/deploy/csi-azurefile-node.yaml b/deploy/csi-azurefile-node.yaml index acc03e400f..11c9045b3e 100644 --- a/deploy/csi-azurefile-node.yaml +++ b/deploy/csi-azurefile-node.yaml @@ -40,7 +40,7 @@ spec: - operator: "Exists" initContainers: - name: install-azurefile-proxy - image: mcr.microsoft.com/oss/v2/kubernetes-csi/azurefile-csi:v1.34.1 + image: mcr.microsoft.com/oss/v2/kubernetes-csi/azurefile-csi:v1.35.0 imagePullPolicy: IfNotPresent command: - "/azurefile-proxy/init.sh" @@ -116,7 +116,7 @@ spec: drop: - ALL - name: azurefile - image: mcr.microsoft.com/oss/v2/kubernetes-csi/azurefile-csi:v1.34.1 + image: mcr.microsoft.com/oss/v2/kubernetes-csi/azurefile-csi:v1.35.0 imagePullPolicy: IfNotPresent args: - "--v=5" @@ -168,8 +168,8 @@ spec: name: device-dir - mountPath: /run/kata-containers/shared/direct-volumes name: kata-direct-volumes - - name: host-etc - mountPath: /etc + - name: azfilesauth + mountPath: /etc/azfilesauth - name: log-dir mountPath: /var/log/ resources: @@ -179,7 +179,7 @@ spec: cpu: 10m memory: 20Mi - name: azfilesrefresh - image: mcr.microsoft.com/oss/v2/kubernetes-csi/azurefile-csi:v1.34.1 + image: mcr.microsoft.com/oss/v2/kubernetes-csi/azurefile-csi:v1.35.0 imagePullPolicy: IfNotPresent command: - "azfilesrefresh" @@ -192,8 +192,8 @@ spec: - mountPath: /var/lib/kubelet/ mountPropagation: Bidirectional name: mountpoint-dir - - name: host-etc - mountPath: /etc + - name: azfilesauth + mountPath: /etc/azfilesauth - name: log-dir mountPath: /var/log/ resources: @@ -209,6 +209,10 @@ spec: - name: host-etc hostPath: path: /etc + - name: azfilesauth + hostPath: + path: /etc/azfilesauth + type: DirectoryOrCreate - hostPath: path: /var/lib/kubelet/plugins/file.csi.azure.com type: DirectoryOrCreate diff --git a/deploy/csi-snapshot-controller.yaml b/deploy/csi-snapshot-controller.yaml index 1e08b79e46..4e34d50b38 100644 --- a/deploy/csi-snapshot-controller.yaml +++ b/deploy/csi-snapshot-controller.yaml @@ -45,7 +45,7 @@ spec: effect: "NoSchedule" containers: - name: csi-snapshot-controller - image: mcr.microsoft.com/oss/v2/kubernetes-csi/snapshot-controller:v8.3.0 + image: mcr.microsoft.com/oss/v2/kubernetes-csi/snapshot-controller:v8.4.0 args: - "--v=2" - "--leader-election=true" diff --git a/deploy/example/cloning/README.md b/deploy/example/cloning/README.md index 8405e32949..59f557a14d 100644 --- a/deploy/example/cloning/README.md +++ b/deploy/example/cloning/README.md @@ -7,8 +7,8 @@ - ensure that you have granted the `Storage File Data Privileged Contributor` role to the CSI driver controller identity; otherwise, the driver will utilize an SAS key for volume cloning operations. ## Prerequisites -- make sure that the virtual network hosting the driver controller pod is added to the list of allowed virtual networks in the storage account's VNet settings - - if the driver controller pod is managed by AKS, you need to set `Enable from all networks` in the storage account's VNet settings +- Ensure that the virtual network hosting the driver controller pod is included in the allowed virtual networks list within the storage account's VNet settings. + - If the driver controller pod is managed by AKS, configure the storage account's VNet settings to `Enable from all networks`. ## Create a Source PVC diff --git a/deploy/example/metrics/README.md b/deploy/example/metrics/README.md index c3064d842b..c445198475 100644 --- a/deploy/example/metrics/README.md +++ b/deploy/example/metrics/README.md @@ -7,8 +7,8 @@ kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi 2. Get `EXTERNAL-IP` of service `csi-azurefile-controller` ```console $ kubectl get svc csi-azurefile-controller -n kube-system -NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE -csi-azurefile-controller ClusterIP 10.0.184.0 20.39.21.132 29614/TCP 47m +NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE +csi-azurefile-controller LoadBalancer 10.0.184.0 20.39.21.132 29614:30563/TCP 47m ``` 3. Run following command to get cloudprovider_azure operation metrics @@ -17,8 +17,58 @@ ip=`kubectl get svc csi-azurefile-controller -n kube-system | grep file | awk '{ curl http://$ip:29614/metrics | grep cloudprovider_azure | grep file | grep -e sum -e count ``` +4. Run following command to get CSI-specific operation metrics +```console +ip=`kubectl get svc csi-azurefile-controller -n kube-system | grep file | awk '{print $4}'` +curl http://$ip:29614/metrics | grep azurefile_csi_driver_operation | grep -e sum -e count +``` + + +## CSI Driver Metrics + +The Azure File CSI driver exposes the following custom metrics: + +### Controller Metrics (port 29614) + +| Metric | Type | Labels | Description | +|--------|------|--------|-------------| +| `azurefile_csi_driver_operation_duration_seconds` | Histogram | `operation`, `success` | Duration of CSI operations in seconds | +| `azurefile_csi_driver_operation_duration_seconds_labeled` | Histogram | `operation`, `success`, `protocol`, `storage_account_type` | Duration of CSI operations with additional labels | +| `azurefile_csi_driver_operations_total` | Counter | `operation`, `success` | Total number of CSI operations | + +**Label Values:** +- `operation`: `controller_create_volume`, `controller_delete_volume`, `controller_create_snapshot`, `controller_delete_snapshot`, `controller_expand_volume` +- `success`: `true`, `false` +- `protocol`: `SMB`, `NFS` +- `storage_account_type`: `Premium_LRS`, `Premium_ZRS`, `Standard_LRS`, `StandardV2_LRS`, `Standard_GRS`, `Standard_ZRS`, etc. + +### Node Metrics (port 29615) + +| Metric | Type | Labels | Description | +|--------|------|--------|-------------| +| `azurefile_csi_driver_operation_duration_seconds` | Histogram | `operation`, `success` | Duration of CSI operations in seconds | +| `azurefile_csi_driver_operations_total` | Counter | `operation`, `success` | Total number of CSI operations | + +**Label Values:** +- `operation`: `node_stage_volume`, `node_unstage_volume`, `node_publish_volume`, `node_unpublish_volume` +- `success`: `true`, `false` + +### Azure Cloud Provider Metrics + +The CSI driver also exposes Azure cloud provider metrics from the underlying Azure SDK operations: + +| Metric | Type | Labels | Description | +|--------|------|--------|-------------| +| `cloudprovider_azure_api_request_duration_seconds` | Histogram | `request`, `resource_group`, `subscription_id`, `source`, `result` | Latency of Azure API calls | +| `cloudprovider_azure_api_request_throttled_count` | Counter | `request`, `resource_group`, `subscription_id`, `source` | Number of throttled Azure API requests | +| `cloudprovider_azure_api_request_errors` | Counter | `request`, `resource_group`, `subscription_id`, `source` | Number of errors in Azure API requests | + +These metrics help monitor Azure API performance, throttling, and error rates for file share operations. + ## Get Prometheus metrics from CSI driver node pod ```console -kubectl get --raw /api/v1/namespaces/kube-system/pods/csi-azurefile-node-hfgrn:29615/proxy/metrics +kubectl get --raw /api/v1/namespaces/kube-system/pods/csi-azurefile-node-xxxxx:29615/proxy/metrics ``` + +> **Note:** Replace `csi-azurefile-node-xxxxx` with an actual pod name from `kubectl get pods -n kube-system -l app=csi-azurefile-node` diff --git a/deploy/example/nfs/README.md b/deploy/example/nfs/README.md index 03f043e5b0..f0b01cc933 100644 --- a/deploy/example/nfs/README.md +++ b/deploy/example/nfs/README.md @@ -2,7 +2,7 @@ [NFS 4.1 support for Azure Files](https://docs.microsoft.com/en-us/azure/storage/files/files-nfs-protocol) is optimized for random access workloads with in-place data updates and provides full POSIX file system support. This page shows how to use NFS feature by Azure File CSI driver on Azure Kubernetes cluster. - [Compare access to Azure Files, Blob Storage, and Azure NetApp Files with NFS](https://docs.microsoft.com/en-us/azure/storage/common/nfs-comparison) - [Encrypt in Transit(EiT) for NFS (Preview)](https://learn.microsoft.com/en-us/azure/storage/files/encryption-in-transit-for-nfs-shares) is now supported from CSI driver v1.33.0, by setting `encryptInTransit: "true"` in the `parameters` of storage class or persistent volume, you can enable data encryption in transit for NFS Azure file volumes. Please ensure that you have registered Encrypt in Transit (EiT) feature before proceeding. - - Currently, Encrypt in Transit (EiT) feature doesn't support Azure Linux and ARM64 node. + - Currently, Encrypt in Transit (EiT) feature is not supported on Ubuntu 20.04, Azure Linux, and ARM64 nodes. - supported OS: Linux #### Prerequisite diff --git a/deploy/example/snapshot/README.md b/deploy/example/snapshot/README.md index ee63a7a5b1..57d71cb7f4 100644 --- a/deploy/example/snapshot/README.md +++ b/deploy/example/snapshot/README.md @@ -1,6 +1,10 @@ -# Azure File Snapshot feature +# Azure File Snapshot and Restore feature -> From v1.30.2, CSI driver now supports the restoration of an SMB file share snapshot, but does not support the restoration of an NFS file share snapshot. +> Restoring an NFS file share snapshot is supported starting from CSI driver version v1.33.4 or later. + +### Limitation of Azure file **restore** feature +- Ensure that the virtual network hosting the driver controller pod is included in the allowed virtual networks list within the storage account's VNet settings. + - If the driver controller pod is managed by AKS, configure the storage account's VNet settings to `Enable from all networks`. ## Install CSI Driver diff --git a/deploy/v1.31.8/crd-csi-snapshot.yaml b/deploy/v1.31.8/crd-csi-snapshot.yaml new file mode 100644 index 0000000000..d4b90b266d --- /dev/null +++ b/deploy/v1.31.8/crd-csi-snapshot.yaml @@ -0,0 +1,838 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + api-approved.kubernetes.io: "https://github.com/kubernetes-csi/external-snapshotter/pull/665" + creationTimestamp: null + name: volumesnapshots.snapshot.storage.k8s.io +spec: + group: snapshot.storage.k8s.io + names: + kind: VolumeSnapshot + listKind: VolumeSnapshotList + plural: volumesnapshots + shortNames: + - vs + singular: volumesnapshot + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Indicates if the snapshot is ready to be used to restore a volume. + jsonPath: .status.readyToUse + name: ReadyToUse + type: boolean + - description: If a new snapshot needs to be created, this contains the name of + the source PVC from which this snapshot was (or will be) created. + jsonPath: .spec.source.persistentVolumeClaimName + name: SourcePVC + type: string + - description: If a snapshot already exists, this contains the name of the existing + VolumeSnapshotContent object representing the existing snapshot. + jsonPath: .spec.source.volumeSnapshotContentName + name: SourceSnapshotContent + type: string + - description: Represents the minimum size of volume required to rehydrate from + this snapshot. + jsonPath: .status.restoreSize + name: RestoreSize + type: string + - description: The name of the VolumeSnapshotClass requested by the VolumeSnapshot. + jsonPath: .spec.volumeSnapshotClassName + name: SnapshotClass + type: string + - description: Name of the VolumeSnapshotContent object to which the VolumeSnapshot + object intends to bind to. Please note that verification of binding actually + requires checking both VolumeSnapshot and VolumeSnapshotContent to ensure + both are pointing at each other. Binding MUST be verified prior to usage of + this object. + jsonPath: .status.boundVolumeSnapshotContentName + name: SnapshotContent + type: string + - description: Timestamp when the point-in-time snapshot was taken by the underlying + storage system. + jsonPath: .status.creationTime + name: CreationTime + type: date + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: VolumeSnapshot is a user's request for either creating a point-in-time + snapshot of a persistent volume, or binding to a pre-existing snapshot. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + spec: + description: 'spec defines the desired characteristics of a snapshot requested + by a user. More info: https://kubernetes.io/docs/concepts/storage/volume-snapshots#volumesnapshots + Required.' + properties: + source: + description: source specifies where a snapshot will be created from. + This field is immutable after creation. Required. + properties: + persistentVolumeClaimName: + description: persistentVolumeClaimName specifies the name of the + PersistentVolumeClaim object representing the volume from which + a snapshot should be created. This PVC is assumed to be in the + same namespace as the VolumeSnapshot object. This field should + be set if the snapshot does not exists, and needs to be created. + This field is immutable. + type: string + volumeSnapshotContentName: + description: volumeSnapshotContentName specifies the name of a + pre-existing VolumeSnapshotContent object representing an existing + volume snapshot. This field should be set if the snapshot already + exists and only needs a representation in Kubernetes. This field + is immutable. + type: string + type: object + oneOf: + - required: ["persistentVolumeClaimName"] + - required: ["volumeSnapshotContentName"] + volumeSnapshotClassName: + description: 'VolumeSnapshotClassName is the name of the VolumeSnapshotClass + requested by the VolumeSnapshot. VolumeSnapshotClassName may be + left nil to indicate that the default SnapshotClass should be used. + A given cluster may have multiple default Volume SnapshotClasses: + one default per CSI Driver. If a VolumeSnapshot does not specify + a SnapshotClass, VolumeSnapshotSource will be checked to figure + out what the associated CSI Driver is, and the default VolumeSnapshotClass + associated with that CSI Driver will be used. If more than one VolumeSnapshotClass + exist for a given CSI Driver and more than one have been marked + as default, CreateSnapshot will fail and generate an event. Empty + string is not allowed for this field.' + type: string + required: + - source + type: object + status: + description: status represents the current information of a snapshot. + Consumers must verify binding between VolumeSnapshot and VolumeSnapshotContent + objects is successful (by validating that both VolumeSnapshot and VolumeSnapshotContent + point at each other) before using this object. + properties: + boundVolumeSnapshotContentName: + description: 'boundVolumeSnapshotContentName is the name of the VolumeSnapshotContent + object to which this VolumeSnapshot object intends to bind to. If + not specified, it indicates that the VolumeSnapshot object has not + been successfully bound to a VolumeSnapshotContent object yet. NOTE: + To avoid possible security issues, consumers must verify binding + between VolumeSnapshot and VolumeSnapshotContent objects is successful + (by validating that both VolumeSnapshot and VolumeSnapshotContent + point at each other) before using this object.' + type: string + creationTime: + description: creationTime is the timestamp when the point-in-time + snapshot is taken by the underlying storage system. In dynamic snapshot + creation case, this field will be filled in by the snapshot controller + with the "creation_time" value returned from CSI "CreateSnapshot" + gRPC call. For a pre-existing snapshot, this field will be filled + with the "creation_time" value returned from the CSI "ListSnapshots" + gRPC call if the driver supports it. If not specified, it may indicate + that the creation time of the snapshot is unknown. + format: date-time + type: string + error: + description: error is the last observed error during snapshot creation, + if any. This field could be helpful to upper level controllers(i.e., + application controller) to decide whether they should continue on + waiting for the snapshot to be created based on the type of error + reported. The snapshot controller will keep retrying when an error + occurs during the snapshot creation. Upon success, this error field + will be cleared. + properties: + message: + description: 'message is a string detailing the encountered error + during snapshot creation if specified. NOTE: message may be + logged, and it should not contain sensitive information.' + type: string + time: + description: time is the timestamp when the error was encountered. + format: date-time + type: string + type: object + readyToUse: + description: readyToUse indicates if the snapshot is ready to be used + to restore a volume. In dynamic snapshot creation case, this field + will be filled in by the snapshot controller with the "ready_to_use" + value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing + snapshot, this field will be filled with the "ready_to_use" value + returned from the CSI "ListSnapshots" gRPC call if the driver supports + it, otherwise, this field will be set to "True". If not specified, + it means the readiness of a snapshot is unknown. + type: boolean + restoreSize: + type: string + description: restoreSize represents the minimum size of volume required + to create a volume from this snapshot. In dynamic snapshot creation + case, this field will be filled in by the snapshot controller with + the "size_bytes" value returned from CSI "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the + "size_bytes" value returned from the CSI "ListSnapshots" gRPC call + if the driver supports it. When restoring a volume from this snapshot, + the size of the volume MUST NOT be smaller than the restoreSize + if it is specified, otherwise the restoration will fail. If not + specified, it indicates that the size is unknown. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: Indicates if the snapshot is ready to be used to restore a volume. + jsonPath: .status.readyToUse + name: ReadyToUse + type: boolean + - description: If a new snapshot needs to be created, this contains the name of the source PVC from which this snapshot was (or will be) created. + jsonPath: .spec.source.persistentVolumeClaimName + name: SourcePVC + type: string + - description: If a snapshot already exists, this contains the name of the existing VolumeSnapshotContent object representing the existing snapshot. + jsonPath: .spec.source.volumeSnapshotContentName + name: SourceSnapshotContent + type: string + - description: Represents the minimum size of volume required to rehydrate from this snapshot. + jsonPath: .status.restoreSize + name: RestoreSize + type: string + - description: The name of the VolumeSnapshotClass requested by the VolumeSnapshot. + jsonPath: .spec.volumeSnapshotClassName + name: SnapshotClass + type: string + - description: Name of the VolumeSnapshotContent object to which the VolumeSnapshot object intends to bind to. Please note that verification of binding actually requires checking both VolumeSnapshot and VolumeSnapshotContent to ensure both are pointing at each other. Binding MUST be verified prior to usage of this object. + jsonPath: .status.boundVolumeSnapshotContentName + name: SnapshotContent + type: string + - description: Timestamp when the point-in-time snapshot was taken by the underlying storage system. + jsonPath: .status.creationTime + name: CreationTime + type: date + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + # This indicates the v1beta1 version of the custom resource is deprecated. + # API requests to this version receive a warning in the server response. + deprecated: true + # This overrides the default warning returned to clients making v1beta1 API requests. + deprecationWarning: "snapshot.storage.k8s.io/v1beta1 VolumeSnapshot is deprecated; use snapshot.storage.k8s.io/v1 VolumeSnapshot" + schema: + openAPIV3Schema: + description: VolumeSnapshot is a user's request for either creating a point-in-time snapshot of a persistent volume, or binding to a pre-existing snapshot. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + spec: + description: 'spec defines the desired characteristics of a snapshot requested by a user. More info: https://kubernetes.io/docs/concepts/storage/volume-snapshots#volumesnapshots Required.' + properties: + source: + description: source specifies where a snapshot will be created from. This field is immutable after creation. Required. + properties: + persistentVolumeClaimName: + description: persistentVolumeClaimName specifies the name of the PersistentVolumeClaim object representing the volume from which a snapshot should be created. This PVC is assumed to be in the same namespace as the VolumeSnapshot object. This field should be set if the snapshot does not exists, and needs to be created. This field is immutable. + type: string + volumeSnapshotContentName: + description: volumeSnapshotContentName specifies the name of a pre-existing VolumeSnapshotContent object representing an existing volume snapshot. This field should be set if the snapshot already exists and only needs a representation in Kubernetes. This field is immutable. + type: string + type: object + volumeSnapshotClassName: + description: 'VolumeSnapshotClassName is the name of the VolumeSnapshotClass requested by the VolumeSnapshot. VolumeSnapshotClassName may be left nil to indicate that the default SnapshotClass should be used. A given cluster may have multiple default Volume SnapshotClasses: one default per CSI Driver. If a VolumeSnapshot does not specify a SnapshotClass, VolumeSnapshotSource will be checked to figure out what the associated CSI Driver is, and the default VolumeSnapshotClass associated with that CSI Driver will be used. If more than one VolumeSnapshotClass exist for a given CSI Driver and more than one have been marked as default, CreateSnapshot will fail and generate an event. Empty string is not allowed for this field.' + type: string + required: + - source + type: object + status: + description: status represents the current information of a snapshot. Consumers must verify binding between VolumeSnapshot and VolumeSnapshotContent objects is successful (by validating that both VolumeSnapshot and VolumeSnapshotContent point at each other) before using this object. + properties: + boundVolumeSnapshotContentName: + description: 'boundVolumeSnapshotContentName is the name of the VolumeSnapshotContent object to which this VolumeSnapshot object intends to bind to. If not specified, it indicates that the VolumeSnapshot object has not been successfully bound to a VolumeSnapshotContent object yet. NOTE: To avoid possible security issues, consumers must verify binding between VolumeSnapshot and VolumeSnapshotContent objects is successful (by validating that both VolumeSnapshot and VolumeSnapshotContent point at each other) before using this object.' + type: string + creationTime: + description: creationTime is the timestamp when the point-in-time snapshot is taken by the underlying storage system. In dynamic snapshot creation case, this field will be filled in by the snapshot controller with the "creation_time" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "creation_time" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. If not specified, it may indicate that the creation time of the snapshot is unknown. + format: date-time + type: string + error: + description: error is the last observed error during snapshot creation, if any. This field could be helpful to upper level controllers(i.e., application controller) to decide whether they should continue on waiting for the snapshot to be created based on the type of error reported. The snapshot controller will keep retrying when an error occurs during the snapshot creation. Upon success, this error field will be cleared. + properties: + message: + description: 'message is a string detailing the encountered error during snapshot creation if specified. NOTE: message may be logged, and it should not contain sensitive information.' + type: string + time: + description: time is the timestamp when the error was encountered. + format: date-time + type: string + type: object + readyToUse: + description: readyToUse indicates if the snapshot is ready to be used to restore a volume. In dynamic snapshot creation case, this field will be filled in by the snapshot controller with the "ready_to_use" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "ready_to_use" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it, otherwise, this field will be set to "True". If not specified, it means the readiness of a snapshot is unknown. + type: boolean + restoreSize: + type: string + description: restoreSize represents the minimum size of volume required to create a volume from this snapshot. In dynamic snapshot creation case, this field will be filled in by the snapshot controller with the "size_bytes" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "size_bytes" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. When restoring a volume from this snapshot, the size of the volume MUST NOT be smaller than the restoreSize if it is specified, otherwise the restoration will fail. If not specified, it indicates that the size is unknown. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + required: + - spec + type: object + served: false + storage: false + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + api-approved.kubernetes.io: "https://github.com/kubernetes-csi/external-snapshotter/pull/665" + creationTimestamp: null + name: volumesnapshotclasses.snapshot.storage.k8s.io +spec: + group: snapshot.storage.k8s.io + names: + kind: VolumeSnapshotClass + listKind: VolumeSnapshotClassList + plural: volumesnapshotclasses + shortNames: + - vsclass + - vsclasses + singular: volumesnapshotclass + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .driver + name: Driver + type: string + - description: Determines whether a VolumeSnapshotContent created through the + VolumeSnapshotClass should be deleted when its bound VolumeSnapshot is deleted. + jsonPath: .deletionPolicy + name: DeletionPolicy + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: VolumeSnapshotClass specifies parameters that a underlying storage + system uses when creating a volume snapshot. A specific VolumeSnapshotClass + is used by specifying its name in a VolumeSnapshot object. VolumeSnapshotClasses + are non-namespaced + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + deletionPolicy: + description: deletionPolicy determines whether a VolumeSnapshotContent + created through the VolumeSnapshotClass should be deleted when its bound + VolumeSnapshot is deleted. Supported values are "Retain" and "Delete". + "Retain" means that the VolumeSnapshotContent and its physical snapshot + on underlying storage system are kept. "Delete" means that the VolumeSnapshotContent + and its physical snapshot on underlying storage system are deleted. + Required. + enum: + - Delete + - Retain + type: string + driver: + description: driver is the name of the storage driver that handles this + VolumeSnapshotClass. Required. + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + parameters: + additionalProperties: + type: string + description: parameters is a key-value map with storage driver specific + parameters for creating snapshots. These values are opaque to Kubernetes. + type: object + required: + - deletionPolicy + - driver + type: object + served: true + storage: true + subresources: {} + - additionalPrinterColumns: + - jsonPath: .driver + name: Driver + type: string + - description: Determines whether a VolumeSnapshotContent created through the VolumeSnapshotClass should be deleted when its bound VolumeSnapshot is deleted. + jsonPath: .deletionPolicy + name: DeletionPolicy + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + # This indicates the v1beta1 version of the custom resource is deprecated. + # API requests to this version receive a warning in the server response. + deprecated: true + # This overrides the default warning returned to clients making v1beta1 API requests. + deprecationWarning: "snapshot.storage.k8s.io/v1beta1 VolumeSnapshotClass is deprecated; use snapshot.storage.k8s.io/v1 VolumeSnapshotClass" + schema: + openAPIV3Schema: + description: VolumeSnapshotClass specifies parameters that a underlying storage system uses when creating a volume snapshot. A specific VolumeSnapshotClass is used by specifying its name in a VolumeSnapshot object. VolumeSnapshotClasses are non-namespaced + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + deletionPolicy: + description: deletionPolicy determines whether a VolumeSnapshotContent created through the VolumeSnapshotClass should be deleted when its bound VolumeSnapshot is deleted. Supported values are "Retain" and "Delete". "Retain" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are kept. "Delete" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are deleted. Required. + enum: + - Delete + - Retain + type: string + driver: + description: driver is the name of the storage driver that handles this VolumeSnapshotClass. Required. + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + parameters: + additionalProperties: + type: string + description: parameters is a key-value map with storage driver specific parameters for creating snapshots. These values are opaque to Kubernetes. + type: object + required: + - deletionPolicy + - driver + type: object + served: false + storage: false + subresources: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + api-approved.kubernetes.io: "https://github.com/kubernetes-csi/external-snapshotter/pull/665" + creationTimestamp: null + name: volumesnapshotcontents.snapshot.storage.k8s.io +spec: + group: snapshot.storage.k8s.io + names: + kind: VolumeSnapshotContent + listKind: VolumeSnapshotContentList + plural: volumesnapshotcontents + shortNames: + - vsc + - vscs + singular: volumesnapshotcontent + scope: Cluster + versions: + - additionalPrinterColumns: + - description: Indicates if the snapshot is ready to be used to restore a volume. + jsonPath: .status.readyToUse + name: ReadyToUse + type: boolean + - description: Represents the complete size of the snapshot in bytes + jsonPath: .status.restoreSize + name: RestoreSize + type: integer + - description: Determines whether this VolumeSnapshotContent and its physical + snapshot on the underlying storage system should be deleted when its bound + VolumeSnapshot is deleted. + jsonPath: .spec.deletionPolicy + name: DeletionPolicy + type: string + - description: Name of the CSI driver used to create the physical snapshot on + the underlying storage system. + jsonPath: .spec.driver + name: Driver + type: string + - description: Name of the VolumeSnapshotClass to which this snapshot belongs. + jsonPath: .spec.volumeSnapshotClassName + name: VolumeSnapshotClass + type: string + - description: Name of the VolumeSnapshot object to which this VolumeSnapshotContent + object is bound. + jsonPath: .spec.volumeSnapshotRef.name + name: VolumeSnapshot + type: string + - description: Namespace of the VolumeSnapshot object to which this VolumeSnapshotContent object is bound. + jsonPath: .spec.volumeSnapshotRef.namespace + name: VolumeSnapshotNamespace + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: VolumeSnapshotContent represents the actual "on-disk" snapshot + object in the underlying storage system + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + spec: + description: spec defines properties of a VolumeSnapshotContent created + by the underlying storage system. Required. + properties: + deletionPolicy: + description: deletionPolicy determines whether this VolumeSnapshotContent + and its physical snapshot on the underlying storage system should + be deleted when its bound VolumeSnapshot is deleted. Supported values + are "Retain" and "Delete". "Retain" means that the VolumeSnapshotContent + and its physical snapshot on underlying storage system are kept. + "Delete" means that the VolumeSnapshotContent and its physical snapshot + on underlying storage system are deleted. For dynamically provisioned + snapshots, this field will automatically be filled in by the CSI + snapshotter sidecar with the "DeletionPolicy" field defined in the + corresponding VolumeSnapshotClass. For pre-existing snapshots, users + MUST specify this field when creating the VolumeSnapshotContent + object. Required. + enum: + - Delete + - Retain + type: string + driver: + description: driver is the name of the CSI driver used to create the + physical snapshot on the underlying storage system. This MUST be + the same as the name returned by the CSI GetPluginName() call for + that driver. Required. + type: string + source: + description: source specifies whether the snapshot is (or should be) + dynamically provisioned or already exists, and just requires a Kubernetes + object representation. This field is immutable after creation. Required. + properties: + snapshotHandle: + description: snapshotHandle specifies the CSI "snapshot_id" of + a pre-existing snapshot on the underlying storage system for + which a Kubernetes object representation was (or should be) + created. This field is immutable. + type: string + volumeHandle: + description: volumeHandle specifies the CSI "volume_id" of the + volume from which a snapshot should be dynamically taken from. + This field is immutable. + type: string + type: object + oneOf: + - required: ["snapshotHandle"] + - required: ["volumeHandle"] + sourceVolumeMode: + description: SourceVolumeMode is the mode of the volume whose snapshot + is taken. Can be either “Filesystem” or “Block”. If not specified, + it indicates the source volume's mode is unknown. This field is + immutable. This field is an alpha field. + type: string + volumeSnapshotClassName: + description: name of the VolumeSnapshotClass from which this snapshot + was (or will be) created. Note that after provisioning, the VolumeSnapshotClass + may be deleted or recreated with different set of values, and as + such, should not be referenced post-snapshot creation. + type: string + volumeSnapshotRef: + description: volumeSnapshotRef specifies the VolumeSnapshot object + to which this VolumeSnapshotContent object is bound. VolumeSnapshot.Spec.VolumeSnapshotContentName + field must reference to this VolumeSnapshotContent's name for the + bidirectional binding to be valid. For a pre-existing VolumeSnapshotContent + object, name and namespace of the VolumeSnapshot object MUST be + provided for binding to happen. This field is immutable after creation. + Required. + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of + an entire object, this string should contain a valid JSON/Go + field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part of + an object. TODO: this design is not final and this field is + subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + required: + - deletionPolicy + - driver + - source + - volumeSnapshotRef + type: object + status: + description: status represents the current information of a snapshot. + properties: + creationTime: + description: creationTime is the timestamp when the point-in-time + snapshot is taken by the underlying storage system. In dynamic snapshot + creation case, this field will be filled in by the CSI snapshotter + sidecar with the "creation_time" value returned from CSI "CreateSnapshot" + gRPC call. For a pre-existing snapshot, this field will be filled + with the "creation_time" value returned from the CSI "ListSnapshots" + gRPC call if the driver supports it. If not specified, it indicates + the creation time is unknown. The format of this field is a Unix + nanoseconds time encoded as an int64. On Unix, the command `date + +%s%N` returns the current time in nanoseconds since 1970-01-01 + 00:00:00 UTC. + format: int64 + type: integer + error: + description: error is the last observed error during snapshot creation, + if any. Upon success after retry, this error field will be cleared. + properties: + message: + description: 'message is a string detailing the encountered error + during snapshot creation if specified. NOTE: message may be + logged, and it should not contain sensitive information.' + type: string + time: + description: time is the timestamp when the error was encountered. + format: date-time + type: string + type: object + readyToUse: + description: readyToUse indicates if a snapshot is ready to be used + to restore a volume. In dynamic snapshot creation case, this field + will be filled in by the CSI snapshotter sidecar with the "ready_to_use" + value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing + snapshot, this field will be filled with the "ready_to_use" value + returned from the CSI "ListSnapshots" gRPC call if the driver supports + it, otherwise, this field will be set to "True". If not specified, + it means the readiness of a snapshot is unknown. + type: boolean + restoreSize: + description: restoreSize represents the complete size of the snapshot + in bytes. In dynamic snapshot creation case, this field will be + filled in by the CSI snapshotter sidecar with the "size_bytes" value + returned from CSI "CreateSnapshot" gRPC call. For a pre-existing + snapshot, this field will be filled with the "size_bytes" value + returned from the CSI "ListSnapshots" gRPC call if the driver supports + it. When restoring a volume from this snapshot, the size of the + volume MUST NOT be smaller than the restoreSize if it is specified, + otherwise the restoration will fail. If not specified, it indicates + that the size is unknown. + format: int64 + minimum: 0 + type: integer + snapshotHandle: + description: snapshotHandle is the CSI "snapshot_id" of a snapshot + on the underlying storage system. If not specified, it indicates + that dynamic snapshot creation has either failed or it is still + in progress. + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: Indicates if the snapshot is ready to be used to restore a volume. + jsonPath: .status.readyToUse + name: ReadyToUse + type: boolean + - description: Represents the complete size of the snapshot in bytes + jsonPath: .status.restoreSize + name: RestoreSize + type: integer + - description: Determines whether this VolumeSnapshotContent and its physical snapshot on the underlying storage system should be deleted when its bound VolumeSnapshot is deleted. + jsonPath: .spec.deletionPolicy + name: DeletionPolicy + type: string + - description: Name of the CSI driver used to create the physical snapshot on the underlying storage system. + jsonPath: .spec.driver + name: Driver + type: string + - description: Name of the VolumeSnapshotClass to which this snapshot belongs. + jsonPath: .spec.volumeSnapshotClassName + name: VolumeSnapshotClass + type: string + - description: Name of the VolumeSnapshot object to which this VolumeSnapshotContent object is bound. + jsonPath: .spec.volumeSnapshotRef.name + name: VolumeSnapshot + type: string + - description: Namespace of the VolumeSnapshot object to which this VolumeSnapshotContent object is bound. + jsonPath: .spec.volumeSnapshotRef.namespace + name: VolumeSnapshotNamespace + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + # This indicates the v1beta1 version of the custom resource is deprecated. + # API requests to this version receive a warning in the server response. + deprecated: true + # This overrides the default warning returned to clients making v1beta1 API requests. + deprecationWarning: "snapshot.storage.k8s.io/v1beta1 VolumeSnapshotContent is deprecated; use snapshot.storage.k8s.io/v1 VolumeSnapshotContent" + schema: + openAPIV3Schema: + description: VolumeSnapshotContent represents the actual "on-disk" snapshot object in the underlying storage system + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + spec: + description: spec defines properties of a VolumeSnapshotContent created by the underlying storage system. Required. + properties: + deletionPolicy: + description: deletionPolicy determines whether this VolumeSnapshotContent and its physical snapshot on the underlying storage system should be deleted when its bound VolumeSnapshot is deleted. Supported values are "Retain" and "Delete". "Retain" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are kept. "Delete" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are deleted. For dynamically provisioned snapshots, this field will automatically be filled in by the CSI snapshotter sidecar with the "DeletionPolicy" field defined in the corresponding VolumeSnapshotClass. For pre-existing snapshots, users MUST specify this field when creating the VolumeSnapshotContent object. Required. + enum: + - Delete + - Retain + type: string + driver: + description: driver is the name of the CSI driver used to create the physical snapshot on the underlying storage system. This MUST be the same as the name returned by the CSI GetPluginName() call for that driver. Required. + type: string + source: + description: source specifies whether the snapshot is (or should be) dynamically provisioned or already exists, and just requires a Kubernetes object representation. This field is immutable after creation. Required. + properties: + snapshotHandle: + description: snapshotHandle specifies the CSI "snapshot_id" of a pre-existing snapshot on the underlying storage system for which a Kubernetes object representation was (or should be) created. This field is immutable. + type: string + volumeHandle: + description: volumeHandle specifies the CSI "volume_id" of the volume from which a snapshot should be dynamically taken from. This field is immutable. + type: string + type: object + volumeSnapshotClassName: + description: name of the VolumeSnapshotClass from which this snapshot was (or will be) created. Note that after provisioning, the VolumeSnapshotClass may be deleted or recreated with different set of values, and as such, should not be referenced post-snapshot creation. + type: string + volumeSnapshotRef: + description: volumeSnapshotRef specifies the VolumeSnapshot object to which this VolumeSnapshotContent object is bound. VolumeSnapshot.Spec.VolumeSnapshotContentName field must reference to this VolumeSnapshotContent's name for the bidirectional binding to be valid. For a pre-existing VolumeSnapshotContent object, name and namespace of the VolumeSnapshot object MUST be provided for binding to happen. This field is immutable after creation. Required. + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + required: + - deletionPolicy + - driver + - source + - volumeSnapshotRef + type: object + status: + description: status represents the current information of a snapshot. + properties: + creationTime: + description: creationTime is the timestamp when the point-in-time snapshot is taken by the underlying storage system. In dynamic snapshot creation case, this field will be filled in by the CSI snapshotter sidecar with the "creation_time" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "creation_time" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. If not specified, it indicates the creation time is unknown. The format of this field is a Unix nanoseconds time encoded as an int64. On Unix, the command `date +%s%N` returns the current time in nanoseconds since 1970-01-01 00:00:00 UTC. + format: int64 + type: integer + error: + description: error is the last observed error during snapshot creation, if any. Upon success after retry, this error field will be cleared. + properties: + message: + description: 'message is a string detailing the encountered error during snapshot creation if specified. NOTE: message may be logged, and it should not contain sensitive information.' + type: string + time: + description: time is the timestamp when the error was encountered. + format: date-time + type: string + type: object + readyToUse: + description: readyToUse indicates if a snapshot is ready to be used to restore a volume. In dynamic snapshot creation case, this field will be filled in by the CSI snapshotter sidecar with the "ready_to_use" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "ready_to_use" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it, otherwise, this field will be set to "True". If not specified, it means the readiness of a snapshot is unknown. + type: boolean + restoreSize: + description: restoreSize represents the complete size of the snapshot in bytes. In dynamic snapshot creation case, this field will be filled in by the CSI snapshotter sidecar with the "size_bytes" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "size_bytes" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. When restoring a volume from this snapshot, the size of the volume MUST NOT be smaller than the restoreSize if it is specified, otherwise the restoration will fail. If not specified, it indicates that the size is unknown. + format: int64 + minimum: 0 + type: integer + snapshotHandle: + description: snapshotHandle is the CSI "snapshot_id" of a snapshot on the underlying storage system. If not specified, it indicates that dynamic snapshot creation has either failed or it is still in progress. + type: string + type: object + required: + - spec + type: object + served: false + storage: false + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/deploy/v1.31.8/csi-azurefile-controller.yaml b/deploy/v1.31.8/csi-azurefile-controller.yaml new file mode 100644 index 0000000000..1ccb8e888e --- /dev/null +++ b/deploy/v1.31.8/csi-azurefile-controller.yaml @@ -0,0 +1,200 @@ +--- +kind: Deployment +apiVersion: apps/v1 +metadata: + name: csi-azurefile-controller + namespace: kube-system +spec: + replicas: 2 + selector: + matchLabels: + app: csi-azurefile-controller + template: + metadata: + labels: + app: csi-azurefile-controller + spec: + hostNetwork: true # only required for MSI enabled cluster + serviceAccountName: csi-azurefile-controller-sa + nodeSelector: + kubernetes.io/os: linux # add "kubernetes.io/role: master" to run controller on master node + priorityClassName: system-cluster-critical + securityContext: + seccompProfile: + type: RuntimeDefault + tolerations: + - key: "node-role.kubernetes.io/master" + operator: "Exists" + effect: "NoSchedule" + - key: "node-role.kubernetes.io/controlplane" + operator: "Exists" + effect: "NoSchedule" + - key: "node-role.kubernetes.io/control-plane" + operator: "Exists" + effect: "NoSchedule" + - key: "CriticalAddonsOnly" + operator: "Exists" + effect: "NoSchedule" + containers: + - name: csi-provisioner + image: mcr.microsoft.com/oss/kubernetes-csi/csi-provisioner:v5.2.0 + args: + - "-v=2" + - "--csi-address=$(ADDRESS)" + - "--leader-election" + - "--leader-election-namespace=kube-system" + - "--timeout=1200s" + - "--extra-create-metadata=true" + - "--kube-api-qps=50" + - "--kube-api-burst=100" + - "--feature-gates=HonorPVReclaimPolicy=true" + - "--retry-interval-max=30m" + env: + - name: ADDRESS + value: /csi/csi.sock + volumeMounts: + - mountPath: /csi + name: socket-dir + resources: + limits: + memory: 500Mi + requests: + cpu: 10m + memory: 20Mi + securityContext: + capabilities: + drop: + - ALL + - name: csi-snapshotter + image: mcr.microsoft.com/oss/kubernetes-csi/csi-snapshotter:v8.2.0 + args: + - "-v=2" + - "-csi-address=$(ADDRESS)" + - "--leader-election" + - "--leader-election-namespace=kube-system" + - "--retry-interval-max=30m" + env: + - name: ADDRESS + value: /csi/csi.sock + volumeMounts: + - name: socket-dir + mountPath: /csi + resources: + limits: + memory: 200Mi + requests: + cpu: 10m + memory: 20Mi + securityContext: + capabilities: + drop: + - ALL + - name: csi-resizer + image: mcr.microsoft.com/oss/kubernetes-csi/csi-resizer:v1.13.2 + args: + - "-csi-address=$(ADDRESS)" + - "-v=2" + - "--leader-election" + - "--leader-election-namespace=kube-system" + - '-handle-volume-inuse-error=false' + - '-feature-gates=RecoverVolumeExpansionFailure=true' + - '-timeout=120s' + - "--retry-interval-max=30m" + env: + - name: ADDRESS + value: /csi/csi.sock + volumeMounts: + - name: socket-dir + mountPath: /csi + resources: + limits: + memory: 500Mi + requests: + cpu: 10m + memory: 20Mi + securityContext: + capabilities: + drop: + - ALL + - name: liveness-probe + image: mcr.microsoft.com/oss/kubernetes-csi/livenessprobe:v2.15.0 + args: + - --csi-address=/csi/csi.sock + - --probe-timeout=3s + - --http-endpoint=localhost:29612 + - --v=2 + volumeMounts: + - name: socket-dir + mountPath: /csi + resources: + limits: + memory: 100Mi + requests: + cpu: 10m + memory: 20Mi + securityContext: + capabilities: + drop: + - ALL + - name: azurefile + image: mcr.microsoft.com/oss/v2/kubernetes-csi/azurefile-csi:v1.31.8 + imagePullPolicy: IfNotPresent + args: + - "--v=5" + - "--endpoint=$(CSI_ENDPOINT)" + - "--metrics-address=0.0.0.0:29614" + - "--user-agent-suffix=OSS-kubectl" + ports: + - containerPort: 29614 + name: metrics + protocol: TCP + livenessProbe: + failureThreshold: 5 + httpGet: + host: localhost + path: /healthz + port: 29612 + initialDelaySeconds: 30 + timeoutSeconds: 10 + periodSeconds: 30 + env: + - name: AZURE_CREDENTIAL_FILE + valueFrom: + configMapKeyRef: + name: azure-cred-file + key: path + optional: true + - name: CSI_ENDPOINT + value: unix:///csi/csi.sock + - name: AZCOPY_CONCURRENCY_VALUE + value: "10" + - name: AZCOPY_CONCURRENT_FILES + value: "20" + - name: AZCOPY_BUFFER_GB + value: "1" + volumeMounts: + - mountPath: /csi + name: socket-dir + - mountPath: /root/.azcopy + name: azcopy-dir + - mountPath: /etc/kubernetes/ + name: azure-cred + resources: + limits: + memory: 800Mi + requests: + cpu: 10m + memory: 20Mi + securityContext: + capabilities: + drop: + - ALL + volumes: + - name: socket-dir + emptyDir: {} + - name: azcopy-dir + emptyDir: {} + - name: azure-cred + hostPath: + path: /etc/kubernetes/ + type: DirectoryOrCreate diff --git a/deploy/v1.31.8/csi-azurefile-driver.yaml b/deploy/v1.31.8/csi-azurefile-driver.yaml new file mode 100644 index 0000000000..fd241ea40f --- /dev/null +++ b/deploy/v1.31.8/csi-azurefile-driver.yaml @@ -0,0 +1,17 @@ +--- +apiVersion: storage.k8s.io/v1 +kind: CSIDriver +metadata: + name: file.csi.azure.com + annotations: + csiDriver: v1.31.0 + snapshot: v6.2.2 +spec: + attachRequired: false + podInfoOnMount: true + volumeLifecycleModes: + - Persistent + - Ephemeral + fsGroupPolicy: ReadWriteOnceWithFSType + tokenRequests: + - audience: api://AzureADTokenExchange diff --git a/deploy/v1.31.8/csi-azurefile-node-windows-hostprocess.yaml b/deploy/v1.31.8/csi-azurefile-node-windows-hostprocess.yaml new file mode 100644 index 0000000000..4b01d1954c --- /dev/null +++ b/deploy/v1.31.8/csi-azurefile-node-windows-hostprocess.yaml @@ -0,0 +1,122 @@ +--- +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: csi-azurefile-node-win + namespace: kube-system +spec: + updateStrategy: + rollingUpdate: + maxUnavailable: 1 + type: RollingUpdate + selector: + matchLabels: + app: csi-azurefile-node-win + template: + metadata: + labels: + app: csi-azurefile-node-win + spec: + serviceAccountName: csi-azurefile-node-sa + tolerations: + - key: "node.kubernetes.io/os" + operator: "Exists" + effect: "NoSchedule" + nodeSelector: + kubernetes.io/os: windows + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: type + operator: NotIn + values: + - virtual-kubelet + priorityClassName: system-node-critical + securityContext: + seccompProfile: + type: RuntimeDefault + windowsOptions: + hostProcess: true + runAsUserName: "NT AUTHORITY\\SYSTEM" + hostNetwork: true + initContainers: + - name: init + image: mcr.microsoft.com/oss/v2/kubernetes-csi/azurefile-csi:v1.31.8-windows-hp + imagePullPolicy: IfNotPresent + command: + - "powershell.exe" + - "-c" + - "New-Item -ItemType Directory -Path C:\\var\\lib\\kubelet\\plugins\\file.csi.azure.com\\ -Force" + securityContext: + capabilities: + drop: + - ALL + containers: + - name: node-driver-registrar + image: mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar:v2.13.0 + imagePullPolicy: IfNotPresent + command: + - "csi-node-driver-registrar.exe" + args: + - "--v=2" + - "--csi-address=$(CSI_ENDPOINT)" + - "--kubelet-registration-path=$(DRIVER_REG_SOCK_PATH)" + - "--plugin-registration-path=$(PLUGIN_REG_DIR)" + env: + - name: CSI_ENDPOINT + value: unix://C:\\var\\lib\\kubelet\\plugins\\file.csi.azure.com\\csi.sock + - name: DRIVER_REG_SOCK_PATH + value: C:\\var\\lib\\kubelet\\plugins\\file.csi.azure.com\\csi.sock + - name: PLUGIN_REG_DIR + value: C:\\var\\lib\\kubelet\\plugins_registry\\ + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + resources: + limits: + memory: 150Mi + requests: + cpu: 30m + memory: 40Mi + securityContext: + capabilities: + drop: + - ALL + - name: azurefile + image: mcr.microsoft.com/oss/v2/kubernetes-csi/azurefile-csi:v1.31.8-windows-hp + imagePullPolicy: IfNotPresent + command: + - "azurefileplugin.exe" + args: + - --v=5 + - --endpoint=$(CSI_ENDPOINT) + - --nodeid=$(KUBE_NODE_NAME) + - --enable-windows-host-process=true + - --metrics-address="0.0.0.0:29615" + env: + - name: AZURE_CREDENTIAL_FILE + valueFrom: + configMapKeyRef: + name: azure-cred-file + key: path-windows + optional: true + - name: CSI_ENDPOINT + value: unix://C:\\var\\lib\\kubelet\\plugins\\file.csi.azure.com\\csi.sock + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + resources: + limits: + memory: 600Mi + requests: + cpu: 10m + memory: 40Mi + securityContext: + capabilities: + drop: + - ALL diff --git a/deploy/v1.31.8/csi-azurefile-node-windows.yaml b/deploy/v1.31.8/csi-azurefile-node-windows.yaml new file mode 100644 index 0000000000..450de41a4a --- /dev/null +++ b/deploy/v1.31.8/csi-azurefile-node-windows.yaml @@ -0,0 +1,187 @@ +--- +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: csi-azurefile-node-win + namespace: kube-system +spec: + updateStrategy: + rollingUpdate: + maxUnavailable: 1 + type: RollingUpdate + selector: + matchLabels: + app: csi-azurefile-node-win + template: + metadata: + labels: + app: csi-azurefile-node-win + spec: + serviceAccountName: csi-azurefile-node-sa + tolerations: + - key: "node.kubernetes.io/os" + operator: "Exists" + effect: "NoSchedule" + nodeSelector: + kubernetes.io/os: windows + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: type + operator: NotIn + values: + - virtual-kubelet + priorityClassName: system-node-critical + securityContext: + seccompProfile: + type: RuntimeDefault + containers: + - name: liveness-probe + volumeMounts: + - mountPath: C:\csi + name: plugin-dir + image: mcr.microsoft.com/oss/kubernetes-csi/livenessprobe:v2.15.0 + args: + - --csi-address=$(CSI_ENDPOINT) + - --probe-timeout=3s + - --health-port=29613 + - --v=2 + env: + - name: CSI_ENDPOINT + value: unix://C:\\csi\\csi.sock + resources: + limits: + memory: 150Mi + requests: + cpu: 10m + memory: 40Mi + securityContext: + capabilities: + drop: + - ALL + - name: node-driver-registrar + image: mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar:v2.13.0 + args: + - --v=2 + - --csi-address=$(CSI_ENDPOINT) + - --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH) + env: + - name: CSI_ENDPOINT + value: unix://C:\\csi\\csi.sock + - name: DRIVER_REG_SOCK_PATH + value: C:\\var\\lib\\kubelet\\plugins\\file.csi.azure.com\\csi.sock + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + volumeMounts: + - name: kubelet-dir + mountPath: "C:\\var\\lib\\kubelet" + - name: plugin-dir + mountPath: C:\csi + - name: registration-dir + mountPath: C:\registration + resources: + limits: + memory: 150Mi + requests: + cpu: 30m + memory: 40Mi + securityContext: + capabilities: + drop: + - ALL + - name: azurefile + image: mcr.microsoft.com/oss/kubernetes-csi/azurefile-csi:v1.31.8 + imagePullPolicy: IfNotPresent + args: + - --v=5 + - --endpoint=$(CSI_ENDPOINT) + - --nodeid=$(KUBE_NODE_NAME) + - --metrics-address="0.0.0.0:29615" + ports: + - containerPort: 29613 + name: healthz + protocol: TCP + livenessProbe: + failureThreshold: 5 + httpGet: + path: /healthz + port: healthz + initialDelaySeconds: 30 + timeoutSeconds: 10 + periodSeconds: 30 + env: + - name: AZURE_CREDENTIAL_FILE + valueFrom: + configMapKeyRef: + name: azure-cred-file + key: path-windows + optional: true + - name: CSI_ENDPOINT + value: unix://C:\\csi\\csi.sock + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + volumeMounts: + - name: kubelet-dir + mountPath: "C:\\var\\lib\\kubelet" + - name: plugin-dir + mountPath: C:\csi + - name: azure-config + mountPath: C:\k + - name: csi-proxy-fs-pipe-v1 + mountPath: \\.\pipe\csi-proxy-filesystem-v1 + - name: csi-proxy-smb-pipe-v1 + mountPath: \\.\pipe\csi-proxy-smb-v1 + # these paths are still included for compatibility, they're used + # only if the node has still the beta version of the CSI proxy + - name: csi-proxy-fs-pipe-v1beta1 + mountPath: \\.\pipe\csi-proxy-filesystem-v1beta1 + - name: csi-proxy-smb-pipe-v1beta1 + mountPath: \\.\pipe\csi-proxy-smb-v1beta1 + resources: + limits: + memory: 200Mi + requests: + cpu: 10m + memory: 40Mi + securityContext: + capabilities: + drop: + - ALL + volumes: + - name: csi-proxy-fs-pipe-v1 + hostPath: + path: \\.\pipe\csi-proxy-filesystem-v1 + - name: csi-proxy-smb-pipe-v1 + hostPath: + path: \\.\pipe\csi-proxy-smb-v1 + # these paths are still included for compatibility, they're used + # only if the node has still the beta version of the CSI proxy + - name: csi-proxy-fs-pipe-v1beta1 + hostPath: + path: \\.\pipe\csi-proxy-filesystem-v1beta1 + - name: csi-proxy-smb-pipe-v1beta1 + hostPath: + path: \\.\pipe\csi-proxy-smb-v1beta1 + - name: registration-dir + hostPath: + path: C:\var\lib\kubelet\plugins_registry\ + type: Directory + - name: kubelet-dir + hostPath: + path: C:\var\lib\kubelet\ + type: Directory + - name: plugin-dir + hostPath: + path: C:\var\lib\kubelet\plugins\file.csi.azure.com\ + type: DirectoryOrCreate + - name: azure-config + hostPath: + path: C:\k + type: DirectoryOrCreate diff --git a/deploy/v1.31.8/csi-azurefile-node.yaml b/deploy/v1.31.8/csi-azurefile-node.yaml new file mode 100644 index 0000000000..c768e1e875 --- /dev/null +++ b/deploy/v1.31.8/csi-azurefile-node.yaml @@ -0,0 +1,167 @@ +--- +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: csi-azurefile-node + namespace: kube-system +spec: + updateStrategy: + rollingUpdate: + maxUnavailable: 1 + type: RollingUpdate + selector: + matchLabels: + app: csi-azurefile-node + template: + metadata: + labels: + app: csi-azurefile-node + spec: + hostNetwork: true + dnsPolicy: Default + serviceAccountName: csi-azurefile-node-sa + nodeSelector: + kubernetes.io/os: linux + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: type + operator: NotIn + values: + - virtual-kubelet + priorityClassName: system-node-critical + securityContext: + seccompProfile: + type: RuntimeDefault + tolerations: + - operator: "Exists" + containers: + - name: liveness-probe + volumeMounts: + - mountPath: /csi + name: socket-dir + image: mcr.microsoft.com/oss/kubernetes-csi/livenessprobe:v2.15.0 + args: + - --csi-address=/csi/csi.sock + - --probe-timeout=3s + - --http-endpoint=localhost:29613 + - --v=2 + resources: + limits: + memory: 100Mi + requests: + cpu: 10m + memory: 20Mi + securityContext: + capabilities: + drop: + - ALL + - name: node-driver-registrar + image: mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar:v2.13.0 + args: + - --csi-address=$(ADDRESS) + - --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH) + - --v=2 + env: + - name: ADDRESS + value: /csi/csi.sock + - name: DRIVER_REG_SOCK_PATH + value: /var/lib/kubelet/plugins/file.csi.azure.com/csi.sock + volumeMounts: + - name: socket-dir + mountPath: /csi + - name: registration-dir + mountPath: /registration + resources: + limits: + memory: 100Mi + requests: + cpu: 10m + memory: 20Mi + securityContext: + capabilities: + drop: + - ALL + - name: azurefile + image: mcr.microsoft.com/oss/v2/kubernetes-csi/azurefile-csi:v1.31.8 + imagePullPolicy: IfNotPresent + args: + - "--v=5" + - "--endpoint=$(CSI_ENDPOINT)" + - "--nodeid=$(KUBE_NODE_NAME)" + - "--metrics-address=0.0.0.0:29615" + - "--enable-kata-cc-mount=true" + livenessProbe: + failureThreshold: 5 + httpGet: + host: localhost + path: /healthz + port: 29613 + initialDelaySeconds: 30 + timeoutSeconds: 10 + periodSeconds: 30 + env: + - name: AZURE_CREDENTIAL_FILE + valueFrom: + configMapKeyRef: + name: azure-cred-file + key: path + optional: true + - name: CSI_ENDPOINT + value: unix:///csi/csi.sock + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + securityContext: + privileged: true + capabilities: + drop: + - ALL + volumeMounts: + - mountPath: /csi + name: socket-dir + - mountPath: /var/lib/kubelet/ + mountPropagation: Bidirectional + name: mountpoint-dir + - mountPath: /etc/kubernetes/ + name: azure-cred + - mountPath: /dev + name: device-dir + - mountPath: /run/kata-containers/shared/direct-volumes + name: kata-direct-volumes + resources: + limits: + memory: 400Mi + requests: + cpu: 10m + memory: 20Mi + volumes: + - hostPath: + path: /var/lib/kubelet/plugins/file.csi.azure.com + type: DirectoryOrCreate + name: socket-dir + - hostPath: + path: /var/lib/kubelet/ + type: DirectoryOrCreate + name: mountpoint-dir + - hostPath: + path: /var/lib/kubelet/plugins_registry/ + type: DirectoryOrCreate + name: registration-dir + - hostPath: + path: /etc/kubernetes/ + type: DirectoryOrCreate + name: azure-cred + - hostPath: + path: /dev + type: Directory + name: device-dir + - name: kata-direct-volumes + hostPath: + path: /run/kata-containers/shared/direct-volumes/ + type: DirectoryOrCreate +--- diff --git a/deploy/v1.31.8/csi-snapshot-controller.yaml b/deploy/v1.31.8/csi-snapshot-controller.yaml new file mode 100644 index 0000000000..ec40432827 --- /dev/null +++ b/deploy/v1.31.8/csi-snapshot-controller.yaml @@ -0,0 +1,62 @@ +--- +kind: Deployment +apiVersion: apps/v1 +metadata: + name: csi-snapshot-controller + namespace: kube-system +spec: + replicas: 2 + selector: + matchLabels: + app: csi-snapshot-controller + # the snapshot controller won't be marked as ready if the v1 CRDs are unavailable + # in #504 the snapshot-controller will exit after around 7.5 seconds if it + # can't find the v1 CRDs so this value should be greater than that + minReadySeconds: 15 + strategy: + rollingUpdate: + maxSurge: 0 + maxUnavailable: 1 + type: RollingUpdate + template: + metadata: + labels: + app: csi-snapshot-controller + spec: + serviceAccountName: csi-snapshot-controller-sa + nodeSelector: + kubernetes.io/os: linux + priorityClassName: system-cluster-critical + securityContext: + seccompProfile: + type: RuntimeDefault + tolerations: + - key: "node-role.kubernetes.io/master" + operator: "Equal" + value: "true" + effect: "NoSchedule" + - key: "node-role.kubernetes.io/controlplane" + operator: "Equal" + value: "true" + effect: "NoSchedule" + - key: "node-role.kubernetes.io/control-plane" + operator: "Equal" + value: "true" + effect: "NoSchedule" + containers: + - name: csi-snapshot-controller + image: mcr.microsoft.com/oss/kubernetes-csi/snapshot-controller:v8.2.0 + args: + - "--v=2" + - "--leader-election=true" + - "--leader-election-namespace=kube-system" + resources: + limits: + memory: 500Mi + requests: + cpu: 10m + memory: 20Mi + securityContext: + capabilities: + drop: + - ALL diff --git a/deploy/v1.31.8/rbac-csi-azurefile-controller.yaml b/deploy/v1.31.8/rbac-csi-azurefile-controller.yaml new file mode 100644 index 0000000000..b3baefcf04 --- /dev/null +++ b/deploy/v1.31.8/rbac-csi-azurefile-controller.yaml @@ -0,0 +1,195 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: csi-azurefile-controller-sa + namespace: kube-system + +--- + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: azurefile-external-provisioner-role +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "create", "patch", "delete"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["storage.k8s.io"] + resources: ["storageclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["get", "list", "watch", "create", "update", "patch"] + - apiGroups: ["storage.k8s.io"] + resources: ["csinodes"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "watch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots"] + verbs: ["get", "list"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["get", "list"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create", "patch"] +--- + +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: azurefile-csi-provisioner-binding +subjects: + - kind: ServiceAccount + name: csi-azurefile-controller-sa + namespace: kube-system +roleRef: + kind: ClusterRole + name: azurefile-external-provisioner-role + apiGroup: rbac.authorization.k8s.io + +--- + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: azurefile-external-attacher-role +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "watch"] + - apiGroups: ["csi.storage.k8s.io"] + resources: ["csinodeinfos"] + verbs: ["get", "list", "watch"] + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments/status"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create", "patch"] +--- + +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: azurefile-csi-attacher-binding +subjects: + - kind: ServiceAccount + name: csi-azurefile-controller-sa + namespace: kube-system +roleRef: + kind: ClusterRole + name: azurefile-external-attacher-role + apiGroup: rbac.authorization.k8s.io + +--- + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: azurefile-external-snapshotter-role +rules: + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["create", "get", "list", "watch", "update", "delete", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents/status"] + verbs: ["update", "patch"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create", "patch"] + +--- + +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: azurefile-csi-snapshotter-binding +subjects: + - kind: ServiceAccount + name: csi-azurefile-controller-sa + namespace: kube-system +roleRef: + kind: ClusterRole + name: azurefile-external-snapshotter-role + apiGroup: rbac.authorization.k8s.io + +--- + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: azurefile-external-resizer-role +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["persistentvolumeclaims/status"] + verbs: ["update", "patch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: azurefile-csi-resizer-role +subjects: + - kind: ServiceAccount + name: csi-azurefile-controller-sa + namespace: kube-system +roleRef: + kind: ClusterRole + name: azurefile-external-resizer-role + apiGroup: rbac.authorization.k8s.io + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-azurefile-controller-secret-role +rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "create"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-azurefile-controller-secret-binding +subjects: + - kind: ServiceAccount + name: csi-azurefile-controller-sa + namespace: kube-system +roleRef: + kind: ClusterRole + name: csi-azurefile-controller-secret-role + apiGroup: rbac.authorization.k8s.io +--- diff --git a/deploy/v1.31.8/rbac-csi-azurefile-node.yaml b/deploy/v1.31.8/rbac-csi-azurefile-node.yaml new file mode 100644 index 0000000000..61f0f0c8a4 --- /dev/null +++ b/deploy/v1.31.8/rbac-csi-azurefile-node.yaml @@ -0,0 +1,56 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: csi-azurefile-node-sa + namespace: kube-system + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-azurefile-node-secret-role +rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-azurefile-node-secret-binding +subjects: + - kind: ServiceAccount + name: csi-azurefile-node-sa + namespace: kube-system +roleRef: + kind: ClusterRole + name: csi-azurefile-node-secret-role + apiGroup: rbac.authorization.k8s.io +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-azurefile-node-katacc-role +rules: + - apiGroups: [""] + resources: ["pods"] + verbs: ["get"] + - apiGroups: ["node.k8s.io"] + resources: ["runtimeclasses"] + verbs: ["get", "list"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-azurefile-node-katacc-binding +subjects: + - kind: ServiceAccount + name: csi-azurefile-node-sa + namespace: kube-system +roleRef: + kind: ClusterRole + name: csi-azurefile-node-katacc-role + apiGroup: rbac.authorization.k8s.io +--- diff --git a/deploy/v1.31.8/rbac-csi-snapshot-controller.yaml b/deploy/v1.31.8/rbac-csi-snapshot-controller.yaml new file mode 100644 index 0000000000..8ef9352476 --- /dev/null +++ b/deploy/v1.31.8/rbac-csi-snapshot-controller.yaml @@ -0,0 +1,78 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: csi-snapshot-controller-sa + namespace: kube-system + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-snapshot-controller-role +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["storage.k8s.io"] + resources: ["storageclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["create", "get", "list", "watch", "update", "delete", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents/status"] + verbs: ["patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots"] + verbs: ["get", "list", "watch", "update", "patch", "create"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots/status"] + verbs: ["update", "patch"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-snapshot-controller-binding +subjects: + - kind: ServiceAccount + name: csi-snapshot-controller-sa + namespace: kube-system +roleRef: + kind: ClusterRole + name: csi-snapshot-controller-role + apiGroup: rbac.authorization.k8s.io + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-snapshot-controller-leaderelection-role +rules: + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create", "patch"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-snapshot-controller-leaderelection-binding +subjects: + - kind: ServiceAccount + name: csi-snapshot-controller-sa + namespace: kube-system +roleRef: + kind: ClusterRole + name: csi-snapshot-controller-leaderelection-role + apiGroup: rbac.authorization.k8s.io diff --git a/deploy/v1.32.7/crd-csi-snapshot.yaml b/deploy/v1.32.7/crd-csi-snapshot.yaml new file mode 100644 index 0000000000..b82d729d5e --- /dev/null +++ b/deploy/v1.32.7/crd-csi-snapshot.yaml @@ -0,0 +1,951 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + api-approved.kubernetes.io: "https://github.com/kubernetes-csi/external-snapshotter/pull/814" + name: volumesnapshots.snapshot.storage.k8s.io +spec: + group: snapshot.storage.k8s.io + names: + kind: VolumeSnapshot + listKind: VolumeSnapshotList + plural: volumesnapshots + shortNames: + - vs + singular: volumesnapshot + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Indicates if the snapshot is ready to be used to restore a volume. + jsonPath: .status.readyToUse + name: ReadyToUse + type: boolean + - description: If a new snapshot needs to be created, this contains the name of + the source PVC from which this snapshot was (or will be) created. + jsonPath: .spec.source.persistentVolumeClaimName + name: SourcePVC + type: string + - description: If a snapshot already exists, this contains the name of the existing + VolumeSnapshotContent object representing the existing snapshot. + jsonPath: .spec.source.volumeSnapshotContentName + name: SourceSnapshotContent + type: string + - description: Represents the minimum size of volume required to rehydrate from + this snapshot. + jsonPath: .status.restoreSize + name: RestoreSize + type: string + - description: The name of the VolumeSnapshotClass requested by the VolumeSnapshot. + jsonPath: .spec.volumeSnapshotClassName + name: SnapshotClass + type: string + - description: Name of the VolumeSnapshotContent object to which the VolumeSnapshot + object intends to bind to. Please note that verification of binding actually + requires checking both VolumeSnapshot and VolumeSnapshotContent to ensure + both are pointing at each other. Binding MUST be verified prior to usage of + this object. + jsonPath: .status.boundVolumeSnapshotContentName + name: SnapshotContent + type: string + - description: Timestamp when the point-in-time snapshot was taken by the underlying + storage system. + jsonPath: .status.creationTime + name: CreationTime + type: date + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + VolumeSnapshot is a user's request for either creating a point-in-time + snapshot of a persistent volume, or binding to a pre-existing snapshot. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + spec defines the desired characteristics of a snapshot requested by a user. + More info: https://kubernetes.io/docs/concepts/storage/volume-snapshots#volumesnapshots + Required. + properties: + source: + description: |- + source specifies where a snapshot will be created from. + This field is immutable after creation. + Required. + properties: + persistentVolumeClaimName: + description: |- + persistentVolumeClaimName specifies the name of the PersistentVolumeClaim + object representing the volume from which a snapshot should be created. + This PVC is assumed to be in the same namespace as the VolumeSnapshot + object. + This field should be set if the snapshot does not exists, and needs to be + created. + This field is immutable. + type: string + x-kubernetes-validations: + - message: persistentVolumeClaimName is immutable + rule: self == oldSelf + volumeSnapshotContentName: + description: |- + volumeSnapshotContentName specifies the name of a pre-existing VolumeSnapshotContent + object representing an existing volume snapshot. + This field should be set if the snapshot already exists and only needs a representation in Kubernetes. + This field is immutable. + type: string + x-kubernetes-validations: + - message: volumeSnapshotContentName is immutable + rule: self == oldSelf + type: object + x-kubernetes-validations: + - message: persistentVolumeClaimName is required once set + rule: '!has(oldSelf.persistentVolumeClaimName) || has(self.persistentVolumeClaimName)' + - message: volumeSnapshotContentName is required once set + rule: '!has(oldSelf.volumeSnapshotContentName) || has(self.volumeSnapshotContentName)' + - message: exactly one of volumeSnapshotContentName and persistentVolumeClaimName + must be set + rule: (has(self.volumeSnapshotContentName) && !has(self.persistentVolumeClaimName)) + || (!has(self.volumeSnapshotContentName) && has(self.persistentVolumeClaimName)) + volumeSnapshotClassName: + description: |- + VolumeSnapshotClassName is the name of the VolumeSnapshotClass + requested by the VolumeSnapshot. + VolumeSnapshotClassName may be left nil to indicate that the default + SnapshotClass should be used. + A given cluster may have multiple default Volume SnapshotClasses: one + default per CSI Driver. If a VolumeSnapshot does not specify a SnapshotClass, + VolumeSnapshotSource will be checked to figure out what the associated + CSI Driver is, and the default VolumeSnapshotClass associated with that + CSI Driver will be used. If more than one VolumeSnapshotClass exist for + a given CSI Driver and more than one have been marked as default, + CreateSnapshot will fail and generate an event. + Empty string is not allowed for this field. + type: string + x-kubernetes-validations: + - message: volumeSnapshotClassName must not be the empty string when + set + rule: size(self) > 0 + required: + - source + type: object + status: + description: |- + status represents the current information of a snapshot. + Consumers must verify binding between VolumeSnapshot and + VolumeSnapshotContent objects is successful (by validating that both + VolumeSnapshot and VolumeSnapshotContent point at each other) before + using this object. + properties: + boundVolumeSnapshotContentName: + description: |- + boundVolumeSnapshotContentName is the name of the VolumeSnapshotContent + object to which this VolumeSnapshot object intends to bind to. + If not specified, it indicates that the VolumeSnapshot object has not been + successfully bound to a VolumeSnapshotContent object yet. + NOTE: To avoid possible security issues, consumers must verify binding between + VolumeSnapshot and VolumeSnapshotContent objects is successful (by validating that + both VolumeSnapshot and VolumeSnapshotContent point at each other) before using + this object. + type: string + creationTime: + description: |- + creationTime is the timestamp when the point-in-time snapshot is taken + by the underlying storage system. + In dynamic snapshot creation case, this field will be filled in by the + snapshot controller with the "creation_time" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "creation_time" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. + If not specified, it may indicate that the creation time of the snapshot is unknown. + format: date-time + type: string + error: + description: |- + error is the last observed error during snapshot creation, if any. + This field could be helpful to upper level controllers(i.e., application controller) + to decide whether they should continue on waiting for the snapshot to be created + based on the type of error reported. + The snapshot controller will keep retrying when an error occurs during the + snapshot creation. Upon success, this error field will be cleared. + properties: + message: + description: |- + message is a string detailing the encountered error during snapshot + creation if specified. + NOTE: message may be logged, and it should not contain sensitive + information. + type: string + time: + description: time is the timestamp when the error was encountered. + format: date-time + type: string + type: object + readyToUse: + description: |- + readyToUse indicates if the snapshot is ready to be used to restore a volume. + In dynamic snapshot creation case, this field will be filled in by the + snapshot controller with the "ready_to_use" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "ready_to_use" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it, + otherwise, this field will be set to "True". + If not specified, it means the readiness of a snapshot is unknown. + type: boolean + restoreSize: + type: string + description: |- + restoreSize represents the minimum size of volume required to create a volume + from this snapshot. + In dynamic snapshot creation case, this field will be filled in by the + snapshot controller with the "size_bytes" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "size_bytes" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. + When restoring a volume from this snapshot, the size of the volume MUST NOT + be smaller than the restoreSize if it is specified, otherwise the restoration will fail. + If not specified, it indicates that the size is unknown. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + volumeGroupSnapshotName: + description: |- + VolumeGroupSnapshotName is the name of the VolumeGroupSnapshot of which this + VolumeSnapshot is a part of. + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: Indicates if the snapshot is ready to be used to restore a volume. + jsonPath: .status.readyToUse + name: ReadyToUse + type: boolean + - description: If a new snapshot needs to be created, this contains the name of the source PVC from which this snapshot was (or will be) created. + jsonPath: .spec.source.persistentVolumeClaimName + name: SourcePVC + type: string + - description: If a snapshot already exists, this contains the name of the existing VolumeSnapshotContent object representing the existing snapshot. + jsonPath: .spec.source.volumeSnapshotContentName + name: SourceSnapshotContent + type: string + - description: Represents the minimum size of volume required to rehydrate from this snapshot. + jsonPath: .status.restoreSize + name: RestoreSize + type: string + - description: The name of the VolumeSnapshotClass requested by the VolumeSnapshot. + jsonPath: .spec.volumeSnapshotClassName + name: SnapshotClass + type: string + - description: Name of the VolumeSnapshotContent object to which the VolumeSnapshot object intends to bind to. Please note that verification of binding actually requires checking both VolumeSnapshot and VolumeSnapshotContent to ensure both are pointing at each other. Binding MUST be verified prior to usage of this object. + jsonPath: .status.boundVolumeSnapshotContentName + name: SnapshotContent + type: string + - description: Timestamp when the point-in-time snapshot was taken by the underlying storage system. + jsonPath: .status.creationTime + name: CreationTime + type: date + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + # This indicates the v1beta1 version of the custom resource is deprecated. + # API requests to this version receive a warning in the server response. + deprecated: true + # This overrides the default warning returned to clients making v1beta1 API requests. + deprecationWarning: "snapshot.storage.k8s.io/v1beta1 VolumeSnapshot is deprecated; use snapshot.storage.k8s.io/v1 VolumeSnapshot" + schema: + openAPIV3Schema: + description: VolumeSnapshot is a user's request for either creating a point-in-time snapshot of a persistent volume, or binding to a pre-existing snapshot. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + spec: + description: 'spec defines the desired characteristics of a snapshot requested by a user. More info: https://kubernetes.io/docs/concepts/storage/volume-snapshots#volumesnapshots Required.' + properties: + source: + description: source specifies where a snapshot will be created from. This field is immutable after creation. Required. + properties: + persistentVolumeClaimName: + description: persistentVolumeClaimName specifies the name of the PersistentVolumeClaim object representing the volume from which a snapshot should be created. This PVC is assumed to be in the same namespace as the VolumeSnapshot object. This field should be set if the snapshot does not exists, and needs to be created. This field is immutable. + type: string + volumeSnapshotContentName: + description: volumeSnapshotContentName specifies the name of a pre-existing VolumeSnapshotContent object representing an existing volume snapshot. This field should be set if the snapshot already exists and only needs a representation in Kubernetes. This field is immutable. + type: string + type: object + volumeSnapshotClassName: + description: 'VolumeSnapshotClassName is the name of the VolumeSnapshotClass requested by the VolumeSnapshot. VolumeSnapshotClassName may be left nil to indicate that the default SnapshotClass should be used. A given cluster may have multiple default Volume SnapshotClasses: one default per CSI Driver. If a VolumeSnapshot does not specify a SnapshotClass, VolumeSnapshotSource will be checked to figure out what the associated CSI Driver is, and the default VolumeSnapshotClass associated with that CSI Driver will be used. If more than one VolumeSnapshotClass exist for a given CSI Driver and more than one have been marked as default, CreateSnapshot will fail and generate an event. Empty string is not allowed for this field.' + type: string + required: + - source + type: object + status: + description: status represents the current information of a snapshot. Consumers must verify binding between VolumeSnapshot and VolumeSnapshotContent objects is successful (by validating that both VolumeSnapshot and VolumeSnapshotContent point at each other) before using this object. + properties: + boundVolumeSnapshotContentName: + description: 'boundVolumeSnapshotContentName is the name of the VolumeSnapshotContent object to which this VolumeSnapshot object intends to bind to. If not specified, it indicates that the VolumeSnapshot object has not been successfully bound to a VolumeSnapshotContent object yet. NOTE: To avoid possible security issues, consumers must verify binding between VolumeSnapshot and VolumeSnapshotContent objects is successful (by validating that both VolumeSnapshot and VolumeSnapshotContent point at each other) before using this object.' + type: string + creationTime: + description: creationTime is the timestamp when the point-in-time snapshot is taken by the underlying storage system. In dynamic snapshot creation case, this field will be filled in by the snapshot controller with the "creation_time" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "creation_time" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. If not specified, it may indicate that the creation time of the snapshot is unknown. + format: date-time + type: string + error: + description: error is the last observed error during snapshot creation, if any. This field could be helpful to upper level controllers(i.e., application controller) to decide whether they should continue on waiting for the snapshot to be created based on the type of error reported. The snapshot controller will keep retrying when an error occurs during the snapshot creation. Upon success, this error field will be cleared. + properties: + message: + description: 'message is a string detailing the encountered error during snapshot creation if specified. NOTE: message may be logged, and it should not contain sensitive information.' + type: string + time: + description: time is the timestamp when the error was encountered. + format: date-time + type: string + type: object + readyToUse: + description: readyToUse indicates if the snapshot is ready to be used to restore a volume. In dynamic snapshot creation case, this field will be filled in by the snapshot controller with the "ready_to_use" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "ready_to_use" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it, otherwise, this field will be set to "True". If not specified, it means the readiness of a snapshot is unknown. + type: boolean + restoreSize: + type: string + description: restoreSize represents the minimum size of volume required to create a volume from this snapshot. In dynamic snapshot creation case, this field will be filled in by the snapshot controller with the "size_bytes" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "size_bytes" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. When restoring a volume from this snapshot, the size of the volume MUST NOT be smaller than the restoreSize if it is specified, otherwise the restoration will fail. If not specified, it indicates that the size is unknown. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + required: + - spec + type: object + served: false + storage: false + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: "https://github.com/kubernetes-csi/external-snapshotter/pull/814" + controller-gen.kubebuilder.io/version: v0.15.0 + name: volumesnapshotclasses.snapshot.storage.k8s.io +spec: + group: snapshot.storage.k8s.io + names: + kind: VolumeSnapshotClass + listKind: VolumeSnapshotClassList + plural: volumesnapshotclasses + shortNames: + - vsclass + - vsclasses + singular: volumesnapshotclass + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .driver + name: Driver + type: string + - description: Determines whether a VolumeSnapshotContent created through the + VolumeSnapshotClass should be deleted when its bound VolumeSnapshot is deleted. + jsonPath: .deletionPolicy + name: DeletionPolicy + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + VolumeSnapshotClass specifies parameters that a underlying storage system uses when + creating a volume snapshot. A specific VolumeSnapshotClass is used by specifying its + name in a VolumeSnapshot object. + VolumeSnapshotClasses are non-namespaced + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + deletionPolicy: + description: |- + deletionPolicy determines whether a VolumeSnapshotContent created through + the VolumeSnapshotClass should be deleted when its bound VolumeSnapshot is deleted. + Supported values are "Retain" and "Delete". + "Retain" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are kept. + "Delete" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are deleted. + Required. + enum: + - Delete + - Retain + type: string + driver: + description: |- + driver is the name of the storage driver that handles this VolumeSnapshotClass. + Required. + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + parameters: + additionalProperties: + type: string + description: |- + parameters is a key-value map with storage driver specific parameters for creating snapshots. + These values are opaque to Kubernetes. + type: object + required: + - deletionPolicy + - driver + type: object + served: true + storage: true + subresources: {} + - additionalPrinterColumns: + - jsonPath: .driver + name: Driver + type: string + - description: Determines whether a VolumeSnapshotContent created through the VolumeSnapshotClass should be deleted when its bound VolumeSnapshot is deleted. + jsonPath: .deletionPolicy + name: DeletionPolicy + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + # This indicates the v1beta1 version of the custom resource is deprecated. + # API requests to this version receive a warning in the server response. + deprecated: true + # This overrides the default warning returned to clients making v1beta1 API requests. + deprecationWarning: "snapshot.storage.k8s.io/v1beta1 VolumeSnapshotClass is deprecated; use snapshot.storage.k8s.io/v1 VolumeSnapshotClass" + schema: + openAPIV3Schema: + description: VolumeSnapshotClass specifies parameters that a underlying storage system uses when creating a volume snapshot. A specific VolumeSnapshotClass is used by specifying its name in a VolumeSnapshot object. VolumeSnapshotClasses are non-namespaced + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + deletionPolicy: + description: deletionPolicy determines whether a VolumeSnapshotContent created through the VolumeSnapshotClass should be deleted when its bound VolumeSnapshot is deleted. Supported values are "Retain" and "Delete". "Retain" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are kept. "Delete" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are deleted. Required. + enum: + - Delete + - Retain + type: string + driver: + description: driver is the name of the storage driver that handles this VolumeSnapshotClass. Required. + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + parameters: + additionalProperties: + type: string + description: parameters is a key-value map with storage driver specific parameters for creating snapshots. These values are opaque to Kubernetes. + type: object + required: + - deletionPolicy + - driver + type: object + served: false + storage: false + subresources: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + api-approved.kubernetes.io: "https://github.com/kubernetes-csi/external-snapshotter/pull/955" + name: volumesnapshotcontents.snapshot.storage.k8s.io +spec: + group: snapshot.storage.k8s.io + names: + kind: VolumeSnapshotContent + listKind: VolumeSnapshotContentList + plural: volumesnapshotcontents + shortNames: + - vsc + - vscs + singular: volumesnapshotcontent + scope: Cluster + versions: + - additionalPrinterColumns: + - description: Indicates if the snapshot is ready to be used to restore a volume. + jsonPath: .status.readyToUse + name: ReadyToUse + type: boolean + - description: Represents the complete size of the snapshot in bytes + jsonPath: .status.restoreSize + name: RestoreSize + type: integer + - description: Determines whether this VolumeSnapshotContent and its physical + snapshot on the underlying storage system should be deleted when its bound + VolumeSnapshot is deleted. + jsonPath: .spec.deletionPolicy + name: DeletionPolicy + type: string + - description: Name of the CSI driver used to create the physical snapshot on + the underlying storage system. + jsonPath: .spec.driver + name: Driver + type: string + - description: Name of the VolumeSnapshotClass to which this snapshot belongs. + jsonPath: .spec.volumeSnapshotClassName + name: VolumeSnapshotClass + type: string + - description: Name of the VolumeSnapshot object to which this VolumeSnapshotContent + object is bound. + jsonPath: .spec.volumeSnapshotRef.name + name: VolumeSnapshot + type: string + - description: Namespace of the VolumeSnapshot object to which this VolumeSnapshotContent + object is bound. + jsonPath: .spec.volumeSnapshotRef.namespace + name: VolumeSnapshotNamespace + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + VolumeSnapshotContent represents the actual "on-disk" snapshot object in the + underlying storage system + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + spec defines properties of a VolumeSnapshotContent created by the underlying storage system. + Required. + properties: + deletionPolicy: + description: |- + deletionPolicy determines whether this VolumeSnapshotContent and its physical snapshot on + the underlying storage system should be deleted when its bound VolumeSnapshot is deleted. + Supported values are "Retain" and "Delete". + "Retain" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are kept. + "Delete" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are deleted. + For dynamically provisioned snapshots, this field will automatically be filled in by the + CSI snapshotter sidecar with the "DeletionPolicy" field defined in the corresponding + VolumeSnapshotClass. + For pre-existing snapshots, users MUST specify this field when creating the + VolumeSnapshotContent object. + Required. + enum: + - Delete + - Retain + type: string + driver: + description: |- + driver is the name of the CSI driver used to create the physical snapshot on + the underlying storage system. + This MUST be the same as the name returned by the CSI GetPluginName() call for + that driver. + Required. + type: string + source: + description: |- + source specifies whether the snapshot is (or should be) dynamically provisioned + or already exists, and just requires a Kubernetes object representation. + This field is immutable after creation. + Required. + properties: + snapshotHandle: + description: |- + snapshotHandle specifies the CSI "snapshot_id" of a pre-existing snapshot on + the underlying storage system for which a Kubernetes object representation + was (or should be) created. + This field is immutable. + type: string + x-kubernetes-validations: + - message: snapshotHandle is immutable + rule: self == oldSelf + volumeHandle: + description: |- + volumeHandle specifies the CSI "volume_id" of the volume from which a snapshot + should be dynamically taken from. + This field is immutable. + type: string + x-kubernetes-validations: + - message: volumeHandle is immutable + rule: self == oldSelf + type: object + x-kubernetes-validations: + - message: volumeHandle is required once set + rule: '!has(oldSelf.volumeHandle) || has(self.volumeHandle)' + - message: snapshotHandle is required once set + rule: '!has(oldSelf.snapshotHandle) || has(self.snapshotHandle)' + - message: exactly one of volumeHandle and snapshotHandle must be + set + rule: (has(self.volumeHandle) && !has(self.snapshotHandle)) || (!has(self.volumeHandle) + && has(self.snapshotHandle)) + sourceVolumeMode: + description: |- + SourceVolumeMode is the mode of the volume whose snapshot is taken. + Can be either "Filesystem" or "Block". + If not specified, it indicates the source volume's mode is unknown. + This field is immutable. + This field is an alpha field. + type: string + x-kubernetes-validations: + - message: sourceVolumeMode is immutable + rule: self == oldSelf + volumeSnapshotClassName: + description: |- + name of the VolumeSnapshotClass from which this snapshot was (or will be) + created. + Note that after provisioning, the VolumeSnapshotClass may be deleted or + recreated with different set of values, and as such, should not be referenced + post-snapshot creation. + type: string + volumeSnapshotRef: + description: |- + volumeSnapshotRef specifies the VolumeSnapshot object to which this + VolumeSnapshotContent object is bound. + VolumeSnapshot.Spec.VolumeSnapshotContentName field must reference to + this VolumeSnapshotContent's name for the bidirectional binding to be valid. + For a pre-existing VolumeSnapshotContent object, name and namespace of the + VolumeSnapshot object MUST be provided for binding to happen. + This field is immutable after creation. + Required. + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. + type: string + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + namespace: + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + type: string + resourceVersion: + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + type: string + uid: + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + type: string + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: both spec.volumeSnapshotRef.name and spec.volumeSnapshotRef.namespace + must be set + rule: has(self.name) && has(self.__namespace__) + required: + - deletionPolicy + - driver + - source + - volumeSnapshotRef + type: object + x-kubernetes-validations: + - message: sourceVolumeMode is required once set + rule: '!has(oldSelf.sourceVolumeMode) || has(self.sourceVolumeMode)' + status: + description: status represents the current information of a snapshot. + properties: + creationTime: + description: |- + creationTime is the timestamp when the point-in-time snapshot is taken + by the underlying storage system. + In dynamic snapshot creation case, this field will be filled in by the + CSI snapshotter sidecar with the "creation_time" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "creation_time" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. + If not specified, it indicates the creation time is unknown. + The format of this field is a Unix nanoseconds time encoded as an int64. + On Unix, the command `date +%s%N` returns the current time in nanoseconds + since 1970-01-01 00:00:00 UTC. + format: int64 + type: integer + error: + description: |- + error is the last observed error during snapshot creation, if any. + Upon success after retry, this error field will be cleared. + properties: + message: + description: |- + message is a string detailing the encountered error during snapshot + creation if specified. + NOTE: message may be logged, and it should not contain sensitive + information. + type: string + time: + description: time is the timestamp when the error was encountered. + format: date-time + type: string + type: object + readyToUse: + description: |- + readyToUse indicates if a snapshot is ready to be used to restore a volume. + In dynamic snapshot creation case, this field will be filled in by the + CSI snapshotter sidecar with the "ready_to_use" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "ready_to_use" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it, + otherwise, this field will be set to "True". + If not specified, it means the readiness of a snapshot is unknown. + type: boolean + restoreSize: + description: |- + restoreSize represents the complete size of the snapshot in bytes. + In dynamic snapshot creation case, this field will be filled in by the + CSI snapshotter sidecar with the "size_bytes" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "size_bytes" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. + When restoring a volume from this snapshot, the size of the volume MUST NOT + be smaller than the restoreSize if it is specified, otherwise the restoration will fail. + If not specified, it indicates that the size is unknown. + format: int64 + minimum: 0 + type: integer + snapshotHandle: + description: |- + snapshotHandle is the CSI "snapshot_id" of a snapshot on the underlying storage system. + If not specified, it indicates that dynamic snapshot creation has either failed + or it is still in progress. + type: string + volumeGroupSnapshotHandle: + description: |- + VolumeGroupSnapshotHandle is the CSI "group_snapshot_id" of a group snapshot + on the underlying storage system. + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: Indicates if the snapshot is ready to be used to restore a volume. + jsonPath: .status.readyToUse + name: ReadyToUse + type: boolean + - description: Represents the complete size of the snapshot in bytes + jsonPath: .status.restoreSize + name: RestoreSize + type: integer + - description: Determines whether this VolumeSnapshotContent and its physical snapshot on the underlying storage system should be deleted when its bound VolumeSnapshot is deleted. + jsonPath: .spec.deletionPolicy + name: DeletionPolicy + type: string + - description: Name of the CSI driver used to create the physical snapshot on the underlying storage system. + jsonPath: .spec.driver + name: Driver + type: string + - description: Name of the VolumeSnapshotClass to which this snapshot belongs. + jsonPath: .spec.volumeSnapshotClassName + name: VolumeSnapshotClass + type: string + - description: Name of the VolumeSnapshot object to which this VolumeSnapshotContent object is bound. + jsonPath: .spec.volumeSnapshotRef.name + name: VolumeSnapshot + type: string + - description: Namespace of the VolumeSnapshot object to which this VolumeSnapshotContent object is bound. + jsonPath: .spec.volumeSnapshotRef.namespace + name: VolumeSnapshotNamespace + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + # This indicates the v1beta1 version of the custom resource is deprecated. + # API requests to this version receive a warning in the server response. + deprecated: true + # This overrides the default warning returned to clients making v1beta1 API requests. + deprecationWarning: "snapshot.storage.k8s.io/v1beta1 VolumeSnapshotContent is deprecated; use snapshot.storage.k8s.io/v1 VolumeSnapshotContent" + schema: + openAPIV3Schema: + description: VolumeSnapshotContent represents the actual "on-disk" snapshot object in the underlying storage system + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + spec: + description: spec defines properties of a VolumeSnapshotContent created by the underlying storage system. Required. + properties: + deletionPolicy: + description: deletionPolicy determines whether this VolumeSnapshotContent and its physical snapshot on the underlying storage system should be deleted when its bound VolumeSnapshot is deleted. Supported values are "Retain" and "Delete". "Retain" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are kept. "Delete" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are deleted. For dynamically provisioned snapshots, this field will automatically be filled in by the CSI snapshotter sidecar with the "DeletionPolicy" field defined in the corresponding VolumeSnapshotClass. For pre-existing snapshots, users MUST specify this field when creating the VolumeSnapshotContent object. Required. + enum: + - Delete + - Retain + type: string + driver: + description: driver is the name of the CSI driver used to create the physical snapshot on the underlying storage system. This MUST be the same as the name returned by the CSI GetPluginName() call for that driver. Required. + type: string + source: + description: source specifies whether the snapshot is (or should be) dynamically provisioned or already exists, and just requires a Kubernetes object representation. This field is immutable after creation. Required. + properties: + snapshotHandle: + description: snapshotHandle specifies the CSI "snapshot_id" of a pre-existing snapshot on the underlying storage system for which a Kubernetes object representation was (or should be) created. This field is immutable. + type: string + volumeHandle: + description: volumeHandle specifies the CSI "volume_id" of the volume from which a snapshot should be dynamically taken from. This field is immutable. + type: string + type: object + volumeSnapshotClassName: + description: name of the VolumeSnapshotClass from which this snapshot was (or will be) created. Note that after provisioning, the VolumeSnapshotClass may be deleted or recreated with different set of values, and as such, should not be referenced post-snapshot creation. + type: string + volumeSnapshotRef: + description: volumeSnapshotRef specifies the VolumeSnapshot object to which this VolumeSnapshotContent object is bound. VolumeSnapshot.Spec.VolumeSnapshotContentName field must reference to this VolumeSnapshotContent's name for the bidirectional binding to be valid. For a pre-existing VolumeSnapshotContent object, name and namespace of the VolumeSnapshot object MUST be provided for binding to happen. This field is immutable after creation. Required. + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + required: + - deletionPolicy + - driver + - source + - volumeSnapshotRef + type: object + status: + description: status represents the current information of a snapshot. + properties: + creationTime: + description: creationTime is the timestamp when the point-in-time snapshot is taken by the underlying storage system. In dynamic snapshot creation case, this field will be filled in by the CSI snapshotter sidecar with the "creation_time" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "creation_time" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. If not specified, it indicates the creation time is unknown. The format of this field is a Unix nanoseconds time encoded as an int64. On Unix, the command `date +%s%N` returns the current time in nanoseconds since 1970-01-01 00:00:00 UTC. + format: int64 + type: integer + error: + description: error is the last observed error during snapshot creation, if any. Upon success after retry, this error field will be cleared. + properties: + message: + description: 'message is a string detailing the encountered error during snapshot creation if specified. NOTE: message may be logged, and it should not contain sensitive information.' + type: string + time: + description: time is the timestamp when the error was encountered. + format: date-time + type: string + type: object + readyToUse: + description: readyToUse indicates if a snapshot is ready to be used to restore a volume. In dynamic snapshot creation case, this field will be filled in by the CSI snapshotter sidecar with the "ready_to_use" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "ready_to_use" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it, otherwise, this field will be set to "True". If not specified, it means the readiness of a snapshot is unknown. + type: boolean + restoreSize: + description: restoreSize represents the complete size of the snapshot in bytes. In dynamic snapshot creation case, this field will be filled in by the CSI snapshotter sidecar with the "size_bytes" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "size_bytes" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. When restoring a volume from this snapshot, the size of the volume MUST NOT be smaller than the restoreSize if it is specified, otherwise the restoration will fail. If not specified, it indicates that the size is unknown. + format: int64 + minimum: 0 + type: integer + snapshotHandle: + description: snapshotHandle is the CSI "snapshot_id" of a snapshot on the underlying storage system. If not specified, it indicates that dynamic snapshot creation has either failed or it is still in progress. + type: string + type: object + required: + - spec + type: object + served: false + storage: false + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/deploy/v1.32.7/csi-azurefile-controller.yaml b/deploy/v1.32.7/csi-azurefile-controller.yaml new file mode 100644 index 0000000000..da15668b81 --- /dev/null +++ b/deploy/v1.32.7/csi-azurefile-controller.yaml @@ -0,0 +1,200 @@ +--- +kind: Deployment +apiVersion: apps/v1 +metadata: + name: csi-azurefile-controller + namespace: kube-system +spec: + replicas: 2 + selector: + matchLabels: + app: csi-azurefile-controller + template: + metadata: + labels: + app: csi-azurefile-controller + spec: + hostNetwork: true # only required for MSI enabled cluster + serviceAccountName: csi-azurefile-controller-sa + nodeSelector: + kubernetes.io/os: linux # add "kubernetes.io/role: master" to run controller on master node + priorityClassName: system-cluster-critical + securityContext: + seccompProfile: + type: RuntimeDefault + tolerations: + - key: "node-role.kubernetes.io/master" + operator: "Exists" + effect: "NoSchedule" + - key: "node-role.kubernetes.io/controlplane" + operator: "Exists" + effect: "NoSchedule" + - key: "node-role.kubernetes.io/control-plane" + operator: "Exists" + effect: "NoSchedule" + - key: "CriticalAddonsOnly" + operator: "Exists" + effect: "NoSchedule" + containers: + - name: csi-provisioner + image: mcr.microsoft.com/oss/kubernetes-csi/csi-provisioner:v5.2.0 + args: + - "-v=2" + - "--csi-address=$(ADDRESS)" + - "--leader-election" + - "--leader-election-namespace=kube-system" + - "--timeout=1200s" + - "--extra-create-metadata=true" + - "--kube-api-qps=50" + - "--kube-api-burst=100" + - "--feature-gates=HonorPVReclaimPolicy=true" + - "--retry-interval-max=30m" + env: + - name: ADDRESS + value: /csi/csi.sock + volumeMounts: + - mountPath: /csi + name: socket-dir + resources: + limits: + memory: 500Mi + requests: + cpu: 10m + memory: 20Mi + securityContext: + capabilities: + drop: + - ALL + - name: csi-snapshotter + image: mcr.microsoft.com/oss/kubernetes-csi/csi-snapshotter:v8.2.1 + args: + - "-v=2" + - "-csi-address=$(ADDRESS)" + - "--leader-election" + - "--leader-election-namespace=kube-system" + - "--retry-interval-max=30m" + env: + - name: ADDRESS + value: /csi/csi.sock + volumeMounts: + - name: socket-dir + mountPath: /csi + resources: + limits: + memory: 200Mi + requests: + cpu: 10m + memory: 20Mi + securityContext: + capabilities: + drop: + - ALL + - name: csi-resizer + image: mcr.microsoft.com/oss/v2/kubernetes-csi/csi-resizer:v1.13.2 + args: + - "-csi-address=$(ADDRESS)" + - "-v=2" + - "--leader-election" + - "--leader-election-namespace=kube-system" + - '-handle-volume-inuse-error=false' + - '-feature-gates=RecoverVolumeExpansionFailure=true' + - '-timeout=120s' + - "--retry-interval-max=30m" + env: + - name: ADDRESS + value: /csi/csi.sock + volumeMounts: + - name: socket-dir + mountPath: /csi + resources: + limits: + memory: 500Mi + requests: + cpu: 10m + memory: 20Mi + securityContext: + capabilities: + drop: + - ALL + - name: liveness-probe + image: mcr.microsoft.com/oss/v2/kubernetes-csi/livenessprobe:v2.15.0 + args: + - --csi-address=/csi/csi.sock + - --probe-timeout=3s + - --http-endpoint=localhost:29612 + - --v=2 + volumeMounts: + - name: socket-dir + mountPath: /csi + resources: + limits: + memory: 100Mi + requests: + cpu: 10m + memory: 20Mi + securityContext: + capabilities: + drop: + - ALL + - name: azurefile + image: mcr.microsoft.com/oss/v2/kubernetes-csi/azurefile-csi:v1.32.7 + imagePullPolicy: IfNotPresent + args: + - "--v=5" + - "--endpoint=$(CSI_ENDPOINT)" + - "--metrics-address=0.0.0.0:29614" + - "--user-agent-suffix=OSS-kubectl" + ports: + - containerPort: 29614 + name: metrics + protocol: TCP + livenessProbe: + failureThreshold: 5 + httpGet: + host: localhost + path: /healthz + port: 29612 + initialDelaySeconds: 30 + timeoutSeconds: 10 + periodSeconds: 30 + env: + - name: AZURE_CREDENTIAL_FILE + valueFrom: + configMapKeyRef: + name: azure-cred-file + key: path + optional: true + - name: CSI_ENDPOINT + value: unix:///csi/csi.sock + - name: AZCOPY_CONCURRENCY_VALUE + value: "10" + - name: AZCOPY_CONCURRENT_FILES + value: "20" + - name: AZCOPY_BUFFER_GB + value: "1" + volumeMounts: + - mountPath: /csi + name: socket-dir + - mountPath: /root/.azcopy + name: azcopy-dir + - mountPath: /etc/kubernetes/ + name: azure-cred + resources: + limits: + memory: 800Mi + requests: + cpu: 10m + memory: 20Mi + securityContext: + capabilities: + drop: + - ALL + volumes: + - name: socket-dir + emptyDir: {} + - name: azcopy-dir + emptyDir: {} + - name: azure-cred + hostPath: + path: /etc/kubernetes/ + type: DirectoryOrCreate diff --git a/deploy/v1.32.7/csi-azurefile-driver.yaml b/deploy/v1.32.7/csi-azurefile-driver.yaml new file mode 100644 index 0000000000..18eee55996 --- /dev/null +++ b/deploy/v1.32.7/csi-azurefile-driver.yaml @@ -0,0 +1,17 @@ +--- +apiVersion: storage.k8s.io/v1 +kind: CSIDriver +metadata: + name: file.csi.azure.com + annotations: + csiDriver: v1.32.0 + snapshot: v6.2.2 +spec: + attachRequired: false + podInfoOnMount: true + volumeLifecycleModes: + - Persistent + - Ephemeral + fsGroupPolicy: ReadWriteOnceWithFSType + tokenRequests: + - audience: api://AzureADTokenExchange diff --git a/deploy/v1.32.7/csi-azurefile-node-windows-hostprocess.yaml b/deploy/v1.32.7/csi-azurefile-node-windows-hostprocess.yaml new file mode 100644 index 0000000000..1df5073c99 --- /dev/null +++ b/deploy/v1.32.7/csi-azurefile-node-windows-hostprocess.yaml @@ -0,0 +1,122 @@ +--- +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: csi-azurefile-node-win + namespace: kube-system +spec: + updateStrategy: + rollingUpdate: + maxUnavailable: 1 + type: RollingUpdate + selector: + matchLabels: + app: csi-azurefile-node-win + template: + metadata: + labels: + app: csi-azurefile-node-win + spec: + serviceAccountName: csi-azurefile-node-sa + tolerations: + - key: "node.kubernetes.io/os" + operator: "Exists" + effect: "NoSchedule" + nodeSelector: + kubernetes.io/os: windows + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: type + operator: NotIn + values: + - virtual-kubelet + priorityClassName: system-node-critical + securityContext: + seccompProfile: + type: RuntimeDefault + windowsOptions: + hostProcess: true + runAsUserName: "NT AUTHORITY\\SYSTEM" + hostNetwork: true + initContainers: + - name: init + image: mcr.microsoft.com/oss/v2/kubernetes-csi/azurefile-csi:v1.32.7-windows-hp + imagePullPolicy: IfNotPresent + command: + - "powershell.exe" + - "-c" + - "New-Item -ItemType Directory -Path C:\\var\\lib\\kubelet\\plugins\\file.csi.azure.com\\ -Force" + securityContext: + capabilities: + drop: + - ALL + containers: + - name: node-driver-registrar + image: mcr.microsoft.com/oss/v2/kubernetes-csi/csi-node-driver-registrar:v2.13.0 + imagePullPolicy: IfNotPresent + command: + - "csi-node-driver-registrar.exe" + args: + - "--v=2" + - "--csi-address=$(CSI_ENDPOINT)" + - "--kubelet-registration-path=$(DRIVER_REG_SOCK_PATH)" + - "--plugin-registration-path=$(PLUGIN_REG_DIR)" + env: + - name: CSI_ENDPOINT + value: unix://C:\\var\\lib\\kubelet\\plugins\\file.csi.azure.com\\csi.sock + - name: DRIVER_REG_SOCK_PATH + value: C:\\var\\lib\\kubelet\\plugins\\file.csi.azure.com\\csi.sock + - name: PLUGIN_REG_DIR + value: C:\\var\\lib\\kubelet\\plugins_registry\\ + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + resources: + limits: + memory: 150Mi + requests: + cpu: 30m + memory: 40Mi + securityContext: + capabilities: + drop: + - ALL + - name: azurefile + image: mcr.microsoft.com/oss/v2/kubernetes-csi/azurefile-csi:v1.32.7-windows-hp + imagePullPolicy: IfNotPresent + command: + - "azurefileplugin.exe" + args: + - --v=5 + - --endpoint=$(CSI_ENDPOINT) + - --nodeid=$(KUBE_NODE_NAME) + - --enable-windows-host-process=true + - --metrics-address="0.0.0.0:29615" + env: + - name: AZURE_CREDENTIAL_FILE + valueFrom: + configMapKeyRef: + name: azure-cred-file + key: path-windows + optional: true + - name: CSI_ENDPOINT + value: unix://C:\\var\\lib\\kubelet\\plugins\\file.csi.azure.com\\csi.sock + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + resources: + limits: + memory: 600Mi + requests: + cpu: 10m + memory: 40Mi + securityContext: + capabilities: + drop: + - ALL diff --git a/deploy/v1.32.7/csi-azurefile-node-windows.yaml b/deploy/v1.32.7/csi-azurefile-node-windows.yaml new file mode 100644 index 0000000000..c280acdcc7 --- /dev/null +++ b/deploy/v1.32.7/csi-azurefile-node-windows.yaml @@ -0,0 +1,187 @@ +--- +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: csi-azurefile-node-win + namespace: kube-system +spec: + updateStrategy: + rollingUpdate: + maxUnavailable: 1 + type: RollingUpdate + selector: + matchLabels: + app: csi-azurefile-node-win + template: + metadata: + labels: + app: csi-azurefile-node-win + spec: + serviceAccountName: csi-azurefile-node-sa + tolerations: + - key: "node.kubernetes.io/os" + operator: "Exists" + effect: "NoSchedule" + nodeSelector: + kubernetes.io/os: windows + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: type + operator: NotIn + values: + - virtual-kubelet + priorityClassName: system-node-critical + securityContext: + seccompProfile: + type: RuntimeDefault + containers: + - name: liveness-probe + volumeMounts: + - mountPath: C:\csi + name: plugin-dir + image: mcr.microsoft.com/oss/kubernetes-csi/livenessprobe:v2.15.0 + args: + - --csi-address=$(CSI_ENDPOINT) + - --probe-timeout=3s + - --health-port=29613 + - --v=2 + env: + - name: CSI_ENDPOINT + value: unix://C:\\csi\\csi.sock + resources: + limits: + memory: 150Mi + requests: + cpu: 10m + memory: 40Mi + securityContext: + capabilities: + drop: + - ALL + - name: node-driver-registrar + image: mcr.microsoft.com/oss/v2/kubernetes-csi/csi-node-driver-registrar:v2.13.0 + args: + - --v=2 + - --csi-address=$(CSI_ENDPOINT) + - --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH) + env: + - name: CSI_ENDPOINT + value: unix://C:\\csi\\csi.sock + - name: DRIVER_REG_SOCK_PATH + value: C:\\var\\lib\\kubelet\\plugins\\file.csi.azure.com\\csi.sock + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + volumeMounts: + - name: kubelet-dir + mountPath: "C:\\var\\lib\\kubelet" + - name: plugin-dir + mountPath: C:\csi + - name: registration-dir + mountPath: C:\registration + resources: + limits: + memory: 150Mi + requests: + cpu: 30m + memory: 40Mi + securityContext: + capabilities: + drop: + - ALL + - name: azurefile + image: mcr.microsoft.com/oss/kubernetes-csi/azurefile-csi:v1.32.7 + imagePullPolicy: IfNotPresent + args: + - --v=5 + - --endpoint=$(CSI_ENDPOINT) + - --nodeid=$(KUBE_NODE_NAME) + - --metrics-address="0.0.0.0:29615" + ports: + - containerPort: 29613 + name: healthz + protocol: TCP + livenessProbe: + failureThreshold: 5 + httpGet: + path: /healthz + port: healthz + initialDelaySeconds: 60 + timeoutSeconds: 60 + periodSeconds: 60 + env: + - name: AZURE_CREDENTIAL_FILE + valueFrom: + configMapKeyRef: + name: azure-cred-file + key: path-windows + optional: true + - name: CSI_ENDPOINT + value: unix://C:\\csi\\csi.sock + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + volumeMounts: + - name: kubelet-dir + mountPath: "C:\\var\\lib\\kubelet" + - name: plugin-dir + mountPath: C:\csi + - name: azure-config + mountPath: C:\k + - name: csi-proxy-fs-pipe-v1 + mountPath: \\.\pipe\csi-proxy-filesystem-v1 + - name: csi-proxy-smb-pipe-v1 + mountPath: \\.\pipe\csi-proxy-smb-v1 + # these paths are still included for compatibility, they're used + # only if the node has still the beta version of the CSI proxy + - name: csi-proxy-fs-pipe-v1beta1 + mountPath: \\.\pipe\csi-proxy-filesystem-v1beta1 + - name: csi-proxy-smb-pipe-v1beta1 + mountPath: \\.\pipe\csi-proxy-smb-v1beta1 + resources: + limits: + memory: 200Mi + requests: + cpu: 10m + memory: 40Mi + securityContext: + capabilities: + drop: + - ALL + volumes: + - name: csi-proxy-fs-pipe-v1 + hostPath: + path: \\.\pipe\csi-proxy-filesystem-v1 + - name: csi-proxy-smb-pipe-v1 + hostPath: + path: \\.\pipe\csi-proxy-smb-v1 + # these paths are still included for compatibility, they're used + # only if the node has still the beta version of the CSI proxy + - name: csi-proxy-fs-pipe-v1beta1 + hostPath: + path: \\.\pipe\csi-proxy-filesystem-v1beta1 + - name: csi-proxy-smb-pipe-v1beta1 + hostPath: + path: \\.\pipe\csi-proxy-smb-v1beta1 + - name: registration-dir + hostPath: + path: C:\var\lib\kubelet\plugins_registry\ + type: Directory + - name: kubelet-dir + hostPath: + path: C:\var\lib\kubelet\ + type: Directory + - name: plugin-dir + hostPath: + path: C:\var\lib\kubelet\plugins\file.csi.azure.com\ + type: DirectoryOrCreate + - name: azure-config + hostPath: + path: C:\k + type: DirectoryOrCreate diff --git a/deploy/v1.32.7/csi-azurefile-node.yaml b/deploy/v1.32.7/csi-azurefile-node.yaml new file mode 100644 index 0000000000..2bbc51a0ab --- /dev/null +++ b/deploy/v1.32.7/csi-azurefile-node.yaml @@ -0,0 +1,167 @@ +--- +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: csi-azurefile-node + namespace: kube-system +spec: + updateStrategy: + rollingUpdate: + maxUnavailable: 1 + type: RollingUpdate + selector: + matchLabels: + app: csi-azurefile-node + template: + metadata: + labels: + app: csi-azurefile-node + spec: + hostNetwork: true + dnsPolicy: Default + serviceAccountName: csi-azurefile-node-sa + nodeSelector: + kubernetes.io/os: linux + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: type + operator: NotIn + values: + - virtual-kubelet + priorityClassName: system-node-critical + securityContext: + seccompProfile: + type: RuntimeDefault + tolerations: + - operator: "Exists" + containers: + - name: liveness-probe + volumeMounts: + - mountPath: /csi + name: socket-dir + image: mcr.microsoft.com/oss/v2/kubernetes-csi/livenessprobe:v2.15.0 + args: + - --csi-address=/csi/csi.sock + - --probe-timeout=3s + - --http-endpoint=localhost:29613 + - --v=2 + resources: + limits: + memory: 100Mi + requests: + cpu: 10m + memory: 20Mi + securityContext: + capabilities: + drop: + - ALL + - name: node-driver-registrar + image: mcr.microsoft.com/oss/v2/kubernetes-csi/csi-node-driver-registrar:v2.13.0 + args: + - --csi-address=$(ADDRESS) + - --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH) + - --v=2 + env: + - name: ADDRESS + value: /csi/csi.sock + - name: DRIVER_REG_SOCK_PATH + value: /var/lib/kubelet/plugins/file.csi.azure.com/csi.sock + volumeMounts: + - name: socket-dir + mountPath: /csi + - name: registration-dir + mountPath: /registration + resources: + limits: + memory: 100Mi + requests: + cpu: 10m + memory: 20Mi + securityContext: + capabilities: + drop: + - ALL + - name: azurefile + image: mcr.microsoft.com/oss/v2/kubernetes-csi/azurefile-csi:v1.32.7 + imagePullPolicy: IfNotPresent + args: + - "--v=5" + - "--endpoint=$(CSI_ENDPOINT)" + - "--nodeid=$(KUBE_NODE_NAME)" + - "--metrics-address=0.0.0.0:29615" + - "--enable-kata-cc-mount=true" + livenessProbe: + failureThreshold: 5 + httpGet: + host: localhost + path: /healthz + port: 29613 + initialDelaySeconds: 30 + timeoutSeconds: 10 + periodSeconds: 30 + env: + - name: AZURE_CREDENTIAL_FILE + valueFrom: + configMapKeyRef: + name: azure-cred-file + key: path + optional: true + - name: CSI_ENDPOINT + value: unix:///csi/csi.sock + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + securityContext: + privileged: true + capabilities: + drop: + - ALL + volumeMounts: + - mountPath: /csi + name: socket-dir + - mountPath: /var/lib/kubelet/ + mountPropagation: Bidirectional + name: mountpoint-dir + - mountPath: /etc/kubernetes/ + name: azure-cred + - mountPath: /dev + name: device-dir + - mountPath: /run/kata-containers/shared/direct-volumes + name: kata-direct-volumes + resources: + limits: + memory: 400Mi + requests: + cpu: 10m + memory: 20Mi + volumes: + - hostPath: + path: /var/lib/kubelet/plugins/file.csi.azure.com + type: DirectoryOrCreate + name: socket-dir + - hostPath: + path: /var/lib/kubelet/ + type: DirectoryOrCreate + name: mountpoint-dir + - hostPath: + path: /var/lib/kubelet/plugins_registry/ + type: DirectoryOrCreate + name: registration-dir + - hostPath: + path: /etc/kubernetes/ + type: DirectoryOrCreate + name: azure-cred + - hostPath: + path: /dev + type: Directory + name: device-dir + - name: kata-direct-volumes + hostPath: + path: /run/kata-containers/shared/direct-volumes/ + type: DirectoryOrCreate +--- diff --git a/deploy/v1.32.7/csi-snapshot-controller.yaml b/deploy/v1.32.7/csi-snapshot-controller.yaml new file mode 100644 index 0000000000..ac48f4365d --- /dev/null +++ b/deploy/v1.32.7/csi-snapshot-controller.yaml @@ -0,0 +1,63 @@ +--- +kind: Deployment +apiVersion: apps/v1 +metadata: + name: csi-snapshot-controller + namespace: kube-system +spec: + replicas: 2 + selector: + matchLabels: + app: csi-snapshot-controller + # the snapshot controller won't be marked as ready if the v1 CRDs are unavailable + # in #504 the snapshot-controller will exit after around 7.5 seconds if it + # can't find the v1 CRDs so this value should be greater than that + minReadySeconds: 15 + strategy: + rollingUpdate: + maxSurge: 0 + maxUnavailable: 1 + type: RollingUpdate + template: + metadata: + labels: + app: csi-snapshot-controller + spec: + serviceAccountName: csi-snapshot-controller-sa + nodeSelector: + kubernetes.io/os: linux + priorityClassName: system-cluster-critical + securityContext: + seccompProfile: + type: RuntimeDefault + tolerations: + - key: "node-role.kubernetes.io/master" + operator: "Equal" + value: "true" + effect: "NoSchedule" + - key: "node-role.kubernetes.io/controlplane" + operator: "Equal" + value: "true" + effect: "NoSchedule" + - key: "node-role.kubernetes.io/control-plane" + operator: "Equal" + value: "true" + effect: "NoSchedule" + containers: + - name: csi-snapshot-controller + image: mcr.microsoft.com/oss/kubernetes-csi/snapshot-controller:v8.2.1 + args: + - "--v=2" + - "--leader-election=true" + - "--leader-election-namespace=kube-system" + - "--retry-interval-max=30m" + resources: + limits: + memory: 500Mi + requests: + cpu: 10m + memory: 20Mi + securityContext: + capabilities: + drop: + - ALL diff --git a/deploy/v1.32.7/rbac-csi-azurefile-controller.yaml b/deploy/v1.32.7/rbac-csi-azurefile-controller.yaml new file mode 100644 index 0000000000..b3baefcf04 --- /dev/null +++ b/deploy/v1.32.7/rbac-csi-azurefile-controller.yaml @@ -0,0 +1,195 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: csi-azurefile-controller-sa + namespace: kube-system + +--- + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: azurefile-external-provisioner-role +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "create", "patch", "delete"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["storage.k8s.io"] + resources: ["storageclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["get", "list", "watch", "create", "update", "patch"] + - apiGroups: ["storage.k8s.io"] + resources: ["csinodes"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "watch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots"] + verbs: ["get", "list"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["get", "list"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create", "patch"] +--- + +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: azurefile-csi-provisioner-binding +subjects: + - kind: ServiceAccount + name: csi-azurefile-controller-sa + namespace: kube-system +roleRef: + kind: ClusterRole + name: azurefile-external-provisioner-role + apiGroup: rbac.authorization.k8s.io + +--- + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: azurefile-external-attacher-role +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "watch"] + - apiGroups: ["csi.storage.k8s.io"] + resources: ["csinodeinfos"] + verbs: ["get", "list", "watch"] + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments/status"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create", "patch"] +--- + +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: azurefile-csi-attacher-binding +subjects: + - kind: ServiceAccount + name: csi-azurefile-controller-sa + namespace: kube-system +roleRef: + kind: ClusterRole + name: azurefile-external-attacher-role + apiGroup: rbac.authorization.k8s.io + +--- + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: azurefile-external-snapshotter-role +rules: + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["create", "get", "list", "watch", "update", "delete", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents/status"] + verbs: ["update", "patch"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create", "patch"] + +--- + +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: azurefile-csi-snapshotter-binding +subjects: + - kind: ServiceAccount + name: csi-azurefile-controller-sa + namespace: kube-system +roleRef: + kind: ClusterRole + name: azurefile-external-snapshotter-role + apiGroup: rbac.authorization.k8s.io + +--- + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: azurefile-external-resizer-role +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["persistentvolumeclaims/status"] + verbs: ["update", "patch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: azurefile-csi-resizer-role +subjects: + - kind: ServiceAccount + name: csi-azurefile-controller-sa + namespace: kube-system +roleRef: + kind: ClusterRole + name: azurefile-external-resizer-role + apiGroup: rbac.authorization.k8s.io + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-azurefile-controller-secret-role +rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "create"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-azurefile-controller-secret-binding +subjects: + - kind: ServiceAccount + name: csi-azurefile-controller-sa + namespace: kube-system +roleRef: + kind: ClusterRole + name: csi-azurefile-controller-secret-role + apiGroup: rbac.authorization.k8s.io +--- diff --git a/deploy/v1.32.7/rbac-csi-azurefile-node.yaml b/deploy/v1.32.7/rbac-csi-azurefile-node.yaml new file mode 100644 index 0000000000..d7b10b2d7e --- /dev/null +++ b/deploy/v1.32.7/rbac-csi-azurefile-node.yaml @@ -0,0 +1,59 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: csi-azurefile-node-sa + namespace: kube-system + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-azurefile-node-secret-role +rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-azurefile-node-secret-binding +subjects: + - kind: ServiceAccount + name: csi-azurefile-node-sa + namespace: kube-system +roleRef: + kind: ClusterRole + name: csi-azurefile-node-secret-role + apiGroup: rbac.authorization.k8s.io +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-azurefile-node-katacc-role +rules: + - apiGroups: [""] + resources: ["pods"] + verbs: ["get"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get"] + - apiGroups: ["node.k8s.io"] + resources: ["runtimeclasses"] + verbs: ["get", "list"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-azurefile-node-katacc-binding +subjects: + - kind: ServiceAccount + name: csi-azurefile-node-sa + namespace: kube-system +roleRef: + kind: ClusterRole + name: csi-azurefile-node-katacc-role + apiGroup: rbac.authorization.k8s.io +--- diff --git a/deploy/v1.32.7/rbac-csi-snapshot-controller.yaml b/deploy/v1.32.7/rbac-csi-snapshot-controller.yaml new file mode 100644 index 0000000000..8ef9352476 --- /dev/null +++ b/deploy/v1.32.7/rbac-csi-snapshot-controller.yaml @@ -0,0 +1,78 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: csi-snapshot-controller-sa + namespace: kube-system + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-snapshot-controller-role +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["storage.k8s.io"] + resources: ["storageclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["create", "get", "list", "watch", "update", "delete", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents/status"] + verbs: ["patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots"] + verbs: ["get", "list", "watch", "update", "patch", "create"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots/status"] + verbs: ["update", "patch"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-snapshot-controller-binding +subjects: + - kind: ServiceAccount + name: csi-snapshot-controller-sa + namespace: kube-system +roleRef: + kind: ClusterRole + name: csi-snapshot-controller-role + apiGroup: rbac.authorization.k8s.io + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-snapshot-controller-leaderelection-role +rules: + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create", "patch"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-snapshot-controller-leaderelection-binding +subjects: + - kind: ServiceAccount + name: csi-snapshot-controller-sa + namespace: kube-system +roleRef: + kind: ClusterRole + name: csi-snapshot-controller-leaderelection-role + apiGroup: rbac.authorization.k8s.io diff --git a/deploy/v1.32.8/crd-csi-snapshot.yaml b/deploy/v1.32.8/crd-csi-snapshot.yaml new file mode 100644 index 0000000000..b82d729d5e --- /dev/null +++ b/deploy/v1.32.8/crd-csi-snapshot.yaml @@ -0,0 +1,951 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + api-approved.kubernetes.io: "https://github.com/kubernetes-csi/external-snapshotter/pull/814" + name: volumesnapshots.snapshot.storage.k8s.io +spec: + group: snapshot.storage.k8s.io + names: + kind: VolumeSnapshot + listKind: VolumeSnapshotList + plural: volumesnapshots + shortNames: + - vs + singular: volumesnapshot + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Indicates if the snapshot is ready to be used to restore a volume. + jsonPath: .status.readyToUse + name: ReadyToUse + type: boolean + - description: If a new snapshot needs to be created, this contains the name of + the source PVC from which this snapshot was (or will be) created. + jsonPath: .spec.source.persistentVolumeClaimName + name: SourcePVC + type: string + - description: If a snapshot already exists, this contains the name of the existing + VolumeSnapshotContent object representing the existing snapshot. + jsonPath: .spec.source.volumeSnapshotContentName + name: SourceSnapshotContent + type: string + - description: Represents the minimum size of volume required to rehydrate from + this snapshot. + jsonPath: .status.restoreSize + name: RestoreSize + type: string + - description: The name of the VolumeSnapshotClass requested by the VolumeSnapshot. + jsonPath: .spec.volumeSnapshotClassName + name: SnapshotClass + type: string + - description: Name of the VolumeSnapshotContent object to which the VolumeSnapshot + object intends to bind to. Please note that verification of binding actually + requires checking both VolumeSnapshot and VolumeSnapshotContent to ensure + both are pointing at each other. Binding MUST be verified prior to usage of + this object. + jsonPath: .status.boundVolumeSnapshotContentName + name: SnapshotContent + type: string + - description: Timestamp when the point-in-time snapshot was taken by the underlying + storage system. + jsonPath: .status.creationTime + name: CreationTime + type: date + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + VolumeSnapshot is a user's request for either creating a point-in-time + snapshot of a persistent volume, or binding to a pre-existing snapshot. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + spec defines the desired characteristics of a snapshot requested by a user. + More info: https://kubernetes.io/docs/concepts/storage/volume-snapshots#volumesnapshots + Required. + properties: + source: + description: |- + source specifies where a snapshot will be created from. + This field is immutable after creation. + Required. + properties: + persistentVolumeClaimName: + description: |- + persistentVolumeClaimName specifies the name of the PersistentVolumeClaim + object representing the volume from which a snapshot should be created. + This PVC is assumed to be in the same namespace as the VolumeSnapshot + object. + This field should be set if the snapshot does not exists, and needs to be + created. + This field is immutable. + type: string + x-kubernetes-validations: + - message: persistentVolumeClaimName is immutable + rule: self == oldSelf + volumeSnapshotContentName: + description: |- + volumeSnapshotContentName specifies the name of a pre-existing VolumeSnapshotContent + object representing an existing volume snapshot. + This field should be set if the snapshot already exists and only needs a representation in Kubernetes. + This field is immutable. + type: string + x-kubernetes-validations: + - message: volumeSnapshotContentName is immutable + rule: self == oldSelf + type: object + x-kubernetes-validations: + - message: persistentVolumeClaimName is required once set + rule: '!has(oldSelf.persistentVolumeClaimName) || has(self.persistentVolumeClaimName)' + - message: volumeSnapshotContentName is required once set + rule: '!has(oldSelf.volumeSnapshotContentName) || has(self.volumeSnapshotContentName)' + - message: exactly one of volumeSnapshotContentName and persistentVolumeClaimName + must be set + rule: (has(self.volumeSnapshotContentName) && !has(self.persistentVolumeClaimName)) + || (!has(self.volumeSnapshotContentName) && has(self.persistentVolumeClaimName)) + volumeSnapshotClassName: + description: |- + VolumeSnapshotClassName is the name of the VolumeSnapshotClass + requested by the VolumeSnapshot. + VolumeSnapshotClassName may be left nil to indicate that the default + SnapshotClass should be used. + A given cluster may have multiple default Volume SnapshotClasses: one + default per CSI Driver. If a VolumeSnapshot does not specify a SnapshotClass, + VolumeSnapshotSource will be checked to figure out what the associated + CSI Driver is, and the default VolumeSnapshotClass associated with that + CSI Driver will be used. If more than one VolumeSnapshotClass exist for + a given CSI Driver and more than one have been marked as default, + CreateSnapshot will fail and generate an event. + Empty string is not allowed for this field. + type: string + x-kubernetes-validations: + - message: volumeSnapshotClassName must not be the empty string when + set + rule: size(self) > 0 + required: + - source + type: object + status: + description: |- + status represents the current information of a snapshot. + Consumers must verify binding between VolumeSnapshot and + VolumeSnapshotContent objects is successful (by validating that both + VolumeSnapshot and VolumeSnapshotContent point at each other) before + using this object. + properties: + boundVolumeSnapshotContentName: + description: |- + boundVolumeSnapshotContentName is the name of the VolumeSnapshotContent + object to which this VolumeSnapshot object intends to bind to. + If not specified, it indicates that the VolumeSnapshot object has not been + successfully bound to a VolumeSnapshotContent object yet. + NOTE: To avoid possible security issues, consumers must verify binding between + VolumeSnapshot and VolumeSnapshotContent objects is successful (by validating that + both VolumeSnapshot and VolumeSnapshotContent point at each other) before using + this object. + type: string + creationTime: + description: |- + creationTime is the timestamp when the point-in-time snapshot is taken + by the underlying storage system. + In dynamic snapshot creation case, this field will be filled in by the + snapshot controller with the "creation_time" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "creation_time" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. + If not specified, it may indicate that the creation time of the snapshot is unknown. + format: date-time + type: string + error: + description: |- + error is the last observed error during snapshot creation, if any. + This field could be helpful to upper level controllers(i.e., application controller) + to decide whether they should continue on waiting for the snapshot to be created + based on the type of error reported. + The snapshot controller will keep retrying when an error occurs during the + snapshot creation. Upon success, this error field will be cleared. + properties: + message: + description: |- + message is a string detailing the encountered error during snapshot + creation if specified. + NOTE: message may be logged, and it should not contain sensitive + information. + type: string + time: + description: time is the timestamp when the error was encountered. + format: date-time + type: string + type: object + readyToUse: + description: |- + readyToUse indicates if the snapshot is ready to be used to restore a volume. + In dynamic snapshot creation case, this field will be filled in by the + snapshot controller with the "ready_to_use" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "ready_to_use" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it, + otherwise, this field will be set to "True". + If not specified, it means the readiness of a snapshot is unknown. + type: boolean + restoreSize: + type: string + description: |- + restoreSize represents the minimum size of volume required to create a volume + from this snapshot. + In dynamic snapshot creation case, this field will be filled in by the + snapshot controller with the "size_bytes" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "size_bytes" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. + When restoring a volume from this snapshot, the size of the volume MUST NOT + be smaller than the restoreSize if it is specified, otherwise the restoration will fail. + If not specified, it indicates that the size is unknown. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + volumeGroupSnapshotName: + description: |- + VolumeGroupSnapshotName is the name of the VolumeGroupSnapshot of which this + VolumeSnapshot is a part of. + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: Indicates if the snapshot is ready to be used to restore a volume. + jsonPath: .status.readyToUse + name: ReadyToUse + type: boolean + - description: If a new snapshot needs to be created, this contains the name of the source PVC from which this snapshot was (or will be) created. + jsonPath: .spec.source.persistentVolumeClaimName + name: SourcePVC + type: string + - description: If a snapshot already exists, this contains the name of the existing VolumeSnapshotContent object representing the existing snapshot. + jsonPath: .spec.source.volumeSnapshotContentName + name: SourceSnapshotContent + type: string + - description: Represents the minimum size of volume required to rehydrate from this snapshot. + jsonPath: .status.restoreSize + name: RestoreSize + type: string + - description: The name of the VolumeSnapshotClass requested by the VolumeSnapshot. + jsonPath: .spec.volumeSnapshotClassName + name: SnapshotClass + type: string + - description: Name of the VolumeSnapshotContent object to which the VolumeSnapshot object intends to bind to. Please note that verification of binding actually requires checking both VolumeSnapshot and VolumeSnapshotContent to ensure both are pointing at each other. Binding MUST be verified prior to usage of this object. + jsonPath: .status.boundVolumeSnapshotContentName + name: SnapshotContent + type: string + - description: Timestamp when the point-in-time snapshot was taken by the underlying storage system. + jsonPath: .status.creationTime + name: CreationTime + type: date + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + # This indicates the v1beta1 version of the custom resource is deprecated. + # API requests to this version receive a warning in the server response. + deprecated: true + # This overrides the default warning returned to clients making v1beta1 API requests. + deprecationWarning: "snapshot.storage.k8s.io/v1beta1 VolumeSnapshot is deprecated; use snapshot.storage.k8s.io/v1 VolumeSnapshot" + schema: + openAPIV3Schema: + description: VolumeSnapshot is a user's request for either creating a point-in-time snapshot of a persistent volume, or binding to a pre-existing snapshot. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + spec: + description: 'spec defines the desired characteristics of a snapshot requested by a user. More info: https://kubernetes.io/docs/concepts/storage/volume-snapshots#volumesnapshots Required.' + properties: + source: + description: source specifies where a snapshot will be created from. This field is immutable after creation. Required. + properties: + persistentVolumeClaimName: + description: persistentVolumeClaimName specifies the name of the PersistentVolumeClaim object representing the volume from which a snapshot should be created. This PVC is assumed to be in the same namespace as the VolumeSnapshot object. This field should be set if the snapshot does not exists, and needs to be created. This field is immutable. + type: string + volumeSnapshotContentName: + description: volumeSnapshotContentName specifies the name of a pre-existing VolumeSnapshotContent object representing an existing volume snapshot. This field should be set if the snapshot already exists and only needs a representation in Kubernetes. This field is immutable. + type: string + type: object + volumeSnapshotClassName: + description: 'VolumeSnapshotClassName is the name of the VolumeSnapshotClass requested by the VolumeSnapshot. VolumeSnapshotClassName may be left nil to indicate that the default SnapshotClass should be used. A given cluster may have multiple default Volume SnapshotClasses: one default per CSI Driver. If a VolumeSnapshot does not specify a SnapshotClass, VolumeSnapshotSource will be checked to figure out what the associated CSI Driver is, and the default VolumeSnapshotClass associated with that CSI Driver will be used. If more than one VolumeSnapshotClass exist for a given CSI Driver and more than one have been marked as default, CreateSnapshot will fail and generate an event. Empty string is not allowed for this field.' + type: string + required: + - source + type: object + status: + description: status represents the current information of a snapshot. Consumers must verify binding between VolumeSnapshot and VolumeSnapshotContent objects is successful (by validating that both VolumeSnapshot and VolumeSnapshotContent point at each other) before using this object. + properties: + boundVolumeSnapshotContentName: + description: 'boundVolumeSnapshotContentName is the name of the VolumeSnapshotContent object to which this VolumeSnapshot object intends to bind to. If not specified, it indicates that the VolumeSnapshot object has not been successfully bound to a VolumeSnapshotContent object yet. NOTE: To avoid possible security issues, consumers must verify binding between VolumeSnapshot and VolumeSnapshotContent objects is successful (by validating that both VolumeSnapshot and VolumeSnapshotContent point at each other) before using this object.' + type: string + creationTime: + description: creationTime is the timestamp when the point-in-time snapshot is taken by the underlying storage system. In dynamic snapshot creation case, this field will be filled in by the snapshot controller with the "creation_time" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "creation_time" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. If not specified, it may indicate that the creation time of the snapshot is unknown. + format: date-time + type: string + error: + description: error is the last observed error during snapshot creation, if any. This field could be helpful to upper level controllers(i.e., application controller) to decide whether they should continue on waiting for the snapshot to be created based on the type of error reported. The snapshot controller will keep retrying when an error occurs during the snapshot creation. Upon success, this error field will be cleared. + properties: + message: + description: 'message is a string detailing the encountered error during snapshot creation if specified. NOTE: message may be logged, and it should not contain sensitive information.' + type: string + time: + description: time is the timestamp when the error was encountered. + format: date-time + type: string + type: object + readyToUse: + description: readyToUse indicates if the snapshot is ready to be used to restore a volume. In dynamic snapshot creation case, this field will be filled in by the snapshot controller with the "ready_to_use" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "ready_to_use" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it, otherwise, this field will be set to "True". If not specified, it means the readiness of a snapshot is unknown. + type: boolean + restoreSize: + type: string + description: restoreSize represents the minimum size of volume required to create a volume from this snapshot. In dynamic snapshot creation case, this field will be filled in by the snapshot controller with the "size_bytes" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "size_bytes" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. When restoring a volume from this snapshot, the size of the volume MUST NOT be smaller than the restoreSize if it is specified, otherwise the restoration will fail. If not specified, it indicates that the size is unknown. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + required: + - spec + type: object + served: false + storage: false + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: "https://github.com/kubernetes-csi/external-snapshotter/pull/814" + controller-gen.kubebuilder.io/version: v0.15.0 + name: volumesnapshotclasses.snapshot.storage.k8s.io +spec: + group: snapshot.storage.k8s.io + names: + kind: VolumeSnapshotClass + listKind: VolumeSnapshotClassList + plural: volumesnapshotclasses + shortNames: + - vsclass + - vsclasses + singular: volumesnapshotclass + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .driver + name: Driver + type: string + - description: Determines whether a VolumeSnapshotContent created through the + VolumeSnapshotClass should be deleted when its bound VolumeSnapshot is deleted. + jsonPath: .deletionPolicy + name: DeletionPolicy + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + VolumeSnapshotClass specifies parameters that a underlying storage system uses when + creating a volume snapshot. A specific VolumeSnapshotClass is used by specifying its + name in a VolumeSnapshot object. + VolumeSnapshotClasses are non-namespaced + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + deletionPolicy: + description: |- + deletionPolicy determines whether a VolumeSnapshotContent created through + the VolumeSnapshotClass should be deleted when its bound VolumeSnapshot is deleted. + Supported values are "Retain" and "Delete". + "Retain" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are kept. + "Delete" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are deleted. + Required. + enum: + - Delete + - Retain + type: string + driver: + description: |- + driver is the name of the storage driver that handles this VolumeSnapshotClass. + Required. + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + parameters: + additionalProperties: + type: string + description: |- + parameters is a key-value map with storage driver specific parameters for creating snapshots. + These values are opaque to Kubernetes. + type: object + required: + - deletionPolicy + - driver + type: object + served: true + storage: true + subresources: {} + - additionalPrinterColumns: + - jsonPath: .driver + name: Driver + type: string + - description: Determines whether a VolumeSnapshotContent created through the VolumeSnapshotClass should be deleted when its bound VolumeSnapshot is deleted. + jsonPath: .deletionPolicy + name: DeletionPolicy + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + # This indicates the v1beta1 version of the custom resource is deprecated. + # API requests to this version receive a warning in the server response. + deprecated: true + # This overrides the default warning returned to clients making v1beta1 API requests. + deprecationWarning: "snapshot.storage.k8s.io/v1beta1 VolumeSnapshotClass is deprecated; use snapshot.storage.k8s.io/v1 VolumeSnapshotClass" + schema: + openAPIV3Schema: + description: VolumeSnapshotClass specifies parameters that a underlying storage system uses when creating a volume snapshot. A specific VolumeSnapshotClass is used by specifying its name in a VolumeSnapshot object. VolumeSnapshotClasses are non-namespaced + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + deletionPolicy: + description: deletionPolicy determines whether a VolumeSnapshotContent created through the VolumeSnapshotClass should be deleted when its bound VolumeSnapshot is deleted. Supported values are "Retain" and "Delete". "Retain" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are kept. "Delete" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are deleted. Required. + enum: + - Delete + - Retain + type: string + driver: + description: driver is the name of the storage driver that handles this VolumeSnapshotClass. Required. + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + parameters: + additionalProperties: + type: string + description: parameters is a key-value map with storage driver specific parameters for creating snapshots. These values are opaque to Kubernetes. + type: object + required: + - deletionPolicy + - driver + type: object + served: false + storage: false + subresources: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + api-approved.kubernetes.io: "https://github.com/kubernetes-csi/external-snapshotter/pull/955" + name: volumesnapshotcontents.snapshot.storage.k8s.io +spec: + group: snapshot.storage.k8s.io + names: + kind: VolumeSnapshotContent + listKind: VolumeSnapshotContentList + plural: volumesnapshotcontents + shortNames: + - vsc + - vscs + singular: volumesnapshotcontent + scope: Cluster + versions: + - additionalPrinterColumns: + - description: Indicates if the snapshot is ready to be used to restore a volume. + jsonPath: .status.readyToUse + name: ReadyToUse + type: boolean + - description: Represents the complete size of the snapshot in bytes + jsonPath: .status.restoreSize + name: RestoreSize + type: integer + - description: Determines whether this VolumeSnapshotContent and its physical + snapshot on the underlying storage system should be deleted when its bound + VolumeSnapshot is deleted. + jsonPath: .spec.deletionPolicy + name: DeletionPolicy + type: string + - description: Name of the CSI driver used to create the physical snapshot on + the underlying storage system. + jsonPath: .spec.driver + name: Driver + type: string + - description: Name of the VolumeSnapshotClass to which this snapshot belongs. + jsonPath: .spec.volumeSnapshotClassName + name: VolumeSnapshotClass + type: string + - description: Name of the VolumeSnapshot object to which this VolumeSnapshotContent + object is bound. + jsonPath: .spec.volumeSnapshotRef.name + name: VolumeSnapshot + type: string + - description: Namespace of the VolumeSnapshot object to which this VolumeSnapshotContent + object is bound. + jsonPath: .spec.volumeSnapshotRef.namespace + name: VolumeSnapshotNamespace + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + VolumeSnapshotContent represents the actual "on-disk" snapshot object in the + underlying storage system + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + spec defines properties of a VolumeSnapshotContent created by the underlying storage system. + Required. + properties: + deletionPolicy: + description: |- + deletionPolicy determines whether this VolumeSnapshotContent and its physical snapshot on + the underlying storage system should be deleted when its bound VolumeSnapshot is deleted. + Supported values are "Retain" and "Delete". + "Retain" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are kept. + "Delete" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are deleted. + For dynamically provisioned snapshots, this field will automatically be filled in by the + CSI snapshotter sidecar with the "DeletionPolicy" field defined in the corresponding + VolumeSnapshotClass. + For pre-existing snapshots, users MUST specify this field when creating the + VolumeSnapshotContent object. + Required. + enum: + - Delete + - Retain + type: string + driver: + description: |- + driver is the name of the CSI driver used to create the physical snapshot on + the underlying storage system. + This MUST be the same as the name returned by the CSI GetPluginName() call for + that driver. + Required. + type: string + source: + description: |- + source specifies whether the snapshot is (or should be) dynamically provisioned + or already exists, and just requires a Kubernetes object representation. + This field is immutable after creation. + Required. + properties: + snapshotHandle: + description: |- + snapshotHandle specifies the CSI "snapshot_id" of a pre-existing snapshot on + the underlying storage system for which a Kubernetes object representation + was (or should be) created. + This field is immutable. + type: string + x-kubernetes-validations: + - message: snapshotHandle is immutable + rule: self == oldSelf + volumeHandle: + description: |- + volumeHandle specifies the CSI "volume_id" of the volume from which a snapshot + should be dynamically taken from. + This field is immutable. + type: string + x-kubernetes-validations: + - message: volumeHandle is immutable + rule: self == oldSelf + type: object + x-kubernetes-validations: + - message: volumeHandle is required once set + rule: '!has(oldSelf.volumeHandle) || has(self.volumeHandle)' + - message: snapshotHandle is required once set + rule: '!has(oldSelf.snapshotHandle) || has(self.snapshotHandle)' + - message: exactly one of volumeHandle and snapshotHandle must be + set + rule: (has(self.volumeHandle) && !has(self.snapshotHandle)) || (!has(self.volumeHandle) + && has(self.snapshotHandle)) + sourceVolumeMode: + description: |- + SourceVolumeMode is the mode of the volume whose snapshot is taken. + Can be either "Filesystem" or "Block". + If not specified, it indicates the source volume's mode is unknown. + This field is immutable. + This field is an alpha field. + type: string + x-kubernetes-validations: + - message: sourceVolumeMode is immutable + rule: self == oldSelf + volumeSnapshotClassName: + description: |- + name of the VolumeSnapshotClass from which this snapshot was (or will be) + created. + Note that after provisioning, the VolumeSnapshotClass may be deleted or + recreated with different set of values, and as such, should not be referenced + post-snapshot creation. + type: string + volumeSnapshotRef: + description: |- + volumeSnapshotRef specifies the VolumeSnapshot object to which this + VolumeSnapshotContent object is bound. + VolumeSnapshot.Spec.VolumeSnapshotContentName field must reference to + this VolumeSnapshotContent's name for the bidirectional binding to be valid. + For a pre-existing VolumeSnapshotContent object, name and namespace of the + VolumeSnapshot object MUST be provided for binding to happen. + This field is immutable after creation. + Required. + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. + type: string + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + namespace: + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + type: string + resourceVersion: + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + type: string + uid: + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + type: string + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: both spec.volumeSnapshotRef.name and spec.volumeSnapshotRef.namespace + must be set + rule: has(self.name) && has(self.__namespace__) + required: + - deletionPolicy + - driver + - source + - volumeSnapshotRef + type: object + x-kubernetes-validations: + - message: sourceVolumeMode is required once set + rule: '!has(oldSelf.sourceVolumeMode) || has(self.sourceVolumeMode)' + status: + description: status represents the current information of a snapshot. + properties: + creationTime: + description: |- + creationTime is the timestamp when the point-in-time snapshot is taken + by the underlying storage system. + In dynamic snapshot creation case, this field will be filled in by the + CSI snapshotter sidecar with the "creation_time" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "creation_time" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. + If not specified, it indicates the creation time is unknown. + The format of this field is a Unix nanoseconds time encoded as an int64. + On Unix, the command `date +%s%N` returns the current time in nanoseconds + since 1970-01-01 00:00:00 UTC. + format: int64 + type: integer + error: + description: |- + error is the last observed error during snapshot creation, if any. + Upon success after retry, this error field will be cleared. + properties: + message: + description: |- + message is a string detailing the encountered error during snapshot + creation if specified. + NOTE: message may be logged, and it should not contain sensitive + information. + type: string + time: + description: time is the timestamp when the error was encountered. + format: date-time + type: string + type: object + readyToUse: + description: |- + readyToUse indicates if a snapshot is ready to be used to restore a volume. + In dynamic snapshot creation case, this field will be filled in by the + CSI snapshotter sidecar with the "ready_to_use" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "ready_to_use" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it, + otherwise, this field will be set to "True". + If not specified, it means the readiness of a snapshot is unknown. + type: boolean + restoreSize: + description: |- + restoreSize represents the complete size of the snapshot in bytes. + In dynamic snapshot creation case, this field will be filled in by the + CSI snapshotter sidecar with the "size_bytes" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "size_bytes" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. + When restoring a volume from this snapshot, the size of the volume MUST NOT + be smaller than the restoreSize if it is specified, otherwise the restoration will fail. + If not specified, it indicates that the size is unknown. + format: int64 + minimum: 0 + type: integer + snapshotHandle: + description: |- + snapshotHandle is the CSI "snapshot_id" of a snapshot on the underlying storage system. + If not specified, it indicates that dynamic snapshot creation has either failed + or it is still in progress. + type: string + volumeGroupSnapshotHandle: + description: |- + VolumeGroupSnapshotHandle is the CSI "group_snapshot_id" of a group snapshot + on the underlying storage system. + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: Indicates if the snapshot is ready to be used to restore a volume. + jsonPath: .status.readyToUse + name: ReadyToUse + type: boolean + - description: Represents the complete size of the snapshot in bytes + jsonPath: .status.restoreSize + name: RestoreSize + type: integer + - description: Determines whether this VolumeSnapshotContent and its physical snapshot on the underlying storage system should be deleted when its bound VolumeSnapshot is deleted. + jsonPath: .spec.deletionPolicy + name: DeletionPolicy + type: string + - description: Name of the CSI driver used to create the physical snapshot on the underlying storage system. + jsonPath: .spec.driver + name: Driver + type: string + - description: Name of the VolumeSnapshotClass to which this snapshot belongs. + jsonPath: .spec.volumeSnapshotClassName + name: VolumeSnapshotClass + type: string + - description: Name of the VolumeSnapshot object to which this VolumeSnapshotContent object is bound. + jsonPath: .spec.volumeSnapshotRef.name + name: VolumeSnapshot + type: string + - description: Namespace of the VolumeSnapshot object to which this VolumeSnapshotContent object is bound. + jsonPath: .spec.volumeSnapshotRef.namespace + name: VolumeSnapshotNamespace + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + # This indicates the v1beta1 version of the custom resource is deprecated. + # API requests to this version receive a warning in the server response. + deprecated: true + # This overrides the default warning returned to clients making v1beta1 API requests. + deprecationWarning: "snapshot.storage.k8s.io/v1beta1 VolumeSnapshotContent is deprecated; use snapshot.storage.k8s.io/v1 VolumeSnapshotContent" + schema: + openAPIV3Schema: + description: VolumeSnapshotContent represents the actual "on-disk" snapshot object in the underlying storage system + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + spec: + description: spec defines properties of a VolumeSnapshotContent created by the underlying storage system. Required. + properties: + deletionPolicy: + description: deletionPolicy determines whether this VolumeSnapshotContent and its physical snapshot on the underlying storage system should be deleted when its bound VolumeSnapshot is deleted. Supported values are "Retain" and "Delete". "Retain" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are kept. "Delete" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are deleted. For dynamically provisioned snapshots, this field will automatically be filled in by the CSI snapshotter sidecar with the "DeletionPolicy" field defined in the corresponding VolumeSnapshotClass. For pre-existing snapshots, users MUST specify this field when creating the VolumeSnapshotContent object. Required. + enum: + - Delete + - Retain + type: string + driver: + description: driver is the name of the CSI driver used to create the physical snapshot on the underlying storage system. This MUST be the same as the name returned by the CSI GetPluginName() call for that driver. Required. + type: string + source: + description: source specifies whether the snapshot is (or should be) dynamically provisioned or already exists, and just requires a Kubernetes object representation. This field is immutable after creation. Required. + properties: + snapshotHandle: + description: snapshotHandle specifies the CSI "snapshot_id" of a pre-existing snapshot on the underlying storage system for which a Kubernetes object representation was (or should be) created. This field is immutable. + type: string + volumeHandle: + description: volumeHandle specifies the CSI "volume_id" of the volume from which a snapshot should be dynamically taken from. This field is immutable. + type: string + type: object + volumeSnapshotClassName: + description: name of the VolumeSnapshotClass from which this snapshot was (or will be) created. Note that after provisioning, the VolumeSnapshotClass may be deleted or recreated with different set of values, and as such, should not be referenced post-snapshot creation. + type: string + volumeSnapshotRef: + description: volumeSnapshotRef specifies the VolumeSnapshot object to which this VolumeSnapshotContent object is bound. VolumeSnapshot.Spec.VolumeSnapshotContentName field must reference to this VolumeSnapshotContent's name for the bidirectional binding to be valid. For a pre-existing VolumeSnapshotContent object, name and namespace of the VolumeSnapshot object MUST be provided for binding to happen. This field is immutable after creation. Required. + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + required: + - deletionPolicy + - driver + - source + - volumeSnapshotRef + type: object + status: + description: status represents the current information of a snapshot. + properties: + creationTime: + description: creationTime is the timestamp when the point-in-time snapshot is taken by the underlying storage system. In dynamic snapshot creation case, this field will be filled in by the CSI snapshotter sidecar with the "creation_time" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "creation_time" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. If not specified, it indicates the creation time is unknown. The format of this field is a Unix nanoseconds time encoded as an int64. On Unix, the command `date +%s%N` returns the current time in nanoseconds since 1970-01-01 00:00:00 UTC. + format: int64 + type: integer + error: + description: error is the last observed error during snapshot creation, if any. Upon success after retry, this error field will be cleared. + properties: + message: + description: 'message is a string detailing the encountered error during snapshot creation if specified. NOTE: message may be logged, and it should not contain sensitive information.' + type: string + time: + description: time is the timestamp when the error was encountered. + format: date-time + type: string + type: object + readyToUse: + description: readyToUse indicates if a snapshot is ready to be used to restore a volume. In dynamic snapshot creation case, this field will be filled in by the CSI snapshotter sidecar with the "ready_to_use" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "ready_to_use" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it, otherwise, this field will be set to "True". If not specified, it means the readiness of a snapshot is unknown. + type: boolean + restoreSize: + description: restoreSize represents the complete size of the snapshot in bytes. In dynamic snapshot creation case, this field will be filled in by the CSI snapshotter sidecar with the "size_bytes" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "size_bytes" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. When restoring a volume from this snapshot, the size of the volume MUST NOT be smaller than the restoreSize if it is specified, otherwise the restoration will fail. If not specified, it indicates that the size is unknown. + format: int64 + minimum: 0 + type: integer + snapshotHandle: + description: snapshotHandle is the CSI "snapshot_id" of a snapshot on the underlying storage system. If not specified, it indicates that dynamic snapshot creation has either failed or it is still in progress. + type: string + type: object + required: + - spec + type: object + served: false + storage: false + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/deploy/v1.32.8/csi-azurefile-controller.yaml b/deploy/v1.32.8/csi-azurefile-controller.yaml new file mode 100644 index 0000000000..c2b6be3deb --- /dev/null +++ b/deploy/v1.32.8/csi-azurefile-controller.yaml @@ -0,0 +1,200 @@ +--- +kind: Deployment +apiVersion: apps/v1 +metadata: + name: csi-azurefile-controller + namespace: kube-system +spec: + replicas: 2 + selector: + matchLabels: + app: csi-azurefile-controller + template: + metadata: + labels: + app: csi-azurefile-controller + spec: + hostNetwork: true # only required for MSI enabled cluster + serviceAccountName: csi-azurefile-controller-sa + nodeSelector: + kubernetes.io/os: linux # add "kubernetes.io/role: master" to run controller on master node + priorityClassName: system-cluster-critical + securityContext: + seccompProfile: + type: RuntimeDefault + tolerations: + - key: "node-role.kubernetes.io/master" + operator: "Exists" + effect: "NoSchedule" + - key: "node-role.kubernetes.io/controlplane" + operator: "Exists" + effect: "NoSchedule" + - key: "node-role.kubernetes.io/control-plane" + operator: "Exists" + effect: "NoSchedule" + - key: "CriticalAddonsOnly" + operator: "Exists" + effect: "NoSchedule" + containers: + - name: csi-provisioner + image: mcr.microsoft.com/oss/kubernetes-csi/csi-provisioner:v5.2.0 + args: + - "-v=2" + - "--csi-address=$(ADDRESS)" + - "--leader-election" + - "--leader-election-namespace=kube-system" + - "--timeout=1200s" + - "--extra-create-metadata=true" + - "--kube-api-qps=50" + - "--kube-api-burst=100" + - "--feature-gates=HonorPVReclaimPolicy=true" + - "--retry-interval-max=30m" + env: + - name: ADDRESS + value: /csi/csi.sock + volumeMounts: + - mountPath: /csi + name: socket-dir + resources: + limits: + memory: 500Mi + requests: + cpu: 10m + memory: 20Mi + securityContext: + capabilities: + drop: + - ALL + - name: csi-snapshotter + image: mcr.microsoft.com/oss/kubernetes-csi/csi-snapshotter:v8.2.1 + args: + - "-v=2" + - "-csi-address=$(ADDRESS)" + - "--leader-election" + - "--leader-election-namespace=kube-system" + - "--retry-interval-max=30m" + env: + - name: ADDRESS + value: /csi/csi.sock + volumeMounts: + - name: socket-dir + mountPath: /csi + resources: + limits: + memory: 200Mi + requests: + cpu: 10m + memory: 20Mi + securityContext: + capabilities: + drop: + - ALL + - name: csi-resizer + image: mcr.microsoft.com/oss/v2/kubernetes-csi/csi-resizer:v1.13.2 + args: + - "-csi-address=$(ADDRESS)" + - "-v=2" + - "--leader-election" + - "--leader-election-namespace=kube-system" + - '-handle-volume-inuse-error=false' + - '-feature-gates=RecoverVolumeExpansionFailure=true' + - '-timeout=120s' + - "--retry-interval-max=30m" + env: + - name: ADDRESS + value: /csi/csi.sock + volumeMounts: + - name: socket-dir + mountPath: /csi + resources: + limits: + memory: 500Mi + requests: + cpu: 10m + memory: 20Mi + securityContext: + capabilities: + drop: + - ALL + - name: liveness-probe + image: mcr.microsoft.com/oss/v2/kubernetes-csi/livenessprobe:v2.15.0 + args: + - --csi-address=/csi/csi.sock + - --probe-timeout=3s + - --http-endpoint=localhost:29612 + - --v=2 + volumeMounts: + - name: socket-dir + mountPath: /csi + resources: + limits: + memory: 100Mi + requests: + cpu: 10m + memory: 20Mi + securityContext: + capabilities: + drop: + - ALL + - name: azurefile + image: mcr.microsoft.com/oss/v2/kubernetes-csi/azurefile-csi:v1.32.8 + imagePullPolicy: IfNotPresent + args: + - "--v=5" + - "--endpoint=$(CSI_ENDPOINT)" + - "--metrics-address=0.0.0.0:29614" + - "--user-agent-suffix=OSS-kubectl" + ports: + - containerPort: 29614 + name: metrics + protocol: TCP + livenessProbe: + failureThreshold: 5 + httpGet: + host: localhost + path: /healthz + port: 29612 + initialDelaySeconds: 30 + timeoutSeconds: 10 + periodSeconds: 30 + env: + - name: AZURE_CREDENTIAL_FILE + valueFrom: + configMapKeyRef: + name: azure-cred-file + key: path + optional: true + - name: CSI_ENDPOINT + value: unix:///csi/csi.sock + - name: AZCOPY_CONCURRENCY_VALUE + value: "10" + - name: AZCOPY_CONCURRENT_FILES + value: "20" + - name: AZCOPY_BUFFER_GB + value: "1" + volumeMounts: + - mountPath: /csi + name: socket-dir + - mountPath: /root/.azcopy + name: azcopy-dir + - mountPath: /etc/kubernetes/ + name: azure-cred + resources: + limits: + memory: 800Mi + requests: + cpu: 10m + memory: 20Mi + securityContext: + capabilities: + drop: + - ALL + volumes: + - name: socket-dir + emptyDir: {} + - name: azcopy-dir + emptyDir: {} + - name: azure-cred + hostPath: + path: /etc/kubernetes/ + type: DirectoryOrCreate diff --git a/deploy/v1.32.8/csi-azurefile-driver.yaml b/deploy/v1.32.8/csi-azurefile-driver.yaml new file mode 100644 index 0000000000..18eee55996 --- /dev/null +++ b/deploy/v1.32.8/csi-azurefile-driver.yaml @@ -0,0 +1,17 @@ +--- +apiVersion: storage.k8s.io/v1 +kind: CSIDriver +metadata: + name: file.csi.azure.com + annotations: + csiDriver: v1.32.0 + snapshot: v6.2.2 +spec: + attachRequired: false + podInfoOnMount: true + volumeLifecycleModes: + - Persistent + - Ephemeral + fsGroupPolicy: ReadWriteOnceWithFSType + tokenRequests: + - audience: api://AzureADTokenExchange diff --git a/deploy/v1.32.8/csi-azurefile-node-windows-hostprocess.yaml b/deploy/v1.32.8/csi-azurefile-node-windows-hostprocess.yaml new file mode 100644 index 0000000000..371503205a --- /dev/null +++ b/deploy/v1.32.8/csi-azurefile-node-windows-hostprocess.yaml @@ -0,0 +1,122 @@ +--- +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: csi-azurefile-node-win + namespace: kube-system +spec: + updateStrategy: + rollingUpdate: + maxUnavailable: 1 + type: RollingUpdate + selector: + matchLabels: + app: csi-azurefile-node-win + template: + metadata: + labels: + app: csi-azurefile-node-win + spec: + serviceAccountName: csi-azurefile-node-sa + tolerations: + - key: "node.kubernetes.io/os" + operator: "Exists" + effect: "NoSchedule" + nodeSelector: + kubernetes.io/os: windows + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: type + operator: NotIn + values: + - virtual-kubelet + priorityClassName: system-node-critical + securityContext: + seccompProfile: + type: RuntimeDefault + windowsOptions: + hostProcess: true + runAsUserName: "NT AUTHORITY\\SYSTEM" + hostNetwork: true + initContainers: + - name: init + image: mcr.microsoft.com/oss/v2/kubernetes-csi/azurefile-csi:v1.32.8-windows-hp + imagePullPolicy: IfNotPresent + command: + - "powershell.exe" + - "-c" + - "New-Item -ItemType Directory -Path C:\\var\\lib\\kubelet\\plugins\\file.csi.azure.com\\ -Force" + securityContext: + capabilities: + drop: + - ALL + containers: + - name: node-driver-registrar + image: mcr.microsoft.com/oss/v2/kubernetes-csi/csi-node-driver-registrar:v2.13.0 + imagePullPolicy: IfNotPresent + command: + - "csi-node-driver-registrar.exe" + args: + - "--v=2" + - "--csi-address=$(CSI_ENDPOINT)" + - "--kubelet-registration-path=$(DRIVER_REG_SOCK_PATH)" + - "--plugin-registration-path=$(PLUGIN_REG_DIR)" + env: + - name: CSI_ENDPOINT + value: unix://C:\\var\\lib\\kubelet\\plugins\\file.csi.azure.com\\csi.sock + - name: DRIVER_REG_SOCK_PATH + value: C:\\var\\lib\\kubelet\\plugins\\file.csi.azure.com\\csi.sock + - name: PLUGIN_REG_DIR + value: C:\\var\\lib\\kubelet\\plugins_registry\\ + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + resources: + limits: + memory: 150Mi + requests: + cpu: 30m + memory: 40Mi + securityContext: + capabilities: + drop: + - ALL + - name: azurefile + image: mcr.microsoft.com/oss/v2/kubernetes-csi/azurefile-csi:v1.32.8-windows-hp + imagePullPolicy: IfNotPresent + command: + - "azurefileplugin.exe" + args: + - --v=5 + - --endpoint=$(CSI_ENDPOINT) + - --nodeid=$(KUBE_NODE_NAME) + - --enable-windows-host-process=true + - --metrics-address="0.0.0.0:29615" + env: + - name: AZURE_CREDENTIAL_FILE + valueFrom: + configMapKeyRef: + name: azure-cred-file + key: path-windows + optional: true + - name: CSI_ENDPOINT + value: unix://C:\\var\\lib\\kubelet\\plugins\\file.csi.azure.com\\csi.sock + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + resources: + limits: + memory: 600Mi + requests: + cpu: 10m + memory: 40Mi + securityContext: + capabilities: + drop: + - ALL diff --git a/deploy/v1.32.8/csi-azurefile-node-windows.yaml b/deploy/v1.32.8/csi-azurefile-node-windows.yaml new file mode 100644 index 0000000000..d8e46af3eb --- /dev/null +++ b/deploy/v1.32.8/csi-azurefile-node-windows.yaml @@ -0,0 +1,187 @@ +--- +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: csi-azurefile-node-win + namespace: kube-system +spec: + updateStrategy: + rollingUpdate: + maxUnavailable: 1 + type: RollingUpdate + selector: + matchLabels: + app: csi-azurefile-node-win + template: + metadata: + labels: + app: csi-azurefile-node-win + spec: + serviceAccountName: csi-azurefile-node-sa + tolerations: + - key: "node.kubernetes.io/os" + operator: "Exists" + effect: "NoSchedule" + nodeSelector: + kubernetes.io/os: windows + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: type + operator: NotIn + values: + - virtual-kubelet + priorityClassName: system-node-critical + securityContext: + seccompProfile: + type: RuntimeDefault + containers: + - name: liveness-probe + volumeMounts: + - mountPath: C:\csi + name: plugin-dir + image: mcr.microsoft.com/oss/kubernetes-csi/livenessprobe:v2.15.0 + args: + - --csi-address=$(CSI_ENDPOINT) + - --probe-timeout=3s + - --health-port=29613 + - --v=2 + env: + - name: CSI_ENDPOINT + value: unix://C:\\csi\\csi.sock + resources: + limits: + memory: 150Mi + requests: + cpu: 10m + memory: 40Mi + securityContext: + capabilities: + drop: + - ALL + - name: node-driver-registrar + image: mcr.microsoft.com/oss/v2/kubernetes-csi/csi-node-driver-registrar:v2.13.0 + args: + - --v=2 + - --csi-address=$(CSI_ENDPOINT) + - --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH) + env: + - name: CSI_ENDPOINT + value: unix://C:\\csi\\csi.sock + - name: DRIVER_REG_SOCK_PATH + value: C:\\var\\lib\\kubelet\\plugins\\file.csi.azure.com\\csi.sock + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + volumeMounts: + - name: kubelet-dir + mountPath: "C:\\var\\lib\\kubelet" + - name: plugin-dir + mountPath: C:\csi + - name: registration-dir + mountPath: C:\registration + resources: + limits: + memory: 150Mi + requests: + cpu: 30m + memory: 40Mi + securityContext: + capabilities: + drop: + - ALL + - name: azurefile + image: mcr.microsoft.com/oss/kubernetes-csi/azurefile-csi:v1.32.8 + imagePullPolicy: IfNotPresent + args: + - --v=5 + - --endpoint=$(CSI_ENDPOINT) + - --nodeid=$(KUBE_NODE_NAME) + - --metrics-address="0.0.0.0:29615" + ports: + - containerPort: 29613 + name: healthz + protocol: TCP + livenessProbe: + failureThreshold: 5 + httpGet: + path: /healthz + port: healthz + initialDelaySeconds: 60 + timeoutSeconds: 60 + periodSeconds: 60 + env: + - name: AZURE_CREDENTIAL_FILE + valueFrom: + configMapKeyRef: + name: azure-cred-file + key: path-windows + optional: true + - name: CSI_ENDPOINT + value: unix://C:\\csi\\csi.sock + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + volumeMounts: + - name: kubelet-dir + mountPath: "C:\\var\\lib\\kubelet" + - name: plugin-dir + mountPath: C:\csi + - name: azure-config + mountPath: C:\k + - name: csi-proxy-fs-pipe-v1 + mountPath: \\.\pipe\csi-proxy-filesystem-v1 + - name: csi-proxy-smb-pipe-v1 + mountPath: \\.\pipe\csi-proxy-smb-v1 + # these paths are still included for compatibility, they're used + # only if the node has still the beta version of the CSI proxy + - name: csi-proxy-fs-pipe-v1beta1 + mountPath: \\.\pipe\csi-proxy-filesystem-v1beta1 + - name: csi-proxy-smb-pipe-v1beta1 + mountPath: \\.\pipe\csi-proxy-smb-v1beta1 + resources: + limits: + memory: 200Mi + requests: + cpu: 10m + memory: 40Mi + securityContext: + capabilities: + drop: + - ALL + volumes: + - name: csi-proxy-fs-pipe-v1 + hostPath: + path: \\.\pipe\csi-proxy-filesystem-v1 + - name: csi-proxy-smb-pipe-v1 + hostPath: + path: \\.\pipe\csi-proxy-smb-v1 + # these paths are still included for compatibility, they're used + # only if the node has still the beta version of the CSI proxy + - name: csi-proxy-fs-pipe-v1beta1 + hostPath: + path: \\.\pipe\csi-proxy-filesystem-v1beta1 + - name: csi-proxy-smb-pipe-v1beta1 + hostPath: + path: \\.\pipe\csi-proxy-smb-v1beta1 + - name: registration-dir + hostPath: + path: C:\var\lib\kubelet\plugins_registry\ + type: Directory + - name: kubelet-dir + hostPath: + path: C:\var\lib\kubelet\ + type: Directory + - name: plugin-dir + hostPath: + path: C:\var\lib\kubelet\plugins\file.csi.azure.com\ + type: DirectoryOrCreate + - name: azure-config + hostPath: + path: C:\k + type: DirectoryOrCreate diff --git a/deploy/v1.32.8/csi-azurefile-node.yaml b/deploy/v1.32.8/csi-azurefile-node.yaml new file mode 100644 index 0000000000..472ef279a4 --- /dev/null +++ b/deploy/v1.32.8/csi-azurefile-node.yaml @@ -0,0 +1,167 @@ +--- +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: csi-azurefile-node + namespace: kube-system +spec: + updateStrategy: + rollingUpdate: + maxUnavailable: 1 + type: RollingUpdate + selector: + matchLabels: + app: csi-azurefile-node + template: + metadata: + labels: + app: csi-azurefile-node + spec: + hostNetwork: true + dnsPolicy: Default + serviceAccountName: csi-azurefile-node-sa + nodeSelector: + kubernetes.io/os: linux + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: type + operator: NotIn + values: + - virtual-kubelet + priorityClassName: system-node-critical + securityContext: + seccompProfile: + type: RuntimeDefault + tolerations: + - operator: "Exists" + containers: + - name: liveness-probe + volumeMounts: + - mountPath: /csi + name: socket-dir + image: mcr.microsoft.com/oss/v2/kubernetes-csi/livenessprobe:v2.15.0 + args: + - --csi-address=/csi/csi.sock + - --probe-timeout=3s + - --http-endpoint=localhost:29613 + - --v=2 + resources: + limits: + memory: 100Mi + requests: + cpu: 10m + memory: 20Mi + securityContext: + capabilities: + drop: + - ALL + - name: node-driver-registrar + image: mcr.microsoft.com/oss/v2/kubernetes-csi/csi-node-driver-registrar:v2.13.0 + args: + - --csi-address=$(ADDRESS) + - --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH) + - --v=2 + env: + - name: ADDRESS + value: /csi/csi.sock + - name: DRIVER_REG_SOCK_PATH + value: /var/lib/kubelet/plugins/file.csi.azure.com/csi.sock + volumeMounts: + - name: socket-dir + mountPath: /csi + - name: registration-dir + mountPath: /registration + resources: + limits: + memory: 100Mi + requests: + cpu: 10m + memory: 20Mi + securityContext: + capabilities: + drop: + - ALL + - name: azurefile + image: mcr.microsoft.com/oss/v2/kubernetes-csi/azurefile-csi:v1.32.8 + imagePullPolicy: IfNotPresent + args: + - "--v=5" + - "--endpoint=$(CSI_ENDPOINT)" + - "--nodeid=$(KUBE_NODE_NAME)" + - "--metrics-address=0.0.0.0:29615" + - "--enable-kata-cc-mount=true" + livenessProbe: + failureThreshold: 5 + httpGet: + host: localhost + path: /healthz + port: 29613 + initialDelaySeconds: 30 + timeoutSeconds: 10 + periodSeconds: 30 + env: + - name: AZURE_CREDENTIAL_FILE + valueFrom: + configMapKeyRef: + name: azure-cred-file + key: path + optional: true + - name: CSI_ENDPOINT + value: unix:///csi/csi.sock + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + securityContext: + privileged: true + capabilities: + drop: + - ALL + volumeMounts: + - mountPath: /csi + name: socket-dir + - mountPath: /var/lib/kubelet/ + mountPropagation: Bidirectional + name: mountpoint-dir + - mountPath: /etc/kubernetes/ + name: azure-cred + - mountPath: /dev + name: device-dir + - mountPath: /run/kata-containers/shared/direct-volumes + name: kata-direct-volumes + resources: + limits: + memory: 400Mi + requests: + cpu: 10m + memory: 20Mi + volumes: + - hostPath: + path: /var/lib/kubelet/plugins/file.csi.azure.com + type: DirectoryOrCreate + name: socket-dir + - hostPath: + path: /var/lib/kubelet/ + type: DirectoryOrCreate + name: mountpoint-dir + - hostPath: + path: /var/lib/kubelet/plugins_registry/ + type: DirectoryOrCreate + name: registration-dir + - hostPath: + path: /etc/kubernetes/ + type: DirectoryOrCreate + name: azure-cred + - hostPath: + path: /dev + type: Directory + name: device-dir + - name: kata-direct-volumes + hostPath: + path: /run/kata-containers/shared/direct-volumes/ + type: DirectoryOrCreate +--- diff --git a/deploy/v1.32.8/csi-snapshot-controller.yaml b/deploy/v1.32.8/csi-snapshot-controller.yaml new file mode 100644 index 0000000000..ac48f4365d --- /dev/null +++ b/deploy/v1.32.8/csi-snapshot-controller.yaml @@ -0,0 +1,63 @@ +--- +kind: Deployment +apiVersion: apps/v1 +metadata: + name: csi-snapshot-controller + namespace: kube-system +spec: + replicas: 2 + selector: + matchLabels: + app: csi-snapshot-controller + # the snapshot controller won't be marked as ready if the v1 CRDs are unavailable + # in #504 the snapshot-controller will exit after around 7.5 seconds if it + # can't find the v1 CRDs so this value should be greater than that + minReadySeconds: 15 + strategy: + rollingUpdate: + maxSurge: 0 + maxUnavailable: 1 + type: RollingUpdate + template: + metadata: + labels: + app: csi-snapshot-controller + spec: + serviceAccountName: csi-snapshot-controller-sa + nodeSelector: + kubernetes.io/os: linux + priorityClassName: system-cluster-critical + securityContext: + seccompProfile: + type: RuntimeDefault + tolerations: + - key: "node-role.kubernetes.io/master" + operator: "Equal" + value: "true" + effect: "NoSchedule" + - key: "node-role.kubernetes.io/controlplane" + operator: "Equal" + value: "true" + effect: "NoSchedule" + - key: "node-role.kubernetes.io/control-plane" + operator: "Equal" + value: "true" + effect: "NoSchedule" + containers: + - name: csi-snapshot-controller + image: mcr.microsoft.com/oss/kubernetes-csi/snapshot-controller:v8.2.1 + args: + - "--v=2" + - "--leader-election=true" + - "--leader-election-namespace=kube-system" + - "--retry-interval-max=30m" + resources: + limits: + memory: 500Mi + requests: + cpu: 10m + memory: 20Mi + securityContext: + capabilities: + drop: + - ALL diff --git a/deploy/v1.32.8/rbac-csi-azurefile-controller.yaml b/deploy/v1.32.8/rbac-csi-azurefile-controller.yaml new file mode 100644 index 0000000000..b3baefcf04 --- /dev/null +++ b/deploy/v1.32.8/rbac-csi-azurefile-controller.yaml @@ -0,0 +1,195 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: csi-azurefile-controller-sa + namespace: kube-system + +--- + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: azurefile-external-provisioner-role +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "create", "patch", "delete"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["storage.k8s.io"] + resources: ["storageclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["get", "list", "watch", "create", "update", "patch"] + - apiGroups: ["storage.k8s.io"] + resources: ["csinodes"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "watch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots"] + verbs: ["get", "list"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["get", "list"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create", "patch"] +--- + +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: azurefile-csi-provisioner-binding +subjects: + - kind: ServiceAccount + name: csi-azurefile-controller-sa + namespace: kube-system +roleRef: + kind: ClusterRole + name: azurefile-external-provisioner-role + apiGroup: rbac.authorization.k8s.io + +--- + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: azurefile-external-attacher-role +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "watch"] + - apiGroups: ["csi.storage.k8s.io"] + resources: ["csinodeinfos"] + verbs: ["get", "list", "watch"] + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments/status"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create", "patch"] +--- + +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: azurefile-csi-attacher-binding +subjects: + - kind: ServiceAccount + name: csi-azurefile-controller-sa + namespace: kube-system +roleRef: + kind: ClusterRole + name: azurefile-external-attacher-role + apiGroup: rbac.authorization.k8s.io + +--- + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: azurefile-external-snapshotter-role +rules: + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["create", "get", "list", "watch", "update", "delete", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents/status"] + verbs: ["update", "patch"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create", "patch"] + +--- + +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: azurefile-csi-snapshotter-binding +subjects: + - kind: ServiceAccount + name: csi-azurefile-controller-sa + namespace: kube-system +roleRef: + kind: ClusterRole + name: azurefile-external-snapshotter-role + apiGroup: rbac.authorization.k8s.io + +--- + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: azurefile-external-resizer-role +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["persistentvolumeclaims/status"] + verbs: ["update", "patch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: azurefile-csi-resizer-role +subjects: + - kind: ServiceAccount + name: csi-azurefile-controller-sa + namespace: kube-system +roleRef: + kind: ClusterRole + name: azurefile-external-resizer-role + apiGroup: rbac.authorization.k8s.io + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-azurefile-controller-secret-role +rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "create"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-azurefile-controller-secret-binding +subjects: + - kind: ServiceAccount + name: csi-azurefile-controller-sa + namespace: kube-system +roleRef: + kind: ClusterRole + name: csi-azurefile-controller-secret-role + apiGroup: rbac.authorization.k8s.io +--- diff --git a/deploy/v1.32.8/rbac-csi-azurefile-node.yaml b/deploy/v1.32.8/rbac-csi-azurefile-node.yaml new file mode 100644 index 0000000000..d7b10b2d7e --- /dev/null +++ b/deploy/v1.32.8/rbac-csi-azurefile-node.yaml @@ -0,0 +1,59 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: csi-azurefile-node-sa + namespace: kube-system + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-azurefile-node-secret-role +rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-azurefile-node-secret-binding +subjects: + - kind: ServiceAccount + name: csi-azurefile-node-sa + namespace: kube-system +roleRef: + kind: ClusterRole + name: csi-azurefile-node-secret-role + apiGroup: rbac.authorization.k8s.io +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-azurefile-node-katacc-role +rules: + - apiGroups: [""] + resources: ["pods"] + verbs: ["get"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get"] + - apiGroups: ["node.k8s.io"] + resources: ["runtimeclasses"] + verbs: ["get", "list"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-azurefile-node-katacc-binding +subjects: + - kind: ServiceAccount + name: csi-azurefile-node-sa + namespace: kube-system +roleRef: + kind: ClusterRole + name: csi-azurefile-node-katacc-role + apiGroup: rbac.authorization.k8s.io +--- diff --git a/deploy/v1.32.8/rbac-csi-snapshot-controller.yaml b/deploy/v1.32.8/rbac-csi-snapshot-controller.yaml new file mode 100644 index 0000000000..8ef9352476 --- /dev/null +++ b/deploy/v1.32.8/rbac-csi-snapshot-controller.yaml @@ -0,0 +1,78 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: csi-snapshot-controller-sa + namespace: kube-system + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-snapshot-controller-role +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["storage.k8s.io"] + resources: ["storageclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["create", "get", "list", "watch", "update", "delete", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents/status"] + verbs: ["patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots"] + verbs: ["get", "list", "watch", "update", "patch", "create"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots/status"] + verbs: ["update", "patch"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-snapshot-controller-binding +subjects: + - kind: ServiceAccount + name: csi-snapshot-controller-sa + namespace: kube-system +roleRef: + kind: ClusterRole + name: csi-snapshot-controller-role + apiGroup: rbac.authorization.k8s.io + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-snapshot-controller-leaderelection-role +rules: + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create", "patch"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-snapshot-controller-leaderelection-binding +subjects: + - kind: ServiceAccount + name: csi-snapshot-controller-sa + namespace: kube-system +roleRef: + kind: ClusterRole + name: csi-snapshot-controller-leaderelection-role + apiGroup: rbac.authorization.k8s.io diff --git a/deploy/v1.32.9/crd-csi-snapshot.yaml b/deploy/v1.32.9/crd-csi-snapshot.yaml new file mode 100644 index 0000000000..b82d729d5e --- /dev/null +++ b/deploy/v1.32.9/crd-csi-snapshot.yaml @@ -0,0 +1,951 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + api-approved.kubernetes.io: "https://github.com/kubernetes-csi/external-snapshotter/pull/814" + name: volumesnapshots.snapshot.storage.k8s.io +spec: + group: snapshot.storage.k8s.io + names: + kind: VolumeSnapshot + listKind: VolumeSnapshotList + plural: volumesnapshots + shortNames: + - vs + singular: volumesnapshot + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Indicates if the snapshot is ready to be used to restore a volume. + jsonPath: .status.readyToUse + name: ReadyToUse + type: boolean + - description: If a new snapshot needs to be created, this contains the name of + the source PVC from which this snapshot was (or will be) created. + jsonPath: .spec.source.persistentVolumeClaimName + name: SourcePVC + type: string + - description: If a snapshot already exists, this contains the name of the existing + VolumeSnapshotContent object representing the existing snapshot. + jsonPath: .spec.source.volumeSnapshotContentName + name: SourceSnapshotContent + type: string + - description: Represents the minimum size of volume required to rehydrate from + this snapshot. + jsonPath: .status.restoreSize + name: RestoreSize + type: string + - description: The name of the VolumeSnapshotClass requested by the VolumeSnapshot. + jsonPath: .spec.volumeSnapshotClassName + name: SnapshotClass + type: string + - description: Name of the VolumeSnapshotContent object to which the VolumeSnapshot + object intends to bind to. Please note that verification of binding actually + requires checking both VolumeSnapshot and VolumeSnapshotContent to ensure + both are pointing at each other. Binding MUST be verified prior to usage of + this object. + jsonPath: .status.boundVolumeSnapshotContentName + name: SnapshotContent + type: string + - description: Timestamp when the point-in-time snapshot was taken by the underlying + storage system. + jsonPath: .status.creationTime + name: CreationTime + type: date + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + VolumeSnapshot is a user's request for either creating a point-in-time + snapshot of a persistent volume, or binding to a pre-existing snapshot. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + spec defines the desired characteristics of a snapshot requested by a user. + More info: https://kubernetes.io/docs/concepts/storage/volume-snapshots#volumesnapshots + Required. + properties: + source: + description: |- + source specifies where a snapshot will be created from. + This field is immutable after creation. + Required. + properties: + persistentVolumeClaimName: + description: |- + persistentVolumeClaimName specifies the name of the PersistentVolumeClaim + object representing the volume from which a snapshot should be created. + This PVC is assumed to be in the same namespace as the VolumeSnapshot + object. + This field should be set if the snapshot does not exists, and needs to be + created. + This field is immutable. + type: string + x-kubernetes-validations: + - message: persistentVolumeClaimName is immutable + rule: self == oldSelf + volumeSnapshotContentName: + description: |- + volumeSnapshotContentName specifies the name of a pre-existing VolumeSnapshotContent + object representing an existing volume snapshot. + This field should be set if the snapshot already exists and only needs a representation in Kubernetes. + This field is immutable. + type: string + x-kubernetes-validations: + - message: volumeSnapshotContentName is immutable + rule: self == oldSelf + type: object + x-kubernetes-validations: + - message: persistentVolumeClaimName is required once set + rule: '!has(oldSelf.persistentVolumeClaimName) || has(self.persistentVolumeClaimName)' + - message: volumeSnapshotContentName is required once set + rule: '!has(oldSelf.volumeSnapshotContentName) || has(self.volumeSnapshotContentName)' + - message: exactly one of volumeSnapshotContentName and persistentVolumeClaimName + must be set + rule: (has(self.volumeSnapshotContentName) && !has(self.persistentVolumeClaimName)) + || (!has(self.volumeSnapshotContentName) && has(self.persistentVolumeClaimName)) + volumeSnapshotClassName: + description: |- + VolumeSnapshotClassName is the name of the VolumeSnapshotClass + requested by the VolumeSnapshot. + VolumeSnapshotClassName may be left nil to indicate that the default + SnapshotClass should be used. + A given cluster may have multiple default Volume SnapshotClasses: one + default per CSI Driver. If a VolumeSnapshot does not specify a SnapshotClass, + VolumeSnapshotSource will be checked to figure out what the associated + CSI Driver is, and the default VolumeSnapshotClass associated with that + CSI Driver will be used. If more than one VolumeSnapshotClass exist for + a given CSI Driver and more than one have been marked as default, + CreateSnapshot will fail and generate an event. + Empty string is not allowed for this field. + type: string + x-kubernetes-validations: + - message: volumeSnapshotClassName must not be the empty string when + set + rule: size(self) > 0 + required: + - source + type: object + status: + description: |- + status represents the current information of a snapshot. + Consumers must verify binding between VolumeSnapshot and + VolumeSnapshotContent objects is successful (by validating that both + VolumeSnapshot and VolumeSnapshotContent point at each other) before + using this object. + properties: + boundVolumeSnapshotContentName: + description: |- + boundVolumeSnapshotContentName is the name of the VolumeSnapshotContent + object to which this VolumeSnapshot object intends to bind to. + If not specified, it indicates that the VolumeSnapshot object has not been + successfully bound to a VolumeSnapshotContent object yet. + NOTE: To avoid possible security issues, consumers must verify binding between + VolumeSnapshot and VolumeSnapshotContent objects is successful (by validating that + both VolumeSnapshot and VolumeSnapshotContent point at each other) before using + this object. + type: string + creationTime: + description: |- + creationTime is the timestamp when the point-in-time snapshot is taken + by the underlying storage system. + In dynamic snapshot creation case, this field will be filled in by the + snapshot controller with the "creation_time" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "creation_time" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. + If not specified, it may indicate that the creation time of the snapshot is unknown. + format: date-time + type: string + error: + description: |- + error is the last observed error during snapshot creation, if any. + This field could be helpful to upper level controllers(i.e., application controller) + to decide whether they should continue on waiting for the snapshot to be created + based on the type of error reported. + The snapshot controller will keep retrying when an error occurs during the + snapshot creation. Upon success, this error field will be cleared. + properties: + message: + description: |- + message is a string detailing the encountered error during snapshot + creation if specified. + NOTE: message may be logged, and it should not contain sensitive + information. + type: string + time: + description: time is the timestamp when the error was encountered. + format: date-time + type: string + type: object + readyToUse: + description: |- + readyToUse indicates if the snapshot is ready to be used to restore a volume. + In dynamic snapshot creation case, this field will be filled in by the + snapshot controller with the "ready_to_use" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "ready_to_use" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it, + otherwise, this field will be set to "True". + If not specified, it means the readiness of a snapshot is unknown. + type: boolean + restoreSize: + type: string + description: |- + restoreSize represents the minimum size of volume required to create a volume + from this snapshot. + In dynamic snapshot creation case, this field will be filled in by the + snapshot controller with the "size_bytes" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "size_bytes" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. + When restoring a volume from this snapshot, the size of the volume MUST NOT + be smaller than the restoreSize if it is specified, otherwise the restoration will fail. + If not specified, it indicates that the size is unknown. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + volumeGroupSnapshotName: + description: |- + VolumeGroupSnapshotName is the name of the VolumeGroupSnapshot of which this + VolumeSnapshot is a part of. + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: Indicates if the snapshot is ready to be used to restore a volume. + jsonPath: .status.readyToUse + name: ReadyToUse + type: boolean + - description: If a new snapshot needs to be created, this contains the name of the source PVC from which this snapshot was (or will be) created. + jsonPath: .spec.source.persistentVolumeClaimName + name: SourcePVC + type: string + - description: If a snapshot already exists, this contains the name of the existing VolumeSnapshotContent object representing the existing snapshot. + jsonPath: .spec.source.volumeSnapshotContentName + name: SourceSnapshotContent + type: string + - description: Represents the minimum size of volume required to rehydrate from this snapshot. + jsonPath: .status.restoreSize + name: RestoreSize + type: string + - description: The name of the VolumeSnapshotClass requested by the VolumeSnapshot. + jsonPath: .spec.volumeSnapshotClassName + name: SnapshotClass + type: string + - description: Name of the VolumeSnapshotContent object to which the VolumeSnapshot object intends to bind to. Please note that verification of binding actually requires checking both VolumeSnapshot and VolumeSnapshotContent to ensure both are pointing at each other. Binding MUST be verified prior to usage of this object. + jsonPath: .status.boundVolumeSnapshotContentName + name: SnapshotContent + type: string + - description: Timestamp when the point-in-time snapshot was taken by the underlying storage system. + jsonPath: .status.creationTime + name: CreationTime + type: date + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + # This indicates the v1beta1 version of the custom resource is deprecated. + # API requests to this version receive a warning in the server response. + deprecated: true + # This overrides the default warning returned to clients making v1beta1 API requests. + deprecationWarning: "snapshot.storage.k8s.io/v1beta1 VolumeSnapshot is deprecated; use snapshot.storage.k8s.io/v1 VolumeSnapshot" + schema: + openAPIV3Schema: + description: VolumeSnapshot is a user's request for either creating a point-in-time snapshot of a persistent volume, or binding to a pre-existing snapshot. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + spec: + description: 'spec defines the desired characteristics of a snapshot requested by a user. More info: https://kubernetes.io/docs/concepts/storage/volume-snapshots#volumesnapshots Required.' + properties: + source: + description: source specifies where a snapshot will be created from. This field is immutable after creation. Required. + properties: + persistentVolumeClaimName: + description: persistentVolumeClaimName specifies the name of the PersistentVolumeClaim object representing the volume from which a snapshot should be created. This PVC is assumed to be in the same namespace as the VolumeSnapshot object. This field should be set if the snapshot does not exists, and needs to be created. This field is immutable. + type: string + volumeSnapshotContentName: + description: volumeSnapshotContentName specifies the name of a pre-existing VolumeSnapshotContent object representing an existing volume snapshot. This field should be set if the snapshot already exists and only needs a representation in Kubernetes. This field is immutable. + type: string + type: object + volumeSnapshotClassName: + description: 'VolumeSnapshotClassName is the name of the VolumeSnapshotClass requested by the VolumeSnapshot. VolumeSnapshotClassName may be left nil to indicate that the default SnapshotClass should be used. A given cluster may have multiple default Volume SnapshotClasses: one default per CSI Driver. If a VolumeSnapshot does not specify a SnapshotClass, VolumeSnapshotSource will be checked to figure out what the associated CSI Driver is, and the default VolumeSnapshotClass associated with that CSI Driver will be used. If more than one VolumeSnapshotClass exist for a given CSI Driver and more than one have been marked as default, CreateSnapshot will fail and generate an event. Empty string is not allowed for this field.' + type: string + required: + - source + type: object + status: + description: status represents the current information of a snapshot. Consumers must verify binding between VolumeSnapshot and VolumeSnapshotContent objects is successful (by validating that both VolumeSnapshot and VolumeSnapshotContent point at each other) before using this object. + properties: + boundVolumeSnapshotContentName: + description: 'boundVolumeSnapshotContentName is the name of the VolumeSnapshotContent object to which this VolumeSnapshot object intends to bind to. If not specified, it indicates that the VolumeSnapshot object has not been successfully bound to a VolumeSnapshotContent object yet. NOTE: To avoid possible security issues, consumers must verify binding between VolumeSnapshot and VolumeSnapshotContent objects is successful (by validating that both VolumeSnapshot and VolumeSnapshotContent point at each other) before using this object.' + type: string + creationTime: + description: creationTime is the timestamp when the point-in-time snapshot is taken by the underlying storage system. In dynamic snapshot creation case, this field will be filled in by the snapshot controller with the "creation_time" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "creation_time" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. If not specified, it may indicate that the creation time of the snapshot is unknown. + format: date-time + type: string + error: + description: error is the last observed error during snapshot creation, if any. This field could be helpful to upper level controllers(i.e., application controller) to decide whether they should continue on waiting for the snapshot to be created based on the type of error reported. The snapshot controller will keep retrying when an error occurs during the snapshot creation. Upon success, this error field will be cleared. + properties: + message: + description: 'message is a string detailing the encountered error during snapshot creation if specified. NOTE: message may be logged, and it should not contain sensitive information.' + type: string + time: + description: time is the timestamp when the error was encountered. + format: date-time + type: string + type: object + readyToUse: + description: readyToUse indicates if the snapshot is ready to be used to restore a volume. In dynamic snapshot creation case, this field will be filled in by the snapshot controller with the "ready_to_use" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "ready_to_use" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it, otherwise, this field will be set to "True". If not specified, it means the readiness of a snapshot is unknown. + type: boolean + restoreSize: + type: string + description: restoreSize represents the minimum size of volume required to create a volume from this snapshot. In dynamic snapshot creation case, this field will be filled in by the snapshot controller with the "size_bytes" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "size_bytes" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. When restoring a volume from this snapshot, the size of the volume MUST NOT be smaller than the restoreSize if it is specified, otherwise the restoration will fail. If not specified, it indicates that the size is unknown. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + required: + - spec + type: object + served: false + storage: false + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: "https://github.com/kubernetes-csi/external-snapshotter/pull/814" + controller-gen.kubebuilder.io/version: v0.15.0 + name: volumesnapshotclasses.snapshot.storage.k8s.io +spec: + group: snapshot.storage.k8s.io + names: + kind: VolumeSnapshotClass + listKind: VolumeSnapshotClassList + plural: volumesnapshotclasses + shortNames: + - vsclass + - vsclasses + singular: volumesnapshotclass + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .driver + name: Driver + type: string + - description: Determines whether a VolumeSnapshotContent created through the + VolumeSnapshotClass should be deleted when its bound VolumeSnapshot is deleted. + jsonPath: .deletionPolicy + name: DeletionPolicy + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + VolumeSnapshotClass specifies parameters that a underlying storage system uses when + creating a volume snapshot. A specific VolumeSnapshotClass is used by specifying its + name in a VolumeSnapshot object. + VolumeSnapshotClasses are non-namespaced + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + deletionPolicy: + description: |- + deletionPolicy determines whether a VolumeSnapshotContent created through + the VolumeSnapshotClass should be deleted when its bound VolumeSnapshot is deleted. + Supported values are "Retain" and "Delete". + "Retain" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are kept. + "Delete" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are deleted. + Required. + enum: + - Delete + - Retain + type: string + driver: + description: |- + driver is the name of the storage driver that handles this VolumeSnapshotClass. + Required. + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + parameters: + additionalProperties: + type: string + description: |- + parameters is a key-value map with storage driver specific parameters for creating snapshots. + These values are opaque to Kubernetes. + type: object + required: + - deletionPolicy + - driver + type: object + served: true + storage: true + subresources: {} + - additionalPrinterColumns: + - jsonPath: .driver + name: Driver + type: string + - description: Determines whether a VolumeSnapshotContent created through the VolumeSnapshotClass should be deleted when its bound VolumeSnapshot is deleted. + jsonPath: .deletionPolicy + name: DeletionPolicy + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + # This indicates the v1beta1 version of the custom resource is deprecated. + # API requests to this version receive a warning in the server response. + deprecated: true + # This overrides the default warning returned to clients making v1beta1 API requests. + deprecationWarning: "snapshot.storage.k8s.io/v1beta1 VolumeSnapshotClass is deprecated; use snapshot.storage.k8s.io/v1 VolumeSnapshotClass" + schema: + openAPIV3Schema: + description: VolumeSnapshotClass specifies parameters that a underlying storage system uses when creating a volume snapshot. A specific VolumeSnapshotClass is used by specifying its name in a VolumeSnapshot object. VolumeSnapshotClasses are non-namespaced + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + deletionPolicy: + description: deletionPolicy determines whether a VolumeSnapshotContent created through the VolumeSnapshotClass should be deleted when its bound VolumeSnapshot is deleted. Supported values are "Retain" and "Delete". "Retain" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are kept. "Delete" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are deleted. Required. + enum: + - Delete + - Retain + type: string + driver: + description: driver is the name of the storage driver that handles this VolumeSnapshotClass. Required. + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + parameters: + additionalProperties: + type: string + description: parameters is a key-value map with storage driver specific parameters for creating snapshots. These values are opaque to Kubernetes. + type: object + required: + - deletionPolicy + - driver + type: object + served: false + storage: false + subresources: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + api-approved.kubernetes.io: "https://github.com/kubernetes-csi/external-snapshotter/pull/955" + name: volumesnapshotcontents.snapshot.storage.k8s.io +spec: + group: snapshot.storage.k8s.io + names: + kind: VolumeSnapshotContent + listKind: VolumeSnapshotContentList + plural: volumesnapshotcontents + shortNames: + - vsc + - vscs + singular: volumesnapshotcontent + scope: Cluster + versions: + - additionalPrinterColumns: + - description: Indicates if the snapshot is ready to be used to restore a volume. + jsonPath: .status.readyToUse + name: ReadyToUse + type: boolean + - description: Represents the complete size of the snapshot in bytes + jsonPath: .status.restoreSize + name: RestoreSize + type: integer + - description: Determines whether this VolumeSnapshotContent and its physical + snapshot on the underlying storage system should be deleted when its bound + VolumeSnapshot is deleted. + jsonPath: .spec.deletionPolicy + name: DeletionPolicy + type: string + - description: Name of the CSI driver used to create the physical snapshot on + the underlying storage system. + jsonPath: .spec.driver + name: Driver + type: string + - description: Name of the VolumeSnapshotClass to which this snapshot belongs. + jsonPath: .spec.volumeSnapshotClassName + name: VolumeSnapshotClass + type: string + - description: Name of the VolumeSnapshot object to which this VolumeSnapshotContent + object is bound. + jsonPath: .spec.volumeSnapshotRef.name + name: VolumeSnapshot + type: string + - description: Namespace of the VolumeSnapshot object to which this VolumeSnapshotContent + object is bound. + jsonPath: .spec.volumeSnapshotRef.namespace + name: VolumeSnapshotNamespace + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + VolumeSnapshotContent represents the actual "on-disk" snapshot object in the + underlying storage system + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + spec defines properties of a VolumeSnapshotContent created by the underlying storage system. + Required. + properties: + deletionPolicy: + description: |- + deletionPolicy determines whether this VolumeSnapshotContent and its physical snapshot on + the underlying storage system should be deleted when its bound VolumeSnapshot is deleted. + Supported values are "Retain" and "Delete". + "Retain" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are kept. + "Delete" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are deleted. + For dynamically provisioned snapshots, this field will automatically be filled in by the + CSI snapshotter sidecar with the "DeletionPolicy" field defined in the corresponding + VolumeSnapshotClass. + For pre-existing snapshots, users MUST specify this field when creating the + VolumeSnapshotContent object. + Required. + enum: + - Delete + - Retain + type: string + driver: + description: |- + driver is the name of the CSI driver used to create the physical snapshot on + the underlying storage system. + This MUST be the same as the name returned by the CSI GetPluginName() call for + that driver. + Required. + type: string + source: + description: |- + source specifies whether the snapshot is (or should be) dynamically provisioned + or already exists, and just requires a Kubernetes object representation. + This field is immutable after creation. + Required. + properties: + snapshotHandle: + description: |- + snapshotHandle specifies the CSI "snapshot_id" of a pre-existing snapshot on + the underlying storage system for which a Kubernetes object representation + was (or should be) created. + This field is immutable. + type: string + x-kubernetes-validations: + - message: snapshotHandle is immutable + rule: self == oldSelf + volumeHandle: + description: |- + volumeHandle specifies the CSI "volume_id" of the volume from which a snapshot + should be dynamically taken from. + This field is immutable. + type: string + x-kubernetes-validations: + - message: volumeHandle is immutable + rule: self == oldSelf + type: object + x-kubernetes-validations: + - message: volumeHandle is required once set + rule: '!has(oldSelf.volumeHandle) || has(self.volumeHandle)' + - message: snapshotHandle is required once set + rule: '!has(oldSelf.snapshotHandle) || has(self.snapshotHandle)' + - message: exactly one of volumeHandle and snapshotHandle must be + set + rule: (has(self.volumeHandle) && !has(self.snapshotHandle)) || (!has(self.volumeHandle) + && has(self.snapshotHandle)) + sourceVolumeMode: + description: |- + SourceVolumeMode is the mode of the volume whose snapshot is taken. + Can be either "Filesystem" or "Block". + If not specified, it indicates the source volume's mode is unknown. + This field is immutable. + This field is an alpha field. + type: string + x-kubernetes-validations: + - message: sourceVolumeMode is immutable + rule: self == oldSelf + volumeSnapshotClassName: + description: |- + name of the VolumeSnapshotClass from which this snapshot was (or will be) + created. + Note that after provisioning, the VolumeSnapshotClass may be deleted or + recreated with different set of values, and as such, should not be referenced + post-snapshot creation. + type: string + volumeSnapshotRef: + description: |- + volumeSnapshotRef specifies the VolumeSnapshot object to which this + VolumeSnapshotContent object is bound. + VolumeSnapshot.Spec.VolumeSnapshotContentName field must reference to + this VolumeSnapshotContent's name for the bidirectional binding to be valid. + For a pre-existing VolumeSnapshotContent object, name and namespace of the + VolumeSnapshot object MUST be provided for binding to happen. + This field is immutable after creation. + Required. + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. + type: string + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + namespace: + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + type: string + resourceVersion: + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + type: string + uid: + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + type: string + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: both spec.volumeSnapshotRef.name and spec.volumeSnapshotRef.namespace + must be set + rule: has(self.name) && has(self.__namespace__) + required: + - deletionPolicy + - driver + - source + - volumeSnapshotRef + type: object + x-kubernetes-validations: + - message: sourceVolumeMode is required once set + rule: '!has(oldSelf.sourceVolumeMode) || has(self.sourceVolumeMode)' + status: + description: status represents the current information of a snapshot. + properties: + creationTime: + description: |- + creationTime is the timestamp when the point-in-time snapshot is taken + by the underlying storage system. + In dynamic snapshot creation case, this field will be filled in by the + CSI snapshotter sidecar with the "creation_time" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "creation_time" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. + If not specified, it indicates the creation time is unknown. + The format of this field is a Unix nanoseconds time encoded as an int64. + On Unix, the command `date +%s%N` returns the current time in nanoseconds + since 1970-01-01 00:00:00 UTC. + format: int64 + type: integer + error: + description: |- + error is the last observed error during snapshot creation, if any. + Upon success after retry, this error field will be cleared. + properties: + message: + description: |- + message is a string detailing the encountered error during snapshot + creation if specified. + NOTE: message may be logged, and it should not contain sensitive + information. + type: string + time: + description: time is the timestamp when the error was encountered. + format: date-time + type: string + type: object + readyToUse: + description: |- + readyToUse indicates if a snapshot is ready to be used to restore a volume. + In dynamic snapshot creation case, this field will be filled in by the + CSI snapshotter sidecar with the "ready_to_use" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "ready_to_use" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it, + otherwise, this field will be set to "True". + If not specified, it means the readiness of a snapshot is unknown. + type: boolean + restoreSize: + description: |- + restoreSize represents the complete size of the snapshot in bytes. + In dynamic snapshot creation case, this field will be filled in by the + CSI snapshotter sidecar with the "size_bytes" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "size_bytes" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. + When restoring a volume from this snapshot, the size of the volume MUST NOT + be smaller than the restoreSize if it is specified, otherwise the restoration will fail. + If not specified, it indicates that the size is unknown. + format: int64 + minimum: 0 + type: integer + snapshotHandle: + description: |- + snapshotHandle is the CSI "snapshot_id" of a snapshot on the underlying storage system. + If not specified, it indicates that dynamic snapshot creation has either failed + or it is still in progress. + type: string + volumeGroupSnapshotHandle: + description: |- + VolumeGroupSnapshotHandle is the CSI "group_snapshot_id" of a group snapshot + on the underlying storage system. + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: Indicates if the snapshot is ready to be used to restore a volume. + jsonPath: .status.readyToUse + name: ReadyToUse + type: boolean + - description: Represents the complete size of the snapshot in bytes + jsonPath: .status.restoreSize + name: RestoreSize + type: integer + - description: Determines whether this VolumeSnapshotContent and its physical snapshot on the underlying storage system should be deleted when its bound VolumeSnapshot is deleted. + jsonPath: .spec.deletionPolicy + name: DeletionPolicy + type: string + - description: Name of the CSI driver used to create the physical snapshot on the underlying storage system. + jsonPath: .spec.driver + name: Driver + type: string + - description: Name of the VolumeSnapshotClass to which this snapshot belongs. + jsonPath: .spec.volumeSnapshotClassName + name: VolumeSnapshotClass + type: string + - description: Name of the VolumeSnapshot object to which this VolumeSnapshotContent object is bound. + jsonPath: .spec.volumeSnapshotRef.name + name: VolumeSnapshot + type: string + - description: Namespace of the VolumeSnapshot object to which this VolumeSnapshotContent object is bound. + jsonPath: .spec.volumeSnapshotRef.namespace + name: VolumeSnapshotNamespace + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + # This indicates the v1beta1 version of the custom resource is deprecated. + # API requests to this version receive a warning in the server response. + deprecated: true + # This overrides the default warning returned to clients making v1beta1 API requests. + deprecationWarning: "snapshot.storage.k8s.io/v1beta1 VolumeSnapshotContent is deprecated; use snapshot.storage.k8s.io/v1 VolumeSnapshotContent" + schema: + openAPIV3Schema: + description: VolumeSnapshotContent represents the actual "on-disk" snapshot object in the underlying storage system + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + spec: + description: spec defines properties of a VolumeSnapshotContent created by the underlying storage system. Required. + properties: + deletionPolicy: + description: deletionPolicy determines whether this VolumeSnapshotContent and its physical snapshot on the underlying storage system should be deleted when its bound VolumeSnapshot is deleted. Supported values are "Retain" and "Delete". "Retain" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are kept. "Delete" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are deleted. For dynamically provisioned snapshots, this field will automatically be filled in by the CSI snapshotter sidecar with the "DeletionPolicy" field defined in the corresponding VolumeSnapshotClass. For pre-existing snapshots, users MUST specify this field when creating the VolumeSnapshotContent object. Required. + enum: + - Delete + - Retain + type: string + driver: + description: driver is the name of the CSI driver used to create the physical snapshot on the underlying storage system. This MUST be the same as the name returned by the CSI GetPluginName() call for that driver. Required. + type: string + source: + description: source specifies whether the snapshot is (or should be) dynamically provisioned or already exists, and just requires a Kubernetes object representation. This field is immutable after creation. Required. + properties: + snapshotHandle: + description: snapshotHandle specifies the CSI "snapshot_id" of a pre-existing snapshot on the underlying storage system for which a Kubernetes object representation was (or should be) created. This field is immutable. + type: string + volumeHandle: + description: volumeHandle specifies the CSI "volume_id" of the volume from which a snapshot should be dynamically taken from. This field is immutable. + type: string + type: object + volumeSnapshotClassName: + description: name of the VolumeSnapshotClass from which this snapshot was (or will be) created. Note that after provisioning, the VolumeSnapshotClass may be deleted or recreated with different set of values, and as such, should not be referenced post-snapshot creation. + type: string + volumeSnapshotRef: + description: volumeSnapshotRef specifies the VolumeSnapshot object to which this VolumeSnapshotContent object is bound. VolumeSnapshot.Spec.VolumeSnapshotContentName field must reference to this VolumeSnapshotContent's name for the bidirectional binding to be valid. For a pre-existing VolumeSnapshotContent object, name and namespace of the VolumeSnapshot object MUST be provided for binding to happen. This field is immutable after creation. Required. + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + required: + - deletionPolicy + - driver + - source + - volumeSnapshotRef + type: object + status: + description: status represents the current information of a snapshot. + properties: + creationTime: + description: creationTime is the timestamp when the point-in-time snapshot is taken by the underlying storage system. In dynamic snapshot creation case, this field will be filled in by the CSI snapshotter sidecar with the "creation_time" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "creation_time" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. If not specified, it indicates the creation time is unknown. The format of this field is a Unix nanoseconds time encoded as an int64. On Unix, the command `date +%s%N` returns the current time in nanoseconds since 1970-01-01 00:00:00 UTC. + format: int64 + type: integer + error: + description: error is the last observed error during snapshot creation, if any. Upon success after retry, this error field will be cleared. + properties: + message: + description: 'message is a string detailing the encountered error during snapshot creation if specified. NOTE: message may be logged, and it should not contain sensitive information.' + type: string + time: + description: time is the timestamp when the error was encountered. + format: date-time + type: string + type: object + readyToUse: + description: readyToUse indicates if a snapshot is ready to be used to restore a volume. In dynamic snapshot creation case, this field will be filled in by the CSI snapshotter sidecar with the "ready_to_use" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "ready_to_use" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it, otherwise, this field will be set to "True". If not specified, it means the readiness of a snapshot is unknown. + type: boolean + restoreSize: + description: restoreSize represents the complete size of the snapshot in bytes. In dynamic snapshot creation case, this field will be filled in by the CSI snapshotter sidecar with the "size_bytes" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "size_bytes" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. When restoring a volume from this snapshot, the size of the volume MUST NOT be smaller than the restoreSize if it is specified, otherwise the restoration will fail. If not specified, it indicates that the size is unknown. + format: int64 + minimum: 0 + type: integer + snapshotHandle: + description: snapshotHandle is the CSI "snapshot_id" of a snapshot on the underlying storage system. If not specified, it indicates that dynamic snapshot creation has either failed or it is still in progress. + type: string + type: object + required: + - spec + type: object + served: false + storage: false + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/deploy/v1.32.9/csi-azurefile-controller.yaml b/deploy/v1.32.9/csi-azurefile-controller.yaml new file mode 100644 index 0000000000..c66dcf5394 --- /dev/null +++ b/deploy/v1.32.9/csi-azurefile-controller.yaml @@ -0,0 +1,200 @@ +--- +kind: Deployment +apiVersion: apps/v1 +metadata: + name: csi-azurefile-controller + namespace: kube-system +spec: + replicas: 2 + selector: + matchLabels: + app: csi-azurefile-controller + template: + metadata: + labels: + app: csi-azurefile-controller + spec: + hostNetwork: true # only required for MSI enabled cluster + serviceAccountName: csi-azurefile-controller-sa + nodeSelector: + kubernetes.io/os: linux # add "kubernetes.io/role: master" to run controller on master node + priorityClassName: system-cluster-critical + securityContext: + seccompProfile: + type: RuntimeDefault + tolerations: + - key: "node-role.kubernetes.io/master" + operator: "Exists" + effect: "NoSchedule" + - key: "node-role.kubernetes.io/controlplane" + operator: "Exists" + effect: "NoSchedule" + - key: "node-role.kubernetes.io/control-plane" + operator: "Exists" + effect: "NoSchedule" + - key: "CriticalAddonsOnly" + operator: "Exists" + effect: "NoSchedule" + containers: + - name: csi-provisioner + image: mcr.microsoft.com/oss/kubernetes-csi/csi-provisioner:v5.2.0 + args: + - "-v=2" + - "--csi-address=$(ADDRESS)" + - "--leader-election" + - "--leader-election-namespace=kube-system" + - "--timeout=1200s" + - "--extra-create-metadata=true" + - "--kube-api-qps=50" + - "--kube-api-burst=100" + - "--feature-gates=HonorPVReclaimPolicy=true" + - "--retry-interval-max=30m" + env: + - name: ADDRESS + value: /csi/csi.sock + volumeMounts: + - mountPath: /csi + name: socket-dir + resources: + limits: + memory: 500Mi + requests: + cpu: 10m + memory: 20Mi + securityContext: + capabilities: + drop: + - ALL + - name: csi-snapshotter + image: mcr.microsoft.com/oss/kubernetes-csi/csi-snapshotter:v8.2.1 + args: + - "-v=2" + - "-csi-address=$(ADDRESS)" + - "--leader-election" + - "--leader-election-namespace=kube-system" + - "--retry-interval-max=30m" + env: + - name: ADDRESS + value: /csi/csi.sock + volumeMounts: + - name: socket-dir + mountPath: /csi + resources: + limits: + memory: 200Mi + requests: + cpu: 10m + memory: 20Mi + securityContext: + capabilities: + drop: + - ALL + - name: csi-resizer + image: mcr.microsoft.com/oss/v2/kubernetes-csi/csi-resizer:v1.13.2 + args: + - "-csi-address=$(ADDRESS)" + - "-v=2" + - "--leader-election" + - "--leader-election-namespace=kube-system" + - '-handle-volume-inuse-error=false' + - '-feature-gates=RecoverVolumeExpansionFailure=true' + - '-timeout=120s' + - "--retry-interval-max=30m" + env: + - name: ADDRESS + value: /csi/csi.sock + volumeMounts: + - name: socket-dir + mountPath: /csi + resources: + limits: + memory: 500Mi + requests: + cpu: 10m + memory: 20Mi + securityContext: + capabilities: + drop: + - ALL + - name: liveness-probe + image: mcr.microsoft.com/oss/v2/kubernetes-csi/livenessprobe:v2.15.0 + args: + - --csi-address=/csi/csi.sock + - --probe-timeout=3s + - --http-endpoint=localhost:29612 + - --v=2 + volumeMounts: + - name: socket-dir + mountPath: /csi + resources: + limits: + memory: 100Mi + requests: + cpu: 10m + memory: 20Mi + securityContext: + capabilities: + drop: + - ALL + - name: azurefile + image: mcr.microsoft.com/oss/v2/kubernetes-csi/azurefile-csi:v1.32.9 + imagePullPolicy: IfNotPresent + args: + - "--v=5" + - "--endpoint=$(CSI_ENDPOINT)" + - "--metrics-address=0.0.0.0:29614" + - "--user-agent-suffix=OSS-kubectl" + ports: + - containerPort: 29614 + name: metrics + protocol: TCP + livenessProbe: + failureThreshold: 5 + httpGet: + host: localhost + path: /healthz + port: 29612 + initialDelaySeconds: 30 + timeoutSeconds: 10 + periodSeconds: 30 + env: + - name: AZURE_CREDENTIAL_FILE + valueFrom: + configMapKeyRef: + name: azure-cred-file + key: path + optional: true + - name: CSI_ENDPOINT + value: unix:///csi/csi.sock + - name: AZCOPY_CONCURRENCY_VALUE + value: "10" + - name: AZCOPY_CONCURRENT_FILES + value: "20" + - name: AZCOPY_BUFFER_GB + value: "1" + volumeMounts: + - mountPath: /csi + name: socket-dir + - mountPath: /root/.azcopy + name: azcopy-dir + - mountPath: /etc/kubernetes/ + name: azure-cred + resources: + limits: + memory: 800Mi + requests: + cpu: 10m + memory: 20Mi + securityContext: + capabilities: + drop: + - ALL + volumes: + - name: socket-dir + emptyDir: {} + - name: azcopy-dir + emptyDir: {} + - name: azure-cred + hostPath: + path: /etc/kubernetes/ + type: DirectoryOrCreate diff --git a/deploy/v1.32.9/csi-azurefile-driver.yaml b/deploy/v1.32.9/csi-azurefile-driver.yaml new file mode 100644 index 0000000000..18eee55996 --- /dev/null +++ b/deploy/v1.32.9/csi-azurefile-driver.yaml @@ -0,0 +1,17 @@ +--- +apiVersion: storage.k8s.io/v1 +kind: CSIDriver +metadata: + name: file.csi.azure.com + annotations: + csiDriver: v1.32.0 + snapshot: v6.2.2 +spec: + attachRequired: false + podInfoOnMount: true + volumeLifecycleModes: + - Persistent + - Ephemeral + fsGroupPolicy: ReadWriteOnceWithFSType + tokenRequests: + - audience: api://AzureADTokenExchange diff --git a/deploy/v1.32.9/csi-azurefile-node-windows-hostprocess.yaml b/deploy/v1.32.9/csi-azurefile-node-windows-hostprocess.yaml new file mode 100644 index 0000000000..8db5cf770d --- /dev/null +++ b/deploy/v1.32.9/csi-azurefile-node-windows-hostprocess.yaml @@ -0,0 +1,122 @@ +--- +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: csi-azurefile-node-win + namespace: kube-system +spec: + updateStrategy: + rollingUpdate: + maxUnavailable: 1 + type: RollingUpdate + selector: + matchLabels: + app: csi-azurefile-node-win + template: + metadata: + labels: + app: csi-azurefile-node-win + spec: + serviceAccountName: csi-azurefile-node-sa + tolerations: + - key: "node.kubernetes.io/os" + operator: "Exists" + effect: "NoSchedule" + nodeSelector: + kubernetes.io/os: windows + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: type + operator: NotIn + values: + - virtual-kubelet + priorityClassName: system-node-critical + securityContext: + seccompProfile: + type: RuntimeDefault + windowsOptions: + hostProcess: true + runAsUserName: "NT AUTHORITY\\SYSTEM" + hostNetwork: true + initContainers: + - name: init + image: mcr.microsoft.com/oss/v2/kubernetes-csi/azurefile-csi:v1.32.9-windows-hp + imagePullPolicy: IfNotPresent + command: + - "powershell.exe" + - "-c" + - "New-Item -ItemType Directory -Path C:\\var\\lib\\kubelet\\plugins\\file.csi.azure.com\\ -Force" + securityContext: + capabilities: + drop: + - ALL + containers: + - name: node-driver-registrar + image: mcr.microsoft.com/oss/v2/kubernetes-csi/csi-node-driver-registrar:v2.13.0 + imagePullPolicy: IfNotPresent + command: + - "csi-node-driver-registrar.exe" + args: + - "--v=2" + - "--csi-address=$(CSI_ENDPOINT)" + - "--kubelet-registration-path=$(DRIVER_REG_SOCK_PATH)" + - "--plugin-registration-path=$(PLUGIN_REG_DIR)" + env: + - name: CSI_ENDPOINT + value: unix://C:\\var\\lib\\kubelet\\plugins\\file.csi.azure.com\\csi.sock + - name: DRIVER_REG_SOCK_PATH + value: C:\\var\\lib\\kubelet\\plugins\\file.csi.azure.com\\csi.sock + - name: PLUGIN_REG_DIR + value: C:\\var\\lib\\kubelet\\plugins_registry\\ + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + resources: + limits: + memory: 150Mi + requests: + cpu: 30m + memory: 40Mi + securityContext: + capabilities: + drop: + - ALL + - name: azurefile + image: mcr.microsoft.com/oss/v2/kubernetes-csi/azurefile-csi:v1.32.9-windows-hp + imagePullPolicy: IfNotPresent + command: + - "azurefileplugin.exe" + args: + - --v=5 + - --endpoint=$(CSI_ENDPOINT) + - --nodeid=$(KUBE_NODE_NAME) + - --enable-windows-host-process=true + - --metrics-address="0.0.0.0:29615" + env: + - name: AZURE_CREDENTIAL_FILE + valueFrom: + configMapKeyRef: + name: azure-cred-file + key: path-windows + optional: true + - name: CSI_ENDPOINT + value: unix://C:\\var\\lib\\kubelet\\plugins\\file.csi.azure.com\\csi.sock + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + resources: + limits: + memory: 600Mi + requests: + cpu: 10m + memory: 40Mi + securityContext: + capabilities: + drop: + - ALL diff --git a/deploy/v1.32.9/csi-azurefile-node-windows.yaml b/deploy/v1.32.9/csi-azurefile-node-windows.yaml new file mode 100644 index 0000000000..d0480b1616 --- /dev/null +++ b/deploy/v1.32.9/csi-azurefile-node-windows.yaml @@ -0,0 +1,187 @@ +--- +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: csi-azurefile-node-win + namespace: kube-system +spec: + updateStrategy: + rollingUpdate: + maxUnavailable: 1 + type: RollingUpdate + selector: + matchLabels: + app: csi-azurefile-node-win + template: + metadata: + labels: + app: csi-azurefile-node-win + spec: + serviceAccountName: csi-azurefile-node-sa + tolerations: + - key: "node.kubernetes.io/os" + operator: "Exists" + effect: "NoSchedule" + nodeSelector: + kubernetes.io/os: windows + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: type + operator: NotIn + values: + - virtual-kubelet + priorityClassName: system-node-critical + securityContext: + seccompProfile: + type: RuntimeDefault + containers: + - name: liveness-probe + volumeMounts: + - mountPath: C:\csi + name: plugin-dir + image: mcr.microsoft.com/oss/kubernetes-csi/livenessprobe:v2.15.0 + args: + - --csi-address=$(CSI_ENDPOINT) + - --probe-timeout=3s + - --health-port=29613 + - --v=2 + env: + - name: CSI_ENDPOINT + value: unix://C:\\csi\\csi.sock + resources: + limits: + memory: 150Mi + requests: + cpu: 10m + memory: 40Mi + securityContext: + capabilities: + drop: + - ALL + - name: node-driver-registrar + image: mcr.microsoft.com/oss/v2/kubernetes-csi/csi-node-driver-registrar:v2.13.0 + args: + - --v=2 + - --csi-address=$(CSI_ENDPOINT) + - --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH) + env: + - name: CSI_ENDPOINT + value: unix://C:\\csi\\csi.sock + - name: DRIVER_REG_SOCK_PATH + value: C:\\var\\lib\\kubelet\\plugins\\file.csi.azure.com\\csi.sock + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + volumeMounts: + - name: kubelet-dir + mountPath: "C:\\var\\lib\\kubelet" + - name: plugin-dir + mountPath: C:\csi + - name: registration-dir + mountPath: C:\registration + resources: + limits: + memory: 150Mi + requests: + cpu: 30m + memory: 40Mi + securityContext: + capabilities: + drop: + - ALL + - name: azurefile + image: mcr.microsoft.com/oss/kubernetes-csi/azurefile-csi:v1.32.9 + imagePullPolicy: IfNotPresent + args: + - --v=5 + - --endpoint=$(CSI_ENDPOINT) + - --nodeid=$(KUBE_NODE_NAME) + - --metrics-address="0.0.0.0:29615" + ports: + - containerPort: 29613 + name: healthz + protocol: TCP + livenessProbe: + failureThreshold: 5 + httpGet: + path: /healthz + port: healthz + initialDelaySeconds: 60 + timeoutSeconds: 60 + periodSeconds: 60 + env: + - name: AZURE_CREDENTIAL_FILE + valueFrom: + configMapKeyRef: + name: azure-cred-file + key: path-windows + optional: true + - name: CSI_ENDPOINT + value: unix://C:\\csi\\csi.sock + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + volumeMounts: + - name: kubelet-dir + mountPath: "C:\\var\\lib\\kubelet" + - name: plugin-dir + mountPath: C:\csi + - name: azure-config + mountPath: C:\k + - name: csi-proxy-fs-pipe-v1 + mountPath: \\.\pipe\csi-proxy-filesystem-v1 + - name: csi-proxy-smb-pipe-v1 + mountPath: \\.\pipe\csi-proxy-smb-v1 + # these paths are still included for compatibility, they're used + # only if the node has still the beta version of the CSI proxy + - name: csi-proxy-fs-pipe-v1beta1 + mountPath: \\.\pipe\csi-proxy-filesystem-v1beta1 + - name: csi-proxy-smb-pipe-v1beta1 + mountPath: \\.\pipe\csi-proxy-smb-v1beta1 + resources: + limits: + memory: 200Mi + requests: + cpu: 10m + memory: 40Mi + securityContext: + capabilities: + drop: + - ALL + volumes: + - name: csi-proxy-fs-pipe-v1 + hostPath: + path: \\.\pipe\csi-proxy-filesystem-v1 + - name: csi-proxy-smb-pipe-v1 + hostPath: + path: \\.\pipe\csi-proxy-smb-v1 + # these paths are still included for compatibility, they're used + # only if the node has still the beta version of the CSI proxy + - name: csi-proxy-fs-pipe-v1beta1 + hostPath: + path: \\.\pipe\csi-proxy-filesystem-v1beta1 + - name: csi-proxy-smb-pipe-v1beta1 + hostPath: + path: \\.\pipe\csi-proxy-smb-v1beta1 + - name: registration-dir + hostPath: + path: C:\var\lib\kubelet\plugins_registry\ + type: Directory + - name: kubelet-dir + hostPath: + path: C:\var\lib\kubelet\ + type: Directory + - name: plugin-dir + hostPath: + path: C:\var\lib\kubelet\plugins\file.csi.azure.com\ + type: DirectoryOrCreate + - name: azure-config + hostPath: + path: C:\k + type: DirectoryOrCreate diff --git a/deploy/v1.32.9/csi-azurefile-node.yaml b/deploy/v1.32.9/csi-azurefile-node.yaml new file mode 100644 index 0000000000..2d48162b68 --- /dev/null +++ b/deploy/v1.32.9/csi-azurefile-node.yaml @@ -0,0 +1,167 @@ +--- +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: csi-azurefile-node + namespace: kube-system +spec: + updateStrategy: + rollingUpdate: + maxUnavailable: 1 + type: RollingUpdate + selector: + matchLabels: + app: csi-azurefile-node + template: + metadata: + labels: + app: csi-azurefile-node + spec: + hostNetwork: true + dnsPolicy: Default + serviceAccountName: csi-azurefile-node-sa + nodeSelector: + kubernetes.io/os: linux + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: type + operator: NotIn + values: + - virtual-kubelet + priorityClassName: system-node-critical + securityContext: + seccompProfile: + type: RuntimeDefault + tolerations: + - operator: "Exists" + containers: + - name: liveness-probe + volumeMounts: + - mountPath: /csi + name: socket-dir + image: mcr.microsoft.com/oss/v2/kubernetes-csi/livenessprobe:v2.15.0 + args: + - --csi-address=/csi/csi.sock + - --probe-timeout=3s + - --http-endpoint=localhost:29613 + - --v=2 + resources: + limits: + memory: 100Mi + requests: + cpu: 10m + memory: 20Mi + securityContext: + capabilities: + drop: + - ALL + - name: node-driver-registrar + image: mcr.microsoft.com/oss/v2/kubernetes-csi/csi-node-driver-registrar:v2.13.0 + args: + - --csi-address=$(ADDRESS) + - --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH) + - --v=2 + env: + - name: ADDRESS + value: /csi/csi.sock + - name: DRIVER_REG_SOCK_PATH + value: /var/lib/kubelet/plugins/file.csi.azure.com/csi.sock + volumeMounts: + - name: socket-dir + mountPath: /csi + - name: registration-dir + mountPath: /registration + resources: + limits: + memory: 100Mi + requests: + cpu: 10m + memory: 20Mi + securityContext: + capabilities: + drop: + - ALL + - name: azurefile + image: mcr.microsoft.com/oss/v2/kubernetes-csi/azurefile-csi:v1.32.9 + imagePullPolicy: IfNotPresent + args: + - "--v=5" + - "--endpoint=$(CSI_ENDPOINT)" + - "--nodeid=$(KUBE_NODE_NAME)" + - "--metrics-address=0.0.0.0:29615" + - "--enable-kata-cc-mount=true" + livenessProbe: + failureThreshold: 5 + httpGet: + host: localhost + path: /healthz + port: 29613 + initialDelaySeconds: 30 + timeoutSeconds: 10 + periodSeconds: 30 + env: + - name: AZURE_CREDENTIAL_FILE + valueFrom: + configMapKeyRef: + name: azure-cred-file + key: path + optional: true + - name: CSI_ENDPOINT + value: unix:///csi/csi.sock + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + securityContext: + privileged: true + capabilities: + drop: + - ALL + volumeMounts: + - mountPath: /csi + name: socket-dir + - mountPath: /var/lib/kubelet/ + mountPropagation: Bidirectional + name: mountpoint-dir + - mountPath: /etc/kubernetes/ + name: azure-cred + - mountPath: /dev + name: device-dir + - mountPath: /run/kata-containers/shared/direct-volumes + name: kata-direct-volumes + resources: + limits: + memory: 400Mi + requests: + cpu: 10m + memory: 20Mi + volumes: + - hostPath: + path: /var/lib/kubelet/plugins/file.csi.azure.com + type: DirectoryOrCreate + name: socket-dir + - hostPath: + path: /var/lib/kubelet/ + type: DirectoryOrCreate + name: mountpoint-dir + - hostPath: + path: /var/lib/kubelet/plugins_registry/ + type: DirectoryOrCreate + name: registration-dir + - hostPath: + path: /etc/kubernetes/ + type: DirectoryOrCreate + name: azure-cred + - hostPath: + path: /dev + type: Directory + name: device-dir + - name: kata-direct-volumes + hostPath: + path: /run/kata-containers/shared/direct-volumes/ + type: DirectoryOrCreate +--- diff --git a/deploy/v1.32.9/csi-snapshot-controller.yaml b/deploy/v1.32.9/csi-snapshot-controller.yaml new file mode 100644 index 0000000000..ac48f4365d --- /dev/null +++ b/deploy/v1.32.9/csi-snapshot-controller.yaml @@ -0,0 +1,63 @@ +--- +kind: Deployment +apiVersion: apps/v1 +metadata: + name: csi-snapshot-controller + namespace: kube-system +spec: + replicas: 2 + selector: + matchLabels: + app: csi-snapshot-controller + # the snapshot controller won't be marked as ready if the v1 CRDs are unavailable + # in #504 the snapshot-controller will exit after around 7.5 seconds if it + # can't find the v1 CRDs so this value should be greater than that + minReadySeconds: 15 + strategy: + rollingUpdate: + maxSurge: 0 + maxUnavailable: 1 + type: RollingUpdate + template: + metadata: + labels: + app: csi-snapshot-controller + spec: + serviceAccountName: csi-snapshot-controller-sa + nodeSelector: + kubernetes.io/os: linux + priorityClassName: system-cluster-critical + securityContext: + seccompProfile: + type: RuntimeDefault + tolerations: + - key: "node-role.kubernetes.io/master" + operator: "Equal" + value: "true" + effect: "NoSchedule" + - key: "node-role.kubernetes.io/controlplane" + operator: "Equal" + value: "true" + effect: "NoSchedule" + - key: "node-role.kubernetes.io/control-plane" + operator: "Equal" + value: "true" + effect: "NoSchedule" + containers: + - name: csi-snapshot-controller + image: mcr.microsoft.com/oss/kubernetes-csi/snapshot-controller:v8.2.1 + args: + - "--v=2" + - "--leader-election=true" + - "--leader-election-namespace=kube-system" + - "--retry-interval-max=30m" + resources: + limits: + memory: 500Mi + requests: + cpu: 10m + memory: 20Mi + securityContext: + capabilities: + drop: + - ALL diff --git a/deploy/v1.32.9/rbac-csi-azurefile-controller.yaml b/deploy/v1.32.9/rbac-csi-azurefile-controller.yaml new file mode 100644 index 0000000000..b3baefcf04 --- /dev/null +++ b/deploy/v1.32.9/rbac-csi-azurefile-controller.yaml @@ -0,0 +1,195 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: csi-azurefile-controller-sa + namespace: kube-system + +--- + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: azurefile-external-provisioner-role +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "create", "patch", "delete"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["storage.k8s.io"] + resources: ["storageclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["get", "list", "watch", "create", "update", "patch"] + - apiGroups: ["storage.k8s.io"] + resources: ["csinodes"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "watch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots"] + verbs: ["get", "list"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["get", "list"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create", "patch"] +--- + +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: azurefile-csi-provisioner-binding +subjects: + - kind: ServiceAccount + name: csi-azurefile-controller-sa + namespace: kube-system +roleRef: + kind: ClusterRole + name: azurefile-external-provisioner-role + apiGroup: rbac.authorization.k8s.io + +--- + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: azurefile-external-attacher-role +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "watch"] + - apiGroups: ["csi.storage.k8s.io"] + resources: ["csinodeinfos"] + verbs: ["get", "list", "watch"] + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments/status"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create", "patch"] +--- + +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: azurefile-csi-attacher-binding +subjects: + - kind: ServiceAccount + name: csi-azurefile-controller-sa + namespace: kube-system +roleRef: + kind: ClusterRole + name: azurefile-external-attacher-role + apiGroup: rbac.authorization.k8s.io + +--- + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: azurefile-external-snapshotter-role +rules: + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["create", "get", "list", "watch", "update", "delete", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents/status"] + verbs: ["update", "patch"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create", "patch"] + +--- + +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: azurefile-csi-snapshotter-binding +subjects: + - kind: ServiceAccount + name: csi-azurefile-controller-sa + namespace: kube-system +roleRef: + kind: ClusterRole + name: azurefile-external-snapshotter-role + apiGroup: rbac.authorization.k8s.io + +--- + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: azurefile-external-resizer-role +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["persistentvolumeclaims/status"] + verbs: ["update", "patch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: azurefile-csi-resizer-role +subjects: + - kind: ServiceAccount + name: csi-azurefile-controller-sa + namespace: kube-system +roleRef: + kind: ClusterRole + name: azurefile-external-resizer-role + apiGroup: rbac.authorization.k8s.io + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-azurefile-controller-secret-role +rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "create"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-azurefile-controller-secret-binding +subjects: + - kind: ServiceAccount + name: csi-azurefile-controller-sa + namespace: kube-system +roleRef: + kind: ClusterRole + name: csi-azurefile-controller-secret-role + apiGroup: rbac.authorization.k8s.io +--- diff --git a/deploy/v1.32.9/rbac-csi-azurefile-node.yaml b/deploy/v1.32.9/rbac-csi-azurefile-node.yaml new file mode 100644 index 0000000000..d7b10b2d7e --- /dev/null +++ b/deploy/v1.32.9/rbac-csi-azurefile-node.yaml @@ -0,0 +1,59 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: csi-azurefile-node-sa + namespace: kube-system + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-azurefile-node-secret-role +rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-azurefile-node-secret-binding +subjects: + - kind: ServiceAccount + name: csi-azurefile-node-sa + namespace: kube-system +roleRef: + kind: ClusterRole + name: csi-azurefile-node-secret-role + apiGroup: rbac.authorization.k8s.io +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-azurefile-node-katacc-role +rules: + - apiGroups: [""] + resources: ["pods"] + verbs: ["get"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get"] + - apiGroups: ["node.k8s.io"] + resources: ["runtimeclasses"] + verbs: ["get", "list"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-azurefile-node-katacc-binding +subjects: + - kind: ServiceAccount + name: csi-azurefile-node-sa + namespace: kube-system +roleRef: + kind: ClusterRole + name: csi-azurefile-node-katacc-role + apiGroup: rbac.authorization.k8s.io +--- diff --git a/deploy/v1.32.9/rbac-csi-snapshot-controller.yaml b/deploy/v1.32.9/rbac-csi-snapshot-controller.yaml new file mode 100644 index 0000000000..8ef9352476 --- /dev/null +++ b/deploy/v1.32.9/rbac-csi-snapshot-controller.yaml @@ -0,0 +1,78 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: csi-snapshot-controller-sa + namespace: kube-system + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-snapshot-controller-role +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["storage.k8s.io"] + resources: ["storageclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["create", "get", "list", "watch", "update", "delete", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents/status"] + verbs: ["patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots"] + verbs: ["get", "list", "watch", "update", "patch", "create"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots/status"] + verbs: ["update", "patch"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-snapshot-controller-binding +subjects: + - kind: ServiceAccount + name: csi-snapshot-controller-sa + namespace: kube-system +roleRef: + kind: ClusterRole + name: csi-snapshot-controller-role + apiGroup: rbac.authorization.k8s.io + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-snapshot-controller-leaderelection-role +rules: + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create", "patch"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-snapshot-controller-leaderelection-binding +subjects: + - kind: ServiceAccount + name: csi-snapshot-controller-sa + namespace: kube-system +roleRef: + kind: ClusterRole + name: csi-snapshot-controller-leaderelection-role + apiGroup: rbac.authorization.k8s.io diff --git a/deploy/v1.33.5/crd-csi-snapshot.yaml b/deploy/v1.33.5/crd-csi-snapshot.yaml new file mode 100644 index 0000000000..b82d729d5e --- /dev/null +++ b/deploy/v1.33.5/crd-csi-snapshot.yaml @@ -0,0 +1,951 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + api-approved.kubernetes.io: "https://github.com/kubernetes-csi/external-snapshotter/pull/814" + name: volumesnapshots.snapshot.storage.k8s.io +spec: + group: snapshot.storage.k8s.io + names: + kind: VolumeSnapshot + listKind: VolumeSnapshotList + plural: volumesnapshots + shortNames: + - vs + singular: volumesnapshot + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Indicates if the snapshot is ready to be used to restore a volume. + jsonPath: .status.readyToUse + name: ReadyToUse + type: boolean + - description: If a new snapshot needs to be created, this contains the name of + the source PVC from which this snapshot was (or will be) created. + jsonPath: .spec.source.persistentVolumeClaimName + name: SourcePVC + type: string + - description: If a snapshot already exists, this contains the name of the existing + VolumeSnapshotContent object representing the existing snapshot. + jsonPath: .spec.source.volumeSnapshotContentName + name: SourceSnapshotContent + type: string + - description: Represents the minimum size of volume required to rehydrate from + this snapshot. + jsonPath: .status.restoreSize + name: RestoreSize + type: string + - description: The name of the VolumeSnapshotClass requested by the VolumeSnapshot. + jsonPath: .spec.volumeSnapshotClassName + name: SnapshotClass + type: string + - description: Name of the VolumeSnapshotContent object to which the VolumeSnapshot + object intends to bind to. Please note that verification of binding actually + requires checking both VolumeSnapshot and VolumeSnapshotContent to ensure + both are pointing at each other. Binding MUST be verified prior to usage of + this object. + jsonPath: .status.boundVolumeSnapshotContentName + name: SnapshotContent + type: string + - description: Timestamp when the point-in-time snapshot was taken by the underlying + storage system. + jsonPath: .status.creationTime + name: CreationTime + type: date + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + VolumeSnapshot is a user's request for either creating a point-in-time + snapshot of a persistent volume, or binding to a pre-existing snapshot. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + spec defines the desired characteristics of a snapshot requested by a user. + More info: https://kubernetes.io/docs/concepts/storage/volume-snapshots#volumesnapshots + Required. + properties: + source: + description: |- + source specifies where a snapshot will be created from. + This field is immutable after creation. + Required. + properties: + persistentVolumeClaimName: + description: |- + persistentVolumeClaimName specifies the name of the PersistentVolumeClaim + object representing the volume from which a snapshot should be created. + This PVC is assumed to be in the same namespace as the VolumeSnapshot + object. + This field should be set if the snapshot does not exists, and needs to be + created. + This field is immutable. + type: string + x-kubernetes-validations: + - message: persistentVolumeClaimName is immutable + rule: self == oldSelf + volumeSnapshotContentName: + description: |- + volumeSnapshotContentName specifies the name of a pre-existing VolumeSnapshotContent + object representing an existing volume snapshot. + This field should be set if the snapshot already exists and only needs a representation in Kubernetes. + This field is immutable. + type: string + x-kubernetes-validations: + - message: volumeSnapshotContentName is immutable + rule: self == oldSelf + type: object + x-kubernetes-validations: + - message: persistentVolumeClaimName is required once set + rule: '!has(oldSelf.persistentVolumeClaimName) || has(self.persistentVolumeClaimName)' + - message: volumeSnapshotContentName is required once set + rule: '!has(oldSelf.volumeSnapshotContentName) || has(self.volumeSnapshotContentName)' + - message: exactly one of volumeSnapshotContentName and persistentVolumeClaimName + must be set + rule: (has(self.volumeSnapshotContentName) && !has(self.persistentVolumeClaimName)) + || (!has(self.volumeSnapshotContentName) && has(self.persistentVolumeClaimName)) + volumeSnapshotClassName: + description: |- + VolumeSnapshotClassName is the name of the VolumeSnapshotClass + requested by the VolumeSnapshot. + VolumeSnapshotClassName may be left nil to indicate that the default + SnapshotClass should be used. + A given cluster may have multiple default Volume SnapshotClasses: one + default per CSI Driver. If a VolumeSnapshot does not specify a SnapshotClass, + VolumeSnapshotSource will be checked to figure out what the associated + CSI Driver is, and the default VolumeSnapshotClass associated with that + CSI Driver will be used. If more than one VolumeSnapshotClass exist for + a given CSI Driver and more than one have been marked as default, + CreateSnapshot will fail and generate an event. + Empty string is not allowed for this field. + type: string + x-kubernetes-validations: + - message: volumeSnapshotClassName must not be the empty string when + set + rule: size(self) > 0 + required: + - source + type: object + status: + description: |- + status represents the current information of a snapshot. + Consumers must verify binding between VolumeSnapshot and + VolumeSnapshotContent objects is successful (by validating that both + VolumeSnapshot and VolumeSnapshotContent point at each other) before + using this object. + properties: + boundVolumeSnapshotContentName: + description: |- + boundVolumeSnapshotContentName is the name of the VolumeSnapshotContent + object to which this VolumeSnapshot object intends to bind to. + If not specified, it indicates that the VolumeSnapshot object has not been + successfully bound to a VolumeSnapshotContent object yet. + NOTE: To avoid possible security issues, consumers must verify binding between + VolumeSnapshot and VolumeSnapshotContent objects is successful (by validating that + both VolumeSnapshot and VolumeSnapshotContent point at each other) before using + this object. + type: string + creationTime: + description: |- + creationTime is the timestamp when the point-in-time snapshot is taken + by the underlying storage system. + In dynamic snapshot creation case, this field will be filled in by the + snapshot controller with the "creation_time" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "creation_time" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. + If not specified, it may indicate that the creation time of the snapshot is unknown. + format: date-time + type: string + error: + description: |- + error is the last observed error during snapshot creation, if any. + This field could be helpful to upper level controllers(i.e., application controller) + to decide whether they should continue on waiting for the snapshot to be created + based on the type of error reported. + The snapshot controller will keep retrying when an error occurs during the + snapshot creation. Upon success, this error field will be cleared. + properties: + message: + description: |- + message is a string detailing the encountered error during snapshot + creation if specified. + NOTE: message may be logged, and it should not contain sensitive + information. + type: string + time: + description: time is the timestamp when the error was encountered. + format: date-time + type: string + type: object + readyToUse: + description: |- + readyToUse indicates if the snapshot is ready to be used to restore a volume. + In dynamic snapshot creation case, this field will be filled in by the + snapshot controller with the "ready_to_use" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "ready_to_use" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it, + otherwise, this field will be set to "True". + If not specified, it means the readiness of a snapshot is unknown. + type: boolean + restoreSize: + type: string + description: |- + restoreSize represents the minimum size of volume required to create a volume + from this snapshot. + In dynamic snapshot creation case, this field will be filled in by the + snapshot controller with the "size_bytes" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "size_bytes" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. + When restoring a volume from this snapshot, the size of the volume MUST NOT + be smaller than the restoreSize if it is specified, otherwise the restoration will fail. + If not specified, it indicates that the size is unknown. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + volumeGroupSnapshotName: + description: |- + VolumeGroupSnapshotName is the name of the VolumeGroupSnapshot of which this + VolumeSnapshot is a part of. + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: Indicates if the snapshot is ready to be used to restore a volume. + jsonPath: .status.readyToUse + name: ReadyToUse + type: boolean + - description: If a new snapshot needs to be created, this contains the name of the source PVC from which this snapshot was (or will be) created. + jsonPath: .spec.source.persistentVolumeClaimName + name: SourcePVC + type: string + - description: If a snapshot already exists, this contains the name of the existing VolumeSnapshotContent object representing the existing snapshot. + jsonPath: .spec.source.volumeSnapshotContentName + name: SourceSnapshotContent + type: string + - description: Represents the minimum size of volume required to rehydrate from this snapshot. + jsonPath: .status.restoreSize + name: RestoreSize + type: string + - description: The name of the VolumeSnapshotClass requested by the VolumeSnapshot. + jsonPath: .spec.volumeSnapshotClassName + name: SnapshotClass + type: string + - description: Name of the VolumeSnapshotContent object to which the VolumeSnapshot object intends to bind to. Please note that verification of binding actually requires checking both VolumeSnapshot and VolumeSnapshotContent to ensure both are pointing at each other. Binding MUST be verified prior to usage of this object. + jsonPath: .status.boundVolumeSnapshotContentName + name: SnapshotContent + type: string + - description: Timestamp when the point-in-time snapshot was taken by the underlying storage system. + jsonPath: .status.creationTime + name: CreationTime + type: date + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + # This indicates the v1beta1 version of the custom resource is deprecated. + # API requests to this version receive a warning in the server response. + deprecated: true + # This overrides the default warning returned to clients making v1beta1 API requests. + deprecationWarning: "snapshot.storage.k8s.io/v1beta1 VolumeSnapshot is deprecated; use snapshot.storage.k8s.io/v1 VolumeSnapshot" + schema: + openAPIV3Schema: + description: VolumeSnapshot is a user's request for either creating a point-in-time snapshot of a persistent volume, or binding to a pre-existing snapshot. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + spec: + description: 'spec defines the desired characteristics of a snapshot requested by a user. More info: https://kubernetes.io/docs/concepts/storage/volume-snapshots#volumesnapshots Required.' + properties: + source: + description: source specifies where a snapshot will be created from. This field is immutable after creation. Required. + properties: + persistentVolumeClaimName: + description: persistentVolumeClaimName specifies the name of the PersistentVolumeClaim object representing the volume from which a snapshot should be created. This PVC is assumed to be in the same namespace as the VolumeSnapshot object. This field should be set if the snapshot does not exists, and needs to be created. This field is immutable. + type: string + volumeSnapshotContentName: + description: volumeSnapshotContentName specifies the name of a pre-existing VolumeSnapshotContent object representing an existing volume snapshot. This field should be set if the snapshot already exists and only needs a representation in Kubernetes. This field is immutable. + type: string + type: object + volumeSnapshotClassName: + description: 'VolumeSnapshotClassName is the name of the VolumeSnapshotClass requested by the VolumeSnapshot. VolumeSnapshotClassName may be left nil to indicate that the default SnapshotClass should be used. A given cluster may have multiple default Volume SnapshotClasses: one default per CSI Driver. If a VolumeSnapshot does not specify a SnapshotClass, VolumeSnapshotSource will be checked to figure out what the associated CSI Driver is, and the default VolumeSnapshotClass associated with that CSI Driver will be used. If more than one VolumeSnapshotClass exist for a given CSI Driver and more than one have been marked as default, CreateSnapshot will fail and generate an event. Empty string is not allowed for this field.' + type: string + required: + - source + type: object + status: + description: status represents the current information of a snapshot. Consumers must verify binding between VolumeSnapshot and VolumeSnapshotContent objects is successful (by validating that both VolumeSnapshot and VolumeSnapshotContent point at each other) before using this object. + properties: + boundVolumeSnapshotContentName: + description: 'boundVolumeSnapshotContentName is the name of the VolumeSnapshotContent object to which this VolumeSnapshot object intends to bind to. If not specified, it indicates that the VolumeSnapshot object has not been successfully bound to a VolumeSnapshotContent object yet. NOTE: To avoid possible security issues, consumers must verify binding between VolumeSnapshot and VolumeSnapshotContent objects is successful (by validating that both VolumeSnapshot and VolumeSnapshotContent point at each other) before using this object.' + type: string + creationTime: + description: creationTime is the timestamp when the point-in-time snapshot is taken by the underlying storage system. In dynamic snapshot creation case, this field will be filled in by the snapshot controller with the "creation_time" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "creation_time" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. If not specified, it may indicate that the creation time of the snapshot is unknown. + format: date-time + type: string + error: + description: error is the last observed error during snapshot creation, if any. This field could be helpful to upper level controllers(i.e., application controller) to decide whether they should continue on waiting for the snapshot to be created based on the type of error reported. The snapshot controller will keep retrying when an error occurs during the snapshot creation. Upon success, this error field will be cleared. + properties: + message: + description: 'message is a string detailing the encountered error during snapshot creation if specified. NOTE: message may be logged, and it should not contain sensitive information.' + type: string + time: + description: time is the timestamp when the error was encountered. + format: date-time + type: string + type: object + readyToUse: + description: readyToUse indicates if the snapshot is ready to be used to restore a volume. In dynamic snapshot creation case, this field will be filled in by the snapshot controller with the "ready_to_use" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "ready_to_use" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it, otherwise, this field will be set to "True". If not specified, it means the readiness of a snapshot is unknown. + type: boolean + restoreSize: + type: string + description: restoreSize represents the minimum size of volume required to create a volume from this snapshot. In dynamic snapshot creation case, this field will be filled in by the snapshot controller with the "size_bytes" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "size_bytes" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. When restoring a volume from this snapshot, the size of the volume MUST NOT be smaller than the restoreSize if it is specified, otherwise the restoration will fail. If not specified, it indicates that the size is unknown. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + required: + - spec + type: object + served: false + storage: false + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: "https://github.com/kubernetes-csi/external-snapshotter/pull/814" + controller-gen.kubebuilder.io/version: v0.15.0 + name: volumesnapshotclasses.snapshot.storage.k8s.io +spec: + group: snapshot.storage.k8s.io + names: + kind: VolumeSnapshotClass + listKind: VolumeSnapshotClassList + plural: volumesnapshotclasses + shortNames: + - vsclass + - vsclasses + singular: volumesnapshotclass + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .driver + name: Driver + type: string + - description: Determines whether a VolumeSnapshotContent created through the + VolumeSnapshotClass should be deleted when its bound VolumeSnapshot is deleted. + jsonPath: .deletionPolicy + name: DeletionPolicy + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + VolumeSnapshotClass specifies parameters that a underlying storage system uses when + creating a volume snapshot. A specific VolumeSnapshotClass is used by specifying its + name in a VolumeSnapshot object. + VolumeSnapshotClasses are non-namespaced + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + deletionPolicy: + description: |- + deletionPolicy determines whether a VolumeSnapshotContent created through + the VolumeSnapshotClass should be deleted when its bound VolumeSnapshot is deleted. + Supported values are "Retain" and "Delete". + "Retain" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are kept. + "Delete" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are deleted. + Required. + enum: + - Delete + - Retain + type: string + driver: + description: |- + driver is the name of the storage driver that handles this VolumeSnapshotClass. + Required. + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + parameters: + additionalProperties: + type: string + description: |- + parameters is a key-value map with storage driver specific parameters for creating snapshots. + These values are opaque to Kubernetes. + type: object + required: + - deletionPolicy + - driver + type: object + served: true + storage: true + subresources: {} + - additionalPrinterColumns: + - jsonPath: .driver + name: Driver + type: string + - description: Determines whether a VolumeSnapshotContent created through the VolumeSnapshotClass should be deleted when its bound VolumeSnapshot is deleted. + jsonPath: .deletionPolicy + name: DeletionPolicy + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + # This indicates the v1beta1 version of the custom resource is deprecated. + # API requests to this version receive a warning in the server response. + deprecated: true + # This overrides the default warning returned to clients making v1beta1 API requests. + deprecationWarning: "snapshot.storage.k8s.io/v1beta1 VolumeSnapshotClass is deprecated; use snapshot.storage.k8s.io/v1 VolumeSnapshotClass" + schema: + openAPIV3Schema: + description: VolumeSnapshotClass specifies parameters that a underlying storage system uses when creating a volume snapshot. A specific VolumeSnapshotClass is used by specifying its name in a VolumeSnapshot object. VolumeSnapshotClasses are non-namespaced + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + deletionPolicy: + description: deletionPolicy determines whether a VolumeSnapshotContent created through the VolumeSnapshotClass should be deleted when its bound VolumeSnapshot is deleted. Supported values are "Retain" and "Delete". "Retain" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are kept. "Delete" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are deleted. Required. + enum: + - Delete + - Retain + type: string + driver: + description: driver is the name of the storage driver that handles this VolumeSnapshotClass. Required. + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + parameters: + additionalProperties: + type: string + description: parameters is a key-value map with storage driver specific parameters for creating snapshots. These values are opaque to Kubernetes. + type: object + required: + - deletionPolicy + - driver + type: object + served: false + storage: false + subresources: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + api-approved.kubernetes.io: "https://github.com/kubernetes-csi/external-snapshotter/pull/955" + name: volumesnapshotcontents.snapshot.storage.k8s.io +spec: + group: snapshot.storage.k8s.io + names: + kind: VolumeSnapshotContent + listKind: VolumeSnapshotContentList + plural: volumesnapshotcontents + shortNames: + - vsc + - vscs + singular: volumesnapshotcontent + scope: Cluster + versions: + - additionalPrinterColumns: + - description: Indicates if the snapshot is ready to be used to restore a volume. + jsonPath: .status.readyToUse + name: ReadyToUse + type: boolean + - description: Represents the complete size of the snapshot in bytes + jsonPath: .status.restoreSize + name: RestoreSize + type: integer + - description: Determines whether this VolumeSnapshotContent and its physical + snapshot on the underlying storage system should be deleted when its bound + VolumeSnapshot is deleted. + jsonPath: .spec.deletionPolicy + name: DeletionPolicy + type: string + - description: Name of the CSI driver used to create the physical snapshot on + the underlying storage system. + jsonPath: .spec.driver + name: Driver + type: string + - description: Name of the VolumeSnapshotClass to which this snapshot belongs. + jsonPath: .spec.volumeSnapshotClassName + name: VolumeSnapshotClass + type: string + - description: Name of the VolumeSnapshot object to which this VolumeSnapshotContent + object is bound. + jsonPath: .spec.volumeSnapshotRef.name + name: VolumeSnapshot + type: string + - description: Namespace of the VolumeSnapshot object to which this VolumeSnapshotContent + object is bound. + jsonPath: .spec.volumeSnapshotRef.namespace + name: VolumeSnapshotNamespace + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + VolumeSnapshotContent represents the actual "on-disk" snapshot object in the + underlying storage system + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + spec defines properties of a VolumeSnapshotContent created by the underlying storage system. + Required. + properties: + deletionPolicy: + description: |- + deletionPolicy determines whether this VolumeSnapshotContent and its physical snapshot on + the underlying storage system should be deleted when its bound VolumeSnapshot is deleted. + Supported values are "Retain" and "Delete". + "Retain" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are kept. + "Delete" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are deleted. + For dynamically provisioned snapshots, this field will automatically be filled in by the + CSI snapshotter sidecar with the "DeletionPolicy" field defined in the corresponding + VolumeSnapshotClass. + For pre-existing snapshots, users MUST specify this field when creating the + VolumeSnapshotContent object. + Required. + enum: + - Delete + - Retain + type: string + driver: + description: |- + driver is the name of the CSI driver used to create the physical snapshot on + the underlying storage system. + This MUST be the same as the name returned by the CSI GetPluginName() call for + that driver. + Required. + type: string + source: + description: |- + source specifies whether the snapshot is (or should be) dynamically provisioned + or already exists, and just requires a Kubernetes object representation. + This field is immutable after creation. + Required. + properties: + snapshotHandle: + description: |- + snapshotHandle specifies the CSI "snapshot_id" of a pre-existing snapshot on + the underlying storage system for which a Kubernetes object representation + was (or should be) created. + This field is immutable. + type: string + x-kubernetes-validations: + - message: snapshotHandle is immutable + rule: self == oldSelf + volumeHandle: + description: |- + volumeHandle specifies the CSI "volume_id" of the volume from which a snapshot + should be dynamically taken from. + This field is immutable. + type: string + x-kubernetes-validations: + - message: volumeHandle is immutable + rule: self == oldSelf + type: object + x-kubernetes-validations: + - message: volumeHandle is required once set + rule: '!has(oldSelf.volumeHandle) || has(self.volumeHandle)' + - message: snapshotHandle is required once set + rule: '!has(oldSelf.snapshotHandle) || has(self.snapshotHandle)' + - message: exactly one of volumeHandle and snapshotHandle must be + set + rule: (has(self.volumeHandle) && !has(self.snapshotHandle)) || (!has(self.volumeHandle) + && has(self.snapshotHandle)) + sourceVolumeMode: + description: |- + SourceVolumeMode is the mode of the volume whose snapshot is taken. + Can be either "Filesystem" or "Block". + If not specified, it indicates the source volume's mode is unknown. + This field is immutable. + This field is an alpha field. + type: string + x-kubernetes-validations: + - message: sourceVolumeMode is immutable + rule: self == oldSelf + volumeSnapshotClassName: + description: |- + name of the VolumeSnapshotClass from which this snapshot was (or will be) + created. + Note that after provisioning, the VolumeSnapshotClass may be deleted or + recreated with different set of values, and as such, should not be referenced + post-snapshot creation. + type: string + volumeSnapshotRef: + description: |- + volumeSnapshotRef specifies the VolumeSnapshot object to which this + VolumeSnapshotContent object is bound. + VolumeSnapshot.Spec.VolumeSnapshotContentName field must reference to + this VolumeSnapshotContent's name for the bidirectional binding to be valid. + For a pre-existing VolumeSnapshotContent object, name and namespace of the + VolumeSnapshot object MUST be provided for binding to happen. + This field is immutable after creation. + Required. + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. + type: string + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + namespace: + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + type: string + resourceVersion: + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + type: string + uid: + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + type: string + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: both spec.volumeSnapshotRef.name and spec.volumeSnapshotRef.namespace + must be set + rule: has(self.name) && has(self.__namespace__) + required: + - deletionPolicy + - driver + - source + - volumeSnapshotRef + type: object + x-kubernetes-validations: + - message: sourceVolumeMode is required once set + rule: '!has(oldSelf.sourceVolumeMode) || has(self.sourceVolumeMode)' + status: + description: status represents the current information of a snapshot. + properties: + creationTime: + description: |- + creationTime is the timestamp when the point-in-time snapshot is taken + by the underlying storage system. + In dynamic snapshot creation case, this field will be filled in by the + CSI snapshotter sidecar with the "creation_time" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "creation_time" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. + If not specified, it indicates the creation time is unknown. + The format of this field is a Unix nanoseconds time encoded as an int64. + On Unix, the command `date +%s%N` returns the current time in nanoseconds + since 1970-01-01 00:00:00 UTC. + format: int64 + type: integer + error: + description: |- + error is the last observed error during snapshot creation, if any. + Upon success after retry, this error field will be cleared. + properties: + message: + description: |- + message is a string detailing the encountered error during snapshot + creation if specified. + NOTE: message may be logged, and it should not contain sensitive + information. + type: string + time: + description: time is the timestamp when the error was encountered. + format: date-time + type: string + type: object + readyToUse: + description: |- + readyToUse indicates if a snapshot is ready to be used to restore a volume. + In dynamic snapshot creation case, this field will be filled in by the + CSI snapshotter sidecar with the "ready_to_use" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "ready_to_use" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it, + otherwise, this field will be set to "True". + If not specified, it means the readiness of a snapshot is unknown. + type: boolean + restoreSize: + description: |- + restoreSize represents the complete size of the snapshot in bytes. + In dynamic snapshot creation case, this field will be filled in by the + CSI snapshotter sidecar with the "size_bytes" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "size_bytes" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. + When restoring a volume from this snapshot, the size of the volume MUST NOT + be smaller than the restoreSize if it is specified, otherwise the restoration will fail. + If not specified, it indicates that the size is unknown. + format: int64 + minimum: 0 + type: integer + snapshotHandle: + description: |- + snapshotHandle is the CSI "snapshot_id" of a snapshot on the underlying storage system. + If not specified, it indicates that dynamic snapshot creation has either failed + or it is still in progress. + type: string + volumeGroupSnapshotHandle: + description: |- + VolumeGroupSnapshotHandle is the CSI "group_snapshot_id" of a group snapshot + on the underlying storage system. + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: Indicates if the snapshot is ready to be used to restore a volume. + jsonPath: .status.readyToUse + name: ReadyToUse + type: boolean + - description: Represents the complete size of the snapshot in bytes + jsonPath: .status.restoreSize + name: RestoreSize + type: integer + - description: Determines whether this VolumeSnapshotContent and its physical snapshot on the underlying storage system should be deleted when its bound VolumeSnapshot is deleted. + jsonPath: .spec.deletionPolicy + name: DeletionPolicy + type: string + - description: Name of the CSI driver used to create the physical snapshot on the underlying storage system. + jsonPath: .spec.driver + name: Driver + type: string + - description: Name of the VolumeSnapshotClass to which this snapshot belongs. + jsonPath: .spec.volumeSnapshotClassName + name: VolumeSnapshotClass + type: string + - description: Name of the VolumeSnapshot object to which this VolumeSnapshotContent object is bound. + jsonPath: .spec.volumeSnapshotRef.name + name: VolumeSnapshot + type: string + - description: Namespace of the VolumeSnapshot object to which this VolumeSnapshotContent object is bound. + jsonPath: .spec.volumeSnapshotRef.namespace + name: VolumeSnapshotNamespace + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + # This indicates the v1beta1 version of the custom resource is deprecated. + # API requests to this version receive a warning in the server response. + deprecated: true + # This overrides the default warning returned to clients making v1beta1 API requests. + deprecationWarning: "snapshot.storage.k8s.io/v1beta1 VolumeSnapshotContent is deprecated; use snapshot.storage.k8s.io/v1 VolumeSnapshotContent" + schema: + openAPIV3Schema: + description: VolumeSnapshotContent represents the actual "on-disk" snapshot object in the underlying storage system + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + spec: + description: spec defines properties of a VolumeSnapshotContent created by the underlying storage system. Required. + properties: + deletionPolicy: + description: deletionPolicy determines whether this VolumeSnapshotContent and its physical snapshot on the underlying storage system should be deleted when its bound VolumeSnapshot is deleted. Supported values are "Retain" and "Delete". "Retain" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are kept. "Delete" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are deleted. For dynamically provisioned snapshots, this field will automatically be filled in by the CSI snapshotter sidecar with the "DeletionPolicy" field defined in the corresponding VolumeSnapshotClass. For pre-existing snapshots, users MUST specify this field when creating the VolumeSnapshotContent object. Required. + enum: + - Delete + - Retain + type: string + driver: + description: driver is the name of the CSI driver used to create the physical snapshot on the underlying storage system. This MUST be the same as the name returned by the CSI GetPluginName() call for that driver. Required. + type: string + source: + description: source specifies whether the snapshot is (or should be) dynamically provisioned or already exists, and just requires a Kubernetes object representation. This field is immutable after creation. Required. + properties: + snapshotHandle: + description: snapshotHandle specifies the CSI "snapshot_id" of a pre-existing snapshot on the underlying storage system for which a Kubernetes object representation was (or should be) created. This field is immutable. + type: string + volumeHandle: + description: volumeHandle specifies the CSI "volume_id" of the volume from which a snapshot should be dynamically taken from. This field is immutable. + type: string + type: object + volumeSnapshotClassName: + description: name of the VolumeSnapshotClass from which this snapshot was (or will be) created. Note that after provisioning, the VolumeSnapshotClass may be deleted or recreated with different set of values, and as such, should not be referenced post-snapshot creation. + type: string + volumeSnapshotRef: + description: volumeSnapshotRef specifies the VolumeSnapshot object to which this VolumeSnapshotContent object is bound. VolumeSnapshot.Spec.VolumeSnapshotContentName field must reference to this VolumeSnapshotContent's name for the bidirectional binding to be valid. For a pre-existing VolumeSnapshotContent object, name and namespace of the VolumeSnapshot object MUST be provided for binding to happen. This field is immutable after creation. Required. + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + required: + - deletionPolicy + - driver + - source + - volumeSnapshotRef + type: object + status: + description: status represents the current information of a snapshot. + properties: + creationTime: + description: creationTime is the timestamp when the point-in-time snapshot is taken by the underlying storage system. In dynamic snapshot creation case, this field will be filled in by the CSI snapshotter sidecar with the "creation_time" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "creation_time" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. If not specified, it indicates the creation time is unknown. The format of this field is a Unix nanoseconds time encoded as an int64. On Unix, the command `date +%s%N` returns the current time in nanoseconds since 1970-01-01 00:00:00 UTC. + format: int64 + type: integer + error: + description: error is the last observed error during snapshot creation, if any. Upon success after retry, this error field will be cleared. + properties: + message: + description: 'message is a string detailing the encountered error during snapshot creation if specified. NOTE: message may be logged, and it should not contain sensitive information.' + type: string + time: + description: time is the timestamp when the error was encountered. + format: date-time + type: string + type: object + readyToUse: + description: readyToUse indicates if a snapshot is ready to be used to restore a volume. In dynamic snapshot creation case, this field will be filled in by the CSI snapshotter sidecar with the "ready_to_use" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "ready_to_use" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it, otherwise, this field will be set to "True". If not specified, it means the readiness of a snapshot is unknown. + type: boolean + restoreSize: + description: restoreSize represents the complete size of the snapshot in bytes. In dynamic snapshot creation case, this field will be filled in by the CSI snapshotter sidecar with the "size_bytes" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "size_bytes" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. When restoring a volume from this snapshot, the size of the volume MUST NOT be smaller than the restoreSize if it is specified, otherwise the restoration will fail. If not specified, it indicates that the size is unknown. + format: int64 + minimum: 0 + type: integer + snapshotHandle: + description: snapshotHandle is the CSI "snapshot_id" of a snapshot on the underlying storage system. If not specified, it indicates that dynamic snapshot creation has either failed or it is still in progress. + type: string + type: object + required: + - spec + type: object + served: false + storage: false + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/deploy/v1.33.5/csi-azurefile-controller.yaml b/deploy/v1.33.5/csi-azurefile-controller.yaml new file mode 100644 index 0000000000..6e18232463 --- /dev/null +++ b/deploy/v1.33.5/csi-azurefile-controller.yaml @@ -0,0 +1,200 @@ +--- +kind: Deployment +apiVersion: apps/v1 +metadata: + name: csi-azurefile-controller + namespace: kube-system +spec: + replicas: 2 + selector: + matchLabels: + app: csi-azurefile-controller + template: + metadata: + labels: + app: csi-azurefile-controller + spec: + hostNetwork: true # only required for MSI enabled cluster + serviceAccountName: csi-azurefile-controller-sa + nodeSelector: + kubernetes.io/os: linux # add "kubernetes.io/role: master" to run controller on master node + priorityClassName: system-cluster-critical + securityContext: + seccompProfile: + type: RuntimeDefault + tolerations: + - key: "node-role.kubernetes.io/master" + operator: "Exists" + effect: "NoSchedule" + - key: "node-role.kubernetes.io/controlplane" + operator: "Exists" + effect: "NoSchedule" + - key: "node-role.kubernetes.io/control-plane" + operator: "Exists" + effect: "NoSchedule" + - key: "CriticalAddonsOnly" + operator: "Exists" + effect: "NoSchedule" + containers: + - name: csi-provisioner + image: mcr.microsoft.com/oss/v2/kubernetes-csi/csi-provisioner:v5.3.0 + args: + - "-v=2" + - "--csi-address=$(ADDRESS)" + - "--leader-election" + - "--leader-election-namespace=kube-system" + - "--timeout=1200s" + - "--extra-create-metadata=true" + - "--kube-api-qps=50" + - "--kube-api-burst=100" + - "--feature-gates=HonorPVReclaimPolicy=true" + - "--retry-interval-max=30m" + env: + - name: ADDRESS + value: /csi/csi.sock + volumeMounts: + - mountPath: /csi + name: socket-dir + resources: + limits: + memory: 500Mi + requests: + cpu: 10m + memory: 20Mi + securityContext: + capabilities: + drop: + - ALL + - name: csi-snapshotter + image: mcr.microsoft.com/oss/v2/kubernetes-csi/csi-snapshotter:v8.3.0 + args: + - "-v=2" + - "-csi-address=$(ADDRESS)" + - "--leader-election" + - "--leader-election-namespace=kube-system" + - "--retry-interval-max=30m" + env: + - name: ADDRESS + value: /csi/csi.sock + volumeMounts: + - name: socket-dir + mountPath: /csi + resources: + limits: + memory: 200Mi + requests: + cpu: 10m + memory: 20Mi + securityContext: + capabilities: + drop: + - ALL + - name: csi-resizer + image: mcr.microsoft.com/oss/v2/kubernetes-csi/csi-resizer:v1.14.0 + args: + - "-csi-address=$(ADDRESS)" + - "-v=2" + - "--leader-election" + - "--leader-election-namespace=kube-system" + - '-handle-volume-inuse-error=false' + - '-feature-gates=RecoverVolumeExpansionFailure=true' + - '-timeout=120s' + - "--retry-interval-max=30m" + env: + - name: ADDRESS + value: /csi/csi.sock + volumeMounts: + - name: socket-dir + mountPath: /csi + resources: + limits: + memory: 500Mi + requests: + cpu: 10m + memory: 20Mi + securityContext: + capabilities: + drop: + - ALL + - name: liveness-probe + image: mcr.microsoft.com/oss/v2/kubernetes-csi/livenessprobe:v2.16.0 + args: + - --csi-address=/csi/csi.sock + - --probe-timeout=3s + - --http-endpoint=localhost:29612 + - --v=2 + volumeMounts: + - name: socket-dir + mountPath: /csi + resources: + limits: + memory: 100Mi + requests: + cpu: 10m + memory: 20Mi + securityContext: + capabilities: + drop: + - ALL + - name: azurefile + image: mcr.microsoft.com/oss/v2/kubernetes-csi/azurefile-csi:v1.33.5 + imagePullPolicy: IfNotPresent + args: + - "--v=5" + - "--endpoint=$(CSI_ENDPOINT)" + - "--metrics-address=0.0.0.0:29614" + - "--user-agent-suffix=OSS-kubectl" + ports: + - containerPort: 29614 + name: metrics + protocol: TCP + livenessProbe: + failureThreshold: 5 + httpGet: + host: localhost + path: /healthz + port: 29612 + initialDelaySeconds: 30 + timeoutSeconds: 10 + periodSeconds: 30 + env: + - name: AZURE_CREDENTIAL_FILE + valueFrom: + configMapKeyRef: + name: azure-cred-file + key: path + optional: true + - name: CSI_ENDPOINT + value: unix:///csi/csi.sock + - name: AZCOPY_CONCURRENCY_VALUE + value: "10" + - name: AZCOPY_CONCURRENT_FILES + value: "20" + - name: AZCOPY_BUFFER_GB + value: "1" + volumeMounts: + - mountPath: /csi + name: socket-dir + - mountPath: /root/.azcopy + name: azcopy-dir + - mountPath: /etc/kubernetes/ + name: azure-cred + resources: + limits: + memory: 800Mi + requests: + cpu: 10m + memory: 20Mi + securityContext: + capabilities: + drop: + - ALL + volumes: + - name: socket-dir + emptyDir: {} + - name: azcopy-dir + emptyDir: {} + - name: azure-cred + hostPath: + path: /etc/kubernetes/ + type: DirectoryOrCreate diff --git a/deploy/v1.33.5/csi-azurefile-driver.yaml b/deploy/v1.33.5/csi-azurefile-driver.yaml new file mode 100644 index 0000000000..fef0d4b3ff --- /dev/null +++ b/deploy/v1.33.5/csi-azurefile-driver.yaml @@ -0,0 +1,17 @@ +--- +apiVersion: storage.k8s.io/v1 +kind: CSIDriver +metadata: + name: file.csi.azure.com + annotations: + csiDriver: v1.33.0 + snapshot: v6.2.2 +spec: + attachRequired: false + podInfoOnMount: true + volumeLifecycleModes: + - Persistent + - Ephemeral + fsGroupPolicy: ReadWriteOnceWithFSType + tokenRequests: + - audience: api://AzureADTokenExchange diff --git a/deploy/v1.33.5/csi-azurefile-node-windows-hostprocess.yaml b/deploy/v1.33.5/csi-azurefile-node-windows-hostprocess.yaml new file mode 100644 index 0000000000..fc9dd1b696 --- /dev/null +++ b/deploy/v1.33.5/csi-azurefile-node-windows-hostprocess.yaml @@ -0,0 +1,122 @@ +--- +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: csi-azurefile-node-win + namespace: kube-system +spec: + updateStrategy: + rollingUpdate: + maxUnavailable: 1 + type: RollingUpdate + selector: + matchLabels: + app: csi-azurefile-node-win + template: + metadata: + labels: + app: csi-azurefile-node-win + spec: + serviceAccountName: csi-azurefile-node-sa + tolerations: + - key: "node.kubernetes.io/os" + operator: "Exists" + effect: "NoSchedule" + nodeSelector: + kubernetes.io/os: windows + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: type + operator: NotIn + values: + - virtual-kubelet + priorityClassName: system-node-critical + securityContext: + seccompProfile: + type: RuntimeDefault + windowsOptions: + hostProcess: true + runAsUserName: "NT AUTHORITY\\SYSTEM" + hostNetwork: true + initContainers: + - name: init + image: mcr.microsoft.com/oss/v2/kubernetes-csi/azurefile-csi:v1.33.5-windows-hp + imagePullPolicy: IfNotPresent + command: + - "powershell.exe" + - "-c" + - "New-Item -ItemType Directory -Path C:\\var\\lib\\kubelet\\plugins\\file.csi.azure.com\\ -Force" + securityContext: + capabilities: + drop: + - ALL + containers: + - name: node-driver-registrar + image: mcr.microsoft.com/oss/v2/kubernetes-csi/csi-node-driver-registrar:v2.14.0 + imagePullPolicy: IfNotPresent + command: + - "csi-node-driver-registrar.exe" + args: + - "--v=2" + - "--csi-address=$(CSI_ENDPOINT)" + - "--kubelet-registration-path=$(DRIVER_REG_SOCK_PATH)" + - "--plugin-registration-path=$(PLUGIN_REG_DIR)" + env: + - name: CSI_ENDPOINT + value: unix://C:\\var\\lib\\kubelet\\plugins\\file.csi.azure.com\\csi.sock + - name: DRIVER_REG_SOCK_PATH + value: C:\\var\\lib\\kubelet\\plugins\\file.csi.azure.com\\csi.sock + - name: PLUGIN_REG_DIR + value: C:\\var\\lib\\kubelet\\plugins_registry\\ + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + resources: + limits: + memory: 150Mi + requests: + cpu: 30m + memory: 40Mi + securityContext: + capabilities: + drop: + - ALL + - name: azurefile + image: mcr.microsoft.com/oss/v2/kubernetes-csi/azurefile-csi:v1.33.5-windows-hp + imagePullPolicy: IfNotPresent + command: + - "azurefileplugin.exe" + args: + - --v=5 + - --endpoint=$(CSI_ENDPOINT) + - --nodeid=$(KUBE_NODE_NAME) + - --enable-windows-host-process=true + - --metrics-address="0.0.0.0:29615" + env: + - name: AZURE_CREDENTIAL_FILE + valueFrom: + configMapKeyRef: + name: azure-cred-file + key: path-windows + optional: true + - name: CSI_ENDPOINT + value: unix://C:\\var\\lib\\kubelet\\plugins\\file.csi.azure.com\\csi.sock + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + resources: + limits: + memory: 600Mi + requests: + cpu: 10m + memory: 40Mi + securityContext: + capabilities: + drop: + - ALL diff --git a/deploy/v1.33.5/csi-azurefile-node-windows.yaml b/deploy/v1.33.5/csi-azurefile-node-windows.yaml new file mode 100644 index 0000000000..a8ae6ac951 --- /dev/null +++ b/deploy/v1.33.5/csi-azurefile-node-windows.yaml @@ -0,0 +1,187 @@ +--- +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: csi-azurefile-node-win + namespace: kube-system +spec: + updateStrategy: + rollingUpdate: + maxUnavailable: 1 + type: RollingUpdate + selector: + matchLabels: + app: csi-azurefile-node-win + template: + metadata: + labels: + app: csi-azurefile-node-win + spec: + serviceAccountName: csi-azurefile-node-sa + tolerations: + - key: "node.kubernetes.io/os" + operator: "Exists" + effect: "NoSchedule" + nodeSelector: + kubernetes.io/os: windows + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: type + operator: NotIn + values: + - virtual-kubelet + priorityClassName: system-node-critical + securityContext: + seccompProfile: + type: RuntimeDefault + containers: + - name: liveness-probe + volumeMounts: + - mountPath: C:\csi + name: plugin-dir + image: mcr.microsoft.com/oss/kubernetes-csi/livenessprobe:v2.15.0 + args: + - --csi-address=$(CSI_ENDPOINT) + - --probe-timeout=3s + - --health-port=29613 + - --v=2 + env: + - name: CSI_ENDPOINT + value: unix://C:\\csi\\csi.sock + resources: + limits: + memory: 150Mi + requests: + cpu: 10m + memory: 40Mi + securityContext: + capabilities: + drop: + - ALL + - name: node-driver-registrar + image: mcr.microsoft.com/oss/v2/kubernetes-csi/csi-node-driver-registrar:v2.13.0 + args: + - --v=2 + - --csi-address=$(CSI_ENDPOINT) + - --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH) + env: + - name: CSI_ENDPOINT + value: unix://C:\\csi\\csi.sock + - name: DRIVER_REG_SOCK_PATH + value: C:\\var\\lib\\kubelet\\plugins\\file.csi.azure.com\\csi.sock + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + volumeMounts: + - name: kubelet-dir + mountPath: "C:\\var\\lib\\kubelet" + - name: plugin-dir + mountPath: C:\csi + - name: registration-dir + mountPath: C:\registration + resources: + limits: + memory: 150Mi + requests: + cpu: 30m + memory: 40Mi + securityContext: + capabilities: + drop: + - ALL + - name: azurefile + image: mcr.microsoft.com/oss/kubernetes-csi/azurefile-csi:v1.33.5 + imagePullPolicy: IfNotPresent + args: + - --v=5 + - --endpoint=$(CSI_ENDPOINT) + - --nodeid=$(KUBE_NODE_NAME) + - --metrics-address="0.0.0.0:29615" + ports: + - containerPort: 29613 + name: healthz + protocol: TCP + livenessProbe: + failureThreshold: 5 + httpGet: + path: /healthz + port: healthz + initialDelaySeconds: 60 + timeoutSeconds: 60 + periodSeconds: 60 + env: + - name: AZURE_CREDENTIAL_FILE + valueFrom: + configMapKeyRef: + name: azure-cred-file + key: path-windows + optional: true + - name: CSI_ENDPOINT + value: unix://C:\\csi\\csi.sock + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + volumeMounts: + - name: kubelet-dir + mountPath: "C:\\var\\lib\\kubelet" + - name: plugin-dir + mountPath: C:\csi + - name: azure-config + mountPath: C:\k + - name: csi-proxy-fs-pipe-v1 + mountPath: \\.\pipe\csi-proxy-filesystem-v1 + - name: csi-proxy-smb-pipe-v1 + mountPath: \\.\pipe\csi-proxy-smb-v1 + # these paths are still included for compatibility, they're used + # only if the node has still the beta version of the CSI proxy + - name: csi-proxy-fs-pipe-v1beta1 + mountPath: \\.\pipe\csi-proxy-filesystem-v1beta1 + - name: csi-proxy-smb-pipe-v1beta1 + mountPath: \\.\pipe\csi-proxy-smb-v1beta1 + resources: + limits: + memory: 200Mi + requests: + cpu: 10m + memory: 40Mi + securityContext: + capabilities: + drop: + - ALL + volumes: + - name: csi-proxy-fs-pipe-v1 + hostPath: + path: \\.\pipe\csi-proxy-filesystem-v1 + - name: csi-proxy-smb-pipe-v1 + hostPath: + path: \\.\pipe\csi-proxy-smb-v1 + # these paths are still included for compatibility, they're used + # only if the node has still the beta version of the CSI proxy + - name: csi-proxy-fs-pipe-v1beta1 + hostPath: + path: \\.\pipe\csi-proxy-filesystem-v1beta1 + - name: csi-proxy-smb-pipe-v1beta1 + hostPath: + path: \\.\pipe\csi-proxy-smb-v1beta1 + - name: registration-dir + hostPath: + path: C:\var\lib\kubelet\plugins_registry\ + type: Directory + - name: kubelet-dir + hostPath: + path: C:\var\lib\kubelet\ + type: Directory + - name: plugin-dir + hostPath: + path: C:\var\lib\kubelet\plugins\file.csi.azure.com\ + type: DirectoryOrCreate + - name: azure-config + hostPath: + path: C:\k + type: DirectoryOrCreate diff --git a/deploy/v1.33.5/csi-azurefile-node.yaml b/deploy/v1.33.5/csi-azurefile-node.yaml new file mode 100644 index 0000000000..ba80402c83 --- /dev/null +++ b/deploy/v1.33.5/csi-azurefile-node.yaml @@ -0,0 +1,203 @@ +--- +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: csi-azurefile-node + namespace: kube-system +spec: + updateStrategy: + rollingUpdate: + maxUnavailable: 1 + type: RollingUpdate + selector: + matchLabels: + app: csi-azurefile-node + template: + metadata: + labels: + app: csi-azurefile-node + spec: + hostNetwork: true + hostPID: true + dnsPolicy: Default + serviceAccountName: csi-azurefile-node-sa + nodeSelector: + kubernetes.io/os: linux + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: type + operator: NotIn + values: + - virtual-kubelet + priorityClassName: system-node-critical + securityContext: + seccompProfile: + type: RuntimeDefault + tolerations: + - operator: "Exists" + initContainers: + - name: install-azurefile-proxy + image: mcr.microsoft.com/oss/v2/kubernetes-csi/azurefile-csi:v1.33.5 + imagePullPolicy: IfNotPresent + command: + - "/azurefile-proxy/init.sh" + securityContext: + privileged: true + capabilities: + drop: + - ALL + env: + - name: DEBIAN_FRONTEND + value: "noninteractive" + - name: AZNFS_NONINTERACTIVE_INSTALL + value: "1" + - name: INSTALL_AZUREFILE_PROXY + value: "true" + - name: INSTALL_AZNFS_MOUNT + value: "true" + volumeMounts: + - name: host-usr + mountPath: /host/usr + - name: host-etc + mountPath: /host/etc + containers: + - name: liveness-probe + volumeMounts: + - mountPath: /csi + name: socket-dir + image: mcr.microsoft.com/oss/v2/kubernetes-csi/livenessprobe:v2.16.0 + args: + - --csi-address=/csi/csi.sock + - --probe-timeout=3s + - --http-endpoint=localhost:29613 + - --v=2 + resources: + limits: + memory: 100Mi + requests: + cpu: 10m + memory: 20Mi + securityContext: + capabilities: + drop: + - ALL + - name: node-driver-registrar + image: mcr.microsoft.com/oss/v2/kubernetes-csi/csi-node-driver-registrar:v2.14.0 + args: + - --csi-address=$(ADDRESS) + - --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH) + - --v=2 + env: + - name: ADDRESS + value: /csi/csi.sock + - name: DRIVER_REG_SOCK_PATH + value: /var/lib/kubelet/plugins/file.csi.azure.com/csi.sock + volumeMounts: + - name: socket-dir + mountPath: /csi + - name: registration-dir + mountPath: /registration + resources: + limits: + memory: 100Mi + requests: + cpu: 10m + memory: 20Mi + securityContext: + capabilities: + drop: + - ALL + - name: azurefile + image: mcr.microsoft.com/oss/v2/kubernetes-csi/azurefile-csi:v1.33.5 + imagePullPolicy: IfNotPresent + args: + - "--v=5" + - "--endpoint=$(CSI_ENDPOINT)" + - "--enable-azurefile-proxy=true" + - "--azurefile-proxy-endpoint=$(AZUREFILE_PROXY_ENDPOINT)" + - "--nodeid=$(KUBE_NODE_NAME)" + - "--metrics-address=0.0.0.0:29615" + - "--enable-kata-cc-mount=true" + livenessProbe: + failureThreshold: 5 + httpGet: + host: localhost + path: /healthz + port: 29613 + initialDelaySeconds: 30 + timeoutSeconds: 10 + periodSeconds: 30 + env: + - name: AZURE_CREDENTIAL_FILE + valueFrom: + configMapKeyRef: + name: azure-cred-file + key: path + optional: true + - name: CSI_ENDPOINT + value: unix:///csi/csi.sock + - name: AZUREFILE_PROXY_ENDPOINT + value: unix:///csi/azurefile-proxy.sock + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + securityContext: + privileged: true + capabilities: + drop: + - ALL + volumeMounts: + - mountPath: /csi + name: socket-dir + - mountPath: /var/lib/kubelet/ + mountPropagation: Bidirectional + name: mountpoint-dir + - mountPath: /etc/kubernetes/ + name: azure-cred + - mountPath: /dev + name: device-dir + - mountPath: /run/kata-containers/shared/direct-volumes + name: kata-direct-volumes + resources: + limits: + memory: 400Mi + requests: + cpu: 10m + memory: 20Mi + volumes: + - name: host-usr + hostPath: + path: /usr + - name: host-etc + hostPath: + path: /etc + - hostPath: + path: /var/lib/kubelet/plugins/file.csi.azure.com + type: DirectoryOrCreate + name: socket-dir + - hostPath: + path: /var/lib/kubelet/ + type: DirectoryOrCreate + name: mountpoint-dir + - hostPath: + path: /var/lib/kubelet/plugins_registry/ + type: DirectoryOrCreate + name: registration-dir + - hostPath: + path: /etc/kubernetes/ + type: DirectoryOrCreate + name: azure-cred + - hostPath: + path: /dev + type: Directory + name: device-dir + - name: kata-direct-volumes + hostPath: + path: /run/kata-containers/shared/direct-volumes/ + type: DirectoryOrCreate +--- diff --git a/deploy/v1.33.5/csi-snapshot-controller.yaml b/deploy/v1.33.5/csi-snapshot-controller.yaml new file mode 100644 index 0000000000..1e08b79e46 --- /dev/null +++ b/deploy/v1.33.5/csi-snapshot-controller.yaml @@ -0,0 +1,63 @@ +--- +kind: Deployment +apiVersion: apps/v1 +metadata: + name: csi-snapshot-controller + namespace: kube-system +spec: + replicas: 2 + selector: + matchLabels: + app: csi-snapshot-controller + # the snapshot controller won't be marked as ready if the v1 CRDs are unavailable + # in #504 the snapshot-controller will exit after around 7.5 seconds if it + # can't find the v1 CRDs so this value should be greater than that + minReadySeconds: 15 + strategy: + rollingUpdate: + maxSurge: 0 + maxUnavailable: 1 + type: RollingUpdate + template: + metadata: + labels: + app: csi-snapshot-controller + spec: + serviceAccountName: csi-snapshot-controller-sa + nodeSelector: + kubernetes.io/os: linux + priorityClassName: system-cluster-critical + securityContext: + seccompProfile: + type: RuntimeDefault + tolerations: + - key: "node-role.kubernetes.io/master" + operator: "Equal" + value: "true" + effect: "NoSchedule" + - key: "node-role.kubernetes.io/controlplane" + operator: "Equal" + value: "true" + effect: "NoSchedule" + - key: "node-role.kubernetes.io/control-plane" + operator: "Equal" + value: "true" + effect: "NoSchedule" + containers: + - name: csi-snapshot-controller + image: mcr.microsoft.com/oss/v2/kubernetes-csi/snapshot-controller:v8.3.0 + args: + - "--v=2" + - "--leader-election=true" + - "--leader-election-namespace=kube-system" + - "--retry-interval-max=30m" + resources: + limits: + memory: 500Mi + requests: + cpu: 10m + memory: 20Mi + securityContext: + capabilities: + drop: + - ALL diff --git a/deploy/v1.33.5/rbac-csi-azurefile-controller.yaml b/deploy/v1.33.5/rbac-csi-azurefile-controller.yaml new file mode 100644 index 0000000000..b3baefcf04 --- /dev/null +++ b/deploy/v1.33.5/rbac-csi-azurefile-controller.yaml @@ -0,0 +1,195 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: csi-azurefile-controller-sa + namespace: kube-system + +--- + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: azurefile-external-provisioner-role +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "create", "patch", "delete"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["storage.k8s.io"] + resources: ["storageclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["get", "list", "watch", "create", "update", "patch"] + - apiGroups: ["storage.k8s.io"] + resources: ["csinodes"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "watch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots"] + verbs: ["get", "list"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["get", "list"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create", "patch"] +--- + +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: azurefile-csi-provisioner-binding +subjects: + - kind: ServiceAccount + name: csi-azurefile-controller-sa + namespace: kube-system +roleRef: + kind: ClusterRole + name: azurefile-external-provisioner-role + apiGroup: rbac.authorization.k8s.io + +--- + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: azurefile-external-attacher-role +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "watch"] + - apiGroups: ["csi.storage.k8s.io"] + resources: ["csinodeinfos"] + verbs: ["get", "list", "watch"] + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments/status"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create", "patch"] +--- + +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: azurefile-csi-attacher-binding +subjects: + - kind: ServiceAccount + name: csi-azurefile-controller-sa + namespace: kube-system +roleRef: + kind: ClusterRole + name: azurefile-external-attacher-role + apiGroup: rbac.authorization.k8s.io + +--- + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: azurefile-external-snapshotter-role +rules: + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["create", "get", "list", "watch", "update", "delete", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents/status"] + verbs: ["update", "patch"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create", "patch"] + +--- + +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: azurefile-csi-snapshotter-binding +subjects: + - kind: ServiceAccount + name: csi-azurefile-controller-sa + namespace: kube-system +roleRef: + kind: ClusterRole + name: azurefile-external-snapshotter-role + apiGroup: rbac.authorization.k8s.io + +--- + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: azurefile-external-resizer-role +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["persistentvolumeclaims/status"] + verbs: ["update", "patch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: azurefile-csi-resizer-role +subjects: + - kind: ServiceAccount + name: csi-azurefile-controller-sa + namespace: kube-system +roleRef: + kind: ClusterRole + name: azurefile-external-resizer-role + apiGroup: rbac.authorization.k8s.io + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-azurefile-controller-secret-role +rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "create"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-azurefile-controller-secret-binding +subjects: + - kind: ServiceAccount + name: csi-azurefile-controller-sa + namespace: kube-system +roleRef: + kind: ClusterRole + name: csi-azurefile-controller-secret-role + apiGroup: rbac.authorization.k8s.io +--- diff --git a/deploy/v1.33.5/rbac-csi-azurefile-node.yaml b/deploy/v1.33.5/rbac-csi-azurefile-node.yaml new file mode 100644 index 0000000000..d7b10b2d7e --- /dev/null +++ b/deploy/v1.33.5/rbac-csi-azurefile-node.yaml @@ -0,0 +1,59 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: csi-azurefile-node-sa + namespace: kube-system + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-azurefile-node-secret-role +rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-azurefile-node-secret-binding +subjects: + - kind: ServiceAccount + name: csi-azurefile-node-sa + namespace: kube-system +roleRef: + kind: ClusterRole + name: csi-azurefile-node-secret-role + apiGroup: rbac.authorization.k8s.io +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-azurefile-node-katacc-role +rules: + - apiGroups: [""] + resources: ["pods"] + verbs: ["get"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get"] + - apiGroups: ["node.k8s.io"] + resources: ["runtimeclasses"] + verbs: ["get", "list"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-azurefile-node-katacc-binding +subjects: + - kind: ServiceAccount + name: csi-azurefile-node-sa + namespace: kube-system +roleRef: + kind: ClusterRole + name: csi-azurefile-node-katacc-role + apiGroup: rbac.authorization.k8s.io +--- diff --git a/deploy/v1.33.5/rbac-csi-snapshot-controller.yaml b/deploy/v1.33.5/rbac-csi-snapshot-controller.yaml new file mode 100644 index 0000000000..8ef9352476 --- /dev/null +++ b/deploy/v1.33.5/rbac-csi-snapshot-controller.yaml @@ -0,0 +1,78 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: csi-snapshot-controller-sa + namespace: kube-system + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-snapshot-controller-role +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["storage.k8s.io"] + resources: ["storageclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["create", "get", "list", "watch", "update", "delete", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents/status"] + verbs: ["patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots"] + verbs: ["get", "list", "watch", "update", "patch", "create"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots/status"] + verbs: ["update", "patch"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-snapshot-controller-binding +subjects: + - kind: ServiceAccount + name: csi-snapshot-controller-sa + namespace: kube-system +roleRef: + kind: ClusterRole + name: csi-snapshot-controller-role + apiGroup: rbac.authorization.k8s.io + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-snapshot-controller-leaderelection-role +rules: + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create", "patch"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-snapshot-controller-leaderelection-binding +subjects: + - kind: ServiceAccount + name: csi-snapshot-controller-sa + namespace: kube-system +roleRef: + kind: ClusterRole + name: csi-snapshot-controller-leaderelection-role + apiGroup: rbac.authorization.k8s.io diff --git a/deploy/v1.33.6/crd-csi-snapshot.yaml b/deploy/v1.33.6/crd-csi-snapshot.yaml new file mode 100644 index 0000000000..b82d729d5e --- /dev/null +++ b/deploy/v1.33.6/crd-csi-snapshot.yaml @@ -0,0 +1,951 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + api-approved.kubernetes.io: "https://github.com/kubernetes-csi/external-snapshotter/pull/814" + name: volumesnapshots.snapshot.storage.k8s.io +spec: + group: snapshot.storage.k8s.io + names: + kind: VolumeSnapshot + listKind: VolumeSnapshotList + plural: volumesnapshots + shortNames: + - vs + singular: volumesnapshot + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Indicates if the snapshot is ready to be used to restore a volume. + jsonPath: .status.readyToUse + name: ReadyToUse + type: boolean + - description: If a new snapshot needs to be created, this contains the name of + the source PVC from which this snapshot was (or will be) created. + jsonPath: .spec.source.persistentVolumeClaimName + name: SourcePVC + type: string + - description: If a snapshot already exists, this contains the name of the existing + VolumeSnapshotContent object representing the existing snapshot. + jsonPath: .spec.source.volumeSnapshotContentName + name: SourceSnapshotContent + type: string + - description: Represents the minimum size of volume required to rehydrate from + this snapshot. + jsonPath: .status.restoreSize + name: RestoreSize + type: string + - description: The name of the VolumeSnapshotClass requested by the VolumeSnapshot. + jsonPath: .spec.volumeSnapshotClassName + name: SnapshotClass + type: string + - description: Name of the VolumeSnapshotContent object to which the VolumeSnapshot + object intends to bind to. Please note that verification of binding actually + requires checking both VolumeSnapshot and VolumeSnapshotContent to ensure + both are pointing at each other. Binding MUST be verified prior to usage of + this object. + jsonPath: .status.boundVolumeSnapshotContentName + name: SnapshotContent + type: string + - description: Timestamp when the point-in-time snapshot was taken by the underlying + storage system. + jsonPath: .status.creationTime + name: CreationTime + type: date + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + VolumeSnapshot is a user's request for either creating a point-in-time + snapshot of a persistent volume, or binding to a pre-existing snapshot. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + spec defines the desired characteristics of a snapshot requested by a user. + More info: https://kubernetes.io/docs/concepts/storage/volume-snapshots#volumesnapshots + Required. + properties: + source: + description: |- + source specifies where a snapshot will be created from. + This field is immutable after creation. + Required. + properties: + persistentVolumeClaimName: + description: |- + persistentVolumeClaimName specifies the name of the PersistentVolumeClaim + object representing the volume from which a snapshot should be created. + This PVC is assumed to be in the same namespace as the VolumeSnapshot + object. + This field should be set if the snapshot does not exists, and needs to be + created. + This field is immutable. + type: string + x-kubernetes-validations: + - message: persistentVolumeClaimName is immutable + rule: self == oldSelf + volumeSnapshotContentName: + description: |- + volumeSnapshotContentName specifies the name of a pre-existing VolumeSnapshotContent + object representing an existing volume snapshot. + This field should be set if the snapshot already exists and only needs a representation in Kubernetes. + This field is immutable. + type: string + x-kubernetes-validations: + - message: volumeSnapshotContentName is immutable + rule: self == oldSelf + type: object + x-kubernetes-validations: + - message: persistentVolumeClaimName is required once set + rule: '!has(oldSelf.persistentVolumeClaimName) || has(self.persistentVolumeClaimName)' + - message: volumeSnapshotContentName is required once set + rule: '!has(oldSelf.volumeSnapshotContentName) || has(self.volumeSnapshotContentName)' + - message: exactly one of volumeSnapshotContentName and persistentVolumeClaimName + must be set + rule: (has(self.volumeSnapshotContentName) && !has(self.persistentVolumeClaimName)) + || (!has(self.volumeSnapshotContentName) && has(self.persistentVolumeClaimName)) + volumeSnapshotClassName: + description: |- + VolumeSnapshotClassName is the name of the VolumeSnapshotClass + requested by the VolumeSnapshot. + VolumeSnapshotClassName may be left nil to indicate that the default + SnapshotClass should be used. + A given cluster may have multiple default Volume SnapshotClasses: one + default per CSI Driver. If a VolumeSnapshot does not specify a SnapshotClass, + VolumeSnapshotSource will be checked to figure out what the associated + CSI Driver is, and the default VolumeSnapshotClass associated with that + CSI Driver will be used. If more than one VolumeSnapshotClass exist for + a given CSI Driver and more than one have been marked as default, + CreateSnapshot will fail and generate an event. + Empty string is not allowed for this field. + type: string + x-kubernetes-validations: + - message: volumeSnapshotClassName must not be the empty string when + set + rule: size(self) > 0 + required: + - source + type: object + status: + description: |- + status represents the current information of a snapshot. + Consumers must verify binding between VolumeSnapshot and + VolumeSnapshotContent objects is successful (by validating that both + VolumeSnapshot and VolumeSnapshotContent point at each other) before + using this object. + properties: + boundVolumeSnapshotContentName: + description: |- + boundVolumeSnapshotContentName is the name of the VolumeSnapshotContent + object to which this VolumeSnapshot object intends to bind to. + If not specified, it indicates that the VolumeSnapshot object has not been + successfully bound to a VolumeSnapshotContent object yet. + NOTE: To avoid possible security issues, consumers must verify binding between + VolumeSnapshot and VolumeSnapshotContent objects is successful (by validating that + both VolumeSnapshot and VolumeSnapshotContent point at each other) before using + this object. + type: string + creationTime: + description: |- + creationTime is the timestamp when the point-in-time snapshot is taken + by the underlying storage system. + In dynamic snapshot creation case, this field will be filled in by the + snapshot controller with the "creation_time" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "creation_time" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. + If not specified, it may indicate that the creation time of the snapshot is unknown. + format: date-time + type: string + error: + description: |- + error is the last observed error during snapshot creation, if any. + This field could be helpful to upper level controllers(i.e., application controller) + to decide whether they should continue on waiting for the snapshot to be created + based on the type of error reported. + The snapshot controller will keep retrying when an error occurs during the + snapshot creation. Upon success, this error field will be cleared. + properties: + message: + description: |- + message is a string detailing the encountered error during snapshot + creation if specified. + NOTE: message may be logged, and it should not contain sensitive + information. + type: string + time: + description: time is the timestamp when the error was encountered. + format: date-time + type: string + type: object + readyToUse: + description: |- + readyToUse indicates if the snapshot is ready to be used to restore a volume. + In dynamic snapshot creation case, this field will be filled in by the + snapshot controller with the "ready_to_use" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "ready_to_use" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it, + otherwise, this field will be set to "True". + If not specified, it means the readiness of a snapshot is unknown. + type: boolean + restoreSize: + type: string + description: |- + restoreSize represents the minimum size of volume required to create a volume + from this snapshot. + In dynamic snapshot creation case, this field will be filled in by the + snapshot controller with the "size_bytes" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "size_bytes" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. + When restoring a volume from this snapshot, the size of the volume MUST NOT + be smaller than the restoreSize if it is specified, otherwise the restoration will fail. + If not specified, it indicates that the size is unknown. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + volumeGroupSnapshotName: + description: |- + VolumeGroupSnapshotName is the name of the VolumeGroupSnapshot of which this + VolumeSnapshot is a part of. + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: Indicates if the snapshot is ready to be used to restore a volume. + jsonPath: .status.readyToUse + name: ReadyToUse + type: boolean + - description: If a new snapshot needs to be created, this contains the name of the source PVC from which this snapshot was (or will be) created. + jsonPath: .spec.source.persistentVolumeClaimName + name: SourcePVC + type: string + - description: If a snapshot already exists, this contains the name of the existing VolumeSnapshotContent object representing the existing snapshot. + jsonPath: .spec.source.volumeSnapshotContentName + name: SourceSnapshotContent + type: string + - description: Represents the minimum size of volume required to rehydrate from this snapshot. + jsonPath: .status.restoreSize + name: RestoreSize + type: string + - description: The name of the VolumeSnapshotClass requested by the VolumeSnapshot. + jsonPath: .spec.volumeSnapshotClassName + name: SnapshotClass + type: string + - description: Name of the VolumeSnapshotContent object to which the VolumeSnapshot object intends to bind to. Please note that verification of binding actually requires checking both VolumeSnapshot and VolumeSnapshotContent to ensure both are pointing at each other. Binding MUST be verified prior to usage of this object. + jsonPath: .status.boundVolumeSnapshotContentName + name: SnapshotContent + type: string + - description: Timestamp when the point-in-time snapshot was taken by the underlying storage system. + jsonPath: .status.creationTime + name: CreationTime + type: date + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + # This indicates the v1beta1 version of the custom resource is deprecated. + # API requests to this version receive a warning in the server response. + deprecated: true + # This overrides the default warning returned to clients making v1beta1 API requests. + deprecationWarning: "snapshot.storage.k8s.io/v1beta1 VolumeSnapshot is deprecated; use snapshot.storage.k8s.io/v1 VolumeSnapshot" + schema: + openAPIV3Schema: + description: VolumeSnapshot is a user's request for either creating a point-in-time snapshot of a persistent volume, or binding to a pre-existing snapshot. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + spec: + description: 'spec defines the desired characteristics of a snapshot requested by a user. More info: https://kubernetes.io/docs/concepts/storage/volume-snapshots#volumesnapshots Required.' + properties: + source: + description: source specifies where a snapshot will be created from. This field is immutable after creation. Required. + properties: + persistentVolumeClaimName: + description: persistentVolumeClaimName specifies the name of the PersistentVolumeClaim object representing the volume from which a snapshot should be created. This PVC is assumed to be in the same namespace as the VolumeSnapshot object. This field should be set if the snapshot does not exists, and needs to be created. This field is immutable. + type: string + volumeSnapshotContentName: + description: volumeSnapshotContentName specifies the name of a pre-existing VolumeSnapshotContent object representing an existing volume snapshot. This field should be set if the snapshot already exists and only needs a representation in Kubernetes. This field is immutable. + type: string + type: object + volumeSnapshotClassName: + description: 'VolumeSnapshotClassName is the name of the VolumeSnapshotClass requested by the VolumeSnapshot. VolumeSnapshotClassName may be left nil to indicate that the default SnapshotClass should be used. A given cluster may have multiple default Volume SnapshotClasses: one default per CSI Driver. If a VolumeSnapshot does not specify a SnapshotClass, VolumeSnapshotSource will be checked to figure out what the associated CSI Driver is, and the default VolumeSnapshotClass associated with that CSI Driver will be used. If more than one VolumeSnapshotClass exist for a given CSI Driver and more than one have been marked as default, CreateSnapshot will fail and generate an event. Empty string is not allowed for this field.' + type: string + required: + - source + type: object + status: + description: status represents the current information of a snapshot. Consumers must verify binding between VolumeSnapshot and VolumeSnapshotContent objects is successful (by validating that both VolumeSnapshot and VolumeSnapshotContent point at each other) before using this object. + properties: + boundVolumeSnapshotContentName: + description: 'boundVolumeSnapshotContentName is the name of the VolumeSnapshotContent object to which this VolumeSnapshot object intends to bind to. If not specified, it indicates that the VolumeSnapshot object has not been successfully bound to a VolumeSnapshotContent object yet. NOTE: To avoid possible security issues, consumers must verify binding between VolumeSnapshot and VolumeSnapshotContent objects is successful (by validating that both VolumeSnapshot and VolumeSnapshotContent point at each other) before using this object.' + type: string + creationTime: + description: creationTime is the timestamp when the point-in-time snapshot is taken by the underlying storage system. In dynamic snapshot creation case, this field will be filled in by the snapshot controller with the "creation_time" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "creation_time" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. If not specified, it may indicate that the creation time of the snapshot is unknown. + format: date-time + type: string + error: + description: error is the last observed error during snapshot creation, if any. This field could be helpful to upper level controllers(i.e., application controller) to decide whether they should continue on waiting for the snapshot to be created based on the type of error reported. The snapshot controller will keep retrying when an error occurs during the snapshot creation. Upon success, this error field will be cleared. + properties: + message: + description: 'message is a string detailing the encountered error during snapshot creation if specified. NOTE: message may be logged, and it should not contain sensitive information.' + type: string + time: + description: time is the timestamp when the error was encountered. + format: date-time + type: string + type: object + readyToUse: + description: readyToUse indicates if the snapshot is ready to be used to restore a volume. In dynamic snapshot creation case, this field will be filled in by the snapshot controller with the "ready_to_use" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "ready_to_use" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it, otherwise, this field will be set to "True". If not specified, it means the readiness of a snapshot is unknown. + type: boolean + restoreSize: + type: string + description: restoreSize represents the minimum size of volume required to create a volume from this snapshot. In dynamic snapshot creation case, this field will be filled in by the snapshot controller with the "size_bytes" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "size_bytes" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. When restoring a volume from this snapshot, the size of the volume MUST NOT be smaller than the restoreSize if it is specified, otherwise the restoration will fail. If not specified, it indicates that the size is unknown. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + required: + - spec + type: object + served: false + storage: false + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: "https://github.com/kubernetes-csi/external-snapshotter/pull/814" + controller-gen.kubebuilder.io/version: v0.15.0 + name: volumesnapshotclasses.snapshot.storage.k8s.io +spec: + group: snapshot.storage.k8s.io + names: + kind: VolumeSnapshotClass + listKind: VolumeSnapshotClassList + plural: volumesnapshotclasses + shortNames: + - vsclass + - vsclasses + singular: volumesnapshotclass + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .driver + name: Driver + type: string + - description: Determines whether a VolumeSnapshotContent created through the + VolumeSnapshotClass should be deleted when its bound VolumeSnapshot is deleted. + jsonPath: .deletionPolicy + name: DeletionPolicy + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + VolumeSnapshotClass specifies parameters that a underlying storage system uses when + creating a volume snapshot. A specific VolumeSnapshotClass is used by specifying its + name in a VolumeSnapshot object. + VolumeSnapshotClasses are non-namespaced + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + deletionPolicy: + description: |- + deletionPolicy determines whether a VolumeSnapshotContent created through + the VolumeSnapshotClass should be deleted when its bound VolumeSnapshot is deleted. + Supported values are "Retain" and "Delete". + "Retain" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are kept. + "Delete" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are deleted. + Required. + enum: + - Delete + - Retain + type: string + driver: + description: |- + driver is the name of the storage driver that handles this VolumeSnapshotClass. + Required. + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + parameters: + additionalProperties: + type: string + description: |- + parameters is a key-value map with storage driver specific parameters for creating snapshots. + These values are opaque to Kubernetes. + type: object + required: + - deletionPolicy + - driver + type: object + served: true + storage: true + subresources: {} + - additionalPrinterColumns: + - jsonPath: .driver + name: Driver + type: string + - description: Determines whether a VolumeSnapshotContent created through the VolumeSnapshotClass should be deleted when its bound VolumeSnapshot is deleted. + jsonPath: .deletionPolicy + name: DeletionPolicy + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + # This indicates the v1beta1 version of the custom resource is deprecated. + # API requests to this version receive a warning in the server response. + deprecated: true + # This overrides the default warning returned to clients making v1beta1 API requests. + deprecationWarning: "snapshot.storage.k8s.io/v1beta1 VolumeSnapshotClass is deprecated; use snapshot.storage.k8s.io/v1 VolumeSnapshotClass" + schema: + openAPIV3Schema: + description: VolumeSnapshotClass specifies parameters that a underlying storage system uses when creating a volume snapshot. A specific VolumeSnapshotClass is used by specifying its name in a VolumeSnapshot object. VolumeSnapshotClasses are non-namespaced + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + deletionPolicy: + description: deletionPolicy determines whether a VolumeSnapshotContent created through the VolumeSnapshotClass should be deleted when its bound VolumeSnapshot is deleted. Supported values are "Retain" and "Delete". "Retain" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are kept. "Delete" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are deleted. Required. + enum: + - Delete + - Retain + type: string + driver: + description: driver is the name of the storage driver that handles this VolumeSnapshotClass. Required. + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + parameters: + additionalProperties: + type: string + description: parameters is a key-value map with storage driver specific parameters for creating snapshots. These values are opaque to Kubernetes. + type: object + required: + - deletionPolicy + - driver + type: object + served: false + storage: false + subresources: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + api-approved.kubernetes.io: "https://github.com/kubernetes-csi/external-snapshotter/pull/955" + name: volumesnapshotcontents.snapshot.storage.k8s.io +spec: + group: snapshot.storage.k8s.io + names: + kind: VolumeSnapshotContent + listKind: VolumeSnapshotContentList + plural: volumesnapshotcontents + shortNames: + - vsc + - vscs + singular: volumesnapshotcontent + scope: Cluster + versions: + - additionalPrinterColumns: + - description: Indicates if the snapshot is ready to be used to restore a volume. + jsonPath: .status.readyToUse + name: ReadyToUse + type: boolean + - description: Represents the complete size of the snapshot in bytes + jsonPath: .status.restoreSize + name: RestoreSize + type: integer + - description: Determines whether this VolumeSnapshotContent and its physical + snapshot on the underlying storage system should be deleted when its bound + VolumeSnapshot is deleted. + jsonPath: .spec.deletionPolicy + name: DeletionPolicy + type: string + - description: Name of the CSI driver used to create the physical snapshot on + the underlying storage system. + jsonPath: .spec.driver + name: Driver + type: string + - description: Name of the VolumeSnapshotClass to which this snapshot belongs. + jsonPath: .spec.volumeSnapshotClassName + name: VolumeSnapshotClass + type: string + - description: Name of the VolumeSnapshot object to which this VolumeSnapshotContent + object is bound. + jsonPath: .spec.volumeSnapshotRef.name + name: VolumeSnapshot + type: string + - description: Namespace of the VolumeSnapshot object to which this VolumeSnapshotContent + object is bound. + jsonPath: .spec.volumeSnapshotRef.namespace + name: VolumeSnapshotNamespace + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + VolumeSnapshotContent represents the actual "on-disk" snapshot object in the + underlying storage system + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + spec defines properties of a VolumeSnapshotContent created by the underlying storage system. + Required. + properties: + deletionPolicy: + description: |- + deletionPolicy determines whether this VolumeSnapshotContent and its physical snapshot on + the underlying storage system should be deleted when its bound VolumeSnapshot is deleted. + Supported values are "Retain" and "Delete". + "Retain" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are kept. + "Delete" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are deleted. + For dynamically provisioned snapshots, this field will automatically be filled in by the + CSI snapshotter sidecar with the "DeletionPolicy" field defined in the corresponding + VolumeSnapshotClass. + For pre-existing snapshots, users MUST specify this field when creating the + VolumeSnapshotContent object. + Required. + enum: + - Delete + - Retain + type: string + driver: + description: |- + driver is the name of the CSI driver used to create the physical snapshot on + the underlying storage system. + This MUST be the same as the name returned by the CSI GetPluginName() call for + that driver. + Required. + type: string + source: + description: |- + source specifies whether the snapshot is (or should be) dynamically provisioned + or already exists, and just requires a Kubernetes object representation. + This field is immutable after creation. + Required. + properties: + snapshotHandle: + description: |- + snapshotHandle specifies the CSI "snapshot_id" of a pre-existing snapshot on + the underlying storage system for which a Kubernetes object representation + was (or should be) created. + This field is immutable. + type: string + x-kubernetes-validations: + - message: snapshotHandle is immutable + rule: self == oldSelf + volumeHandle: + description: |- + volumeHandle specifies the CSI "volume_id" of the volume from which a snapshot + should be dynamically taken from. + This field is immutable. + type: string + x-kubernetes-validations: + - message: volumeHandle is immutable + rule: self == oldSelf + type: object + x-kubernetes-validations: + - message: volumeHandle is required once set + rule: '!has(oldSelf.volumeHandle) || has(self.volumeHandle)' + - message: snapshotHandle is required once set + rule: '!has(oldSelf.snapshotHandle) || has(self.snapshotHandle)' + - message: exactly one of volumeHandle and snapshotHandle must be + set + rule: (has(self.volumeHandle) && !has(self.snapshotHandle)) || (!has(self.volumeHandle) + && has(self.snapshotHandle)) + sourceVolumeMode: + description: |- + SourceVolumeMode is the mode of the volume whose snapshot is taken. + Can be either "Filesystem" or "Block". + If not specified, it indicates the source volume's mode is unknown. + This field is immutable. + This field is an alpha field. + type: string + x-kubernetes-validations: + - message: sourceVolumeMode is immutable + rule: self == oldSelf + volumeSnapshotClassName: + description: |- + name of the VolumeSnapshotClass from which this snapshot was (or will be) + created. + Note that after provisioning, the VolumeSnapshotClass may be deleted or + recreated with different set of values, and as such, should not be referenced + post-snapshot creation. + type: string + volumeSnapshotRef: + description: |- + volumeSnapshotRef specifies the VolumeSnapshot object to which this + VolumeSnapshotContent object is bound. + VolumeSnapshot.Spec.VolumeSnapshotContentName field must reference to + this VolumeSnapshotContent's name for the bidirectional binding to be valid. + For a pre-existing VolumeSnapshotContent object, name and namespace of the + VolumeSnapshot object MUST be provided for binding to happen. + This field is immutable after creation. + Required. + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. + type: string + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + namespace: + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + type: string + resourceVersion: + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + type: string + uid: + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + type: string + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: both spec.volumeSnapshotRef.name and spec.volumeSnapshotRef.namespace + must be set + rule: has(self.name) && has(self.__namespace__) + required: + - deletionPolicy + - driver + - source + - volumeSnapshotRef + type: object + x-kubernetes-validations: + - message: sourceVolumeMode is required once set + rule: '!has(oldSelf.sourceVolumeMode) || has(self.sourceVolumeMode)' + status: + description: status represents the current information of a snapshot. + properties: + creationTime: + description: |- + creationTime is the timestamp when the point-in-time snapshot is taken + by the underlying storage system. + In dynamic snapshot creation case, this field will be filled in by the + CSI snapshotter sidecar with the "creation_time" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "creation_time" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. + If not specified, it indicates the creation time is unknown. + The format of this field is a Unix nanoseconds time encoded as an int64. + On Unix, the command `date +%s%N` returns the current time in nanoseconds + since 1970-01-01 00:00:00 UTC. + format: int64 + type: integer + error: + description: |- + error is the last observed error during snapshot creation, if any. + Upon success after retry, this error field will be cleared. + properties: + message: + description: |- + message is a string detailing the encountered error during snapshot + creation if specified. + NOTE: message may be logged, and it should not contain sensitive + information. + type: string + time: + description: time is the timestamp when the error was encountered. + format: date-time + type: string + type: object + readyToUse: + description: |- + readyToUse indicates if a snapshot is ready to be used to restore a volume. + In dynamic snapshot creation case, this field will be filled in by the + CSI snapshotter sidecar with the "ready_to_use" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "ready_to_use" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it, + otherwise, this field will be set to "True". + If not specified, it means the readiness of a snapshot is unknown. + type: boolean + restoreSize: + description: |- + restoreSize represents the complete size of the snapshot in bytes. + In dynamic snapshot creation case, this field will be filled in by the + CSI snapshotter sidecar with the "size_bytes" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "size_bytes" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. + When restoring a volume from this snapshot, the size of the volume MUST NOT + be smaller than the restoreSize if it is specified, otherwise the restoration will fail. + If not specified, it indicates that the size is unknown. + format: int64 + minimum: 0 + type: integer + snapshotHandle: + description: |- + snapshotHandle is the CSI "snapshot_id" of a snapshot on the underlying storage system. + If not specified, it indicates that dynamic snapshot creation has either failed + or it is still in progress. + type: string + volumeGroupSnapshotHandle: + description: |- + VolumeGroupSnapshotHandle is the CSI "group_snapshot_id" of a group snapshot + on the underlying storage system. + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: Indicates if the snapshot is ready to be used to restore a volume. + jsonPath: .status.readyToUse + name: ReadyToUse + type: boolean + - description: Represents the complete size of the snapshot in bytes + jsonPath: .status.restoreSize + name: RestoreSize + type: integer + - description: Determines whether this VolumeSnapshotContent and its physical snapshot on the underlying storage system should be deleted when its bound VolumeSnapshot is deleted. + jsonPath: .spec.deletionPolicy + name: DeletionPolicy + type: string + - description: Name of the CSI driver used to create the physical snapshot on the underlying storage system. + jsonPath: .spec.driver + name: Driver + type: string + - description: Name of the VolumeSnapshotClass to which this snapshot belongs. + jsonPath: .spec.volumeSnapshotClassName + name: VolumeSnapshotClass + type: string + - description: Name of the VolumeSnapshot object to which this VolumeSnapshotContent object is bound. + jsonPath: .spec.volumeSnapshotRef.name + name: VolumeSnapshot + type: string + - description: Namespace of the VolumeSnapshot object to which this VolumeSnapshotContent object is bound. + jsonPath: .spec.volumeSnapshotRef.namespace + name: VolumeSnapshotNamespace + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + # This indicates the v1beta1 version of the custom resource is deprecated. + # API requests to this version receive a warning in the server response. + deprecated: true + # This overrides the default warning returned to clients making v1beta1 API requests. + deprecationWarning: "snapshot.storage.k8s.io/v1beta1 VolumeSnapshotContent is deprecated; use snapshot.storage.k8s.io/v1 VolumeSnapshotContent" + schema: + openAPIV3Schema: + description: VolumeSnapshotContent represents the actual "on-disk" snapshot object in the underlying storage system + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + spec: + description: spec defines properties of a VolumeSnapshotContent created by the underlying storage system. Required. + properties: + deletionPolicy: + description: deletionPolicy determines whether this VolumeSnapshotContent and its physical snapshot on the underlying storage system should be deleted when its bound VolumeSnapshot is deleted. Supported values are "Retain" and "Delete". "Retain" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are kept. "Delete" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are deleted. For dynamically provisioned snapshots, this field will automatically be filled in by the CSI snapshotter sidecar with the "DeletionPolicy" field defined in the corresponding VolumeSnapshotClass. For pre-existing snapshots, users MUST specify this field when creating the VolumeSnapshotContent object. Required. + enum: + - Delete + - Retain + type: string + driver: + description: driver is the name of the CSI driver used to create the physical snapshot on the underlying storage system. This MUST be the same as the name returned by the CSI GetPluginName() call for that driver. Required. + type: string + source: + description: source specifies whether the snapshot is (or should be) dynamically provisioned or already exists, and just requires a Kubernetes object representation. This field is immutable after creation. Required. + properties: + snapshotHandle: + description: snapshotHandle specifies the CSI "snapshot_id" of a pre-existing snapshot on the underlying storage system for which a Kubernetes object representation was (or should be) created. This field is immutable. + type: string + volumeHandle: + description: volumeHandle specifies the CSI "volume_id" of the volume from which a snapshot should be dynamically taken from. This field is immutable. + type: string + type: object + volumeSnapshotClassName: + description: name of the VolumeSnapshotClass from which this snapshot was (or will be) created. Note that after provisioning, the VolumeSnapshotClass may be deleted or recreated with different set of values, and as such, should not be referenced post-snapshot creation. + type: string + volumeSnapshotRef: + description: volumeSnapshotRef specifies the VolumeSnapshot object to which this VolumeSnapshotContent object is bound. VolumeSnapshot.Spec.VolumeSnapshotContentName field must reference to this VolumeSnapshotContent's name for the bidirectional binding to be valid. For a pre-existing VolumeSnapshotContent object, name and namespace of the VolumeSnapshot object MUST be provided for binding to happen. This field is immutable after creation. Required. + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + required: + - deletionPolicy + - driver + - source + - volumeSnapshotRef + type: object + status: + description: status represents the current information of a snapshot. + properties: + creationTime: + description: creationTime is the timestamp when the point-in-time snapshot is taken by the underlying storage system. In dynamic snapshot creation case, this field will be filled in by the CSI snapshotter sidecar with the "creation_time" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "creation_time" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. If not specified, it indicates the creation time is unknown. The format of this field is a Unix nanoseconds time encoded as an int64. On Unix, the command `date +%s%N` returns the current time in nanoseconds since 1970-01-01 00:00:00 UTC. + format: int64 + type: integer + error: + description: error is the last observed error during snapshot creation, if any. Upon success after retry, this error field will be cleared. + properties: + message: + description: 'message is a string detailing the encountered error during snapshot creation if specified. NOTE: message may be logged, and it should not contain sensitive information.' + type: string + time: + description: time is the timestamp when the error was encountered. + format: date-time + type: string + type: object + readyToUse: + description: readyToUse indicates if a snapshot is ready to be used to restore a volume. In dynamic snapshot creation case, this field will be filled in by the CSI snapshotter sidecar with the "ready_to_use" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "ready_to_use" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it, otherwise, this field will be set to "True". If not specified, it means the readiness of a snapshot is unknown. + type: boolean + restoreSize: + description: restoreSize represents the complete size of the snapshot in bytes. In dynamic snapshot creation case, this field will be filled in by the CSI snapshotter sidecar with the "size_bytes" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "size_bytes" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. When restoring a volume from this snapshot, the size of the volume MUST NOT be smaller than the restoreSize if it is specified, otherwise the restoration will fail. If not specified, it indicates that the size is unknown. + format: int64 + minimum: 0 + type: integer + snapshotHandle: + description: snapshotHandle is the CSI "snapshot_id" of a snapshot on the underlying storage system. If not specified, it indicates that dynamic snapshot creation has either failed or it is still in progress. + type: string + type: object + required: + - spec + type: object + served: false + storage: false + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/deploy/v1.33.6/csi-azurefile-controller.yaml b/deploy/v1.33.6/csi-azurefile-controller.yaml new file mode 100644 index 0000000000..f4d95059d8 --- /dev/null +++ b/deploy/v1.33.6/csi-azurefile-controller.yaml @@ -0,0 +1,200 @@ +--- +kind: Deployment +apiVersion: apps/v1 +metadata: + name: csi-azurefile-controller + namespace: kube-system +spec: + replicas: 2 + selector: + matchLabels: + app: csi-azurefile-controller + template: + metadata: + labels: + app: csi-azurefile-controller + spec: + hostNetwork: true # only required for MSI enabled cluster + serviceAccountName: csi-azurefile-controller-sa + nodeSelector: + kubernetes.io/os: linux # add "kubernetes.io/role: master" to run controller on master node + priorityClassName: system-cluster-critical + securityContext: + seccompProfile: + type: RuntimeDefault + tolerations: + - key: "node-role.kubernetes.io/master" + operator: "Exists" + effect: "NoSchedule" + - key: "node-role.kubernetes.io/controlplane" + operator: "Exists" + effect: "NoSchedule" + - key: "node-role.kubernetes.io/control-plane" + operator: "Exists" + effect: "NoSchedule" + - key: "CriticalAddonsOnly" + operator: "Exists" + effect: "NoSchedule" + containers: + - name: csi-provisioner + image: mcr.microsoft.com/oss/v2/kubernetes-csi/csi-provisioner:v6.0.0 + args: + - "-v=2" + - "--csi-address=$(ADDRESS)" + - "--leader-election" + - "--leader-election-namespace=kube-system" + - "--timeout=1200s" + - "--extra-create-metadata=true" + - "--kube-api-qps=50" + - "--kube-api-burst=100" + - "--feature-gates=HonorPVReclaimPolicy=true" + - "--retry-interval-max=30m" + env: + - name: ADDRESS + value: /csi/csi.sock + volumeMounts: + - mountPath: /csi + name: socket-dir + resources: + limits: + memory: 500Mi + requests: + cpu: 10m + memory: 20Mi + securityContext: + capabilities: + drop: + - ALL + - name: csi-snapshotter + image: mcr.microsoft.com/oss/v2/kubernetes-csi/csi-snapshotter:v8.4.0 + args: + - "-v=2" + - "-csi-address=$(ADDRESS)" + - "--leader-election" + - "--leader-election-namespace=kube-system" + - "--retry-interval-max=30m" + env: + - name: ADDRESS + value: /csi/csi.sock + volumeMounts: + - name: socket-dir + mountPath: /csi + resources: + limits: + memory: 200Mi + requests: + cpu: 10m + memory: 20Mi + securityContext: + capabilities: + drop: + - ALL + - name: csi-resizer + image: mcr.microsoft.com/oss/v2/kubernetes-csi/csi-resizer:v2.0.0 + args: + - "-csi-address=$(ADDRESS)" + - "-v=2" + - "--leader-election" + - "--leader-election-namespace=kube-system" + - '-handle-volume-inuse-error=false' + - '-feature-gates=RecoverVolumeExpansionFailure=true' + - '-timeout=120s' + - "--retry-interval-max=30m" + env: + - name: ADDRESS + value: /csi/csi.sock + volumeMounts: + - name: socket-dir + mountPath: /csi + resources: + limits: + memory: 500Mi + requests: + cpu: 10m + memory: 20Mi + securityContext: + capabilities: + drop: + - ALL + - name: liveness-probe + image: mcr.microsoft.com/oss/v2/kubernetes-csi/livenessprobe:v2.17.0 + args: + - --csi-address=/csi/csi.sock + - --probe-timeout=3s + - --http-endpoint=localhost:29612 + - --v=2 + volumeMounts: + - name: socket-dir + mountPath: /csi + resources: + limits: + memory: 100Mi + requests: + cpu: 10m + memory: 20Mi + securityContext: + capabilities: + drop: + - ALL + - name: azurefile + image: mcr.microsoft.com/oss/v2/kubernetes-csi/azurefile-csi:v1.33.6 + imagePullPolicy: IfNotPresent + args: + - "--v=5" + - "--endpoint=$(CSI_ENDPOINT)" + - "--metrics-address=0.0.0.0:29614" + - "--user-agent-suffix=OSS-kubectl" + ports: + - containerPort: 29614 + name: metrics + protocol: TCP + livenessProbe: + failureThreshold: 5 + httpGet: + host: localhost + path: /healthz + port: 29612 + initialDelaySeconds: 30 + timeoutSeconds: 10 + periodSeconds: 30 + env: + - name: AZURE_CREDENTIAL_FILE + valueFrom: + configMapKeyRef: + name: azure-cred-file + key: path + optional: true + - name: CSI_ENDPOINT + value: unix:///csi/csi.sock + - name: AZCOPY_CONCURRENCY_VALUE + value: "10" + - name: AZCOPY_CONCURRENT_FILES + value: "20" + - name: AZCOPY_BUFFER_GB + value: "1" + volumeMounts: + - mountPath: /csi + name: socket-dir + - mountPath: /root/.azcopy + name: azcopy-dir + - mountPath: /etc/kubernetes/ + name: azure-cred + resources: + limits: + memory: 800Mi + requests: + cpu: 10m + memory: 20Mi + securityContext: + capabilities: + drop: + - ALL + volumes: + - name: socket-dir + emptyDir: {} + - name: azcopy-dir + emptyDir: {} + - name: azure-cred + hostPath: + path: /etc/kubernetes/ + type: DirectoryOrCreate diff --git a/deploy/v1.33.6/csi-azurefile-driver.yaml b/deploy/v1.33.6/csi-azurefile-driver.yaml new file mode 100644 index 0000000000..fef0d4b3ff --- /dev/null +++ b/deploy/v1.33.6/csi-azurefile-driver.yaml @@ -0,0 +1,17 @@ +--- +apiVersion: storage.k8s.io/v1 +kind: CSIDriver +metadata: + name: file.csi.azure.com + annotations: + csiDriver: v1.33.0 + snapshot: v6.2.2 +spec: + attachRequired: false + podInfoOnMount: true + volumeLifecycleModes: + - Persistent + - Ephemeral + fsGroupPolicy: ReadWriteOnceWithFSType + tokenRequests: + - audience: api://AzureADTokenExchange diff --git a/deploy/v1.33.6/csi-azurefile-node-windows-hostprocess.yaml b/deploy/v1.33.6/csi-azurefile-node-windows-hostprocess.yaml new file mode 100644 index 0000000000..eb65689f91 --- /dev/null +++ b/deploy/v1.33.6/csi-azurefile-node-windows-hostprocess.yaml @@ -0,0 +1,122 @@ +--- +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: csi-azurefile-node-win + namespace: kube-system +spec: + updateStrategy: + rollingUpdate: + maxUnavailable: 1 + type: RollingUpdate + selector: + matchLabels: + app: csi-azurefile-node-win + template: + metadata: + labels: + app: csi-azurefile-node-win + spec: + serviceAccountName: csi-azurefile-node-sa + tolerations: + - key: "node.kubernetes.io/os" + operator: "Exists" + effect: "NoSchedule" + nodeSelector: + kubernetes.io/os: windows + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: type + operator: NotIn + values: + - virtual-kubelet + priorityClassName: system-node-critical + securityContext: + seccompProfile: + type: RuntimeDefault + windowsOptions: + hostProcess: true + runAsUserName: "NT AUTHORITY\\SYSTEM" + hostNetwork: true + initContainers: + - name: init + image: mcr.microsoft.com/oss/v2/kubernetes-csi/azurefile-csi:v1.33.6-windows-hp + imagePullPolicy: IfNotPresent + command: + - "powershell.exe" + - "-c" + - "New-Item -ItemType Directory -Path C:\\var\\lib\\kubelet\\plugins\\file.csi.azure.com\\ -Force" + securityContext: + capabilities: + drop: + - ALL + containers: + - name: node-driver-registrar + image: mcr.microsoft.com/oss/v2/kubernetes-csi/csi-node-driver-registrar:v2.15.0 + imagePullPolicy: IfNotPresent + command: + - "csi-node-driver-registrar.exe" + args: + - "--v=2" + - "--csi-address=$(CSI_ENDPOINT)" + - "--kubelet-registration-path=$(DRIVER_REG_SOCK_PATH)" + - "--plugin-registration-path=$(PLUGIN_REG_DIR)" + env: + - name: CSI_ENDPOINT + value: unix://C:\\var\\lib\\kubelet\\plugins\\file.csi.azure.com\\csi.sock + - name: DRIVER_REG_SOCK_PATH + value: C:\\var\\lib\\kubelet\\plugins\\file.csi.azure.com\\csi.sock + - name: PLUGIN_REG_DIR + value: C:\\var\\lib\\kubelet\\plugins_registry\\ + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + resources: + limits: + memory: 150Mi + requests: + cpu: 30m + memory: 40Mi + securityContext: + capabilities: + drop: + - ALL + - name: azurefile + image: mcr.microsoft.com/oss/v2/kubernetes-csi/azurefile-csi:v1.33.6-windows-hp + imagePullPolicy: IfNotPresent + command: + - "azurefileplugin.exe" + args: + - --v=5 + - --endpoint=$(CSI_ENDPOINT) + - --nodeid=$(KUBE_NODE_NAME) + - --enable-windows-host-process=true + - --metrics-address="0.0.0.0:29615" + env: + - name: AZURE_CREDENTIAL_FILE + valueFrom: + configMapKeyRef: + name: azure-cred-file + key: path-windows + optional: true + - name: CSI_ENDPOINT + value: unix://C:\\var\\lib\\kubelet\\plugins\\file.csi.azure.com\\csi.sock + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + resources: + limits: + memory: 600Mi + requests: + cpu: 10m + memory: 40Mi + securityContext: + capabilities: + drop: + - ALL diff --git a/deploy/v1.33.6/csi-azurefile-node-windows.yaml b/deploy/v1.33.6/csi-azurefile-node-windows.yaml new file mode 100644 index 0000000000..586f159622 --- /dev/null +++ b/deploy/v1.33.6/csi-azurefile-node-windows.yaml @@ -0,0 +1,187 @@ +--- +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: csi-azurefile-node-win + namespace: kube-system +spec: + updateStrategy: + rollingUpdate: + maxUnavailable: 1 + type: RollingUpdate + selector: + matchLabels: + app: csi-azurefile-node-win + template: + metadata: + labels: + app: csi-azurefile-node-win + spec: + serviceAccountName: csi-azurefile-node-sa + tolerations: + - key: "node.kubernetes.io/os" + operator: "Exists" + effect: "NoSchedule" + nodeSelector: + kubernetes.io/os: windows + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: type + operator: NotIn + values: + - virtual-kubelet + priorityClassName: system-node-critical + securityContext: + seccompProfile: + type: RuntimeDefault + containers: + - name: liveness-probe + volumeMounts: + - mountPath: C:\csi + name: plugin-dir + image: mcr.microsoft.com/oss/kubernetes-csi/livenessprobe:v2.15.0 + args: + - --csi-address=$(CSI_ENDPOINT) + - --probe-timeout=3s + - --health-port=29613 + - --v=2 + env: + - name: CSI_ENDPOINT + value: unix://C:\\csi\\csi.sock + resources: + limits: + memory: 150Mi + requests: + cpu: 10m + memory: 40Mi + securityContext: + capabilities: + drop: + - ALL + - name: node-driver-registrar + image: mcr.microsoft.com/oss/v2/kubernetes-csi/csi-node-driver-registrar:v2.13.0 + args: + - --v=2 + - --csi-address=$(CSI_ENDPOINT) + - --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH) + env: + - name: CSI_ENDPOINT + value: unix://C:\\csi\\csi.sock + - name: DRIVER_REG_SOCK_PATH + value: C:\\var\\lib\\kubelet\\plugins\\file.csi.azure.com\\csi.sock + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + volumeMounts: + - name: kubelet-dir + mountPath: "C:\\var\\lib\\kubelet" + - name: plugin-dir + mountPath: C:\csi + - name: registration-dir + mountPath: C:\registration + resources: + limits: + memory: 150Mi + requests: + cpu: 30m + memory: 40Mi + securityContext: + capabilities: + drop: + - ALL + - name: azurefile + image: mcr.microsoft.com/oss/kubernetes-csi/azurefile-csi:v1.33.6 + imagePullPolicy: IfNotPresent + args: + - --v=5 + - --endpoint=$(CSI_ENDPOINT) + - --nodeid=$(KUBE_NODE_NAME) + - --metrics-address="0.0.0.0:29615" + ports: + - containerPort: 29613 + name: healthz + protocol: TCP + livenessProbe: + failureThreshold: 5 + httpGet: + path: /healthz + port: healthz + initialDelaySeconds: 60 + timeoutSeconds: 60 + periodSeconds: 60 + env: + - name: AZURE_CREDENTIAL_FILE + valueFrom: + configMapKeyRef: + name: azure-cred-file + key: path-windows + optional: true + - name: CSI_ENDPOINT + value: unix://C:\\csi\\csi.sock + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + volumeMounts: + - name: kubelet-dir + mountPath: "C:\\var\\lib\\kubelet" + - name: plugin-dir + mountPath: C:\csi + - name: azure-config + mountPath: C:\k + - name: csi-proxy-fs-pipe-v1 + mountPath: \\.\pipe\csi-proxy-filesystem-v1 + - name: csi-proxy-smb-pipe-v1 + mountPath: \\.\pipe\csi-proxy-smb-v1 + # these paths are still included for compatibility, they're used + # only if the node has still the beta version of the CSI proxy + - name: csi-proxy-fs-pipe-v1beta1 + mountPath: \\.\pipe\csi-proxy-filesystem-v1beta1 + - name: csi-proxy-smb-pipe-v1beta1 + mountPath: \\.\pipe\csi-proxy-smb-v1beta1 + resources: + limits: + memory: 200Mi + requests: + cpu: 10m + memory: 40Mi + securityContext: + capabilities: + drop: + - ALL + volumes: + - name: csi-proxy-fs-pipe-v1 + hostPath: + path: \\.\pipe\csi-proxy-filesystem-v1 + - name: csi-proxy-smb-pipe-v1 + hostPath: + path: \\.\pipe\csi-proxy-smb-v1 + # these paths are still included for compatibility, they're used + # only if the node has still the beta version of the CSI proxy + - name: csi-proxy-fs-pipe-v1beta1 + hostPath: + path: \\.\pipe\csi-proxy-filesystem-v1beta1 + - name: csi-proxy-smb-pipe-v1beta1 + hostPath: + path: \\.\pipe\csi-proxy-smb-v1beta1 + - name: registration-dir + hostPath: + path: C:\var\lib\kubelet\plugins_registry\ + type: Directory + - name: kubelet-dir + hostPath: + path: C:\var\lib\kubelet\ + type: Directory + - name: plugin-dir + hostPath: + path: C:\var\lib\kubelet\plugins\file.csi.azure.com\ + type: DirectoryOrCreate + - name: azure-config + hostPath: + path: C:\k + type: DirectoryOrCreate diff --git a/deploy/v1.33.6/csi-azurefile-node.yaml b/deploy/v1.33.6/csi-azurefile-node.yaml new file mode 100644 index 0000000000..2b14790eea --- /dev/null +++ b/deploy/v1.33.6/csi-azurefile-node.yaml @@ -0,0 +1,203 @@ +--- +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: csi-azurefile-node + namespace: kube-system +spec: + updateStrategy: + rollingUpdate: + maxUnavailable: 1 + type: RollingUpdate + selector: + matchLabels: + app: csi-azurefile-node + template: + metadata: + labels: + app: csi-azurefile-node + spec: + hostNetwork: true + hostPID: true + dnsPolicy: Default + serviceAccountName: csi-azurefile-node-sa + nodeSelector: + kubernetes.io/os: linux + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: type + operator: NotIn + values: + - virtual-kubelet + priorityClassName: system-node-critical + securityContext: + seccompProfile: + type: RuntimeDefault + tolerations: + - operator: "Exists" + initContainers: + - name: install-azurefile-proxy + image: mcr.microsoft.com/oss/v2/kubernetes-csi/azurefile-csi:v1.33.6 + imagePullPolicy: IfNotPresent + command: + - "/azurefile-proxy/init.sh" + securityContext: + privileged: true + capabilities: + drop: + - ALL + env: + - name: DEBIAN_FRONTEND + value: "noninteractive" + - name: AZNFS_NONINTERACTIVE_INSTALL + value: "1" + - name: INSTALL_AZUREFILE_PROXY + value: "true" + - name: INSTALL_AZNFS_MOUNT + value: "true" + volumeMounts: + - name: host-usr + mountPath: /host/usr + - name: host-etc + mountPath: /host/etc + containers: + - name: liveness-probe + volumeMounts: + - mountPath: /csi + name: socket-dir + image: mcr.microsoft.com/oss/v2/kubernetes-csi/livenessprobe:v2.17.0 + args: + - --csi-address=/csi/csi.sock + - --probe-timeout=3s + - --http-endpoint=localhost:29613 + - --v=2 + resources: + limits: + memory: 100Mi + requests: + cpu: 10m + memory: 20Mi + securityContext: + capabilities: + drop: + - ALL + - name: node-driver-registrar + image: mcr.microsoft.com/oss/v2/kubernetes-csi/csi-node-driver-registrar:v2.15.0 + args: + - --csi-address=$(ADDRESS) + - --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH) + - --v=2 + env: + - name: ADDRESS + value: /csi/csi.sock + - name: DRIVER_REG_SOCK_PATH + value: /var/lib/kubelet/plugins/file.csi.azure.com/csi.sock + volumeMounts: + - name: socket-dir + mountPath: /csi + - name: registration-dir + mountPath: /registration + resources: + limits: + memory: 100Mi + requests: + cpu: 10m + memory: 20Mi + securityContext: + capabilities: + drop: + - ALL + - name: azurefile + image: mcr.microsoft.com/oss/v2/kubernetes-csi/azurefile-csi:v1.33.6 + imagePullPolicy: IfNotPresent + args: + - "--v=5" + - "--endpoint=$(CSI_ENDPOINT)" + - "--enable-azurefile-proxy=true" + - "--azurefile-proxy-endpoint=$(AZUREFILE_PROXY_ENDPOINT)" + - "--nodeid=$(KUBE_NODE_NAME)" + - "--metrics-address=0.0.0.0:29615" + - "--enable-kata-cc-mount=true" + livenessProbe: + failureThreshold: 5 + httpGet: + host: localhost + path: /healthz + port: 29613 + initialDelaySeconds: 30 + timeoutSeconds: 10 + periodSeconds: 30 + env: + - name: AZURE_CREDENTIAL_FILE + valueFrom: + configMapKeyRef: + name: azure-cred-file + key: path + optional: true + - name: CSI_ENDPOINT + value: unix:///csi/csi.sock + - name: AZUREFILE_PROXY_ENDPOINT + value: unix:///csi/azurefile-proxy.sock + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + securityContext: + privileged: true + capabilities: + drop: + - ALL + volumeMounts: + - mountPath: /csi + name: socket-dir + - mountPath: /var/lib/kubelet/ + mountPropagation: Bidirectional + name: mountpoint-dir + - mountPath: /etc/kubernetes/ + name: azure-cred + - mountPath: /dev + name: device-dir + - mountPath: /run/kata-containers/shared/direct-volumes + name: kata-direct-volumes + resources: + limits: + memory: 400Mi + requests: + cpu: 10m + memory: 20Mi + volumes: + - name: host-usr + hostPath: + path: /usr + - name: host-etc + hostPath: + path: /etc + - hostPath: + path: /var/lib/kubelet/plugins/file.csi.azure.com + type: DirectoryOrCreate + name: socket-dir + - hostPath: + path: /var/lib/kubelet/ + type: DirectoryOrCreate + name: mountpoint-dir + - hostPath: + path: /var/lib/kubelet/plugins_registry/ + type: DirectoryOrCreate + name: registration-dir + - hostPath: + path: /etc/kubernetes/ + type: DirectoryOrCreate + name: azure-cred + - hostPath: + path: /dev + type: Directory + name: device-dir + - name: kata-direct-volumes + hostPath: + path: /run/kata-containers/shared/direct-volumes/ + type: DirectoryOrCreate +--- diff --git a/deploy/v1.33.6/csi-snapshot-controller.yaml b/deploy/v1.33.6/csi-snapshot-controller.yaml new file mode 100644 index 0000000000..4e34d50b38 --- /dev/null +++ b/deploy/v1.33.6/csi-snapshot-controller.yaml @@ -0,0 +1,63 @@ +--- +kind: Deployment +apiVersion: apps/v1 +metadata: + name: csi-snapshot-controller + namespace: kube-system +spec: + replicas: 2 + selector: + matchLabels: + app: csi-snapshot-controller + # the snapshot controller won't be marked as ready if the v1 CRDs are unavailable + # in #504 the snapshot-controller will exit after around 7.5 seconds if it + # can't find the v1 CRDs so this value should be greater than that + minReadySeconds: 15 + strategy: + rollingUpdate: + maxSurge: 0 + maxUnavailable: 1 + type: RollingUpdate + template: + metadata: + labels: + app: csi-snapshot-controller + spec: + serviceAccountName: csi-snapshot-controller-sa + nodeSelector: + kubernetes.io/os: linux + priorityClassName: system-cluster-critical + securityContext: + seccompProfile: + type: RuntimeDefault + tolerations: + - key: "node-role.kubernetes.io/master" + operator: "Equal" + value: "true" + effect: "NoSchedule" + - key: "node-role.kubernetes.io/controlplane" + operator: "Equal" + value: "true" + effect: "NoSchedule" + - key: "node-role.kubernetes.io/control-plane" + operator: "Equal" + value: "true" + effect: "NoSchedule" + containers: + - name: csi-snapshot-controller + image: mcr.microsoft.com/oss/v2/kubernetes-csi/snapshot-controller:v8.4.0 + args: + - "--v=2" + - "--leader-election=true" + - "--leader-election-namespace=kube-system" + - "--retry-interval-max=30m" + resources: + limits: + memory: 500Mi + requests: + cpu: 10m + memory: 20Mi + securityContext: + capabilities: + drop: + - ALL diff --git a/deploy/v1.33.6/rbac-csi-azurefile-controller.yaml b/deploy/v1.33.6/rbac-csi-azurefile-controller.yaml new file mode 100644 index 0000000000..b3baefcf04 --- /dev/null +++ b/deploy/v1.33.6/rbac-csi-azurefile-controller.yaml @@ -0,0 +1,195 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: csi-azurefile-controller-sa + namespace: kube-system + +--- + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: azurefile-external-provisioner-role +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "create", "patch", "delete"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["storage.k8s.io"] + resources: ["storageclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["get", "list", "watch", "create", "update", "patch"] + - apiGroups: ["storage.k8s.io"] + resources: ["csinodes"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "watch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots"] + verbs: ["get", "list"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["get", "list"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create", "patch"] +--- + +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: azurefile-csi-provisioner-binding +subjects: + - kind: ServiceAccount + name: csi-azurefile-controller-sa + namespace: kube-system +roleRef: + kind: ClusterRole + name: azurefile-external-provisioner-role + apiGroup: rbac.authorization.k8s.io + +--- + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: azurefile-external-attacher-role +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "watch"] + - apiGroups: ["csi.storage.k8s.io"] + resources: ["csinodeinfos"] + verbs: ["get", "list", "watch"] + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments/status"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create", "patch"] +--- + +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: azurefile-csi-attacher-binding +subjects: + - kind: ServiceAccount + name: csi-azurefile-controller-sa + namespace: kube-system +roleRef: + kind: ClusterRole + name: azurefile-external-attacher-role + apiGroup: rbac.authorization.k8s.io + +--- + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: azurefile-external-snapshotter-role +rules: + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["create", "get", "list", "watch", "update", "delete", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents/status"] + verbs: ["update", "patch"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create", "patch"] + +--- + +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: azurefile-csi-snapshotter-binding +subjects: + - kind: ServiceAccount + name: csi-azurefile-controller-sa + namespace: kube-system +roleRef: + kind: ClusterRole + name: azurefile-external-snapshotter-role + apiGroup: rbac.authorization.k8s.io + +--- + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: azurefile-external-resizer-role +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["persistentvolumeclaims/status"] + verbs: ["update", "patch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: azurefile-csi-resizer-role +subjects: + - kind: ServiceAccount + name: csi-azurefile-controller-sa + namespace: kube-system +roleRef: + kind: ClusterRole + name: azurefile-external-resizer-role + apiGroup: rbac.authorization.k8s.io + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-azurefile-controller-secret-role +rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "create"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-azurefile-controller-secret-binding +subjects: + - kind: ServiceAccount + name: csi-azurefile-controller-sa + namespace: kube-system +roleRef: + kind: ClusterRole + name: csi-azurefile-controller-secret-role + apiGroup: rbac.authorization.k8s.io +--- diff --git a/deploy/v1.33.6/rbac-csi-azurefile-node.yaml b/deploy/v1.33.6/rbac-csi-azurefile-node.yaml new file mode 100644 index 0000000000..d7b10b2d7e --- /dev/null +++ b/deploy/v1.33.6/rbac-csi-azurefile-node.yaml @@ -0,0 +1,59 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: csi-azurefile-node-sa + namespace: kube-system + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-azurefile-node-secret-role +rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-azurefile-node-secret-binding +subjects: + - kind: ServiceAccount + name: csi-azurefile-node-sa + namespace: kube-system +roleRef: + kind: ClusterRole + name: csi-azurefile-node-secret-role + apiGroup: rbac.authorization.k8s.io +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-azurefile-node-katacc-role +rules: + - apiGroups: [""] + resources: ["pods"] + verbs: ["get"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get"] + - apiGroups: ["node.k8s.io"] + resources: ["runtimeclasses"] + verbs: ["get", "list"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-azurefile-node-katacc-binding +subjects: + - kind: ServiceAccount + name: csi-azurefile-node-sa + namespace: kube-system +roleRef: + kind: ClusterRole + name: csi-azurefile-node-katacc-role + apiGroup: rbac.authorization.k8s.io +--- diff --git a/deploy/v1.33.6/rbac-csi-snapshot-controller.yaml b/deploy/v1.33.6/rbac-csi-snapshot-controller.yaml new file mode 100644 index 0000000000..8ef9352476 --- /dev/null +++ b/deploy/v1.33.6/rbac-csi-snapshot-controller.yaml @@ -0,0 +1,78 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: csi-snapshot-controller-sa + namespace: kube-system + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-snapshot-controller-role +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["storage.k8s.io"] + resources: ["storageclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["create", "get", "list", "watch", "update", "delete", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents/status"] + verbs: ["patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots"] + verbs: ["get", "list", "watch", "update", "patch", "create"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots/status"] + verbs: ["update", "patch"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-snapshot-controller-binding +subjects: + - kind: ServiceAccount + name: csi-snapshot-controller-sa + namespace: kube-system +roleRef: + kind: ClusterRole + name: csi-snapshot-controller-role + apiGroup: rbac.authorization.k8s.io + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-snapshot-controller-leaderelection-role +rules: + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create", "patch"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-snapshot-controller-leaderelection-binding +subjects: + - kind: ServiceAccount + name: csi-snapshot-controller-sa + namespace: kube-system +roleRef: + kind: ClusterRole + name: csi-snapshot-controller-leaderelection-role + apiGroup: rbac.authorization.k8s.io diff --git a/deploy/v1.33.7/crd-csi-snapshot.yaml b/deploy/v1.33.7/crd-csi-snapshot.yaml new file mode 100644 index 0000000000..b82d729d5e --- /dev/null +++ b/deploy/v1.33.7/crd-csi-snapshot.yaml @@ -0,0 +1,951 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + api-approved.kubernetes.io: "https://github.com/kubernetes-csi/external-snapshotter/pull/814" + name: volumesnapshots.snapshot.storage.k8s.io +spec: + group: snapshot.storage.k8s.io + names: + kind: VolumeSnapshot + listKind: VolumeSnapshotList + plural: volumesnapshots + shortNames: + - vs + singular: volumesnapshot + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Indicates if the snapshot is ready to be used to restore a volume. + jsonPath: .status.readyToUse + name: ReadyToUse + type: boolean + - description: If a new snapshot needs to be created, this contains the name of + the source PVC from which this snapshot was (or will be) created. + jsonPath: .spec.source.persistentVolumeClaimName + name: SourcePVC + type: string + - description: If a snapshot already exists, this contains the name of the existing + VolumeSnapshotContent object representing the existing snapshot. + jsonPath: .spec.source.volumeSnapshotContentName + name: SourceSnapshotContent + type: string + - description: Represents the minimum size of volume required to rehydrate from + this snapshot. + jsonPath: .status.restoreSize + name: RestoreSize + type: string + - description: The name of the VolumeSnapshotClass requested by the VolumeSnapshot. + jsonPath: .spec.volumeSnapshotClassName + name: SnapshotClass + type: string + - description: Name of the VolumeSnapshotContent object to which the VolumeSnapshot + object intends to bind to. Please note that verification of binding actually + requires checking both VolumeSnapshot and VolumeSnapshotContent to ensure + both are pointing at each other. Binding MUST be verified prior to usage of + this object. + jsonPath: .status.boundVolumeSnapshotContentName + name: SnapshotContent + type: string + - description: Timestamp when the point-in-time snapshot was taken by the underlying + storage system. + jsonPath: .status.creationTime + name: CreationTime + type: date + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + VolumeSnapshot is a user's request for either creating a point-in-time + snapshot of a persistent volume, or binding to a pre-existing snapshot. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + spec defines the desired characteristics of a snapshot requested by a user. + More info: https://kubernetes.io/docs/concepts/storage/volume-snapshots#volumesnapshots + Required. + properties: + source: + description: |- + source specifies where a snapshot will be created from. + This field is immutable after creation. + Required. + properties: + persistentVolumeClaimName: + description: |- + persistentVolumeClaimName specifies the name of the PersistentVolumeClaim + object representing the volume from which a snapshot should be created. + This PVC is assumed to be in the same namespace as the VolumeSnapshot + object. + This field should be set if the snapshot does not exists, and needs to be + created. + This field is immutable. + type: string + x-kubernetes-validations: + - message: persistentVolumeClaimName is immutable + rule: self == oldSelf + volumeSnapshotContentName: + description: |- + volumeSnapshotContentName specifies the name of a pre-existing VolumeSnapshotContent + object representing an existing volume snapshot. + This field should be set if the snapshot already exists and only needs a representation in Kubernetes. + This field is immutable. + type: string + x-kubernetes-validations: + - message: volumeSnapshotContentName is immutable + rule: self == oldSelf + type: object + x-kubernetes-validations: + - message: persistentVolumeClaimName is required once set + rule: '!has(oldSelf.persistentVolumeClaimName) || has(self.persistentVolumeClaimName)' + - message: volumeSnapshotContentName is required once set + rule: '!has(oldSelf.volumeSnapshotContentName) || has(self.volumeSnapshotContentName)' + - message: exactly one of volumeSnapshotContentName and persistentVolumeClaimName + must be set + rule: (has(self.volumeSnapshotContentName) && !has(self.persistentVolumeClaimName)) + || (!has(self.volumeSnapshotContentName) && has(self.persistentVolumeClaimName)) + volumeSnapshotClassName: + description: |- + VolumeSnapshotClassName is the name of the VolumeSnapshotClass + requested by the VolumeSnapshot. + VolumeSnapshotClassName may be left nil to indicate that the default + SnapshotClass should be used. + A given cluster may have multiple default Volume SnapshotClasses: one + default per CSI Driver. If a VolumeSnapshot does not specify a SnapshotClass, + VolumeSnapshotSource will be checked to figure out what the associated + CSI Driver is, and the default VolumeSnapshotClass associated with that + CSI Driver will be used. If more than one VolumeSnapshotClass exist for + a given CSI Driver and more than one have been marked as default, + CreateSnapshot will fail and generate an event. + Empty string is not allowed for this field. + type: string + x-kubernetes-validations: + - message: volumeSnapshotClassName must not be the empty string when + set + rule: size(self) > 0 + required: + - source + type: object + status: + description: |- + status represents the current information of a snapshot. + Consumers must verify binding between VolumeSnapshot and + VolumeSnapshotContent objects is successful (by validating that both + VolumeSnapshot and VolumeSnapshotContent point at each other) before + using this object. + properties: + boundVolumeSnapshotContentName: + description: |- + boundVolumeSnapshotContentName is the name of the VolumeSnapshotContent + object to which this VolumeSnapshot object intends to bind to. + If not specified, it indicates that the VolumeSnapshot object has not been + successfully bound to a VolumeSnapshotContent object yet. + NOTE: To avoid possible security issues, consumers must verify binding between + VolumeSnapshot and VolumeSnapshotContent objects is successful (by validating that + both VolumeSnapshot and VolumeSnapshotContent point at each other) before using + this object. + type: string + creationTime: + description: |- + creationTime is the timestamp when the point-in-time snapshot is taken + by the underlying storage system. + In dynamic snapshot creation case, this field will be filled in by the + snapshot controller with the "creation_time" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "creation_time" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. + If not specified, it may indicate that the creation time of the snapshot is unknown. + format: date-time + type: string + error: + description: |- + error is the last observed error during snapshot creation, if any. + This field could be helpful to upper level controllers(i.e., application controller) + to decide whether they should continue on waiting for the snapshot to be created + based on the type of error reported. + The snapshot controller will keep retrying when an error occurs during the + snapshot creation. Upon success, this error field will be cleared. + properties: + message: + description: |- + message is a string detailing the encountered error during snapshot + creation if specified. + NOTE: message may be logged, and it should not contain sensitive + information. + type: string + time: + description: time is the timestamp when the error was encountered. + format: date-time + type: string + type: object + readyToUse: + description: |- + readyToUse indicates if the snapshot is ready to be used to restore a volume. + In dynamic snapshot creation case, this field will be filled in by the + snapshot controller with the "ready_to_use" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "ready_to_use" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it, + otherwise, this field will be set to "True". + If not specified, it means the readiness of a snapshot is unknown. + type: boolean + restoreSize: + type: string + description: |- + restoreSize represents the minimum size of volume required to create a volume + from this snapshot. + In dynamic snapshot creation case, this field will be filled in by the + snapshot controller with the "size_bytes" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "size_bytes" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. + When restoring a volume from this snapshot, the size of the volume MUST NOT + be smaller than the restoreSize if it is specified, otherwise the restoration will fail. + If not specified, it indicates that the size is unknown. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + volumeGroupSnapshotName: + description: |- + VolumeGroupSnapshotName is the name of the VolumeGroupSnapshot of which this + VolumeSnapshot is a part of. + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: Indicates if the snapshot is ready to be used to restore a volume. + jsonPath: .status.readyToUse + name: ReadyToUse + type: boolean + - description: If a new snapshot needs to be created, this contains the name of the source PVC from which this snapshot was (or will be) created. + jsonPath: .spec.source.persistentVolumeClaimName + name: SourcePVC + type: string + - description: If a snapshot already exists, this contains the name of the existing VolumeSnapshotContent object representing the existing snapshot. + jsonPath: .spec.source.volumeSnapshotContentName + name: SourceSnapshotContent + type: string + - description: Represents the minimum size of volume required to rehydrate from this snapshot. + jsonPath: .status.restoreSize + name: RestoreSize + type: string + - description: The name of the VolumeSnapshotClass requested by the VolumeSnapshot. + jsonPath: .spec.volumeSnapshotClassName + name: SnapshotClass + type: string + - description: Name of the VolumeSnapshotContent object to which the VolumeSnapshot object intends to bind to. Please note that verification of binding actually requires checking both VolumeSnapshot and VolumeSnapshotContent to ensure both are pointing at each other. Binding MUST be verified prior to usage of this object. + jsonPath: .status.boundVolumeSnapshotContentName + name: SnapshotContent + type: string + - description: Timestamp when the point-in-time snapshot was taken by the underlying storage system. + jsonPath: .status.creationTime + name: CreationTime + type: date + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + # This indicates the v1beta1 version of the custom resource is deprecated. + # API requests to this version receive a warning in the server response. + deprecated: true + # This overrides the default warning returned to clients making v1beta1 API requests. + deprecationWarning: "snapshot.storage.k8s.io/v1beta1 VolumeSnapshot is deprecated; use snapshot.storage.k8s.io/v1 VolumeSnapshot" + schema: + openAPIV3Schema: + description: VolumeSnapshot is a user's request for either creating a point-in-time snapshot of a persistent volume, or binding to a pre-existing snapshot. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + spec: + description: 'spec defines the desired characteristics of a snapshot requested by a user. More info: https://kubernetes.io/docs/concepts/storage/volume-snapshots#volumesnapshots Required.' + properties: + source: + description: source specifies where a snapshot will be created from. This field is immutable after creation. Required. + properties: + persistentVolumeClaimName: + description: persistentVolumeClaimName specifies the name of the PersistentVolumeClaim object representing the volume from which a snapshot should be created. This PVC is assumed to be in the same namespace as the VolumeSnapshot object. This field should be set if the snapshot does not exists, and needs to be created. This field is immutable. + type: string + volumeSnapshotContentName: + description: volumeSnapshotContentName specifies the name of a pre-existing VolumeSnapshotContent object representing an existing volume snapshot. This field should be set if the snapshot already exists and only needs a representation in Kubernetes. This field is immutable. + type: string + type: object + volumeSnapshotClassName: + description: 'VolumeSnapshotClassName is the name of the VolumeSnapshotClass requested by the VolumeSnapshot. VolumeSnapshotClassName may be left nil to indicate that the default SnapshotClass should be used. A given cluster may have multiple default Volume SnapshotClasses: one default per CSI Driver. If a VolumeSnapshot does not specify a SnapshotClass, VolumeSnapshotSource will be checked to figure out what the associated CSI Driver is, and the default VolumeSnapshotClass associated with that CSI Driver will be used. If more than one VolumeSnapshotClass exist for a given CSI Driver and more than one have been marked as default, CreateSnapshot will fail and generate an event. Empty string is not allowed for this field.' + type: string + required: + - source + type: object + status: + description: status represents the current information of a snapshot. Consumers must verify binding between VolumeSnapshot and VolumeSnapshotContent objects is successful (by validating that both VolumeSnapshot and VolumeSnapshotContent point at each other) before using this object. + properties: + boundVolumeSnapshotContentName: + description: 'boundVolumeSnapshotContentName is the name of the VolumeSnapshotContent object to which this VolumeSnapshot object intends to bind to. If not specified, it indicates that the VolumeSnapshot object has not been successfully bound to a VolumeSnapshotContent object yet. NOTE: To avoid possible security issues, consumers must verify binding between VolumeSnapshot and VolumeSnapshotContent objects is successful (by validating that both VolumeSnapshot and VolumeSnapshotContent point at each other) before using this object.' + type: string + creationTime: + description: creationTime is the timestamp when the point-in-time snapshot is taken by the underlying storage system. In dynamic snapshot creation case, this field will be filled in by the snapshot controller with the "creation_time" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "creation_time" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. If not specified, it may indicate that the creation time of the snapshot is unknown. + format: date-time + type: string + error: + description: error is the last observed error during snapshot creation, if any. This field could be helpful to upper level controllers(i.e., application controller) to decide whether they should continue on waiting for the snapshot to be created based on the type of error reported. The snapshot controller will keep retrying when an error occurs during the snapshot creation. Upon success, this error field will be cleared. + properties: + message: + description: 'message is a string detailing the encountered error during snapshot creation if specified. NOTE: message may be logged, and it should not contain sensitive information.' + type: string + time: + description: time is the timestamp when the error was encountered. + format: date-time + type: string + type: object + readyToUse: + description: readyToUse indicates if the snapshot is ready to be used to restore a volume. In dynamic snapshot creation case, this field will be filled in by the snapshot controller with the "ready_to_use" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "ready_to_use" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it, otherwise, this field will be set to "True". If not specified, it means the readiness of a snapshot is unknown. + type: boolean + restoreSize: + type: string + description: restoreSize represents the minimum size of volume required to create a volume from this snapshot. In dynamic snapshot creation case, this field will be filled in by the snapshot controller with the "size_bytes" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "size_bytes" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. When restoring a volume from this snapshot, the size of the volume MUST NOT be smaller than the restoreSize if it is specified, otherwise the restoration will fail. If not specified, it indicates that the size is unknown. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + required: + - spec + type: object + served: false + storage: false + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: "https://github.com/kubernetes-csi/external-snapshotter/pull/814" + controller-gen.kubebuilder.io/version: v0.15.0 + name: volumesnapshotclasses.snapshot.storage.k8s.io +spec: + group: snapshot.storage.k8s.io + names: + kind: VolumeSnapshotClass + listKind: VolumeSnapshotClassList + plural: volumesnapshotclasses + shortNames: + - vsclass + - vsclasses + singular: volumesnapshotclass + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .driver + name: Driver + type: string + - description: Determines whether a VolumeSnapshotContent created through the + VolumeSnapshotClass should be deleted when its bound VolumeSnapshot is deleted. + jsonPath: .deletionPolicy + name: DeletionPolicy + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + VolumeSnapshotClass specifies parameters that a underlying storage system uses when + creating a volume snapshot. A specific VolumeSnapshotClass is used by specifying its + name in a VolumeSnapshot object. + VolumeSnapshotClasses are non-namespaced + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + deletionPolicy: + description: |- + deletionPolicy determines whether a VolumeSnapshotContent created through + the VolumeSnapshotClass should be deleted when its bound VolumeSnapshot is deleted. + Supported values are "Retain" and "Delete". + "Retain" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are kept. + "Delete" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are deleted. + Required. + enum: + - Delete + - Retain + type: string + driver: + description: |- + driver is the name of the storage driver that handles this VolumeSnapshotClass. + Required. + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + parameters: + additionalProperties: + type: string + description: |- + parameters is a key-value map with storage driver specific parameters for creating snapshots. + These values are opaque to Kubernetes. + type: object + required: + - deletionPolicy + - driver + type: object + served: true + storage: true + subresources: {} + - additionalPrinterColumns: + - jsonPath: .driver + name: Driver + type: string + - description: Determines whether a VolumeSnapshotContent created through the VolumeSnapshotClass should be deleted when its bound VolumeSnapshot is deleted. + jsonPath: .deletionPolicy + name: DeletionPolicy + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + # This indicates the v1beta1 version of the custom resource is deprecated. + # API requests to this version receive a warning in the server response. + deprecated: true + # This overrides the default warning returned to clients making v1beta1 API requests. + deprecationWarning: "snapshot.storage.k8s.io/v1beta1 VolumeSnapshotClass is deprecated; use snapshot.storage.k8s.io/v1 VolumeSnapshotClass" + schema: + openAPIV3Schema: + description: VolumeSnapshotClass specifies parameters that a underlying storage system uses when creating a volume snapshot. A specific VolumeSnapshotClass is used by specifying its name in a VolumeSnapshot object. VolumeSnapshotClasses are non-namespaced + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + deletionPolicy: + description: deletionPolicy determines whether a VolumeSnapshotContent created through the VolumeSnapshotClass should be deleted when its bound VolumeSnapshot is deleted. Supported values are "Retain" and "Delete". "Retain" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are kept. "Delete" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are deleted. Required. + enum: + - Delete + - Retain + type: string + driver: + description: driver is the name of the storage driver that handles this VolumeSnapshotClass. Required. + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + parameters: + additionalProperties: + type: string + description: parameters is a key-value map with storage driver specific parameters for creating snapshots. These values are opaque to Kubernetes. + type: object + required: + - deletionPolicy + - driver + type: object + served: false + storage: false + subresources: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + api-approved.kubernetes.io: "https://github.com/kubernetes-csi/external-snapshotter/pull/955" + name: volumesnapshotcontents.snapshot.storage.k8s.io +spec: + group: snapshot.storage.k8s.io + names: + kind: VolumeSnapshotContent + listKind: VolumeSnapshotContentList + plural: volumesnapshotcontents + shortNames: + - vsc + - vscs + singular: volumesnapshotcontent + scope: Cluster + versions: + - additionalPrinterColumns: + - description: Indicates if the snapshot is ready to be used to restore a volume. + jsonPath: .status.readyToUse + name: ReadyToUse + type: boolean + - description: Represents the complete size of the snapshot in bytes + jsonPath: .status.restoreSize + name: RestoreSize + type: integer + - description: Determines whether this VolumeSnapshotContent and its physical + snapshot on the underlying storage system should be deleted when its bound + VolumeSnapshot is deleted. + jsonPath: .spec.deletionPolicy + name: DeletionPolicy + type: string + - description: Name of the CSI driver used to create the physical snapshot on + the underlying storage system. + jsonPath: .spec.driver + name: Driver + type: string + - description: Name of the VolumeSnapshotClass to which this snapshot belongs. + jsonPath: .spec.volumeSnapshotClassName + name: VolumeSnapshotClass + type: string + - description: Name of the VolumeSnapshot object to which this VolumeSnapshotContent + object is bound. + jsonPath: .spec.volumeSnapshotRef.name + name: VolumeSnapshot + type: string + - description: Namespace of the VolumeSnapshot object to which this VolumeSnapshotContent + object is bound. + jsonPath: .spec.volumeSnapshotRef.namespace + name: VolumeSnapshotNamespace + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + VolumeSnapshotContent represents the actual "on-disk" snapshot object in the + underlying storage system + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + spec defines properties of a VolumeSnapshotContent created by the underlying storage system. + Required. + properties: + deletionPolicy: + description: |- + deletionPolicy determines whether this VolumeSnapshotContent and its physical snapshot on + the underlying storage system should be deleted when its bound VolumeSnapshot is deleted. + Supported values are "Retain" and "Delete". + "Retain" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are kept. + "Delete" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are deleted. + For dynamically provisioned snapshots, this field will automatically be filled in by the + CSI snapshotter sidecar with the "DeletionPolicy" field defined in the corresponding + VolumeSnapshotClass. + For pre-existing snapshots, users MUST specify this field when creating the + VolumeSnapshotContent object. + Required. + enum: + - Delete + - Retain + type: string + driver: + description: |- + driver is the name of the CSI driver used to create the physical snapshot on + the underlying storage system. + This MUST be the same as the name returned by the CSI GetPluginName() call for + that driver. + Required. + type: string + source: + description: |- + source specifies whether the snapshot is (or should be) dynamically provisioned + or already exists, and just requires a Kubernetes object representation. + This field is immutable after creation. + Required. + properties: + snapshotHandle: + description: |- + snapshotHandle specifies the CSI "snapshot_id" of a pre-existing snapshot on + the underlying storage system for which a Kubernetes object representation + was (or should be) created. + This field is immutable. + type: string + x-kubernetes-validations: + - message: snapshotHandle is immutable + rule: self == oldSelf + volumeHandle: + description: |- + volumeHandle specifies the CSI "volume_id" of the volume from which a snapshot + should be dynamically taken from. + This field is immutable. + type: string + x-kubernetes-validations: + - message: volumeHandle is immutable + rule: self == oldSelf + type: object + x-kubernetes-validations: + - message: volumeHandle is required once set + rule: '!has(oldSelf.volumeHandle) || has(self.volumeHandle)' + - message: snapshotHandle is required once set + rule: '!has(oldSelf.snapshotHandle) || has(self.snapshotHandle)' + - message: exactly one of volumeHandle and snapshotHandle must be + set + rule: (has(self.volumeHandle) && !has(self.snapshotHandle)) || (!has(self.volumeHandle) + && has(self.snapshotHandle)) + sourceVolumeMode: + description: |- + SourceVolumeMode is the mode of the volume whose snapshot is taken. + Can be either "Filesystem" or "Block". + If not specified, it indicates the source volume's mode is unknown. + This field is immutable. + This field is an alpha field. + type: string + x-kubernetes-validations: + - message: sourceVolumeMode is immutable + rule: self == oldSelf + volumeSnapshotClassName: + description: |- + name of the VolumeSnapshotClass from which this snapshot was (or will be) + created. + Note that after provisioning, the VolumeSnapshotClass may be deleted or + recreated with different set of values, and as such, should not be referenced + post-snapshot creation. + type: string + volumeSnapshotRef: + description: |- + volumeSnapshotRef specifies the VolumeSnapshot object to which this + VolumeSnapshotContent object is bound. + VolumeSnapshot.Spec.VolumeSnapshotContentName field must reference to + this VolumeSnapshotContent's name for the bidirectional binding to be valid. + For a pre-existing VolumeSnapshotContent object, name and namespace of the + VolumeSnapshot object MUST be provided for binding to happen. + This field is immutable after creation. + Required. + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. + type: string + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + namespace: + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + type: string + resourceVersion: + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + type: string + uid: + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + type: string + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: both spec.volumeSnapshotRef.name and spec.volumeSnapshotRef.namespace + must be set + rule: has(self.name) && has(self.__namespace__) + required: + - deletionPolicy + - driver + - source + - volumeSnapshotRef + type: object + x-kubernetes-validations: + - message: sourceVolumeMode is required once set + rule: '!has(oldSelf.sourceVolumeMode) || has(self.sourceVolumeMode)' + status: + description: status represents the current information of a snapshot. + properties: + creationTime: + description: |- + creationTime is the timestamp when the point-in-time snapshot is taken + by the underlying storage system. + In dynamic snapshot creation case, this field will be filled in by the + CSI snapshotter sidecar with the "creation_time" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "creation_time" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. + If not specified, it indicates the creation time is unknown. + The format of this field is a Unix nanoseconds time encoded as an int64. + On Unix, the command `date +%s%N` returns the current time in nanoseconds + since 1970-01-01 00:00:00 UTC. + format: int64 + type: integer + error: + description: |- + error is the last observed error during snapshot creation, if any. + Upon success after retry, this error field will be cleared. + properties: + message: + description: |- + message is a string detailing the encountered error during snapshot + creation if specified. + NOTE: message may be logged, and it should not contain sensitive + information. + type: string + time: + description: time is the timestamp when the error was encountered. + format: date-time + type: string + type: object + readyToUse: + description: |- + readyToUse indicates if a snapshot is ready to be used to restore a volume. + In dynamic snapshot creation case, this field will be filled in by the + CSI snapshotter sidecar with the "ready_to_use" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "ready_to_use" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it, + otherwise, this field will be set to "True". + If not specified, it means the readiness of a snapshot is unknown. + type: boolean + restoreSize: + description: |- + restoreSize represents the complete size of the snapshot in bytes. + In dynamic snapshot creation case, this field will be filled in by the + CSI snapshotter sidecar with the "size_bytes" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "size_bytes" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. + When restoring a volume from this snapshot, the size of the volume MUST NOT + be smaller than the restoreSize if it is specified, otherwise the restoration will fail. + If not specified, it indicates that the size is unknown. + format: int64 + minimum: 0 + type: integer + snapshotHandle: + description: |- + snapshotHandle is the CSI "snapshot_id" of a snapshot on the underlying storage system. + If not specified, it indicates that dynamic snapshot creation has either failed + or it is still in progress. + type: string + volumeGroupSnapshotHandle: + description: |- + VolumeGroupSnapshotHandle is the CSI "group_snapshot_id" of a group snapshot + on the underlying storage system. + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: Indicates if the snapshot is ready to be used to restore a volume. + jsonPath: .status.readyToUse + name: ReadyToUse + type: boolean + - description: Represents the complete size of the snapshot in bytes + jsonPath: .status.restoreSize + name: RestoreSize + type: integer + - description: Determines whether this VolumeSnapshotContent and its physical snapshot on the underlying storage system should be deleted when its bound VolumeSnapshot is deleted. + jsonPath: .spec.deletionPolicy + name: DeletionPolicy + type: string + - description: Name of the CSI driver used to create the physical snapshot on the underlying storage system. + jsonPath: .spec.driver + name: Driver + type: string + - description: Name of the VolumeSnapshotClass to which this snapshot belongs. + jsonPath: .spec.volumeSnapshotClassName + name: VolumeSnapshotClass + type: string + - description: Name of the VolumeSnapshot object to which this VolumeSnapshotContent object is bound. + jsonPath: .spec.volumeSnapshotRef.name + name: VolumeSnapshot + type: string + - description: Namespace of the VolumeSnapshot object to which this VolumeSnapshotContent object is bound. + jsonPath: .spec.volumeSnapshotRef.namespace + name: VolumeSnapshotNamespace + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + # This indicates the v1beta1 version of the custom resource is deprecated. + # API requests to this version receive a warning in the server response. + deprecated: true + # This overrides the default warning returned to clients making v1beta1 API requests. + deprecationWarning: "snapshot.storage.k8s.io/v1beta1 VolumeSnapshotContent is deprecated; use snapshot.storage.k8s.io/v1 VolumeSnapshotContent" + schema: + openAPIV3Schema: + description: VolumeSnapshotContent represents the actual "on-disk" snapshot object in the underlying storage system + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + spec: + description: spec defines properties of a VolumeSnapshotContent created by the underlying storage system. Required. + properties: + deletionPolicy: + description: deletionPolicy determines whether this VolumeSnapshotContent and its physical snapshot on the underlying storage system should be deleted when its bound VolumeSnapshot is deleted. Supported values are "Retain" and "Delete". "Retain" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are kept. "Delete" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are deleted. For dynamically provisioned snapshots, this field will automatically be filled in by the CSI snapshotter sidecar with the "DeletionPolicy" field defined in the corresponding VolumeSnapshotClass. For pre-existing snapshots, users MUST specify this field when creating the VolumeSnapshotContent object. Required. + enum: + - Delete + - Retain + type: string + driver: + description: driver is the name of the CSI driver used to create the physical snapshot on the underlying storage system. This MUST be the same as the name returned by the CSI GetPluginName() call for that driver. Required. + type: string + source: + description: source specifies whether the snapshot is (or should be) dynamically provisioned or already exists, and just requires a Kubernetes object representation. This field is immutable after creation. Required. + properties: + snapshotHandle: + description: snapshotHandle specifies the CSI "snapshot_id" of a pre-existing snapshot on the underlying storage system for which a Kubernetes object representation was (or should be) created. This field is immutable. + type: string + volumeHandle: + description: volumeHandle specifies the CSI "volume_id" of the volume from which a snapshot should be dynamically taken from. This field is immutable. + type: string + type: object + volumeSnapshotClassName: + description: name of the VolumeSnapshotClass from which this snapshot was (or will be) created. Note that after provisioning, the VolumeSnapshotClass may be deleted or recreated with different set of values, and as such, should not be referenced post-snapshot creation. + type: string + volumeSnapshotRef: + description: volumeSnapshotRef specifies the VolumeSnapshot object to which this VolumeSnapshotContent object is bound. VolumeSnapshot.Spec.VolumeSnapshotContentName field must reference to this VolumeSnapshotContent's name for the bidirectional binding to be valid. For a pre-existing VolumeSnapshotContent object, name and namespace of the VolumeSnapshot object MUST be provided for binding to happen. This field is immutable after creation. Required. + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + required: + - deletionPolicy + - driver + - source + - volumeSnapshotRef + type: object + status: + description: status represents the current information of a snapshot. + properties: + creationTime: + description: creationTime is the timestamp when the point-in-time snapshot is taken by the underlying storage system. In dynamic snapshot creation case, this field will be filled in by the CSI snapshotter sidecar with the "creation_time" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "creation_time" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. If not specified, it indicates the creation time is unknown. The format of this field is a Unix nanoseconds time encoded as an int64. On Unix, the command `date +%s%N` returns the current time in nanoseconds since 1970-01-01 00:00:00 UTC. + format: int64 + type: integer + error: + description: error is the last observed error during snapshot creation, if any. Upon success after retry, this error field will be cleared. + properties: + message: + description: 'message is a string detailing the encountered error during snapshot creation if specified. NOTE: message may be logged, and it should not contain sensitive information.' + type: string + time: + description: time is the timestamp when the error was encountered. + format: date-time + type: string + type: object + readyToUse: + description: readyToUse indicates if a snapshot is ready to be used to restore a volume. In dynamic snapshot creation case, this field will be filled in by the CSI snapshotter sidecar with the "ready_to_use" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "ready_to_use" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it, otherwise, this field will be set to "True". If not specified, it means the readiness of a snapshot is unknown. + type: boolean + restoreSize: + description: restoreSize represents the complete size of the snapshot in bytes. In dynamic snapshot creation case, this field will be filled in by the CSI snapshotter sidecar with the "size_bytes" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "size_bytes" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. When restoring a volume from this snapshot, the size of the volume MUST NOT be smaller than the restoreSize if it is specified, otherwise the restoration will fail. If not specified, it indicates that the size is unknown. + format: int64 + minimum: 0 + type: integer + snapshotHandle: + description: snapshotHandle is the CSI "snapshot_id" of a snapshot on the underlying storage system. If not specified, it indicates that dynamic snapshot creation has either failed or it is still in progress. + type: string + type: object + required: + - spec + type: object + served: false + storage: false + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/deploy/v1.33.7/csi-azurefile-controller.yaml b/deploy/v1.33.7/csi-azurefile-controller.yaml new file mode 100644 index 0000000000..b8ced6f44b --- /dev/null +++ b/deploy/v1.33.7/csi-azurefile-controller.yaml @@ -0,0 +1,200 @@ +--- +kind: Deployment +apiVersion: apps/v1 +metadata: + name: csi-azurefile-controller + namespace: kube-system +spec: + replicas: 2 + selector: + matchLabels: + app: csi-azurefile-controller + template: + metadata: + labels: + app: csi-azurefile-controller + spec: + hostNetwork: true # only required for MSI enabled cluster + serviceAccountName: csi-azurefile-controller-sa + nodeSelector: + kubernetes.io/os: linux # add "kubernetes.io/role: master" to run controller on master node + priorityClassName: system-cluster-critical + securityContext: + seccompProfile: + type: RuntimeDefault + tolerations: + - key: "node-role.kubernetes.io/master" + operator: "Exists" + effect: "NoSchedule" + - key: "node-role.kubernetes.io/controlplane" + operator: "Exists" + effect: "NoSchedule" + - key: "node-role.kubernetes.io/control-plane" + operator: "Exists" + effect: "NoSchedule" + - key: "CriticalAddonsOnly" + operator: "Exists" + effect: "NoSchedule" + containers: + - name: csi-provisioner + image: mcr.microsoft.com/oss/v2/kubernetes-csi/csi-provisioner:v6.1.0 + args: + - "-v=2" + - "--csi-address=$(ADDRESS)" + - "--leader-election" + - "--leader-election-namespace=kube-system" + - "--timeout=1200s" + - "--extra-create-metadata=true" + - "--kube-api-qps=50" + - "--kube-api-burst=100" + - "--feature-gates=HonorPVReclaimPolicy=true" + - "--retry-interval-max=30m" + env: + - name: ADDRESS + value: /csi/csi.sock + volumeMounts: + - mountPath: /csi + name: socket-dir + resources: + limits: + memory: 500Mi + requests: + cpu: 10m + memory: 20Mi + securityContext: + capabilities: + drop: + - ALL + - name: csi-snapshotter + image: mcr.microsoft.com/oss/v2/kubernetes-csi/csi-snapshotter:v8.4.0 + args: + - "-v=2" + - "-csi-address=$(ADDRESS)" + - "--leader-election" + - "--leader-election-namespace=kube-system" + - "--retry-interval-max=30m" + env: + - name: ADDRESS + value: /csi/csi.sock + volumeMounts: + - name: socket-dir + mountPath: /csi + resources: + limits: + memory: 200Mi + requests: + cpu: 10m + memory: 20Mi + securityContext: + capabilities: + drop: + - ALL + - name: csi-resizer + image: mcr.microsoft.com/oss/v2/kubernetes-csi/csi-resizer:v2.0.0 + args: + - "-csi-address=$(ADDRESS)" + - "-v=2" + - "--leader-election" + - "--leader-election-namespace=kube-system" + - '-handle-volume-inuse-error=false' + - '-feature-gates=RecoverVolumeExpansionFailure=true' + - '-timeout=120s' + - "--retry-interval-max=30m" + env: + - name: ADDRESS + value: /csi/csi.sock + volumeMounts: + - name: socket-dir + mountPath: /csi + resources: + limits: + memory: 500Mi + requests: + cpu: 10m + memory: 20Mi + securityContext: + capabilities: + drop: + - ALL + - name: liveness-probe + image: mcr.microsoft.com/oss/v2/kubernetes-csi/livenessprobe:v2.17.0 + args: + - --csi-address=/csi/csi.sock + - --probe-timeout=3s + - --http-endpoint=localhost:29612 + - --v=2 + volumeMounts: + - name: socket-dir + mountPath: /csi + resources: + limits: + memory: 100Mi + requests: + cpu: 10m + memory: 20Mi + securityContext: + capabilities: + drop: + - ALL + - name: azurefile + image: mcr.microsoft.com/oss/v2/kubernetes-csi/azurefile-csi:v1.33.7 + imagePullPolicy: IfNotPresent + args: + - "--v=5" + - "--endpoint=$(CSI_ENDPOINT)" + - "--metrics-address=0.0.0.0:29614" + - "--user-agent-suffix=OSS-kubectl" + ports: + - containerPort: 29614 + name: metrics + protocol: TCP + livenessProbe: + failureThreshold: 5 + httpGet: + host: localhost + path: /healthz + port: 29612 + initialDelaySeconds: 30 + timeoutSeconds: 10 + periodSeconds: 30 + env: + - name: AZURE_CREDENTIAL_FILE + valueFrom: + configMapKeyRef: + name: azure-cred-file + key: path + optional: true + - name: CSI_ENDPOINT + value: unix:///csi/csi.sock + - name: AZCOPY_CONCURRENCY_VALUE + value: "10" + - name: AZCOPY_CONCURRENT_FILES + value: "20" + - name: AZCOPY_BUFFER_GB + value: "1" + volumeMounts: + - mountPath: /csi + name: socket-dir + - mountPath: /root/.azcopy + name: azcopy-dir + - mountPath: /etc/kubernetes/ + name: azure-cred + resources: + limits: + memory: 800Mi + requests: + cpu: 10m + memory: 20Mi + securityContext: + capabilities: + drop: + - ALL + volumes: + - name: socket-dir + emptyDir: {} + - name: azcopy-dir + emptyDir: {} + - name: azure-cred + hostPath: + path: /etc/kubernetes/ + type: DirectoryOrCreate diff --git a/deploy/v1.33.7/csi-azurefile-driver.yaml b/deploy/v1.33.7/csi-azurefile-driver.yaml new file mode 100644 index 0000000000..fef0d4b3ff --- /dev/null +++ b/deploy/v1.33.7/csi-azurefile-driver.yaml @@ -0,0 +1,17 @@ +--- +apiVersion: storage.k8s.io/v1 +kind: CSIDriver +metadata: + name: file.csi.azure.com + annotations: + csiDriver: v1.33.0 + snapshot: v6.2.2 +spec: + attachRequired: false + podInfoOnMount: true + volumeLifecycleModes: + - Persistent + - Ephemeral + fsGroupPolicy: ReadWriteOnceWithFSType + tokenRequests: + - audience: api://AzureADTokenExchange diff --git a/deploy/v1.33.7/csi-azurefile-node-windows-hostprocess.yaml b/deploy/v1.33.7/csi-azurefile-node-windows-hostprocess.yaml new file mode 100644 index 0000000000..d1efe636e6 --- /dev/null +++ b/deploy/v1.33.7/csi-azurefile-node-windows-hostprocess.yaml @@ -0,0 +1,122 @@ +--- +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: csi-azurefile-node-win + namespace: kube-system +spec: + updateStrategy: + rollingUpdate: + maxUnavailable: 1 + type: RollingUpdate + selector: + matchLabels: + app: csi-azurefile-node-win + template: + metadata: + labels: + app: csi-azurefile-node-win + spec: + serviceAccountName: csi-azurefile-node-sa + tolerations: + - key: "node.kubernetes.io/os" + operator: "Exists" + effect: "NoSchedule" + nodeSelector: + kubernetes.io/os: windows + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: type + operator: NotIn + values: + - virtual-kubelet + priorityClassName: system-node-critical + securityContext: + seccompProfile: + type: RuntimeDefault + windowsOptions: + hostProcess: true + runAsUserName: "NT AUTHORITY\\SYSTEM" + hostNetwork: true + initContainers: + - name: init + image: mcr.microsoft.com/oss/v2/kubernetes-csi/azurefile-csi:v1.33.7-windows-hp + imagePullPolicy: IfNotPresent + command: + - "powershell.exe" + - "-c" + - "New-Item -ItemType Directory -Path C:\\var\\lib\\kubelet\\plugins\\file.csi.azure.com\\ -Force" + securityContext: + capabilities: + drop: + - ALL + containers: + - name: node-driver-registrar + image: mcr.microsoft.com/oss/v2/kubernetes-csi/csi-node-driver-registrar:v2.15.0 + imagePullPolicy: IfNotPresent + command: + - "csi-node-driver-registrar.exe" + args: + - "--v=2" + - "--csi-address=$(CSI_ENDPOINT)" + - "--kubelet-registration-path=$(DRIVER_REG_SOCK_PATH)" + - "--plugin-registration-path=$(PLUGIN_REG_DIR)" + env: + - name: CSI_ENDPOINT + value: unix://C:\\var\\lib\\kubelet\\plugins\\file.csi.azure.com\\csi.sock + - name: DRIVER_REG_SOCK_PATH + value: C:\\var\\lib\\kubelet\\plugins\\file.csi.azure.com\\csi.sock + - name: PLUGIN_REG_DIR + value: C:\\var\\lib\\kubelet\\plugins_registry\\ + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + resources: + limits: + memory: 150Mi + requests: + cpu: 30m + memory: 40Mi + securityContext: + capabilities: + drop: + - ALL + - name: azurefile + image: mcr.microsoft.com/oss/v2/kubernetes-csi/azurefile-csi:v1.33.7-windows-hp + imagePullPolicy: IfNotPresent + command: + - "azurefileplugin.exe" + args: + - --v=5 + - --endpoint=$(CSI_ENDPOINT) + - --nodeid=$(KUBE_NODE_NAME) + - --enable-windows-host-process=true + - --metrics-address="0.0.0.0:29615" + env: + - name: AZURE_CREDENTIAL_FILE + valueFrom: + configMapKeyRef: + name: azure-cred-file + key: path-windows + optional: true + - name: CSI_ENDPOINT + value: unix://C:\\var\\lib\\kubelet\\plugins\\file.csi.azure.com\\csi.sock + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + resources: + limits: + memory: 600Mi + requests: + cpu: 10m + memory: 40Mi + securityContext: + capabilities: + drop: + - ALL diff --git a/deploy/v1.33.7/csi-azurefile-node-windows.yaml b/deploy/v1.33.7/csi-azurefile-node-windows.yaml new file mode 100644 index 0000000000..5eb0f953ff --- /dev/null +++ b/deploy/v1.33.7/csi-azurefile-node-windows.yaml @@ -0,0 +1,187 @@ +--- +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: csi-azurefile-node-win + namespace: kube-system +spec: + updateStrategy: + rollingUpdate: + maxUnavailable: 1 + type: RollingUpdate + selector: + matchLabels: + app: csi-azurefile-node-win + template: + metadata: + labels: + app: csi-azurefile-node-win + spec: + serviceAccountName: csi-azurefile-node-sa + tolerations: + - key: "node.kubernetes.io/os" + operator: "Exists" + effect: "NoSchedule" + nodeSelector: + kubernetes.io/os: windows + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: type + operator: NotIn + values: + - virtual-kubelet + priorityClassName: system-node-critical + securityContext: + seccompProfile: + type: RuntimeDefault + containers: + - name: liveness-probe + volumeMounts: + - mountPath: C:\csi + name: plugin-dir + image: mcr.microsoft.com/oss/kubernetes-csi/livenessprobe:v2.15.0 + args: + - --csi-address=$(CSI_ENDPOINT) + - --probe-timeout=3s + - --health-port=29613 + - --v=2 + env: + - name: CSI_ENDPOINT + value: unix://C:\\csi\\csi.sock + resources: + limits: + memory: 150Mi + requests: + cpu: 10m + memory: 40Mi + securityContext: + capabilities: + drop: + - ALL + - name: node-driver-registrar + image: mcr.microsoft.com/oss/v2/kubernetes-csi/csi-node-driver-registrar:v2.13.0 + args: + - --v=2 + - --csi-address=$(CSI_ENDPOINT) + - --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH) + env: + - name: CSI_ENDPOINT + value: unix://C:\\csi\\csi.sock + - name: DRIVER_REG_SOCK_PATH + value: C:\\var\\lib\\kubelet\\plugins\\file.csi.azure.com\\csi.sock + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + volumeMounts: + - name: kubelet-dir + mountPath: "C:\\var\\lib\\kubelet" + - name: plugin-dir + mountPath: C:\csi + - name: registration-dir + mountPath: C:\registration + resources: + limits: + memory: 150Mi + requests: + cpu: 30m + memory: 40Mi + securityContext: + capabilities: + drop: + - ALL + - name: azurefile + image: mcr.microsoft.com/oss/kubernetes-csi/azurefile-csi:v1.33.7 + imagePullPolicy: IfNotPresent + args: + - --v=5 + - --endpoint=$(CSI_ENDPOINT) + - --nodeid=$(KUBE_NODE_NAME) + - --metrics-address="0.0.0.0:29615" + ports: + - containerPort: 29613 + name: healthz + protocol: TCP + livenessProbe: + failureThreshold: 5 + httpGet: + path: /healthz + port: healthz + initialDelaySeconds: 60 + timeoutSeconds: 60 + periodSeconds: 60 + env: + - name: AZURE_CREDENTIAL_FILE + valueFrom: + configMapKeyRef: + name: azure-cred-file + key: path-windows + optional: true + - name: CSI_ENDPOINT + value: unix://C:\\csi\\csi.sock + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + volumeMounts: + - name: kubelet-dir + mountPath: "C:\\var\\lib\\kubelet" + - name: plugin-dir + mountPath: C:\csi + - name: azure-config + mountPath: C:\k + - name: csi-proxy-fs-pipe-v1 + mountPath: \\.\pipe\csi-proxy-filesystem-v1 + - name: csi-proxy-smb-pipe-v1 + mountPath: \\.\pipe\csi-proxy-smb-v1 + # these paths are still included for compatibility, they're used + # only if the node has still the beta version of the CSI proxy + - name: csi-proxy-fs-pipe-v1beta1 + mountPath: \\.\pipe\csi-proxy-filesystem-v1beta1 + - name: csi-proxy-smb-pipe-v1beta1 + mountPath: \\.\pipe\csi-proxy-smb-v1beta1 + resources: + limits: + memory: 200Mi + requests: + cpu: 10m + memory: 40Mi + securityContext: + capabilities: + drop: + - ALL + volumes: + - name: csi-proxy-fs-pipe-v1 + hostPath: + path: \\.\pipe\csi-proxy-filesystem-v1 + - name: csi-proxy-smb-pipe-v1 + hostPath: + path: \\.\pipe\csi-proxy-smb-v1 + # these paths are still included for compatibility, they're used + # only if the node has still the beta version of the CSI proxy + - name: csi-proxy-fs-pipe-v1beta1 + hostPath: + path: \\.\pipe\csi-proxy-filesystem-v1beta1 + - name: csi-proxy-smb-pipe-v1beta1 + hostPath: + path: \\.\pipe\csi-proxy-smb-v1beta1 + - name: registration-dir + hostPath: + path: C:\var\lib\kubelet\plugins_registry\ + type: Directory + - name: kubelet-dir + hostPath: + path: C:\var\lib\kubelet\ + type: Directory + - name: plugin-dir + hostPath: + path: C:\var\lib\kubelet\plugins\file.csi.azure.com\ + type: DirectoryOrCreate + - name: azure-config + hostPath: + path: C:\k + type: DirectoryOrCreate diff --git a/deploy/v1.33.7/csi-azurefile-node.yaml b/deploy/v1.33.7/csi-azurefile-node.yaml new file mode 100644 index 0000000000..da0d3e2621 --- /dev/null +++ b/deploy/v1.33.7/csi-azurefile-node.yaml @@ -0,0 +1,203 @@ +--- +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: csi-azurefile-node + namespace: kube-system +spec: + updateStrategy: + rollingUpdate: + maxUnavailable: 1 + type: RollingUpdate + selector: + matchLabels: + app: csi-azurefile-node + template: + metadata: + labels: + app: csi-azurefile-node + spec: + hostNetwork: true + hostPID: true + dnsPolicy: Default + serviceAccountName: csi-azurefile-node-sa + nodeSelector: + kubernetes.io/os: linux + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: type + operator: NotIn + values: + - virtual-kubelet + priorityClassName: system-node-critical + securityContext: + seccompProfile: + type: RuntimeDefault + tolerations: + - operator: "Exists" + initContainers: + - name: install-azurefile-proxy + image: mcr.microsoft.com/oss/v2/kubernetes-csi/azurefile-csi:v1.33.7 + imagePullPolicy: IfNotPresent + command: + - "/azurefile-proxy/init.sh" + securityContext: + privileged: true + capabilities: + drop: + - ALL + env: + - name: DEBIAN_FRONTEND + value: "noninteractive" + - name: AZNFS_NONINTERACTIVE_INSTALL + value: "1" + - name: INSTALL_AZUREFILE_PROXY + value: "true" + - name: INSTALL_AZNFS_MOUNT + value: "true" + volumeMounts: + - name: host-usr + mountPath: /host/usr + - name: host-etc + mountPath: /host/etc + containers: + - name: liveness-probe + volumeMounts: + - mountPath: /csi + name: socket-dir + image: mcr.microsoft.com/oss/v2/kubernetes-csi/livenessprobe:v2.17.0 + args: + - --csi-address=/csi/csi.sock + - --probe-timeout=3s + - --http-endpoint=localhost:29613 + - --v=2 + resources: + limits: + memory: 100Mi + requests: + cpu: 10m + memory: 20Mi + securityContext: + capabilities: + drop: + - ALL + - name: node-driver-registrar + image: mcr.microsoft.com/oss/v2/kubernetes-csi/csi-node-driver-registrar:v2.15.0 + args: + - --csi-address=$(ADDRESS) + - --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH) + - --v=2 + env: + - name: ADDRESS + value: /csi/csi.sock + - name: DRIVER_REG_SOCK_PATH + value: /var/lib/kubelet/plugins/file.csi.azure.com/csi.sock + volumeMounts: + - name: socket-dir + mountPath: /csi + - name: registration-dir + mountPath: /registration + resources: + limits: + memory: 100Mi + requests: + cpu: 10m + memory: 20Mi + securityContext: + capabilities: + drop: + - ALL + - name: azurefile + image: mcr.microsoft.com/oss/v2/kubernetes-csi/azurefile-csi:v1.33.7 + imagePullPolicy: IfNotPresent + args: + - "--v=5" + - "--endpoint=$(CSI_ENDPOINT)" + - "--enable-azurefile-proxy=true" + - "--azurefile-proxy-endpoint=$(AZUREFILE_PROXY_ENDPOINT)" + - "--nodeid=$(KUBE_NODE_NAME)" + - "--metrics-address=0.0.0.0:29615" + - "--enable-kata-cc-mount=true" + livenessProbe: + failureThreshold: 5 + httpGet: + host: localhost + path: /healthz + port: 29613 + initialDelaySeconds: 30 + timeoutSeconds: 10 + periodSeconds: 30 + env: + - name: AZURE_CREDENTIAL_FILE + valueFrom: + configMapKeyRef: + name: azure-cred-file + key: path + optional: true + - name: CSI_ENDPOINT + value: unix:///csi/csi.sock + - name: AZUREFILE_PROXY_ENDPOINT + value: unix:///csi/azurefile-proxy.sock + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + securityContext: + privileged: true + capabilities: + drop: + - ALL + volumeMounts: + - mountPath: /csi + name: socket-dir + - mountPath: /var/lib/kubelet/ + mountPropagation: Bidirectional + name: mountpoint-dir + - mountPath: /etc/kubernetes/ + name: azure-cred + - mountPath: /dev + name: device-dir + - mountPath: /run/kata-containers/shared/direct-volumes + name: kata-direct-volumes + resources: + limits: + memory: 400Mi + requests: + cpu: 10m + memory: 20Mi + volumes: + - name: host-usr + hostPath: + path: /usr + - name: host-etc + hostPath: + path: /etc + - hostPath: + path: /var/lib/kubelet/plugins/file.csi.azure.com + type: DirectoryOrCreate + name: socket-dir + - hostPath: + path: /var/lib/kubelet/ + type: DirectoryOrCreate + name: mountpoint-dir + - hostPath: + path: /var/lib/kubelet/plugins_registry/ + type: DirectoryOrCreate + name: registration-dir + - hostPath: + path: /etc/kubernetes/ + type: DirectoryOrCreate + name: azure-cred + - hostPath: + path: /dev + type: Directory + name: device-dir + - name: kata-direct-volumes + hostPath: + path: /run/kata-containers/shared/direct-volumes/ + type: DirectoryOrCreate +--- diff --git a/deploy/v1.33.7/csi-snapshot-controller.yaml b/deploy/v1.33.7/csi-snapshot-controller.yaml new file mode 100644 index 0000000000..4e34d50b38 --- /dev/null +++ b/deploy/v1.33.7/csi-snapshot-controller.yaml @@ -0,0 +1,63 @@ +--- +kind: Deployment +apiVersion: apps/v1 +metadata: + name: csi-snapshot-controller + namespace: kube-system +spec: + replicas: 2 + selector: + matchLabels: + app: csi-snapshot-controller + # the snapshot controller won't be marked as ready if the v1 CRDs are unavailable + # in #504 the snapshot-controller will exit after around 7.5 seconds if it + # can't find the v1 CRDs so this value should be greater than that + minReadySeconds: 15 + strategy: + rollingUpdate: + maxSurge: 0 + maxUnavailable: 1 + type: RollingUpdate + template: + metadata: + labels: + app: csi-snapshot-controller + spec: + serviceAccountName: csi-snapshot-controller-sa + nodeSelector: + kubernetes.io/os: linux + priorityClassName: system-cluster-critical + securityContext: + seccompProfile: + type: RuntimeDefault + tolerations: + - key: "node-role.kubernetes.io/master" + operator: "Equal" + value: "true" + effect: "NoSchedule" + - key: "node-role.kubernetes.io/controlplane" + operator: "Equal" + value: "true" + effect: "NoSchedule" + - key: "node-role.kubernetes.io/control-plane" + operator: "Equal" + value: "true" + effect: "NoSchedule" + containers: + - name: csi-snapshot-controller + image: mcr.microsoft.com/oss/v2/kubernetes-csi/snapshot-controller:v8.4.0 + args: + - "--v=2" + - "--leader-election=true" + - "--leader-election-namespace=kube-system" + - "--retry-interval-max=30m" + resources: + limits: + memory: 500Mi + requests: + cpu: 10m + memory: 20Mi + securityContext: + capabilities: + drop: + - ALL diff --git a/deploy/v1.33.7/rbac-csi-azurefile-controller.yaml b/deploy/v1.33.7/rbac-csi-azurefile-controller.yaml new file mode 100644 index 0000000000..b3baefcf04 --- /dev/null +++ b/deploy/v1.33.7/rbac-csi-azurefile-controller.yaml @@ -0,0 +1,195 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: csi-azurefile-controller-sa + namespace: kube-system + +--- + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: azurefile-external-provisioner-role +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "create", "patch", "delete"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["storage.k8s.io"] + resources: ["storageclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["get", "list", "watch", "create", "update", "patch"] + - apiGroups: ["storage.k8s.io"] + resources: ["csinodes"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "watch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots"] + verbs: ["get", "list"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["get", "list"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create", "patch"] +--- + +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: azurefile-csi-provisioner-binding +subjects: + - kind: ServiceAccount + name: csi-azurefile-controller-sa + namespace: kube-system +roleRef: + kind: ClusterRole + name: azurefile-external-provisioner-role + apiGroup: rbac.authorization.k8s.io + +--- + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: azurefile-external-attacher-role +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "watch"] + - apiGroups: ["csi.storage.k8s.io"] + resources: ["csinodeinfos"] + verbs: ["get", "list", "watch"] + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments/status"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create", "patch"] +--- + +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: azurefile-csi-attacher-binding +subjects: + - kind: ServiceAccount + name: csi-azurefile-controller-sa + namespace: kube-system +roleRef: + kind: ClusterRole + name: azurefile-external-attacher-role + apiGroup: rbac.authorization.k8s.io + +--- + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: azurefile-external-snapshotter-role +rules: + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["create", "get", "list", "watch", "update", "delete", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents/status"] + verbs: ["update", "patch"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create", "patch"] + +--- + +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: azurefile-csi-snapshotter-binding +subjects: + - kind: ServiceAccount + name: csi-azurefile-controller-sa + namespace: kube-system +roleRef: + kind: ClusterRole + name: azurefile-external-snapshotter-role + apiGroup: rbac.authorization.k8s.io + +--- + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: azurefile-external-resizer-role +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["persistentvolumeclaims/status"] + verbs: ["update", "patch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: azurefile-csi-resizer-role +subjects: + - kind: ServiceAccount + name: csi-azurefile-controller-sa + namespace: kube-system +roleRef: + kind: ClusterRole + name: azurefile-external-resizer-role + apiGroup: rbac.authorization.k8s.io + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-azurefile-controller-secret-role +rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "create"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-azurefile-controller-secret-binding +subjects: + - kind: ServiceAccount + name: csi-azurefile-controller-sa + namespace: kube-system +roleRef: + kind: ClusterRole + name: csi-azurefile-controller-secret-role + apiGroup: rbac.authorization.k8s.io +--- diff --git a/deploy/v1.33.7/rbac-csi-azurefile-node.yaml b/deploy/v1.33.7/rbac-csi-azurefile-node.yaml new file mode 100644 index 0000000000..d7b10b2d7e --- /dev/null +++ b/deploy/v1.33.7/rbac-csi-azurefile-node.yaml @@ -0,0 +1,59 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: csi-azurefile-node-sa + namespace: kube-system + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-azurefile-node-secret-role +rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-azurefile-node-secret-binding +subjects: + - kind: ServiceAccount + name: csi-azurefile-node-sa + namespace: kube-system +roleRef: + kind: ClusterRole + name: csi-azurefile-node-secret-role + apiGroup: rbac.authorization.k8s.io +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-azurefile-node-katacc-role +rules: + - apiGroups: [""] + resources: ["pods"] + verbs: ["get"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get"] + - apiGroups: ["node.k8s.io"] + resources: ["runtimeclasses"] + verbs: ["get", "list"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-azurefile-node-katacc-binding +subjects: + - kind: ServiceAccount + name: csi-azurefile-node-sa + namespace: kube-system +roleRef: + kind: ClusterRole + name: csi-azurefile-node-katacc-role + apiGroup: rbac.authorization.k8s.io +--- diff --git a/deploy/v1.33.7/rbac-csi-snapshot-controller.yaml b/deploy/v1.33.7/rbac-csi-snapshot-controller.yaml new file mode 100644 index 0000000000..8ef9352476 --- /dev/null +++ b/deploy/v1.33.7/rbac-csi-snapshot-controller.yaml @@ -0,0 +1,78 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: csi-snapshot-controller-sa + namespace: kube-system + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-snapshot-controller-role +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["storage.k8s.io"] + resources: ["storageclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["create", "get", "list", "watch", "update", "delete", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents/status"] + verbs: ["patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots"] + verbs: ["get", "list", "watch", "update", "patch", "create"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots/status"] + verbs: ["update", "patch"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-snapshot-controller-binding +subjects: + - kind: ServiceAccount + name: csi-snapshot-controller-sa + namespace: kube-system +roleRef: + kind: ClusterRole + name: csi-snapshot-controller-role + apiGroup: rbac.authorization.k8s.io + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-snapshot-controller-leaderelection-role +rules: + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create", "patch"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-snapshot-controller-leaderelection-binding +subjects: + - kind: ServiceAccount + name: csi-snapshot-controller-sa + namespace: kube-system +roleRef: + kind: ClusterRole + name: csi-snapshot-controller-leaderelection-role + apiGroup: rbac.authorization.k8s.io diff --git a/deploy/v1.34.0/csi-azurefile-controller.yaml b/deploy/v1.34.0/csi-azurefile-controller.yaml index 5104e97b96..e949a18e27 100644 --- a/deploy/v1.34.0/csi-azurefile-controller.yaml +++ b/deploy/v1.34.0/csi-azurefile-controller.yaml @@ -137,7 +137,7 @@ spec: drop: - ALL - name: azurefile - image: mcr.microsoft.com/oss/v2/kubernetes-csi/azurefile-csi:v1.34.0 + image: mcr.microsoft.com/oss/v2/kubernetes-csi/azurefile-csi:v1.34.0-2 imagePullPolicy: IfNotPresent args: - "--v=5" diff --git a/deploy/v1.34.0/csi-azurefile-node.yaml b/deploy/v1.34.0/csi-azurefile-node.yaml index 9e931e4152..1c04bcbb0e 100644 --- a/deploy/v1.34.0/csi-azurefile-node.yaml +++ b/deploy/v1.34.0/csi-azurefile-node.yaml @@ -40,7 +40,7 @@ spec: - operator: "Exists" initContainers: - name: install-azurefile-proxy - image: mcr.microsoft.com/oss/v2/kubernetes-csi/azurefile-csi:v1.34.0 + image: mcr.microsoft.com/oss/v2/kubernetes-csi/azurefile-csi:v1.34.0-2 imagePullPolicy: IfNotPresent command: - "/azurefile-proxy/init.sh" @@ -116,7 +116,7 @@ spec: drop: - ALL - name: azurefile - image: mcr.microsoft.com/oss/v2/kubernetes-csi/azurefile-csi:v1.34.0 + image: mcr.microsoft.com/oss/v2/kubernetes-csi/azurefile-csi:v1.34.0-2 imagePullPolicy: IfNotPresent args: - "--v=5" @@ -179,7 +179,7 @@ spec: cpu: 10m memory: 20Mi - name: azfilesrefresh - image: mcr.microsoft.com/oss/v2/kubernetes-csi/azurefile-csi:v1.34.0 + image: mcr.microsoft.com/oss/v2/kubernetes-csi/azurefile-csi:v1.34.0-2 imagePullPolicy: IfNotPresent command: - "azfilesrefresh" diff --git a/deploy/v1.34.1/csi-azurefile-node.yaml b/deploy/v1.34.1/csi-azurefile-node.yaml index acc03e400f..b4b824e8e7 100644 --- a/deploy/v1.34.1/csi-azurefile-node.yaml +++ b/deploy/v1.34.1/csi-azurefile-node.yaml @@ -168,8 +168,8 @@ spec: name: device-dir - mountPath: /run/kata-containers/shared/direct-volumes name: kata-direct-volumes - - name: host-etc - mountPath: /etc + - name: azfilesauth + mountPath: /etc/azfilesauth - name: log-dir mountPath: /var/log/ resources: @@ -192,8 +192,8 @@ spec: - mountPath: /var/lib/kubelet/ mountPropagation: Bidirectional name: mountpoint-dir - - name: host-etc - mountPath: /etc + - name: azfilesauth + mountPath: /etc/azfilesauth - name: log-dir mountPath: /var/log/ resources: @@ -209,6 +209,10 @@ spec: - name: host-etc hostPath: path: /etc + - name: azfilesauth + hostPath: + path: /etc/azfilesauth + type: DirectoryOrCreate - hostPath: path: /var/lib/kubelet/plugins/file.csi.azure.com type: DirectoryOrCreate diff --git a/deploy/v1.34.2/crd-csi-snapshot.yaml b/deploy/v1.34.2/crd-csi-snapshot.yaml new file mode 100644 index 0000000000..b82d729d5e --- /dev/null +++ b/deploy/v1.34.2/crd-csi-snapshot.yaml @@ -0,0 +1,951 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + api-approved.kubernetes.io: "https://github.com/kubernetes-csi/external-snapshotter/pull/814" + name: volumesnapshots.snapshot.storage.k8s.io +spec: + group: snapshot.storage.k8s.io + names: + kind: VolumeSnapshot + listKind: VolumeSnapshotList + plural: volumesnapshots + shortNames: + - vs + singular: volumesnapshot + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Indicates if the snapshot is ready to be used to restore a volume. + jsonPath: .status.readyToUse + name: ReadyToUse + type: boolean + - description: If a new snapshot needs to be created, this contains the name of + the source PVC from which this snapshot was (or will be) created. + jsonPath: .spec.source.persistentVolumeClaimName + name: SourcePVC + type: string + - description: If a snapshot already exists, this contains the name of the existing + VolumeSnapshotContent object representing the existing snapshot. + jsonPath: .spec.source.volumeSnapshotContentName + name: SourceSnapshotContent + type: string + - description: Represents the minimum size of volume required to rehydrate from + this snapshot. + jsonPath: .status.restoreSize + name: RestoreSize + type: string + - description: The name of the VolumeSnapshotClass requested by the VolumeSnapshot. + jsonPath: .spec.volumeSnapshotClassName + name: SnapshotClass + type: string + - description: Name of the VolumeSnapshotContent object to which the VolumeSnapshot + object intends to bind to. Please note that verification of binding actually + requires checking both VolumeSnapshot and VolumeSnapshotContent to ensure + both are pointing at each other. Binding MUST be verified prior to usage of + this object. + jsonPath: .status.boundVolumeSnapshotContentName + name: SnapshotContent + type: string + - description: Timestamp when the point-in-time snapshot was taken by the underlying + storage system. + jsonPath: .status.creationTime + name: CreationTime + type: date + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + VolumeSnapshot is a user's request for either creating a point-in-time + snapshot of a persistent volume, or binding to a pre-existing snapshot. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + spec defines the desired characteristics of a snapshot requested by a user. + More info: https://kubernetes.io/docs/concepts/storage/volume-snapshots#volumesnapshots + Required. + properties: + source: + description: |- + source specifies where a snapshot will be created from. + This field is immutable after creation. + Required. + properties: + persistentVolumeClaimName: + description: |- + persistentVolumeClaimName specifies the name of the PersistentVolumeClaim + object representing the volume from which a snapshot should be created. + This PVC is assumed to be in the same namespace as the VolumeSnapshot + object. + This field should be set if the snapshot does not exists, and needs to be + created. + This field is immutable. + type: string + x-kubernetes-validations: + - message: persistentVolumeClaimName is immutable + rule: self == oldSelf + volumeSnapshotContentName: + description: |- + volumeSnapshotContentName specifies the name of a pre-existing VolumeSnapshotContent + object representing an existing volume snapshot. + This field should be set if the snapshot already exists and only needs a representation in Kubernetes. + This field is immutable. + type: string + x-kubernetes-validations: + - message: volumeSnapshotContentName is immutable + rule: self == oldSelf + type: object + x-kubernetes-validations: + - message: persistentVolumeClaimName is required once set + rule: '!has(oldSelf.persistentVolumeClaimName) || has(self.persistentVolumeClaimName)' + - message: volumeSnapshotContentName is required once set + rule: '!has(oldSelf.volumeSnapshotContentName) || has(self.volumeSnapshotContentName)' + - message: exactly one of volumeSnapshotContentName and persistentVolumeClaimName + must be set + rule: (has(self.volumeSnapshotContentName) && !has(self.persistentVolumeClaimName)) + || (!has(self.volumeSnapshotContentName) && has(self.persistentVolumeClaimName)) + volumeSnapshotClassName: + description: |- + VolumeSnapshotClassName is the name of the VolumeSnapshotClass + requested by the VolumeSnapshot. + VolumeSnapshotClassName may be left nil to indicate that the default + SnapshotClass should be used. + A given cluster may have multiple default Volume SnapshotClasses: one + default per CSI Driver. If a VolumeSnapshot does not specify a SnapshotClass, + VolumeSnapshotSource will be checked to figure out what the associated + CSI Driver is, and the default VolumeSnapshotClass associated with that + CSI Driver will be used. If more than one VolumeSnapshotClass exist for + a given CSI Driver and more than one have been marked as default, + CreateSnapshot will fail and generate an event. + Empty string is not allowed for this field. + type: string + x-kubernetes-validations: + - message: volumeSnapshotClassName must not be the empty string when + set + rule: size(self) > 0 + required: + - source + type: object + status: + description: |- + status represents the current information of a snapshot. + Consumers must verify binding between VolumeSnapshot and + VolumeSnapshotContent objects is successful (by validating that both + VolumeSnapshot and VolumeSnapshotContent point at each other) before + using this object. + properties: + boundVolumeSnapshotContentName: + description: |- + boundVolumeSnapshotContentName is the name of the VolumeSnapshotContent + object to which this VolumeSnapshot object intends to bind to. + If not specified, it indicates that the VolumeSnapshot object has not been + successfully bound to a VolumeSnapshotContent object yet. + NOTE: To avoid possible security issues, consumers must verify binding between + VolumeSnapshot and VolumeSnapshotContent objects is successful (by validating that + both VolumeSnapshot and VolumeSnapshotContent point at each other) before using + this object. + type: string + creationTime: + description: |- + creationTime is the timestamp when the point-in-time snapshot is taken + by the underlying storage system. + In dynamic snapshot creation case, this field will be filled in by the + snapshot controller with the "creation_time" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "creation_time" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. + If not specified, it may indicate that the creation time of the snapshot is unknown. + format: date-time + type: string + error: + description: |- + error is the last observed error during snapshot creation, if any. + This field could be helpful to upper level controllers(i.e., application controller) + to decide whether they should continue on waiting for the snapshot to be created + based on the type of error reported. + The snapshot controller will keep retrying when an error occurs during the + snapshot creation. Upon success, this error field will be cleared. + properties: + message: + description: |- + message is a string detailing the encountered error during snapshot + creation if specified. + NOTE: message may be logged, and it should not contain sensitive + information. + type: string + time: + description: time is the timestamp when the error was encountered. + format: date-time + type: string + type: object + readyToUse: + description: |- + readyToUse indicates if the snapshot is ready to be used to restore a volume. + In dynamic snapshot creation case, this field will be filled in by the + snapshot controller with the "ready_to_use" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "ready_to_use" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it, + otherwise, this field will be set to "True". + If not specified, it means the readiness of a snapshot is unknown. + type: boolean + restoreSize: + type: string + description: |- + restoreSize represents the minimum size of volume required to create a volume + from this snapshot. + In dynamic snapshot creation case, this field will be filled in by the + snapshot controller with the "size_bytes" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "size_bytes" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. + When restoring a volume from this snapshot, the size of the volume MUST NOT + be smaller than the restoreSize if it is specified, otherwise the restoration will fail. + If not specified, it indicates that the size is unknown. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + volumeGroupSnapshotName: + description: |- + VolumeGroupSnapshotName is the name of the VolumeGroupSnapshot of which this + VolumeSnapshot is a part of. + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: Indicates if the snapshot is ready to be used to restore a volume. + jsonPath: .status.readyToUse + name: ReadyToUse + type: boolean + - description: If a new snapshot needs to be created, this contains the name of the source PVC from which this snapshot was (or will be) created. + jsonPath: .spec.source.persistentVolumeClaimName + name: SourcePVC + type: string + - description: If a snapshot already exists, this contains the name of the existing VolumeSnapshotContent object representing the existing snapshot. + jsonPath: .spec.source.volumeSnapshotContentName + name: SourceSnapshotContent + type: string + - description: Represents the minimum size of volume required to rehydrate from this snapshot. + jsonPath: .status.restoreSize + name: RestoreSize + type: string + - description: The name of the VolumeSnapshotClass requested by the VolumeSnapshot. + jsonPath: .spec.volumeSnapshotClassName + name: SnapshotClass + type: string + - description: Name of the VolumeSnapshotContent object to which the VolumeSnapshot object intends to bind to. Please note that verification of binding actually requires checking both VolumeSnapshot and VolumeSnapshotContent to ensure both are pointing at each other. Binding MUST be verified prior to usage of this object. + jsonPath: .status.boundVolumeSnapshotContentName + name: SnapshotContent + type: string + - description: Timestamp when the point-in-time snapshot was taken by the underlying storage system. + jsonPath: .status.creationTime + name: CreationTime + type: date + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + # This indicates the v1beta1 version of the custom resource is deprecated. + # API requests to this version receive a warning in the server response. + deprecated: true + # This overrides the default warning returned to clients making v1beta1 API requests. + deprecationWarning: "snapshot.storage.k8s.io/v1beta1 VolumeSnapshot is deprecated; use snapshot.storage.k8s.io/v1 VolumeSnapshot" + schema: + openAPIV3Schema: + description: VolumeSnapshot is a user's request for either creating a point-in-time snapshot of a persistent volume, or binding to a pre-existing snapshot. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + spec: + description: 'spec defines the desired characteristics of a snapshot requested by a user. More info: https://kubernetes.io/docs/concepts/storage/volume-snapshots#volumesnapshots Required.' + properties: + source: + description: source specifies where a snapshot will be created from. This field is immutable after creation. Required. + properties: + persistentVolumeClaimName: + description: persistentVolumeClaimName specifies the name of the PersistentVolumeClaim object representing the volume from which a snapshot should be created. This PVC is assumed to be in the same namespace as the VolumeSnapshot object. This field should be set if the snapshot does not exists, and needs to be created. This field is immutable. + type: string + volumeSnapshotContentName: + description: volumeSnapshotContentName specifies the name of a pre-existing VolumeSnapshotContent object representing an existing volume snapshot. This field should be set if the snapshot already exists and only needs a representation in Kubernetes. This field is immutable. + type: string + type: object + volumeSnapshotClassName: + description: 'VolumeSnapshotClassName is the name of the VolumeSnapshotClass requested by the VolumeSnapshot. VolumeSnapshotClassName may be left nil to indicate that the default SnapshotClass should be used. A given cluster may have multiple default Volume SnapshotClasses: one default per CSI Driver. If a VolumeSnapshot does not specify a SnapshotClass, VolumeSnapshotSource will be checked to figure out what the associated CSI Driver is, and the default VolumeSnapshotClass associated with that CSI Driver will be used. If more than one VolumeSnapshotClass exist for a given CSI Driver and more than one have been marked as default, CreateSnapshot will fail and generate an event. Empty string is not allowed for this field.' + type: string + required: + - source + type: object + status: + description: status represents the current information of a snapshot. Consumers must verify binding between VolumeSnapshot and VolumeSnapshotContent objects is successful (by validating that both VolumeSnapshot and VolumeSnapshotContent point at each other) before using this object. + properties: + boundVolumeSnapshotContentName: + description: 'boundVolumeSnapshotContentName is the name of the VolumeSnapshotContent object to which this VolumeSnapshot object intends to bind to. If not specified, it indicates that the VolumeSnapshot object has not been successfully bound to a VolumeSnapshotContent object yet. NOTE: To avoid possible security issues, consumers must verify binding between VolumeSnapshot and VolumeSnapshotContent objects is successful (by validating that both VolumeSnapshot and VolumeSnapshotContent point at each other) before using this object.' + type: string + creationTime: + description: creationTime is the timestamp when the point-in-time snapshot is taken by the underlying storage system. In dynamic snapshot creation case, this field will be filled in by the snapshot controller with the "creation_time" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "creation_time" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. If not specified, it may indicate that the creation time of the snapshot is unknown. + format: date-time + type: string + error: + description: error is the last observed error during snapshot creation, if any. This field could be helpful to upper level controllers(i.e., application controller) to decide whether they should continue on waiting for the snapshot to be created based on the type of error reported. The snapshot controller will keep retrying when an error occurs during the snapshot creation. Upon success, this error field will be cleared. + properties: + message: + description: 'message is a string detailing the encountered error during snapshot creation if specified. NOTE: message may be logged, and it should not contain sensitive information.' + type: string + time: + description: time is the timestamp when the error was encountered. + format: date-time + type: string + type: object + readyToUse: + description: readyToUse indicates if the snapshot is ready to be used to restore a volume. In dynamic snapshot creation case, this field will be filled in by the snapshot controller with the "ready_to_use" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "ready_to_use" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it, otherwise, this field will be set to "True". If not specified, it means the readiness of a snapshot is unknown. + type: boolean + restoreSize: + type: string + description: restoreSize represents the minimum size of volume required to create a volume from this snapshot. In dynamic snapshot creation case, this field will be filled in by the snapshot controller with the "size_bytes" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "size_bytes" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. When restoring a volume from this snapshot, the size of the volume MUST NOT be smaller than the restoreSize if it is specified, otherwise the restoration will fail. If not specified, it indicates that the size is unknown. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + required: + - spec + type: object + served: false + storage: false + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: "https://github.com/kubernetes-csi/external-snapshotter/pull/814" + controller-gen.kubebuilder.io/version: v0.15.0 + name: volumesnapshotclasses.snapshot.storage.k8s.io +spec: + group: snapshot.storage.k8s.io + names: + kind: VolumeSnapshotClass + listKind: VolumeSnapshotClassList + plural: volumesnapshotclasses + shortNames: + - vsclass + - vsclasses + singular: volumesnapshotclass + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .driver + name: Driver + type: string + - description: Determines whether a VolumeSnapshotContent created through the + VolumeSnapshotClass should be deleted when its bound VolumeSnapshot is deleted. + jsonPath: .deletionPolicy + name: DeletionPolicy + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + VolumeSnapshotClass specifies parameters that a underlying storage system uses when + creating a volume snapshot. A specific VolumeSnapshotClass is used by specifying its + name in a VolumeSnapshot object. + VolumeSnapshotClasses are non-namespaced + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + deletionPolicy: + description: |- + deletionPolicy determines whether a VolumeSnapshotContent created through + the VolumeSnapshotClass should be deleted when its bound VolumeSnapshot is deleted. + Supported values are "Retain" and "Delete". + "Retain" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are kept. + "Delete" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are deleted. + Required. + enum: + - Delete + - Retain + type: string + driver: + description: |- + driver is the name of the storage driver that handles this VolumeSnapshotClass. + Required. + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + parameters: + additionalProperties: + type: string + description: |- + parameters is a key-value map with storage driver specific parameters for creating snapshots. + These values are opaque to Kubernetes. + type: object + required: + - deletionPolicy + - driver + type: object + served: true + storage: true + subresources: {} + - additionalPrinterColumns: + - jsonPath: .driver + name: Driver + type: string + - description: Determines whether a VolumeSnapshotContent created through the VolumeSnapshotClass should be deleted when its bound VolumeSnapshot is deleted. + jsonPath: .deletionPolicy + name: DeletionPolicy + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + # This indicates the v1beta1 version of the custom resource is deprecated. + # API requests to this version receive a warning in the server response. + deprecated: true + # This overrides the default warning returned to clients making v1beta1 API requests. + deprecationWarning: "snapshot.storage.k8s.io/v1beta1 VolumeSnapshotClass is deprecated; use snapshot.storage.k8s.io/v1 VolumeSnapshotClass" + schema: + openAPIV3Schema: + description: VolumeSnapshotClass specifies parameters that a underlying storage system uses when creating a volume snapshot. A specific VolumeSnapshotClass is used by specifying its name in a VolumeSnapshot object. VolumeSnapshotClasses are non-namespaced + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + deletionPolicy: + description: deletionPolicy determines whether a VolumeSnapshotContent created through the VolumeSnapshotClass should be deleted when its bound VolumeSnapshot is deleted. Supported values are "Retain" and "Delete". "Retain" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are kept. "Delete" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are deleted. Required. + enum: + - Delete + - Retain + type: string + driver: + description: driver is the name of the storage driver that handles this VolumeSnapshotClass. Required. + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + parameters: + additionalProperties: + type: string + description: parameters is a key-value map with storage driver specific parameters for creating snapshots. These values are opaque to Kubernetes. + type: object + required: + - deletionPolicy + - driver + type: object + served: false + storage: false + subresources: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + api-approved.kubernetes.io: "https://github.com/kubernetes-csi/external-snapshotter/pull/955" + name: volumesnapshotcontents.snapshot.storage.k8s.io +spec: + group: snapshot.storage.k8s.io + names: + kind: VolumeSnapshotContent + listKind: VolumeSnapshotContentList + plural: volumesnapshotcontents + shortNames: + - vsc + - vscs + singular: volumesnapshotcontent + scope: Cluster + versions: + - additionalPrinterColumns: + - description: Indicates if the snapshot is ready to be used to restore a volume. + jsonPath: .status.readyToUse + name: ReadyToUse + type: boolean + - description: Represents the complete size of the snapshot in bytes + jsonPath: .status.restoreSize + name: RestoreSize + type: integer + - description: Determines whether this VolumeSnapshotContent and its physical + snapshot on the underlying storage system should be deleted when its bound + VolumeSnapshot is deleted. + jsonPath: .spec.deletionPolicy + name: DeletionPolicy + type: string + - description: Name of the CSI driver used to create the physical snapshot on + the underlying storage system. + jsonPath: .spec.driver + name: Driver + type: string + - description: Name of the VolumeSnapshotClass to which this snapshot belongs. + jsonPath: .spec.volumeSnapshotClassName + name: VolumeSnapshotClass + type: string + - description: Name of the VolumeSnapshot object to which this VolumeSnapshotContent + object is bound. + jsonPath: .spec.volumeSnapshotRef.name + name: VolumeSnapshot + type: string + - description: Namespace of the VolumeSnapshot object to which this VolumeSnapshotContent + object is bound. + jsonPath: .spec.volumeSnapshotRef.namespace + name: VolumeSnapshotNamespace + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + VolumeSnapshotContent represents the actual "on-disk" snapshot object in the + underlying storage system + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + spec defines properties of a VolumeSnapshotContent created by the underlying storage system. + Required. + properties: + deletionPolicy: + description: |- + deletionPolicy determines whether this VolumeSnapshotContent and its physical snapshot on + the underlying storage system should be deleted when its bound VolumeSnapshot is deleted. + Supported values are "Retain" and "Delete". + "Retain" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are kept. + "Delete" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are deleted. + For dynamically provisioned snapshots, this field will automatically be filled in by the + CSI snapshotter sidecar with the "DeletionPolicy" field defined in the corresponding + VolumeSnapshotClass. + For pre-existing snapshots, users MUST specify this field when creating the + VolumeSnapshotContent object. + Required. + enum: + - Delete + - Retain + type: string + driver: + description: |- + driver is the name of the CSI driver used to create the physical snapshot on + the underlying storage system. + This MUST be the same as the name returned by the CSI GetPluginName() call for + that driver. + Required. + type: string + source: + description: |- + source specifies whether the snapshot is (or should be) dynamically provisioned + or already exists, and just requires a Kubernetes object representation. + This field is immutable after creation. + Required. + properties: + snapshotHandle: + description: |- + snapshotHandle specifies the CSI "snapshot_id" of a pre-existing snapshot on + the underlying storage system for which a Kubernetes object representation + was (or should be) created. + This field is immutable. + type: string + x-kubernetes-validations: + - message: snapshotHandle is immutable + rule: self == oldSelf + volumeHandle: + description: |- + volumeHandle specifies the CSI "volume_id" of the volume from which a snapshot + should be dynamically taken from. + This field is immutable. + type: string + x-kubernetes-validations: + - message: volumeHandle is immutable + rule: self == oldSelf + type: object + x-kubernetes-validations: + - message: volumeHandle is required once set + rule: '!has(oldSelf.volumeHandle) || has(self.volumeHandle)' + - message: snapshotHandle is required once set + rule: '!has(oldSelf.snapshotHandle) || has(self.snapshotHandle)' + - message: exactly one of volumeHandle and snapshotHandle must be + set + rule: (has(self.volumeHandle) && !has(self.snapshotHandle)) || (!has(self.volumeHandle) + && has(self.snapshotHandle)) + sourceVolumeMode: + description: |- + SourceVolumeMode is the mode of the volume whose snapshot is taken. + Can be either "Filesystem" or "Block". + If not specified, it indicates the source volume's mode is unknown. + This field is immutable. + This field is an alpha field. + type: string + x-kubernetes-validations: + - message: sourceVolumeMode is immutable + rule: self == oldSelf + volumeSnapshotClassName: + description: |- + name of the VolumeSnapshotClass from which this snapshot was (or will be) + created. + Note that after provisioning, the VolumeSnapshotClass may be deleted or + recreated with different set of values, and as such, should not be referenced + post-snapshot creation. + type: string + volumeSnapshotRef: + description: |- + volumeSnapshotRef specifies the VolumeSnapshot object to which this + VolumeSnapshotContent object is bound. + VolumeSnapshot.Spec.VolumeSnapshotContentName field must reference to + this VolumeSnapshotContent's name for the bidirectional binding to be valid. + For a pre-existing VolumeSnapshotContent object, name and namespace of the + VolumeSnapshot object MUST be provided for binding to happen. + This field is immutable after creation. + Required. + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. + type: string + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + namespace: + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + type: string + resourceVersion: + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + type: string + uid: + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + type: string + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: both spec.volumeSnapshotRef.name and spec.volumeSnapshotRef.namespace + must be set + rule: has(self.name) && has(self.__namespace__) + required: + - deletionPolicy + - driver + - source + - volumeSnapshotRef + type: object + x-kubernetes-validations: + - message: sourceVolumeMode is required once set + rule: '!has(oldSelf.sourceVolumeMode) || has(self.sourceVolumeMode)' + status: + description: status represents the current information of a snapshot. + properties: + creationTime: + description: |- + creationTime is the timestamp when the point-in-time snapshot is taken + by the underlying storage system. + In dynamic snapshot creation case, this field will be filled in by the + CSI snapshotter sidecar with the "creation_time" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "creation_time" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. + If not specified, it indicates the creation time is unknown. + The format of this field is a Unix nanoseconds time encoded as an int64. + On Unix, the command `date +%s%N` returns the current time in nanoseconds + since 1970-01-01 00:00:00 UTC. + format: int64 + type: integer + error: + description: |- + error is the last observed error during snapshot creation, if any. + Upon success after retry, this error field will be cleared. + properties: + message: + description: |- + message is a string detailing the encountered error during snapshot + creation if specified. + NOTE: message may be logged, and it should not contain sensitive + information. + type: string + time: + description: time is the timestamp when the error was encountered. + format: date-time + type: string + type: object + readyToUse: + description: |- + readyToUse indicates if a snapshot is ready to be used to restore a volume. + In dynamic snapshot creation case, this field will be filled in by the + CSI snapshotter sidecar with the "ready_to_use" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "ready_to_use" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it, + otherwise, this field will be set to "True". + If not specified, it means the readiness of a snapshot is unknown. + type: boolean + restoreSize: + description: |- + restoreSize represents the complete size of the snapshot in bytes. + In dynamic snapshot creation case, this field will be filled in by the + CSI snapshotter sidecar with the "size_bytes" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "size_bytes" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. + When restoring a volume from this snapshot, the size of the volume MUST NOT + be smaller than the restoreSize if it is specified, otherwise the restoration will fail. + If not specified, it indicates that the size is unknown. + format: int64 + minimum: 0 + type: integer + snapshotHandle: + description: |- + snapshotHandle is the CSI "snapshot_id" of a snapshot on the underlying storage system. + If not specified, it indicates that dynamic snapshot creation has either failed + or it is still in progress. + type: string + volumeGroupSnapshotHandle: + description: |- + VolumeGroupSnapshotHandle is the CSI "group_snapshot_id" of a group snapshot + on the underlying storage system. + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: Indicates if the snapshot is ready to be used to restore a volume. + jsonPath: .status.readyToUse + name: ReadyToUse + type: boolean + - description: Represents the complete size of the snapshot in bytes + jsonPath: .status.restoreSize + name: RestoreSize + type: integer + - description: Determines whether this VolumeSnapshotContent and its physical snapshot on the underlying storage system should be deleted when its bound VolumeSnapshot is deleted. + jsonPath: .spec.deletionPolicy + name: DeletionPolicy + type: string + - description: Name of the CSI driver used to create the physical snapshot on the underlying storage system. + jsonPath: .spec.driver + name: Driver + type: string + - description: Name of the VolumeSnapshotClass to which this snapshot belongs. + jsonPath: .spec.volumeSnapshotClassName + name: VolumeSnapshotClass + type: string + - description: Name of the VolumeSnapshot object to which this VolumeSnapshotContent object is bound. + jsonPath: .spec.volumeSnapshotRef.name + name: VolumeSnapshot + type: string + - description: Namespace of the VolumeSnapshot object to which this VolumeSnapshotContent object is bound. + jsonPath: .spec.volumeSnapshotRef.namespace + name: VolumeSnapshotNamespace + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + # This indicates the v1beta1 version of the custom resource is deprecated. + # API requests to this version receive a warning in the server response. + deprecated: true + # This overrides the default warning returned to clients making v1beta1 API requests. + deprecationWarning: "snapshot.storage.k8s.io/v1beta1 VolumeSnapshotContent is deprecated; use snapshot.storage.k8s.io/v1 VolumeSnapshotContent" + schema: + openAPIV3Schema: + description: VolumeSnapshotContent represents the actual "on-disk" snapshot object in the underlying storage system + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + spec: + description: spec defines properties of a VolumeSnapshotContent created by the underlying storage system. Required. + properties: + deletionPolicy: + description: deletionPolicy determines whether this VolumeSnapshotContent and its physical snapshot on the underlying storage system should be deleted when its bound VolumeSnapshot is deleted. Supported values are "Retain" and "Delete". "Retain" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are kept. "Delete" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are deleted. For dynamically provisioned snapshots, this field will automatically be filled in by the CSI snapshotter sidecar with the "DeletionPolicy" field defined in the corresponding VolumeSnapshotClass. For pre-existing snapshots, users MUST specify this field when creating the VolumeSnapshotContent object. Required. + enum: + - Delete + - Retain + type: string + driver: + description: driver is the name of the CSI driver used to create the physical snapshot on the underlying storage system. This MUST be the same as the name returned by the CSI GetPluginName() call for that driver. Required. + type: string + source: + description: source specifies whether the snapshot is (or should be) dynamically provisioned or already exists, and just requires a Kubernetes object representation. This field is immutable after creation. Required. + properties: + snapshotHandle: + description: snapshotHandle specifies the CSI "snapshot_id" of a pre-existing snapshot on the underlying storage system for which a Kubernetes object representation was (or should be) created. This field is immutable. + type: string + volumeHandle: + description: volumeHandle specifies the CSI "volume_id" of the volume from which a snapshot should be dynamically taken from. This field is immutable. + type: string + type: object + volumeSnapshotClassName: + description: name of the VolumeSnapshotClass from which this snapshot was (or will be) created. Note that after provisioning, the VolumeSnapshotClass may be deleted or recreated with different set of values, and as such, should not be referenced post-snapshot creation. + type: string + volumeSnapshotRef: + description: volumeSnapshotRef specifies the VolumeSnapshot object to which this VolumeSnapshotContent object is bound. VolumeSnapshot.Spec.VolumeSnapshotContentName field must reference to this VolumeSnapshotContent's name for the bidirectional binding to be valid. For a pre-existing VolumeSnapshotContent object, name and namespace of the VolumeSnapshot object MUST be provided for binding to happen. This field is immutable after creation. Required. + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + required: + - deletionPolicy + - driver + - source + - volumeSnapshotRef + type: object + status: + description: status represents the current information of a snapshot. + properties: + creationTime: + description: creationTime is the timestamp when the point-in-time snapshot is taken by the underlying storage system. In dynamic snapshot creation case, this field will be filled in by the CSI snapshotter sidecar with the "creation_time" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "creation_time" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. If not specified, it indicates the creation time is unknown. The format of this field is a Unix nanoseconds time encoded as an int64. On Unix, the command `date +%s%N` returns the current time in nanoseconds since 1970-01-01 00:00:00 UTC. + format: int64 + type: integer + error: + description: error is the last observed error during snapshot creation, if any. Upon success after retry, this error field will be cleared. + properties: + message: + description: 'message is a string detailing the encountered error during snapshot creation if specified. NOTE: message may be logged, and it should not contain sensitive information.' + type: string + time: + description: time is the timestamp when the error was encountered. + format: date-time + type: string + type: object + readyToUse: + description: readyToUse indicates if a snapshot is ready to be used to restore a volume. In dynamic snapshot creation case, this field will be filled in by the CSI snapshotter sidecar with the "ready_to_use" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "ready_to_use" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it, otherwise, this field will be set to "True". If not specified, it means the readiness of a snapshot is unknown. + type: boolean + restoreSize: + description: restoreSize represents the complete size of the snapshot in bytes. In dynamic snapshot creation case, this field will be filled in by the CSI snapshotter sidecar with the "size_bytes" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "size_bytes" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. When restoring a volume from this snapshot, the size of the volume MUST NOT be smaller than the restoreSize if it is specified, otherwise the restoration will fail. If not specified, it indicates that the size is unknown. + format: int64 + minimum: 0 + type: integer + snapshotHandle: + description: snapshotHandle is the CSI "snapshot_id" of a snapshot on the underlying storage system. If not specified, it indicates that dynamic snapshot creation has either failed or it is still in progress. + type: string + type: object + required: + - spec + type: object + served: false + storage: false + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/deploy/v1.34.2/csi-azurefile-controller.yaml b/deploy/v1.34.2/csi-azurefile-controller.yaml new file mode 100644 index 0000000000..ebed00375f --- /dev/null +++ b/deploy/v1.34.2/csi-azurefile-controller.yaml @@ -0,0 +1,200 @@ +--- +kind: Deployment +apiVersion: apps/v1 +metadata: + name: csi-azurefile-controller + namespace: kube-system +spec: + replicas: 2 + selector: + matchLabels: + app: csi-azurefile-controller + template: + metadata: + labels: + app: csi-azurefile-controller + spec: + hostNetwork: true # only required for MSI enabled cluster + serviceAccountName: csi-azurefile-controller-sa + nodeSelector: + kubernetes.io/os: linux # add "kubernetes.io/role: master" to run controller on master node + priorityClassName: system-cluster-critical + securityContext: + seccompProfile: + type: RuntimeDefault + tolerations: + - key: "node-role.kubernetes.io/master" + operator: "Exists" + effect: "NoSchedule" + - key: "node-role.kubernetes.io/controlplane" + operator: "Exists" + effect: "NoSchedule" + - key: "node-role.kubernetes.io/control-plane" + operator: "Exists" + effect: "NoSchedule" + - key: "CriticalAddonsOnly" + operator: "Exists" + effect: "NoSchedule" + containers: + - name: csi-provisioner + image: mcr.microsoft.com/oss/v2/kubernetes-csi/csi-provisioner:v6.1.0 + args: + - "-v=2" + - "--csi-address=$(ADDRESS)" + - "--leader-election" + - "--leader-election-namespace=kube-system" + - "--timeout=1200s" + - "--extra-create-metadata=true" + - "--kube-api-qps=50" + - "--kube-api-burst=100" + - "--feature-gates=HonorPVReclaimPolicy=true" + - "--retry-interval-max=30m" + env: + - name: ADDRESS + value: /csi/csi.sock + volumeMounts: + - mountPath: /csi + name: socket-dir + resources: + limits: + memory: 500Mi + requests: + cpu: 10m + memory: 20Mi + securityContext: + capabilities: + drop: + - ALL + - name: csi-snapshotter + image: mcr.microsoft.com/oss/v2/kubernetes-csi/csi-snapshotter:v8.4.0 + args: + - "-v=2" + - "-csi-address=$(ADDRESS)" + - "--leader-election" + - "--leader-election-namespace=kube-system" + - "--retry-interval-max=30m" + env: + - name: ADDRESS + value: /csi/csi.sock + volumeMounts: + - name: socket-dir + mountPath: /csi + resources: + limits: + memory: 200Mi + requests: + cpu: 10m + memory: 20Mi + securityContext: + capabilities: + drop: + - ALL + - name: csi-resizer + image: mcr.microsoft.com/oss/v2/kubernetes-csi/csi-resizer:v2.0.0 + args: + - "-csi-address=$(ADDRESS)" + - "-v=2" + - "--leader-election" + - "--leader-election-namespace=kube-system" + - '-handle-volume-inuse-error=false' + - '-feature-gates=RecoverVolumeExpansionFailure=true' + - '-timeout=120s' + - "--retry-interval-max=30m" + env: + - name: ADDRESS + value: /csi/csi.sock + volumeMounts: + - name: socket-dir + mountPath: /csi + resources: + limits: + memory: 500Mi + requests: + cpu: 10m + memory: 20Mi + securityContext: + capabilities: + drop: + - ALL + - name: liveness-probe + image: mcr.microsoft.com/oss/v2/kubernetes-csi/livenessprobe:v2.17.0 + args: + - --csi-address=/csi/csi.sock + - --probe-timeout=3s + - --http-endpoint=localhost:29612 + - --v=2 + volumeMounts: + - name: socket-dir + mountPath: /csi + resources: + limits: + memory: 100Mi + requests: + cpu: 10m + memory: 20Mi + securityContext: + capabilities: + drop: + - ALL + - name: azurefile + image: mcr.microsoft.com/oss/v2/kubernetes-csi/azurefile-csi:v1.34.2 + imagePullPolicy: IfNotPresent + args: + - "--v=5" + - "--endpoint=$(CSI_ENDPOINT)" + - "--metrics-address=0.0.0.0:29614" + - "--user-agent-suffix=OSS-kubectl" + ports: + - containerPort: 29614 + name: metrics + protocol: TCP + livenessProbe: + failureThreshold: 5 + httpGet: + host: localhost + path: /healthz + port: 29612 + initialDelaySeconds: 30 + timeoutSeconds: 10 + periodSeconds: 30 + env: + - name: AZURE_CREDENTIAL_FILE + valueFrom: + configMapKeyRef: + name: azure-cred-file + key: path + optional: true + - name: CSI_ENDPOINT + value: unix:///csi/csi.sock + - name: AZCOPY_CONCURRENCY_VALUE + value: "10" + - name: AZCOPY_CONCURRENT_FILES + value: "20" + - name: AZCOPY_BUFFER_GB + value: "1" + volumeMounts: + - mountPath: /csi + name: socket-dir + - mountPath: /root/.azcopy + name: azcopy-dir + - mountPath: /etc/kubernetes/ + name: azure-cred + resources: + limits: + memory: 800Mi + requests: + cpu: 10m + memory: 20Mi + securityContext: + capabilities: + drop: + - ALL + volumes: + - name: socket-dir + emptyDir: {} + - name: azcopy-dir + emptyDir: {} + - name: azure-cred + hostPath: + path: /etc/kubernetes/ + type: DirectoryOrCreate diff --git a/deploy/v1.34.2/csi-azurefile-driver.yaml b/deploy/v1.34.2/csi-azurefile-driver.yaml new file mode 100644 index 0000000000..19f72f6ca0 --- /dev/null +++ b/deploy/v1.34.2/csi-azurefile-driver.yaml @@ -0,0 +1,17 @@ +--- +apiVersion: storage.k8s.io/v1 +kind: CSIDriver +metadata: + name: file.csi.azure.com + annotations: + csiDriver: v1.34.0 + snapshot: v6.2.2 +spec: + attachRequired: false + podInfoOnMount: true + volumeLifecycleModes: + - Persistent + - Ephemeral + fsGroupPolicy: ReadWriteOnceWithFSType + tokenRequests: + - audience: api://AzureADTokenExchange diff --git a/deploy/v1.34.2/csi-azurefile-node-windows-hostprocess.yaml b/deploy/v1.34.2/csi-azurefile-node-windows-hostprocess.yaml new file mode 100644 index 0000000000..a5869a8836 --- /dev/null +++ b/deploy/v1.34.2/csi-azurefile-node-windows-hostprocess.yaml @@ -0,0 +1,122 @@ +--- +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: csi-azurefile-node-win + namespace: kube-system +spec: + updateStrategy: + rollingUpdate: + maxUnavailable: 1 + type: RollingUpdate + selector: + matchLabels: + app: csi-azurefile-node-win + template: + metadata: + labels: + app: csi-azurefile-node-win + spec: + serviceAccountName: csi-azurefile-node-sa + tolerations: + - key: "node.kubernetes.io/os" + operator: "Exists" + effect: "NoSchedule" + nodeSelector: + kubernetes.io/os: windows + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: type + operator: NotIn + values: + - virtual-kubelet + priorityClassName: system-node-critical + securityContext: + seccompProfile: + type: RuntimeDefault + windowsOptions: + hostProcess: true + runAsUserName: "NT AUTHORITY\\SYSTEM" + hostNetwork: true + initContainers: + - name: init + image: mcr.microsoft.com/oss/v2/kubernetes-csi/azurefile-csi:v1.34.2-windows-hp + imagePullPolicy: IfNotPresent + command: + - "powershell.exe" + - "-c" + - "New-Item -ItemType Directory -Path C:\\var\\lib\\kubelet\\plugins\\file.csi.azure.com\\ -Force" + securityContext: + capabilities: + drop: + - ALL + containers: + - name: node-driver-registrar + image: mcr.microsoft.com/oss/v2/kubernetes-csi/csi-node-driver-registrar:v2.15.0 + imagePullPolicy: IfNotPresent + command: + - "csi-node-driver-registrar.exe" + args: + - "--v=2" + - "--csi-address=$(CSI_ENDPOINT)" + - "--kubelet-registration-path=$(DRIVER_REG_SOCK_PATH)" + - "--plugin-registration-path=$(PLUGIN_REG_DIR)" + env: + - name: CSI_ENDPOINT + value: unix://C:\\var\\lib\\kubelet\\plugins\\file.csi.azure.com\\csi.sock + - name: DRIVER_REG_SOCK_PATH + value: C:\\var\\lib\\kubelet\\plugins\\file.csi.azure.com\\csi.sock + - name: PLUGIN_REG_DIR + value: C:\\var\\lib\\kubelet\\plugins_registry\\ + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + resources: + limits: + memory: 150Mi + requests: + cpu: 30m + memory: 40Mi + securityContext: + capabilities: + drop: + - ALL + - name: azurefile + image: mcr.microsoft.com/oss/v2/kubernetes-csi/azurefile-csi:v1.34.2-windows-hp + imagePullPolicy: IfNotPresent + command: + - "azurefileplugin.exe" + args: + - --v=5 + - --endpoint=$(CSI_ENDPOINT) + - --nodeid=$(KUBE_NODE_NAME) + - --enable-windows-host-process=true + - --metrics-address="0.0.0.0:29615" + env: + - name: AZURE_CREDENTIAL_FILE + valueFrom: + configMapKeyRef: + name: azure-cred-file + key: path-windows + optional: true + - name: CSI_ENDPOINT + value: unix://C:\\var\\lib\\kubelet\\plugins\\file.csi.azure.com\\csi.sock + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + resources: + limits: + memory: 600Mi + requests: + cpu: 10m + memory: 40Mi + securityContext: + capabilities: + drop: + - ALL diff --git a/deploy/v1.34.2/csi-azurefile-node-windows.yaml b/deploy/v1.34.2/csi-azurefile-node-windows.yaml new file mode 100644 index 0000000000..668bc862d0 --- /dev/null +++ b/deploy/v1.34.2/csi-azurefile-node-windows.yaml @@ -0,0 +1,187 @@ +--- +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: csi-azurefile-node-win + namespace: kube-system +spec: + updateStrategy: + rollingUpdate: + maxUnavailable: 1 + type: RollingUpdate + selector: + matchLabels: + app: csi-azurefile-node-win + template: + metadata: + labels: + app: csi-azurefile-node-win + spec: + serviceAccountName: csi-azurefile-node-sa + tolerations: + - key: "node.kubernetes.io/os" + operator: "Exists" + effect: "NoSchedule" + nodeSelector: + kubernetes.io/os: windows + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: type + operator: NotIn + values: + - virtual-kubelet + priorityClassName: system-node-critical + securityContext: + seccompProfile: + type: RuntimeDefault + containers: + - name: liveness-probe + volumeMounts: + - mountPath: C:\csi + name: plugin-dir + image: mcr.microsoft.com/oss/kubernetes-csi/livenessprobe:v2.15.0 + args: + - --csi-address=$(CSI_ENDPOINT) + - --probe-timeout=3s + - --health-port=29613 + - --v=2 + env: + - name: CSI_ENDPOINT + value: unix://C:\\csi\\csi.sock + resources: + limits: + memory: 150Mi + requests: + cpu: 10m + memory: 40Mi + securityContext: + capabilities: + drop: + - ALL + - name: node-driver-registrar + image: mcr.microsoft.com/oss/v2/kubernetes-csi/csi-node-driver-registrar:v2.13.0 + args: + - --v=2 + - --csi-address=$(CSI_ENDPOINT) + - --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH) + env: + - name: CSI_ENDPOINT + value: unix://C:\\csi\\csi.sock + - name: DRIVER_REG_SOCK_PATH + value: C:\\var\\lib\\kubelet\\plugins\\file.csi.azure.com\\csi.sock + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + volumeMounts: + - name: kubelet-dir + mountPath: "C:\\var\\lib\\kubelet" + - name: plugin-dir + mountPath: C:\csi + - name: registration-dir + mountPath: C:\registration + resources: + limits: + memory: 150Mi + requests: + cpu: 30m + memory: 40Mi + securityContext: + capabilities: + drop: + - ALL + - name: azurefile + image: mcr.microsoft.com/oss/v2/kubernetes-csi/azurefile-csi:v1.34.2 + imagePullPolicy: IfNotPresent + args: + - --v=5 + - --endpoint=$(CSI_ENDPOINT) + - --nodeid=$(KUBE_NODE_NAME) + - --metrics-address="0.0.0.0:29615" + ports: + - containerPort: 29613 + name: healthz + protocol: TCP + livenessProbe: + failureThreshold: 5 + httpGet: + path: /healthz + port: healthz + initialDelaySeconds: 60 + timeoutSeconds: 60 + periodSeconds: 60 + env: + - name: AZURE_CREDENTIAL_FILE + valueFrom: + configMapKeyRef: + name: azure-cred-file + key: path-windows + optional: true + - name: CSI_ENDPOINT + value: unix://C:\\csi\\csi.sock + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + volumeMounts: + - name: kubelet-dir + mountPath: "C:\\var\\lib\\kubelet" + - name: plugin-dir + mountPath: C:\csi + - name: azure-config + mountPath: C:\k + - name: csi-proxy-fs-pipe-v1 + mountPath: \\.\pipe\csi-proxy-filesystem-v1 + - name: csi-proxy-smb-pipe-v1 + mountPath: \\.\pipe\csi-proxy-smb-v1 + # these paths are still included for compatibility, they're used + # only if the node has still the beta version of the CSI proxy + - name: csi-proxy-fs-pipe-v1beta1 + mountPath: \\.\pipe\csi-proxy-filesystem-v1beta1 + - name: csi-proxy-smb-pipe-v1beta1 + mountPath: \\.\pipe\csi-proxy-smb-v1beta1 + resources: + limits: + memory: 200Mi + requests: + cpu: 10m + memory: 40Mi + securityContext: + capabilities: + drop: + - ALL + volumes: + - name: csi-proxy-fs-pipe-v1 + hostPath: + path: \\.\pipe\csi-proxy-filesystem-v1 + - name: csi-proxy-smb-pipe-v1 + hostPath: + path: \\.\pipe\csi-proxy-smb-v1 + # these paths are still included for compatibility, they're used + # only if the node has still the beta version of the CSI proxy + - name: csi-proxy-fs-pipe-v1beta1 + hostPath: + path: \\.\pipe\csi-proxy-filesystem-v1beta1 + - name: csi-proxy-smb-pipe-v1beta1 + hostPath: + path: \\.\pipe\csi-proxy-smb-v1beta1 + - name: registration-dir + hostPath: + path: C:\var\lib\kubelet\plugins_registry\ + type: Directory + - name: kubelet-dir + hostPath: + path: C:\var\lib\kubelet\ + type: Directory + - name: plugin-dir + hostPath: + path: C:\var\lib\kubelet\plugins\file.csi.azure.com\ + type: DirectoryOrCreate + - name: azure-config + hostPath: + path: C:\k + type: DirectoryOrCreate diff --git a/deploy/v1.34.2/csi-azurefile-node.yaml b/deploy/v1.34.2/csi-azurefile-node.yaml new file mode 100644 index 0000000000..3985fa3e06 --- /dev/null +++ b/deploy/v1.34.2/csi-azurefile-node.yaml @@ -0,0 +1,244 @@ +--- +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: csi-azurefile-node + namespace: kube-system +spec: + updateStrategy: + rollingUpdate: + maxUnavailable: 1 + type: RollingUpdate + selector: + matchLabels: + app: csi-azurefile-node + template: + metadata: + labels: + app: csi-azurefile-node + spec: + hostNetwork: true + hostPID: true + dnsPolicy: Default + serviceAccountName: csi-azurefile-node-sa + nodeSelector: + kubernetes.io/os: linux + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: type + operator: NotIn + values: + - virtual-kubelet + priorityClassName: system-node-critical + securityContext: + seccompProfile: + type: RuntimeDefault + tolerations: + - operator: "Exists" + initContainers: + - name: install-azurefile-proxy + image: mcr.microsoft.com/oss/v2/kubernetes-csi/azurefile-csi:v1.34.2 + imagePullPolicy: IfNotPresent + command: + - "/azurefile-proxy/init.sh" + securityContext: + privileged: true + capabilities: + drop: + - ALL + env: + - name: DEBIAN_FRONTEND + value: "noninteractive" + - name: AZNFS_NONINTERACTIVE_INSTALL + value: "1" + - name: INSTALL_AZUREFILE_PROXY + value: "true" + - name: INSTALL_AZNFS_MOUNT + value: "true" + - name: ENABLE_MI_AUTH + value: "true" + volumeMounts: + - name: host-usr + mountPath: /host/usr + - name: host-etc + mountPath: /host/etc + - name: mountpoint-dir + mountPath: /var/lib/kubelet/ + mountPropagation: Bidirectional + containers: + - name: liveness-probe + volumeMounts: + - mountPath: /csi + name: socket-dir + image: mcr.microsoft.com/oss/v2/kubernetes-csi/livenessprobe:v2.17.0 + args: + - --csi-address=/csi/csi.sock + - --probe-timeout=3s + - --http-endpoint=localhost:29613 + - --v=2 + resources: + limits: + memory: 100Mi + requests: + cpu: 10m + memory: 20Mi + securityContext: + capabilities: + drop: + - ALL + - name: node-driver-registrar + image: mcr.microsoft.com/oss/v2/kubernetes-csi/csi-node-driver-registrar:v2.15.0 + args: + - --csi-address=$(ADDRESS) + - --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH) + - --v=2 + env: + - name: ADDRESS + value: /csi/csi.sock + - name: DRIVER_REG_SOCK_PATH + value: /var/lib/kubelet/plugins/file.csi.azure.com/csi.sock + volumeMounts: + - name: socket-dir + mountPath: /csi + - name: registration-dir + mountPath: /registration + resources: + limits: + memory: 100Mi + requests: + cpu: 10m + memory: 20Mi + securityContext: + capabilities: + drop: + - ALL + - name: azurefile + image: mcr.microsoft.com/oss/v2/kubernetes-csi/azurefile-csi:v1.34.2 + imagePullPolicy: IfNotPresent + args: + - "--v=5" + - "--endpoint=$(CSI_ENDPOINT)" + - "--enable-azurefile-proxy=true" + - "--azurefile-proxy-endpoint=$(AZUREFILE_PROXY_ENDPOINT)" + - "--nodeid=$(KUBE_NODE_NAME)" + - "--metrics-address=0.0.0.0:29615" + - "--enable-kata-cc-mount=true" + livenessProbe: + failureThreshold: 5 + httpGet: + host: localhost + path: /healthz + port: 29613 + initialDelaySeconds: 30 + timeoutSeconds: 10 + periodSeconds: 30 + env: + - name: AZURE_CREDENTIAL_FILE + valueFrom: + configMapKeyRef: + name: azure-cred-file + key: path + optional: true + - name: CSI_ENDPOINT + value: unix:///csi/csi.sock + - name: AZUREFILE_PROXY_ENDPOINT + value: unix:///csi/azurefile-proxy.sock + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + securityContext: + privileged: true + capabilities: + drop: + - ALL + volumeMounts: + - mountPath: /csi + name: socket-dir + - mountPath: /var/lib/kubelet/ + mountPropagation: Bidirectional + name: mountpoint-dir + - mountPath: /etc/kubernetes/ + name: azure-cred + - mountPath: /dev + name: device-dir + - mountPath: /run/kata-containers/shared/direct-volumes + name: kata-direct-volumes + - name: azfilesauth + mountPath: /etc/azfilesauth + - name: log-dir + mountPath: /var/log/ + resources: + limits: + memory: 400Mi + requests: + cpu: 10m + memory: 20Mi + - name: azfilesrefresh + image: mcr.microsoft.com/oss/v2/kubernetes-csi/azurefile-csi:v1.34.2 + imagePullPolicy: IfNotPresent + command: + - "azfilesrefresh" + securityContext: + privileged: true + capabilities: + drop: + - ALL + volumeMounts: + - mountPath: /var/lib/kubelet/ + mountPropagation: Bidirectional + name: mountpoint-dir + - name: azfilesauth + mountPath: /etc/azfilesauth + - name: log-dir + mountPath: /var/log/ + resources: + limits: + memory: 100Mi + requests: + cpu: 10m + memory: 20Mi + volumes: + - name: host-usr + hostPath: + path: /usr + - name: host-etc + hostPath: + path: /etc + - name: azfilesauth + hostPath: + path: /etc/azfilesauth + type: DirectoryOrCreate + - hostPath: + path: /var/lib/kubelet/plugins/file.csi.azure.com + type: DirectoryOrCreate + name: socket-dir + - hostPath: + path: /var/lib/kubelet/ + type: DirectoryOrCreate + name: mountpoint-dir + - hostPath: + path: /var/lib/kubelet/plugins_registry/ + type: DirectoryOrCreate + name: registration-dir + - hostPath: + path: /etc/kubernetes/ + type: DirectoryOrCreate + name: azure-cred + - hostPath: + path: /dev + type: Directory + name: device-dir + - name: kata-direct-volumes + hostPath: + path: /run/kata-containers/shared/direct-volumes/ + type: DirectoryOrCreate + - hostPath: + path: /var/log/ + type: DirectoryOrCreate + name: log-dir +--- diff --git a/deploy/v1.34.2/csi-snapshot-controller.yaml b/deploy/v1.34.2/csi-snapshot-controller.yaml new file mode 100644 index 0000000000..4e34d50b38 --- /dev/null +++ b/deploy/v1.34.2/csi-snapshot-controller.yaml @@ -0,0 +1,63 @@ +--- +kind: Deployment +apiVersion: apps/v1 +metadata: + name: csi-snapshot-controller + namespace: kube-system +spec: + replicas: 2 + selector: + matchLabels: + app: csi-snapshot-controller + # the snapshot controller won't be marked as ready if the v1 CRDs are unavailable + # in #504 the snapshot-controller will exit after around 7.5 seconds if it + # can't find the v1 CRDs so this value should be greater than that + minReadySeconds: 15 + strategy: + rollingUpdate: + maxSurge: 0 + maxUnavailable: 1 + type: RollingUpdate + template: + metadata: + labels: + app: csi-snapshot-controller + spec: + serviceAccountName: csi-snapshot-controller-sa + nodeSelector: + kubernetes.io/os: linux + priorityClassName: system-cluster-critical + securityContext: + seccompProfile: + type: RuntimeDefault + tolerations: + - key: "node-role.kubernetes.io/master" + operator: "Equal" + value: "true" + effect: "NoSchedule" + - key: "node-role.kubernetes.io/controlplane" + operator: "Equal" + value: "true" + effect: "NoSchedule" + - key: "node-role.kubernetes.io/control-plane" + operator: "Equal" + value: "true" + effect: "NoSchedule" + containers: + - name: csi-snapshot-controller + image: mcr.microsoft.com/oss/v2/kubernetes-csi/snapshot-controller:v8.4.0 + args: + - "--v=2" + - "--leader-election=true" + - "--leader-election-namespace=kube-system" + - "--retry-interval-max=30m" + resources: + limits: + memory: 500Mi + requests: + cpu: 10m + memory: 20Mi + securityContext: + capabilities: + drop: + - ALL diff --git a/deploy/v1.34.2/rbac-csi-azurefile-controller.yaml b/deploy/v1.34.2/rbac-csi-azurefile-controller.yaml new file mode 100644 index 0000000000..b3baefcf04 --- /dev/null +++ b/deploy/v1.34.2/rbac-csi-azurefile-controller.yaml @@ -0,0 +1,195 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: csi-azurefile-controller-sa + namespace: kube-system + +--- + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: azurefile-external-provisioner-role +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "create", "patch", "delete"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["storage.k8s.io"] + resources: ["storageclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["get", "list", "watch", "create", "update", "patch"] + - apiGroups: ["storage.k8s.io"] + resources: ["csinodes"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "watch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots"] + verbs: ["get", "list"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["get", "list"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create", "patch"] +--- + +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: azurefile-csi-provisioner-binding +subjects: + - kind: ServiceAccount + name: csi-azurefile-controller-sa + namespace: kube-system +roleRef: + kind: ClusterRole + name: azurefile-external-provisioner-role + apiGroup: rbac.authorization.k8s.io + +--- + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: azurefile-external-attacher-role +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "watch"] + - apiGroups: ["csi.storage.k8s.io"] + resources: ["csinodeinfos"] + verbs: ["get", "list", "watch"] + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments/status"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create", "patch"] +--- + +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: azurefile-csi-attacher-binding +subjects: + - kind: ServiceAccount + name: csi-azurefile-controller-sa + namespace: kube-system +roleRef: + kind: ClusterRole + name: azurefile-external-attacher-role + apiGroup: rbac.authorization.k8s.io + +--- + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: azurefile-external-snapshotter-role +rules: + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["create", "get", "list", "watch", "update", "delete", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents/status"] + verbs: ["update", "patch"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create", "patch"] + +--- + +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: azurefile-csi-snapshotter-binding +subjects: + - kind: ServiceAccount + name: csi-azurefile-controller-sa + namespace: kube-system +roleRef: + kind: ClusterRole + name: azurefile-external-snapshotter-role + apiGroup: rbac.authorization.k8s.io + +--- + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: azurefile-external-resizer-role +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["persistentvolumeclaims/status"] + verbs: ["update", "patch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: azurefile-csi-resizer-role +subjects: + - kind: ServiceAccount + name: csi-azurefile-controller-sa + namespace: kube-system +roleRef: + kind: ClusterRole + name: azurefile-external-resizer-role + apiGroup: rbac.authorization.k8s.io + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-azurefile-controller-secret-role +rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "create"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-azurefile-controller-secret-binding +subjects: + - kind: ServiceAccount + name: csi-azurefile-controller-sa + namespace: kube-system +roleRef: + kind: ClusterRole + name: csi-azurefile-controller-secret-role + apiGroup: rbac.authorization.k8s.io +--- diff --git a/deploy/v1.34.2/rbac-csi-azurefile-node.yaml b/deploy/v1.34.2/rbac-csi-azurefile-node.yaml new file mode 100644 index 0000000000..d7b10b2d7e --- /dev/null +++ b/deploy/v1.34.2/rbac-csi-azurefile-node.yaml @@ -0,0 +1,59 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: csi-azurefile-node-sa + namespace: kube-system + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-azurefile-node-secret-role +rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-azurefile-node-secret-binding +subjects: + - kind: ServiceAccount + name: csi-azurefile-node-sa + namespace: kube-system +roleRef: + kind: ClusterRole + name: csi-azurefile-node-secret-role + apiGroup: rbac.authorization.k8s.io +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-azurefile-node-katacc-role +rules: + - apiGroups: [""] + resources: ["pods"] + verbs: ["get"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get"] + - apiGroups: ["node.k8s.io"] + resources: ["runtimeclasses"] + verbs: ["get", "list"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-azurefile-node-katacc-binding +subjects: + - kind: ServiceAccount + name: csi-azurefile-node-sa + namespace: kube-system +roleRef: + kind: ClusterRole + name: csi-azurefile-node-katacc-role + apiGroup: rbac.authorization.k8s.io +--- diff --git a/deploy/v1.34.2/rbac-csi-snapshot-controller.yaml b/deploy/v1.34.2/rbac-csi-snapshot-controller.yaml new file mode 100644 index 0000000000..8ef9352476 --- /dev/null +++ b/deploy/v1.34.2/rbac-csi-snapshot-controller.yaml @@ -0,0 +1,78 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: csi-snapshot-controller-sa + namespace: kube-system + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-snapshot-controller-role +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["storage.k8s.io"] + resources: ["storageclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["create", "get", "list", "watch", "update", "delete", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents/status"] + verbs: ["patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots"] + verbs: ["get", "list", "watch", "update", "patch", "create"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots/status"] + verbs: ["update", "patch"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-snapshot-controller-binding +subjects: + - kind: ServiceAccount + name: csi-snapshot-controller-sa + namespace: kube-system +roleRef: + kind: ClusterRole + name: csi-snapshot-controller-role + apiGroup: rbac.authorization.k8s.io + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-snapshot-controller-leaderelection-role +rules: + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create", "patch"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-snapshot-controller-leaderelection-binding +subjects: + - kind: ServiceAccount + name: csi-snapshot-controller-sa + namespace: kube-system +roleRef: + kind: ClusterRole + name: csi-snapshot-controller-leaderelection-role + apiGroup: rbac.authorization.k8s.io diff --git a/deploy/v1.34.3/crd-csi-snapshot.yaml b/deploy/v1.34.3/crd-csi-snapshot.yaml new file mode 100644 index 0000000000..b82d729d5e --- /dev/null +++ b/deploy/v1.34.3/crd-csi-snapshot.yaml @@ -0,0 +1,951 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + api-approved.kubernetes.io: "https://github.com/kubernetes-csi/external-snapshotter/pull/814" + name: volumesnapshots.snapshot.storage.k8s.io +spec: + group: snapshot.storage.k8s.io + names: + kind: VolumeSnapshot + listKind: VolumeSnapshotList + plural: volumesnapshots + shortNames: + - vs + singular: volumesnapshot + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Indicates if the snapshot is ready to be used to restore a volume. + jsonPath: .status.readyToUse + name: ReadyToUse + type: boolean + - description: If a new snapshot needs to be created, this contains the name of + the source PVC from which this snapshot was (or will be) created. + jsonPath: .spec.source.persistentVolumeClaimName + name: SourcePVC + type: string + - description: If a snapshot already exists, this contains the name of the existing + VolumeSnapshotContent object representing the existing snapshot. + jsonPath: .spec.source.volumeSnapshotContentName + name: SourceSnapshotContent + type: string + - description: Represents the minimum size of volume required to rehydrate from + this snapshot. + jsonPath: .status.restoreSize + name: RestoreSize + type: string + - description: The name of the VolumeSnapshotClass requested by the VolumeSnapshot. + jsonPath: .spec.volumeSnapshotClassName + name: SnapshotClass + type: string + - description: Name of the VolumeSnapshotContent object to which the VolumeSnapshot + object intends to bind to. Please note that verification of binding actually + requires checking both VolumeSnapshot and VolumeSnapshotContent to ensure + both are pointing at each other. Binding MUST be verified prior to usage of + this object. + jsonPath: .status.boundVolumeSnapshotContentName + name: SnapshotContent + type: string + - description: Timestamp when the point-in-time snapshot was taken by the underlying + storage system. + jsonPath: .status.creationTime + name: CreationTime + type: date + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + VolumeSnapshot is a user's request for either creating a point-in-time + snapshot of a persistent volume, or binding to a pre-existing snapshot. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + spec defines the desired characteristics of a snapshot requested by a user. + More info: https://kubernetes.io/docs/concepts/storage/volume-snapshots#volumesnapshots + Required. + properties: + source: + description: |- + source specifies where a snapshot will be created from. + This field is immutable after creation. + Required. + properties: + persistentVolumeClaimName: + description: |- + persistentVolumeClaimName specifies the name of the PersistentVolumeClaim + object representing the volume from which a snapshot should be created. + This PVC is assumed to be in the same namespace as the VolumeSnapshot + object. + This field should be set if the snapshot does not exists, and needs to be + created. + This field is immutable. + type: string + x-kubernetes-validations: + - message: persistentVolumeClaimName is immutable + rule: self == oldSelf + volumeSnapshotContentName: + description: |- + volumeSnapshotContentName specifies the name of a pre-existing VolumeSnapshotContent + object representing an existing volume snapshot. + This field should be set if the snapshot already exists and only needs a representation in Kubernetes. + This field is immutable. + type: string + x-kubernetes-validations: + - message: volumeSnapshotContentName is immutable + rule: self == oldSelf + type: object + x-kubernetes-validations: + - message: persistentVolumeClaimName is required once set + rule: '!has(oldSelf.persistentVolumeClaimName) || has(self.persistentVolumeClaimName)' + - message: volumeSnapshotContentName is required once set + rule: '!has(oldSelf.volumeSnapshotContentName) || has(self.volumeSnapshotContentName)' + - message: exactly one of volumeSnapshotContentName and persistentVolumeClaimName + must be set + rule: (has(self.volumeSnapshotContentName) && !has(self.persistentVolumeClaimName)) + || (!has(self.volumeSnapshotContentName) && has(self.persistentVolumeClaimName)) + volumeSnapshotClassName: + description: |- + VolumeSnapshotClassName is the name of the VolumeSnapshotClass + requested by the VolumeSnapshot. + VolumeSnapshotClassName may be left nil to indicate that the default + SnapshotClass should be used. + A given cluster may have multiple default Volume SnapshotClasses: one + default per CSI Driver. If a VolumeSnapshot does not specify a SnapshotClass, + VolumeSnapshotSource will be checked to figure out what the associated + CSI Driver is, and the default VolumeSnapshotClass associated with that + CSI Driver will be used. If more than one VolumeSnapshotClass exist for + a given CSI Driver and more than one have been marked as default, + CreateSnapshot will fail and generate an event. + Empty string is not allowed for this field. + type: string + x-kubernetes-validations: + - message: volumeSnapshotClassName must not be the empty string when + set + rule: size(self) > 0 + required: + - source + type: object + status: + description: |- + status represents the current information of a snapshot. + Consumers must verify binding between VolumeSnapshot and + VolumeSnapshotContent objects is successful (by validating that both + VolumeSnapshot and VolumeSnapshotContent point at each other) before + using this object. + properties: + boundVolumeSnapshotContentName: + description: |- + boundVolumeSnapshotContentName is the name of the VolumeSnapshotContent + object to which this VolumeSnapshot object intends to bind to. + If not specified, it indicates that the VolumeSnapshot object has not been + successfully bound to a VolumeSnapshotContent object yet. + NOTE: To avoid possible security issues, consumers must verify binding between + VolumeSnapshot and VolumeSnapshotContent objects is successful (by validating that + both VolumeSnapshot and VolumeSnapshotContent point at each other) before using + this object. + type: string + creationTime: + description: |- + creationTime is the timestamp when the point-in-time snapshot is taken + by the underlying storage system. + In dynamic snapshot creation case, this field will be filled in by the + snapshot controller with the "creation_time" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "creation_time" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. + If not specified, it may indicate that the creation time of the snapshot is unknown. + format: date-time + type: string + error: + description: |- + error is the last observed error during snapshot creation, if any. + This field could be helpful to upper level controllers(i.e., application controller) + to decide whether they should continue on waiting for the snapshot to be created + based on the type of error reported. + The snapshot controller will keep retrying when an error occurs during the + snapshot creation. Upon success, this error field will be cleared. + properties: + message: + description: |- + message is a string detailing the encountered error during snapshot + creation if specified. + NOTE: message may be logged, and it should not contain sensitive + information. + type: string + time: + description: time is the timestamp when the error was encountered. + format: date-time + type: string + type: object + readyToUse: + description: |- + readyToUse indicates if the snapshot is ready to be used to restore a volume. + In dynamic snapshot creation case, this field will be filled in by the + snapshot controller with the "ready_to_use" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "ready_to_use" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it, + otherwise, this field will be set to "True". + If not specified, it means the readiness of a snapshot is unknown. + type: boolean + restoreSize: + type: string + description: |- + restoreSize represents the minimum size of volume required to create a volume + from this snapshot. + In dynamic snapshot creation case, this field will be filled in by the + snapshot controller with the "size_bytes" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "size_bytes" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. + When restoring a volume from this snapshot, the size of the volume MUST NOT + be smaller than the restoreSize if it is specified, otherwise the restoration will fail. + If not specified, it indicates that the size is unknown. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + volumeGroupSnapshotName: + description: |- + VolumeGroupSnapshotName is the name of the VolumeGroupSnapshot of which this + VolumeSnapshot is a part of. + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: Indicates if the snapshot is ready to be used to restore a volume. + jsonPath: .status.readyToUse + name: ReadyToUse + type: boolean + - description: If a new snapshot needs to be created, this contains the name of the source PVC from which this snapshot was (or will be) created. + jsonPath: .spec.source.persistentVolumeClaimName + name: SourcePVC + type: string + - description: If a snapshot already exists, this contains the name of the existing VolumeSnapshotContent object representing the existing snapshot. + jsonPath: .spec.source.volumeSnapshotContentName + name: SourceSnapshotContent + type: string + - description: Represents the minimum size of volume required to rehydrate from this snapshot. + jsonPath: .status.restoreSize + name: RestoreSize + type: string + - description: The name of the VolumeSnapshotClass requested by the VolumeSnapshot. + jsonPath: .spec.volumeSnapshotClassName + name: SnapshotClass + type: string + - description: Name of the VolumeSnapshotContent object to which the VolumeSnapshot object intends to bind to. Please note that verification of binding actually requires checking both VolumeSnapshot and VolumeSnapshotContent to ensure both are pointing at each other. Binding MUST be verified prior to usage of this object. + jsonPath: .status.boundVolumeSnapshotContentName + name: SnapshotContent + type: string + - description: Timestamp when the point-in-time snapshot was taken by the underlying storage system. + jsonPath: .status.creationTime + name: CreationTime + type: date + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + # This indicates the v1beta1 version of the custom resource is deprecated. + # API requests to this version receive a warning in the server response. + deprecated: true + # This overrides the default warning returned to clients making v1beta1 API requests. + deprecationWarning: "snapshot.storage.k8s.io/v1beta1 VolumeSnapshot is deprecated; use snapshot.storage.k8s.io/v1 VolumeSnapshot" + schema: + openAPIV3Schema: + description: VolumeSnapshot is a user's request for either creating a point-in-time snapshot of a persistent volume, or binding to a pre-existing snapshot. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + spec: + description: 'spec defines the desired characteristics of a snapshot requested by a user. More info: https://kubernetes.io/docs/concepts/storage/volume-snapshots#volumesnapshots Required.' + properties: + source: + description: source specifies where a snapshot will be created from. This field is immutable after creation. Required. + properties: + persistentVolumeClaimName: + description: persistentVolumeClaimName specifies the name of the PersistentVolumeClaim object representing the volume from which a snapshot should be created. This PVC is assumed to be in the same namespace as the VolumeSnapshot object. This field should be set if the snapshot does not exists, and needs to be created. This field is immutable. + type: string + volumeSnapshotContentName: + description: volumeSnapshotContentName specifies the name of a pre-existing VolumeSnapshotContent object representing an existing volume snapshot. This field should be set if the snapshot already exists and only needs a representation in Kubernetes. This field is immutable. + type: string + type: object + volumeSnapshotClassName: + description: 'VolumeSnapshotClassName is the name of the VolumeSnapshotClass requested by the VolumeSnapshot. VolumeSnapshotClassName may be left nil to indicate that the default SnapshotClass should be used. A given cluster may have multiple default Volume SnapshotClasses: one default per CSI Driver. If a VolumeSnapshot does not specify a SnapshotClass, VolumeSnapshotSource will be checked to figure out what the associated CSI Driver is, and the default VolumeSnapshotClass associated with that CSI Driver will be used. If more than one VolumeSnapshotClass exist for a given CSI Driver and more than one have been marked as default, CreateSnapshot will fail and generate an event. Empty string is not allowed for this field.' + type: string + required: + - source + type: object + status: + description: status represents the current information of a snapshot. Consumers must verify binding between VolumeSnapshot and VolumeSnapshotContent objects is successful (by validating that both VolumeSnapshot and VolumeSnapshotContent point at each other) before using this object. + properties: + boundVolumeSnapshotContentName: + description: 'boundVolumeSnapshotContentName is the name of the VolumeSnapshotContent object to which this VolumeSnapshot object intends to bind to. If not specified, it indicates that the VolumeSnapshot object has not been successfully bound to a VolumeSnapshotContent object yet. NOTE: To avoid possible security issues, consumers must verify binding between VolumeSnapshot and VolumeSnapshotContent objects is successful (by validating that both VolumeSnapshot and VolumeSnapshotContent point at each other) before using this object.' + type: string + creationTime: + description: creationTime is the timestamp when the point-in-time snapshot is taken by the underlying storage system. In dynamic snapshot creation case, this field will be filled in by the snapshot controller with the "creation_time" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "creation_time" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. If not specified, it may indicate that the creation time of the snapshot is unknown. + format: date-time + type: string + error: + description: error is the last observed error during snapshot creation, if any. This field could be helpful to upper level controllers(i.e., application controller) to decide whether they should continue on waiting for the snapshot to be created based on the type of error reported. The snapshot controller will keep retrying when an error occurs during the snapshot creation. Upon success, this error field will be cleared. + properties: + message: + description: 'message is a string detailing the encountered error during snapshot creation if specified. NOTE: message may be logged, and it should not contain sensitive information.' + type: string + time: + description: time is the timestamp when the error was encountered. + format: date-time + type: string + type: object + readyToUse: + description: readyToUse indicates if the snapshot is ready to be used to restore a volume. In dynamic snapshot creation case, this field will be filled in by the snapshot controller with the "ready_to_use" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "ready_to_use" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it, otherwise, this field will be set to "True". If not specified, it means the readiness of a snapshot is unknown. + type: boolean + restoreSize: + type: string + description: restoreSize represents the minimum size of volume required to create a volume from this snapshot. In dynamic snapshot creation case, this field will be filled in by the snapshot controller with the "size_bytes" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "size_bytes" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. When restoring a volume from this snapshot, the size of the volume MUST NOT be smaller than the restoreSize if it is specified, otherwise the restoration will fail. If not specified, it indicates that the size is unknown. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + required: + - spec + type: object + served: false + storage: false + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: "https://github.com/kubernetes-csi/external-snapshotter/pull/814" + controller-gen.kubebuilder.io/version: v0.15.0 + name: volumesnapshotclasses.snapshot.storage.k8s.io +spec: + group: snapshot.storage.k8s.io + names: + kind: VolumeSnapshotClass + listKind: VolumeSnapshotClassList + plural: volumesnapshotclasses + shortNames: + - vsclass + - vsclasses + singular: volumesnapshotclass + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .driver + name: Driver + type: string + - description: Determines whether a VolumeSnapshotContent created through the + VolumeSnapshotClass should be deleted when its bound VolumeSnapshot is deleted. + jsonPath: .deletionPolicy + name: DeletionPolicy + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + VolumeSnapshotClass specifies parameters that a underlying storage system uses when + creating a volume snapshot. A specific VolumeSnapshotClass is used by specifying its + name in a VolumeSnapshot object. + VolumeSnapshotClasses are non-namespaced + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + deletionPolicy: + description: |- + deletionPolicy determines whether a VolumeSnapshotContent created through + the VolumeSnapshotClass should be deleted when its bound VolumeSnapshot is deleted. + Supported values are "Retain" and "Delete". + "Retain" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are kept. + "Delete" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are deleted. + Required. + enum: + - Delete + - Retain + type: string + driver: + description: |- + driver is the name of the storage driver that handles this VolumeSnapshotClass. + Required. + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + parameters: + additionalProperties: + type: string + description: |- + parameters is a key-value map with storage driver specific parameters for creating snapshots. + These values are opaque to Kubernetes. + type: object + required: + - deletionPolicy + - driver + type: object + served: true + storage: true + subresources: {} + - additionalPrinterColumns: + - jsonPath: .driver + name: Driver + type: string + - description: Determines whether a VolumeSnapshotContent created through the VolumeSnapshotClass should be deleted when its bound VolumeSnapshot is deleted. + jsonPath: .deletionPolicy + name: DeletionPolicy + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + # This indicates the v1beta1 version of the custom resource is deprecated. + # API requests to this version receive a warning in the server response. + deprecated: true + # This overrides the default warning returned to clients making v1beta1 API requests. + deprecationWarning: "snapshot.storage.k8s.io/v1beta1 VolumeSnapshotClass is deprecated; use snapshot.storage.k8s.io/v1 VolumeSnapshotClass" + schema: + openAPIV3Schema: + description: VolumeSnapshotClass specifies parameters that a underlying storage system uses when creating a volume snapshot. A specific VolumeSnapshotClass is used by specifying its name in a VolumeSnapshot object. VolumeSnapshotClasses are non-namespaced + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + deletionPolicy: + description: deletionPolicy determines whether a VolumeSnapshotContent created through the VolumeSnapshotClass should be deleted when its bound VolumeSnapshot is deleted. Supported values are "Retain" and "Delete". "Retain" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are kept. "Delete" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are deleted. Required. + enum: + - Delete + - Retain + type: string + driver: + description: driver is the name of the storage driver that handles this VolumeSnapshotClass. Required. + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + parameters: + additionalProperties: + type: string + description: parameters is a key-value map with storage driver specific parameters for creating snapshots. These values are opaque to Kubernetes. + type: object + required: + - deletionPolicy + - driver + type: object + served: false + storage: false + subresources: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + api-approved.kubernetes.io: "https://github.com/kubernetes-csi/external-snapshotter/pull/955" + name: volumesnapshotcontents.snapshot.storage.k8s.io +spec: + group: snapshot.storage.k8s.io + names: + kind: VolumeSnapshotContent + listKind: VolumeSnapshotContentList + plural: volumesnapshotcontents + shortNames: + - vsc + - vscs + singular: volumesnapshotcontent + scope: Cluster + versions: + - additionalPrinterColumns: + - description: Indicates if the snapshot is ready to be used to restore a volume. + jsonPath: .status.readyToUse + name: ReadyToUse + type: boolean + - description: Represents the complete size of the snapshot in bytes + jsonPath: .status.restoreSize + name: RestoreSize + type: integer + - description: Determines whether this VolumeSnapshotContent and its physical + snapshot on the underlying storage system should be deleted when its bound + VolumeSnapshot is deleted. + jsonPath: .spec.deletionPolicy + name: DeletionPolicy + type: string + - description: Name of the CSI driver used to create the physical snapshot on + the underlying storage system. + jsonPath: .spec.driver + name: Driver + type: string + - description: Name of the VolumeSnapshotClass to which this snapshot belongs. + jsonPath: .spec.volumeSnapshotClassName + name: VolumeSnapshotClass + type: string + - description: Name of the VolumeSnapshot object to which this VolumeSnapshotContent + object is bound. + jsonPath: .spec.volumeSnapshotRef.name + name: VolumeSnapshot + type: string + - description: Namespace of the VolumeSnapshot object to which this VolumeSnapshotContent + object is bound. + jsonPath: .spec.volumeSnapshotRef.namespace + name: VolumeSnapshotNamespace + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + VolumeSnapshotContent represents the actual "on-disk" snapshot object in the + underlying storage system + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + spec defines properties of a VolumeSnapshotContent created by the underlying storage system. + Required. + properties: + deletionPolicy: + description: |- + deletionPolicy determines whether this VolumeSnapshotContent and its physical snapshot on + the underlying storage system should be deleted when its bound VolumeSnapshot is deleted. + Supported values are "Retain" and "Delete". + "Retain" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are kept. + "Delete" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are deleted. + For dynamically provisioned snapshots, this field will automatically be filled in by the + CSI snapshotter sidecar with the "DeletionPolicy" field defined in the corresponding + VolumeSnapshotClass. + For pre-existing snapshots, users MUST specify this field when creating the + VolumeSnapshotContent object. + Required. + enum: + - Delete + - Retain + type: string + driver: + description: |- + driver is the name of the CSI driver used to create the physical snapshot on + the underlying storage system. + This MUST be the same as the name returned by the CSI GetPluginName() call for + that driver. + Required. + type: string + source: + description: |- + source specifies whether the snapshot is (or should be) dynamically provisioned + or already exists, and just requires a Kubernetes object representation. + This field is immutable after creation. + Required. + properties: + snapshotHandle: + description: |- + snapshotHandle specifies the CSI "snapshot_id" of a pre-existing snapshot on + the underlying storage system for which a Kubernetes object representation + was (or should be) created. + This field is immutable. + type: string + x-kubernetes-validations: + - message: snapshotHandle is immutable + rule: self == oldSelf + volumeHandle: + description: |- + volumeHandle specifies the CSI "volume_id" of the volume from which a snapshot + should be dynamically taken from. + This field is immutable. + type: string + x-kubernetes-validations: + - message: volumeHandle is immutable + rule: self == oldSelf + type: object + x-kubernetes-validations: + - message: volumeHandle is required once set + rule: '!has(oldSelf.volumeHandle) || has(self.volumeHandle)' + - message: snapshotHandle is required once set + rule: '!has(oldSelf.snapshotHandle) || has(self.snapshotHandle)' + - message: exactly one of volumeHandle and snapshotHandle must be + set + rule: (has(self.volumeHandle) && !has(self.snapshotHandle)) || (!has(self.volumeHandle) + && has(self.snapshotHandle)) + sourceVolumeMode: + description: |- + SourceVolumeMode is the mode of the volume whose snapshot is taken. + Can be either "Filesystem" or "Block". + If not specified, it indicates the source volume's mode is unknown. + This field is immutable. + This field is an alpha field. + type: string + x-kubernetes-validations: + - message: sourceVolumeMode is immutable + rule: self == oldSelf + volumeSnapshotClassName: + description: |- + name of the VolumeSnapshotClass from which this snapshot was (or will be) + created. + Note that after provisioning, the VolumeSnapshotClass may be deleted or + recreated with different set of values, and as such, should not be referenced + post-snapshot creation. + type: string + volumeSnapshotRef: + description: |- + volumeSnapshotRef specifies the VolumeSnapshot object to which this + VolumeSnapshotContent object is bound. + VolumeSnapshot.Spec.VolumeSnapshotContentName field must reference to + this VolumeSnapshotContent's name for the bidirectional binding to be valid. + For a pre-existing VolumeSnapshotContent object, name and namespace of the + VolumeSnapshot object MUST be provided for binding to happen. + This field is immutable after creation. + Required. + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. + type: string + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + namespace: + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + type: string + resourceVersion: + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + type: string + uid: + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + type: string + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: both spec.volumeSnapshotRef.name and spec.volumeSnapshotRef.namespace + must be set + rule: has(self.name) && has(self.__namespace__) + required: + - deletionPolicy + - driver + - source + - volumeSnapshotRef + type: object + x-kubernetes-validations: + - message: sourceVolumeMode is required once set + rule: '!has(oldSelf.sourceVolumeMode) || has(self.sourceVolumeMode)' + status: + description: status represents the current information of a snapshot. + properties: + creationTime: + description: |- + creationTime is the timestamp when the point-in-time snapshot is taken + by the underlying storage system. + In dynamic snapshot creation case, this field will be filled in by the + CSI snapshotter sidecar with the "creation_time" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "creation_time" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. + If not specified, it indicates the creation time is unknown. + The format of this field is a Unix nanoseconds time encoded as an int64. + On Unix, the command `date +%s%N` returns the current time in nanoseconds + since 1970-01-01 00:00:00 UTC. + format: int64 + type: integer + error: + description: |- + error is the last observed error during snapshot creation, if any. + Upon success after retry, this error field will be cleared. + properties: + message: + description: |- + message is a string detailing the encountered error during snapshot + creation if specified. + NOTE: message may be logged, and it should not contain sensitive + information. + type: string + time: + description: time is the timestamp when the error was encountered. + format: date-time + type: string + type: object + readyToUse: + description: |- + readyToUse indicates if a snapshot is ready to be used to restore a volume. + In dynamic snapshot creation case, this field will be filled in by the + CSI snapshotter sidecar with the "ready_to_use" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "ready_to_use" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it, + otherwise, this field will be set to "True". + If not specified, it means the readiness of a snapshot is unknown. + type: boolean + restoreSize: + description: |- + restoreSize represents the complete size of the snapshot in bytes. + In dynamic snapshot creation case, this field will be filled in by the + CSI snapshotter sidecar with the "size_bytes" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "size_bytes" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. + When restoring a volume from this snapshot, the size of the volume MUST NOT + be smaller than the restoreSize if it is specified, otherwise the restoration will fail. + If not specified, it indicates that the size is unknown. + format: int64 + minimum: 0 + type: integer + snapshotHandle: + description: |- + snapshotHandle is the CSI "snapshot_id" of a snapshot on the underlying storage system. + If not specified, it indicates that dynamic snapshot creation has either failed + or it is still in progress. + type: string + volumeGroupSnapshotHandle: + description: |- + VolumeGroupSnapshotHandle is the CSI "group_snapshot_id" of a group snapshot + on the underlying storage system. + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: Indicates if the snapshot is ready to be used to restore a volume. + jsonPath: .status.readyToUse + name: ReadyToUse + type: boolean + - description: Represents the complete size of the snapshot in bytes + jsonPath: .status.restoreSize + name: RestoreSize + type: integer + - description: Determines whether this VolumeSnapshotContent and its physical snapshot on the underlying storage system should be deleted when its bound VolumeSnapshot is deleted. + jsonPath: .spec.deletionPolicy + name: DeletionPolicy + type: string + - description: Name of the CSI driver used to create the physical snapshot on the underlying storage system. + jsonPath: .spec.driver + name: Driver + type: string + - description: Name of the VolumeSnapshotClass to which this snapshot belongs. + jsonPath: .spec.volumeSnapshotClassName + name: VolumeSnapshotClass + type: string + - description: Name of the VolumeSnapshot object to which this VolumeSnapshotContent object is bound. + jsonPath: .spec.volumeSnapshotRef.name + name: VolumeSnapshot + type: string + - description: Namespace of the VolumeSnapshot object to which this VolumeSnapshotContent object is bound. + jsonPath: .spec.volumeSnapshotRef.namespace + name: VolumeSnapshotNamespace + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + # This indicates the v1beta1 version of the custom resource is deprecated. + # API requests to this version receive a warning in the server response. + deprecated: true + # This overrides the default warning returned to clients making v1beta1 API requests. + deprecationWarning: "snapshot.storage.k8s.io/v1beta1 VolumeSnapshotContent is deprecated; use snapshot.storage.k8s.io/v1 VolumeSnapshotContent" + schema: + openAPIV3Schema: + description: VolumeSnapshotContent represents the actual "on-disk" snapshot object in the underlying storage system + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + spec: + description: spec defines properties of a VolumeSnapshotContent created by the underlying storage system. Required. + properties: + deletionPolicy: + description: deletionPolicy determines whether this VolumeSnapshotContent and its physical snapshot on the underlying storage system should be deleted when its bound VolumeSnapshot is deleted. Supported values are "Retain" and "Delete". "Retain" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are kept. "Delete" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are deleted. For dynamically provisioned snapshots, this field will automatically be filled in by the CSI snapshotter sidecar with the "DeletionPolicy" field defined in the corresponding VolumeSnapshotClass. For pre-existing snapshots, users MUST specify this field when creating the VolumeSnapshotContent object. Required. + enum: + - Delete + - Retain + type: string + driver: + description: driver is the name of the CSI driver used to create the physical snapshot on the underlying storage system. This MUST be the same as the name returned by the CSI GetPluginName() call for that driver. Required. + type: string + source: + description: source specifies whether the snapshot is (or should be) dynamically provisioned or already exists, and just requires a Kubernetes object representation. This field is immutable after creation. Required. + properties: + snapshotHandle: + description: snapshotHandle specifies the CSI "snapshot_id" of a pre-existing snapshot on the underlying storage system for which a Kubernetes object representation was (or should be) created. This field is immutable. + type: string + volumeHandle: + description: volumeHandle specifies the CSI "volume_id" of the volume from which a snapshot should be dynamically taken from. This field is immutable. + type: string + type: object + volumeSnapshotClassName: + description: name of the VolumeSnapshotClass from which this snapshot was (or will be) created. Note that after provisioning, the VolumeSnapshotClass may be deleted or recreated with different set of values, and as such, should not be referenced post-snapshot creation. + type: string + volumeSnapshotRef: + description: volumeSnapshotRef specifies the VolumeSnapshot object to which this VolumeSnapshotContent object is bound. VolumeSnapshot.Spec.VolumeSnapshotContentName field must reference to this VolumeSnapshotContent's name for the bidirectional binding to be valid. For a pre-existing VolumeSnapshotContent object, name and namespace of the VolumeSnapshot object MUST be provided for binding to happen. This field is immutable after creation. Required. + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + required: + - deletionPolicy + - driver + - source + - volumeSnapshotRef + type: object + status: + description: status represents the current information of a snapshot. + properties: + creationTime: + description: creationTime is the timestamp when the point-in-time snapshot is taken by the underlying storage system. In dynamic snapshot creation case, this field will be filled in by the CSI snapshotter sidecar with the "creation_time" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "creation_time" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. If not specified, it indicates the creation time is unknown. The format of this field is a Unix nanoseconds time encoded as an int64. On Unix, the command `date +%s%N` returns the current time in nanoseconds since 1970-01-01 00:00:00 UTC. + format: int64 + type: integer + error: + description: error is the last observed error during snapshot creation, if any. Upon success after retry, this error field will be cleared. + properties: + message: + description: 'message is a string detailing the encountered error during snapshot creation if specified. NOTE: message may be logged, and it should not contain sensitive information.' + type: string + time: + description: time is the timestamp when the error was encountered. + format: date-time + type: string + type: object + readyToUse: + description: readyToUse indicates if a snapshot is ready to be used to restore a volume. In dynamic snapshot creation case, this field will be filled in by the CSI snapshotter sidecar with the "ready_to_use" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "ready_to_use" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it, otherwise, this field will be set to "True". If not specified, it means the readiness of a snapshot is unknown. + type: boolean + restoreSize: + description: restoreSize represents the complete size of the snapshot in bytes. In dynamic snapshot creation case, this field will be filled in by the CSI snapshotter sidecar with the "size_bytes" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "size_bytes" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. When restoring a volume from this snapshot, the size of the volume MUST NOT be smaller than the restoreSize if it is specified, otherwise the restoration will fail. If not specified, it indicates that the size is unknown. + format: int64 + minimum: 0 + type: integer + snapshotHandle: + description: snapshotHandle is the CSI "snapshot_id" of a snapshot on the underlying storage system. If not specified, it indicates that dynamic snapshot creation has either failed or it is still in progress. + type: string + type: object + required: + - spec + type: object + served: false + storage: false + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/deploy/v1.34.3/csi-azurefile-controller.yaml b/deploy/v1.34.3/csi-azurefile-controller.yaml new file mode 100644 index 0000000000..ca44aa25a2 --- /dev/null +++ b/deploy/v1.34.3/csi-azurefile-controller.yaml @@ -0,0 +1,200 @@ +--- +kind: Deployment +apiVersion: apps/v1 +metadata: + name: csi-azurefile-controller + namespace: kube-system +spec: + replicas: 2 + selector: + matchLabels: + app: csi-azurefile-controller + template: + metadata: + labels: + app: csi-azurefile-controller + spec: + hostNetwork: true # only required for MSI enabled cluster + serviceAccountName: csi-azurefile-controller-sa + nodeSelector: + kubernetes.io/os: linux # add "kubernetes.io/role: master" to run controller on master node + priorityClassName: system-cluster-critical + securityContext: + seccompProfile: + type: RuntimeDefault + tolerations: + - key: "node-role.kubernetes.io/master" + operator: "Exists" + effect: "NoSchedule" + - key: "node-role.kubernetes.io/controlplane" + operator: "Exists" + effect: "NoSchedule" + - key: "node-role.kubernetes.io/control-plane" + operator: "Exists" + effect: "NoSchedule" + - key: "CriticalAddonsOnly" + operator: "Exists" + effect: "NoSchedule" + containers: + - name: csi-provisioner + image: mcr.microsoft.com/oss/v2/kubernetes-csi/csi-provisioner:v6.1.0 + args: + - "-v=2" + - "--csi-address=$(ADDRESS)" + - "--leader-election" + - "--leader-election-namespace=kube-system" + - "--timeout=1200s" + - "--extra-create-metadata=true" + - "--kube-api-qps=50" + - "--kube-api-burst=100" + - "--feature-gates=HonorPVReclaimPolicy=true" + - "--retry-interval-max=30m" + env: + - name: ADDRESS + value: /csi/csi.sock + volumeMounts: + - mountPath: /csi + name: socket-dir + resources: + limits: + memory: 500Mi + requests: + cpu: 10m + memory: 20Mi + securityContext: + capabilities: + drop: + - ALL + - name: csi-snapshotter + image: mcr.microsoft.com/oss/v2/kubernetes-csi/csi-snapshotter:v8.4.0 + args: + - "-v=2" + - "-csi-address=$(ADDRESS)" + - "--leader-election" + - "--leader-election-namespace=kube-system" + - "--retry-interval-max=30m" + env: + - name: ADDRESS + value: /csi/csi.sock + volumeMounts: + - name: socket-dir + mountPath: /csi + resources: + limits: + memory: 200Mi + requests: + cpu: 10m + memory: 20Mi + securityContext: + capabilities: + drop: + - ALL + - name: csi-resizer + image: mcr.microsoft.com/oss/v2/kubernetes-csi/csi-resizer:v2.0.0 + args: + - "-csi-address=$(ADDRESS)" + - "-v=2" + - "--leader-election" + - "--leader-election-namespace=kube-system" + - '-handle-volume-inuse-error=false' + - '-feature-gates=RecoverVolumeExpansionFailure=true' + - '-timeout=120s' + - "--retry-interval-max=30m" + env: + - name: ADDRESS + value: /csi/csi.sock + volumeMounts: + - name: socket-dir + mountPath: /csi + resources: + limits: + memory: 500Mi + requests: + cpu: 10m + memory: 20Mi + securityContext: + capabilities: + drop: + - ALL + - name: liveness-probe + image: mcr.microsoft.com/oss/v2/kubernetes-csi/livenessprobe:v2.17.0 + args: + - --csi-address=/csi/csi.sock + - --probe-timeout=3s + - --http-endpoint=localhost:29612 + - --v=2 + volumeMounts: + - name: socket-dir + mountPath: /csi + resources: + limits: + memory: 100Mi + requests: + cpu: 10m + memory: 20Mi + securityContext: + capabilities: + drop: + - ALL + - name: azurefile + image: mcr.microsoft.com/oss/v2/kubernetes-csi/azurefile-csi:v1.34.3 + imagePullPolicy: IfNotPresent + args: + - "--v=5" + - "--endpoint=$(CSI_ENDPOINT)" + - "--metrics-address=0.0.0.0:29614" + - "--user-agent-suffix=OSS-kubectl" + ports: + - containerPort: 29614 + name: metrics + protocol: TCP + livenessProbe: + failureThreshold: 5 + httpGet: + host: localhost + path: /healthz + port: 29612 + initialDelaySeconds: 30 + timeoutSeconds: 10 + periodSeconds: 30 + env: + - name: AZURE_CREDENTIAL_FILE + valueFrom: + configMapKeyRef: + name: azure-cred-file + key: path + optional: true + - name: CSI_ENDPOINT + value: unix:///csi/csi.sock + - name: AZCOPY_CONCURRENCY_VALUE + value: "10" + - name: AZCOPY_CONCURRENT_FILES + value: "20" + - name: AZCOPY_BUFFER_GB + value: "1" + volumeMounts: + - mountPath: /csi + name: socket-dir + - mountPath: /root/.azcopy + name: azcopy-dir + - mountPath: /etc/kubernetes/ + name: azure-cred + resources: + limits: + memory: 800Mi + requests: + cpu: 10m + memory: 20Mi + securityContext: + capabilities: + drop: + - ALL + volumes: + - name: socket-dir + emptyDir: {} + - name: azcopy-dir + emptyDir: {} + - name: azure-cred + hostPath: + path: /etc/kubernetes/ + type: DirectoryOrCreate diff --git a/deploy/v1.34.3/csi-azurefile-driver.yaml b/deploy/v1.34.3/csi-azurefile-driver.yaml new file mode 100644 index 0000000000..19f72f6ca0 --- /dev/null +++ b/deploy/v1.34.3/csi-azurefile-driver.yaml @@ -0,0 +1,17 @@ +--- +apiVersion: storage.k8s.io/v1 +kind: CSIDriver +metadata: + name: file.csi.azure.com + annotations: + csiDriver: v1.34.0 + snapshot: v6.2.2 +spec: + attachRequired: false + podInfoOnMount: true + volumeLifecycleModes: + - Persistent + - Ephemeral + fsGroupPolicy: ReadWriteOnceWithFSType + tokenRequests: + - audience: api://AzureADTokenExchange diff --git a/deploy/v1.34.3/csi-azurefile-node-windows-hostprocess.yaml b/deploy/v1.34.3/csi-azurefile-node-windows-hostprocess.yaml new file mode 100644 index 0000000000..35fd4150cd --- /dev/null +++ b/deploy/v1.34.3/csi-azurefile-node-windows-hostprocess.yaml @@ -0,0 +1,122 @@ +--- +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: csi-azurefile-node-win + namespace: kube-system +spec: + updateStrategy: + rollingUpdate: + maxUnavailable: 1 + type: RollingUpdate + selector: + matchLabels: + app: csi-azurefile-node-win + template: + metadata: + labels: + app: csi-azurefile-node-win + spec: + serviceAccountName: csi-azurefile-node-sa + tolerations: + - key: "node.kubernetes.io/os" + operator: "Exists" + effect: "NoSchedule" + nodeSelector: + kubernetes.io/os: windows + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: type + operator: NotIn + values: + - virtual-kubelet + priorityClassName: system-node-critical + securityContext: + seccompProfile: + type: RuntimeDefault + windowsOptions: + hostProcess: true + runAsUserName: "NT AUTHORITY\\SYSTEM" + hostNetwork: true + initContainers: + - name: init + image: mcr.microsoft.com/oss/v2/kubernetes-csi/azurefile-csi:v1.34.3-windows-hp + imagePullPolicy: IfNotPresent + command: + - "powershell.exe" + - "-c" + - "New-Item -ItemType Directory -Path C:\\var\\lib\\kubelet\\plugins\\file.csi.azure.com\\ -Force" + securityContext: + capabilities: + drop: + - ALL + containers: + - name: node-driver-registrar + image: mcr.microsoft.com/oss/v2/kubernetes-csi/csi-node-driver-registrar:v2.15.0 + imagePullPolicy: IfNotPresent + command: + - "csi-node-driver-registrar.exe" + args: + - "--v=2" + - "--csi-address=$(CSI_ENDPOINT)" + - "--kubelet-registration-path=$(DRIVER_REG_SOCK_PATH)" + - "--plugin-registration-path=$(PLUGIN_REG_DIR)" + env: + - name: CSI_ENDPOINT + value: unix://C:\\var\\lib\\kubelet\\plugins\\file.csi.azure.com\\csi.sock + - name: DRIVER_REG_SOCK_PATH + value: C:\\var\\lib\\kubelet\\plugins\\file.csi.azure.com\\csi.sock + - name: PLUGIN_REG_DIR + value: C:\\var\\lib\\kubelet\\plugins_registry\\ + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + resources: + limits: + memory: 150Mi + requests: + cpu: 30m + memory: 40Mi + securityContext: + capabilities: + drop: + - ALL + - name: azurefile + image: mcr.microsoft.com/oss/v2/kubernetes-csi/azurefile-csi:v1.34.3-windows-hp + imagePullPolicy: IfNotPresent + command: + - "azurefileplugin.exe" + args: + - --v=5 + - --endpoint=$(CSI_ENDPOINT) + - --nodeid=$(KUBE_NODE_NAME) + - --enable-windows-host-process=true + - --metrics-address="0.0.0.0:29615" + env: + - name: AZURE_CREDENTIAL_FILE + valueFrom: + configMapKeyRef: + name: azure-cred-file + key: path-windows + optional: true + - name: CSI_ENDPOINT + value: unix://C:\\var\\lib\\kubelet\\plugins\\file.csi.azure.com\\csi.sock + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + resources: + limits: + memory: 600Mi + requests: + cpu: 10m + memory: 40Mi + securityContext: + capabilities: + drop: + - ALL diff --git a/deploy/v1.34.3/csi-azurefile-node-windows.yaml b/deploy/v1.34.3/csi-azurefile-node-windows.yaml new file mode 100644 index 0000000000..6220a27a62 --- /dev/null +++ b/deploy/v1.34.3/csi-azurefile-node-windows.yaml @@ -0,0 +1,187 @@ +--- +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: csi-azurefile-node-win + namespace: kube-system +spec: + updateStrategy: + rollingUpdate: + maxUnavailable: 1 + type: RollingUpdate + selector: + matchLabels: + app: csi-azurefile-node-win + template: + metadata: + labels: + app: csi-azurefile-node-win + spec: + serviceAccountName: csi-azurefile-node-sa + tolerations: + - key: "node.kubernetes.io/os" + operator: "Exists" + effect: "NoSchedule" + nodeSelector: + kubernetes.io/os: windows + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: type + operator: NotIn + values: + - virtual-kubelet + priorityClassName: system-node-critical + securityContext: + seccompProfile: + type: RuntimeDefault + containers: + - name: liveness-probe + volumeMounts: + - mountPath: C:\csi + name: plugin-dir + image: mcr.microsoft.com/oss/kubernetes-csi/livenessprobe:v2.15.0 + args: + - --csi-address=$(CSI_ENDPOINT) + - --probe-timeout=3s + - --health-port=29613 + - --v=2 + env: + - name: CSI_ENDPOINT + value: unix://C:\\csi\\csi.sock + resources: + limits: + memory: 150Mi + requests: + cpu: 10m + memory: 40Mi + securityContext: + capabilities: + drop: + - ALL + - name: node-driver-registrar + image: mcr.microsoft.com/oss/v2/kubernetes-csi/csi-node-driver-registrar:v2.13.0 + args: + - --v=2 + - --csi-address=$(CSI_ENDPOINT) + - --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH) + env: + - name: CSI_ENDPOINT + value: unix://C:\\csi\\csi.sock + - name: DRIVER_REG_SOCK_PATH + value: C:\\var\\lib\\kubelet\\plugins\\file.csi.azure.com\\csi.sock + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + volumeMounts: + - name: kubelet-dir + mountPath: "C:\\var\\lib\\kubelet" + - name: plugin-dir + mountPath: C:\csi + - name: registration-dir + mountPath: C:\registration + resources: + limits: + memory: 150Mi + requests: + cpu: 30m + memory: 40Mi + securityContext: + capabilities: + drop: + - ALL + - name: azurefile + image: mcr.microsoft.com/oss/v2/kubernetes-csi/azurefile-csi:v1.34.3 + imagePullPolicy: IfNotPresent + args: + - --v=5 + - --endpoint=$(CSI_ENDPOINT) + - --nodeid=$(KUBE_NODE_NAME) + - --metrics-address="0.0.0.0:29615" + ports: + - containerPort: 29613 + name: healthz + protocol: TCP + livenessProbe: + failureThreshold: 5 + httpGet: + path: /healthz + port: healthz + initialDelaySeconds: 60 + timeoutSeconds: 60 + periodSeconds: 60 + env: + - name: AZURE_CREDENTIAL_FILE + valueFrom: + configMapKeyRef: + name: azure-cred-file + key: path-windows + optional: true + - name: CSI_ENDPOINT + value: unix://C:\\csi\\csi.sock + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + volumeMounts: + - name: kubelet-dir + mountPath: "C:\\var\\lib\\kubelet" + - name: plugin-dir + mountPath: C:\csi + - name: azure-config + mountPath: C:\k + - name: csi-proxy-fs-pipe-v1 + mountPath: \\.\pipe\csi-proxy-filesystem-v1 + - name: csi-proxy-smb-pipe-v1 + mountPath: \\.\pipe\csi-proxy-smb-v1 + # these paths are still included for compatibility, they're used + # only if the node has still the beta version of the CSI proxy + - name: csi-proxy-fs-pipe-v1beta1 + mountPath: \\.\pipe\csi-proxy-filesystem-v1beta1 + - name: csi-proxy-smb-pipe-v1beta1 + mountPath: \\.\pipe\csi-proxy-smb-v1beta1 + resources: + limits: + memory: 200Mi + requests: + cpu: 10m + memory: 40Mi + securityContext: + capabilities: + drop: + - ALL + volumes: + - name: csi-proxy-fs-pipe-v1 + hostPath: + path: \\.\pipe\csi-proxy-filesystem-v1 + - name: csi-proxy-smb-pipe-v1 + hostPath: + path: \\.\pipe\csi-proxy-smb-v1 + # these paths are still included for compatibility, they're used + # only if the node has still the beta version of the CSI proxy + - name: csi-proxy-fs-pipe-v1beta1 + hostPath: + path: \\.\pipe\csi-proxy-filesystem-v1beta1 + - name: csi-proxy-smb-pipe-v1beta1 + hostPath: + path: \\.\pipe\csi-proxy-smb-v1beta1 + - name: registration-dir + hostPath: + path: C:\var\lib\kubelet\plugins_registry\ + type: Directory + - name: kubelet-dir + hostPath: + path: C:\var\lib\kubelet\ + type: Directory + - name: plugin-dir + hostPath: + path: C:\var\lib\kubelet\plugins\file.csi.azure.com\ + type: DirectoryOrCreate + - name: azure-config + hostPath: + path: C:\k + type: DirectoryOrCreate diff --git a/deploy/v1.34.3/csi-azurefile-node.yaml b/deploy/v1.34.3/csi-azurefile-node.yaml new file mode 100644 index 0000000000..7a294d8352 --- /dev/null +++ b/deploy/v1.34.3/csi-azurefile-node.yaml @@ -0,0 +1,244 @@ +--- +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: csi-azurefile-node + namespace: kube-system +spec: + updateStrategy: + rollingUpdate: + maxUnavailable: 1 + type: RollingUpdate + selector: + matchLabels: + app: csi-azurefile-node + template: + metadata: + labels: + app: csi-azurefile-node + spec: + hostNetwork: true + hostPID: true + dnsPolicy: Default + serviceAccountName: csi-azurefile-node-sa + nodeSelector: + kubernetes.io/os: linux + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: type + operator: NotIn + values: + - virtual-kubelet + priorityClassName: system-node-critical + securityContext: + seccompProfile: + type: RuntimeDefault + tolerations: + - operator: "Exists" + initContainers: + - name: install-azurefile-proxy + image: mcr.microsoft.com/oss/v2/kubernetes-csi/azurefile-csi:v1.34.3 + imagePullPolicy: IfNotPresent + command: + - "/azurefile-proxy/init.sh" + securityContext: + privileged: true + capabilities: + drop: + - ALL + env: + - name: DEBIAN_FRONTEND + value: "noninteractive" + - name: AZNFS_NONINTERACTIVE_INSTALL + value: "1" + - name: INSTALL_AZUREFILE_PROXY + value: "true" + - name: INSTALL_AZNFS_MOUNT + value: "true" + - name: ENABLE_MI_AUTH + value: "true" + volumeMounts: + - name: host-usr + mountPath: /host/usr + - name: host-etc + mountPath: /host/etc + - name: mountpoint-dir + mountPath: /var/lib/kubelet/ + mountPropagation: Bidirectional + containers: + - name: liveness-probe + volumeMounts: + - mountPath: /csi + name: socket-dir + image: mcr.microsoft.com/oss/v2/kubernetes-csi/livenessprobe:v2.17.0 + args: + - --csi-address=/csi/csi.sock + - --probe-timeout=3s + - --http-endpoint=localhost:29613 + - --v=2 + resources: + limits: + memory: 100Mi + requests: + cpu: 10m + memory: 20Mi + securityContext: + capabilities: + drop: + - ALL + - name: node-driver-registrar + image: mcr.microsoft.com/oss/v2/kubernetes-csi/csi-node-driver-registrar:v2.15.0 + args: + - --csi-address=$(ADDRESS) + - --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH) + - --v=2 + env: + - name: ADDRESS + value: /csi/csi.sock + - name: DRIVER_REG_SOCK_PATH + value: /var/lib/kubelet/plugins/file.csi.azure.com/csi.sock + volumeMounts: + - name: socket-dir + mountPath: /csi + - name: registration-dir + mountPath: /registration + resources: + limits: + memory: 100Mi + requests: + cpu: 10m + memory: 20Mi + securityContext: + capabilities: + drop: + - ALL + - name: azurefile + image: mcr.microsoft.com/oss/v2/kubernetes-csi/azurefile-csi:v1.34.3 + imagePullPolicy: IfNotPresent + args: + - "--v=5" + - "--endpoint=$(CSI_ENDPOINT)" + - "--enable-azurefile-proxy=true" + - "--azurefile-proxy-endpoint=$(AZUREFILE_PROXY_ENDPOINT)" + - "--nodeid=$(KUBE_NODE_NAME)" + - "--metrics-address=0.0.0.0:29615" + - "--enable-kata-cc-mount=true" + livenessProbe: + failureThreshold: 5 + httpGet: + host: localhost + path: /healthz + port: 29613 + initialDelaySeconds: 30 + timeoutSeconds: 10 + periodSeconds: 30 + env: + - name: AZURE_CREDENTIAL_FILE + valueFrom: + configMapKeyRef: + name: azure-cred-file + key: path + optional: true + - name: CSI_ENDPOINT + value: unix:///csi/csi.sock + - name: AZUREFILE_PROXY_ENDPOINT + value: unix:///csi/azurefile-proxy.sock + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + securityContext: + privileged: true + capabilities: + drop: + - ALL + volumeMounts: + - mountPath: /csi + name: socket-dir + - mountPath: /var/lib/kubelet/ + mountPropagation: Bidirectional + name: mountpoint-dir + - mountPath: /etc/kubernetes/ + name: azure-cred + - mountPath: /dev + name: device-dir + - mountPath: /run/kata-containers/shared/direct-volumes + name: kata-direct-volumes + - name: azfilesauth + mountPath: /etc/azfilesauth + - name: log-dir + mountPath: /var/log/ + resources: + limits: + memory: 400Mi + requests: + cpu: 10m + memory: 20Mi + - name: azfilesrefresh + image: mcr.microsoft.com/oss/v2/kubernetes-csi/azurefile-csi:v1.34.3 + imagePullPolicy: IfNotPresent + command: + - "azfilesrefresh" + securityContext: + privileged: true + capabilities: + drop: + - ALL + volumeMounts: + - mountPath: /var/lib/kubelet/ + mountPropagation: Bidirectional + name: mountpoint-dir + - name: azfilesauth + mountPath: /etc/azfilesauth + - name: log-dir + mountPath: /var/log/ + resources: + limits: + memory: 100Mi + requests: + cpu: 10m + memory: 20Mi + volumes: + - name: host-usr + hostPath: + path: /usr + - name: host-etc + hostPath: + path: /etc + - name: azfilesauth + hostPath: + path: /etc/azfilesauth + type: DirectoryOrCreate + - hostPath: + path: /var/lib/kubelet/plugins/file.csi.azure.com + type: DirectoryOrCreate + name: socket-dir + - hostPath: + path: /var/lib/kubelet/ + type: DirectoryOrCreate + name: mountpoint-dir + - hostPath: + path: /var/lib/kubelet/plugins_registry/ + type: DirectoryOrCreate + name: registration-dir + - hostPath: + path: /etc/kubernetes/ + type: DirectoryOrCreate + name: azure-cred + - hostPath: + path: /dev + type: Directory + name: device-dir + - name: kata-direct-volumes + hostPath: + path: /run/kata-containers/shared/direct-volumes/ + type: DirectoryOrCreate + - hostPath: + path: /var/log/ + type: DirectoryOrCreate + name: log-dir +--- diff --git a/deploy/v1.34.3/csi-snapshot-controller.yaml b/deploy/v1.34.3/csi-snapshot-controller.yaml new file mode 100644 index 0000000000..4e34d50b38 --- /dev/null +++ b/deploy/v1.34.3/csi-snapshot-controller.yaml @@ -0,0 +1,63 @@ +--- +kind: Deployment +apiVersion: apps/v1 +metadata: + name: csi-snapshot-controller + namespace: kube-system +spec: + replicas: 2 + selector: + matchLabels: + app: csi-snapshot-controller + # the snapshot controller won't be marked as ready if the v1 CRDs are unavailable + # in #504 the snapshot-controller will exit after around 7.5 seconds if it + # can't find the v1 CRDs so this value should be greater than that + minReadySeconds: 15 + strategy: + rollingUpdate: + maxSurge: 0 + maxUnavailable: 1 + type: RollingUpdate + template: + metadata: + labels: + app: csi-snapshot-controller + spec: + serviceAccountName: csi-snapshot-controller-sa + nodeSelector: + kubernetes.io/os: linux + priorityClassName: system-cluster-critical + securityContext: + seccompProfile: + type: RuntimeDefault + tolerations: + - key: "node-role.kubernetes.io/master" + operator: "Equal" + value: "true" + effect: "NoSchedule" + - key: "node-role.kubernetes.io/controlplane" + operator: "Equal" + value: "true" + effect: "NoSchedule" + - key: "node-role.kubernetes.io/control-plane" + operator: "Equal" + value: "true" + effect: "NoSchedule" + containers: + - name: csi-snapshot-controller + image: mcr.microsoft.com/oss/v2/kubernetes-csi/snapshot-controller:v8.4.0 + args: + - "--v=2" + - "--leader-election=true" + - "--leader-election-namespace=kube-system" + - "--retry-interval-max=30m" + resources: + limits: + memory: 500Mi + requests: + cpu: 10m + memory: 20Mi + securityContext: + capabilities: + drop: + - ALL diff --git a/deploy/v1.34.3/rbac-csi-azurefile-controller.yaml b/deploy/v1.34.3/rbac-csi-azurefile-controller.yaml new file mode 100644 index 0000000000..b3baefcf04 --- /dev/null +++ b/deploy/v1.34.3/rbac-csi-azurefile-controller.yaml @@ -0,0 +1,195 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: csi-azurefile-controller-sa + namespace: kube-system + +--- + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: azurefile-external-provisioner-role +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "create", "patch", "delete"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["storage.k8s.io"] + resources: ["storageclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["get", "list", "watch", "create", "update", "patch"] + - apiGroups: ["storage.k8s.io"] + resources: ["csinodes"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "watch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots"] + verbs: ["get", "list"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["get", "list"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create", "patch"] +--- + +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: azurefile-csi-provisioner-binding +subjects: + - kind: ServiceAccount + name: csi-azurefile-controller-sa + namespace: kube-system +roleRef: + kind: ClusterRole + name: azurefile-external-provisioner-role + apiGroup: rbac.authorization.k8s.io + +--- + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: azurefile-external-attacher-role +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "watch"] + - apiGroups: ["csi.storage.k8s.io"] + resources: ["csinodeinfos"] + verbs: ["get", "list", "watch"] + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments/status"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create", "patch"] +--- + +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: azurefile-csi-attacher-binding +subjects: + - kind: ServiceAccount + name: csi-azurefile-controller-sa + namespace: kube-system +roleRef: + kind: ClusterRole + name: azurefile-external-attacher-role + apiGroup: rbac.authorization.k8s.io + +--- + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: azurefile-external-snapshotter-role +rules: + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["create", "get", "list", "watch", "update", "delete", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents/status"] + verbs: ["update", "patch"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create", "patch"] + +--- + +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: azurefile-csi-snapshotter-binding +subjects: + - kind: ServiceAccount + name: csi-azurefile-controller-sa + namespace: kube-system +roleRef: + kind: ClusterRole + name: azurefile-external-snapshotter-role + apiGroup: rbac.authorization.k8s.io + +--- + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: azurefile-external-resizer-role +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["persistentvolumeclaims/status"] + verbs: ["update", "patch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: azurefile-csi-resizer-role +subjects: + - kind: ServiceAccount + name: csi-azurefile-controller-sa + namespace: kube-system +roleRef: + kind: ClusterRole + name: azurefile-external-resizer-role + apiGroup: rbac.authorization.k8s.io + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-azurefile-controller-secret-role +rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "create"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-azurefile-controller-secret-binding +subjects: + - kind: ServiceAccount + name: csi-azurefile-controller-sa + namespace: kube-system +roleRef: + kind: ClusterRole + name: csi-azurefile-controller-secret-role + apiGroup: rbac.authorization.k8s.io +--- diff --git a/deploy/v1.34.3/rbac-csi-azurefile-node.yaml b/deploy/v1.34.3/rbac-csi-azurefile-node.yaml new file mode 100644 index 0000000000..d7b10b2d7e --- /dev/null +++ b/deploy/v1.34.3/rbac-csi-azurefile-node.yaml @@ -0,0 +1,59 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: csi-azurefile-node-sa + namespace: kube-system + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-azurefile-node-secret-role +rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-azurefile-node-secret-binding +subjects: + - kind: ServiceAccount + name: csi-azurefile-node-sa + namespace: kube-system +roleRef: + kind: ClusterRole + name: csi-azurefile-node-secret-role + apiGroup: rbac.authorization.k8s.io +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-azurefile-node-katacc-role +rules: + - apiGroups: [""] + resources: ["pods"] + verbs: ["get"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get"] + - apiGroups: ["node.k8s.io"] + resources: ["runtimeclasses"] + verbs: ["get", "list"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-azurefile-node-katacc-binding +subjects: + - kind: ServiceAccount + name: csi-azurefile-node-sa + namespace: kube-system +roleRef: + kind: ClusterRole + name: csi-azurefile-node-katacc-role + apiGroup: rbac.authorization.k8s.io +--- diff --git a/deploy/v1.34.3/rbac-csi-snapshot-controller.yaml b/deploy/v1.34.3/rbac-csi-snapshot-controller.yaml new file mode 100644 index 0000000000..8ef9352476 --- /dev/null +++ b/deploy/v1.34.3/rbac-csi-snapshot-controller.yaml @@ -0,0 +1,78 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: csi-snapshot-controller-sa + namespace: kube-system + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-snapshot-controller-role +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["storage.k8s.io"] + resources: ["storageclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["create", "get", "list", "watch", "update", "delete", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents/status"] + verbs: ["patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots"] + verbs: ["get", "list", "watch", "update", "patch", "create"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots/status"] + verbs: ["update", "patch"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-snapshot-controller-binding +subjects: + - kind: ServiceAccount + name: csi-snapshot-controller-sa + namespace: kube-system +roleRef: + kind: ClusterRole + name: csi-snapshot-controller-role + apiGroup: rbac.authorization.k8s.io + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-snapshot-controller-leaderelection-role +rules: + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create", "patch"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-snapshot-controller-leaderelection-binding +subjects: + - kind: ServiceAccount + name: csi-snapshot-controller-sa + namespace: kube-system +roleRef: + kind: ClusterRole + name: csi-snapshot-controller-leaderelection-role + apiGroup: rbac.authorization.k8s.io diff --git a/deploy/v1.35.0/crd-csi-snapshot.yaml b/deploy/v1.35.0/crd-csi-snapshot.yaml new file mode 100644 index 0000000000..b82d729d5e --- /dev/null +++ b/deploy/v1.35.0/crd-csi-snapshot.yaml @@ -0,0 +1,951 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + api-approved.kubernetes.io: "https://github.com/kubernetes-csi/external-snapshotter/pull/814" + name: volumesnapshots.snapshot.storage.k8s.io +spec: + group: snapshot.storage.k8s.io + names: + kind: VolumeSnapshot + listKind: VolumeSnapshotList + plural: volumesnapshots + shortNames: + - vs + singular: volumesnapshot + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Indicates if the snapshot is ready to be used to restore a volume. + jsonPath: .status.readyToUse + name: ReadyToUse + type: boolean + - description: If a new snapshot needs to be created, this contains the name of + the source PVC from which this snapshot was (or will be) created. + jsonPath: .spec.source.persistentVolumeClaimName + name: SourcePVC + type: string + - description: If a snapshot already exists, this contains the name of the existing + VolumeSnapshotContent object representing the existing snapshot. + jsonPath: .spec.source.volumeSnapshotContentName + name: SourceSnapshotContent + type: string + - description: Represents the minimum size of volume required to rehydrate from + this snapshot. + jsonPath: .status.restoreSize + name: RestoreSize + type: string + - description: The name of the VolumeSnapshotClass requested by the VolumeSnapshot. + jsonPath: .spec.volumeSnapshotClassName + name: SnapshotClass + type: string + - description: Name of the VolumeSnapshotContent object to which the VolumeSnapshot + object intends to bind to. Please note that verification of binding actually + requires checking both VolumeSnapshot and VolumeSnapshotContent to ensure + both are pointing at each other. Binding MUST be verified prior to usage of + this object. + jsonPath: .status.boundVolumeSnapshotContentName + name: SnapshotContent + type: string + - description: Timestamp when the point-in-time snapshot was taken by the underlying + storage system. + jsonPath: .status.creationTime + name: CreationTime + type: date + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + VolumeSnapshot is a user's request for either creating a point-in-time + snapshot of a persistent volume, or binding to a pre-existing snapshot. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + spec defines the desired characteristics of a snapshot requested by a user. + More info: https://kubernetes.io/docs/concepts/storage/volume-snapshots#volumesnapshots + Required. + properties: + source: + description: |- + source specifies where a snapshot will be created from. + This field is immutable after creation. + Required. + properties: + persistentVolumeClaimName: + description: |- + persistentVolumeClaimName specifies the name of the PersistentVolumeClaim + object representing the volume from which a snapshot should be created. + This PVC is assumed to be in the same namespace as the VolumeSnapshot + object. + This field should be set if the snapshot does not exists, and needs to be + created. + This field is immutable. + type: string + x-kubernetes-validations: + - message: persistentVolumeClaimName is immutable + rule: self == oldSelf + volumeSnapshotContentName: + description: |- + volumeSnapshotContentName specifies the name of a pre-existing VolumeSnapshotContent + object representing an existing volume snapshot. + This field should be set if the snapshot already exists and only needs a representation in Kubernetes. + This field is immutable. + type: string + x-kubernetes-validations: + - message: volumeSnapshotContentName is immutable + rule: self == oldSelf + type: object + x-kubernetes-validations: + - message: persistentVolumeClaimName is required once set + rule: '!has(oldSelf.persistentVolumeClaimName) || has(self.persistentVolumeClaimName)' + - message: volumeSnapshotContentName is required once set + rule: '!has(oldSelf.volumeSnapshotContentName) || has(self.volumeSnapshotContentName)' + - message: exactly one of volumeSnapshotContentName and persistentVolumeClaimName + must be set + rule: (has(self.volumeSnapshotContentName) && !has(self.persistentVolumeClaimName)) + || (!has(self.volumeSnapshotContentName) && has(self.persistentVolumeClaimName)) + volumeSnapshotClassName: + description: |- + VolumeSnapshotClassName is the name of the VolumeSnapshotClass + requested by the VolumeSnapshot. + VolumeSnapshotClassName may be left nil to indicate that the default + SnapshotClass should be used. + A given cluster may have multiple default Volume SnapshotClasses: one + default per CSI Driver. If a VolumeSnapshot does not specify a SnapshotClass, + VolumeSnapshotSource will be checked to figure out what the associated + CSI Driver is, and the default VolumeSnapshotClass associated with that + CSI Driver will be used. If more than one VolumeSnapshotClass exist for + a given CSI Driver and more than one have been marked as default, + CreateSnapshot will fail and generate an event. + Empty string is not allowed for this field. + type: string + x-kubernetes-validations: + - message: volumeSnapshotClassName must not be the empty string when + set + rule: size(self) > 0 + required: + - source + type: object + status: + description: |- + status represents the current information of a snapshot. + Consumers must verify binding between VolumeSnapshot and + VolumeSnapshotContent objects is successful (by validating that both + VolumeSnapshot and VolumeSnapshotContent point at each other) before + using this object. + properties: + boundVolumeSnapshotContentName: + description: |- + boundVolumeSnapshotContentName is the name of the VolumeSnapshotContent + object to which this VolumeSnapshot object intends to bind to. + If not specified, it indicates that the VolumeSnapshot object has not been + successfully bound to a VolumeSnapshotContent object yet. + NOTE: To avoid possible security issues, consumers must verify binding between + VolumeSnapshot and VolumeSnapshotContent objects is successful (by validating that + both VolumeSnapshot and VolumeSnapshotContent point at each other) before using + this object. + type: string + creationTime: + description: |- + creationTime is the timestamp when the point-in-time snapshot is taken + by the underlying storage system. + In dynamic snapshot creation case, this field will be filled in by the + snapshot controller with the "creation_time" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "creation_time" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. + If not specified, it may indicate that the creation time of the snapshot is unknown. + format: date-time + type: string + error: + description: |- + error is the last observed error during snapshot creation, if any. + This field could be helpful to upper level controllers(i.e., application controller) + to decide whether they should continue on waiting for the snapshot to be created + based on the type of error reported. + The snapshot controller will keep retrying when an error occurs during the + snapshot creation. Upon success, this error field will be cleared. + properties: + message: + description: |- + message is a string detailing the encountered error during snapshot + creation if specified. + NOTE: message may be logged, and it should not contain sensitive + information. + type: string + time: + description: time is the timestamp when the error was encountered. + format: date-time + type: string + type: object + readyToUse: + description: |- + readyToUse indicates if the snapshot is ready to be used to restore a volume. + In dynamic snapshot creation case, this field will be filled in by the + snapshot controller with the "ready_to_use" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "ready_to_use" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it, + otherwise, this field will be set to "True". + If not specified, it means the readiness of a snapshot is unknown. + type: boolean + restoreSize: + type: string + description: |- + restoreSize represents the minimum size of volume required to create a volume + from this snapshot. + In dynamic snapshot creation case, this field will be filled in by the + snapshot controller with the "size_bytes" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "size_bytes" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. + When restoring a volume from this snapshot, the size of the volume MUST NOT + be smaller than the restoreSize if it is specified, otherwise the restoration will fail. + If not specified, it indicates that the size is unknown. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + volumeGroupSnapshotName: + description: |- + VolumeGroupSnapshotName is the name of the VolumeGroupSnapshot of which this + VolumeSnapshot is a part of. + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: Indicates if the snapshot is ready to be used to restore a volume. + jsonPath: .status.readyToUse + name: ReadyToUse + type: boolean + - description: If a new snapshot needs to be created, this contains the name of the source PVC from which this snapshot was (or will be) created. + jsonPath: .spec.source.persistentVolumeClaimName + name: SourcePVC + type: string + - description: If a snapshot already exists, this contains the name of the existing VolumeSnapshotContent object representing the existing snapshot. + jsonPath: .spec.source.volumeSnapshotContentName + name: SourceSnapshotContent + type: string + - description: Represents the minimum size of volume required to rehydrate from this snapshot. + jsonPath: .status.restoreSize + name: RestoreSize + type: string + - description: The name of the VolumeSnapshotClass requested by the VolumeSnapshot. + jsonPath: .spec.volumeSnapshotClassName + name: SnapshotClass + type: string + - description: Name of the VolumeSnapshotContent object to which the VolumeSnapshot object intends to bind to. Please note that verification of binding actually requires checking both VolumeSnapshot and VolumeSnapshotContent to ensure both are pointing at each other. Binding MUST be verified prior to usage of this object. + jsonPath: .status.boundVolumeSnapshotContentName + name: SnapshotContent + type: string + - description: Timestamp when the point-in-time snapshot was taken by the underlying storage system. + jsonPath: .status.creationTime + name: CreationTime + type: date + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + # This indicates the v1beta1 version of the custom resource is deprecated. + # API requests to this version receive a warning in the server response. + deprecated: true + # This overrides the default warning returned to clients making v1beta1 API requests. + deprecationWarning: "snapshot.storage.k8s.io/v1beta1 VolumeSnapshot is deprecated; use snapshot.storage.k8s.io/v1 VolumeSnapshot" + schema: + openAPIV3Schema: + description: VolumeSnapshot is a user's request for either creating a point-in-time snapshot of a persistent volume, or binding to a pre-existing snapshot. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + spec: + description: 'spec defines the desired characteristics of a snapshot requested by a user. More info: https://kubernetes.io/docs/concepts/storage/volume-snapshots#volumesnapshots Required.' + properties: + source: + description: source specifies where a snapshot will be created from. This field is immutable after creation. Required. + properties: + persistentVolumeClaimName: + description: persistentVolumeClaimName specifies the name of the PersistentVolumeClaim object representing the volume from which a snapshot should be created. This PVC is assumed to be in the same namespace as the VolumeSnapshot object. This field should be set if the snapshot does not exists, and needs to be created. This field is immutable. + type: string + volumeSnapshotContentName: + description: volumeSnapshotContentName specifies the name of a pre-existing VolumeSnapshotContent object representing an existing volume snapshot. This field should be set if the snapshot already exists and only needs a representation in Kubernetes. This field is immutable. + type: string + type: object + volumeSnapshotClassName: + description: 'VolumeSnapshotClassName is the name of the VolumeSnapshotClass requested by the VolumeSnapshot. VolumeSnapshotClassName may be left nil to indicate that the default SnapshotClass should be used. A given cluster may have multiple default Volume SnapshotClasses: one default per CSI Driver. If a VolumeSnapshot does not specify a SnapshotClass, VolumeSnapshotSource will be checked to figure out what the associated CSI Driver is, and the default VolumeSnapshotClass associated with that CSI Driver will be used. If more than one VolumeSnapshotClass exist for a given CSI Driver and more than one have been marked as default, CreateSnapshot will fail and generate an event. Empty string is not allowed for this field.' + type: string + required: + - source + type: object + status: + description: status represents the current information of a snapshot. Consumers must verify binding between VolumeSnapshot and VolumeSnapshotContent objects is successful (by validating that both VolumeSnapshot and VolumeSnapshotContent point at each other) before using this object. + properties: + boundVolumeSnapshotContentName: + description: 'boundVolumeSnapshotContentName is the name of the VolumeSnapshotContent object to which this VolumeSnapshot object intends to bind to. If not specified, it indicates that the VolumeSnapshot object has not been successfully bound to a VolumeSnapshotContent object yet. NOTE: To avoid possible security issues, consumers must verify binding between VolumeSnapshot and VolumeSnapshotContent objects is successful (by validating that both VolumeSnapshot and VolumeSnapshotContent point at each other) before using this object.' + type: string + creationTime: + description: creationTime is the timestamp when the point-in-time snapshot is taken by the underlying storage system. In dynamic snapshot creation case, this field will be filled in by the snapshot controller with the "creation_time" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "creation_time" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. If not specified, it may indicate that the creation time of the snapshot is unknown. + format: date-time + type: string + error: + description: error is the last observed error during snapshot creation, if any. This field could be helpful to upper level controllers(i.e., application controller) to decide whether they should continue on waiting for the snapshot to be created based on the type of error reported. The snapshot controller will keep retrying when an error occurs during the snapshot creation. Upon success, this error field will be cleared. + properties: + message: + description: 'message is a string detailing the encountered error during snapshot creation if specified. NOTE: message may be logged, and it should not contain sensitive information.' + type: string + time: + description: time is the timestamp when the error was encountered. + format: date-time + type: string + type: object + readyToUse: + description: readyToUse indicates if the snapshot is ready to be used to restore a volume. In dynamic snapshot creation case, this field will be filled in by the snapshot controller with the "ready_to_use" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "ready_to_use" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it, otherwise, this field will be set to "True". If not specified, it means the readiness of a snapshot is unknown. + type: boolean + restoreSize: + type: string + description: restoreSize represents the minimum size of volume required to create a volume from this snapshot. In dynamic snapshot creation case, this field will be filled in by the snapshot controller with the "size_bytes" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "size_bytes" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. When restoring a volume from this snapshot, the size of the volume MUST NOT be smaller than the restoreSize if it is specified, otherwise the restoration will fail. If not specified, it indicates that the size is unknown. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + required: + - spec + type: object + served: false + storage: false + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: "https://github.com/kubernetes-csi/external-snapshotter/pull/814" + controller-gen.kubebuilder.io/version: v0.15.0 + name: volumesnapshotclasses.snapshot.storage.k8s.io +spec: + group: snapshot.storage.k8s.io + names: + kind: VolumeSnapshotClass + listKind: VolumeSnapshotClassList + plural: volumesnapshotclasses + shortNames: + - vsclass + - vsclasses + singular: volumesnapshotclass + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .driver + name: Driver + type: string + - description: Determines whether a VolumeSnapshotContent created through the + VolumeSnapshotClass should be deleted when its bound VolumeSnapshot is deleted. + jsonPath: .deletionPolicy + name: DeletionPolicy + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + VolumeSnapshotClass specifies parameters that a underlying storage system uses when + creating a volume snapshot. A specific VolumeSnapshotClass is used by specifying its + name in a VolumeSnapshot object. + VolumeSnapshotClasses are non-namespaced + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + deletionPolicy: + description: |- + deletionPolicy determines whether a VolumeSnapshotContent created through + the VolumeSnapshotClass should be deleted when its bound VolumeSnapshot is deleted. + Supported values are "Retain" and "Delete". + "Retain" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are kept. + "Delete" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are deleted. + Required. + enum: + - Delete + - Retain + type: string + driver: + description: |- + driver is the name of the storage driver that handles this VolumeSnapshotClass. + Required. + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + parameters: + additionalProperties: + type: string + description: |- + parameters is a key-value map with storage driver specific parameters for creating snapshots. + These values are opaque to Kubernetes. + type: object + required: + - deletionPolicy + - driver + type: object + served: true + storage: true + subresources: {} + - additionalPrinterColumns: + - jsonPath: .driver + name: Driver + type: string + - description: Determines whether a VolumeSnapshotContent created through the VolumeSnapshotClass should be deleted when its bound VolumeSnapshot is deleted. + jsonPath: .deletionPolicy + name: DeletionPolicy + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + # This indicates the v1beta1 version of the custom resource is deprecated. + # API requests to this version receive a warning in the server response. + deprecated: true + # This overrides the default warning returned to clients making v1beta1 API requests. + deprecationWarning: "snapshot.storage.k8s.io/v1beta1 VolumeSnapshotClass is deprecated; use snapshot.storage.k8s.io/v1 VolumeSnapshotClass" + schema: + openAPIV3Schema: + description: VolumeSnapshotClass specifies parameters that a underlying storage system uses when creating a volume snapshot. A specific VolumeSnapshotClass is used by specifying its name in a VolumeSnapshot object. VolumeSnapshotClasses are non-namespaced + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + deletionPolicy: + description: deletionPolicy determines whether a VolumeSnapshotContent created through the VolumeSnapshotClass should be deleted when its bound VolumeSnapshot is deleted. Supported values are "Retain" and "Delete". "Retain" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are kept. "Delete" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are deleted. Required. + enum: + - Delete + - Retain + type: string + driver: + description: driver is the name of the storage driver that handles this VolumeSnapshotClass. Required. + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + parameters: + additionalProperties: + type: string + description: parameters is a key-value map with storage driver specific parameters for creating snapshots. These values are opaque to Kubernetes. + type: object + required: + - deletionPolicy + - driver + type: object + served: false + storage: false + subresources: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + api-approved.kubernetes.io: "https://github.com/kubernetes-csi/external-snapshotter/pull/955" + name: volumesnapshotcontents.snapshot.storage.k8s.io +spec: + group: snapshot.storage.k8s.io + names: + kind: VolumeSnapshotContent + listKind: VolumeSnapshotContentList + plural: volumesnapshotcontents + shortNames: + - vsc + - vscs + singular: volumesnapshotcontent + scope: Cluster + versions: + - additionalPrinterColumns: + - description: Indicates if the snapshot is ready to be used to restore a volume. + jsonPath: .status.readyToUse + name: ReadyToUse + type: boolean + - description: Represents the complete size of the snapshot in bytes + jsonPath: .status.restoreSize + name: RestoreSize + type: integer + - description: Determines whether this VolumeSnapshotContent and its physical + snapshot on the underlying storage system should be deleted when its bound + VolumeSnapshot is deleted. + jsonPath: .spec.deletionPolicy + name: DeletionPolicy + type: string + - description: Name of the CSI driver used to create the physical snapshot on + the underlying storage system. + jsonPath: .spec.driver + name: Driver + type: string + - description: Name of the VolumeSnapshotClass to which this snapshot belongs. + jsonPath: .spec.volumeSnapshotClassName + name: VolumeSnapshotClass + type: string + - description: Name of the VolumeSnapshot object to which this VolumeSnapshotContent + object is bound. + jsonPath: .spec.volumeSnapshotRef.name + name: VolumeSnapshot + type: string + - description: Namespace of the VolumeSnapshot object to which this VolumeSnapshotContent + object is bound. + jsonPath: .spec.volumeSnapshotRef.namespace + name: VolumeSnapshotNamespace + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + VolumeSnapshotContent represents the actual "on-disk" snapshot object in the + underlying storage system + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + spec defines properties of a VolumeSnapshotContent created by the underlying storage system. + Required. + properties: + deletionPolicy: + description: |- + deletionPolicy determines whether this VolumeSnapshotContent and its physical snapshot on + the underlying storage system should be deleted when its bound VolumeSnapshot is deleted. + Supported values are "Retain" and "Delete". + "Retain" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are kept. + "Delete" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are deleted. + For dynamically provisioned snapshots, this field will automatically be filled in by the + CSI snapshotter sidecar with the "DeletionPolicy" field defined in the corresponding + VolumeSnapshotClass. + For pre-existing snapshots, users MUST specify this field when creating the + VolumeSnapshotContent object. + Required. + enum: + - Delete + - Retain + type: string + driver: + description: |- + driver is the name of the CSI driver used to create the physical snapshot on + the underlying storage system. + This MUST be the same as the name returned by the CSI GetPluginName() call for + that driver. + Required. + type: string + source: + description: |- + source specifies whether the snapshot is (or should be) dynamically provisioned + or already exists, and just requires a Kubernetes object representation. + This field is immutable after creation. + Required. + properties: + snapshotHandle: + description: |- + snapshotHandle specifies the CSI "snapshot_id" of a pre-existing snapshot on + the underlying storage system for which a Kubernetes object representation + was (or should be) created. + This field is immutable. + type: string + x-kubernetes-validations: + - message: snapshotHandle is immutable + rule: self == oldSelf + volumeHandle: + description: |- + volumeHandle specifies the CSI "volume_id" of the volume from which a snapshot + should be dynamically taken from. + This field is immutable. + type: string + x-kubernetes-validations: + - message: volumeHandle is immutable + rule: self == oldSelf + type: object + x-kubernetes-validations: + - message: volumeHandle is required once set + rule: '!has(oldSelf.volumeHandle) || has(self.volumeHandle)' + - message: snapshotHandle is required once set + rule: '!has(oldSelf.snapshotHandle) || has(self.snapshotHandle)' + - message: exactly one of volumeHandle and snapshotHandle must be + set + rule: (has(self.volumeHandle) && !has(self.snapshotHandle)) || (!has(self.volumeHandle) + && has(self.snapshotHandle)) + sourceVolumeMode: + description: |- + SourceVolumeMode is the mode of the volume whose snapshot is taken. + Can be either "Filesystem" or "Block". + If not specified, it indicates the source volume's mode is unknown. + This field is immutable. + This field is an alpha field. + type: string + x-kubernetes-validations: + - message: sourceVolumeMode is immutable + rule: self == oldSelf + volumeSnapshotClassName: + description: |- + name of the VolumeSnapshotClass from which this snapshot was (or will be) + created. + Note that after provisioning, the VolumeSnapshotClass may be deleted or + recreated with different set of values, and as such, should not be referenced + post-snapshot creation. + type: string + volumeSnapshotRef: + description: |- + volumeSnapshotRef specifies the VolumeSnapshot object to which this + VolumeSnapshotContent object is bound. + VolumeSnapshot.Spec.VolumeSnapshotContentName field must reference to + this VolumeSnapshotContent's name for the bidirectional binding to be valid. + For a pre-existing VolumeSnapshotContent object, name and namespace of the + VolumeSnapshot object MUST be provided for binding to happen. + This field is immutable after creation. + Required. + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. + type: string + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + namespace: + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + type: string + resourceVersion: + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + type: string + uid: + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + type: string + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: both spec.volumeSnapshotRef.name and spec.volumeSnapshotRef.namespace + must be set + rule: has(self.name) && has(self.__namespace__) + required: + - deletionPolicy + - driver + - source + - volumeSnapshotRef + type: object + x-kubernetes-validations: + - message: sourceVolumeMode is required once set + rule: '!has(oldSelf.sourceVolumeMode) || has(self.sourceVolumeMode)' + status: + description: status represents the current information of a snapshot. + properties: + creationTime: + description: |- + creationTime is the timestamp when the point-in-time snapshot is taken + by the underlying storage system. + In dynamic snapshot creation case, this field will be filled in by the + CSI snapshotter sidecar with the "creation_time" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "creation_time" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. + If not specified, it indicates the creation time is unknown. + The format of this field is a Unix nanoseconds time encoded as an int64. + On Unix, the command `date +%s%N` returns the current time in nanoseconds + since 1970-01-01 00:00:00 UTC. + format: int64 + type: integer + error: + description: |- + error is the last observed error during snapshot creation, if any. + Upon success after retry, this error field will be cleared. + properties: + message: + description: |- + message is a string detailing the encountered error during snapshot + creation if specified. + NOTE: message may be logged, and it should not contain sensitive + information. + type: string + time: + description: time is the timestamp when the error was encountered. + format: date-time + type: string + type: object + readyToUse: + description: |- + readyToUse indicates if a snapshot is ready to be used to restore a volume. + In dynamic snapshot creation case, this field will be filled in by the + CSI snapshotter sidecar with the "ready_to_use" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "ready_to_use" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it, + otherwise, this field will be set to "True". + If not specified, it means the readiness of a snapshot is unknown. + type: boolean + restoreSize: + description: |- + restoreSize represents the complete size of the snapshot in bytes. + In dynamic snapshot creation case, this field will be filled in by the + CSI snapshotter sidecar with the "size_bytes" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "size_bytes" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. + When restoring a volume from this snapshot, the size of the volume MUST NOT + be smaller than the restoreSize if it is specified, otherwise the restoration will fail. + If not specified, it indicates that the size is unknown. + format: int64 + minimum: 0 + type: integer + snapshotHandle: + description: |- + snapshotHandle is the CSI "snapshot_id" of a snapshot on the underlying storage system. + If not specified, it indicates that dynamic snapshot creation has either failed + or it is still in progress. + type: string + volumeGroupSnapshotHandle: + description: |- + VolumeGroupSnapshotHandle is the CSI "group_snapshot_id" of a group snapshot + on the underlying storage system. + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: Indicates if the snapshot is ready to be used to restore a volume. + jsonPath: .status.readyToUse + name: ReadyToUse + type: boolean + - description: Represents the complete size of the snapshot in bytes + jsonPath: .status.restoreSize + name: RestoreSize + type: integer + - description: Determines whether this VolumeSnapshotContent and its physical snapshot on the underlying storage system should be deleted when its bound VolumeSnapshot is deleted. + jsonPath: .spec.deletionPolicy + name: DeletionPolicy + type: string + - description: Name of the CSI driver used to create the physical snapshot on the underlying storage system. + jsonPath: .spec.driver + name: Driver + type: string + - description: Name of the VolumeSnapshotClass to which this snapshot belongs. + jsonPath: .spec.volumeSnapshotClassName + name: VolumeSnapshotClass + type: string + - description: Name of the VolumeSnapshot object to which this VolumeSnapshotContent object is bound. + jsonPath: .spec.volumeSnapshotRef.name + name: VolumeSnapshot + type: string + - description: Namespace of the VolumeSnapshot object to which this VolumeSnapshotContent object is bound. + jsonPath: .spec.volumeSnapshotRef.namespace + name: VolumeSnapshotNamespace + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + # This indicates the v1beta1 version of the custom resource is deprecated. + # API requests to this version receive a warning in the server response. + deprecated: true + # This overrides the default warning returned to clients making v1beta1 API requests. + deprecationWarning: "snapshot.storage.k8s.io/v1beta1 VolumeSnapshotContent is deprecated; use snapshot.storage.k8s.io/v1 VolumeSnapshotContent" + schema: + openAPIV3Schema: + description: VolumeSnapshotContent represents the actual "on-disk" snapshot object in the underlying storage system + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + spec: + description: spec defines properties of a VolumeSnapshotContent created by the underlying storage system. Required. + properties: + deletionPolicy: + description: deletionPolicy determines whether this VolumeSnapshotContent and its physical snapshot on the underlying storage system should be deleted when its bound VolumeSnapshot is deleted. Supported values are "Retain" and "Delete". "Retain" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are kept. "Delete" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are deleted. For dynamically provisioned snapshots, this field will automatically be filled in by the CSI snapshotter sidecar with the "DeletionPolicy" field defined in the corresponding VolumeSnapshotClass. For pre-existing snapshots, users MUST specify this field when creating the VolumeSnapshotContent object. Required. + enum: + - Delete + - Retain + type: string + driver: + description: driver is the name of the CSI driver used to create the physical snapshot on the underlying storage system. This MUST be the same as the name returned by the CSI GetPluginName() call for that driver. Required. + type: string + source: + description: source specifies whether the snapshot is (or should be) dynamically provisioned or already exists, and just requires a Kubernetes object representation. This field is immutable after creation. Required. + properties: + snapshotHandle: + description: snapshotHandle specifies the CSI "snapshot_id" of a pre-existing snapshot on the underlying storage system for which a Kubernetes object representation was (or should be) created. This field is immutable. + type: string + volumeHandle: + description: volumeHandle specifies the CSI "volume_id" of the volume from which a snapshot should be dynamically taken from. This field is immutable. + type: string + type: object + volumeSnapshotClassName: + description: name of the VolumeSnapshotClass from which this snapshot was (or will be) created. Note that after provisioning, the VolumeSnapshotClass may be deleted or recreated with different set of values, and as such, should not be referenced post-snapshot creation. + type: string + volumeSnapshotRef: + description: volumeSnapshotRef specifies the VolumeSnapshot object to which this VolumeSnapshotContent object is bound. VolumeSnapshot.Spec.VolumeSnapshotContentName field must reference to this VolumeSnapshotContent's name for the bidirectional binding to be valid. For a pre-existing VolumeSnapshotContent object, name and namespace of the VolumeSnapshot object MUST be provided for binding to happen. This field is immutable after creation. Required. + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + required: + - deletionPolicy + - driver + - source + - volumeSnapshotRef + type: object + status: + description: status represents the current information of a snapshot. + properties: + creationTime: + description: creationTime is the timestamp when the point-in-time snapshot is taken by the underlying storage system. In dynamic snapshot creation case, this field will be filled in by the CSI snapshotter sidecar with the "creation_time" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "creation_time" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. If not specified, it indicates the creation time is unknown. The format of this field is a Unix nanoseconds time encoded as an int64. On Unix, the command `date +%s%N` returns the current time in nanoseconds since 1970-01-01 00:00:00 UTC. + format: int64 + type: integer + error: + description: error is the last observed error during snapshot creation, if any. Upon success after retry, this error field will be cleared. + properties: + message: + description: 'message is a string detailing the encountered error during snapshot creation if specified. NOTE: message may be logged, and it should not contain sensitive information.' + type: string + time: + description: time is the timestamp when the error was encountered. + format: date-time + type: string + type: object + readyToUse: + description: readyToUse indicates if a snapshot is ready to be used to restore a volume. In dynamic snapshot creation case, this field will be filled in by the CSI snapshotter sidecar with the "ready_to_use" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "ready_to_use" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it, otherwise, this field will be set to "True". If not specified, it means the readiness of a snapshot is unknown. + type: boolean + restoreSize: + description: restoreSize represents the complete size of the snapshot in bytes. In dynamic snapshot creation case, this field will be filled in by the CSI snapshotter sidecar with the "size_bytes" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "size_bytes" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. When restoring a volume from this snapshot, the size of the volume MUST NOT be smaller than the restoreSize if it is specified, otherwise the restoration will fail. If not specified, it indicates that the size is unknown. + format: int64 + minimum: 0 + type: integer + snapshotHandle: + description: snapshotHandle is the CSI "snapshot_id" of a snapshot on the underlying storage system. If not specified, it indicates that dynamic snapshot creation has either failed or it is still in progress. + type: string + type: object + required: + - spec + type: object + served: false + storage: false + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/deploy/v1.35.0/csi-azurefile-controller.yaml b/deploy/v1.35.0/csi-azurefile-controller.yaml new file mode 100644 index 0000000000..e317e3facd --- /dev/null +++ b/deploy/v1.35.0/csi-azurefile-controller.yaml @@ -0,0 +1,200 @@ +--- +kind: Deployment +apiVersion: apps/v1 +metadata: + name: csi-azurefile-controller + namespace: kube-system +spec: + replicas: 2 + selector: + matchLabels: + app: csi-azurefile-controller + template: + metadata: + labels: + app: csi-azurefile-controller + spec: + hostNetwork: true # only required for MSI enabled cluster + serviceAccountName: csi-azurefile-controller-sa + nodeSelector: + kubernetes.io/os: linux # add "kubernetes.io/role: master" to run controller on master node + priorityClassName: system-cluster-critical + securityContext: + seccompProfile: + type: RuntimeDefault + tolerations: + - key: "node-role.kubernetes.io/master" + operator: "Exists" + effect: "NoSchedule" + - key: "node-role.kubernetes.io/controlplane" + operator: "Exists" + effect: "NoSchedule" + - key: "node-role.kubernetes.io/control-plane" + operator: "Exists" + effect: "NoSchedule" + - key: "CriticalAddonsOnly" + operator: "Exists" + effect: "NoSchedule" + containers: + - name: csi-provisioner + image: mcr.microsoft.com/oss/v2/kubernetes-csi/csi-provisioner:v6.1.0 + args: + - "-v=2" + - "--csi-address=$(ADDRESS)" + - "--leader-election" + - "--leader-election-namespace=kube-system" + - "--timeout=1200s" + - "--extra-create-metadata=true" + - "--kube-api-qps=50" + - "--kube-api-burst=100" + - "--feature-gates=HonorPVReclaimPolicy=true" + - "--retry-interval-max=30m" + env: + - name: ADDRESS + value: /csi/csi.sock + volumeMounts: + - mountPath: /csi + name: socket-dir + resources: + limits: + memory: 500Mi + requests: + cpu: 10m + memory: 20Mi + securityContext: + capabilities: + drop: + - ALL + - name: csi-snapshotter + image: mcr.microsoft.com/oss/v2/kubernetes-csi/csi-snapshotter:v8.4.0 + args: + - "-v=2" + - "-csi-address=$(ADDRESS)" + - "--leader-election" + - "--leader-election-namespace=kube-system" + - "--retry-interval-max=30m" + env: + - name: ADDRESS + value: /csi/csi.sock + volumeMounts: + - name: socket-dir + mountPath: /csi + resources: + limits: + memory: 200Mi + requests: + cpu: 10m + memory: 20Mi + securityContext: + capabilities: + drop: + - ALL + - name: csi-resizer + image: mcr.microsoft.com/oss/v2/kubernetes-csi/csi-resizer:v2.0.0 + args: + - "-csi-address=$(ADDRESS)" + - "-v=2" + - "--leader-election" + - "--leader-election-namespace=kube-system" + - '-handle-volume-inuse-error=false' + - '-feature-gates=RecoverVolumeExpansionFailure=true' + - '-timeout=120s' + - "--retry-interval-max=30m" + env: + - name: ADDRESS + value: /csi/csi.sock + volumeMounts: + - name: socket-dir + mountPath: /csi + resources: + limits: + memory: 500Mi + requests: + cpu: 10m + memory: 20Mi + securityContext: + capabilities: + drop: + - ALL + - name: liveness-probe + image: mcr.microsoft.com/oss/v2/kubernetes-csi/livenessprobe:v2.17.0 + args: + - --csi-address=/csi/csi.sock + - --probe-timeout=3s + - --http-endpoint=localhost:29612 + - --v=2 + volumeMounts: + - name: socket-dir + mountPath: /csi + resources: + limits: + memory: 100Mi + requests: + cpu: 10m + memory: 20Mi + securityContext: + capabilities: + drop: + - ALL + - name: azurefile + image: mcr.microsoft.com/oss/v2/kubernetes-csi/azurefile-csi:v1.35.0 + imagePullPolicy: IfNotPresent + args: + - "--v=5" + - "--endpoint=$(CSI_ENDPOINT)" + - "--metrics-address=0.0.0.0:29614" + - "--user-agent-suffix=OSS-kubectl" + ports: + - containerPort: 29614 + name: metrics + protocol: TCP + livenessProbe: + failureThreshold: 5 + httpGet: + host: localhost + path: /healthz + port: 29612 + initialDelaySeconds: 30 + timeoutSeconds: 10 + periodSeconds: 30 + env: + - name: AZURE_CREDENTIAL_FILE + valueFrom: + configMapKeyRef: + name: azure-cred-file + key: path + optional: true + - name: CSI_ENDPOINT + value: unix:///csi/csi.sock + - name: AZCOPY_CONCURRENCY_VALUE + value: "10" + - name: AZCOPY_CONCURRENT_FILES + value: "20" + - name: AZCOPY_BUFFER_GB + value: "1" + volumeMounts: + - mountPath: /csi + name: socket-dir + - mountPath: /root/.azcopy + name: azcopy-dir + - mountPath: /etc/kubernetes/ + name: azure-cred + resources: + limits: + memory: 800Mi + requests: + cpu: 10m + memory: 20Mi + securityContext: + capabilities: + drop: + - ALL + volumes: + - name: socket-dir + emptyDir: {} + - name: azcopy-dir + emptyDir: {} + - name: azure-cred + hostPath: + path: /etc/kubernetes/ + type: DirectoryOrCreate diff --git a/deploy/v1.35.0/csi-azurefile-driver.yaml b/deploy/v1.35.0/csi-azurefile-driver.yaml new file mode 100644 index 0000000000..2a309e30bf --- /dev/null +++ b/deploy/v1.35.0/csi-azurefile-driver.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: storage.k8s.io/v1 +kind: CSIDriver +metadata: + name: file.csi.azure.com + annotations: + csiDriver: v1.35.0 + snapshot: v6.2.2 +spec: + attachRequired: false + podInfoOnMount: true + volumeLifecycleModes: + - Persistent + - Ephemeral + fsGroupPolicy: ReadWriteOnceWithFSType + requiresRepublish: true + tokenRequests: + - audience: api://AzureADTokenExchange + expirationSeconds: 3600 diff --git a/deploy/v1.35.0/csi-azurefile-node-windows-hostprocess.yaml b/deploy/v1.35.0/csi-azurefile-node-windows-hostprocess.yaml new file mode 100644 index 0000000000..22bc7ab4e7 --- /dev/null +++ b/deploy/v1.35.0/csi-azurefile-node-windows-hostprocess.yaml @@ -0,0 +1,122 @@ +--- +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: csi-azurefile-node-win + namespace: kube-system +spec: + updateStrategy: + rollingUpdate: + maxUnavailable: 1 + type: RollingUpdate + selector: + matchLabels: + app: csi-azurefile-node-win + template: + metadata: + labels: + app: csi-azurefile-node-win + spec: + serviceAccountName: csi-azurefile-node-sa + tolerations: + - key: "node.kubernetes.io/os" + operator: "Exists" + effect: "NoSchedule" + nodeSelector: + kubernetes.io/os: windows + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: type + operator: NotIn + values: + - virtual-kubelet + priorityClassName: system-node-critical + securityContext: + seccompProfile: + type: RuntimeDefault + windowsOptions: + hostProcess: true + runAsUserName: "NT AUTHORITY\\SYSTEM" + hostNetwork: true + initContainers: + - name: init + image: mcr.microsoft.com/oss/v2/kubernetes-csi/azurefile-csi:v1.35.0-windows-hp + imagePullPolicy: IfNotPresent + command: + - "powershell.exe" + - "-c" + - "New-Item -ItemType Directory -Path C:\\var\\lib\\kubelet\\plugins\\file.csi.azure.com\\ -Force" + securityContext: + capabilities: + drop: + - ALL + containers: + - name: node-driver-registrar + image: mcr.microsoft.com/oss/v2/kubernetes-csi/csi-node-driver-registrar:v2.15.0 + imagePullPolicy: IfNotPresent + command: + - "csi-node-driver-registrar.exe" + args: + - "--v=2" + - "--csi-address=$(CSI_ENDPOINT)" + - "--kubelet-registration-path=$(DRIVER_REG_SOCK_PATH)" + - "--plugin-registration-path=$(PLUGIN_REG_DIR)" + env: + - name: CSI_ENDPOINT + value: unix://C:\\var\\lib\\kubelet\\plugins\\file.csi.azure.com\\csi.sock + - name: DRIVER_REG_SOCK_PATH + value: C:\\var\\lib\\kubelet\\plugins\\file.csi.azure.com\\csi.sock + - name: PLUGIN_REG_DIR + value: C:\\var\\lib\\kubelet\\plugins_registry\\ + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + resources: + limits: + memory: 150Mi + requests: + cpu: 30m + memory: 40Mi + securityContext: + capabilities: + drop: + - ALL + - name: azurefile + image: mcr.microsoft.com/oss/v2/kubernetes-csi/azurefile-csi:v1.35.0-windows-hp + imagePullPolicy: IfNotPresent + command: + - "azurefileplugin.exe" + args: + - --v=5 + - --endpoint=$(CSI_ENDPOINT) + - --nodeid=$(KUBE_NODE_NAME) + - --enable-windows-host-process=true + - --metrics-address="0.0.0.0:29615" + env: + - name: AZURE_CREDENTIAL_FILE + valueFrom: + configMapKeyRef: + name: azure-cred-file + key: path-windows + optional: true + - name: CSI_ENDPOINT + value: unix://C:\\var\\lib\\kubelet\\plugins\\file.csi.azure.com\\csi.sock + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + resources: + limits: + memory: 600Mi + requests: + cpu: 10m + memory: 40Mi + securityContext: + capabilities: + drop: + - ALL diff --git a/deploy/v1.35.0/csi-azurefile-node-windows.yaml b/deploy/v1.35.0/csi-azurefile-node-windows.yaml new file mode 100644 index 0000000000..778030ca54 --- /dev/null +++ b/deploy/v1.35.0/csi-azurefile-node-windows.yaml @@ -0,0 +1,187 @@ +--- +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: csi-azurefile-node-win + namespace: kube-system +spec: + updateStrategy: + rollingUpdate: + maxUnavailable: 1 + type: RollingUpdate + selector: + matchLabels: + app: csi-azurefile-node-win + template: + metadata: + labels: + app: csi-azurefile-node-win + spec: + serviceAccountName: csi-azurefile-node-sa + tolerations: + - key: "node.kubernetes.io/os" + operator: "Exists" + effect: "NoSchedule" + nodeSelector: + kubernetes.io/os: windows + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: type + operator: NotIn + values: + - virtual-kubelet + priorityClassName: system-node-critical + securityContext: + seccompProfile: + type: RuntimeDefault + containers: + - name: liveness-probe + volumeMounts: + - mountPath: C:\csi + name: plugin-dir + image: mcr.microsoft.com/oss/kubernetes-csi/livenessprobe:v2.15.0 + args: + - --csi-address=$(CSI_ENDPOINT) + - --probe-timeout=3s + - --health-port=29613 + - --v=2 + env: + - name: CSI_ENDPOINT + value: unix://C:\\csi\\csi.sock + resources: + limits: + memory: 150Mi + requests: + cpu: 10m + memory: 40Mi + securityContext: + capabilities: + drop: + - ALL + - name: node-driver-registrar + image: mcr.microsoft.com/oss/v2/kubernetes-csi/csi-node-driver-registrar:v2.13.0 + args: + - --v=2 + - --csi-address=$(CSI_ENDPOINT) + - --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH) + env: + - name: CSI_ENDPOINT + value: unix://C:\\csi\\csi.sock + - name: DRIVER_REG_SOCK_PATH + value: C:\\var\\lib\\kubelet\\plugins\\file.csi.azure.com\\csi.sock + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + volumeMounts: + - name: kubelet-dir + mountPath: "C:\\var\\lib\\kubelet" + - name: plugin-dir + mountPath: C:\csi + - name: registration-dir + mountPath: C:\registration + resources: + limits: + memory: 150Mi + requests: + cpu: 30m + memory: 40Mi + securityContext: + capabilities: + drop: + - ALL + - name: azurefile + image: mcr.microsoft.com/oss/v2/kubernetes-csi/azurefile-csi:v1.35.0 + imagePullPolicy: IfNotPresent + args: + - --v=5 + - --endpoint=$(CSI_ENDPOINT) + - --nodeid=$(KUBE_NODE_NAME) + - --metrics-address="0.0.0.0:29615" + ports: + - containerPort: 29613 + name: healthz + protocol: TCP + livenessProbe: + failureThreshold: 5 + httpGet: + path: /healthz + port: healthz + initialDelaySeconds: 60 + timeoutSeconds: 60 + periodSeconds: 60 + env: + - name: AZURE_CREDENTIAL_FILE + valueFrom: + configMapKeyRef: + name: azure-cred-file + key: path-windows + optional: true + - name: CSI_ENDPOINT + value: unix://C:\\csi\\csi.sock + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + volumeMounts: + - name: kubelet-dir + mountPath: "C:\\var\\lib\\kubelet" + - name: plugin-dir + mountPath: C:\csi + - name: azure-config + mountPath: C:\k + - name: csi-proxy-fs-pipe-v1 + mountPath: \\.\pipe\csi-proxy-filesystem-v1 + - name: csi-proxy-smb-pipe-v1 + mountPath: \\.\pipe\csi-proxy-smb-v1 + # these paths are still included for compatibility, they're used + # only if the node has still the beta version of the CSI proxy + - name: csi-proxy-fs-pipe-v1beta1 + mountPath: \\.\pipe\csi-proxy-filesystem-v1beta1 + - name: csi-proxy-smb-pipe-v1beta1 + mountPath: \\.\pipe\csi-proxy-smb-v1beta1 + resources: + limits: + memory: 200Mi + requests: + cpu: 10m + memory: 40Mi + securityContext: + capabilities: + drop: + - ALL + volumes: + - name: csi-proxy-fs-pipe-v1 + hostPath: + path: \\.\pipe\csi-proxy-filesystem-v1 + - name: csi-proxy-smb-pipe-v1 + hostPath: + path: \\.\pipe\csi-proxy-smb-v1 + # these paths are still included for compatibility, they're used + # only if the node has still the beta version of the CSI proxy + - name: csi-proxy-fs-pipe-v1beta1 + hostPath: + path: \\.\pipe\csi-proxy-filesystem-v1beta1 + - name: csi-proxy-smb-pipe-v1beta1 + hostPath: + path: \\.\pipe\csi-proxy-smb-v1beta1 + - name: registration-dir + hostPath: + path: C:\var\lib\kubelet\plugins_registry\ + type: Directory + - name: kubelet-dir + hostPath: + path: C:\var\lib\kubelet\ + type: Directory + - name: plugin-dir + hostPath: + path: C:\var\lib\kubelet\plugins\file.csi.azure.com\ + type: DirectoryOrCreate + - name: azure-config + hostPath: + path: C:\k + type: DirectoryOrCreate diff --git a/deploy/v1.35.0/csi-azurefile-node.yaml b/deploy/v1.35.0/csi-azurefile-node.yaml new file mode 100644 index 0000000000..11c9045b3e --- /dev/null +++ b/deploy/v1.35.0/csi-azurefile-node.yaml @@ -0,0 +1,244 @@ +--- +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: csi-azurefile-node + namespace: kube-system +spec: + updateStrategy: + rollingUpdate: + maxUnavailable: 1 + type: RollingUpdate + selector: + matchLabels: + app: csi-azurefile-node + template: + metadata: + labels: + app: csi-azurefile-node + spec: + hostNetwork: true + hostPID: true + dnsPolicy: Default + serviceAccountName: csi-azurefile-node-sa + nodeSelector: + kubernetes.io/os: linux + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: type + operator: NotIn + values: + - virtual-kubelet + priorityClassName: system-node-critical + securityContext: + seccompProfile: + type: RuntimeDefault + tolerations: + - operator: "Exists" + initContainers: + - name: install-azurefile-proxy + image: mcr.microsoft.com/oss/v2/kubernetes-csi/azurefile-csi:v1.35.0 + imagePullPolicy: IfNotPresent + command: + - "/azurefile-proxy/init.sh" + securityContext: + privileged: true + capabilities: + drop: + - ALL + env: + - name: DEBIAN_FRONTEND + value: "noninteractive" + - name: AZNFS_NONINTERACTIVE_INSTALL + value: "1" + - name: INSTALL_AZUREFILE_PROXY + value: "true" + - name: INSTALL_AZNFS_MOUNT + value: "true" + - name: ENABLE_MI_AUTH + value: "true" + volumeMounts: + - name: host-usr + mountPath: /host/usr + - name: host-etc + mountPath: /host/etc + - name: mountpoint-dir + mountPath: /var/lib/kubelet/ + mountPropagation: Bidirectional + containers: + - name: liveness-probe + volumeMounts: + - mountPath: /csi + name: socket-dir + image: mcr.microsoft.com/oss/v2/kubernetes-csi/livenessprobe:v2.17.0 + args: + - --csi-address=/csi/csi.sock + - --probe-timeout=3s + - --http-endpoint=localhost:29613 + - --v=2 + resources: + limits: + memory: 100Mi + requests: + cpu: 10m + memory: 20Mi + securityContext: + capabilities: + drop: + - ALL + - name: node-driver-registrar + image: mcr.microsoft.com/oss/v2/kubernetes-csi/csi-node-driver-registrar:v2.15.0 + args: + - --csi-address=$(ADDRESS) + - --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH) + - --v=2 + env: + - name: ADDRESS + value: /csi/csi.sock + - name: DRIVER_REG_SOCK_PATH + value: /var/lib/kubelet/plugins/file.csi.azure.com/csi.sock + volumeMounts: + - name: socket-dir + mountPath: /csi + - name: registration-dir + mountPath: /registration + resources: + limits: + memory: 100Mi + requests: + cpu: 10m + memory: 20Mi + securityContext: + capabilities: + drop: + - ALL + - name: azurefile + image: mcr.microsoft.com/oss/v2/kubernetes-csi/azurefile-csi:v1.35.0 + imagePullPolicy: IfNotPresent + args: + - "--v=5" + - "--endpoint=$(CSI_ENDPOINT)" + - "--enable-azurefile-proxy=true" + - "--azurefile-proxy-endpoint=$(AZUREFILE_PROXY_ENDPOINT)" + - "--nodeid=$(KUBE_NODE_NAME)" + - "--metrics-address=0.0.0.0:29615" + - "--enable-kata-cc-mount=true" + livenessProbe: + failureThreshold: 5 + httpGet: + host: localhost + path: /healthz + port: 29613 + initialDelaySeconds: 30 + timeoutSeconds: 10 + periodSeconds: 30 + env: + - name: AZURE_CREDENTIAL_FILE + valueFrom: + configMapKeyRef: + name: azure-cred-file + key: path + optional: true + - name: CSI_ENDPOINT + value: unix:///csi/csi.sock + - name: AZUREFILE_PROXY_ENDPOINT + value: unix:///csi/azurefile-proxy.sock + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + securityContext: + privileged: true + capabilities: + drop: + - ALL + volumeMounts: + - mountPath: /csi + name: socket-dir + - mountPath: /var/lib/kubelet/ + mountPropagation: Bidirectional + name: mountpoint-dir + - mountPath: /etc/kubernetes/ + name: azure-cred + - mountPath: /dev + name: device-dir + - mountPath: /run/kata-containers/shared/direct-volumes + name: kata-direct-volumes + - name: azfilesauth + mountPath: /etc/azfilesauth + - name: log-dir + mountPath: /var/log/ + resources: + limits: + memory: 400Mi + requests: + cpu: 10m + memory: 20Mi + - name: azfilesrefresh + image: mcr.microsoft.com/oss/v2/kubernetes-csi/azurefile-csi:v1.35.0 + imagePullPolicy: IfNotPresent + command: + - "azfilesrefresh" + securityContext: + privileged: true + capabilities: + drop: + - ALL + volumeMounts: + - mountPath: /var/lib/kubelet/ + mountPropagation: Bidirectional + name: mountpoint-dir + - name: azfilesauth + mountPath: /etc/azfilesauth + - name: log-dir + mountPath: /var/log/ + resources: + limits: + memory: 100Mi + requests: + cpu: 10m + memory: 20Mi + volumes: + - name: host-usr + hostPath: + path: /usr + - name: host-etc + hostPath: + path: /etc + - name: azfilesauth + hostPath: + path: /etc/azfilesauth + type: DirectoryOrCreate + - hostPath: + path: /var/lib/kubelet/plugins/file.csi.azure.com + type: DirectoryOrCreate + name: socket-dir + - hostPath: + path: /var/lib/kubelet/ + type: DirectoryOrCreate + name: mountpoint-dir + - hostPath: + path: /var/lib/kubelet/plugins_registry/ + type: DirectoryOrCreate + name: registration-dir + - hostPath: + path: /etc/kubernetes/ + type: DirectoryOrCreate + name: azure-cred + - hostPath: + path: /dev + type: Directory + name: device-dir + - name: kata-direct-volumes + hostPath: + path: /run/kata-containers/shared/direct-volumes/ + type: DirectoryOrCreate + - hostPath: + path: /var/log/ + type: DirectoryOrCreate + name: log-dir +--- diff --git a/deploy/v1.35.0/csi-snapshot-controller.yaml b/deploy/v1.35.0/csi-snapshot-controller.yaml new file mode 100644 index 0000000000..4e34d50b38 --- /dev/null +++ b/deploy/v1.35.0/csi-snapshot-controller.yaml @@ -0,0 +1,63 @@ +--- +kind: Deployment +apiVersion: apps/v1 +metadata: + name: csi-snapshot-controller + namespace: kube-system +spec: + replicas: 2 + selector: + matchLabels: + app: csi-snapshot-controller + # the snapshot controller won't be marked as ready if the v1 CRDs are unavailable + # in #504 the snapshot-controller will exit after around 7.5 seconds if it + # can't find the v1 CRDs so this value should be greater than that + minReadySeconds: 15 + strategy: + rollingUpdate: + maxSurge: 0 + maxUnavailable: 1 + type: RollingUpdate + template: + metadata: + labels: + app: csi-snapshot-controller + spec: + serviceAccountName: csi-snapshot-controller-sa + nodeSelector: + kubernetes.io/os: linux + priorityClassName: system-cluster-critical + securityContext: + seccompProfile: + type: RuntimeDefault + tolerations: + - key: "node-role.kubernetes.io/master" + operator: "Equal" + value: "true" + effect: "NoSchedule" + - key: "node-role.kubernetes.io/controlplane" + operator: "Equal" + value: "true" + effect: "NoSchedule" + - key: "node-role.kubernetes.io/control-plane" + operator: "Equal" + value: "true" + effect: "NoSchedule" + containers: + - name: csi-snapshot-controller + image: mcr.microsoft.com/oss/v2/kubernetes-csi/snapshot-controller:v8.4.0 + args: + - "--v=2" + - "--leader-election=true" + - "--leader-election-namespace=kube-system" + - "--retry-interval-max=30m" + resources: + limits: + memory: 500Mi + requests: + cpu: 10m + memory: 20Mi + securityContext: + capabilities: + drop: + - ALL diff --git a/deploy/v1.35.0/rbac-csi-azurefile-controller.yaml b/deploy/v1.35.0/rbac-csi-azurefile-controller.yaml new file mode 100644 index 0000000000..b3baefcf04 --- /dev/null +++ b/deploy/v1.35.0/rbac-csi-azurefile-controller.yaml @@ -0,0 +1,195 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: csi-azurefile-controller-sa + namespace: kube-system + +--- + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: azurefile-external-provisioner-role +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "create", "patch", "delete"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["storage.k8s.io"] + resources: ["storageclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["get", "list", "watch", "create", "update", "patch"] + - apiGroups: ["storage.k8s.io"] + resources: ["csinodes"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "watch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots"] + verbs: ["get", "list"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["get", "list"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create", "patch"] +--- + +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: azurefile-csi-provisioner-binding +subjects: + - kind: ServiceAccount + name: csi-azurefile-controller-sa + namespace: kube-system +roleRef: + kind: ClusterRole + name: azurefile-external-provisioner-role + apiGroup: rbac.authorization.k8s.io + +--- + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: azurefile-external-attacher-role +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "watch"] + - apiGroups: ["csi.storage.k8s.io"] + resources: ["csinodeinfos"] + verbs: ["get", "list", "watch"] + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments/status"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create", "patch"] +--- + +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: azurefile-csi-attacher-binding +subjects: + - kind: ServiceAccount + name: csi-azurefile-controller-sa + namespace: kube-system +roleRef: + kind: ClusterRole + name: azurefile-external-attacher-role + apiGroup: rbac.authorization.k8s.io + +--- + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: azurefile-external-snapshotter-role +rules: + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["create", "get", "list", "watch", "update", "delete", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents/status"] + verbs: ["update", "patch"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create", "patch"] + +--- + +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: azurefile-csi-snapshotter-binding +subjects: + - kind: ServiceAccount + name: csi-azurefile-controller-sa + namespace: kube-system +roleRef: + kind: ClusterRole + name: azurefile-external-snapshotter-role + apiGroup: rbac.authorization.k8s.io + +--- + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: azurefile-external-resizer-role +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["persistentvolumeclaims/status"] + verbs: ["update", "patch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: azurefile-csi-resizer-role +subjects: + - kind: ServiceAccount + name: csi-azurefile-controller-sa + namespace: kube-system +roleRef: + kind: ClusterRole + name: azurefile-external-resizer-role + apiGroup: rbac.authorization.k8s.io + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-azurefile-controller-secret-role +rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "create"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-azurefile-controller-secret-binding +subjects: + - kind: ServiceAccount + name: csi-azurefile-controller-sa + namespace: kube-system +roleRef: + kind: ClusterRole + name: csi-azurefile-controller-secret-role + apiGroup: rbac.authorization.k8s.io +--- diff --git a/deploy/v1.35.0/rbac-csi-azurefile-node.yaml b/deploy/v1.35.0/rbac-csi-azurefile-node.yaml new file mode 100644 index 0000000000..d7b10b2d7e --- /dev/null +++ b/deploy/v1.35.0/rbac-csi-azurefile-node.yaml @@ -0,0 +1,59 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: csi-azurefile-node-sa + namespace: kube-system + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-azurefile-node-secret-role +rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-azurefile-node-secret-binding +subjects: + - kind: ServiceAccount + name: csi-azurefile-node-sa + namespace: kube-system +roleRef: + kind: ClusterRole + name: csi-azurefile-node-secret-role + apiGroup: rbac.authorization.k8s.io +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-azurefile-node-katacc-role +rules: + - apiGroups: [""] + resources: ["pods"] + verbs: ["get"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get"] + - apiGroups: ["node.k8s.io"] + resources: ["runtimeclasses"] + verbs: ["get", "list"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-azurefile-node-katacc-binding +subjects: + - kind: ServiceAccount + name: csi-azurefile-node-sa + namespace: kube-system +roleRef: + kind: ClusterRole + name: csi-azurefile-node-katacc-role + apiGroup: rbac.authorization.k8s.io +--- diff --git a/deploy/v1.35.0/rbac-csi-snapshot-controller.yaml b/deploy/v1.35.0/rbac-csi-snapshot-controller.yaml new file mode 100644 index 0000000000..8ef9352476 --- /dev/null +++ b/deploy/v1.35.0/rbac-csi-snapshot-controller.yaml @@ -0,0 +1,78 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: csi-snapshot-controller-sa + namespace: kube-system + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-snapshot-controller-role +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["storage.k8s.io"] + resources: ["storageclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["create", "get", "list", "watch", "update", "delete", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents/status"] + verbs: ["patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots"] + verbs: ["get", "list", "watch", "update", "patch", "create"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots/status"] + verbs: ["update", "patch"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-snapshot-controller-binding +subjects: + - kind: ServiceAccount + name: csi-snapshot-controller-sa + namespace: kube-system +roleRef: + kind: ClusterRole + name: csi-snapshot-controller-role + apiGroup: rbac.authorization.k8s.io + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-snapshot-controller-leaderelection-role +rules: + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create", "patch"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-snapshot-controller-leaderelection-binding +subjects: + - kind: ServiceAccount + name: csi-snapshot-controller-sa + namespace: kube-system +roleRef: + kind: ClusterRole + name: csi-snapshot-controller-leaderelection-role + apiGroup: rbac.authorization.k8s.io diff --git a/docs/csi-debug.md b/docs/csi-debug.md index 10a6b94fb6..7dd90a8028 100644 --- a/docs/csi-debug.md +++ b/docs/csi-debug.md @@ -144,10 +144,16 @@ Get SMBClient events from Event Viewer under following path: #### NFS - + - nfs mount without EncrptionInTransit ```console mkdir /tmp/test mount -v -t nfs -o vers=4,minorversion=1,sec=sys accountname.file.core.windows.net:/accountname/filesharename /tmp/test +``` + + - nfs mount with EncrptionInTransit +```console +mkdir /tmp/test +mount -v -t aznfs -o vers=4,minorversion=1,sec=sys accountname.file.core.windows.net:/accountname/filesharename /tmp/test ``` - [Troubleshoot Azure File mount issues on AKS](http://aka.ms/filemounterror) diff --git a/docs/driver-parameters.md b/docs/driver-parameters.md index b5eeaabcc2..66e67f9107 100644 --- a/docs/driver-parameters.md +++ b/docs/driver-parameters.md @@ -4,11 +4,10 @@
required permissions for CSI driver controller 
- # To grant permissions for following actions, you need to assign both "Storage Account Contributor" role to the CSI driver controller.
+ # To grant permissions for following actions, you need to assign "Storage Account Contributor" role to the CSI driver controller.
 Microsoft.Storage/storageAccounts/read
 Microsoft.Storage/storageAccounts/write
 Microsoft.Storage/storageAccounts/listKeys/action
-Microsoft.Storage/operations/read
 # this is only necessary if the driver creates the storage account with a private endpoint:
 Microsoft.Network/virtualNetworks/join/action
 Microsoft.Network/virtualNetworks/subnets/join/action
@@ -65,12 +64,13 @@ accountQuota | to limit the quota for an account, you can specify a maximum quot
 provisionedIOPS | provisioned IOPS for [file share v2](https://learn.microsoft.com/en-us/azure/storage/files/understanding-billing#provisioned-v2-provisioning-detail) (supported from v1.33.4) | | No | 
 provisionedBandwidth | provisioned throughput (MB/s) for [file share v2](https://learn.microsoft.com/en-us/azure/storage/files/understanding-billing#provisioned-v2-provisioning-detail)  (supported from v1.33.4)  | | No | 
 --- | **Following parameters are only for SMB protocol** | --- | --- |
-storeAccountKey | Should the storage account key be stored in a Kubernetes secret 
 (Note:  if set to `false`, the driver will use the kubelet identity to obtain the account key) | `true`,`false` | No | `true`
+storeAccountKey | Should the storage account key be stored in a Kubernetes secret 
 (Note:  if set to `false`, the driver will use the kubelet identity to retrieve the account key during volume mount) | `true`,`false` | No | `true`
 getLatestAccountKey | whether getting the latest account key based on the creation time, this driver would get the first key by default | `true`,`false` | No | `false`
 secretName | specify secret name to store account key | | No |
 secretNamespace | specify the namespace of secret to store account key | `default`,`kube-system`, etc | No | pvc namespace (`csi.storage.k8s.io/pvc/namespace`)
 useDataPlaneAPI | specify whether use [data plane API](https://github.com/Azure/azure-sdk-for-go/blob/master/storage/share.go) for file share create/delete/resize, this could solve the SRP API throttling issue since data plane API has almost no limit, while it would fail when there is firewall or vnet setting on storage account | `true`,`false` | No | `false`
 enableMultichannel | specify whether enable [SMB multi-channel](https://learn.microsoft.com/en-us/azure/storage/files/files-smb-protocol?tabs=azure-portal#smb-multichannel) for **Premium** storage account 
 Note: this feature is used with `max_channels=4` (or 2,3) mount option | `true`,`false` | No | `false`
+clientID | Specify the Azure client ID that will be used to create the Azure file share | Azure client ID | No | If left empty, the kubelet managed identity will be used when mounting without an account key
 --- | **Following parameters are only for NFS protocol** | --- | --- |
 allowSharedKeyAccess | Allow or disallow shared key access for storage account created by driver | `true`,`false` | No | `true`
 rootSquashType | specify root squashing behavior on the share. The default is `NoRootSquash` | `AllSquash`, `NoRootSquash`, `RootSquash` | No |
@@ -91,9 +91,9 @@ k8s-azure-created-by: azure
 
  - VolumeID(`volumeHandle`) is the identifier of the volume handled by the driver, format of VolumeID: 
 ```
-{resource-group-name}#{account-name}#{file-share-name}#{placeholder}#{uuid}#{secret-namespace}
+{resource-group-name}#{account-name}#{file-share-name}#{placeholder}#{uuid}#{secret-namespace}#{subscription-id}
 ```
- > `placeholder`, `uuid`, `secret-namespace` are optional
+ > `placeholder`, `uuid`, `secret-namespace`, `subscription-id` are optional
 
  - file share name format created by dynamic provisioning(example)
 ```
@@ -120,6 +120,7 @@ volumeAttributes.storageEndpointSuffix | specify Azure storage endpoint suffix |
 volumeAttributes.secretName | secret name that stores storage account name and key | | No |
 volumeAttributes.secretNamespace | secret namespace | `default`,`kube-system`, etc | No | pvc namespace (`csi.storage.k8s.io/pvc/namespace`)
 volumeAttributes.getLatestAccountKey | whether getting the latest account key based on the creation time, this driver would get the first key by default | `true`,`false` | No | `false`
+volumeAttributes.clientID | Specify the Azure client ID that will be used to create the Azure file share | Azure client ID | No | If left empty, the kubelet managed identity will be used when mounting without an account key
 nodeStageSecretRef.name | secret name that stores storage account name and key | existing secret name |  Yes  |
 nodeStageSecretRef.namespace | secret namespace | k8s namespace  |  Yes  |
 --- | **Following parameters are only for NFS protocol** | --- | --- |
@@ -140,9 +141,9 @@ useDataPlaneAPI | specify whether use [data plane API](https://github.com/Azure/
 
 ### Tips
   - mounting Azure SMB File share requires account key
-    - If you set `storeAccountKey: "false"` in the storage class, the driver will not store the account key as a Kubernetes secret,  the driver will not store the account key as a Kubernetes secret. Instead, it will use the kubelet identity to obtain the account key.
+    - If you set `storeAccountKey: "false"` in the storage class, the driver will not store the account key as a Kubernetes secret,  the driver will not store the account key as a Kubernetes secret. Instead, the driver will use the kubelet identity to retrieve the account key during volume mount (make sure kubelet identity has reader access to the storage account).
     - if the `nodeStageSecretRef` field is not specified in the persistent volume (PV) configuration, the driver will attempt to retrieve the `azure-storage-account-{accountname}-secret` in the pod namespace.
-    - If `azure-storage-account-{accountname}-secret` in the pod namespace does not exist, the driver will use the kubelet identity to retrieve the account key directly from the Azure storage account API, provided that the kubelet identity has reader access to the storage account.
+    - If `azure-storage-account-{accountname}-secret` in the pod namespace does not exist, the driver will use the kubelet identity to obtain the account key during volume mount (make sure kubelet identity has reader access to the storage account).
     > If you have recently rotated the account key, it is important to update the account key stored in the Kubernetes secret. Additionally, the application pods that reference the Azure file volume should be restarted after the secret has been updated. In cases where two pods share the same PVC on the same node, it is necessary to reschedule the pods to a different node without that PVC mounted to ensure that remounting occurs successfully. To safely rotate the account key without experiencing downtime, you can follow the steps outlined [here](https://github.com/kubernetes-sigs/azurefile-csi-driver/issues/1218#issuecomment-1851996062).
   - mounting Azure NFS File share does not require account key, NFS mount access is configured by either of the following settings:
     - `Firewalls and virtual networks`: select `Enabled from selected virtual networks and IP addresses` with same vnet as agent node
@@ -150,6 +151,8 @@ useDataPlaneAPI | specify whether use [data plane API](https://github.com/Azure/
   - In case a storage account is full, the driver will add a `skip-matching` tag to the account to prevent the creation of new file shares. This tag will remain for 30 minutes after a file share is deleted from the account. If the user wants to use the account immediately, they can manually remove the tag.
   - The default NFS mount options in this driver are `vers=4,minorversion=1,sec=sys`. It is not supported to specify these NFS mount options, including `nfsvers`.
   - when there is a large number of files inside an NFS volume, the process of setting volume ownership can slow down the NFS volume mount when `securityContext.fsGroup` is different from group ownership of volume. By configuring `fsGroupChangePolicy: None` in the `parameters` of storage class or persistent volume, you can bypass the volume ownership setting step, resulting in faster NFS volume mounts.
+       > when the issue is related to setting the volume ownership, the CSI driver logs will display the message: volume_linux.go:128] "Expected group ownership of volume did not match with Gid".
+  - If there are CVEs in the `livenessprobe` and `csi-node-driver-registrar` sidecar images, you can run `kubectl edit ds -n kube-system csi-azurefile-node` to change the `imagePullPolicy` to `Always` for both sidecar containers. This will cause the CSI driver to restart and pull the latest patched images, thereby resolving the CVEs in these sidecar components.
 
 #### `shareName` parameter supports following pv/pvc metadata conversion
 > if `shareName` value contains following strings, it would be converted into corresponding pv/pvc name or namespace
diff --git a/docs/install-azurefile-csi-driver.md b/docs/install-azurefile-csi-driver.md
index 0334128564..68be514b7b 100644
--- a/docs/install-azurefile-csi-driver.md
+++ b/docs/install-azurefile-csi-driver.md
@@ -4,6 +4,6 @@
 >  - please use helm install method for more customization, e.g. Azure Stack, RedHat OpenShift support.
 
  - [install CSI driver master version](./install-csi-driver-master.md)(only for testing purpose)
- - [install v1.34.0 CSI driver](./install-csi-driver-v1.34.0.md)
- - [install v1.33.4 CSI driver](./install-csi-driver-v1.33.4.md)
- - [install v1.32.6 CSI driver](./install-csi-driver-v1.32.6.md)
+ - [install v1.35.0 CSI driver](./install-csi-driver-v1.35.0.md)
+ - [install v1.34.3 CSI driver](./install-csi-driver-v1.34.3.md)
+ - [install v1.33.7 CSI driver](./install-csi-driver-v1.33.7.md)
diff --git a/docs/install-csi-driver-v1.31.8.md b/docs/install-csi-driver-v1.31.8.md
new file mode 100644
index 0000000000..eeeb9c27a0
--- /dev/null
+++ b/docs/install-csi-driver-v1.31.8.md
@@ -0,0 +1,45 @@
+## Install azurefile CSI driver v1.31.8 version on a Kubernetes cluster
+If you have already installed Helm, you can also use it to install this driver. Please check [Installation with Helm](../charts/README.md).
+
+### Install by kubectl
+ - Option#1. remote install
+```console
+curl -skSL https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/v1.31.8/deploy/install-driver.sh | bash -s v1.31.8 --
+```
+
+ - Option#2. local install
+```console
+git clone https://github.com/kubernetes-sigs/azurefile-csi-driver.git
+cd azurefile-csi-driver
+git checkout v1.31.8
+./deploy/install-driver.sh v1.31.8 local
+```
+
+ - check pods status:
+```console
+kubectl -n kube-system get pod -o wide --watch -l app=csi-azurefile-controller
+kubectl -n kube-system get pod -o wide --watch -l app=csi-azurefile-node
+```
+
+example output:
+
+```
+NAME                                            READY   STATUS    RESTARTS   AGE     IP             NODE
+csi-azurefile-controller-56bfddd689-dh5tk       6/6     Running   0          35s     10.240.0.19    k8s-agentpool-22533604-0
+csi-azurefile-node-cvgbs                        3/3     Running   0          7m4s    10.240.0.35    k8s-agentpool-22533604-1
+csi-azurefile-node-dr4s4                        3/3     Running   0          7m4s    10.240.0.4     k8s-agentpool-22533604-0
+```
+
+### clean up CSI driver
+ - Option#1. remote uninstall
+```console
+curl -skSL https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/v1.31.8/deploy/uninstall-driver.sh | bash -s --
+```
+
+ - Option#2. local uninstall
+```console
+git clone https://github.com/kubernetes-sigs/azurefile-csi-driver.git
+cd azurefile-csi-driver
+git checkout v1.31.8
+./deploy/install-driver.sh v1.31.8 local
+```
diff --git a/docs/install-csi-driver-v1.32.7.md b/docs/install-csi-driver-v1.32.7.md
new file mode 100644
index 0000000000..6b4c5cbc9d
--- /dev/null
+++ b/docs/install-csi-driver-v1.32.7.md
@@ -0,0 +1,45 @@
+## Install azurefile CSI driver v1.32.7 version on a Kubernetes cluster
+If you have already installed Helm, you can also use it to install this driver. Please check [Installation with Helm](../charts/README.md).
+
+### Install by kubectl
+ - Option#1. remote install
+```console
+curl -skSL https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/v1.32.7/deploy/install-driver.sh | bash -s v1.32.7 --
+```
+
+ - Option#2. local install
+```console
+git clone https://github.com/kubernetes-sigs/azurefile-csi-driver.git
+cd azurefile-csi-driver
+git checkout v1.32.7
+./deploy/install-driver.sh v1.32.7 local
+```
+
+ - check pods status:
+```console
+kubectl -n kube-system get pod -o wide --watch -l app=csi-azurefile-controller
+kubectl -n kube-system get pod -o wide --watch -l app=csi-azurefile-node
+```
+
+example output:
+
+```
+NAME                                            READY   STATUS    RESTARTS   AGE     IP             NODE
+csi-azurefile-controller-56bfddd689-dh5tk       6/6     Running   0          35s     10.240.0.19    k8s-agentpool-22533604-0
+csi-azurefile-node-cvgbs                        3/3     Running   0          7m4s    10.240.0.35    k8s-agentpool-22533604-1
+csi-azurefile-node-dr4s4                        3/3     Running   0          7m4s    10.240.0.4     k8s-agentpool-22533604-0
+```
+
+### clean up CSI driver
+ - Option#1. remote uninstall
+```console
+curl -skSL https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/v1.32.7/deploy/uninstall-driver.sh | bash -s --
+```
+
+ - Option#2. local uninstall
+```console
+git clone https://github.com/kubernetes-sigs/azurefile-csi-driver.git
+cd azurefile-csi-driver
+git checkout v1.32.7
+./deploy/uninstall-driver.sh v1.32.7 local
+```
diff --git a/docs/install-csi-driver-v1.32.8.md b/docs/install-csi-driver-v1.32.8.md
new file mode 100644
index 0000000000..bf2e01ef48
--- /dev/null
+++ b/docs/install-csi-driver-v1.32.8.md
@@ -0,0 +1,45 @@
+## Install azurefile CSI driver v1.32.8 version on a Kubernetes cluster
+If you have already installed Helm, you can also use it to install this driver. Please check [Installation with Helm](../charts/README.md).
+
+### Install by kubectl
+ - Option#1. remote install
+```console
+curl -skSL https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/v1.32.8/deploy/install-driver.sh | bash -s v1.32.8 --
+```
+
+ - Option#2. local install
+```console
+git clone https://github.com/kubernetes-sigs/azurefile-csi-driver.git
+cd azurefile-csi-driver
+git checkout v1.32.8
+./deploy/install-driver.sh v1.32.8 local
+```
+
+ - check pods status:
+```console
+kubectl -n kube-system get pod -o wide --watch -l app=csi-azurefile-controller
+kubectl -n kube-system get pod -o wide --watch -l app=csi-azurefile-node
+```
+
+example output:
+
+```
+NAME                                            READY   STATUS    RESTARTS   AGE     IP             NODE
+csi-azurefile-controller-56bfddd689-dh5tk       6/6     Running   0          35s     10.240.0.19    k8s-agentpool-22533604-0
+csi-azurefile-node-cvgbs                        3/3     Running   0          7m4s    10.240.0.35    k8s-agentpool-22533604-1
+csi-azurefile-node-dr4s4                        3/3     Running   0          7m4s    10.240.0.4     k8s-agentpool-22533604-0
+```
+
+### clean up CSI driver
+ - Option#1. remote uninstall
+```console
+curl -skSL https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/v1.32.8/deploy/uninstall-driver.sh | bash -s --
+```
+
+ - Option#2. local uninstall
+```console
+git clone https://github.com/kubernetes-sigs/azurefile-csi-driver.git
+cd azurefile-csi-driver
+git checkout v1.32.8
+./deploy/uninstall-driver.sh v1.32.8 local
+```
diff --git a/docs/install-csi-driver-v1.32.9.md b/docs/install-csi-driver-v1.32.9.md
new file mode 100644
index 0000000000..20a30e08ec
--- /dev/null
+++ b/docs/install-csi-driver-v1.32.9.md
@@ -0,0 +1,45 @@
+## Install azurefile CSI driver v1.32.9 version on a Kubernetes cluster
+If you have already installed Helm, you can also use it to install this driver. Please check [Installation with Helm](../charts/README.md).
+
+### Install by kubectl
+ - Option#1. remote install
+```console
+curl -skSL https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/v1.32.9/deploy/install-driver.sh | bash -s v1.32.9 --
+```
+
+ - Option#2. local install
+```console
+git clone https://github.com/kubernetes-sigs/azurefile-csi-driver.git
+cd azurefile-csi-driver
+git checkout v1.32.9
+./deploy/install-driver.sh v1.32.9 local
+```
+
+ - check pods status:
+```console
+kubectl -n kube-system get pod -o wide --watch -l app=csi-azurefile-controller
+kubectl -n kube-system get pod -o wide --watch -l app=csi-azurefile-node
+```
+
+example output:
+
+```
+NAME                                            READY   STATUS    RESTARTS   AGE     IP             NODE
+csi-azurefile-controller-56bfddd689-dh5tk       6/6     Running   0          35s     10.240.0.19    k8s-agentpool-22533604-0
+csi-azurefile-node-cvgbs                        3/3     Running   0          7m4s    10.240.0.35    k8s-agentpool-22533604-1
+csi-azurefile-node-dr4s4                        3/3     Running   0          7m4s    10.240.0.4     k8s-agentpool-22533604-0
+```
+
+### clean up CSI driver
+ - Option#1. remote uninstall
+```console
+curl -skSL https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/v1.32.9/deploy/uninstall-driver.sh | bash -s --
+```
+
+ - Option#2. local uninstall
+```console
+git clone https://github.com/kubernetes-sigs/azurefile-csi-driver.git
+cd azurefile-csi-driver
+git checkout v1.32.9
+./deploy/uninstall-driver.sh v1.32.9 local
+```
diff --git a/docs/install-csi-driver-v1.33.5.md b/docs/install-csi-driver-v1.33.5.md
new file mode 100644
index 0000000000..2f83f5f85e
--- /dev/null
+++ b/docs/install-csi-driver-v1.33.5.md
@@ -0,0 +1,45 @@
+## Install azurefile CSI driver v1.33.5 version on a Kubernetes cluster
+If you have already installed Helm, you can also use it to install this driver. Please check [Installation with Helm](../charts/README.md).
+
+### Install by kubectl
+ - Option#1. remote install
+```console
+curl -skSL https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/v1.33.5/deploy/install-driver.sh | bash -s v1.33.5 --
+```
+
+ - Option#2. local install
+```console
+git clone https://github.com/kubernetes-sigs/azurefile-csi-driver.git
+cd azurefile-csi-driver
+git checkout v1.33.5
+./deploy/install-driver.sh v1.33.5 local
+```
+
+ - check pods status:
+```console
+kubectl -n kube-system get pod -o wide --watch -l app=csi-azurefile-controller
+kubectl -n kube-system get pod -o wide --watch -l app=csi-azurefile-node
+```
+
+example output:
+
+```
+NAME                                            READY   STATUS    RESTARTS   AGE     IP             NODE
+csi-azurefile-controller-56bfddd689-dh5tk       6/6     Running   0          35s     10.240.0.19    k8s-agentpool-22533604-0
+csi-azurefile-node-cvgbs                        3/3     Running   0          7m4s    10.240.0.35    k8s-agentpool-22533604-1
+csi-azurefile-node-dr4s4                        3/3     Running   0          7m4s    10.240.0.4     k8s-agentpool-22533604-0
+```
+
+### clean up CSI driver
+ - Option#1. remote uninstall
+```console
+curl -skSL https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/v1.33.5/deploy/uninstall-driver.sh | bash -s --
+```
+
+ - Option#2. local uninstall
+```console
+git clone https://github.com/kubernetes-sigs/azurefile-csi-driver.git
+cd azurefile-csi-driver
+git checkout v1.33.5
+./deploy/uninstall-driver.sh v1.33.5 local
+```
diff --git a/docs/install-csi-driver-v1.33.6.md b/docs/install-csi-driver-v1.33.6.md
new file mode 100644
index 0000000000..670211bfe1
--- /dev/null
+++ b/docs/install-csi-driver-v1.33.6.md
@@ -0,0 +1,45 @@
+## Install azurefile CSI driver v1.33.6 version on a Kubernetes cluster
+If you have already installed Helm, you can also use it to install this driver. Please check [Installation with Helm](../charts/README.md).
+
+### Install by kubectl
+ - Option#1. remote install
+```console
+curl -skSL https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/v1.33.6/deploy/install-driver.sh | bash -s v1.33.6 --
+```
+
+ - Option#2. local install
+```console
+git clone https://github.com/kubernetes-sigs/azurefile-csi-driver.git
+cd azurefile-csi-driver
+git checkout v1.33.6
+./deploy/install-driver.sh v1.33.6 local
+```
+
+ - check pods status:
+```console
+kubectl -n kube-system get pod -o wide --watch -l app=csi-azurefile-controller
+kubectl -n kube-system get pod -o wide --watch -l app=csi-azurefile-node
+```
+
+example output:
+
+```
+NAME                                            READY   STATUS    RESTARTS   AGE     IP             NODE
+csi-azurefile-controller-56bfddd689-dh5tk       6/6     Running   0          35s     10.240.0.19    k8s-agentpool-22533604-0
+csi-azurefile-node-cvgbs                        3/3     Running   0          7m4s    10.240.0.35    k8s-agentpool-22533604-1
+csi-azurefile-node-dr4s4                        3/3     Running   0          7m4s    10.240.0.4     k8s-agentpool-22533604-0
+```
+
+### clean up CSI driver
+ - Option#1. remote uninstall
+```console
+curl -skSL https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/v1.33.6/deploy/uninstall-driver.sh | bash -s --
+```
+
+ - Option#2. local uninstall
+```console
+git clone https://github.com/kubernetes-sigs/azurefile-csi-driver.git
+cd azurefile-csi-driver
+git checkout v1.33.6
+./deploy/uninstall-driver.sh v1.33.6 local
+```
diff --git a/docs/install-csi-driver-v1.33.7.md b/docs/install-csi-driver-v1.33.7.md
new file mode 100644
index 0000000000..58db2e24c9
--- /dev/null
+++ b/docs/install-csi-driver-v1.33.7.md
@@ -0,0 +1,45 @@
+## Install azurefile CSI driver v1.33.7 version on a Kubernetes cluster
+If you have already installed Helm, you can also use it to install this driver. Please check [Installation with Helm](../charts/README.md).
+
+### Install by kubectl
+ - Option#1. remote install
+```console
+curl -skSL https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/v1.33.7/deploy/install-driver.sh | bash -s v1.33.7 --
+```
+
+ - Option#2. local install
+```console
+git clone https://github.com/kubernetes-sigs/azurefile-csi-driver.git
+cd azurefile-csi-driver
+git checkout v1.33.7
+./deploy/install-driver.sh v1.33.7 local
+```
+
+ - check pods status:
+```console
+kubectl -n kube-system get pod -o wide --watch -l app=csi-azurefile-controller
+kubectl -n kube-system get pod -o wide --watch -l app=csi-azurefile-node
+```
+
+example output:
+
+```
+NAME                                            READY   STATUS    RESTARTS   AGE     IP             NODE
+csi-azurefile-controller-56bfddd689-dh5tk       6/6     Running   0          35s     10.240.0.19    k8s-agentpool-22533604-0
+csi-azurefile-node-cvgbs                        3/3     Running   0          7m4s    10.240.0.35    k8s-agentpool-22533604-1
+csi-azurefile-node-dr4s4                        3/3     Running   0          7m4s    10.240.0.4     k8s-agentpool-22533604-0
+```
+
+### clean up CSI driver
+ - Option#1. remote uninstall
+```console
+curl -skSL https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/v1.33.7/deploy/uninstall-driver.sh | bash -s --
+```
+
+ - Option#2. local uninstall
+```console
+git clone https://github.com/kubernetes-sigs/azurefile-csi-driver.git
+cd azurefile-csi-driver
+git checkout v1.33.7
+./deploy/uninstall-driver.sh v1.33.7 local
+```
diff --git a/docs/install-csi-driver-v1.34.2.md b/docs/install-csi-driver-v1.34.2.md
new file mode 100644
index 0000000000..5fa6d16167
--- /dev/null
+++ b/docs/install-csi-driver-v1.34.2.md
@@ -0,0 +1,45 @@
+## Install azurefile CSI driver v1.34.2 version on a Kubernetes cluster
+If you have already installed Helm, you can also use it to install this driver. Please check [Installation with Helm](../charts/README.md).
+
+### Install by kubectl
+ - Option#1. remote install
+```console
+curl -skSL https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/v1.34.2/deploy/install-driver.sh | bash -s v1.34.2 --
+```
+
+ - Option#2. local install
+```console
+git clone https://github.com/kubernetes-sigs/azurefile-csi-driver.git
+cd azurefile-csi-driver
+git checkout v1.34.2
+./deploy/install-driver.sh v1.34.2 local
+```
+
+ - check pods status:
+```console
+kubectl -n kube-system get pod -o wide --watch -l app=csi-azurefile-controller
+kubectl -n kube-system get pod -o wide --watch -l app=csi-azurefile-node
+```
+
+example output:
+
+```
+NAME                                            READY   STATUS    RESTARTS   AGE     IP             NODE
+csi-azurefile-controller-56bfddd689-dh5tk       6/6     Running   0          35s     10.240.0.19    k8s-agentpool-22533604-0
+csi-azurefile-node-cvgbs                        3/3     Running   0          7m4s    10.240.0.35    k8s-agentpool-22533604-1
+csi-azurefile-node-dr4s4                        3/3     Running   0          7m4s    10.240.0.4     k8s-agentpool-22533604-0
+```
+
+### clean up CSI driver
+ - Option#1. remote uninstall
+```console
+curl -skSL https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/v1.34.2/deploy/uninstall-driver.sh | bash -s --
+```
+
+ - Option#2. local uninstall
+```console
+git clone https://github.com/kubernetes-sigs/azurefile-csi-driver.git
+cd azurefile-csi-driver
+git checkout v1.34.2
+./deploy/uninstall-driver.sh v1.34.2 local
+```
diff --git a/docs/install-csi-driver-v1.34.3.md b/docs/install-csi-driver-v1.34.3.md
new file mode 100644
index 0000000000..7340c59a92
--- /dev/null
+++ b/docs/install-csi-driver-v1.34.3.md
@@ -0,0 +1,45 @@
+## Install azurefile CSI driver v1.34.3 version on a Kubernetes cluster
+If you have already installed Helm, you can also use it to install this driver. Please check [Installation with Helm](../charts/README.md).
+
+### Install by kubectl
+ - Option#1. remote install
+```console
+curl -skSL https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/v1.34.3/deploy/install-driver.sh | bash -s v1.34.3 --
+```
+
+ - Option#2. local install
+```console
+git clone https://github.com/kubernetes-sigs/azurefile-csi-driver.git
+cd azurefile-csi-driver
+git checkout v1.34.3
+./deploy/install-driver.sh v1.34.3 local
+```
+
+ - check pods status:
+```console
+kubectl -n kube-system get pod -o wide --watch -l app=csi-azurefile-controller
+kubectl -n kube-system get pod -o wide --watch -l app=csi-azurefile-node
+```
+
+example output:
+
+```
+NAME                                            READY   STATUS    RESTARTS   AGE     IP             NODE
+csi-azurefile-controller-56bfddd689-dh5tk       6/6     Running   0          35s     10.240.0.19    k8s-agentpool-22533604-0
+csi-azurefile-node-cvgbs                        3/3     Running   0          7m4s    10.240.0.35    k8s-agentpool-22533604-1
+csi-azurefile-node-dr4s4                        3/3     Running   0          7m4s    10.240.0.4     k8s-agentpool-22533604-0
+```
+
+### clean up CSI driver
+ - Option#1. remote uninstall
+```console
+curl -skSL https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/v1.34.3/deploy/uninstall-driver.sh | bash -s --
+```
+
+ - Option#2. local uninstall
+```console
+git clone https://github.com/kubernetes-sigs/azurefile-csi-driver.git
+cd azurefile-csi-driver
+git checkout v1.34.3
+./deploy/uninstall-driver.sh v1.34.3 local
+```
diff --git a/docs/install-csi-driver-v1.35.0.md b/docs/install-csi-driver-v1.35.0.md
new file mode 100644
index 0000000000..af26bf133f
--- /dev/null
+++ b/docs/install-csi-driver-v1.35.0.md
@@ -0,0 +1,45 @@
+## Install azurefile CSI driver v1.35.0 version on a Kubernetes cluster
+If you have already installed Helm, you can also use it to install this driver. Please check [Installation with Helm](../charts/README.md).
+
+### Install by kubectl
+ - Option#1. remote install
+```console
+curl -skSL https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/v1.35.0/deploy/install-driver.sh | bash -s v1.35.0 --
+```
+
+ - Option#2. local install
+```console
+git clone https://github.com/kubernetes-sigs/azurefile-csi-driver.git
+cd azurefile-csi-driver
+git checkout v1.35.0
+./deploy/install-driver.sh v1.35.0 local
+```
+
+ - check pods status:
+```console
+kubectl -n kube-system get pod -o wide --watch -l app=csi-azurefile-controller
+kubectl -n kube-system get pod -o wide --watch -l app=csi-azurefile-node
+```
+
+example output:
+
+```
+NAME                                            READY   STATUS    RESTARTS   AGE     IP             NODE
+csi-azurefile-controller-56bfddd689-dh5tk       6/6     Running   0          35s     10.240.0.19    k8s-agentpool-22533604-0
+csi-azurefile-node-cvgbs                        3/3     Running   0          7m4s    10.240.0.35    k8s-agentpool-22533604-1
+csi-azurefile-node-dr4s4                        3/3     Running   0          7m4s    10.240.0.4     k8s-agentpool-22533604-0
+```
+
+### clean up CSI driver
+ - Option#1. remote uninstall
+```console
+curl -skSL https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/v1.35.0/deploy/uninstall-driver.sh | bash -s --
+```
+
+ - Option#2. local uninstall
+```console
+git clone https://github.com/kubernetes-sigs/azurefile-csi-driver.git
+cd azurefile-csi-driver
+git checkout v1.35.0
+./deploy/uninstall-driver.sh v1.35.0 local
+```
diff --git a/docs/managed-identity-mount.md b/docs/managed-identity-mount.md
new file mode 100644
index 0000000000..2bdf33d47e
--- /dev/null
+++ b/docs/managed-identity-mount.md
@@ -0,0 +1,112 @@
+# Mount Azure SMB file share with managed identity
+ - Feature status: Preview
+ - supported from CSI driver v1.34.0 on Linux node
+
+This article demonstrates the process of mounting smb file share with user-assigned managed identity authentication only, without relying on account key authentication.
+> by default you could leverage the built-in user assigned managed identity(kubelet identity) bound to the AKS agent node pool(with naming rule [`AKS Cluster Name-agentpool`](https://docs.microsoft.com/en-us/azure/aks/use-managed-identity#summary-of-managed-identities))
+
+> if you have created your own managed identity, make sure the managed identity is associated with the agent node pool. You could use following command to bind the managed identity to the VMSS node pool:
+
+    > `az vmss identity assign --name  --resource-group  --identities `
+
+## Before you begin
+ - Make sure the managed identity is granted the `Storage File Data SMB MI Admin` role on the storage account.
+ > here is an example that uses Azure CLI commands to assign the `Storage File Data SMB MI Admin` role to the managed identity for the storage account. If the storage account is created by the driver(dynamic provisioning), you need to grant `Storage File Data SMB MI Admin` role on the resource group where the storage account is located
+
+```bash
+mid="$(az identity list -g "$resourcegroup" --query "[?name == 'managedIdentityName'].principalId" -o tsv)"
+said="$(az storage account list -g "$resourcegroup" --query "[?name == '$storageaccountname'].id" -o tsv)"
+az role assignment create --assignee-object-id "$mid" --role "Storage File Data SMB MI Admin" --scope "$said"
+```
+
+ - Retrieve the clientID of managed identity
+ > skip this step if you are going to use kubelet identity since CSI driver will default to using the kubelet identity if `clientID` parameter is not provided in storage class or persisent volume.
+```bash
+clientID=`az identity list -g "$resourcegroup" --query "[?name == '$identityname'].clientId" -o tsv`
+```
+    
+## Dynamic Provisioning
+- Ensure that the identity of your CSI driver control plane is assigned the `Storage Account Contributor role` for the storage account.
+ > if the storage account is created by the driver, then you need to grant `Storage Account Contributor` role to the resource group where the storage account is located.
+ > 
+ > AKS cluster control plane identity is assigned the `Storage Account Contributor role` on the node resource group for the storage account by default.
+
+1. Create a storage class
+    ```yml
+    apiVersion: storage.k8s.io/v1
+    kind: StorageClass
+    metadata:
+      name: azurefile-csi
+    provisioner: file.csi.azure.com
+    parameters:
+      resourceGroup: EXISTING_RESOURCE_GROUP_NAME   # optional, node resource group by default if it's not provided
+      storageAccount: EXISTING_STORAGE_ACCOUNT_NAME # optional, a new account will be created if it's not provided
+      mountWithManagedIdentity: "true"
+      # optional, clientID of the managed identity, kubelet identity would be used by default if it's not provided
+      clientID: "xxxxx-xxxx-xxx-xxx-xxxxxxx"
+    reclaimPolicy: Delete
+    volumeBindingMode: Immediate
+    allowVolumeExpansion: true
+    mountOptions:
+      - dir_mode=0777  # modify this permission if you want to enhance the security
+      - file_mode=0777
+      - uid=0
+      - gid=0
+      - mfsymlinks
+      - cache=strict  # https://linux.die.net/man/8/mount.cifs
+      - nosharesock  # reduce probability of reconnect race
+      - actimeo=30  # reduce latency for metadata-heavy workload
+      - nobrl  # disable sending byte range lock requests to the server
+    ```
+
+1. create a statefulset with volume mount
+```bash
+kubectl create -f https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/master/deploy/example/statefulset.yaml
+```
+
+## Static Provisioning
+
+> If you are using your own storage account, please ensure that the `SMBOauth` property is enabled for that account by running following command:
+>
+> `az storage account update --name  --resource-group  --enable-smb-oauth true`
+
+1. create PV with your own account
+    ```yml
+    apiVersion: v1
+    kind: PersistentVolume
+    metadata:
+      name: pv-azurefile
+    spec:
+      capacity:
+        storage: 100Gi
+      accessModes:
+        - ReadWriteMany
+      persistentVolumeReclaimPolicy: Retain
+      storageClassName: azurefile-csi
+      mountOptions:
+        - dir_mode=0777  # modify this permission if you want to enhance the security
+        - file_mode=0777
+        - uid=0
+        - gid=0
+        - mfsymlinks
+        - cache=strict  # https://linux.die.net/man/8/mount.cifs
+        - nosharesock  # reduce probability of reconnect race
+        - actimeo=30  # reduce latency for metadata-heavy workload
+        - nobrl  # disable sending byte range lock requests to the server
+      csi:
+        driver: file.csi.azure.com
+        # make sure volumeHandle is unique for every identical share in the cluster
+        volumeHandle: "{resource-group-name}#{account-name}#{file-share-name}"
+        volumeAttributes:
+          resourceGroup: EXISTING_RESOURCE_GROUP_NAME   # optional, node resource group by default if it's not provided
+          storageAccount: EXISTING_STORAGE_ACCOUNT_NAME # ensure that the `SMBOauth` property is enabled on this account
+          shareName: EXISTING_FILE_SHARE_NAME
+          mountWithManagedIdentity: "true"
+          # optional, clientID of the managed identity, kubelet identity would be used by default if it's empty
+          clientID: "xxxxx-xxxx-xxx-xxx-xxxxxxx"
+    ```
+
+1. create a pvc and a deployment with volume mount
+    ```console
+    kubectl create -f https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/master/deploy/example/deployment.yaml
+    ```
diff --git a/docs/workload-identity-static-pv-mount.md b/docs/workload-identity-static-pv-mount.md
index 73c20c96b3..9398103bf2 100644
--- a/docs/workload-identity-static-pv-mount.md
+++ b/docs/workload-identity-static-pv-mount.md
@@ -6,37 +6,36 @@
  - This feature would still retrieve storage account key using federated identity credentials and mount Azure File share using key-based authentication.
 
 ## Prerequisites
-### 1. Create a cluster with oidc-issuer enabled and get the credential
-Following the [documentation](https://learn.microsoft.com/en-us/azure/aks/use-oidc-issuer#create-an-aks-cluster-with-oidc-issuer) to create an AKS cluster with the `--enable-oidc-issuer` parameter and get the AKS credentials. And export following environment variables:
-```
+### 1. Create a cluster with oidc-issuer enabled and get the AKS cluster credential
+Refer to the [documentation](https://learn.microsoft.com/en-us/azure/aks/use-oidc-issuer#create-an-aks-cluster-with-oidc-issuer) for instructions on creating a new AKS cluster with the `--enable-oidc-issuer` parameter and get the AKS credentials. And export following environment variables:
+```console
 export RESOURCE_GROUP=
 export CLUSTER_NAME=
 export REGION=
 ```
 
-### 2. Bring your own storage account and Azure file share
-Following the [documentation](https://learn.microsoft.com/en-us/azure/storage/files/storage-how-to-use-files-portal?tabs=azure-cli) to create a new storage account and fileshare or use your own. And export following environment variables:
-```
+### 2. Bring your own storage account
+Refer to the [documentation](https://learn.microsoft.com/en-us/azure/storage/files/storage-how-to-use-files-portal?tabs=azure-cli) for instructions on creating a new storage account and file share, or alternatively, utilize your existing storage account and file share. And export following environment variables:
+```console
 export STORAGE_RESOURCE_GROUP=
 export ACCOUNT=
-export SHARE=
+export SHARE= # optional
 ```
 
-### 3. Create managed identity and role assignment
-```
+### 3. Create or bring your own managed identity and grant role to the managed identity
+> you could leverage the built-in user assigned managed identity bound to the AKS agent node pool(with name [`AKS Cluster Name-agentpool`](https://docs.microsoft.com/en-us/azure/aks/use-managed-identity#summary-of-managed-identities)) in node resource group
+```console
 export UAMI=
 az identity create --name $UAMI --resource-group $RESOURCE_GROUP
 
 export USER_ASSIGNED_CLIENT_ID="$(az identity show -g $RESOURCE_GROUP --name $UAMI --query 'clientId' -o tsv)"
 export IDENTITY_TENANT=$(az aks show --name $CLUSTER_NAME --resource-group $RESOURCE_GROUP --query identity.tenantId -o tsv)
 export ACCOUNT_SCOPE=$(az storage account show --name $ACCOUNT --query id -o tsv)
-
-# please retry if you meet `Cannot find user or service principal in graph database` error, it may take a while for the identity to propagate
 az role assignment create --role "Storage Account Contributor" --assignee $USER_ASSIGNED_CLIENT_ID --scope $ACCOUNT_SCOPE
 ```
 
-### 4. Create service account on AKS
-```
+### 4. Create a service account on AKS
+```console
 export SERVICE_ACCOUNT_NAME=
 export SERVICE_ACCOUNT_NAMESPACE=
 
@@ -50,7 +49,7 @@ EOF
 ```
 
 ### 5. Create the federated identity credential between the managed identity, service account issuer, and subject using the `az identity federated-credential create` command.
-```
+```console
 export FEDERATED_IDENTITY_NAME=
 export AKS_OIDC_ISSUER="$(az aks show --resource-group $RESOURCE_GROUP --name $CLUSTER_NAME --query "oidcIssuerProfile.issuerUrl" -o tsv)"
 
@@ -61,8 +60,82 @@ az identity federated-credential create --name $FEDERATED_IDENTITY_NAME \
 --subject system:serviceaccount:${SERVICE_ACCOUNT_NAMESPACE}:${SERVICE_ACCOUNT_NAME}
 ```
 
-## option#1: static provision with PV
+## option#1: dynamic provisioning with storage class
+- Ensure that the identity of your CSI driver control plane is assigned the `Storage Account Contributor role` for the storage account.
+ > if the storage account is created by the driver, then you need to grant `Storage Account Contributor` role to the resource group where the storage account is located.
+ > 
+ > AKS cluster control plane identity is assigned the `Storage Account Contributor role` on the node resource group for the storage account by default.
+
+```yaml
+cat <> /mnt/azurefile/outfile; sleep 1; done
+          volumeMounts:
+            - name: persistent-storage
+              mountPath: /mnt/azurefile
+  updateStrategy:
+    type: RollingUpdate
+  selector:
+    matchLabels:
+      app: nginx
+  volumeClaimTemplates:
+    - metadata:
+        name: persistent-storage
+      spec:
+        storageClassName: azurefile-csi
+        accessModes: ["ReadWriteMany"]
+        resources:
+          requests:
+            storage: 100Gi
+EOF
 ```
+
+## option#2: static provision with PV
+```yaml
 cat <> /mnt/azurefile/outfile; sleep 1; done
+            - while true; do echo $(date) >> /mnt/azurefile/outfile; sleep 1; done
           volumeMounts:
             - name: azurefile
               mountPath: "/mnt/azurefile"
-              readOnly: false
       volumes:
         - name: azurefile
           persistentVolumeClaim:
@@ -152,38 +224,3 @@ spec:
     type: RollingUpdate
 EOF
 ```
-
-## option#2: Pod with ephemeral inline volume
-```
-cat <> /mnt/azurefile/outfile; sleep 1; done
-      volumeMounts:
-        - name: persistent-storage
-          mountPath: "/mnt/azurefile"
-  volumes:
-    - name: persistent-storage
-      csi:
-        driver: file.csi.azure.com
-        volumeAttributes:
-          storageaccount: $ACCOUNT # required
-          shareName: $SHARE  # required
-          clientID: $USER_ASSIGNED_CLIENT_ID # required
-          resourcegroup: $STORAGE_RESOURCE_GROUP # optional, specified when the storage account is not under AKS node resource group(which is prefixed with "MC_")
-          # tenantID: $IDENTITY_TENANT  # optional, only specified when workload identity and AKS cluster are in different tenant
-          # subscriptionid: $SUBSCRIPTION # optional, only specified when workload identity and AKS cluster are in different subscription
-EOF
-```
diff --git a/go.mod b/go.mod
index 38f053c912..4ca2d3f822 100644
--- a/go.mod
+++ b/go.mod
@@ -4,15 +4,12 @@ go 1.24.6
 
 toolchain go1.24.7
 
-godebug winsymlink=0
-
 require (
-	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.19.1
-	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v6 v6.4.0
+	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.20.0
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v6 v6.2.0
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v1.2.0
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/storage/armstorage/v2 v2.0.0
-	github.com/Azure/azure-sdk-for-go/sdk/storage/azfile v1.5.2
+	github.com/Azure/azure-sdk-for-go/sdk/storage/azfile v1.5.4
 	github.com/container-storage-interface/spec v1.10.0
 	github.com/fsnotify/fsnotify v1.9.0
 	github.com/go-ole/go-ole v1.3.0
@@ -23,25 +20,25 @@ require (
 	github.com/kubernetes-csi/csi-lib-utils v0.14.1
 	github.com/kubernetes-csi/csi-proxy/client v1.0.1
 	github.com/kubernetes-csi/external-snapshotter/client/v4 v4.2.0
-	github.com/microsoft/wmi v0.37.0
-	github.com/onsi/ginkgo/v2 v2.25.3
-	github.com/onsi/gomega v1.38.2
+	github.com/microsoft/wmi v0.38.3
+	github.com/onsi/ginkgo/v2 v2.28.0
+	github.com/onsi/gomega v1.39.1
 	github.com/pkg/errors v0.9.1
 	github.com/rubiojr/go-vhd v0.0.0-20200706105327-02e210299021
 	github.com/stretchr/testify v1.11.1
 	go.uber.org/goleak v1.3.0
 	go.uber.org/mock v0.6.0
-	golang.org/x/net v0.44.0
-	golang.org/x/sys v0.36.0
-	google.golang.org/grpc v1.75.1
-	google.golang.org/protobuf v1.36.9
+	golang.org/x/net v0.49.0
+	golang.org/x/sys v0.40.0
+	google.golang.org/grpc v1.78.0
+	google.golang.org/protobuf v1.36.11
 	k8s.io/api v0.34.1
 	k8s.io/apimachinery v0.34.1
 	k8s.io/client-go v0.34.1
 	k8s.io/cloud-provider v0.34.1
 	k8s.io/component-base v0.34.1
 	k8s.io/klog/v2 v2.130.1
-	k8s.io/kubernetes v1.34.1
+	k8s.io/kubernetes v1.34.3
 	k8s.io/mount-utils v0.34.1
 	k8s.io/pod-security-admission v0.34.1
 	k8s.io/utils v0.0.0-20250820121507-0af2bda4dd1d
@@ -53,9 +50,11 @@ require (
 
 require (
 	cel.dev/expr v0.24.0 // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.12.0 // indirect
+	cyphar.com/go-pathrs v0.2.1 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.13.1 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v2 v2.2.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v6 v6.4.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/containerregistry/armcontainerregistry v1.2.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/containerservice/armcontainerservice/v6 v6.6.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault v1.5.0 // indirect
@@ -64,7 +63,7 @@ require (
 	github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets v1.4.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.2.0 // indirect
 	github.com/Azure/msi-dataplane v0.4.3 // indirect
-	github.com/AzureAD/microsoft-authentication-library-for-go v1.5.0 // indirect
+	github.com/AzureAD/microsoft-authentication-library-for-go v1.6.0 // indirect
 	github.com/Masterminds/semver/v3 v3.4.0 // indirect
 	github.com/Microsoft/go-winio v0.6.2 // indirect
 	github.com/antlr4-go/antlr/v4 v4.13.1 // indirect
@@ -72,6 +71,7 @@ require (
 	github.com/blang/semver/v4 v4.0.0 // indirect
 	github.com/cenkalti/backoff/v5 v5.0.3 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
+	github.com/cyphar/filepath-securejoin v0.6.0 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/distribution/reference v0.6.0 // indirect
 	github.com/emicklei/go-restful/v3 v3.13.0 // indirect
@@ -88,7 +88,7 @@ require (
 	github.com/google/cel-go v0.26.1 // indirect
 	github.com/google/gnostic-models v0.7.0 // indirect
 	github.com/google/go-cmp v0.7.0 // indirect
-	github.com/google/pprof v0.0.0-20250820193118-f64d9cf942d6 // indirect
+	github.com/google/pprof v0.0.0-20260115054156-294ebfa9ad83 // indirect
 	github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 // indirect
 	github.com/grafana/regexp v0.0.0-20240518133315-a468a5bfb3bc // indirect
 	github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.3.0 // indirect
@@ -105,7 +105,7 @@ require (
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
-	github.com/opencontainers/selinux v1.11.1 // indirect
+	github.com/opencontainers/selinux v1.13.0 // indirect
 	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/prometheus/client_golang v1.23.2 // indirect
@@ -118,7 +118,7 @@ require (
 	github.com/spf13/pflag v1.0.10 // indirect
 	github.com/stoewer/go-strcase v1.3.1 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
-	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
+	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0 // indirect
 	go.opentelemetry.io/otel v1.38.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.37.0 // indirect
@@ -129,19 +129,19 @@ require (
 	go.opentelemetry.io/otel/sdk/metric v1.38.0 // indirect
 	go.opentelemetry.io/otel/trace v1.38.0 // indirect
 	go.opentelemetry.io/proto/otlp v1.7.1 // indirect
-	go.uber.org/automaxprocs v1.6.0 // indirect
 	go.yaml.in/yaml/v2 v2.4.2 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
-	golang.org/x/crypto v0.42.0 // indirect
+	golang.org/x/crypto v0.47.0 // indirect
 	golang.org/x/exp v0.0.0-20250911091902-df9299821621 // indirect
-	golang.org/x/oauth2 v0.30.0 // indirect
-	golang.org/x/sync v0.17.0 // indirect
-	golang.org/x/term v0.35.0 // indirect
-	golang.org/x/text v0.29.0 // indirect
+	golang.org/x/mod v0.32.0 // indirect
+	golang.org/x/oauth2 v0.32.0 // indirect
+	golang.org/x/sync v0.19.0 // indirect
+	golang.org/x/term v0.39.0 // indirect
+	golang.org/x/text v0.33.0 // indirect
 	golang.org/x/time v0.13.0 // indirect
-	golang.org/x/tools v0.37.0 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20250826171959-ef028d996bc1 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20250826171959-ef028d996bc1 // indirect
+	golang.org/x/tools v0.41.0 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20251029180050-ab9386a59fda // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20251029180050-ab9386a59fda // indirect
 	gopkg.in/evanphx/json-patch.v4 v4.13.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
diff --git a/go.sum b/go.sum
index 60dcc430fb..8b4a155dcc 100644
--- a/go.sum
+++ b/go.sum
@@ -3,10 +3,12 @@ cel.dev/expr v0.24.0/go.mod h1:hLPLo1W4QUmuYdA72RBX06QTs6MXw941piREPl3Yfiw=
 cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 cloud.google.com/go/compute/metadata v0.3.0/go.mod h1:zFmK7XCadkQkj6TtorcaGlCW1hT1fIilQDwofLpJ20k=
-github.com/Azure/azure-sdk-for-go/sdk/azcore v1.19.1 h1:5YTBM8QDVIBN3sxBil89WfdAAqDZbyJTgh688DSxX5w=
-github.com/Azure/azure-sdk-for-go/sdk/azcore v1.19.1/go.mod h1:YD5h/ldMsG0XiIw7PdyNhLxaM317eFh5yNLccNfGdyw=
-github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.12.0 h1:wL5IEG5zb7BVv1Kv0Xm92orq+5hB5Nipn3B5tn4Rqfk=
-github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.12.0/go.mod h1:J7MUC/wtRpfGVbQ5sIItY5/FuVWmvzlY21WAOfQnq/I=
+cyphar.com/go-pathrs v0.2.1 h1:9nx1vOgwVvX1mNBWDu93+vaceedpbsDqo+XuBGL40b8=
+cyphar.com/go-pathrs v0.2.1/go.mod h1:y8f1EMG7r+hCuFf/rXsKqMJrJAUoADZGNh5/vZPKcGc=
+github.com/Azure/azure-sdk-for-go/sdk/azcore v1.20.0 h1:JXg2dwJUmPB9JmtVmdEB16APJ7jurfbY5jnfXpJoRMc=
+github.com/Azure/azure-sdk-for-go/sdk/azcore v1.20.0/go.mod h1:YD5h/ldMsG0XiIw7PdyNhLxaM317eFh5yNLccNfGdyw=
+github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.13.1 h1:Hk5QBxZQC1jb2Fwj6mpzme37xbCDdNTxU7O9eb5+LB4=
+github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.13.1/go.mod h1:IYus9qsFobWIc2YVwe/WPjcnyCkPKtnHAqUYeebc8z0=
 github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache v0.3.2 h1:yz1bePFlP5Vws5+8ez6T3HWXPmwOK7Yvq8QxDBD3SKY=
 github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache v0.3.2/go.mod h1:Pa9ZNPuoNu/GztvBSKk9J1cDJW6vk/n0zLtV4mgd8N8=
 github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2 h1:9iefClla7iYpfYWdzPCRDozdmndjTm8DXdpCzPajMgA=
@@ -45,16 +47,16 @@ github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets v1.4.0 h1:/g8S
 github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets v1.4.0/go.mod h1:gpl+q95AzZlKVI3xSoseF9QPrypk0hQqBiJYeB/cR/I=
 github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.2.0 h1:nCYfgcSyHZXJI8J0IWE5MsCGlb2xp9fJiXyxWgmOFg4=
 github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.2.0/go.mod h1:ucUjca2JtSZboY8IoUqyQyuuXvwbMBVwFOm0vdQPNhA=
-github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.6.1 h1:lhZdRq7TIx0GJQvSyX2Si406vrYsov2FXGp/RnSEtcs=
-github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.6.1/go.mod h1:8cl44BDmi+effbARHMQjgOKA2AYvcohNm7KEt42mSV8=
-github.com/Azure/azure-sdk-for-go/sdk/storage/azfile v1.5.2 h1:l3SabZmNuXCMCbQUIeR4W6/N4j8SeH/lwX+a6leZhHo=
-github.com/Azure/azure-sdk-for-go/sdk/storage/azfile v1.5.2/go.mod h1:k+mEZ4f1pVqZTRqtSDW2AhZ/3wT5qLpsUA75C/k7dtE=
+github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.6.3 h1:ZJJNFaQ86GVKQ9ehwqyAFE6pIfyicpuJ8IkVaPBc6/4=
+github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.6.3/go.mod h1:URuDvhmATVKqHBH9/0nOiNKk0+YcwfQ3WkK5PqHKxc8=
+github.com/Azure/azure-sdk-for-go/sdk/storage/azfile v1.5.4 h1:tZh20RjgfMxKBxJiIS75iTVAKIUxrST5X2dVHMTptL4=
+github.com/Azure/azure-sdk-for-go/sdk/storage/azfile v1.5.4/go.mod h1:vGYAk36rhMVCfTP7v+RVruCR0zmPe6S+36KRpDCLySw=
 github.com/Azure/msi-dataplane v0.4.3 h1:dWPWzY4b54tLIR9T1Q014Xxd/1DxOsMIp6EjRFAJlQY=
 github.com/Azure/msi-dataplane v0.4.3/go.mod h1:yAfxdJyvcnvSDfSyOFV9qm4fReEQDl+nZLGeH2ZWSmw=
 github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1 h1:WJTmL004Abzc5wDB5VtZG2PJk5ndYDgVacGqfirKxjM=
 github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1/go.mod h1:tCcJZ0uHAmvjsVYzEFivsRTN00oz5BEsRgQHu5JZ9WE=
-github.com/AzureAD/microsoft-authentication-library-for-go v1.5.0 h1:XkkQbfMyuH2jTSjQjSoihryI8GINRcs4xp8lNawg0FI=
-github.com/AzureAD/microsoft-authentication-library-for-go v1.5.0/go.mod h1:HKpQxkWaGLJ+D/5H8QRpyQXA1eKjxkFlOMwck5+33Jk=
+github.com/AzureAD/microsoft-authentication-library-for-go v1.6.0 h1:XRzhVemXdgvJqCH0sFfrBUTnUJSBrBf7++ypk+twtRs=
+github.com/AzureAD/microsoft-authentication-library-for-go v1.6.0/go.mod h1:HKpQxkWaGLJ+D/5H8QRpyQXA1eKjxkFlOMwck5+33Jk=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/Masterminds/semver/v3 v3.4.0 h1:Zog+i5UMtVoCU8oKka5P7i9q9HgrJeGzI9SA1Xbatp0=
 github.com/Masterminds/semver/v3 v3.4.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM=
@@ -94,6 +96,8 @@ github.com/container-storage-interface/spec v1.10.0 h1:YkzWPV39x+ZMTa6Ax2czJLLwp
 github.com/container-storage-interface/spec v1.10.0/go.mod h1:DtUvaQszPml1YJfIK7c00mlv6/g4wNMLanLgiUbKFRI=
 github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
+github.com/cyphar/filepath-securejoin v0.6.0 h1:BtGB77njd6SVO6VztOHfPxKitJvd/VPT+OFBFMOi1Is=
+github.com/cyphar/filepath-securejoin v0.6.0/go.mod h1:A8hd4EnAeyujCJRrICiOWqjS1AX0a9kM5XL+NwKoYSc=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
@@ -118,6 +122,12 @@ github.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8
 github.com/fxamacker/cbor/v2 v2.9.0 h1:NpKPmjDBgUfBms6tr6JZkTHtfFGcMKsw3eGcmD/sapM=
 github.com/fxamacker/cbor/v2 v2.9.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ=
 github.com/ghodss/yaml v0.0.0-20150909031657-73d445a93680/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
+github.com/gkampitakis/ciinfo v0.3.2 h1:JcuOPk8ZU7nZQjdUhctuhQofk7BGHuIy0c9Ez8BNhXs=
+github.com/gkampitakis/ciinfo v0.3.2/go.mod h1:1NIwaOcFChN4fa/B0hEBdAb6npDlFL8Bwx4dfRLRqAo=
+github.com/gkampitakis/go-diff v1.3.2 h1:Qyn0J9XJSDTgnsgHRdz9Zp24RaJeKMUHg2+PDZZdC4M=
+github.com/gkampitakis/go-diff v1.3.2/go.mod h1:LLgOrpqleQe26cte8s36HTWcTmMEur6OPYerdAAS9tk=
+github.com/gkampitakis/go-snaps v0.5.15 h1:amyJrvM1D33cPHwVrjo9jQxX8g/7E2wYdZ+01KS3zGE=
+github.com/gkampitakis/go-snaps v0.5.15/go.mod h1:HNpx/9GoKisdhw9AFOBT1N7DBs9DiHo/hGheFGBZ+mc=
 github.com/go-faker/faker/v4 v4.6.1 h1:xUyVpAjEtB04l6XFY0V/29oR332rOSPWV4lU8RwDt4k=
 github.com/go-faker/faker/v4 v4.6.1/go.mod h1:arSdxNCSt7mOhdk8tEolvHeIJ7eX4OX80wXjKKvkKBY=
 github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas=
@@ -166,6 +176,8 @@ github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZ
 github.com/gobwas/httphead v0.1.0/go.mod h1:O/RXo79gxV8G+RqlR/otEwx4Q36zl9rqC5u12GKvMCM=
 github.com/gobwas/pool v0.2.1/go.mod h1:q8bcK0KcYlCgd9e7WYLm9LpyS+YeLd8JVDW6WezmKEw=
 github.com/gobwas/ws v1.2.1/go.mod h1:hRKAFb8wOxFROYNsT1bqfWnhX+b5MFeJM9r2ZSwg/KY=
+github.com/goccy/go-yaml v1.18.0 h1:8W7wMFS12Pcas7KU+VVkaiCng+kG8QiFeFwzFb+rwuw=
+github.com/goccy/go-yaml v1.18.0/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA=
 github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
@@ -210,8 +222,8 @@ github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6/go.mod h1:kf6iHlnVGwg
 github.com/google/pprof v0.0.0-20240727154555-813a5fbdbec8/go.mod h1:K1liHPHnj73Fdn/EKuT8nrFqBihUSKXoLYU0BuatOYo=
 github.com/google/pprof v0.0.0-20240827171923-fa2c70bbbfe5/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144=
 github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144=
-github.com/google/pprof v0.0.0-20250820193118-f64d9cf942d6 h1:EEHtgt9IwisQ2AZ4pIsMjahcegHh6rmhqxzIRQIyepY=
-github.com/google/pprof v0.0.0-20250820193118-f64d9cf942d6/go.mod h1:I6V7YzU0XDpsHqbsyrghnFZLO1gwK6NPTNvmetQIk9U=
+github.com/google/pprof v0.0.0-20260115054156-294ebfa9ad83 h1:z2ogiKUYzX5Is6zr/vP9vJGqPwcdqsWjOt+V8J7+bTc=
+github.com/google/pprof v0.0.0-20260115054156-294ebfa9ad83/go.mod h1:MxpfABSjhmINe3F1It9d+8exIHFvUqtLIRCdOGNXqiI=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/googleapis/gnostic v0.4.1/go.mod h1:LRhVm6pbyptWbWbuZ38d1eyptfvIytN3ir6b65WBswg=
@@ -233,6 +245,8 @@ github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
 github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
 github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
+github.com/joshdk/go-junit v1.0.0 h1:S86cUKIdwBHWwA6xCmFlf3RTLfVXYQfvanM5Uh+K6GE=
+github.com/joshdk/go-junit v1.0.0/go.mod h1:TiiV0PqkaNfFXjEiyjWM3XXrhVyCa1K4Zfga6W52ung=
 github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
 github.com/json-iterator/go v1.1.10/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
@@ -273,8 +287,12 @@ github.com/mailru/easyjson v0.7.0/go.mod h1:KAzv3t3aY1NaHWoQz1+4F1ccyAH66Jk7yos7
 github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
 github.com/mailru/easyjson v0.9.0 h1:PrnmzHw7262yW8sTBwxi1PdJA3Iw/EKBa8psRf7d9a4=
 github.com/mailru/easyjson v0.9.0/go.mod h1:1+xMtQp2MRNVL/V1bOzuP3aP8VNwRW55fQUto+XFtTU=
-github.com/microsoft/wmi v0.37.0 h1:TQ0+JHz8ogtl6twPOOQXA2ON2ErUS8WyInSq+yY4AT4=
-github.com/microsoft/wmi v0.37.0/go.mod h1:XF+cfluA15xGnSCYkJIYuj2vWzdm2YrNuvqlC+baWY0=
+github.com/maruel/natural v1.1.1 h1:Hja7XhhmvEFhcByqDoHz9QZbkWey+COd9xWfCfn1ioo=
+github.com/maruel/natural v1.1.1/go.mod h1:v+Rfd79xlw1AgVBjbO0BEQmptqb5HvL/k9GRHB7ZKEg=
+github.com/mfridman/tparse v0.18.0 h1:wh6dzOKaIwkUGyKgOntDW4liXSo37qg5AXbIhkMV3vE=
+github.com/mfridman/tparse v0.18.0/go.mod h1:gEvqZTuCgEhPbYk/2lS3Kcxg1GmTxxU7kTC8DvP0i/A=
+github.com/microsoft/wmi v0.38.3 h1:RVbn+m2jlPRsB2fLADXqabJj/EhMXQbvKM7OYS8VOv0=
+github.com/microsoft/wmi v0.38.3/go.mod h1:XF+cfluA15xGnSCYkJIYuj2vWzdm2YrNuvqlC+baWY0=
 github.com/moby/spdystream v0.5.0 h1:7r0J1Si3QO/kjRitvSLVVFUjxMEb/YLj6S9FF62JBCU=
 github.com/moby/spdystream v0.5.0/go.mod h1:xBAYlnt/ay+11ShkdFKNAG7LsyK/tmNBVvVOwrfMgdI=
 github.com/moby/sys/mountinfo v0.7.2 h1:1shs6aH5s4o5H2zQLn796ADW1wMrIwHsyJ2v9KouLrg=
@@ -318,8 +336,8 @@ github.com/onsi/ginkgo/v2 v2.17.2/go.mod h1:nP2DPOQoNsQmsVyv5rDA8JkXQoCs6goXIvr/
 github.com/onsi/ginkgo/v2 v2.19.0/go.mod h1:rlwLi9PilAFJ8jCg9UE1QP6VBpd6/xj3SRC0d6TU0To=
 github.com/onsi/ginkgo/v2 v2.20.1/go.mod h1:lG9ey2Z29hR41WMVthyJBGUBcBhGOtoPF2VFMvBXFCI=
 github.com/onsi/ginkgo/v2 v2.21.0/go.mod h1:7Du3c42kxCUegi0IImZ1wUQzMBVecgIHjR1C+NkhLQo=
-github.com/onsi/ginkgo/v2 v2.25.3 h1:Ty8+Yi/ayDAGtk4XxmmfUy4GabvM+MegeB4cDLRi6nw=
-github.com/onsi/ginkgo/v2 v2.25.3/go.mod h1:43uiyQC4Ed2tkOzLsEYm7hnrb7UJTWHYNsuy3bG/snE=
+github.com/onsi/ginkgo/v2 v2.28.0 h1:Rrf+lVLmtlBIKv6KrIGJCjyY8N36vDVcutbGJkyqjJc=
+github.com/onsi/ginkgo/v2 v2.28.0/go.mod h1:ArE1D/XhNXBXCBkKOLkbsb2c81dQHCRcF5zwn/ykDRo=
 github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA=
 github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY=
 github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo=
@@ -344,12 +362,12 @@ github.com/onsi/gomega v1.33.1/go.mod h1:U4R44UsT+9eLIaYRB2a5qajjtQYn0hauxvRm16A
 github.com/onsi/gomega v1.34.1/go.mod h1:kU1QgUvBDLXBJq618Xvm2LUX6rSAfRaFRTcdOeDLwwY=
 github.com/onsi/gomega v1.34.2/go.mod h1:v1xfxRgk0KIsG+QOdm7p8UosrOzPYRo60fd3B/1Dukc=
 github.com/onsi/gomega v1.35.1/go.mod h1:PvZbdDc8J6XJEpDK4HCuRBm8a6Fzp9/DmhC9C7yFlog=
-github.com/onsi/gomega v1.38.2 h1:eZCjf2xjZAqe+LeWvKb5weQ+NcPwX84kqJ0cZNxok2A=
-github.com/onsi/gomega v1.38.2/go.mod h1:W2MJcYxRGV63b418Ai34Ud0hEdTVXq9NW9+Sx6uXf3k=
+github.com/onsi/gomega v1.39.1 h1:1IJLAad4zjPn2PsnhH70V4DKRFlrCzGBNrNaru+Vf28=
+github.com/onsi/gomega v1.39.1/go.mod h1:hL6yVALoTOxeWudERyfppUcZXjMwIMLnuSfruD2lcfg=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
-github.com/opencontainers/selinux v1.11.1 h1:nHFvthhM0qY8/m+vfhJylliSshm8G1jJ2jDMcgULaH8=
-github.com/opencontainers/selinux v1.11.1/go.mod h1:E5dMC3VPuVvVHDYmi78qvhJp8+M586T4DlDRYpFkyec=
+github.com/opencontainers/selinux v1.13.0 h1:Zza88GWezyT7RLql12URvoxsbLfjFx988+LGaWfbL84=
+github.com/opencontainers/selinux v1.13.0/go.mod h1:XxWTed+A/s5NNq4GmYScVy+9jzXhGBVEOAyucdRUY8s=
 github.com/orisano/pixelmatch v0.0.0-20220722002657-fb0b55479cde/go.mod h1:nZgzbfBr3hhjoZnS66nKrHmduYNpc34ny7RK4z5/HM0=
 github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
 github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c h1:+mdjkGKdHQG3305AYmdv1U2eRNDiU2ErMBj1gwrq8eQ=
@@ -360,8 +378,6 @@ github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINE
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/prashantv/gostub v1.1.0 h1:BTyx3RfQjRHnUWaGF9oQos79AlQ5k8WNktv7VGvVH4g=
-github.com/prashantv/gostub v1.1.0/go.mod h1:A5zLQHz7ieHGG7is6LLXLz7I8+3LZzsrV0P1IAHhP5U=
 github.com/prometheus/client_golang v1.23.2 h1:Je96obch5RDVy3FDMndoUsjAhG5Edi49h0RJWRi/o0o=
 github.com/prometheus/client_golang v1.23.2/go.mod h1:Tb1a6LWHB3/SPIzCoaDXI4I8UHKeFTEQ1YCr+0Gyqmg=
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
@@ -375,8 +391,9 @@ github.com/prometheus/procfs v0.17.0 h1:FuLQ+05u4ZI+SS/w9+BWEM2TXiHKsUQ9TADiRH7D
 github.com/prometheus/procfs v0.17.0/go.mod h1:oPQLaDAMRbA+u8H5Pbfq+dl3VDAvHxMUOVhe0wYB2zw=
 github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
 github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4=
-github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
 github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
+github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
+github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
 github.com/rubiojr/go-vhd v0.0.0-20200706105327-02e210299021 h1:if3/24+h9Sq6eDx8UUz1SO9cT9tizyIsATfB7b4D3tc=
 github.com/rubiojr/go-vhd v0.0.0-20200706105327-02e210299021/go.mod h1:DM5xW0nvfNNm2uytzsvhI3OnX8uzaRAg8UX/CnDqbto=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
@@ -413,14 +430,22 @@ github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8
 github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
 github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
+github.com/tidwall/gjson v1.18.0 h1:FIDeeyB800efLX89e5a8Y0BNH+LOngJyGrIWxG2FKQY=
+github.com/tidwall/gjson v1.18.0/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk=
+github.com/tidwall/match v1.1.1 h1:+Ho715JplO36QYgwN9PGYNhgZvoUSc9X2c80KVTi+GA=
+github.com/tidwall/match v1.1.1/go.mod h1:eRSPERbgtNPcGhD8UCthc6PmLEQXEWd3PRB5JTxsfmM=
+github.com/tidwall/pretty v1.2.1 h1:qjsOFOWWQl+N3RsoF5/ssm1pHmJJwhjlSbZ51I6wMl4=
+github.com/tidwall/pretty v1.2.1/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU=
+github.com/tidwall/sjson v1.2.5 h1:kLy8mja+1c9jlljvWTlSazM7cKDRfJuR/bOJhcY5NcY=
+github.com/tidwall/sjson v1.2.5/go.mod h1:Fvgq9kS/6ociJEDnK0Fk1cpYF4FIW6ZF7LAe+6jwd28=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.4.1/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
-go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
-go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
+go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64=
+go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0 h1:Hf9xI/XLML9ElpiHVDNwvqI0hIFlzV8dgIr35kV1kRU=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0/go.mod h1:NfchwuyNoMcZ5MLHwPrODwUF1HWCXWrL31s8gSAdIKY=
 go.opentelemetry.io/otel v1.38.0 h1:RkfdswUDRimDg0m2Az18RKOsnI8UDzppJAtj01/Ymk8=
@@ -441,8 +466,6 @@ go.opentelemetry.io/otel/trace v1.38.0 h1:Fxk5bKrDZJUH+AMyyIXGcFAPah0oRcT+LuNtJr
 go.opentelemetry.io/otel/trace v1.38.0/go.mod h1:j1P9ivuFsTceSWe1oY+EeW3sc+Pp42sO++GHkg4wwhs=
 go.opentelemetry.io/proto/otlp v1.7.1 h1:gTOMpGDb0WTBOP8JaO72iL3auEZhVmAQg4ipjOVAtj4=
 go.opentelemetry.io/proto/otlp v1.7.1/go.mod h1:b2rVh6rfI/s2pHWNlB7ILJcRALpcNDzKhACevjI+ZnE=
-go.uber.org/automaxprocs v1.6.0 h1:O3y2/QNTOdbF+e/dpXNNW7Rx2hZ4sTIPyybbxyNqTUs=
-go.uber.org/automaxprocs v1.6.0/go.mod h1:ifeIMSnPZuznNm6jmdzmU3/bfk01Fe2fotchwEFJ8r8=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
 go.uber.org/mock v0.6.0 h1:hyF9dfmbgIX5EfOdasqLsWD6xqpNZlXblLB/Dbnwv3Y=
@@ -477,8 +500,8 @@ golang.org/x/crypto v0.25.0/go.mod h1:T+wALwcMOSE0kXgUAnPAHqTLW+XHgcELELW8VaDgm/
 golang.org/x/crypto v0.26.0/go.mod h1:GY7jblb9wI+FOo5y8/S2oY4zWP07AkOJ4+jxCqdqn54=
 golang.org/x/crypto v0.28.0/go.mod h1:rmgy+3RHxRZMyY0jjAJShp2zgEdOqj2AO7U0pYmeQ7U=
 golang.org/x/crypto v0.36.0/go.mod h1:Y4J0ReaxCR1IMaabaSMugxJES1EpwhBHhv2bDHklZvc=
-golang.org/x/crypto v0.42.0 h1:chiH31gIWm57EkTXpwnqf8qeuMUi0yekh6mT2AvFlqI=
-golang.org/x/crypto v0.42.0/go.mod h1:4+rDnOTJhQCx2q7/j6rAN5XDw8kPjeaXEUR2eL94ix8=
+golang.org/x/crypto v0.47.0 h1:V6e3FRj+n4dbpw86FJ8Fv7XVOql7TEwpHapKoMJ/GO8=
+golang.org/x/crypto v0.47.0/go.mod h1:ff3Y9VzzKbwSSEzWqJsJVBnWmRwRSHt/6Op5n9bQc4A=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56/go.mod h1:M4RDyNAINzryxdtnbRXRL/OHtkFuWGRjvuhBJpk2IlY=
 golang.org/x/exp v0.0.0-20250911091902-df9299821621 h1:2id6c1/gto0kaHYyrixvknJ8tUK/Qs5IsmBtrc+FtgU=
@@ -503,6 +526,8 @@ golang.org/x/mod v0.18.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/mod v0.19.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/mod v0.20.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/mod v0.21.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY=
+golang.org/x/mod v0.32.0 h1:9F4d3PHLljb6x//jOyokMv3eX+YDeepZSEo3mFJy93c=
+golang.org/x/mod v0.32.0/go.mod h1:SgipZ/3h2Ci89DlEtEXWUk/HteuRin+HHhN+WbNhguU=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -547,13 +572,13 @@ golang.org/x/net v0.27.0/go.mod h1:dDi0PyhWNoiUOrAS8uXv/vnScO4wnHQO4mj9fn/RytE=
 golang.org/x/net v0.28.0/go.mod h1:yqtgsTWOOnlGLG9GFRrK3++bGOUEkNBoHZc8MEDWPNg=
 golang.org/x/net v0.30.0/go.mod h1:2wGyMJ5iFasEhkwi13ChkO/t1ECNC4X4eBKkVFyYFlU=
 golang.org/x/net v0.38.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8=
-golang.org/x/net v0.44.0 h1:evd8IRDyfNBMBTTY5XRF1vaZlD+EmWx6x8PkhR04H/I=
-golang.org/x/net v0.44.0/go.mod h1:ECOoLqd5U3Lhyeyo/QDCEVQ4sNgYsqvCZ722XogGieY=
+golang.org/x/net v0.49.0 h1:eeHFmOGUTtaaPSGNmjBKpbng9MulQsJURQUAfUwY++o=
+golang.org/x/net v0.49.0/go.mod h1:/ysNB2EvaqvesRkuLAyjI1ycPZlQHM3q01F02UY/MV8=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.27.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
-golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI=
-golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU=
+golang.org/x/oauth2 v0.32.0 h1:jsCblLleRMDrxMN29H3z/k1KliIvpLgCkE6R8FXXNgY=
+golang.org/x/oauth2 v0.32.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -570,8 +595,8 @@ golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.12.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
-golang.org/x/sync v0.17.0 h1:l60nONMj9l5drqw6jlhIELNv9I0A4OFgRsG9k2oT9Ug=
-golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4=
+golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -620,8 +645,8 @@ golang.org/x/sys v0.23.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.24.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.26.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
-golang.org/x/sys v0.36.0 h1:KVRy2GtZBrk1cBYA7MKu5bEZFxQk4NIDV6RLVcC8o0k=
-golang.org/x/sys v0.36.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/sys v0.40.0 h1:DBZZqJ2Rkml6QMQsZywtnjnnGvHza6BTfYFWY9kjEWQ=
+golang.org/x/sys v0.40.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
 golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE=
 golang.org/x/telemetry v0.0.0-20240521205824-bda55230c457/go.mod h1:pRgIJT+bRLFKnoM1ldnzKoxTIn14Yxz928LQRYYgIN0=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
@@ -648,8 +673,8 @@ golang.org/x/term v0.22.0/go.mod h1:F3qCibpT5AMpCRfhfT53vVJwhLtIVHhB9XDjfFvnMI4=
 golang.org/x/term v0.23.0/go.mod h1:DgV24QBUrK6jhZXl+20l6UWznPlwAHm1Q1mGHtydmSk=
 golang.org/x/term v0.25.0/go.mod h1:RPyXicDX+6vLxogjjRxjgD2TKtmAO6NZBsBRfrOLu7M=
 golang.org/x/term v0.30.0/go.mod h1:NYYFdzHoI5wRh/h5tDMdMqCqPJZEuNqVR5xJLd/n67g=
-golang.org/x/term v0.35.0 h1:bZBVKBudEyhRcajGcNc3jIfWPqV4y/Kt2XcoigOWtDQ=
-golang.org/x/term v0.35.0/go.mod h1:TPGtkTLesOwf2DE8CgVYiZinHAOuy5AYUYT1lENIZnA=
+golang.org/x/term v0.39.0 h1:RclSuaJf32jOqZz74CkPA9qFuVTX7vhLlpfj/IGWlqY=
+golang.org/x/term v0.39.0/go.mod h1:yxzUCTP/U+FzoxfdKmLaA0RV1WgE0VY7hXBwKtY/4ww=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
@@ -670,8 +695,8 @@ golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI=
 golang.org/x/text v0.17.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY=
 golang.org/x/text v0.19.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY=
 golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4=
-golang.org/x/text v0.29.0 h1:1neNs90w9YzJ9BocxfsQNHKuAT4pkghyXc4nhZ6sJvk=
-golang.org/x/text v0.29.0/go.mod h1:7MhJOA9CD2qZyOKYazxdYMF85OwPdEr9jTtBpO7ydH4=
+golang.org/x/text v0.33.0 h1:B3njUFyqtHDUI5jMn1YIr5B0IE2U0qck04r6d4KPAxE=
+golang.org/x/text v0.33.0/go.mod h1:LuMebE6+rBincTi9+xWTY8TztLzKHc/9C1uBCG27+q8=
 golang.org/x/time v0.0.0-20200416051211-89c76fbcd5d1/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.9.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/time v0.13.0 h1:eUlYslOIt32DgYD6utsuUeHs4d7AsEYLuIAdg7FlYgI=
@@ -708,8 +733,8 @@ golang.org/x/tools v0.22.0/go.mod h1:aCwcsjqvq7Yqt6TNyX7QMU2enbQ/Gt0bo6krSeEri+c
 golang.org/x/tools v0.23.0/go.mod h1:pnu6ufv6vQkll6szChhK3C3L/ruaIv5eBeztNG8wtsI=
 golang.org/x/tools v0.24.0/go.mod h1:YhNqVBIfWHdzvTLs0d8LCuMhkKUgSUKldakyV7W/WDQ=
 golang.org/x/tools v0.26.0/go.mod h1:TPVVj70c7JJ3WCazhD8OdXcZg/og+b9+tH/KxylGwH0=
-golang.org/x/tools v0.37.0 h1:DVSRzp7FwePZW356yEAChSdNcQo6Nsp+fex1SUW09lE=
-golang.org/x/tools v0.37.0/go.mod h1:MBN5QPQtLMHVdvsbtarmTNukZDdgwdwlO5qGacAzF0w=
+golang.org/x/tools v0.41.0 h1:a9b8iMweWG+S0OBnlU36rzLp20z1Rp10w+IY2czHTQc=
+golang.org/x/tools v0.41.0/go.mod h1:XSY6eDqxVNiYgezAVqqCeihT4j1U2CCsqvH3WhQpnlg=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -721,15 +746,15 @@ google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7
 google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
 google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
 google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
-google.golang.org/genproto/googleapis/api v0.0.0-20250826171959-ef028d996bc1 h1:APHvLLYBhtZvsbnpkfknDZ7NyH4z5+ub/I0u8L3Oz6g=
-google.golang.org/genproto/googleapis/api v0.0.0-20250826171959-ef028d996bc1/go.mod h1:xUjFWUnWDpZ/C0Gu0qloASKFb6f8/QXiiXhSPFsD668=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250826171959-ef028d996bc1 h1:pmJpJEvT846VzausCQ5d7KreSROcDqmO388w5YbnltA=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250826171959-ef028d996bc1/go.mod h1:GmFNa4BdJZ2a8G+wCe9Bg3wwThLrJun751XstdJt5Og=
+google.golang.org/genproto/googleapis/api v0.0.0-20251029180050-ab9386a59fda h1:+2XxjfsAu6vqFxwGBRcHiMaDCuZiqXGDUDVWVtrFAnE=
+google.golang.org/genproto/googleapis/api v0.0.0-20251029180050-ab9386a59fda/go.mod h1:fDMmzKV90WSg1NbozdqrE64fkuTv6mlq2zxo9ad+3yo=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20251029180050-ab9386a59fda h1:i/Q+bfisr7gq6feoJnS/DlpdwEL4ihp41fvRiM3Ork0=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20251029180050-ab9386a59fda/go.mod h1:7i2o+ce6H/6BluujYR+kqX3GKH+dChPTQU19wjRPiGk=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
 google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
-google.golang.org/grpc v1.75.1 h1:/ODCNEuf9VghjgO3rqLcfg8fiOP0nSluljWFlDxELLI=
-google.golang.org/grpc v1.75.1/go.mod h1:JtPAzKiq4v1xcAB2hydNlWI2RnF85XXcV0mhKXr2ecQ=
+google.golang.org/grpc v1.78.0 h1:K1XZG/yGDJnzMdd/uZHAkVqJE+xIDOcmdSFZkBUicNc=
+google.golang.org/grpc v1.78.0/go.mod h1:I47qjTo4OKbMkjA/aOOwxDIiPSBofUtQUI5EfpWvW7U=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
 google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
@@ -746,8 +771,8 @@ google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHh
 google.golang.org/protobuf v1.34.1/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
 google.golang.org/protobuf v1.35.1/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
 google.golang.org/protobuf v1.36.5/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
-google.golang.org/protobuf v1.36.9 h1:w2gp2mA27hUeUzj9Ex9FBjsBm40zfaDtEWow293U7Iw=
-google.golang.org/protobuf v1.36.9/go.mod h1:fuxRtAxBytpl4zzqUh6/eyUujkJdNiuEkXntxiD/uRU=
+google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE=
+google.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
@@ -810,8 +835,8 @@ k8s.io/kubectl v0.34.1 h1:1qP1oqT5Xc93K+H8J7ecpBjaz511gan89KO9Vbsh/OI=
 k8s.io/kubectl v0.34.1/go.mod h1:JRYlhJpGPyk3dEmJ+BuBiOB9/dAvnrALJEiY/C5qa6A=
 k8s.io/kubelet v0.32.2 h1:WFTSYdt3BB1aTApDuKNI16x/4MYqqX8WBBBBh3KupDg=
 k8s.io/kubelet v0.32.2/go.mod h1:cC1ms5RS+lu0ckVr6AviCQXHLSPKEBC3D5oaCBdTGkI=
-k8s.io/kubernetes v1.34.1 h1:F3p8dtpv+i8zQoebZeK5zBqM1g9x1aIdnA5vthvcuUk=
-k8s.io/kubernetes v1.34.1/go.mod h1:iu+FhII+Oc/1gGWLJcer6wpyih441aNFHl7Pvm8yPto=
+k8s.io/kubernetes v1.34.3 h1:0TfljWbhEF5DBks+WFMSrvKfxBLo4vnZuqORjLMiyT4=
+k8s.io/kubernetes v1.34.3/go.mod h1:m6pZk6a179pRo2wsTiCPORJ86iOEQmfIzUvtyEF8BwA=
 k8s.io/mount-utils v0.34.1 h1:zMBEFav8Rxwm54S8srzy5FxAc4KQ3X4ZcjnqTCzHmZk=
 k8s.io/mount-utils v0.34.1/go.mod h1:MIjjYlqJ0ziYQg0MO09kc9S96GIcMkhF/ay9MncF0GA=
 k8s.io/pod-security-admission v0.34.1 h1:XsP5eh8qCj69hK0a5TBMU4Ed7Ckn8JEmmbk/iepj+XM=
diff --git a/hack/verify-helm-chart-index.sh b/hack/verify-helm-chart-index.sh
index b02a62a2a7..01d632f2a8 100755
--- a/hack/verify-helm-chart-index.sh
+++ b/hack/verify-helm-chart-index.sh
@@ -44,7 +44,7 @@ function check_url() {
 			echo "ignore $url"
 			return
 		fi
-		#exit 1
+		exit 1
 	fi
     fi
 }
diff --git a/pkg/azurefile-proxy/install-proxy.sh b/pkg/azurefile-proxy/install-proxy.sh
index b8a37e9d77..d1d770c2dd 100644
--- a/pkg/azurefile-proxy/install-proxy.sh
+++ b/pkg/azurefile-proxy/install-proxy.sh
@@ -27,18 +27,22 @@ fi
 if [ "${INSTALL_AZNFS_MOUNT}" = "true" ];then
   # install aznfs-mount on ubuntu
   if [ "$DISTRIBUTION" = "ubuntu" ];then
-    AZNFS_VERSION="0.3.15"
-    echo "install aznfs v$AZNFS_VERSION...."
+    if [ -z "${AZNFS_UBUNTU_VERSION}" ]; then
+      AZNFS_UBUNTU_VERSION="3.0.10"
+    fi
+    echo "install aznfs v$AZNFS_UBUNTU_VERSION...."
     # shellcheck disable=SC1091
     $HOST_CMD curl -sSL -O "https://packages.microsoft.com/config/$(. /host/etc/os-release && echo "$ID/$VERSION_ID")/packages-microsoft-prod.deb"
     yes | $HOST_CMD dpkg -i packages-microsoft-prod.deb && $HOST_CMD apt-get update
     $HOST_CMD rm packages-microsoft-prod.deb
-    $HOST_CMD apt-get install -y aznfs="$AZNFS_VERSION"
+    $HOST_CMD apt-get install -y aznfs="$AZNFS_UBUNTU_VERSION" --allow-downgrades
     echo "aznfs-mount installed"
   elif [ "$DISTRIBUTION" = "azurelinux" ];then # install aznfs-mount on azure linux 3.0
-    AZNFS_VERSION="0.1.548"
-    echo "install aznfs v$AZNFS_VERSION...."
-    $HOST_CMD curl -fsSL https://github.com/Azure/AZNFS-mount/releases/download/$AZNFS_VERSION/aznfs_install.sh | $HOST_CMD bash
+    if [ -z "${AZNFS_AZURELINUX_VERSION}" ]; then
+      AZNFS_AZURELINUX_VERSION="0.1.548"
+    fi
+    echo "install aznfs v$AZNFS_AZURELINUX_VERSION...."
+    $HOST_CMD curl -fsSL https://github.com/Azure/AZNFS-mount/releases/download/$AZNFS_AZURELINUX_VERSION/aznfs_install.sh | $HOST_CMD bash
   else
     echo "aznfs-mount is not supported on Linux distribution: $DISTRIBUTION"
     exit 0
@@ -64,8 +68,12 @@ if [ "${INSTALL_AZUREFILE_PROXY}" = "true" ];then
   fi
   if [ "$updateAzurefileProxy" = "true" ];then
     echo "copy azurefile-proxy...."
+    # if it reports "Read-only file system" error here, return as success
+    if ! cp /azurefile-proxy/azurefile-proxy /host/usr/bin/azurefile-proxy --force; then
+      echo "Warning: failed to copy azurefile-proxy, possibly due to read-only file system, continue..."
+      exit 0
+    fi
     rm -rf /host/"$KUBELET_PATH"/plugins/file.csi.azure.com/azurefile-proxy.sock
-    cp /azurefile-proxy/azurefile-proxy /host/usr/bin/azurefile-proxy --force
     chmod 755 /host/usr/bin/azurefile-proxy
   fi
 
@@ -81,7 +89,12 @@ if [ "${INSTALL_AZUREFILE_PROXY}" = "true" ];then
   if [ "$updateService" = "true" ];then
     echo "copy azurefile-proxy.service...."
     mkdir -p /host/usr/lib/systemd/system
-    cp /azurefile-proxy/azurefile-proxy.service /host/usr/lib/systemd/system/azurefile-proxy.service
+
+    # if it reports "Read-only file system" error here, return as success
+    if ! cp /azurefile-proxy/azurefile-proxy.service /host/usr/lib/systemd/system/azurefile-proxy.service; then
+      echo "Warning: failed to copy azurefile-proxy.service, possibly due to read-only file system, continue..."
+      exit 0
+    fi
   fi
 
   $HOST_CMD systemctl daemon-reload
diff --git a/pkg/azurefile-proxy/server/server.go b/pkg/azurefile-proxy/server/server.go
index 74dd94f5e1..c8221a3e1f 100644
--- a/pkg/azurefile-proxy/server/server.go
+++ b/pkg/azurefile-proxy/server/server.go
@@ -21,17 +21,15 @@ import (
 	"fmt"
 	"net"
 	"strings"
-	"sync"
+	"time"
 
 	grpcprom "github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus"
 	"google.golang.org/grpc"
 	"k8s.io/klog/v2"
 	mount_utils "k8s.io/mount-utils"
+	"sigs.k8s.io/azurefile-csi-driver/pkg/azurefile"
 	mount_azurefile "sigs.k8s.io/azurefile-csi-driver/pkg/azurefile-proxy/pb"
-)
-
-var (
-	mutex sync.Mutex
+	volumehelper "sigs.k8s.io/azurefile-csi-driver/pkg/util"
 )
 
 type MountServer struct {
@@ -52,8 +50,6 @@ func NewMountServiceServer() *MountServer {
 func (server *MountServer) MountAzureFile(_ context.Context,
 	req *mount_azurefile.MountAzureFileRequest,
 ) (resp *mount_azurefile.MountAzureFileResponse, err error) {
-	mutex.Lock()
-	defer mutex.Unlock()
 
 	source := req.GetSource()
 	target := req.GetTarget()
@@ -62,8 +58,16 @@ func (server *MountServer) MountAzureFile(_ context.Context,
 	sensitiveOptions := req.GetSensitiveOptions()
 	klog.V(2).Infof("received mount request: source: %s, target: %s, fstype: %s, options: %s", source, target, fstype, strings.Join(options, ","))
 
-	err = server.mounter.MountSensitive(source, target, fstype, options, sensitiveOptions)
-	if err != nil {
+	execFunc := func() error {
+		return server.mounter.MountSensitive(source, target, fstype, options, sensitiveOptions)
+	}
+
+	mountTimeoutInSec := azurefile.MountTimeoutInSec - 2
+	timeoutFunc := func() error {
+		return fmt.Errorf("mount operation timed out after %d seconds: source=%s, target=%s", mountTimeoutInSec, source, target)
+	}
+
+	if err = volumehelper.WaitUntilTimeout(time.Duration(mountTimeoutInSec)*time.Second, execFunc, timeoutFunc); err != nil {
 		klog.Error("azurefile mount failed: with error:", err.Error())
 		return nil, fmt.Errorf("azurefile mount failed: %v", err)
 	}
diff --git a/pkg/azurefile/azurefile.go b/pkg/azurefile/azurefile.go
index cf4d289167..8451f33aa8 100644
--- a/pkg/azurefile/azurefile.go
+++ b/pkg/azurefile/azurefile.go
@@ -20,10 +20,13 @@ import (
 	"bytes"
 	"context"
 	"encoding/binary"
+	"encoding/json"
 	"errors"
 	"fmt"
 	"net/http"
 	"net/url"
+	"os"
+	"path/filepath"
 	"strconv"
 	"strings"
 	"sync"
@@ -88,6 +91,7 @@ const (
 	defaultAzureFileQuota = 100
 	minimumAccountQuota   = 100 // GB
 
+	DefaultTokenAudience = "api://AzureADTokenExchange/.default"
 	// key of snapshot name in metadata
 	snapshotNameKey = "initiator"
 
@@ -168,6 +172,7 @@ const (
 	runtimeClassHandlerField          = "runtimeclasshandler"
 	defaultRuntimeClassHandler        = "kata-cc"
 	mountWithManagedIdentityField     = "mountwithmanagedidentity"
+	mountWithWITokenField             = "mountwithworkloadidentitytoken"
 
 	accountNotProvisioned = "StorageAccountIsNotProvisioned"
 	// this is a workaround fix for 429 throttling issue, will update cloud provider for better fix later
@@ -213,6 +218,8 @@ const (
 
 	standardv2 = "standardv2"
 	premiumv2  = "premiumv2"
+
+	MountTimeoutInSec = 90
 )
 
 var (
@@ -227,6 +234,8 @@ var (
 	azcopyCloneVolumeOptions = []string{"--recursive", "--check-length=false", "--log-level=ERROR"}
 	// azcopySnapshotRestoreOptions used in smb snapshot restore and set --check-length to true because snapshot data is changeless
 	azcopySnapshotRestoreOptions = []string{"--recursive", "--check-length=true", "--log-level=ERROR"}
+
+	defaultAzureOAuthTokenDir = "/var/lib/kubelet/plugins/" + DefaultDriverName
 )
 
 // Driver implements all interfaces of CSI drivers
@@ -305,11 +314,12 @@ type Driver struct {
 	// azcopy for provide exec mock for ut
 	azcopy *fileutil.Azcopy
 
-	kubeconfig   string
-	endpoint     string
-	resolver     Resolver
-	directVolume DirectVolume
-	isKataNode   bool
+	kubeconfig            string
+	endpoint              string
+	resolver              Resolver
+	directVolume          DirectVolume
+	isKataNode            bool
+	requiredAzCopyToTrust bool
 }
 
 // NewDriver Creates a NewCSIDriver object. Assumes vendor version is equal to driver version &
@@ -427,7 +437,14 @@ func (d *Driver) Run(ctx context.Context) error {
 	if err != nil {
 		klog.Fatalf("failed to get Azure Cloud Provider, error: %v", err)
 	}
+	// pass if the storageEndpointSuffix must be trusted by azCopy by checking if it is not in azcopyTrustedSuffixesAAD
+	requiredAzCopyToTrust := d.getStorageEndPointSuffix() != "" && !strings.Contains(azcopyTrustedSuffixesAAD, d.getStorageEndPointSuffix())
+
 	klog.V(2).Infof("cloud: %s, location: %s, rg: %s, VnetName: %s, VnetResourceGroup: %s, SubnetName: %s", d.cloud.Cloud, d.cloud.Location, d.cloud.ResourceGroup, d.cloud.VnetName, d.cloud.VnetResourceGroup, d.cloud.SubnetName)
+	if requiredAzCopyToTrust {
+		klog.V(2).Infof("storage endpoint suffix %s is not in azcopy trusted suffixes, azcopy will trust it temporarily during volume clone and snapshot restore", d.getStorageEndPointSuffix())
+	}
+	d.requiredAzCopyToTrust = requiredAzCopyToTrust
 
 	d.mounter, err = mounter.NewSafeMounter(d.enableWindowsHostProcess, d.useWinCIMAPI)
 	if err != nil {
@@ -794,8 +811,8 @@ func IsCorruptedDir(dir string) bool {
 }
 
 // GetAccountInfo get account info
-// return 
-func (d *Driver) GetAccountInfo(ctx context.Context, volumeID string, secrets, reqContext map[string]string) (string, string, string, string, string, string, error) {
+// return 
+func (d *Driver) GetAccountInfo(ctx context.Context, volumeID string, secrets, reqContext map[string]string) (string, string, string, string, string, string, string, string, error) {
 	rgName, accountName, fileShareName, diskName, secretNamespace, subsID, err := GetFileShareInfo(volumeID)
 	if err != nil {
 		// ignore volumeID parsing error
@@ -805,8 +822,8 @@ func (d *Driver) GetAccountInfo(ctx context.Context, volumeID string, secrets, r
 
 	var protocol, accountKey, secretName, pvcNamespace string
 	// getAccountKeyFromSecret indicates whether get account key only from k8s secret
-	var getAccountKeyFromSecret, getLatestAccountKey, mountWithManagedIdentity bool
-	var clientID, tenantID, serviceAccountToken string
+	var getAccountKeyFromSecret, getLatestAccountKey, mountWithManagedIdentity, mountWithWIToken bool
+	var clientID, tenantID, tokenFilePath, serviceAccountToken string
 
 	for k, v := range reqContext {
 		switch strings.ToLower(k) {
@@ -834,13 +851,17 @@ func (d *Driver) GetAccountInfo(ctx context.Context, volumeID string, secrets, r
 			pvcNamespace = v
 		case getLatestAccountKeyField:
 			if getLatestAccountKey, err = strconv.ParseBool(v); err != nil {
-				return rgName, accountName, accountKey, fileShareName, diskName, subsID, fmt.Errorf("invalid %s: %s in volume context", getLatestAccountKeyField, v)
+				return rgName, accountName, accountKey, fileShareName, diskName, subsID, tenantID, tokenFilePath, fmt.Errorf("invalid %s: %s in volume context", getLatestAccountKeyField, v)
 			}
 		case clientIDField:
 			clientID = v
 		case mountWithManagedIdentityField:
 			if mountWithManagedIdentity, err = strconv.ParseBool(v); err != nil {
-				return rgName, accountName, accountKey, fileShareName, diskName, subsID, fmt.Errorf("invalid %s: %s in volume context", mountWithManagedIdentityField, v)
+				return rgName, accountName, accountKey, fileShareName, diskName, subsID, tenantID, tokenFilePath, fmt.Errorf("invalid %s: %s in volume context", mountWithManagedIdentityField, v)
+			}
+		case mountWithWITokenField:
+			if mountWithWIToken, err = strconv.ParseBool(v); err != nil {
+				return rgName, accountName, accountKey, fileShareName, diskName, subsID, tenantID, tokenFilePath, fmt.Errorf("invalid %s: %s in volume context", mountWithWITokenField, v)
 			}
 		case tenantIDField:
 			tenantID = v
@@ -860,7 +881,7 @@ func (d *Driver) GetAccountInfo(ctx context.Context, volumeID string, secrets, r
 	}
 	if protocol == nfs && fileShareName != "" {
 		// nfs protocol does not need account key, return directly
-		return rgName, accountName, accountKey, fileShareName, diskName, subsID, err
+		return rgName, accountName, accountKey, fileShareName, diskName, subsID, tenantID, tokenFilePath, err
 	}
 
 	if secretNamespace == "" {
@@ -873,13 +894,43 @@ func (d *Driver) GetAccountInfo(ctx context.Context, volumeID string, secrets, r
 
 	if mountWithManagedIdentity {
 		klog.V(2).Infof("mountWithManagedIdentity is true, use managed identity auth")
-		return rgName, accountName, accountKey, fileShareName, diskName, subsID, nil
+		return rgName, accountName, accountKey, fileShareName, diskName, subsID, tenantID, tokenFilePath, nil
+	}
+
+	if mountWithWIToken {
+		if clientID == "" {
+			clientID = d.cloud.Config.AzureAuthConfig.UserAssignedIdentityID
+			if clientID == "" {
+				return rgName, accountName, accountKey, fileShareName, diskName, subsID, tenantID, tokenFilePath, fmt.Errorf("clientID is empty for workload identity auth")
+			}
+		}
+		klog.V(2).Infof("mountWithWorkloadIdentityToken is specified, use workload identity auth for mount, clientID: %s, tenantID: %s", clientID, tenantID)
+		token, err := parseServiceAccountToken(serviceAccountToken)
+		if err != nil {
+			return rgName, accountName, accountKey, fileShareName, diskName, subsID, tenantID, tokenFilePath, fmt.Errorf("failed to parse service account token: %v", err)
+		}
+		tokenFileName := clientID + "-" + accountName
+		if !isValidTokenFileName(tokenFileName) {
+			return rgName, accountName, accountKey, fileShareName, diskName, subsID, tenantID, tokenFilePath, fmt.Errorf("invalid token file name(%s) generated for clientID(%s) and accountName(%s)", tokenFileName, clientID, accountName)
+		}
+		tokenFilePath = filepath.Join(defaultAzureOAuthTokenDir, tokenFileName)
+		// check whether token value is the same as the one in the token file
+		existingToken, readErr := os.ReadFile(tokenFilePath)
+		if readErr == nil && string(existingToken) == token {
+			klog.V(4).Infof("the token file(%s) already exists and the token value is the same, no need to rewrite the token file", tokenFilePath)
+			return rgName, accountName, accountKey, fileShareName, diskName, subsID, tenantID, "", nil
+		}
+		// write token to a file
+		if err := os.WriteFile(tokenFilePath, []byte(token), 0600); err != nil {
+			return rgName, accountName, accountKey, fileShareName, diskName, subsID, tenantID, tokenFilePath, fmt.Errorf("failed to write azure oAuth token file(%s): %v", tokenFilePath, err)
+		}
+		return rgName, accountName, accountKey, fileShareName, diskName, subsID, tenantID, tokenFilePath, err
 	}
 
 	if clientID != "" {
 		klog.V(2).Infof("clientID(%s) is specified, use service account token to get account key", clientID)
 		accountKey, err := d.cloud.GetStorageAccesskeyFromServiceAccountToken(ctx, subsID, accountName, rgName, clientID, tenantID, serviceAccountToken)
-		return rgName, accountName, accountKey, fileShareName, diskName, subsID, err
+		return rgName, accountName, accountKey, fileShareName, diskName, subsID, tenantID, "", err
 	}
 
 	if len(secrets) == 0 {
@@ -887,7 +938,7 @@ func (d *Driver) GetAccountInfo(ctx context.Context, volumeID string, secrets, r
 		// 1. get account key from cache first
 		cache, errCache := d.accountCacheMap.Get(ctx, accountName, azcache.CacheReadTypeDefault)
 		if errCache != nil {
-			return rgName, accountName, accountKey, fileShareName, diskName, subsID, errCache
+			return rgName, accountName, accountKey, fileShareName, diskName, subsID, tenantID, tokenFilePath, errCache
 		}
 		if cache != nil {
 			accountKey = cache.(string)
@@ -929,7 +980,7 @@ func (d *Driver) GetAccountInfo(ctx context.Context, volumeID string, secrets, r
 	if err == nil && accountKey != "" {
 		d.accountCacheMap.Set(accountName, accountKey)
 	}
-	return rgName, accountName, accountKey, fileShareName, diskName, subsID, err
+	return rgName, accountName, accountKey, fileShareName, diskName, subsID, tenantID, tokenFilePath, err
 }
 
 func isSupportedProtocol(protocol string) bool {
@@ -1479,3 +1530,28 @@ func (d *Driver) createFolderIfNotExists(ctx context.Context, accountName, accou
 	klog.V(2).Infof("Successfully ensured folder path %s exists in share %s", folderName, fileShareName)
 	return nil
 }
+
+// serviceAccountToken represents the service account token sent from NodePublishVolume Request.
+// ref: https://kubernetes-csi.github.io/docs/token-requests.html
+type serviceAccountToken struct {
+	APIAzureADTokenExchange struct {
+		Token               string    `json:"token"`
+		ExpirationTimestamp time.Time `json:"expirationTimestamp"`
+	} `json:"api://AzureADTokenExchange"`
+}
+
+// parseServiceAccountToken parses the bound service account token from the token passed from NodePublishVolume Request.
+// ref: https://kubernetes-csi.github.io/docs/token-requests.html
+func parseServiceAccountToken(tokenStr string) (string, error) {
+	if len(tokenStr) == 0 {
+		return "", fmt.Errorf("service account token is empty")
+	}
+	token := serviceAccountToken{}
+	if err := json.Unmarshal([]byte(tokenStr), &token); err != nil {
+		return "", fmt.Errorf("failed to unmarshal service account tokens, error: %w", err)
+	}
+	if token.APIAzureADTokenExchange.Token == "" {
+		return "", fmt.Errorf("token for audience %s not found", DefaultTokenAudience)
+	}
+	return token.APIAzureADTokenExchange.Token, nil
+}
diff --git a/pkg/azurefile/azurefile_test.go b/pkg/azurefile/azurefile_test.go
index a74de1a983..8873b2cbba 100644
--- a/pkg/azurefile/azurefile_test.go
+++ b/pkg/azurefile/azurefile_test.go
@@ -838,6 +838,20 @@ func TestGetAccountInfo(t *testing.T) {
 			expectFileShareName: "test_sharename",
 			expectDiskName:      "test_diskname",
 		},
+		{
+			volumeID: "invalid_mountWithWITokenField_value##",
+			rgName:   "vol_2",
+			secrets:  emptySecret,
+			reqContext: map[string]string{
+				shareNameField:        "test_sharename",
+				mountWithWITokenField: "invalid",
+			},
+			expectErr:           true,
+			err:                 fmt.Errorf("invalid %s: %s in volume context", mountWithWITokenField, "invalid"),
+			expectAccountName:   "",
+			expectFileShareName: "test_sharename",
+			expectDiskName:      "test_diskname",
+		},
 	}
 
 	for _, test := range tests {
@@ -847,7 +861,7 @@ func TestGetAccountInfo(t *testing.T) {
 		d.kubeClient = clientSet
 		d.cloud.Environment = &azclient.Environment{StorageEndpointSuffix: "abc"}
 		mockStorageAccountsClient.EXPECT().ListKeys(gomock.Any(), gomock.Any(), test.rgName).Return(key, nil).AnyTimes()
-		rgName, accountName, _, fileShareName, diskName, _, err := d.GetAccountInfo(context.Background(), test.volumeID, test.secrets, test.reqContext)
+		rgName, accountName, _, fileShareName, diskName, _, _, _, err := d.GetAccountInfo(context.Background(), test.volumeID, test.secrets, test.reqContext)
 		if test.expectErr && err == nil {
 			t.Errorf("Unexpected non-error")
 			continue
@@ -2055,3 +2069,88 @@ func TestGetInfoFromSnapshotID(t *testing.T) {
 		})
 	}
 }
+
+func TestParseServiceAccountToken(t *testing.T) {
+	tests := []struct {
+		name          string
+		tokenStr      string
+		expectedToken string
+		expectedError string
+	}{
+		{
+			name:          "Empty token string",
+			tokenStr:      "",
+			expectedToken: "",
+			expectedError: "service account token is empty",
+		},
+		{
+			name:          "Invalid JSON",
+			tokenStr:      "invalid-json",
+			expectedToken: "",
+			expectedError: "failed to unmarshal service account tokens",
+		},
+		{
+			name:          "Valid token with audience",
+			tokenStr:      `{"api://AzureADTokenExchange":{"token":"test-token-value","expirationTimestamp":"2025-01-01T00:00:00Z"}}`,
+			expectedToken: "test-token-value",
+			expectedError: "",
+		},
+		{
+			name:          "Token with empty token value",
+			tokenStr:      `{"api://AzureADTokenExchange":{"token":"","expirationTimestamp":"2025-01-01T00:00:00Z"}}`,
+			expectedToken: "",
+			expectedError: "token for audience api://AzureADTokenExchange/.default not found",
+		},
+		{
+			name:          "Token with missing api://AzureADTokenExchange field",
+			tokenStr:      `{"someOtherField":{"token":"test-token","expirationTimestamp":"2025-01-01T00:00:00Z"}}`,
+			expectedToken: "",
+			expectedError: "token for audience api://AzureADTokenExchange/.default not found",
+		},
+		{
+			name:          "Token with partial JSON structure",
+			tokenStr:      `{"api://AzureADTokenExchange":{}}`,
+			expectedToken: "",
+			expectedError: "token for audience api://AzureADTokenExchange/.default not found",
+		},
+		{
+			name:          "Malformed JSON with extra characters",
+			tokenStr:      `{"api://AzureADTokenExchange":{"token":"test-token"}}extra`,
+			expectedToken: "",
+			expectedError: "failed to unmarshal service account tokens",
+		},
+		{
+			name:          "Token with special characters",
+			tokenStr:      `{"api://AzureADTokenExchange":{"token":"eyJhbGciOiJSUzI1NiIsImtpZCI6InRlc3QifQ.eyJzdWIiOiIxMjM0NTY3ODkwIn0.test","expirationTimestamp":"2025-01-01T00:00:00Z"}}`,
+			expectedToken: "eyJhbGciOiJSUzI1NiIsImtpZCI6InRlc3QifQ.eyJzdWIiOiIxMjM0NTY3ODkwIn0.test",
+			expectedError: "",
+		},
+		{
+			name:          "Token with unicode characters",
+			tokenStr:      `{"api://AzureADTokenExchange":{"token":"test-token-.","expirationTimestamp":"2025-01-01T00:00:00Z"}}`,
+			expectedToken: "test-token-.",
+			expectedError: "",
+		},
+		{
+			name:          "Token with whitespace in value",
+			tokenStr:      `{"api://AzureADTokenExchange":{"token":"  test-token  ","expirationTimestamp":"2025-01-01T00:00:00Z"}}`,
+			expectedToken: "  test-token  ",
+			expectedError: "",
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			token, err := parseServiceAccountToken(test.tokenStr)
+
+			if test.expectedError != "" {
+				assert.Error(t, err)
+				assert.Contains(t, err.Error(), test.expectedError)
+				assert.Equal(t, "", token)
+			} else {
+				assert.NoError(t, err)
+				assert.Equal(t, test.expectedToken, token)
+			}
+		})
+	}
+}
diff --git a/pkg/azurefile/controllerserver.go b/pkg/azurefile/controllerserver.go
index fbe2c6374f..2130c18d8b 100644
--- a/pkg/azurefile/controllerserver.go
+++ b/pkg/azurefile/controllerserver.go
@@ -41,6 +41,7 @@ import (
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/klog/v2"
 	"k8s.io/utils/ptr"
+	csiMetrics "sigs.k8s.io/azurefile-csi-driver/pkg/metrics"
 	azcache "sigs.k8s.io/cloud-provider-azure/pkg/cache"
 	"sigs.k8s.io/cloud-provider-azure/pkg/metrics"
 	"sigs.k8s.io/cloud-provider-azure/pkg/provider/storage"
@@ -63,6 +64,9 @@ const (
 	authorizationPermissionMismatch = "AuthorizationPermissionMismatch"
 
 	createdByMetadata = "createdBy"
+
+	// refer https://github.com/Azure/azure-storage-azcopy/wiki/azcopy
+	azcopyTrustedSuffixesAAD = "*.core.windows.net;*.core.chinacloudapi.cn;*.core.cloudapi.de;*.core.usgovcloudapi.net;*.storage.azure.net"
 )
 
 var (
@@ -117,9 +121,9 @@ func (d *Driver) CreateVolume(ctx context.Context, req *csi.CreateVolumeRequest)
 	}
 	var sku, subsID, resourceGroup, location, account, fileShareName, diskName, fsType, secretName string
 	var secretNamespace, pvcNamespace, protocol, customTags, storageEndpointSuffix, networkEndpointType, shareAccessTier, accountAccessTier, rootSquashType, tagValueDelimiter string
-	var createAccount, useSeretCache, matchTags, selectRandomMatchingAccount, getLatestAccountKey, encryptInTransit bool
+	var createAccount, useSeretCache, matchTags, selectRandomMatchingAccount, getLatestAccountKey, encryptInTransit, mountWithManagedIdentity, mountWithWIToken bool
 	var vnetResourceGroup, vnetName, vnetLinkName, publicNetworkAccess, subnetName, shareNamePrefix, fsGroupChangePolicy, useDataPlaneAPI string
-	var requireInfraEncryption, disableDeleteRetentionPolicy, enableLFS, isMultichannelEnabled, allowSharedKeyAccess, mountWithManagedIdentity *bool
+	var requireInfraEncryption, disableDeleteRetentionPolicy, enableLFS, isMultichannelEnabled, allowSharedKeyAccess *bool
 	var provisionedBandwidthMibps, provisionedIops *int32
 	// set allowBlobPublicAccess as false by default
 	allowBlobPublicAccess := ptr.To(false)
@@ -128,6 +132,7 @@ func (d *Driver) CreateVolume(ctx context.Context, req *csi.CreateVolumeRequest)
 	// store account key to k8s secret by default
 	storeAccountKey := true
 
+	var err error
 	var accountQuota int32
 	// Apply ProvisionerParameters (case-insensitive). We leave validation of
 	// the values to the cloud provider.
@@ -228,6 +233,7 @@ func (d *Driver) CreateVolume(ctx context.Context, req *csi.CreateVolumeRequest)
 		case serverNameField:
 		case folderNameField:
 		case clientIDField:
+		case tenantIDField:
 		case confidentialContainerLabelField:
 		case runtimeClassHandlerField:
 		case createFolderIfNotExistField:
@@ -294,16 +300,24 @@ func (d *Driver) CreateVolume(ctx context.Context, req *csi.CreateVolumeRequest)
 			}
 			provisionedIops = to.Ptr(int32(value))
 		case mountWithManagedIdentityField:
-			value, err := strconv.ParseBool(v)
+			mountWithManagedIdentity, err = strconv.ParseBool(v)
 			if err != nil {
 				return nil, status.Errorf(codes.InvalidArgument, "invalid %s: %s in storage class", mountWithManagedIdentityField, v)
 			}
-			mountWithManagedIdentity = &value
+		case mountWithWITokenField:
+			mountWithWIToken, err = strconv.ParseBool(v)
+			if err != nil {
+				return nil, status.Errorf(codes.InvalidArgument, "invalid %s: %s in storage class", mountWithWITokenField, v)
+			}
 		default:
 			return nil, status.Errorf(codes.InvalidArgument, "invalid parameter %q in storage class", k)
 		}
 	}
 
+	if mountWithManagedIdentity && mountWithWIToken {
+		return nil, status.Error(codes.InvalidArgument, "mountwithmanagedidentity and mountwithworkloadidentitytoken cannot be both true in storage class")
+	}
+
 	if matchTags && account != "" {
 		return nil, status.Errorf(codes.InvalidArgument, "matchTags must set as false when storageAccount(%s) is provided", account)
 	}
@@ -431,11 +445,11 @@ func (d *Driver) CreateVolume(ctx context.Context, req *csi.CreateVolumeRequest)
 			return nil, status.Errorf(codes.Internal, "failed to get account client for subscription %s: %v", subsID, err)
 		}
 		accountProperties, err := client.GetProperties(ctx, resourceGroup, account, nil)
-		if err != nil {
+		if err != nil || accountProperties == nil {
 			klog.Warningf("failed to get properties on storage account account(%s) rg(%s), error: %v", account, resourceGroup, err)
-		}
-		if accountProperties.SKU != nil {
+		} else if accountProperties.SKU != nil && accountProperties.SKU.Name != nil {
 			sku = string(*accountProperties.SKU.Name)
+			klog.V(2).Infof("storage account(%s) rg(%s) sku is %s", account, resourceGroup, sku)
 		}
 	}
 
@@ -512,6 +526,15 @@ func (d *Driver) CreateVolume(ctx context.Context, req *csi.CreateVolumeRequest)
 			requestName = "controller_create_volume_from_volume"
 		}
 	}
+
+	csiMC := csiMetrics.NewCSIMetricContext(requestName)
+	isOperationSucceeded := false
+	defer func() {
+		csiMC.ObserveWithLabels(isOperationSucceeded,
+			"protocol", string(shareProtocol),
+			"storage_account_type", sku)
+	}()
+
 	if sourceID != "" {
 		_, srcAccountName, _, _, _, _, err = GetFileShareInfo(sourceID) //nolint:dogsled
 		if err != nil {
@@ -521,6 +544,12 @@ func (d *Driver) CreateVolume(ctx context.Context, req *csi.CreateVolumeRequest)
 		}
 	}
 
+	var requiresSmbOAuth *bool
+	if mountWithManagedIdentity || mountWithWIToken {
+		klog.V(2).Info("enabling smb oauth for managed identity or work identity token based mount")
+		requiresSmbOAuth = to.Ptr(true)
+	}
+
 	accountOptions := &storage.AccountOptions{
 		Name:                                    account,
 		Type:                                    sku,
@@ -548,14 +577,13 @@ func (d *Driver) CreateVolume(ctx context.Context, req *csi.CreateVolumeRequest)
 		StorageType:                             storage.StorageTypeFile,
 		StorageEndpointSuffix:                   storageEndpointSuffix,
 		IsMultichannelEnabled:                   isMultichannelEnabled,
-		IsSmbOAuthEnabled:                       mountWithManagedIdentity,
+		IsSmbOAuthEnabled:                       requiresSmbOAuth,
 		PickRandomMatchingAccount:               selectRandomMatchingAccount,
 		GetLatestAccountKey:                     getLatestAccountKey,
 		SourceAccountName:                       srcAccountName,
 	}
 
 	mc := metrics.NewMetricContext(azureFileCSIDriverName, requestName, d.cloud.ResourceGroup, subsID, d.Name)
-	isOperationSucceeded := false
 	defer func() {
 		mc.ObserveOperationWithResult(isOperationSucceeded, VolumeID, volumeID)
 	}()
@@ -618,7 +646,7 @@ func (d *Driver) CreateVolume(ctx context.Context, req *csi.CreateVolumeRequest)
 
 	accountOptions.Name = accountName
 	secret := req.GetSecrets()
-	if len(secret) == 0 && (strings.EqualFold(useDataPlaneAPI, trueValue) || secretName != "") {
+	if len(secret) == 0 && strings.EqualFold(useDataPlaneAPI, trueValue) {
 		if accountKey == "" {
 			if accountKey, err = d.GetStorageAccesskey(ctx, accountOptions, secret, secretName, secretNamespace); err != nil {
 				return nil, status.Errorf(codes.Internal, "failed to GetStorageAccesskey on account(%s) rg(%s), error: %v", accountOptions.Name, accountOptions.ResourceGroup, err)
@@ -778,7 +806,13 @@ func (d *Driver) CreateVolume(ctx context.Context, req *csi.CreateVolumeRequest)
 }
 
 // DeleteVolume delete an azure file
-func (d *Driver) DeleteVolume(ctx context.Context, req *csi.DeleteVolumeRequest) (*csi.DeleteVolumeResponse, error) {
+func (d *Driver) DeleteVolume(ctx context.Context, req *csi.DeleteVolumeRequest) (resp *csi.DeleteVolumeResponse, returnedErr error) {
+	requestName := "controller_delete_volume"
+	csiMC := csiMetrics.NewCSIMetricContext(requestName)
+	defer func() {
+		csiMC.Observe(returnedErr == nil)
+	}()
+
 	volumeID := req.GetVolumeId()
 	if len(volumeID) == 0 {
 		return nil, status.Error(codes.InvalidArgument, "Volume ID missing in request")
@@ -816,17 +850,16 @@ func (d *Driver) DeleteVolume(ctx context.Context, req *csi.DeleteVolumeRequest)
 		}
 
 		// use data plane api, get account key first
-		_, _, accountKey, _, _, _, err := d.GetAccountInfo(ctx, volumeID, req.GetSecrets(), reqContext)
+		_, _, accountKey, _, _, _, _, _, err := d.GetAccountInfo(ctx, volumeID, req.GetSecrets(), reqContext)
 		if err != nil {
 			return nil, status.Errorf(codes.NotFound, "get account info from(%s) failed with error: %v", volumeID, err)
 		}
 		secret = createStorageAccountSecret(accountName, accountKey)
 	}
 
-	mc := metrics.NewMetricContext(azureFileCSIDriverName, "controller_delete_volume", resourceGroupName, subsID, d.Name)
-	isOperationSucceeded := false
+	mc := metrics.NewMetricContext(azureFileCSIDriverName, requestName, resourceGroupName, subsID, d.Name)
 	defer func() {
-		mc.ObserveOperationWithResult(isOperationSucceeded, VolumeID, volumeID)
+		mc.ObserveOperationWithResult(returnedErr == nil, VolumeID, volumeID)
 	}()
 
 	if err := d.DeleteFileShare(ctx, subsID, resourceGroupName, accountName, fileShareName, secret, useDataPlaneAPI); err != nil {
@@ -837,7 +870,6 @@ func (d *Driver) DeleteVolume(ctx context.Context, req *csi.DeleteVolumeRequest)
 		klog.Warningf("RemoveStorageAccountTag(%s) under rg(%s) account(%s) failed with %v", storage.SkipMatchingTag, resourceGroupName, accountName, err)
 	}
 
-	isOperationSucceeded = true
 	return &csi.DeleteVolumeResponse{}, nil
 }
 
@@ -870,7 +902,7 @@ func (d *Driver) ValidateVolumeCapabilities(ctx context.Context, req *csi.Valida
 		return nil, status.Error(codes.InvalidArgument, "Volume capabilities not provided")
 	}
 
-	resourceGroupName, accountName, _, fileShareName, diskName, subsID, err := d.GetAccountInfo(ctx, volumeID, req.GetSecrets(), req.GetVolumeContext())
+	resourceGroupName, accountName, _, fileShareName, diskName, subsID, _, _, err := d.GetAccountInfo(ctx, volumeID, req.GetSecrets(), req.GetVolumeContext()) //nolint:dogsled
 	if err != nil || accountName == "" || fileShareName == "" {
 		return nil, status.Errorf(codes.NotFound, "get account info from(%s) failed with error: %v", volumeID, err)
 	}
@@ -933,7 +965,13 @@ func (d *Driver) ControllerUnpublishVolume(_ context.Context, _ *csi.ControllerU
 }
 
 // CreateSnapshot create a snapshot
-func (d *Driver) CreateSnapshot(ctx context.Context, req *csi.CreateSnapshotRequest) (*csi.CreateSnapshotResponse, error) {
+func (d *Driver) CreateSnapshot(ctx context.Context, req *csi.CreateSnapshotRequest) (resp *csi.CreateSnapshotResponse, returnedErr error) {
+	requestName := "controller_create_snapshot"
+	csiMC := csiMetrics.NewCSIMetricContext(requestName)
+	defer func() {
+		csiMC.Observe(returnedErr == nil)
+	}()
+
 	sourceVolumeID := req.GetSourceVolumeId()
 	snapshotName := req.Name
 	if len(snapshotName) == 0 {
@@ -971,10 +1009,9 @@ func (d *Driver) CreateSnapshot(ctx context.Context, req *csi.CreateSnapshotRequ
 		useDataPlaneAPI = d.useDataPlaneAPI(ctx, sourceVolumeID, accountName)
 	}
 
-	mc := metrics.NewMetricContext(azureFileCSIDriverName, "controller_create_snapshot", rgName, subsID, d.Name)
-	isOperationSucceeded := false
+	mc := metrics.NewMetricContext(azureFileCSIDriverName, requestName, rgName, subsID, d.Name)
 	defer func() {
-		mc.ObserveOperationWithResult(isOperationSucceeded, SourceResourceID, sourceVolumeID, SnapshotName, snapshotName)
+		mc.ObserveOperationWithResult(returnedErr == nil, SourceResourceID, sourceVolumeID, SnapshotName, snapshotName)
 	}()
 
 	exists, itemSnapshot, itemSnapshotTime, itemSnapshotQuota, err := d.snapshotExists(ctx, sourceVolumeID, snapshotName, req.GetSecrets(), useDataPlaneAPI)
@@ -1068,7 +1105,7 @@ func (d *Driver) CreateSnapshot(ctx context.Context, req *csi.CreateSnapshotRequ
 		}
 	}
 
-	createResp := &csi.CreateSnapshotResponse{
+	resp = &csi.CreateSnapshotResponse{
 		Snapshot: &csi.Snapshot{
 			SizeBytes:      util.GiBToBytes(int64(itemSnapshotQuota)),
 			SnapshotId:     sourceVolumeID + "#" + itemSnapshot + "#" + subsID,
@@ -1079,12 +1116,18 @@ func (d *Driver) CreateSnapshot(ctx context.Context, req *csi.CreateSnapshotRequ
 		},
 	}
 
-	isOperationSucceeded = true
-	return createResp, nil
+	return resp, nil
 }
 
 // DeleteSnapshot delete a snapshot (todo)
 func (d *Driver) DeleteSnapshot(ctx context.Context, req *csi.DeleteSnapshotRequest) (*csi.DeleteSnapshotResponse, error) {
+	requestName := "controller_delete_snapshot"
+	csiMC := csiMetrics.NewCSIMetricContext(requestName)
+	isOperationSucceeded := false
+	defer func() {
+		csiMC.Observe(isOperationSucceeded)
+	}()
+
 	if len(req.SnapshotId) == 0 {
 		return nil, status.Error(codes.InvalidArgument, "Snapshot ID must be provided")
 	}
@@ -1106,8 +1149,7 @@ func (d *Driver) DeleteSnapshot(ctx context.Context, req *csi.DeleteSnapshotRequ
 		subsID = d.cloud.SubscriptionID
 	}
 
-	mc := metrics.NewMetricContext(azureFileCSIDriverName, "controller_delete_snapshot", rgName, subsID, d.Name)
-	isOperationSucceeded := false
+	mc := metrics.NewMetricContext(azureFileCSIDriverName, requestName, rgName, subsID, d.Name)
 	defer func() {
 		mc.ObserveOperationWithResult(isOperationSucceeded, SnapshotID, req.SnapshotId)
 	}()
@@ -1261,6 +1303,12 @@ func (d *Driver) copyFileShareByAzcopy(ctx context.Context, srcFileShareName, ds
 
 // execAzcopyCopy exec azcopy copy command
 func (d *Driver) execAzcopyCopy(srcPath, dstPath string, azcopyCopyOptions, authAzcopyEnv []string) ([]byte, error) {
+
+	// Use --trusted-microsoft-suffixes option to avoid failure caused by
+	if d.requiredAzCopyToTrust {
+		azcopyCopyOptions = append(azcopyCopyOptions, fmt.Sprintf("--trusted-microsoft-suffixes=%s", d.getStorageEndPointSuffix()))
+	}
+
 	cmd := exec.Command("azcopy", "copy", srcPath, dstPath)
 	cmd.Args = append(cmd.Args, azcopyCopyOptions...)
 	if len(authAzcopyEnv) > 0 {
@@ -1271,6 +1319,13 @@ func (d *Driver) execAzcopyCopy(srcPath, dstPath string, azcopyCopyOptions, auth
 
 // ControllerExpandVolume controller expand volume
 func (d *Driver) ControllerExpandVolume(ctx context.Context, req *csi.ControllerExpandVolumeRequest) (*csi.ControllerExpandVolumeResponse, error) {
+	requestName := "controller_expand_volume"
+	csiMC := csiMetrics.NewCSIMetricContext(requestName)
+	isOperationSucceeded := false
+	defer func() {
+		csiMC.Observe(isOperationSucceeded)
+	}()
+
 	volumeID := req.GetVolumeId()
 	if len(volumeID) == 0 {
 		return nil, status.Error(codes.InvalidArgument, "Volume ID missing in request")
@@ -1309,8 +1364,7 @@ func (d *Driver) ControllerExpandVolume(ctx context.Context, req *csi.Controller
 		}
 	}
 
-	mc := metrics.NewMetricContext(azureFileCSIDriverName, "controller_expand_volume", resourceGroupName, subsID, d.Name)
-	isOperationSucceeded := false
+	mc := metrics.NewMetricContext(azureFileCSIDriverName, requestName, resourceGroupName, subsID, d.Name)
 	defer func() {
 		mc.ObserveOperationWithResult(isOperationSucceeded, VolumeID, volumeID)
 	}()
@@ -1323,7 +1377,7 @@ func (d *Driver) ControllerExpandVolume(ctx context.Context, req *csi.Controller
 			setKeyValueInMap(reqContext, secretNamespaceField, secretNamespace)
 		}
 		// use data plane api, get account key first
-		_, _, accountKey, _, _, _, err := d.GetAccountInfo(ctx, volumeID, secrets, reqContext)
+		_, _, accountKey, _, _, _, _, _, err := d.GetAccountInfo(ctx, volumeID, secrets, reqContext)
 		if err != nil {
 			return nil, status.Errorf(codes.NotFound, "get account info from(%s) failed with error: %v", volumeID, err)
 		}
@@ -1356,7 +1410,7 @@ func (d *Driver) getShareClient(ctx context.Context, sourceVolumeID string, secr
 }
 
 func (d *Driver) getServiceClient(ctx context.Context, sourceVolumeID string, secrets map[string]string, useDataPlaneAPI string) (*service.Client, string, error) {
-	_, accountName, accountKey, fileShareName, _, _, err := d.GetAccountInfo(ctx, sourceVolumeID, secrets, map[string]string{}) //nolint:dogsled
+	_, accountName, accountKey, fileShareName, _, _, _, _, err := d.GetAccountInfo(ctx, sourceVolumeID, secrets, map[string]string{}) //nolint:dogsled
 	if err != nil {
 		return nil, fileShareName, err
 	}
@@ -1393,9 +1447,6 @@ func (d *Driver) snapshotExists(ctx context.Context, sourceVolumeID, snapshotNam
 
 		// List share snapshots.
 		listSnapshot := serviceURL.NewListSharesPager(&service.ListSharesOptions{Include: service.ListSharesInclude{Metadata: true, Snapshots: true}})
-		if err != nil {
-			return false, "", time.Time{}, 0, err
-		}
 		for listSnapshot.More() {
 			response, err := listSnapshot.NextPage(ctx)
 			if err != nil {
diff --git a/pkg/azurefile/controllerserver_test.go b/pkg/azurefile/controllerserver_test.go
index f983b23c8b..382673e050 100644
--- a/pkg/azurefile/controllerserver_test.go
+++ b/pkg/azurefile/controllerserver_test.go
@@ -926,6 +926,7 @@ var _ = ginkgo.Describe("TestCreateVolume", func() {
 					createFolderIfNotExistField:     "true",
 					confidentialContainerLabelField: "confidential-container-label",
 					mountWithManagedIdentityField:   "true",
+					mountWithWITokenField:           "false",
 				}
 
 				req := &csi.CreateVolumeRequest{
@@ -1077,6 +1078,41 @@ var _ = ginkgo.Describe("TestCreateVolume", func() {
 			})
 		})
 
+		ginkgo.When("invalid mountWithWIToken", func() {
+			ginkgo.It("should fail", func(ctx context.Context) {
+				req := &csi.CreateVolumeRequest{
+					Name:               "random-vol-name-valid-request",
+					VolumeCapabilities: stdVolCap,
+					CapacityRange:      lessThanPremCapRange,
+					Parameters: map[string]string{
+						mountWithWITokenField: "invalid",
+					},
+				}
+
+				expectedErr := status.Errorf(codes.InvalidArgument, "invalid %s: %s in storage class", mountWithWITokenField, "invalid")
+				_, err := d.CreateVolume(ctx, req)
+				gomega.Expect(err).To(gomega.Equal(expectedErr))
+			})
+		})
+
+		ginkgo.When("mountWithManagedIdentity and mountWithWIToken cannot be both true", func() {
+			ginkgo.It("should fail", func(ctx context.Context) {
+				req := &csi.CreateVolumeRequest{
+					Name:               "random-vol-name-valid-request",
+					VolumeCapabilities: stdVolCap,
+					CapacityRange:      lessThanPremCapRange,
+					Parameters: map[string]string{
+						mountWithManagedIdentityField: "true",
+						mountWithWITokenField:         "true",
+					},
+				}
+
+				expectedErr := status.Errorf(codes.InvalidArgument, "%s and %s cannot be both true in storage class", mountWithManagedIdentityField, mountWithWITokenField)
+				_, err := d.CreateVolume(ctx, req)
+				gomega.Expect(err).To(gomega.Equal(expectedErr))
+			})
+		})
+
 		ginkgo.When("invalid parameter", func() {
 			ginkgo.It("should fail", func(ctx context.Context) {
 				name := "baz"
diff --git a/pkg/azurefile/nodeserver.go b/pkg/azurefile/nodeserver.go
index 55c4e9c730..367c8c9de5 100644
--- a/pkg/azurefile/nodeserver.go
+++ b/pkg/azurefile/nodeserver.go
@@ -19,6 +19,7 @@ package azurefile
 import (
 	"encoding/json"
 	"fmt"
+	"io"
 	"os"
 	"path/filepath"
 	"runtime"
@@ -39,6 +40,7 @@ import (
 	"golang.org/x/net/context"
 	"google.golang.org/grpc"
 	mount_azurefile "sigs.k8s.io/azurefile-csi-driver/pkg/azurefile-proxy/pb"
+	csiMetrics "sigs.k8s.io/azurefile-csi-driver/pkg/metrics"
 	volumehelper "sigs.k8s.io/azurefile-csi-driver/pkg/util"
 	azcache "sigs.k8s.io/cloud-provider-azure/pkg/cache"
 	"sigs.k8s.io/cloud-provider-azure/pkg/metrics"
@@ -58,7 +60,12 @@ func NewMountClient(cc *grpc.ClientConn) *MountClient {
 }
 
 // NodePublishVolume mount the volume from staging to target path
-func (d *Driver) NodePublishVolume(ctx context.Context, req *csi.NodePublishVolumeRequest) (*csi.NodePublishVolumeResponse, error) {
+func (d *Driver) NodePublishVolume(ctx context.Context, req *csi.NodePublishVolumeRequest) (resp *csi.NodePublishVolumeResponse, returnedErr error) {
+	csiMC := csiMetrics.NewCSIMetricContext("node_publish_volume")
+	defer func() {
+		csiMC.Observe(returnedErr == nil)
+	}()
+
 	volCap := req.GetVolumeCapability()
 	if volCap == nil {
 		return nil, status.Error(codes.InvalidArgument, "Volume capability missing in request")
@@ -76,8 +83,8 @@ func (d *Driver) NodePublishVolume(ctx context.Context, req *csi.NodePublishVolu
 	mountPermissions := d.mountPermissions
 	context := req.GetVolumeContext()
 	if context != nil {
-		if !strings.EqualFold(getValueInMap(context, mountWithManagedIdentityField), trueValue) && getValueInMap(context, serviceAccountTokenField) != "" && getValueInMap(context, clientIDField) != "" {
-			klog.V(2).Infof("NodePublishVolume: volume(%s) mount on %s with service account token, clientID: %s", volumeID, target, getValueInMap(context, clientIDField))
+		if getValueInMap(context, serviceAccountTokenField) != "" && shouldUseServiceAccountToken(context) {
+			klog.V(2).Infof("NodePublishVolume: volume(%s) mount on %s with service account token, clientID: %s, mountWithWIToken: %s", volumeID, target, getValueInMap(context, clientIDField), getValueInMap(context, mountWithWITokenField))
 			_, err := d.NodeStageVolume(ctx, &csi.NodeStageVolumeRequest{
 				StagingTargetPath: target,
 				VolumeContext:     context,
@@ -197,7 +204,12 @@ func (d *Driver) NodePublishVolume(ctx context.Context, req *csi.NodePublishVolu
 }
 
 // NodeUnpublishVolume unmount the volume from the target path
-func (d *Driver) NodeUnpublishVolume(_ context.Context, req *csi.NodeUnpublishVolumeRequest) (*csi.NodeUnpublishVolumeResponse, error) {
+func (d *Driver) NodeUnpublishVolume(_ context.Context, req *csi.NodeUnpublishVolumeRequest) (resp *csi.NodeUnpublishVolumeResponse, returnedErr error) {
+	csiMC := csiMetrics.NewCSIMetricContext("node_unpublish_volume")
+	defer func() {
+		csiMC.Observe(returnedErr == nil)
+	}()
+
 	if len(req.GetVolumeId()) == 0 {
 		return nil, status.Error(codes.InvalidArgument, "Volume ID missing in request")
 	}
@@ -224,14 +236,19 @@ func (d *Driver) NodeUnpublishVolume(_ context.Context, req *csi.NodeUnpublishVo
 			return nil, status.Errorf(codes.Internal, "failed to direct volume remove mount info %s: %v", targetPath, err)
 		}
 	}
-
 	klog.V(2).Infof("NodeUnpublishVolume: unmount volume %s on %s successfully", volumeID, targetPath)
 
 	return &csi.NodeUnpublishVolumeResponse{}, nil
 }
 
 // NodeStageVolume mount the volume to a staging path
-func (d *Driver) NodeStageVolume(ctx context.Context, req *csi.NodeStageVolumeRequest) (*csi.NodeStageVolumeResponse, error) {
+func (d *Driver) NodeStageVolume(ctx context.Context, req *csi.NodeStageVolumeRequest) (resp *csi.NodeStageVolumeResponse, returnedErr error) {
+	requestName := "node_stage_volume"
+	csiMC := csiMetrics.NewCSIMetricContext(requestName)
+	defer func() {
+		csiMC.Observe(returnedErr == nil)
+	}()
+
 	if len(req.GetVolumeId()) == 0 {
 		return nil, status.Error(codes.InvalidArgument, "Volume ID missing in request")
 	}
@@ -247,8 +264,8 @@ func (d *Driver) NodeStageVolume(ctx context.Context, req *csi.NodeStageVolumeRe
 	volumeID := req.GetVolumeId()
 	context := req.GetVolumeContext()
 
-	if getValueInMap(context, clientIDField) != "" && !strings.EqualFold(getValueInMap(context, mountWithManagedIdentityField), trueValue) && getValueInMap(context, serviceAccountTokenField) == "" {
-		klog.V(2).Infof("Skip NodeStageVolume for volume(%s) since clientID %s is provided but service account token is empty", volumeID, getValueInMap(context, clientIDField))
+	if getValueInMap(context, serviceAccountTokenField) == "" && shouldUseServiceAccountToken(context) {
+		klog.V(2).Infof("Skip NodeStageVolume for volume(%s) since clientID(%s) or mountWithWIToken(%s) is provided but service account token is empty", volumeID, getValueInMap(context, clientIDField), getValueInMap(context, mountWithWITokenField))
 		return &csi.NodeStageVolumeResponse{}, nil
 	}
 
@@ -261,13 +278,12 @@ func (d *Driver) NodeStageVolume(ctx context.Context, req *csi.NodeStageVolumeRe
 		klog.V(2).Infof("CSI volume is read-only, mounting with extra option ro")
 	}
 
-	mc := metrics.NewMetricContext(azureFileCSIDriverName, "node_stage_volume", d.cloud.ResourceGroup, "", d.Name)
-	isOperationSucceeded := false
+	mc := metrics.NewMetricContext(azureFileCSIDriverName, requestName, d.cloud.ResourceGroup, "", d.Name)
 	defer func() {
-		mc.ObserveOperationWithResult(isOperationSucceeded, VolumeID, volumeID)
+		mc.ObserveOperationWithResult(returnedErr == nil, VolumeID, volumeID)
 	}()
 
-	_, accountName, accountKey, fileShareName, diskName, _, err := d.GetAccountInfo(ctx, volumeID, req.GetSecrets(), context)
+	_, accountName, accountKey, fileShareName, diskName, _, tenantID, tokenFilePath, err := d.GetAccountInfo(ctx, volumeID, req.GetSecrets(), context)
 	if err != nil {
 		return nil, status.Error(codes.InvalidArgument, fmt.Sprintf("GetAccountInfo(%s) failed with error: %v", volumeID, err))
 	}
@@ -277,7 +293,7 @@ func (d *Driver) NodeStageVolume(ctx context.Context, req *csi.NodeStageVolumeRe
 	// don't respect fsType from req.GetVolumeCapability().GetMount().GetFsType()
 	// since it's ext4 by default on Linux
 	var fsType, server, protocol, ephemeralVolMountOptions, storageEndpointSuffix, folderName, clientID string
-	var ephemeralVol, createFolderIfNotExist, encryptInTransit, mountWithManagedIdentity bool
+	var ephemeralVol, createFolderIfNotExist, encryptInTransit, mountWithManagedIdentity, mountWithWIToken bool
 	fileShareNameReplaceMap := map[string]string{}
 
 	mountPermissions := d.mountPermissions
@@ -333,6 +349,11 @@ func (d *Driver) NodeStageVolume(ctx context.Context, req *csi.NodeStageVolumeRe
 			if err != nil {
 				return nil, status.Error(codes.InvalidArgument, fmt.Sprintf("Volume context property %q must be a boolean value: %v", k, err))
 			}
+		case mountWithWITokenField:
+			mountWithWIToken, err = strconv.ParseBool(v)
+			if err != nil {
+				return nil, status.Error(codes.InvalidArgument, fmt.Sprintf("Volume context property %q must be a boolean value: %v", k, err))
+			}
 		case clientIDField:
 			clientID = v
 		}
@@ -354,6 +375,10 @@ func (d *Driver) NodeStageVolume(ctx context.Context, req *csi.NodeStageVolumeRe
 		return nil, status.Errorf(codes.InvalidArgument, "fsGroupChangePolicy(%s) is not supported, supported fsGroupChangePolicy list: %v", fsGroupChangePolicy, supportedFSGroupChangePolicyList)
 	}
 
+	if mountWithManagedIdentity && mountWithWIToken {
+		return nil, status.Error(codes.InvalidArgument, "mountWithManagedIdentity and mountWithWIToken cannot be both true")
+	}
+
 	lockKey := fmt.Sprintf("%s-%s", volumeID, targetPath)
 	if acquired := d.volumeLocks.TryAcquire(lockKey); !acquired {
 		return nil, status.Errorf(codes.Aborted, volumeOperationAlreadyExistsFmt, volumeID)
@@ -405,12 +430,22 @@ func (d *Driver) NodeStageVolume(ctx context.Context, req *csi.NodeStageVolumeRe
 		mountOptions = util.JoinMountOptions(mountFlags, []string{"vers=4,minorversion=1,sec=sys"})
 		mountOptions = appendDefaultNfsMountOptions(mountOptions, d.appendNoResvPortOption, d.appendActimeoOption)
 	} else {
+		if (mountWithManagedIdentity || mountWithWIToken) && clientID == "" {
+			clientID = d.cloud.Config.AzureAuthConfig.UserAssignedIdentityID
+		}
+
 		if mountWithManagedIdentity && runtime.GOOS != "windows" {
-			if clientID == "" {
-				clientID = d.cloud.Config.AzureAuthConfig.UserAssignedIdentityID
-			}
 			sensitiveMountOptions = []string{"sec=krb5,cruid=0,upcall_target=mount", fmt.Sprintf("username=%s", clientID)}
 			klog.V(2).Infof("using managed identity %s for volume %s with mount options: %v", clientID, volumeID, sensitiveMountOptions)
+		} else if mountWithWIToken && runtime.GOOS != "windows" {
+			sensitiveMountOptions = []string{"sec=krb5,cruid=0,upcall_target=mount"}
+			klog.V(2).Infof("using workload identity token for volume %s with mount options: %v", volumeID, sensitiveMountOptions)
+			if tokenFilePath != "" {
+				// always set credential cache when token file is provided even mount does not happen
+				if out, err := setCredentialCache(server, clientID, tenantID, tokenFilePath); err != nil {
+					return nil, status.Errorf(codes.Internal, "setCredentialCache failed for %s with error: %v, output: %s", server, err, out)
+				}
+			}
 		} else {
 			if accountName == "" || accountKey == "" {
 				return nil, status.Errorf(codes.Internal, "accountName(%s) or accountKey is empty", accountName)
@@ -472,14 +507,16 @@ func (d *Driver) NodeStageVolume(ctx context.Context, req *csi.NodeStageVolumeRe
 		} else {
 			execFunc := func() error {
 				if mountWithManagedIdentity && protocol != nfs && runtime.GOOS != "windows" {
-					if out, err := setCredentialCache(server, clientID); err != nil {
+					if out, err := setCredentialCache(server, clientID, tenantID, tokenFilePath); err != nil {
 						return fmt.Errorf("setCredentialCache failed for %s with error: %v, output: %s", server, err, out)
 					}
 				}
 				return SMBMount(d.mounter, source, cifsMountPath, mountFsType, mountOptions, sensitiveMountOptions)
 			}
-			timeoutFunc := func() error { return fmt.Errorf("time out") }
-			if err := volumehelper.WaitUntilTimeout(90*time.Second, execFunc, timeoutFunc); err != nil {
+			timeoutFunc := func() error {
+				return fmt.Errorf("mount operation timed out after %d seconds: source=%s, target=%s", MountTimeoutInSec, source, cifsMountPath)
+			}
+			if err := volumehelper.WaitUntilTimeout(MountTimeoutInSec*time.Second, execFunc, timeoutFunc); err != nil {
 				var helpLinkMsg string
 				if d.appendMountErrorHelpLink {
 					helpLinkMsg = "\nPlease refer to http://aka.ms/filemounterror for possible causes and solutions for mount errors."
@@ -571,12 +608,18 @@ func (d *Driver) NodeStageVolume(ctx context.Context, req *csi.NodeStageVolumeRe
 		}
 	}
 
-	isOperationSucceeded = true
 	return &csi.NodeStageVolumeResponse{}, nil
 }
 
 // NodeUnstageVolume unmount the volume from the staging path
 func (d *Driver) NodeUnstageVolume(_ context.Context, req *csi.NodeUnstageVolumeRequest) (*csi.NodeUnstageVolumeResponse, error) {
+	requestName := "node_unstage_volume"
+	csiMC := csiMetrics.NewCSIMetricContext(requestName)
+	isOperationSucceeded := false
+	defer func() {
+		csiMC.Observe(isOperationSucceeded)
+	}()
+
 	volumeID := req.GetVolumeId()
 	if len(volumeID) == 0 {
 		return nil, status.Error(codes.InvalidArgument, "Volume ID missing in request")
@@ -592,8 +635,7 @@ func (d *Driver) NodeUnstageVolume(_ context.Context, req *csi.NodeUnstageVolume
 	}
 	defer d.volumeLocks.Release(lockKey)
 
-	mc := metrics.NewMetricContext(azureFileCSIDriverName, "node_unstage_volume", d.cloud.ResourceGroup, "", d.Name)
-	isOperationSucceeded := false
+	mc := metrics.NewMetricContext(azureFileCSIDriverName, requestName, d.cloud.ResourceGroup, "", d.Name)
 	defer func() {
 		mc.ObserveOperationWithResult(isOperationSucceeded, VolumeID, volumeID)
 	}()
@@ -759,7 +801,16 @@ func (d *Driver) ensureMountPoint(target string, perm os.FileMode) (bool, error)
 
 	if !notMnt {
 		// testing original mount point, make sure the mount link is valid
-		_, err := os.ReadDir(target)
+		// Use ReadDir(1) instead of full os.ReadDir to avoid expensive directory listing
+		f, err := os.Open(target)
+		if err == nil {
+			defer f.Close()
+			_, err = f.ReadDir(1)
+			// EOF means empty directory, which is valid
+			if err == io.EOF {
+				err = nil
+			}
+		}
 		if err == nil {
 			klog.V(2).Infof("already mounted to target %s", target)
 			return !notMnt, nil
@@ -781,7 +832,6 @@ func (d *Driver) ensureMountPoint(target string, perm os.FileMode) (bool, error)
 }
 
 func (d *Driver) mountWithProxy(ctx context.Context, source, target, fsType string, options, sensitiveMountOptions []string) error {
-	klog.V(2).Infof("start connecting to azurefile proxy")
 	conn, err := grpc.NewClient(d.azurefileProxyEndpoint, grpc.WithTransportCredentials(insecure.NewCredentials()))
 	if err != nil {
 		klog.Error("failed to connect to azurefile proxy:", err)
@@ -792,7 +842,6 @@ func (d *Driver) mountWithProxy(ctx context.Context, source, target, fsType stri
 			klog.Error("failed to close connection to azurefile proxy:", err)
 		}
 	}()
-	klog.V(2).Infof("connected to azurefile proxy successfully")
 
 	mountClient := NewMountClient(conn)
 	mountreq := mount_azurefile.MountAzureFileRequest{
@@ -803,12 +852,20 @@ func (d *Driver) mountWithProxy(ctx context.Context, source, target, fsType stri
 		SensitiveOptions: sensitiveMountOptions,
 	}
 	klog.V(2).Infof("begin to mount with azurefile proxy, source: %s, target: %s, fstype: %s, mountOptions: %v", source, target, fsType, options)
-	_, err = mountClient.service.MountAzureFile(ctx, &mountreq)
-	if err != nil {
-		klog.Error("GRPC call returned with an error:", err)
+	newCtx, cancel := context.WithTimeout(ctx, MountTimeoutInSec*time.Second)
+	defer cancel()
+	execFunc := func() error {
+		_, err := mountClient.service.MountAzureFile(newCtx, &mountreq)
 		return err
 	}
+	timeoutFunc := func() error {
+		return fmt.Errorf("mount with azurefile proxy timed out after %d seconds: source=%s, target=%s", MountTimeoutInSec, source, target)
+	}
 
+	if err = volumehelper.WaitUntilTimeout(MountTimeoutInSec*time.Second, execFunc, timeoutFunc); err != nil {
+		klog.Error("GRPC call returned with an error:", err)
+	}
+	klog.V(2).Infof("mount %s on %s with azurefile proxy completed with error: %v", source, target, err)
 	return err
 }
 
@@ -830,3 +887,14 @@ func checkGidPresentInMountFlags(mountFlags []string) bool {
 	}
 	return false
 }
+
+// shouldUseServiceAccountToken determines whether a service account token should be used for authentication based on the volume context attributes.
+func shouldUseServiceAccountToken(attrib map[string]string) bool {
+	if getValueInMap(attrib, mountWithWITokenField) == trueValue {
+		return true
+	}
+	if getValueInMap(attrib, clientIDField) != "" && !strings.EqualFold(getValueInMap(attrib, mountWithManagedIdentityField), trueValue) {
+		return true
+	}
+	return false
+}
diff --git a/pkg/azurefile/nodeserver_test.go b/pkg/azurefile/nodeserver_test.go
index ddeeba34cd..d7b85c1bd3 100644
--- a/pkg/azurefile/nodeserver_test.go
+++ b/pkg/azurefile/nodeserver_test.go
@@ -761,6 +761,22 @@ func TestNodeStageVolume(t *testing.T) {
 				DefaultError: status.Error(codes.InvalidArgument, fmt.Sprintf("invalid mountPermissions %s", "07ab")),
 			},
 		},
+		{
+			desc: "[Error] mountWithManagedIdentity and mountWithWIToken cannot be both true",
+			req: &csi.NodeStageVolumeRequest{VolumeId: "vol_1##", StagingTargetPath: sourceTest,
+				VolumeCapability: &stdVolCap,
+				VolumeContext: map[string]string{
+					shareNameField:                "test_sharename",
+					storageAccountField:           "test_accountname",
+					serviceAccountTokenField:      "token",
+					mountWithManagedIdentityField: "true",
+					mountWithWITokenField:         "true",
+				},
+				Secrets: secrets},
+			expectedErr: testutil.TestError{
+				DefaultError: status.Error(codes.InvalidArgument, "mountWithManagedIdentity and mountWithWIToken cannot be both true"),
+			},
+		},
 		{
 			desc: "[Success] Valid request with Kata CC Mount enabled",
 			setup: func() {
@@ -1177,6 +1193,50 @@ func TestNodePublishVolumeIdempotentMount(t *testing.T) {
 	assert.NoError(t, err)
 }
 
+func TestShouldUseServiceAccountToken(t *testing.T) {
+	tests := []struct {
+		name   string
+		attrib map[string]string
+		expect bool
+	}{
+		{
+			name:   "witoken true",
+			attrib: map[string]string{mountWithWITokenField: trueValue},
+			expect: true,
+		},
+		{
+			name: "clientID without managed identity",
+			attrib: map[string]string{
+				clientIDField:                 "client-id",
+				mountWithManagedIdentityField: "",
+			},
+			expect: true,
+		},
+		{
+			name: "clientID with managed identity true",
+			attrib: map[string]string{
+				clientIDField:                 "client-id",
+				mountWithManagedIdentityField: "True",
+			},
+			expect: false,
+		},
+		{
+			name:   "no wi configuration",
+			attrib: map[string]string{},
+			expect: false,
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			result := shouldUseServiceAccountToken(test.attrib)
+			if result != test.expect {
+				t.Fatalf("shouldUseServiceAccountToken() = %t, want %t for attrib %v", result, test.expect, test.attrib)
+			}
+		})
+	}
+}
+
 func makeFakeCmd(fakeCmd *testingexec.FakeCmd, cmd string, args ...string) testingexec.FakeCommandAction {
 	c := cmd
 	a := args
diff --git a/pkg/azurefile/utils.go b/pkg/azurefile/utils.go
index 06d030a3ef..58823c2c1f 100644
--- a/pkg/azurefile/utils.go
+++ b/pkg/azurefile/utils.go
@@ -361,7 +361,7 @@ func getFileServiceURL(accountName, storageEndpointSuffix string) string {
 }
 
 func isValidSubscriptionID(subsID string) bool {
-	return regexp.MustCompile(`^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$`).MatchString(subsID)
+	return regexp.MustCompile(`^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$`).MatchString(subsID)
 }
 
 // RemoveOptionIfExists removes the given option from the list of options
@@ -417,13 +417,43 @@ func getDefaultBandwidth(requestGiB int, storageAccountType string) *int32 {
 	return &bandwidth
 }
 
-func setCredentialCache(server, clientID string) ([]byte, error) {
-	if server == "" || clientID == "" {
-		return nil, fmt.Errorf("server and clientID must be provided")
+func setCredentialCache(server, clientID, tenantID, tokenFile string) ([]byte, error) {
+	if server == "" {
+		return nil, fmt.Errorf("server must be provided")
+	}
+	if clientID == "" {
+		return nil, fmt.Errorf("clientID must be provided")
 	}
 
-	cmd := exec.Command("azfilesauthmanager", "set", "https://"+server, "--imds-client-id", clientID)
+	var args []string
+	if tokenFile != "" {
+		if tenantID == "" {
+			return nil, fmt.Errorf("tenantID must be provided when tokenFile is provided")
+		}
+		args = []string{"set", "https://" + server, "--workload-identity", "--tenant-id", tenantID, "--client-id", clientID, "--token-file", tokenFile}
+	} else {
+		args = []string{"set", "https://" + server, "--imds-client-id", clientID}
+	}
+
+	cmd := exec.Command("azfilesauthmanager", args...)
 	cmd.Env = append(os.Environ(), cmd.Env...)
 	klog.V(2).Infof("Executing command: %q", cmd.String())
 	return cmd.CombinedOutput()
 }
+
+// isValidTokenFileName checks if the token file name is valid
+// fileName should only contain alphanumeric characters, hyphens
+func isValidTokenFileName(fileName string) bool {
+	if fileName == "" {
+		return false
+	}
+	for _, c := range fileName {
+		if !(('a' <= c && c <= 'z') ||
+			('A' <= c && c <= 'Z') ||
+			('0' <= c && c <= '9') ||
+			(c == '-')) {
+			return false
+		}
+	}
+	return true
+}
diff --git a/pkg/azurefile/utils_test.go b/pkg/azurefile/utils_test.go
index 7f4ece6d7c..9ff603abc3 100644
--- a/pkg/azurefile/utils_test.go
+++ b/pkg/azurefile/utils_test.go
@@ -1073,6 +1073,11 @@ func TestIsValidSubscriptionID(t *testing.T) {
 			subsID:   "2025-04-15T11:06:21.0000000Z",
 			expected: false,
 		},
+		{
+			desc:     "valid subscription ID - uppercase letters",
+			subsID:   "C9D2281E-DCD5-4DFD-9A97-0D50377CDF76",
+			expected: true,
+		},
 	}
 
 	for _, test := range tests {
@@ -1363,30 +1368,62 @@ func TestSetCredentialCache(t *testing.T) {
 		desc          string
 		server        string
 		clientID      string
+		tenantID      string
+		tokenFile     string
 		expectedError string
 	}{
 		{
 			desc:          "empty server",
 			server:        "",
 			clientID:      "test-client-id",
-			expectedError: "server and clientID must be provided",
+			tenantID:      "test-tenant-id",
+			tokenFile:     "test-token-file",
+			expectedError: "server must be provided",
 		},
 		{
 			desc:          "empty clientID",
 			server:        "test.file.core.windows.net",
 			clientID:      "",
-			expectedError: "server and clientID must be provided",
+			tenantID:      "test-tenant-id",
+			tokenFile:     "test-token-file",
+			expectedError: "clientID must be provided",
+		},
+		{
+			desc:          "empty tenantID with tokenFile",
+			server:        "test.file.core.windows.net",
+			clientID:      "test-client-id",
+			tenantID:      "",
+			tokenFile:     "test-token-file",
+			expectedError: "tenantID must be provided when tokenFile is provided",
+		},
+		{
+			desc:          "valid IMDS authentication (no tokenFile)",
+			server:        "test.file.core.windows.net",
+			clientID:      "test-client-id",
+			tenantID:      "",
+			tokenFile:     "",
+			expectedError: "", // Will fail due to missing azfilesauthmanager, but validates argument construction
+		},
+		{
+			desc:          "valid workload identity authentication",
+			server:        "test.file.core.windows.net",
+			clientID:      "test-client-id",
+			tenantID:      "test-tenant-id",
+			tokenFile:     "test-token-file",
+			expectedError: "", // Will fail due to missing azfilesauthmanager, but validates argument construction
 		},
 		{
-			desc:          "both empty",
+			desc:          "both empty server and clientID",
 			server:        "",
 			clientID:      "",
-			expectedError: "server and clientID must be provided",
+			tenantID:      "test-tenant-id",
+			tokenFile:     "test-token-file",
+			expectedError: "server must be provided",
 		},
 	}
 
 	for _, test := range tests {
-		_, err := setCredentialCache(test.server, test.clientID)
+		_, err := setCredentialCache(test.server, test.clientID, test.tenantID, test.tokenFile)
 		if test.expectedError != "" {
 			if err == nil {
 				t.Errorf("test[%s]: expected error containing %q, got nil", test.desc, test.expectedError)
@@ -1394,9 +1431,73 @@ func TestSetCredentialCache(t *testing.T) {
 				t.Errorf("test[%s]: expected error containing %q, got %v", test.desc, test.expectedError, err)
 			}
 		}
+		// Note: We don't test successful execution as it requires azfilesauthmanager binary
+		// The actual command execution will fail, but we've validated the argument construction
 	}
 }
 
 func int32Ptr(i int32) *int32 {
 	return &i
 }
+
+func TestIsValidTokenFileName(t *testing.T) {
+	testCases := []struct {
+		name     string
+		fileName string
+		expected bool
+	}{
+		{
+			name:     "valid lowercase",
+			fileName: "token",
+			expected: true,
+		},
+		{
+			name:     "valid uppercase",
+			fileName: "TOKEN",
+			expected: true,
+		},
+		{
+			name:     "valid mixed alphanumeric with hyphen",
+			fileName: "Token-123",
+			expected: true,
+		},
+		{
+			name:     "valid mixed alphanumeric with hyphen#2",
+			fileName: "0ab48765-efce-4799-8a9c-c3e1de2ee42eg",
+			expected: true,
+		},
+		{
+			name:     "empty string",
+			fileName: "",
+			expected: false,
+		},
+		{
+			name:     "contains underscore",
+			fileName: "token_file",
+			expected: false,
+		},
+		{
+			name:     "contains dot",
+			fileName: "token.file",
+			expected: false,
+		},
+		{
+			name:     "contains space",
+			fileName: "token file",
+			expected: false,
+		},
+		{
+			name:     "contains slash",
+			fileName: "token/file",
+			expected: false,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			if got := isValidTokenFileName(tc.fileName); got != tc.expected {
+				t.Fatalf("isValidTokenFileName(%q) = %t, want %t", tc.fileName, got, tc.expected)
+			}
+		})
+	}
+}
diff --git a/pkg/azurefileplugin/Dockerfile b/pkg/azurefileplugin/Dockerfile
index 4b66f30c7f..166d0dbc19 100644
--- a/pkg/azurefileplugin/Dockerfile
+++ b/pkg/azurefileplugin/Dockerfile
@@ -14,7 +14,7 @@
 
 ARG ARCH=amd64
 
-FROM registry.k8s.io/build-image/debian-base:bookworm-v1.0.6 AS base
+FROM registry.k8s.io/build-image/debian-base:bookworm-v1.0.7 AS base
 
 FROM base AS builder
 
@@ -23,7 +23,7 @@ ARG ARCH
 RUN apt update \
     && apt install -y curl \
     && curl -Lso /tmp/packages-microsoft-prod-22.04.deb https://packages.microsoft.com/config/ubuntu/22.04/packages-microsoft-prod.deb \
-    && curl -Ls https://github.com/Azure/azure-storage-azcopy/releases/download/v10.30.1/azcopy_linux_${ARCH}_10.30.1.tar.gz \
+    && curl -Ls https://github.com/Azure/azure-storage-azcopy/releases/download/v10.31.1/azcopy_linux_${ARCH}_10.31.1.tar.gz \
         | tar xvzf - --strip-components=1 -C /usr/local/bin/ --wildcards "*/azcopy"
 
 FROM base
diff --git a/pkg/metrics/metrics.go b/pkg/metrics/metrics.go
new file mode 100644
index 0000000000..fa42483c27
--- /dev/null
+++ b/pkg/metrics/metrics.go
@@ -0,0 +1,133 @@
+/*
+Copyright 2026 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package metrics
+
+import (
+	"time"
+
+	"k8s.io/component-base/metrics"
+	"k8s.io/component-base/metrics/legacyregistry"
+)
+
+const (
+	subSystem = "azurefile_csi_driver"
+)
+
+var (
+	operationDuration = metrics.NewHistogramVec(
+		&metrics.HistogramOpts{
+			Subsystem:      subSystem,
+			Name:           "operation_duration_seconds",
+			Help:           "Histogram of CSI operation duration in seconds",
+			Buckets:        []float64{0.1, 0.2, 0.5, 1, 5, 10, 15, 20, 30, 40, 50, 60, 100, 200, 300},
+			StabilityLevel: metrics.ALPHA,
+		},
+		[]string{"operation", "success"},
+	)
+
+	operationDurationWithLabels = metrics.NewHistogramVec(
+		&metrics.HistogramOpts{
+			Subsystem:      subSystem,
+			Name:           "operation_duration_seconds_labeled",
+			Help:           "Histogram of CSI operation duration with additional labels",
+			Buckets:        []float64{0.1, 0.2, 0.5, 1, 5, 10, 15, 20, 30, 40, 50, 60, 100, 200, 300},
+			StabilityLevel: metrics.ALPHA,
+		},
+		[]string{"operation", "success", "protocol", "storage_account_type"},
+	)
+
+	operationTotal = metrics.NewCounterVec(
+		&metrics.CounterOpts{
+			Subsystem:      subSystem,
+			Name:           "operations_total",
+			Help:           "Total number of CSI operations",
+			StabilityLevel: metrics.ALPHA,
+		},
+		[]string{"operation", "success"},
+	)
+)
+
+func init() {
+	legacyregistry.MustRegister(operationDuration)
+	legacyregistry.MustRegister(operationDurationWithLabels)
+	legacyregistry.MustRegister(operationTotal)
+}
+
+// CSIMetricContext represents the context for CSI operation metrics
+type CSIMetricContext struct {
+	operation string
+	start     time.Time
+	labels    map[string]string
+}
+
+// NewCSIMetricContext creates a new CSI metric context
+func NewCSIMetricContext(operation string) *CSIMetricContext {
+	return &CSIMetricContext{
+		operation: operation,
+		start:     time.Now(),
+		labels:    make(map[string]string),
+	}
+}
+
+// WithLabel adds a label to the metric context
+func (mc *CSIMetricContext) WithLabel(key, value string) *CSIMetricContext {
+	if mc.labels == nil {
+		mc.labels = make(map[string]string)
+	}
+	mc.labels[key] = value
+	return mc
+}
+
+// Observe records the operation result and duration
+func (mc *CSIMetricContext) Observe(success bool) {
+	duration := time.Since(mc.start).Seconds()
+	successStr := "false"
+	if success {
+		successStr = "true"
+	}
+
+	// Always record basic metrics
+	operationDuration.WithLabelValues(mc.operation, successStr).Observe(duration)
+	operationTotal.WithLabelValues(mc.operation, successStr).Inc()
+
+	// Record detailed metrics if labels are present
+	if len(mc.labels) > 0 {
+		protocol := mc.labels["protocol"]
+		storageAccountType := mc.labels["storage_account_type"]
+
+		operationDurationWithLabels.WithLabelValues(
+			mc.operation,
+			successStr,
+			protocol,
+			storageAccountType,
+		).Observe(duration)
+	}
+}
+
+// ObserveWithLabels records the operation with provided label pairs
+func (mc *CSIMetricContext) ObserveWithLabels(success bool, labelPairs ...string) {
+	if len(labelPairs)%2 != 0 {
+		// Invalid label pairs, just observe without labels
+		mc.Observe(success)
+		return
+	}
+
+	for i := 0; i < len(labelPairs); i += 2 {
+		mc.WithLabel(labelPairs[i], labelPairs[i+1])
+	}
+	mc.Observe(success)
+}
diff --git a/pkg/metrics/metrics_test.go b/pkg/metrics/metrics_test.go
new file mode 100644
index 0000000000..f817a3cda5
--- /dev/null
+++ b/pkg/metrics/metrics_test.go
@@ -0,0 +1,312 @@
+/*
+Copyright 2026 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package metrics
+
+import (
+	"testing"
+	"time"
+
+	"k8s.io/component-base/metrics/legacyregistry"
+)
+
+func TestCSIMetricContext_NewCSIMetricContext(t *testing.T) {
+	operation := "test_operation"
+	mc := NewCSIMetricContext(operation)
+
+	if mc.operation != operation {
+		t.Errorf("expected operation %s, got %s", operation, mc.operation)
+	}
+
+	if mc.labels == nil {
+		t.Error("expected labels map to be initialized")
+	}
+
+	if mc.start.IsZero() {
+		t.Error("expected start time to be set")
+	}
+}
+
+func TestCSIMetricContext_WithLabel(t *testing.T) {
+	mc := NewCSIMetricContext("test_operation")
+
+	mc.WithLabel("key1", "value1")
+	mc.WithLabel("key2", "value2")
+
+	if mc.labels["key1"] != "value1" {
+		t.Errorf("expected label key1=value1, got %s", mc.labels["key1"])
+	}
+
+	if mc.labels["key2"] != "value2" {
+		t.Errorf("expected label key2=value2, got %s", mc.labels["key2"])
+	}
+}
+
+func TestCSIMetricContext_Observe(t *testing.T) {
+	// Reset metrics before test
+	operationDuration.Reset()
+	operationTotal.Reset()
+
+	mc := NewCSIMetricContext("node_stage_volume")
+
+	// Test basic observation (success)
+	mc.Observe(true)
+
+	// Check that metrics were recorded by gathering all metrics
+	families, err := legacyregistry.DefaultGatherer.Gather()
+	if err != nil {
+		t.Fatalf("failed to gather metrics: %v", err)
+	}
+
+	foundCounter := false
+	foundHistogram := false
+
+	for _, family := range families {
+		if family.GetName() == "azurefile_csi_driver_operations_total" {
+			foundCounter = true
+			if len(family.GetMetric()) == 0 {
+				t.Error("expected counter to have metrics")
+			}
+		}
+		if family.GetName() == "azurefile_csi_driver_operation_duration_seconds" {
+			foundHistogram = true
+			if len(family.GetMetric()) == 0 {
+				t.Error("expected histogram to have metrics")
+			}
+		}
+	}
+
+	if !foundCounter {
+		t.Error("expected to find operation counter")
+	}
+	if !foundHistogram {
+		t.Error("expected to find operation duration histogram")
+	}
+}
+
+func TestCSIMetricContext_ObserveWithFailure(t *testing.T) {
+	// Reset metrics before test
+	operationTotal.Reset()
+
+	mc := NewCSIMetricContext("node_publish_volume")
+
+	// Test observation with failure
+	mc.Observe(false)
+
+	// Verify metrics were recorded
+	families, err := legacyregistry.DefaultGatherer.Gather()
+	if err != nil {
+		t.Fatalf("failed to gather metrics: %v", err)
+	}
+
+	foundCounter := false
+	for _, family := range families {
+		if family.GetName() == "azurefile_csi_driver_operations_total" {
+			foundCounter = true
+			// Check that we have metrics recorded
+			if len(family.GetMetric()) == 0 {
+				t.Error("expected counter to have metrics for failure case")
+			}
+			// Verify that success="false" label exists in one of the metrics
+			foundFailureMetric := false
+			for _, metric := range family.GetMetric() {
+				for _, label := range metric.GetLabel() {
+					if label.GetName() == "success" && label.GetValue() == "false" {
+						foundFailureMetric = true
+						break
+					}
+				}
+			}
+			if !foundFailureMetric {
+				t.Error("expected to find metric with success=false")
+			}
+		}
+	}
+
+	if !foundCounter {
+		t.Error("expected to find operation counter")
+	}
+}
+
+func TestCSIMetricContext_ObserveWithLabels(t *testing.T) {
+	// Reset metrics before test
+	operationDuration.Reset()
+	operationTotal.Reset()
+	operationDurationWithLabels.Reset()
+
+	mc := NewCSIMetricContext("controller_create_volume")
+
+	// Test observation with labels
+	mc.ObserveWithLabels(true,
+		"protocol", "smb",
+		"storage_account_type", "Standard_LRS")
+
+	// Verify that both basic and labeled metrics were recorded
+	families, err := legacyregistry.DefaultGatherer.Gather()
+	if err != nil {
+		t.Fatalf("failed to gather metrics: %v", err)
+	}
+
+	foundBasicCounter := false
+	foundLabeledHistogram := false
+
+	for _, family := range families {
+		if family.GetName() == "azurefile_csi_driver_operations_total" {
+			foundBasicCounter = true
+			if len(family.GetMetric()) == 0 {
+				t.Error("expected basic counter to have metrics")
+			}
+		}
+		if family.GetName() == "azurefile_csi_driver_operation_duration_seconds_labeled" {
+			foundLabeledHistogram = true
+			if len(family.GetMetric()) == 0 {
+				t.Error("expected labeled histogram to have metrics")
+			}
+			// Verify that our expected labels are present
+			for _, metric := range family.GetMetric() {
+				labelMap := make(map[string]string)
+				for _, label := range metric.GetLabel() {
+					labelMap[label.GetName()] = label.GetValue()
+				}
+
+				if labelMap["protocol"] != "smb" ||
+					labelMap["storage_account_type"] != "Standard_LRS" {
+					t.Errorf("expected labeled metric with correct labels, got: %v", labelMap)
+				}
+			}
+		}
+	}
+
+	if !foundBasicCounter {
+		t.Error("expected to find basic operation counter")
+	}
+	if !foundLabeledHistogram {
+		t.Error("expected to find labeled operation histogram")
+	}
+}
+
+func TestCSIMetricContext_ObserveWithInvalidLabels(t *testing.T) {
+	// Reset metrics before test
+	operationTotal.Reset()
+	operationDurationWithLabels.Reset()
+
+	mc := NewCSIMetricContext("test_operation")
+
+	// Test with odd number of label parameters (should fallback to basic observe)
+	mc.ObserveWithLabels(true, "protocol", "smb", "orphan_key")
+
+	// Should still record basic metrics but not labeled metrics
+	families, err := legacyregistry.DefaultGatherer.Gather()
+	if err != nil {
+		t.Fatalf("failed to gather metrics: %v", err)
+	}
+
+	foundBasicCounter := false
+	for _, family := range families {
+		if family.GetName() == "azurefile_csi_driver_operations_total" {
+			foundBasicCounter = true
+			if len(family.GetMetric()) == 0 {
+				t.Error("expected basic counter to have metrics even with invalid labels")
+			}
+		}
+		if family.GetName() == "azurefile_csi_driver_operation_duration_seconds_labeled" {
+			if len(family.GetMetric()) > 0 {
+				t.Error("expected no labeled metrics to be recorded with invalid label pairs")
+			}
+		}
+	}
+
+	if !foundBasicCounter {
+		t.Error("expected to find basic operation counter")
+	}
+}
+
+func TestCSIMetricContext_TimingAccuracy(t *testing.T) {
+	mc := NewCSIMetricContext("timing_test")
+
+	// Simulate that the operation started some time ago by setting a fixed start time.
+	expectedDuration := 50 * time.Millisecond
+	mc.start = time.Now().Add(-expectedDuration)
+	mc.Observe(true)
+	duration := time.Since(mc.start)
+	// The duration should be at least the expected duration (allowing for minimal overhead).
+	if duration < expectedDuration {
+		t.Errorf("expected duration to be at least %v, got %v", expectedDuration, duration)
+	}
+	// But not too much more (allowing for some variance in execution).
+	if duration > expectedDuration+50*time.Millisecond {
+		t.Errorf("expected duration to be less than %v, got %v", expectedDuration+50*time.Millisecond, duration)
+	}
+}
+
+func TestCSIMetricContext_ChainedLabels(t *testing.T) {
+	mc := NewCSIMetricContext("test_operation")
+
+	// Test method chaining
+	mc.WithLabel("key1", "value1").WithLabel("key2", "value2").WithLabel("key3", "value3")
+
+	if mc.labels["key1"] != "value1" || mc.labels["key2"] != "value2" || mc.labels["key3"] != "value3" {
+		t.Errorf("expected all chained labels to be set, got: %v", mc.labels)
+	}
+}
+
+func TestCSIMetricContext_EmptyLabels(t *testing.T) {
+	mc := NewCSIMetricContext("test_operation")
+
+	// Test observing without any labels
+	mc.Observe(true)
+
+	if len(mc.labels) != 0 {
+		t.Errorf("expected no labels, got: %v", mc.labels)
+	}
+}
+
+func BenchmarkCSIMetricContext_Observe(b *testing.B) {
+	mc := NewCSIMetricContext("benchmark_test")
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		mc.start = time.Now() // Reset start time each iteration to simulate fresh observation
+		mc.Observe(true)
+	}
+}
+
+func BenchmarkCSIMetricContext_ObserveWithLabels(b *testing.B) {
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		mc := NewCSIMetricContext("benchmark_test")
+		mc.ObserveWithLabels(true,
+			"protocol", "smb",
+			"storage_account_type", "Standard_LRS")
+	}
+}
+
+// Benchmark just the metrics recording portion (no duration calculation)
+func BenchmarkMetricsRecordingOnly(b *testing.B) {
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		// Directly record metrics without duration calculation
+		operationDuration.WithLabelValues("benchmark_test", "true").Observe(0.001) // Fixed small duration
+		operationTotal.WithLabelValues("benchmark_test", "true").Inc()
+	}
+}
+
+func BenchmarkCSIMetricContext_NewAndObserve(b *testing.B) {
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		mc := NewCSIMetricContext("benchmark_test")
+		mc.Observe(true)
+	}
+}
diff --git a/test/e2e/dynamic_provisioning_test.go b/test/e2e/dynamic_provisioning_test.go
index 4455919399..db3da56d4d 100644
--- a/test/e2e/dynamic_provisioning_test.go
+++ b/test/e2e/dynamic_provisioning_test.go
@@ -189,6 +189,9 @@ var _ = ginkgo.Describe("Dynamic Provisioning", func() {
 					NameGenerate:      "test-volume-",
 					MountPathGenerate: "/mnt/test-",
 				},
+				MountOptions: []string{
+					"max_channels=4",
+				},
 			},
 		}
 		tags := "account=azurefile-test"
@@ -203,6 +206,7 @@ var _ = ginkgo.Describe("Dynamic Provisioning", func() {
 				"getLatestAccountKey":    "true",
 				"shareAccessTier":        "Premium",
 				"requireInfraEncryption": "true",
+				"enableMultichannel":     "true",
 			},
 			Tags: tags,
 		}
diff --git a/test/e2e/testsuites/pre_provisioned_existing_credentials_tester.go b/test/e2e/testsuites/pre_provisioned_existing_credentials_tester.go
index 103c6becb1..c86a718316 100644
--- a/test/e2e/testsuites/pre_provisioned_existing_credentials_tester.go
+++ b/test/e2e/testsuites/pre_provisioned_existing_credentials_tester.go
@@ -41,7 +41,7 @@ type PreProvisionedExistingCredentialsTest struct {
 func (t *PreProvisionedExistingCredentialsTest) Run(ctx context.Context, client clientset.Interface, namespace *v1.Namespace) {
 	for _, pod := range t.Pods {
 		for n, volume := range pod.Volumes {
-			resourceGroupName, accountName, _, fileShareName, _, _, err := t.Azurefile.GetAccountInfo(ctx, volume.VolumeID, nil, nil)
+			resourceGroupName, accountName, _, fileShareName, _, _, _, _, err := t.Azurefile.GetAccountInfo(ctx, volume.VolumeID, nil, nil)
 			if err != nil {
 				framework.ExpectNoError(err, fmt.Sprintf("Error GetContainerInfo from volumeID(%s): %v", volume.VolumeID, err))
 				return
diff --git a/test/e2e/testsuites/pre_provisioned_provided_credentials_tester.go b/test/e2e/testsuites/pre_provisioned_provided_credentials_tester.go
index 4f679bc014..f881f0fde4 100644
--- a/test/e2e/testsuites/pre_provisioned_provided_credentials_tester.go
+++ b/test/e2e/testsuites/pre_provisioned_provided_credentials_tester.go
@@ -41,7 +41,7 @@ type PreProvisionedProvidedCredentiasTest struct {
 func (t *PreProvisionedProvidedCredentiasTest) Run(ctx context.Context, client clientset.Interface, namespace *v1.Namespace) {
 	for _, pod := range t.Pods {
 		for n, volume := range pod.Volumes {
-			_, accountName, accountKey, fileShareName, _, _, err := t.Azurefile.GetAccountInfo(ctx, volume.VolumeID, nil, nil)
+			_, accountName, accountKey, fileShareName, _, _, _, _, err := t.Azurefile.GetAccountInfo(ctx, volume.VolumeID, nil, nil)
 			framework.ExpectNoError(err, fmt.Sprintf("Error GetAccountInfo from volumeID(%s): %v", volume.VolumeID, err))
 
 			ginkgo.By("creating the secret")
diff --git a/test/sanity/run-test.sh b/test/sanity/run-test.sh
index 758142953f..5c3416ac13 100755
--- a/test/sanity/run-test.sh
+++ b/test/sanity/run-test.sh
@@ -40,7 +40,7 @@ azcopyPath="/usr/local/bin/azcopy"
 if [ ! -f "$azcopyPath" ]; then
   azcopyTarFile="azcopy.tar.gz"
   echo 'Downloading azcopy...'
-  wget -O $azcopyTarFile https://github.com/Azure/azure-storage-azcopy/releases/download/v10.30.1/azcopy_linux_amd64_10.30.1.tar.gz
+  wget -O $azcopyTarFile https://github.com/Azure/azure-storage-azcopy/releases/download/v10.31.1/azcopy_linux_amd64_10.31.1.tar.gz
   tar -zxvf $azcopyTarFile
   mv ./azcopy*/azcopy /usr/local/bin/azcopy
   rm -rf ./$azcopyTarFile
diff --git a/test/sanity/run-tests-all-clouds.sh b/test/sanity/run-tests-all-clouds.sh
index f080b837fe..d6a4872d1b 100755
--- a/test/sanity/run-tests-all-clouds.sh
+++ b/test/sanity/run-tests-all-clouds.sh
@@ -21,7 +21,7 @@ function install_csi_sanity_bin {
   mkdir -p $GOPATH/src/github.com/kubernetes-csi
   pushd $GOPATH/src/github.com/kubernetes-csi
   export GO111MODULE=off
-  git clone https://github.com/kubernetes-csi/csi-test.git -b v5.3.1
+  git clone https://github.com/kubernetes-csi/csi-test.git -b v5.4.0
   pushd csi-test/cmd/csi-sanity
   make install
   popd
diff --git a/test/sanity/sanity_test.go b/test/sanity/sanity_test.go
index 0813bc78c6..5eb47ad696 100644
--- a/test/sanity/sanity_test.go
+++ b/test/sanity/sanity_test.go
@@ -63,10 +63,6 @@ func TestSanity(t *testing.T) {
 		}
 	}()
 
-	log.Printf("Creating a VM in %s", creds.ResourceGroup)
-	_, err = azureClient.EnsureVirtualMachine(ctx, creds.ResourceGroup, creds.Location, nodeid)
-	assert.NoError(t, err)
-
 	// Execute the script from project root
 	err = os.Chdir("../..")
 	assert.NoError(t, err)
diff --git a/test/utils/azure/azure_helpers.go b/test/utils/azure/azure_helpers.go
index 1d2494b2f6..57f1a6c97c 100644
--- a/test/utils/azure/azure_helpers.go
+++ b/test/utils/azure/azure_helpers.go
@@ -22,34 +22,19 @@ import (
 	"os"
 	"time"
 
-	"github.com/Azure/azure-sdk-for-go/sdk/azcore/to"
-	compute "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v6"
-	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v6"
-	network "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v6"
 	resources "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources"
 	storage "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/storage/armstorage/v2"
-	"k8s.io/utils/ptr"
 	"sigs.k8s.io/azurefile-csi-driver/pkg/azurefile"
 	"sigs.k8s.io/cloud-provider-azure/pkg/azclient"
 	"sigs.k8s.io/cloud-provider-azure/pkg/azclient/accountclient"
 	"sigs.k8s.io/cloud-provider-azure/pkg/azclient/fileshareclient"
-	"sigs.k8s.io/cloud-provider-azure/pkg/azclient/interfaceclient"
 	"sigs.k8s.io/cloud-provider-azure/pkg/azclient/resourcegroupclient"
-	"sigs.k8s.io/cloud-provider-azure/pkg/azclient/sshpublickeyresourceclient"
-	"sigs.k8s.io/cloud-provider-azure/pkg/azclient/subnetclient"
-	"sigs.k8s.io/cloud-provider-azure/pkg/azclient/virtualmachineclient"
-	"sigs.k8s.io/cloud-provider-azure/pkg/azclient/virtualnetworkclient"
 )
 
 type Client struct {
-	groupsClient        resourcegroupclient.Interface
-	vmClient            virtualmachineclient.Interface
-	nicClient           interfaceclient.Interface
-	subnetsClient       subnetclient.Interface
-	vnetClient          virtualnetworkclient.Interface
-	accountsClient      accountclient.Interface
-	filesharesClient    fileshareclient.Interface
-	sshPublicKeysClient sshpublickeyresourceclient.Interface
+	groupsClient     resourcegroupclient.Interface
+	accountsClient   accountclient.Interface
+	filesharesClient fileshareclient.Interface
 }
 
 func GetAzureClient(cloud, subscriptionID, clientID, tenantID, clientSecret, aadFederatedTokenFile string) (*Client, error) {
@@ -83,14 +68,9 @@ func GetAzureClient(cloud, subscriptionID, clientID, tenantID, clientSecret, aad
 		return nil, err
 	}
 	return &Client{
-		groupsClient:        factory.GetResourceGroupClient(),
-		vmClient:            factory.GetVirtualMachineClient(),
-		nicClient:           factory.GetInterfaceClient(),
-		subnetsClient:       factory.GetSubnetClient(),
-		vnetClient:          factory.GetVirtualNetworkClient(),
-		sshPublicKeysClient: factory.GetSSHPublicKeyResourceClient(),
-		accountsClient:      factory.GetAccountClient(),
-		filesharesClient:    factory.GetFileShareClient(),
+		groupsClient:     factory.GetResourceGroupClient(),
+		accountsClient:   factory.GetAccountClient(),
+		filesharesClient: factory.GetFileShareClient(),
 	}, nil
 }
 
@@ -98,18 +78,6 @@ func (az *Client) GetAzureFilesClient() (fileshareclient.Interface, error) {
 	return az.filesharesClient, nil
 }
 
-func (az *Client) EnsureSSHPublicKey(ctx context.Context, resourceGroupName, location, keyName string) (publicKey string, err error) {
-	_, err = az.sshPublicKeysClient.Create(ctx, resourceGroupName, keyName, compute.SSHPublicKeyResource{Location: &location})
-	if err != nil {
-		return "", err
-	}
-	result, err := az.sshPublicKeysClient.GenerateKeyPair(ctx, resourceGroupName, keyName)
-	if err != nil {
-		return "", err
-	}
-	return *result.PublicKey, nil
-}
-
 func (az *Client) EnsureResourceGroup(ctx context.Context, name, location string, managedBy *string) (resourceGroup *resources.ResourceGroup, err error) {
 	var tags map[string]*string
 	group, err := az.groupsClient.Get(ctx, name)
@@ -158,142 +126,6 @@ func (az *Client) DeleteResourceGroup(ctx context.Context, groupName string) err
 	}
 }
 
-func (az *Client) EnsureVirtualMachine(ctx context.Context, groupName, location, vmName string) (vm *compute.VirtualMachine, err error) {
-	nic, err := az.EnsureNIC(ctx, groupName, location, vmName+"-nic", vmName+"-vnet", vmName+"-subnet")
-	if err != nil {
-		return vm, err
-	}
-
-	publicKey, err := az.EnsureSSHPublicKey(ctx, groupName, location, "test-key")
-	if err != nil {
-		return vm, err
-	}
-
-	future, err := az.vmClient.CreateOrUpdate(
-		ctx,
-		groupName,
-		vmName,
-		compute.VirtualMachine{
-			Location: ptr.To(location),
-			Properties: &compute.VirtualMachineProperties{
-				HardwareProfile: &compute.HardwareProfile{
-					VMSize: to.Ptr(compute.VirtualMachineSizeTypesStandardDS2V2),
-				},
-				StorageProfile: &compute.StorageProfile{
-					ImageReference: &compute.ImageReference{
-						Publisher: ptr.To("Canonical"),
-						Offer:     ptr.To("UbuntuServer"),
-						SKU:       ptr.To("16.04.0-LTS"),
-						Version:   ptr.To("latest"),
-					},
-				},
-				OSProfile: &compute.OSProfile{
-					ComputerName:  ptr.To(vmName),
-					AdminUsername: ptr.To("azureuser"),
-					AdminPassword: ptr.To("Azureuser1234"),
-					LinuxConfiguration: &compute.LinuxConfiguration{
-						DisablePasswordAuthentication: ptr.To(true),
-						SSH: &compute.SSHConfiguration{
-							PublicKeys: []*compute.SSHPublicKey{
-								{
-									Path:    ptr.To("/home/azureuser/.ssh/authorized_keys"),
-									KeyData: &publicKey,
-								},
-							},
-						},
-					},
-				},
-				NetworkProfile: &compute.NetworkProfile{
-					NetworkInterfaces: []*compute.NetworkInterfaceReference{
-						{
-							ID: nic.ID,
-							Properties: &compute.NetworkInterfaceReferenceProperties{
-								Primary: ptr.To(true),
-							},
-						},
-					},
-				},
-			},
-		},
-	)
-	if err != nil {
-		return vm, fmt.Errorf("cannot create vm: %v", err)
-	}
-
-	return future, nil
-}
-
-func (az *Client) EnsureNIC(ctx context.Context, groupName, location, nicName, vnetName, subnetName string) (nic *network.Interface, err error) {
-	_, err = az.EnsureVirtualNetworkAndSubnet(ctx, groupName, location, vnetName, subnetName)
-	if err != nil {
-		return nic, err
-	}
-
-	subnet, err := az.GetVirtualNetworkSubnet(ctx, groupName, vnetName, subnetName)
-	if err != nil {
-		return nic, fmt.Errorf("cannot get subnet %s of virtual network %s in %s: %v", subnetName, vnetName, groupName, err)
-	}
-
-	future, err := az.nicClient.CreateOrUpdate(
-		ctx,
-		groupName,
-		nicName,
-		network.Interface{
-			Name:     ptr.To(nicName),
-			Location: ptr.To(location),
-			Properties: &armnetwork.InterfacePropertiesFormat{
-				IPConfigurations: []*network.InterfaceIPConfiguration{
-					{
-						Name: ptr.To("ipConfig1"),
-						Properties: &armnetwork.InterfaceIPConfigurationPropertiesFormat{
-							Subnet:                    subnet,
-							PrivateIPAllocationMethod: to.Ptr(network.IPAllocationMethodDynamic),
-						},
-					},
-				},
-			},
-		},
-	)
-	if err != nil {
-		return nic, fmt.Errorf("cannot create nic: %v", err)
-	}
-
-	return future, nil
-}
-
-func (az *Client) EnsureVirtualNetworkAndSubnet(ctx context.Context, groupName, location, vnetName, subnetName string) (vnet *network.VirtualNetwork, err error) {
-	future, err := az.vnetClient.CreateOrUpdate(
-		ctx,
-		groupName,
-		vnetName,
-		network.VirtualNetwork{
-			Location: ptr.To(location),
-			Properties: &armnetwork.VirtualNetworkPropertiesFormat{
-				AddressSpace: &armnetwork.AddressSpace{
-					AddressPrefixes: []*string{to.Ptr("10.0.0.0/8")},
-				},
-				Subnets: []*network.Subnet{
-					{
-						Name: ptr.To(subnetName),
-						Properties: &armnetwork.SubnetPropertiesFormat{
-							AddressPrefix: ptr.To("10.0.0.0/16"),
-						},
-					},
-				},
-			},
-		})
-
-	if err != nil {
-		return vnet, fmt.Errorf("cannot create virtual network: %v", err)
-	}
-
-	return future, nil
-}
-
-func (az *Client) GetVirtualNetworkSubnet(ctx context.Context, groupName, vnetName, subnetName string) (*network.Subnet, error) {
-	return az.subnetsClient.Get(ctx, groupName, vnetName, subnetName, nil)
-}
-
 func (az *Client) GetStorageAccount(ctx context.Context, groupName, accountName string) (*storage.Account, error) {
 	return az.accountsClient.GetProperties(ctx, groupName, accountName, nil)
 }
diff --git a/vendor/cyphar.com/go-pathrs/.golangci.yml b/vendor/cyphar.com/go-pathrs/.golangci.yml
new file mode 100644
index 0000000000..2778a3268e
--- /dev/null
+++ b/vendor/cyphar.com/go-pathrs/.golangci.yml
@@ -0,0 +1,43 @@
+# SPDX-License-Identifier: MPL-2.0
+#
+# libpathrs: safe path resolution on Linux
+# Copyright (C) 2019-2025 Aleksa Sarai 
+# Copyright (C) 2019-2025 SUSE LLC
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+version: "2"
+linters:
+  enable:
+    - bidichk
+    - cyclop
+    - errname
+    - errorlint
+    - exhaustive
+    - goconst
+    - godot
+    - gomoddirectives
+    - gosec
+    - mirror
+    - misspell
+    - mnd
+    - nilerr
+    - nilnil
+    - perfsprint
+    - prealloc
+    - reassign
+    - revive
+    - unconvert
+    - unparam
+    - usestdlibvars
+    - wastedassign
+formatters:
+  enable:
+    - gofumpt
+    - goimports
+  settings:
+    goimports:
+      local-prefixes:
+        - cyphar.com/go-pathrs
diff --git a/vendor/cyphar.com/go-pathrs/COPYING b/vendor/cyphar.com/go-pathrs/COPYING
new file mode 100644
index 0000000000..d0a1fa1482
--- /dev/null
+++ b/vendor/cyphar.com/go-pathrs/COPYING
@@ -0,0 +1,373 @@
+Mozilla Public License Version 2.0
+==================================
+
+1. Definitions
+--------------
+
+1.1. "Contributor"
+    means each individual or legal entity that creates, contributes to
+    the creation of, or owns Covered Software.
+
+1.2. "Contributor Version"
+    means the combination of the Contributions of others (if any) used
+    by a Contributor and that particular Contributor's Contribution.
+
+1.3. "Contribution"
+    means Covered Software of a particular Contributor.
+
+1.4. "Covered Software"
+    means Source Code Form to which the initial Contributor has attached
+    the notice in Exhibit A, the Executable Form of such Source Code
+    Form, and Modifications of such Source Code Form, in each case
+    including portions thereof.
+
+1.5. "Incompatible With Secondary Licenses"
+    means
+
+    (a) that the initial Contributor has attached the notice described
+        in Exhibit B to the Covered Software; or
+
+    (b) that the Covered Software was made available under the terms of
+        version 1.1 or earlier of the License, but not also under the
+        terms of a Secondary License.
+
+1.6. "Executable Form"
+    means any form of the work other than Source Code Form.
+
+1.7. "Larger Work"
+    means a work that combines Covered Software with other material, in
+    a separate file or files, that is not Covered Software.
+
+1.8. "License"
+    means this document.
+
+1.9. "Licensable"
+    means having the right to grant, to the maximum extent possible,
+    whether at the time of the initial grant or subsequently, any and
+    all of the rights conveyed by this License.
+
+1.10. "Modifications"
+    means any of the following:
+
+    (a) any file in Source Code Form that results from an addition to,
+        deletion from, or modification of the contents of Covered
+        Software; or
+
+    (b) any new file in Source Code Form that contains any Covered
+        Software.
+
+1.11. "Patent Claims" of a Contributor
+    means any patent claim(s), including without limitation, method,
+    process, and apparatus claims, in any patent Licensable by such
+    Contributor that would be infringed, but for the grant of the
+    License, by the making, using, selling, offering for sale, having
+    made, import, or transfer of either its Contributions or its
+    Contributor Version.
+
+1.12. "Secondary License"
+    means either the GNU General Public License, Version 2.0, the GNU
+    Lesser General Public License, Version 2.1, the GNU Affero General
+    Public License, Version 3.0, or any later versions of those
+    licenses.
+
+1.13. "Source Code Form"
+    means the form of the work preferred for making modifications.
+
+1.14. "You" (or "Your")
+    means an individual or a legal entity exercising rights under this
+    License. For legal entities, "You" includes any entity that
+    controls, is controlled by, or is under common control with You. For
+    purposes of this definition, "control" means (a) the power, direct
+    or indirect, to cause the direction or management of such entity,
+    whether by contract or otherwise, or (b) ownership of more than
+    fifty percent (50%) of the outstanding shares or beneficial
+    ownership of such entity.
+
+2. License Grants and Conditions
+--------------------------------
+
+2.1. Grants
+
+Each Contributor hereby grants You a world-wide, royalty-free,
+non-exclusive license:
+
+(a) under intellectual property rights (other than patent or trademark)
+    Licensable by such Contributor to use, reproduce, make available,
+    modify, display, perform, distribute, and otherwise exploit its
+    Contributions, either on an unmodified basis, with Modifications, or
+    as part of a Larger Work; and
+
+(b) under Patent Claims of such Contributor to make, use, sell, offer
+    for sale, have made, import, and otherwise transfer either its
+    Contributions or its Contributor Version.
+
+2.2. Effective Date
+
+The licenses granted in Section 2.1 with respect to any Contribution
+become effective for each Contribution on the date the Contributor first
+distributes such Contribution.
+
+2.3. Limitations on Grant Scope
+
+The licenses granted in this Section 2 are the only rights granted under
+this License. No additional rights or licenses will be implied from the
+distribution or licensing of Covered Software under this License.
+Notwithstanding Section 2.1(b) above, no patent license is granted by a
+Contributor:
+
+(a) for any code that a Contributor has removed from Covered Software;
+    or
+
+(b) for infringements caused by: (i) Your and any other third party's
+    modifications of Covered Software, or (ii) the combination of its
+    Contributions with other software (except as part of its Contributor
+    Version); or
+
+(c) under Patent Claims infringed by Covered Software in the absence of
+    its Contributions.
+
+This License does not grant any rights in the trademarks, service marks,
+or logos of any Contributor (except as may be necessary to comply with
+the notice requirements in Section 3.4).
+
+2.4. Subsequent Licenses
+
+No Contributor makes additional grants as a result of Your choice to
+distribute the Covered Software under a subsequent version of this
+License (see Section 10.2) or under the terms of a Secondary License (if
+permitted under the terms of Section 3.3).
+
+2.5. Representation
+
+Each Contributor represents that the Contributor believes its
+Contributions are its original creation(s) or it has sufficient rights
+to grant the rights to its Contributions conveyed by this License.
+
+2.6. Fair Use
+
+This License is not intended to limit any rights You have under
+applicable copyright doctrines of fair use, fair dealing, or other
+equivalents.
+
+2.7. Conditions
+
+Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted
+in Section 2.1.
+
+3. Responsibilities
+-------------------
+
+3.1. Distribution of Source Form
+
+All distribution of Covered Software in Source Code Form, including any
+Modifications that You create or to which You contribute, must be under
+the terms of this License. You must inform recipients that the Source
+Code Form of the Covered Software is governed by the terms of this
+License, and how they can obtain a copy of this License. You may not
+attempt to alter or restrict the recipients' rights in the Source Code
+Form.
+
+3.2. Distribution of Executable Form
+
+If You distribute Covered Software in Executable Form then:
+
+(a) such Covered Software must also be made available in Source Code
+    Form, as described in Section 3.1, and You must inform recipients of
+    the Executable Form how they can obtain a copy of such Source Code
+    Form by reasonable means in a timely manner, at a charge no more
+    than the cost of distribution to the recipient; and
+
+(b) You may distribute such Executable Form under the terms of this
+    License, or sublicense it under different terms, provided that the
+    license for the Executable Form does not attempt to limit or alter
+    the recipients' rights in the Source Code Form under this License.
+
+3.3. Distribution of a Larger Work
+
+You may create and distribute a Larger Work under terms of Your choice,
+provided that You also comply with the requirements of this License for
+the Covered Software. If the Larger Work is a combination of Covered
+Software with a work governed by one or more Secondary Licenses, and the
+Covered Software is not Incompatible With Secondary Licenses, this
+License permits You to additionally distribute such Covered Software
+under the terms of such Secondary License(s), so that the recipient of
+the Larger Work may, at their option, further distribute the Covered
+Software under the terms of either this License or such Secondary
+License(s).
+
+3.4. Notices
+
+You may not remove or alter the substance of any license notices
+(including copyright notices, patent notices, disclaimers of warranty,
+or limitations of liability) contained within the Source Code Form of
+the Covered Software, except that You may alter any license notices to
+the extent required to remedy known factual inaccuracies.
+
+3.5. Application of Additional Terms
+
+You may choose to offer, and to charge a fee for, warranty, support,
+indemnity or liability obligations to one or more recipients of Covered
+Software. However, You may do so only on Your own behalf, and not on
+behalf of any Contributor. You must make it absolutely clear that any
+such warranty, support, indemnity, or liability obligation is offered by
+You alone, and You hereby agree to indemnify every Contributor for any
+liability incurred by such Contributor as a result of warranty, support,
+indemnity or liability terms You offer. You may include additional
+disclaimers of warranty and limitations of liability specific to any
+jurisdiction.
+
+4. Inability to Comply Due to Statute or Regulation
+---------------------------------------------------
+
+If it is impossible for You to comply with any of the terms of this
+License with respect to some or all of the Covered Software due to
+statute, judicial order, or regulation then You must: (a) comply with
+the terms of this License to the maximum extent possible; and (b)
+describe the limitations and the code they affect. Such description must
+be placed in a text file included with all distributions of the Covered
+Software under this License. Except to the extent prohibited by statute
+or regulation, such description must be sufficiently detailed for a
+recipient of ordinary skill to be able to understand it.
+
+5. Termination
+--------------
+
+5.1. The rights granted under this License will terminate automatically
+if You fail to comply with any of its terms. However, if You become
+compliant, then the rights granted under this License from a particular
+Contributor are reinstated (a) provisionally, unless and until such
+Contributor explicitly and finally terminates Your grants, and (b) on an
+ongoing basis, if such Contributor fails to notify You of the
+non-compliance by some reasonable means prior to 60 days after You have
+come back into compliance. Moreover, Your grants from a particular
+Contributor are reinstated on an ongoing basis if such Contributor
+notifies You of the non-compliance by some reasonable means, this is the
+first time You have received notice of non-compliance with this License
+from such Contributor, and You become compliant prior to 30 days after
+Your receipt of the notice.
+
+5.2. If You initiate litigation against any entity by asserting a patent
+infringement claim (excluding declaratory judgment actions,
+counter-claims, and cross-claims) alleging that a Contributor Version
+directly or indirectly infringes any patent, then the rights granted to
+You by any and all Contributors for the Covered Software under Section
+2.1 of this License shall terminate.
+
+5.3. In the event of termination under Sections 5.1 or 5.2 above, all
+end user license agreements (excluding distributors and resellers) which
+have been validly granted by You or Your distributors under this License
+prior to termination shall survive termination.
+
+************************************************************************
+*                                                                      *
+*  6. Disclaimer of Warranty                                           *
+*  -------------------------                                           *
+*                                                                      *
+*  Covered Software is provided under this License on an "as is"       *
+*  basis, without warranty of any kind, either expressed, implied, or  *
+*  statutory, including, without limitation, warranties that the       *
+*  Covered Software is free of defects, merchantable, fit for a        *
+*  particular purpose or non-infringing. The entire risk as to the     *
+*  quality and performance of the Covered Software is with You.        *
+*  Should any Covered Software prove defective in any respect, You     *
+*  (not any Contributor) assume the cost of any necessary servicing,   *
+*  repair, or correction. This disclaimer of warranty constitutes an   *
+*  essential part of this License. No use of any Covered Software is   *
+*  authorized under this License except under this disclaimer.         *
+*                                                                      *
+************************************************************************
+
+************************************************************************
+*                                                                      *
+*  7. Limitation of Liability                                          *
+*  --------------------------                                          *
+*                                                                      *
+*  Under no circumstances and under no legal theory, whether tort      *
+*  (including negligence), contract, or otherwise, shall any           *
+*  Contributor, or anyone who distributes Covered Software as          *
+*  permitted above, be liable to You for any direct, indirect,         *
+*  special, incidental, or consequential damages of any character      *
+*  including, without limitation, damages for lost profits, loss of    *
+*  goodwill, work stoppage, computer failure or malfunction, or any    *
+*  and all other commercial damages or losses, even if such party      *
+*  shall have been informed of the possibility of such damages. This   *
+*  limitation of liability shall not apply to liability for death or   *
+*  personal injury resulting from such party's negligence to the       *
+*  extent applicable law prohibits such limitation. Some               *
+*  jurisdictions do not allow the exclusion or limitation of           *
+*  incidental or consequential damages, so this exclusion and          *
+*  limitation may not apply to You.                                    *
+*                                                                      *
+************************************************************************
+
+8. Litigation
+-------------
+
+Any litigation relating to this License may be brought only in the
+courts of a jurisdiction where the defendant maintains its principal
+place of business and such litigation shall be governed by laws of that
+jurisdiction, without reference to its conflict-of-law provisions.
+Nothing in this Section shall prevent a party's ability to bring
+cross-claims or counter-claims.
+
+9. Miscellaneous
+----------------
+
+This License represents the complete agreement concerning the subject
+matter hereof. If any provision of this License is held to be
+unenforceable, such provision shall be reformed only to the extent
+necessary to make it enforceable. Any law or regulation which provides
+that the language of a contract shall be construed against the drafter
+shall not be used to construe this License against a Contributor.
+
+10. Versions of the License
+---------------------------
+
+10.1. New Versions
+
+Mozilla Foundation is the license steward. Except as provided in Section
+10.3, no one other than the license steward has the right to modify or
+publish new versions of this License. Each version will be given a
+distinguishing version number.
+
+10.2. Effect of New Versions
+
+You may distribute the Covered Software under the terms of the version
+of the License under which You originally received the Covered Software,
+or under the terms of any subsequent version published by the license
+steward.
+
+10.3. Modified Versions
+
+If you create software not governed by this License, and you want to
+create a new license for such software, you may create and use a
+modified version of this License if you rename the license and remove
+any references to the name of the license steward (except to note that
+such modified license differs from this License).
+
+10.4. Distributing Source Code Form that is Incompatible With Secondary
+Licenses
+
+If You choose to distribute Source Code Form that is Incompatible With
+Secondary Licenses under the terms of this version of the License, the
+notice described in Exhibit B of this License must be attached.
+
+Exhibit A - Source Code Form License Notice
+-------------------------------------------
+
+  This Source Code Form is subject to the terms of the Mozilla Public
+  License, v. 2.0. If a copy of the MPL was not distributed with this
+  file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+If it is not possible or desirable to put the notice in a particular
+file, then You may include the notice in a location (such as a LICENSE
+file in a relevant directory) where a recipient would be likely to look
+for such a notice.
+
+You may add additional accurate notices of copyright ownership.
+
+Exhibit B - "Incompatible With Secondary Licenses" Notice
+---------------------------------------------------------
+
+  This Source Code Form is "Incompatible With Secondary Licenses", as
+  defined by the Mozilla Public License, v. 2.0.
diff --git a/vendor/cyphar.com/go-pathrs/doc.go b/vendor/cyphar.com/go-pathrs/doc.go
new file mode 100644
index 0000000000..a7ee4bc487
--- /dev/null
+++ b/vendor/cyphar.com/go-pathrs/doc.go
@@ -0,0 +1,14 @@
+// SPDX-License-Identifier: MPL-2.0
+/*
+ * libpathrs: safe path resolution on Linux
+ * Copyright (C) 2019-2025 Aleksa Sarai 
+ * Copyright (C) 2019-2025 SUSE LLC
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/.
+ */
+
+// Package pathrs provides bindings for libpathrs, a library for safe path
+// resolution on Linux.
+package pathrs
diff --git a/vendor/cyphar.com/go-pathrs/handle_linux.go b/vendor/cyphar.com/go-pathrs/handle_linux.go
new file mode 100644
index 0000000000..3221ef6738
--- /dev/null
+++ b/vendor/cyphar.com/go-pathrs/handle_linux.go
@@ -0,0 +1,114 @@
+//go:build linux
+
+// SPDX-License-Identifier: MPL-2.0
+/*
+ * libpathrs: safe path resolution on Linux
+ * Copyright (C) 2019-2025 Aleksa Sarai 
+ * Copyright (C) 2019-2025 SUSE LLC
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/.
+ */
+
+package pathrs
+
+import (
+	"fmt"
+	"os"
+
+	"cyphar.com/go-pathrs/internal/fdutils"
+	"cyphar.com/go-pathrs/internal/libpathrs"
+)
+
+// Handle is a handle for a path within a given [Root]. This handle references
+// an already-resolved path which can be used for only one purpose -- to
+// "re-open" the handle and get an actual [os.File] which can be used for
+// ordinary operations.
+//
+// If you wish to open a file without having an intermediate [Handle] object,
+// you can try to use [Root.Open] or [Root.OpenFile].
+//
+// It is critical that perform all relevant operations through this [Handle]
+// (rather than fetching the file descriptor yourself with [Handle.IntoRaw]),
+// because the security properties of libpathrs depend on users doing all
+// relevant filesystem operations through libpathrs.
+//
+// [os.File]: https://pkg.go.dev/os#File
+type Handle struct {
+	inner *os.File
+}
+
+// HandleFromFile creates a new [Handle] from an existing file handle. The
+// handle will be copied by this method, so the original handle should still be
+// freed by the caller.
+//
+// This is effectively the inverse operation of [Handle.IntoRaw], and is used
+// for "deserialising" pathrs root handles.
+func HandleFromFile(file *os.File) (*Handle, error) {
+	newFile, err := fdutils.DupFile(file)
+	if err != nil {
+		return nil, fmt.Errorf("duplicate handle fd: %w", err)
+	}
+	return &Handle{inner: newFile}, nil
+}
+
+// Open creates an "upgraded" file handle to the file referenced by the
+// [Handle]. Note that the original [Handle] is not consumed by this operation,
+// and can be opened multiple times.
+//
+// The handle returned is only usable for reading, and this is method is
+// shorthand for [Handle.OpenFile] with os.O_RDONLY.
+//
+// TODO: Rename these to "Reopen" or something.
+func (h *Handle) Open() (*os.File, error) {
+	return h.OpenFile(os.O_RDONLY)
+}
+
+// OpenFile creates an "upgraded" file handle to the file referenced by the
+// [Handle]. Note that the original [Handle] is not consumed by this operation,
+// and can be opened multiple times.
+//
+// The provided flags indicate which open(2) flags are used to create the new
+// handle.
+//
+// TODO: Rename these to "Reopen" or something.
+func (h *Handle) OpenFile(flags int) (*os.File, error) {
+	return fdutils.WithFileFd(h.inner, func(fd uintptr) (*os.File, error) {
+		newFd, err := libpathrs.Reopen(fd, flags)
+		if err != nil {
+			return nil, err
+		}
+		return os.NewFile(newFd, h.inner.Name()), nil
+	})
+}
+
+// IntoFile unwraps the [Handle] into its underlying [os.File].
+//
+// You almost certainly want to use [Handle.OpenFile] to get a non-O_PATH
+// version of this [Handle].
+//
+// This operation returns the internal [os.File] of the [Handle] directly, so
+// calling [Handle.Close] will also close any copies of the returned [os.File].
+// If you want to get an independent copy, use [Handle.Clone] followed by
+// [Handle.IntoFile] on the cloned [Handle].
+//
+// [os.File]: https://pkg.go.dev/os#File
+func (h *Handle) IntoFile() *os.File {
+	// TODO: Figure out if we really don't want to make a copy.
+	// TODO: We almost certainly want to clear r.inner here, but we can't do
+	//       that easily atomically (we could use atomic.Value but that'll make
+	//       things quite a bit uglier).
+	return h.inner
+}
+
+// Clone creates a copy of a [Handle], such that it has a separate lifetime to
+// the original (while referring to the same underlying file).
+func (h *Handle) Clone() (*Handle, error) {
+	return HandleFromFile(h.inner)
+}
+
+// Close frees all of the resources used by the [Handle].
+func (h *Handle) Close() error {
+	return h.inner.Close()
+}
diff --git a/vendor/cyphar.com/go-pathrs/internal/fdutils/fd_linux.go b/vendor/cyphar.com/go-pathrs/internal/fdutils/fd_linux.go
new file mode 100644
index 0000000000..41aea3e4b3
--- /dev/null
+++ b/vendor/cyphar.com/go-pathrs/internal/fdutils/fd_linux.go
@@ -0,0 +1,75 @@
+//go:build linux
+
+// SPDX-License-Identifier: MPL-2.0
+/*
+ * libpathrs: safe path resolution on Linux
+ * Copyright (C) 2019-2025 Aleksa Sarai 
+ * Copyright (C) 2019-2025 SUSE LLC
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/.
+ */
+
+// Package fdutils contains a few helper methods when dealing with *os.File and
+// file descriptors.
+package fdutils
+
+import (
+	"fmt"
+	"os"
+
+	"golang.org/x/sys/unix"
+
+	"cyphar.com/go-pathrs/internal/libpathrs"
+)
+
+// DupFd makes a duplicate of the given fd.
+func DupFd(fd uintptr, name string) (*os.File, error) {
+	newFd, err := unix.FcntlInt(fd, unix.F_DUPFD_CLOEXEC, 0)
+	if err != nil {
+		return nil, fmt.Errorf("fcntl(F_DUPFD_CLOEXEC): %w", err)
+	}
+	return os.NewFile(uintptr(newFd), name), nil
+}
+
+// WithFileFd is a more ergonomic wrapper around file.SyscallConn().Control().
+func WithFileFd[T any](file *os.File, fn func(fd uintptr) (T, error)) (T, error) {
+	conn, err := file.SyscallConn()
+	if err != nil {
+		return *new(T), err
+	}
+	var (
+		ret      T
+		innerErr error
+	)
+	if err := conn.Control(func(fd uintptr) {
+		ret, innerErr = fn(fd)
+	}); err != nil {
+		return *new(T), err
+	}
+	return ret, innerErr
+}
+
+// DupFile makes a duplicate of the given file.
+func DupFile(file *os.File) (*os.File, error) {
+	return WithFileFd(file, func(fd uintptr) (*os.File, error) {
+		return DupFd(fd, file.Name())
+	})
+}
+
+// MkFile creates a new *os.File from the provided file descriptor. However,
+// unlike os.NewFile, the file's Name is based on the real path (provided by
+// /proc/self/fd/$n).
+func MkFile(fd uintptr) (*os.File, error) {
+	fdPath := fmt.Sprintf("fd/%d", fd)
+	fdName, err := libpathrs.ProcReadlinkat(libpathrs.ProcDefaultRootFd, libpathrs.ProcThreadSelf, fdPath)
+	if err != nil {
+		_ = unix.Close(int(fd))
+		return nil, fmt.Errorf("failed to fetch real name of fd %d: %w", fd, err)
+	}
+	// TODO: Maybe we should prefix this name with something to indicate to
+	// users that they must not use this path as a "safe" path. Something like
+	// "//pathrs-handle:/foo/bar"?
+	return os.NewFile(fd, fdName), nil
+}
diff --git a/vendor/cyphar.com/go-pathrs/internal/libpathrs/error_unix.go b/vendor/cyphar.com/go-pathrs/internal/libpathrs/error_unix.go
new file mode 100644
index 0000000000..c9f416de01
--- /dev/null
+++ b/vendor/cyphar.com/go-pathrs/internal/libpathrs/error_unix.go
@@ -0,0 +1,40 @@
+//go:build linux
+
+// TODO: Use "go:build unix" once we bump the minimum Go version 1.19.
+
+// SPDX-License-Identifier: MPL-2.0
+/*
+ * libpathrs: safe path resolution on Linux
+ * Copyright (C) 2019-2025 Aleksa Sarai 
+ * Copyright (C) 2019-2025 SUSE LLC
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/.
+ */
+
+package libpathrs
+
+import (
+	"syscall"
+)
+
+// Error represents an underlying libpathrs error.
+type Error struct {
+	description string
+	errno       syscall.Errno
+}
+
+// Error returns a textual description of the error.
+func (err *Error) Error() string {
+	return err.description
+}
+
+// Unwrap returns the underlying error which was wrapped by this error (if
+// applicable).
+func (err *Error) Unwrap() error {
+	if err.errno != 0 {
+		return err.errno
+	}
+	return nil
+}
diff --git a/vendor/cyphar.com/go-pathrs/internal/libpathrs/libpathrs_linux.go b/vendor/cyphar.com/go-pathrs/internal/libpathrs/libpathrs_linux.go
new file mode 100644
index 0000000000..c07b80e307
--- /dev/null
+++ b/vendor/cyphar.com/go-pathrs/internal/libpathrs/libpathrs_linux.go
@@ -0,0 +1,337 @@
+//go:build linux
+
+// SPDX-License-Identifier: MPL-2.0
+/*
+ * libpathrs: safe path resolution on Linux
+ * Copyright (C) 2019-2025 Aleksa Sarai 
+ * Copyright (C) 2019-2025 SUSE LLC
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/.
+ */
+
+// Package libpathrs is an internal thin wrapper around the libpathrs C API.
+package libpathrs
+
+import (
+	"fmt"
+	"syscall"
+	"unsafe"
+)
+
+/*
+// TODO: Figure out if we need to add support for linking against libpathrs
+//       statically even if in dynamically linked builds in order to make
+//       packaging a bit easier (using "-Wl,-Bstatic -lpathrs -Wl,-Bdynamic" or
+//       "-l:pathrs.a").
+#cgo pkg-config: pathrs
+#include 
+
+// This is a workaround for unsafe.Pointer() not working for non-void pointers.
+char *cast_ptr(void *ptr) { return ptr; }
+*/
+import "C"
+
+func fetchError(errID C.int) error {
+	if errID >= C.__PATHRS_MAX_ERR_VALUE {
+		return nil
+	}
+	cErr := C.pathrs_errorinfo(errID)
+	defer C.pathrs_errorinfo_free(cErr)
+
+	var err error
+	if cErr != nil {
+		err = &Error{
+			errno:       syscall.Errno(cErr.saved_errno),
+			description: C.GoString(cErr.description),
+		}
+	}
+	return err
+}
+
+// OpenRoot wraps pathrs_open_root.
+func OpenRoot(path string) (uintptr, error) {
+	cPath := C.CString(path)
+	defer C.free(unsafe.Pointer(cPath))
+
+	fd := C.pathrs_open_root(cPath)
+	return uintptr(fd), fetchError(fd)
+}
+
+// Reopen wraps pathrs_reopen.
+func Reopen(fd uintptr, flags int) (uintptr, error) {
+	newFd := C.pathrs_reopen(C.int(fd), C.int(flags))
+	return uintptr(newFd), fetchError(newFd)
+}
+
+// InRootResolve wraps pathrs_inroot_resolve.
+func InRootResolve(rootFd uintptr, path string) (uintptr, error) {
+	cPath := C.CString(path)
+	defer C.free(unsafe.Pointer(cPath))
+
+	fd := C.pathrs_inroot_resolve(C.int(rootFd), cPath)
+	return uintptr(fd), fetchError(fd)
+}
+
+// InRootResolveNoFollow wraps pathrs_inroot_resolve_nofollow.
+func InRootResolveNoFollow(rootFd uintptr, path string) (uintptr, error) {
+	cPath := C.CString(path)
+	defer C.free(unsafe.Pointer(cPath))
+
+	fd := C.pathrs_inroot_resolve_nofollow(C.int(rootFd), cPath)
+	return uintptr(fd), fetchError(fd)
+}
+
+// InRootOpen wraps pathrs_inroot_open.
+func InRootOpen(rootFd uintptr, path string, flags int) (uintptr, error) {
+	cPath := C.CString(path)
+	defer C.free(unsafe.Pointer(cPath))
+
+	fd := C.pathrs_inroot_open(C.int(rootFd), cPath, C.int(flags))
+	return uintptr(fd), fetchError(fd)
+}
+
+// InRootReadlink wraps pathrs_inroot_readlink.
+func InRootReadlink(rootFd uintptr, path string) (string, error) {
+	cPath := C.CString(path)
+	defer C.free(unsafe.Pointer(cPath))
+
+	size := 128
+	for {
+		linkBuf := make([]byte, size)
+		n := C.pathrs_inroot_readlink(C.int(rootFd), cPath, C.cast_ptr(unsafe.Pointer(&linkBuf[0])), C.ulong(len(linkBuf)))
+		switch {
+		case int(n) < C.__PATHRS_MAX_ERR_VALUE:
+			return "", fetchError(n)
+		case int(n) <= len(linkBuf):
+			return string(linkBuf[:int(n)]), nil
+		default:
+			// The contents were truncated. Unlike readlinkat, pathrs returns
+			// the size of the link when it checked. So use the returned size
+			// as a basis for the reallocated size (but in order to avoid a DoS
+			// where a magic-link is growing by a single byte each iteration,
+			// make sure we are a fair bit larger).
+			size += int(n)
+		}
+	}
+}
+
+// InRootRmdir wraps pathrs_inroot_rmdir.
+func InRootRmdir(rootFd uintptr, path string) error {
+	cPath := C.CString(path)
+	defer C.free(unsafe.Pointer(cPath))
+
+	err := C.pathrs_inroot_rmdir(C.int(rootFd), cPath)
+	return fetchError(err)
+}
+
+// InRootUnlink wraps pathrs_inroot_unlink.
+func InRootUnlink(rootFd uintptr, path string) error {
+	cPath := C.CString(path)
+	defer C.free(unsafe.Pointer(cPath))
+
+	err := C.pathrs_inroot_unlink(C.int(rootFd), cPath)
+	return fetchError(err)
+}
+
+// InRootRemoveAll wraps pathrs_inroot_remove_all.
+func InRootRemoveAll(rootFd uintptr, path string) error {
+	cPath := C.CString(path)
+	defer C.free(unsafe.Pointer(cPath))
+
+	err := C.pathrs_inroot_remove_all(C.int(rootFd), cPath)
+	return fetchError(err)
+}
+
+// InRootCreat wraps pathrs_inroot_creat.
+func InRootCreat(rootFd uintptr, path string, flags int, mode uint32) (uintptr, error) {
+	cPath := C.CString(path)
+	defer C.free(unsafe.Pointer(cPath))
+
+	fd := C.pathrs_inroot_creat(C.int(rootFd), cPath, C.int(flags), C.uint(mode))
+	return uintptr(fd), fetchError(fd)
+}
+
+// InRootRename wraps pathrs_inroot_rename.
+func InRootRename(rootFd uintptr, src, dst string, flags uint) error {
+	cSrc := C.CString(src)
+	defer C.free(unsafe.Pointer(cSrc))
+
+	cDst := C.CString(dst)
+	defer C.free(unsafe.Pointer(cDst))
+
+	err := C.pathrs_inroot_rename(C.int(rootFd), cSrc, cDst, C.uint(flags))
+	return fetchError(err)
+}
+
+// InRootMkdir wraps pathrs_inroot_mkdir.
+func InRootMkdir(rootFd uintptr, path string, mode uint32) error {
+	cPath := C.CString(path)
+	defer C.free(unsafe.Pointer(cPath))
+
+	err := C.pathrs_inroot_mkdir(C.int(rootFd), cPath, C.uint(mode))
+	return fetchError(err)
+}
+
+// InRootMkdirAll wraps pathrs_inroot_mkdir_all.
+func InRootMkdirAll(rootFd uintptr, path string, mode uint32) (uintptr, error) {
+	cPath := C.CString(path)
+	defer C.free(unsafe.Pointer(cPath))
+
+	fd := C.pathrs_inroot_mkdir_all(C.int(rootFd), cPath, C.uint(mode))
+	return uintptr(fd), fetchError(fd)
+}
+
+// InRootMknod wraps pathrs_inroot_mknod.
+func InRootMknod(rootFd uintptr, path string, mode uint32, dev uint64) error {
+	cPath := C.CString(path)
+	defer C.free(unsafe.Pointer(cPath))
+
+	err := C.pathrs_inroot_mknod(C.int(rootFd), cPath, C.uint(mode), C.dev_t(dev))
+	return fetchError(err)
+}
+
+// InRootSymlink wraps pathrs_inroot_symlink.
+func InRootSymlink(rootFd uintptr, path, target string) error {
+	cPath := C.CString(path)
+	defer C.free(unsafe.Pointer(cPath))
+
+	cTarget := C.CString(target)
+	defer C.free(unsafe.Pointer(cTarget))
+
+	err := C.pathrs_inroot_symlink(C.int(rootFd), cPath, cTarget)
+	return fetchError(err)
+}
+
+// InRootHardlink wraps pathrs_inroot_hardlink.
+func InRootHardlink(rootFd uintptr, path, target string) error {
+	cPath := C.CString(path)
+	defer C.free(unsafe.Pointer(cPath))
+
+	cTarget := C.CString(target)
+	defer C.free(unsafe.Pointer(cTarget))
+
+	err := C.pathrs_inroot_hardlink(C.int(rootFd), cPath, cTarget)
+	return fetchError(err)
+}
+
+// ProcBase is pathrs_proc_base_t (uint64_t).
+type ProcBase C.pathrs_proc_base_t
+
+// FIXME: We need to open-code the constants because CGo unfortunately will
+// implicitly convert any non-literal constants (i.e. those resolved using gcc)
+// to signed integers. See  for some
+// more information on the underlying issue (though.
+const (
+	// ProcRoot is PATHRS_PROC_ROOT.
+	ProcRoot ProcBase = 0xFFFF_FFFE_7072_6F63 // C.PATHRS_PROC_ROOT
+	// ProcSelf is PATHRS_PROC_SELF.
+	ProcSelf ProcBase = 0xFFFF_FFFE_091D_5E1F // C.PATHRS_PROC_SELF
+	// ProcThreadSelf is PATHRS_PROC_THREAD_SELF.
+	ProcThreadSelf ProcBase = 0xFFFF_FFFE_3EAD_5E1F // C.PATHRS_PROC_THREAD_SELF
+
+	// ProcBaseTypeMask is __PATHRS_PROC_TYPE_MASK.
+	ProcBaseTypeMask ProcBase = 0xFFFF_FFFF_0000_0000 // C.__PATHRS_PROC_TYPE_MASK
+	// ProcBaseTypePid is __PATHRS_PROC_TYPE_PID.
+	ProcBaseTypePid ProcBase = 0x8000_0000_0000_0000 // C.__PATHRS_PROC_TYPE_PID
+
+	// ProcDefaultRootFd is PATHRS_PROC_DEFAULT_ROOTFD.
+	ProcDefaultRootFd = -int(syscall.EBADF) // C.PATHRS_PROC_DEFAULT_ROOTFD
+)
+
+func assertEqual[T comparable](a, b T, msg string) {
+	if a != b {
+		panic(fmt.Sprintf("%s ((%T) %#v != (%T) %#v)", msg, a, a, b, b))
+	}
+}
+
+// Verify that the values above match the actual C values. Unfortunately, Go
+// only allows us to forcefully cast int64 to uint64 if you use a temporary
+// variable, which means we cannot do it in a const context and thus need to do
+// it at runtime (even though it is a check that fundamentally could be done at
+// compile-time)...
+func init() {
+	var (
+		actualProcRoot       int64 = C.PATHRS_PROC_ROOT
+		actualProcSelf       int64 = C.PATHRS_PROC_SELF
+		actualProcThreadSelf int64 = C.PATHRS_PROC_THREAD_SELF
+	)
+
+	assertEqual(ProcRoot, ProcBase(actualProcRoot), "PATHRS_PROC_ROOT")
+	assertEqual(ProcSelf, ProcBase(actualProcSelf), "PATHRS_PROC_SELF")
+	assertEqual(ProcThreadSelf, ProcBase(actualProcThreadSelf), "PATHRS_PROC_THREAD_SELF")
+
+	var (
+		actualProcBaseTypeMask uint64 = C.__PATHRS_PROC_TYPE_MASK
+		actualProcBaseTypePid  uint64 = C.__PATHRS_PROC_TYPE_PID
+	)
+
+	assertEqual(ProcBaseTypeMask, ProcBase(actualProcBaseTypeMask), "__PATHRS_PROC_TYPE_MASK")
+	assertEqual(ProcBaseTypePid, ProcBase(actualProcBaseTypePid), "__PATHRS_PROC_TYPE_PID")
+
+	assertEqual(ProcDefaultRootFd, int(C.PATHRS_PROC_DEFAULT_ROOTFD), "PATHRS_PROC_DEFAULT_ROOTFD")
+}
+
+// ProcPid reimplements the PROC_PID(x) conversion.
+func ProcPid(pid uint32) ProcBase { return ProcBaseTypePid | ProcBase(pid) }
+
+// ProcOpenat wraps pathrs_proc_openat.
+func ProcOpenat(procRootFd int, base ProcBase, path string, flags int) (uintptr, error) {
+	cBase := C.pathrs_proc_base_t(base)
+
+	cPath := C.CString(path)
+	defer C.free(unsafe.Pointer(cPath))
+
+	fd := C.pathrs_proc_openat(C.int(procRootFd), cBase, cPath, C.int(flags))
+	return uintptr(fd), fetchError(fd)
+}
+
+// ProcReadlinkat wraps pathrs_proc_readlinkat.
+func ProcReadlinkat(procRootFd int, base ProcBase, path string) (string, error) {
+	// TODO: See if we can unify this code with InRootReadlink.
+
+	cBase := C.pathrs_proc_base_t(base)
+
+	cPath := C.CString(path)
+	defer C.free(unsafe.Pointer(cPath))
+
+	size := 128
+	for {
+		linkBuf := make([]byte, size)
+		n := C.pathrs_proc_readlinkat(
+			C.int(procRootFd), cBase, cPath,
+			C.cast_ptr(unsafe.Pointer(&linkBuf[0])), C.ulong(len(linkBuf)))
+		switch {
+		case int(n) < C.__PATHRS_MAX_ERR_VALUE:
+			return "", fetchError(n)
+		case int(n) <= len(linkBuf):
+			return string(linkBuf[:int(n)]), nil
+		default:
+			// The contents were truncated. Unlike readlinkat, pathrs returns
+			// the size of the link when it checked. So use the returned size
+			// as a basis for the reallocated size (but in order to avoid a DoS
+			// where a magic-link is growing by a single byte each iteration,
+			// make sure we are a fair bit larger).
+			size += int(n)
+		}
+	}
+}
+
+// ProcfsOpenHow is pathrs_procfs_open_how (struct).
+type ProcfsOpenHow C.pathrs_procfs_open_how
+
+const (
+	// ProcfsNewUnmasked is PATHRS_PROCFS_NEW_UNMASKED.
+	ProcfsNewUnmasked = C.PATHRS_PROCFS_NEW_UNMASKED
+)
+
+// Flags returns a pointer to the internal flags field to allow other packages
+// to modify structure fields that are internal due to Go's visibility model.
+func (how *ProcfsOpenHow) Flags() *C.uint64_t { return &how.flags }
+
+// ProcfsOpen is pathrs_procfs_open (sizeof(*how) is passed automatically).
+func ProcfsOpen(how *ProcfsOpenHow) (uintptr, error) {
+	fd := C.pathrs_procfs_open((*C.pathrs_procfs_open_how)(how), C.size_t(unsafe.Sizeof(*how)))
+	return uintptr(fd), fetchError(fd)
+}
diff --git a/vendor/cyphar.com/go-pathrs/procfs/procfs_linux.go b/vendor/cyphar.com/go-pathrs/procfs/procfs_linux.go
new file mode 100644
index 0000000000..5533c427cb
--- /dev/null
+++ b/vendor/cyphar.com/go-pathrs/procfs/procfs_linux.go
@@ -0,0 +1,246 @@
+//go:build linux
+
+// SPDX-License-Identifier: MPL-2.0
+/*
+ * libpathrs: safe path resolution on Linux
+ * Copyright (C) 2019-2025 Aleksa Sarai 
+ * Copyright (C) 2019-2025 SUSE LLC
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/.
+ */
+
+// Package procfs provides a safe API for operating on /proc on Linux.
+package procfs
+
+import (
+	"os"
+	"runtime"
+
+	"cyphar.com/go-pathrs/internal/fdutils"
+	"cyphar.com/go-pathrs/internal/libpathrs"
+)
+
+// ProcBase is used with [ProcReadlink] and related functions to indicate what
+// /proc subpath path operations should be done relative to.
+type ProcBase struct {
+	inner libpathrs.ProcBase
+}
+
+var (
+	// ProcRoot indicates to use /proc. Note that this mode may be more
+	// expensive because we have to take steps to try to avoid leaking unmasked
+	// procfs handles, so you should use [ProcBaseSelf] if you can.
+	ProcRoot = ProcBase{inner: libpathrs.ProcRoot}
+	// ProcSelf indicates to use /proc/self. For most programs, this is the
+	// standard choice.
+	ProcSelf = ProcBase{inner: libpathrs.ProcSelf}
+	// ProcThreadSelf indicates to use /proc/thread-self. In multi-threaded
+	// programs where one thread has a different CLONE_FS, it is possible for
+	// /proc/self to point the wrong thread and so /proc/thread-self may be
+	// necessary.
+	ProcThreadSelf = ProcBase{inner: libpathrs.ProcThreadSelf}
+)
+
+// ProcPid returns a ProcBase which indicates to use /proc/$pid for the given
+// PID (or TID). Be aware that due to PID recycling, using this is generally
+// not safe except in certain circumstances. Namely:
+//
+//   - PID 1 (the init process), as that PID cannot ever get recycled.
+//   - Your current PID (though you should just use [ProcBaseSelf]).
+//   - Your current TID if you have used [runtime.LockOSThread] (though you
+//     should just use [ProcBaseThreadSelf]).
+//   - PIDs of child processes (as long as you are sure that no other part of
+//     your program incorrectly catches or ignores SIGCHLD, and that you do it
+//     *before* you call wait(2)or any equivalent method that could reap
+//     zombies).
+func ProcPid(pid int) ProcBase {
+	if pid < 0 || pid >= 1<<31 {
+		panic("invalid ProcBasePid value") // TODO: should this be an error?
+	}
+	return ProcBase{inner: libpathrs.ProcPid(uint32(pid))}
+}
+
+// ThreadCloser is a callback that needs to be called when you are done
+// operating on an [os.File] fetched using [Handle.OpenThreadSelf].
+//
+// [os.File]: https://pkg.go.dev/os#File
+type ThreadCloser func()
+
+// Handle is a wrapper around an *os.File handle to "/proc", which can be
+// used to do further procfs-related operations in a safe way.
+type Handle struct {
+	inner *os.File
+}
+
+// Close releases all internal resources for this [Handle].
+//
+// Note that if the handle is actually the global cached handle, this operation
+// is a no-op.
+func (proc *Handle) Close() error {
+	var err error
+	if proc.inner != nil {
+		err = proc.inner.Close()
+	}
+	return err
+}
+
+// OpenOption is a configuration function passed as an argument to [Open].
+type OpenOption func(*libpathrs.ProcfsOpenHow) error
+
+// UnmaskedProcRoot can be passed to [Open] to request an unmasked procfs
+// handle be created.
+//
+//	procfs, err := procfs.OpenRoot(procfs.UnmaskedProcRoot)
+func UnmaskedProcRoot(how *libpathrs.ProcfsOpenHow) error {
+	*how.Flags() |= libpathrs.ProcfsNewUnmasked
+	return nil
+}
+
+// Open creates a new [Handle] to a safe "/proc", based on the passed
+// configuration options (in the form of a series of [OpenOption]s).
+func Open(opts ...OpenOption) (*Handle, error) {
+	var how libpathrs.ProcfsOpenHow
+	for _, opt := range opts {
+		if err := opt(&how); err != nil {
+			return nil, err
+		}
+	}
+	fd, err := libpathrs.ProcfsOpen(&how)
+	if err != nil {
+		return nil, err
+	}
+	var procFile *os.File
+	if int(fd) >= 0 {
+		procFile = os.NewFile(fd, "/proc")
+	}
+	// TODO: Check that fd == PATHRS_PROC_DEFAULT_ROOTFD in the <0 case?
+	return &Handle{inner: procFile}, nil
+}
+
+// TODO: Switch to something fdutils.WithFileFd-like.
+func (proc *Handle) fd() int {
+	if proc.inner != nil {
+		return int(proc.inner.Fd())
+	}
+	return libpathrs.ProcDefaultRootFd
+}
+
+// TODO: Should we expose open?
+func (proc *Handle) open(base ProcBase, path string, flags int) (_ *os.File, Closer ThreadCloser, Err error) {
+	var closer ThreadCloser
+	if base == ProcThreadSelf {
+		runtime.LockOSThread()
+		closer = runtime.UnlockOSThread
+	}
+	defer func() {
+		if closer != nil && Err != nil {
+			closer()
+			Closer = nil
+		}
+	}()
+
+	fd, err := libpathrs.ProcOpenat(proc.fd(), base.inner, path, flags)
+	if err != nil {
+		return nil, nil, err
+	}
+	file, err := fdutils.MkFile(fd)
+	return file, closer, err
+}
+
+// OpenRoot safely opens a given path from inside /proc/.
+//
+// This function must only be used for accessing global information from procfs
+// (such as /proc/cpuinfo) or information about other processes (such as
+// /proc/1). Accessing your own process information should be done using
+// [Handle.OpenSelf] or [Handle.OpenThreadSelf].
+func (proc *Handle) OpenRoot(path string, flags int) (*os.File, error) {
+	file, closer, err := proc.open(ProcRoot, path, flags)
+	if closer != nil {
+		// should not happen
+		panic("non-zero closer returned from procOpen(ProcRoot)")
+	}
+	return file, err
+}
+
+// OpenSelf safely opens a given path from inside /proc/self/.
+//
+// This method is recommend for getting process information about the current
+// process for almost all Go processes *except* for cases where there are
+// [runtime.LockOSThread] threads that have changed some aspect of their state
+// (such as through unshare(CLONE_FS) or changing namespaces).
+//
+// For such non-heterogeneous processes, /proc/self may reference to a task
+// that has different state from the current goroutine and so it may be
+// preferable to use [Handle.OpenThreadSelf]. The same is true if a user
+// really wants to inspect the current OS thread's information (such as
+// /proc/thread-self/stack or /proc/thread-self/status which is always uniquely
+// per-thread).
+//
+// Unlike [Handle.OpenThreadSelf], this method does not involve locking
+// the goroutine to the current OS thread and so is simpler to use and
+// theoretically has slightly less overhead.
+//
+// [runtime.LockOSThread]: https://pkg.go.dev/runtime#LockOSThread
+func (proc *Handle) OpenSelf(path string, flags int) (*os.File, error) {
+	file, closer, err := proc.open(ProcSelf, path, flags)
+	if closer != nil {
+		// should not happen
+		panic("non-zero closer returned from procOpen(ProcSelf)")
+	}
+	return file, err
+}
+
+// OpenPid safely opens a given path from inside /proc/$pid/, where pid can be
+// either a PID or TID.
+//
+// This is effectively equivalent to calling [Handle.OpenRoot] with the
+// pid prefixed to the subpath.
+//
+// Be aware that due to PID recycling, using this is generally not safe except
+// in certain circumstances. See the documentation of [ProcPid] for more
+// details.
+func (proc *Handle) OpenPid(pid int, path string, flags int) (*os.File, error) {
+	file, closer, err := proc.open(ProcPid(pid), path, flags)
+	if closer != nil {
+		// should not happen
+		panic("non-zero closer returned from procOpen(ProcPidOpen)")
+	}
+	return file, err
+}
+
+// OpenThreadSelf safely opens a given path from inside /proc/thread-self/.
+//
+// Most Go processes have heterogeneous threads (all threads have most of the
+// same kernel state such as CLONE_FS) and so [Handle.OpenSelf] is
+// preferable for most users.
+//
+// For non-heterogeneous threads, or users that actually want thread-specific
+// information (such as /proc/thread-self/stack or /proc/thread-self/status),
+// this method is necessary.
+//
+// Because Go can change the running OS thread of your goroutine without notice
+// (and then subsequently kill the old thread), this method will lock the
+// current goroutine to the OS thread (with [runtime.LockOSThread]) and the
+// caller is responsible for unlocking the the OS thread with the
+// [ThreadCloser] callback once they are done using the returned file. This
+// callback MUST be called AFTER you have finished using the returned
+// [os.File]. This callback is completely separate to [os.File.Close], so it
+// must be called regardless of how you close the handle.
+//
+// [runtime.LockOSThread]: https://pkg.go.dev/runtime#LockOSThread
+// [os.File]: https://pkg.go.dev/os#File
+// [os.File.Close]: https://pkg.go.dev/os#File.Close
+func (proc *Handle) OpenThreadSelf(path string, flags int) (*os.File, ThreadCloser, error) {
+	return proc.open(ProcThreadSelf, path, flags)
+}
+
+// Readlink safely reads the contents of a symlink from the given procfs base.
+//
+// This is effectively equivalent to doing an Open*(O_PATH|O_NOFOLLOW) of the
+// path and then doing unix.Readlinkat(fd, ""), but with the benefit that
+// thread locking is not necessary for [ProcThreadSelf].
+func (proc *Handle) Readlink(base ProcBase, path string) (string, error) {
+	return libpathrs.ProcReadlinkat(proc.fd(), base.inner, path)
+}
diff --git a/vendor/cyphar.com/go-pathrs/root_linux.go b/vendor/cyphar.com/go-pathrs/root_linux.go
new file mode 100644
index 0000000000..edc9e4c87f
--- /dev/null
+++ b/vendor/cyphar.com/go-pathrs/root_linux.go
@@ -0,0 +1,367 @@
+//go:build linux
+
+// SPDX-License-Identifier: MPL-2.0
+/*
+ * libpathrs: safe path resolution on Linux
+ * Copyright (C) 2019-2025 Aleksa Sarai 
+ * Copyright (C) 2019-2025 SUSE LLC
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/.
+ */
+
+package pathrs
+
+import (
+	"errors"
+	"fmt"
+	"os"
+	"syscall"
+
+	"cyphar.com/go-pathrs/internal/fdutils"
+	"cyphar.com/go-pathrs/internal/libpathrs"
+)
+
+// Root is a handle to the root of a directory tree to resolve within. The only
+// purpose of this "root handle" is to perform operations within the directory
+// tree, or to get a [Handle] to inodes within the directory tree.
+//
+// At time of writing, it is considered a *VERY BAD IDEA* to open a [Root]
+// inside a possibly-attacker-controlled directory tree. While we do have
+// protections that should defend against it, it's far more dangerous than just
+// opening a directory tree which is not inside a potentially-untrusted
+// directory.
+type Root struct {
+	inner *os.File
+}
+
+// OpenRoot creates a new [Root] handle to the directory at the given path.
+func OpenRoot(path string) (*Root, error) {
+	fd, err := libpathrs.OpenRoot(path)
+	if err != nil {
+		return nil, err
+	}
+	file, err := fdutils.MkFile(fd)
+	if err != nil {
+		return nil, err
+	}
+	return &Root{inner: file}, nil
+}
+
+// RootFromFile creates a new [Root] handle from an [os.File] referencing a
+// directory. The provided file will be duplicated, so the original file should
+// still be closed by the caller.
+//
+// This is effectively the inverse operation of [Root.IntoFile].
+//
+// [os.File]: https://pkg.go.dev/os#File
+func RootFromFile(file *os.File) (*Root, error) {
+	newFile, err := fdutils.DupFile(file)
+	if err != nil {
+		return nil, fmt.Errorf("duplicate root fd: %w", err)
+	}
+	return &Root{inner: newFile}, nil
+}
+
+// Resolve resolves the given path within the [Root]'s directory tree, and
+// returns a [Handle] to the resolved path. The path must already exist,
+// otherwise an error will occur.
+//
+// All symlinks (including trailing symlinks) are followed, but they are
+// resolved within the rootfs. If you wish to open a handle to the symlink
+// itself, use [ResolveNoFollow].
+func (r *Root) Resolve(path string) (*Handle, error) {
+	return fdutils.WithFileFd(r.inner, func(rootFd uintptr) (*Handle, error) {
+		handleFd, err := libpathrs.InRootResolve(rootFd, path)
+		if err != nil {
+			return nil, err
+		}
+		handleFile, err := fdutils.MkFile(handleFd)
+		if err != nil {
+			return nil, err
+		}
+		return &Handle{inner: handleFile}, nil
+	})
+}
+
+// ResolveNoFollow is effectively an O_NOFOLLOW version of [Resolve]. Their
+// behaviour is identical, except that *trailing* symlinks will not be
+// followed. If the final component is a trailing symlink, an O_PATH|O_NOFOLLOW
+// handle to the symlink itself is returned.
+func (r *Root) ResolveNoFollow(path string) (*Handle, error) {
+	return fdutils.WithFileFd(r.inner, func(rootFd uintptr) (*Handle, error) {
+		handleFd, err := libpathrs.InRootResolveNoFollow(rootFd, path)
+		if err != nil {
+			return nil, err
+		}
+		handleFile, err := fdutils.MkFile(handleFd)
+		if err != nil {
+			return nil, err
+		}
+		return &Handle{inner: handleFile}, nil
+	})
+}
+
+// Open is effectively shorthand for [Resolve] followed by [Handle.Open], but
+// can be slightly more efficient (it reduces CGo overhead and the number of
+// syscalls used when using the openat2-based resolver) and is arguably more
+// ergonomic to use.
+//
+// This is effectively equivalent to [os.Open].
+//
+// [os.Open]: https://pkg.go.dev/os#Open
+func (r *Root) Open(path string) (*os.File, error) {
+	return r.OpenFile(path, os.O_RDONLY)
+}
+
+// OpenFile is effectively shorthand for [Resolve] followed by
+// [Handle.OpenFile], but can be slightly more efficient (it reduces CGo
+// overhead and the number of syscalls used when using the openat2-based
+// resolver) and is arguably more ergonomic to use.
+//
+// However, if flags contains os.O_NOFOLLOW and the path is a symlink, then
+// OpenFile's behaviour will match that of openat2. In most cases an error will
+// be returned, but if os.O_PATH is provided along with os.O_NOFOLLOW then a
+// file equivalent to [ResolveNoFollow] will be returned instead.
+//
+// This is effectively equivalent to [os.OpenFile], except that os.O_CREAT is
+// not supported.
+//
+// [os.OpenFile]: https://pkg.go.dev/os#OpenFile
+func (r *Root) OpenFile(path string, flags int) (*os.File, error) {
+	return fdutils.WithFileFd(r.inner, func(rootFd uintptr) (*os.File, error) {
+		fd, err := libpathrs.InRootOpen(rootFd, path, flags)
+		if err != nil {
+			return nil, err
+		}
+		return fdutils.MkFile(fd)
+	})
+}
+
+// Create creates a file within the [Root]'s directory tree at the given path,
+// and returns a handle to the file. The provided mode is used for the new file
+// (the process's umask applies).
+//
+// Unlike [os.Create], if the file already exists an error is created rather
+// than the file being opened and truncated.
+//
+// [os.Create]: https://pkg.go.dev/os#Create
+func (r *Root) Create(path string, flags int, mode os.FileMode) (*os.File, error) {
+	unixMode, err := toUnixMode(mode, false)
+	if err != nil {
+		return nil, err
+	}
+	return fdutils.WithFileFd(r.inner, func(rootFd uintptr) (*os.File, error) {
+		handleFd, err := libpathrs.InRootCreat(rootFd, path, flags, unixMode)
+		if err != nil {
+			return nil, err
+		}
+		return fdutils.MkFile(handleFd)
+	})
+}
+
+// Rename two paths within a [Root]'s directory tree. The flags argument is
+// identical to the RENAME_* flags to the renameat2(2) system call.
+func (r *Root) Rename(src, dst string, flags uint) error {
+	_, err := fdutils.WithFileFd(r.inner, func(rootFd uintptr) (struct{}, error) {
+		err := libpathrs.InRootRename(rootFd, src, dst, flags)
+		return struct{}{}, err
+	})
+	return err
+}
+
+// RemoveDir removes the named empty directory within a [Root]'s directory
+// tree.
+func (r *Root) RemoveDir(path string) error {
+	_, err := fdutils.WithFileFd(r.inner, func(rootFd uintptr) (struct{}, error) {
+		err := libpathrs.InRootRmdir(rootFd, path)
+		return struct{}{}, err
+	})
+	return err
+}
+
+// RemoveFile removes the named file within a [Root]'s directory tree.
+func (r *Root) RemoveFile(path string) error {
+	_, err := fdutils.WithFileFd(r.inner, func(rootFd uintptr) (struct{}, error) {
+		err := libpathrs.InRootUnlink(rootFd, path)
+		return struct{}{}, err
+	})
+	return err
+}
+
+// Remove removes the named file or (empty) directory within a [Root]'s
+// directory tree.
+//
+// This is effectively equivalent to [os.Remove].
+//
+// [os.Remove]: https://pkg.go.dev/os#Remove
+func (r *Root) Remove(path string) error {
+	// In order to match os.Remove's implementation we need to also do both
+	// syscalls unconditionally and adjust the error based on whether
+	// pathrs_inroot_rmdir() returned ENOTDIR.
+	unlinkErr := r.RemoveFile(path)
+	if unlinkErr == nil {
+		return nil
+	}
+	rmdirErr := r.RemoveDir(path)
+	if rmdirErr == nil {
+		return nil
+	}
+	// Both failed, adjust the error in the same way that os.Remove does.
+	err := rmdirErr
+	if errors.Is(err, syscall.ENOTDIR) {
+		err = unlinkErr
+	}
+	return err
+}
+
+// RemoveAll recursively deletes a path and all of its children.
+//
+// This is effectively equivalent to [os.RemoveAll].
+//
+// [os.RemoveAll]: https://pkg.go.dev/os#RemoveAll
+func (r *Root) RemoveAll(path string) error {
+	_, err := fdutils.WithFileFd(r.inner, func(rootFd uintptr) (struct{}, error) {
+		err := libpathrs.InRootRemoveAll(rootFd, path)
+		return struct{}{}, err
+	})
+	return err
+}
+
+// Mkdir creates a directory within a [Root]'s directory tree. The provided
+// mode is used for the new directory (the process's umask applies).
+//
+// This is effectively equivalent to [os.Mkdir].
+//
+// [os.Mkdir]: https://pkg.go.dev/os#Mkdir
+func (r *Root) Mkdir(path string, mode os.FileMode) error {
+	unixMode, err := toUnixMode(mode, false)
+	if err != nil {
+		return err
+	}
+
+	_, err = fdutils.WithFileFd(r.inner, func(rootFd uintptr) (struct{}, error) {
+		err := libpathrs.InRootMkdir(rootFd, path, unixMode)
+		return struct{}{}, err
+	})
+	return err
+}
+
+// MkdirAll creates a directory (and any parent path components if they don't
+// exist) within a [Root]'s directory tree. The provided mode is used for any
+// directories created by this function (the process's umask applies).
+//
+// This is effectively equivalent to [os.MkdirAll].
+//
+// [os.MkdirAll]: https://pkg.go.dev/os#MkdirAll
+func (r *Root) MkdirAll(path string, mode os.FileMode) (*Handle, error) {
+	unixMode, err := toUnixMode(mode, false)
+	if err != nil {
+		return nil, err
+	}
+
+	return fdutils.WithFileFd(r.inner, func(rootFd uintptr) (*Handle, error) {
+		handleFd, err := libpathrs.InRootMkdirAll(rootFd, path, unixMode)
+		if err != nil {
+			return nil, err
+		}
+		handleFile, err := fdutils.MkFile(handleFd)
+		if err != nil {
+			return nil, err
+		}
+		return &Handle{inner: handleFile}, err
+	})
+}
+
+// Mknod creates a new device inode of the given type within a [Root]'s
+// directory tree. The provided mode is used for the new directory (the
+// process's umask applies).
+//
+// This is effectively equivalent to [unix.Mknod].
+//
+// [unix.Mknod]: https://pkg.go.dev/golang.org/x/sys/unix#Mknod
+func (r *Root) Mknod(path string, mode os.FileMode, dev uint64) error {
+	unixMode, err := toUnixMode(mode, true)
+	if err != nil {
+		return err
+	}
+
+	_, err = fdutils.WithFileFd(r.inner, func(rootFd uintptr) (struct{}, error) {
+		err := libpathrs.InRootMknod(rootFd, path, unixMode, dev)
+		return struct{}{}, err
+	})
+	return err
+}
+
+// Symlink creates a symlink within a [Root]'s directory tree. The symlink is
+// created at path and is a link to target.
+//
+// This is effectively equivalent to [os.Symlink].
+//
+// [os.Symlink]: https://pkg.go.dev/os#Symlink
+func (r *Root) Symlink(path, target string) error {
+	_, err := fdutils.WithFileFd(r.inner, func(rootFd uintptr) (struct{}, error) {
+		err := libpathrs.InRootSymlink(rootFd, path, target)
+		return struct{}{}, err
+	})
+	return err
+}
+
+// Hardlink creates a hardlink within a [Root]'s directory tree. The hardlink
+// is created at path and is a link to target. Both paths are within the
+// [Root]'s directory tree (you cannot hardlink to a different [Root] or the
+// host).
+//
+// This is effectively equivalent to [os.Link].
+//
+// [os.Link]: https://pkg.go.dev/os#Link
+func (r *Root) Hardlink(path, target string) error {
+	_, err := fdutils.WithFileFd(r.inner, func(rootFd uintptr) (struct{}, error) {
+		err := libpathrs.InRootHardlink(rootFd, path, target)
+		return struct{}{}, err
+	})
+	return err
+}
+
+// Readlink returns the target of a symlink with a [Root]'s directory tree.
+//
+// This is effectively equivalent to [os.Readlink].
+//
+// [os.Readlink]: https://pkg.go.dev/os#Readlink
+func (r *Root) Readlink(path string) (string, error) {
+	return fdutils.WithFileFd(r.inner, func(rootFd uintptr) (string, error) {
+		return libpathrs.InRootReadlink(rootFd, path)
+	})
+}
+
+// IntoFile unwraps the [Root] into its underlying [os.File].
+//
+// It is critical that you do not operate on this file descriptor yourself,
+// because the security properties of libpathrs depend on users doing all
+// relevant filesystem operations through libpathrs.
+//
+// This operation returns the internal [os.File] of the [Root] directly, so
+// calling [Root.Close] will also close any copies of the returned [os.File].
+// If you want to get an independent copy, use [Root.Clone] followed by
+// [Root.IntoFile] on the cloned [Root].
+//
+// [os.File]: https://pkg.go.dev/os#File
+func (r *Root) IntoFile() *os.File {
+	// TODO: Figure out if we really don't want to make a copy.
+	// TODO: We almost certainly want to clear r.inner here, but we can't do
+	//       that easily atomically (we could use atomic.Value but that'll make
+	//       things quite a bit uglier).
+	return r.inner
+}
+
+// Clone creates a copy of a [Root] handle, such that it has a separate
+// lifetime to the original (while referring to the same underlying directory).
+func (r *Root) Clone() (*Root, error) {
+	return RootFromFile(r.inner)
+}
+
+// Close frees all of the resources used by the [Root] handle.
+func (r *Root) Close() error {
+	return r.inner.Close()
+}
diff --git a/vendor/cyphar.com/go-pathrs/utils_linux.go b/vendor/cyphar.com/go-pathrs/utils_linux.go
new file mode 100644
index 0000000000..2208d608f8
--- /dev/null
+++ b/vendor/cyphar.com/go-pathrs/utils_linux.go
@@ -0,0 +1,56 @@
+//go:build linux
+
+// SPDX-License-Identifier: MPL-2.0
+/*
+ * libpathrs: safe path resolution on Linux
+ * Copyright (C) 2019-2025 Aleksa Sarai 
+ * Copyright (C) 2019-2025 SUSE LLC
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/.
+ */
+
+package pathrs
+
+import (
+	"fmt"
+	"os"
+
+	"golang.org/x/sys/unix"
+)
+
+//nolint:cyclop // this function needs to handle a lot of cases
+func toUnixMode(mode os.FileMode, needsType bool) (uint32, error) {
+	sysMode := uint32(mode.Perm())
+	switch mode & os.ModeType { //nolint:exhaustive // we only care about ModeType bits
+	case 0:
+		if needsType {
+			sysMode |= unix.S_IFREG
+		}
+	case os.ModeDir:
+		sysMode |= unix.S_IFDIR
+	case os.ModeSymlink:
+		sysMode |= unix.S_IFLNK
+	case os.ModeCharDevice | os.ModeDevice:
+		sysMode |= unix.S_IFCHR
+	case os.ModeDevice:
+		sysMode |= unix.S_IFBLK
+	case os.ModeNamedPipe:
+		sysMode |= unix.S_IFIFO
+	case os.ModeSocket:
+		sysMode |= unix.S_IFSOCK
+	default:
+		return 0, fmt.Errorf("invalid mode filetype %+o", mode)
+	}
+	if mode&os.ModeSetuid != 0 {
+		sysMode |= unix.S_ISUID
+	}
+	if mode&os.ModeSetgid != 0 {
+		sysMode |= unix.S_ISGID
+	}
+	if mode&os.ModeSticky != 0 {
+		sysMode |= unix.S_ISVTX
+	}
+	return sysMode, nil
+}
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/CHANGELOG.md b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/CHANGELOG.md
index 1799c6ef22..47d2b85fa8 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/CHANGELOG.md
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/CHANGELOG.md
@@ -1,5 +1,16 @@
 # Release History
 
+## 1.20.0 (2025-11-06)
+
+### Features Added
+
+* Added `runtime.FetcherForNextLinkOptions.HTTPVerb` to specify the HTTP verb when fetching the next page via next link. Defaults to `http.MethodGet`.
+
+### Bugs Fixed
+
+* Fixed potential panic when decoding base64 strings.
+* Fixed an issue in resource identifier parsing which prevented it from returning an error for malformed resource IDs.
+
 ## 1.19.1 (2025-09-11)
 
 ### Bugs Fixed
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/arm/internal/resource/resource_identifier.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/arm/internal/resource/resource_identifier.go
index b8348b7d82..8a40ebe4d2 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/arm/internal/resource/resource_identifier.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/arm/internal/resource/resource_identifier.go
@@ -217,6 +217,7 @@ func appendNext(parent *ResourceID, parts []string, id string) (*ResourceID, err
 func splitStringAndOmitEmpty(v, sep string) []string {
 	r := make([]string, 0)
 	for _, s := range strings.Split(v, sep) {
+		s = strings.TrimSpace(s)
 		if len(s) == 0 {
 			continue
 		}
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/exported/exported.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/exported/exported.go
index 460170034a..612af11ac6 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/exported/exported.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/exported/exported.go
@@ -92,7 +92,7 @@ func DecodeByteArray(s string, v *[]byte, format Base64Encoding) error {
 		return nil
 	}
 	payload := string(s)
-	if payload[0] == '"' {
+	if len(payload) >= 2 && payload[0] == '"' && payload[len(payload)-1] == '"' {
 		// remove surrounding quotes
 		payload = payload[1 : len(payload)-1]
 	}
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/shared/constants.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/shared/constants.go
index 8aebe5ce53..f152000913 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/shared/constants.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/shared/constants.go
@@ -40,5 +40,5 @@ const (
 	Module = "azcore"
 
 	// Version is the semantic version (see http://semver.org) of this module.
-	Version = "v1.19.1"
+	Version = "v1.20.0"
 )
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/pager.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/pager.go
index c66fc0a90a..edb4a3cd44 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/pager.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/pager.go
@@ -99,6 +99,11 @@ type FetcherForNextLinkOptions struct {
 	// StatusCodes contains additional HTTP status codes indicating success.
 	// The default value is http.StatusOK.
 	StatusCodes []int
+
+	// HTTPVerb specifies the HTTP verb to use when fetching the next page.
+	// The default value is http.MethodGet.
+	// This field is only used when NextReq is not specified.
+	HTTPVerb string
 }
 
 // FetcherForNextLink is a helper containing boilerplate code to simplify creating a PagingHandler[T].Fetcher from a next link URL.
@@ -119,7 +124,11 @@ func FetcherForNextLink(ctx context.Context, pl Pipeline, nextLink string, first
 		if options.NextReq != nil {
 			req, err = options.NextReq(ctx, nextLink)
 		} else {
-			req, err = NewRequest(ctx, http.MethodGet, nextLink)
+			verb := http.MethodGet
+			if options.HTTPVerb != "" {
+				verb = options.HTTPVerb
+			}
+			req, err = NewRequest(ctx, verb, nextLink)
 		}
 	}
 	if err != nil {
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/CHANGELOG.md b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/CHANGELOG.md
index ab63f9c031..4a6349e167 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/CHANGELOG.md
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/CHANGELOG.md
@@ -1,5 +1,34 @@
 # Release History
 
+## 1.13.1 (2025-11-10)
+
+### Bugs Fixed
+
+- `AzureCLICredential` quoted arguments incorrectly on Windows
+
+## 1.13.0 (2025-10-07)
+
+### Features Added
+
+- Added `AzurePowerShellCredential`, which authenticates as the identity logged in to Azure PowerShell
+  (thanks [ArmaanMcleod](https://github.com/ArmaanMcleod))
+- When `AZURE_TOKEN_CREDENTIALS` is set to `ManagedIdentityCredential`, `DefaultAzureCredential` behaves the same as
+  does `ManagedIdentityCredential` when used directly. It doesn't apply special retry configuration or attempt to
+  determine whether IMDS is available. ([#25265](https://github.com/Azure/azure-sdk-for-go/issues/25265))
+
+### Breaking Changes
+
+* Removed the `WorkloadIdentityCredential` support for identity binding mode added in v1.13.0-beta.1.
+  It will return in v1.14.0-beta.1
+
+## 1.13.0-beta.1 (2025-09-17)
+
+### Features Added
+
+- Added `AzurePowerShellCredential`, which authenticates as the identity logged in to Azure PowerShell
+  (thanks [ArmaanMcleod](https://github.com/ArmaanMcleod))
+- `WorkloadIdentityCredential` supports identity binding mode ([#25056](https://github.com/Azure/azure-sdk-for-go/issues/25056))
+
 ## 1.12.0 (2025-09-16)
 
 ### Features Added
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/README.md b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/README.md
index 069bc688d5..127c25b72c 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/README.md
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/README.md
@@ -1,6 +1,6 @@
 # Azure Identity Client Module for Go
 
-The Azure Identity module provides Microsoft Entra ID ([formerly Azure Active Directory](https://learn.microsoft.com/entra/fundamentals/new-name)) token authentication support across the Azure SDK. It includes a set of `TokenCredential` implementations, which can be used with Azure SDK clients supporting token authentication.
+The Azure Identity module provides [Microsoft Entra ID](https://learn.microsoft.com/entra/fundamentals/whatis) token-based authentication support across the Azure SDK. It includes a set of `TokenCredential` implementations, which can be used with Azure SDK clients supporting token authentication.
 
 [![PkgGoDev](https://pkg.go.dev/badge/github.com/Azure/azure-sdk-for-go/sdk/azidentity)](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity)
 | [Microsoft Entra ID documentation](https://learn.microsoft.com/entra/identity/)
@@ -153,6 +153,7 @@ client := armresources.NewResourceGroupsClient("subscription ID", chain, nil)
 |-|-
 |[AzureCLICredential](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity#AzureCLICredential)|Authenticate as the user signed in to the Azure CLI
 |[AzureDeveloperCLICredential](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity#AzureDeveloperCLICredential)|Authenticates as the user signed in to the Azure Developer CLI
+|[AzurePowerShellCredential](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity#AzurePowerShellCredential)|Authenticates as the user signed in to Azure PowerShell
 
 ## Environment Variables
 
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/TOKEN_CACHING.MD b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/TOKEN_CACHING.MD
index da2094e36b..8bdaf81651 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/TOKEN_CACHING.MD
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/TOKEN_CACHING.MD
@@ -40,6 +40,7 @@ The following table indicates the state of in-memory and persistent caching in e
 | ------------------------------ | ------------------------------------------------------------------- | ------------------------ |
 | `AzureCLICredential`           | Not Supported                                                       | Not Supported            |
 | `AzureDeveloperCLICredential`  | Not Supported                                                       | Not Supported            |
+| `AzurePowerShellCredential`    | Not Supported                                                       | Not Supported            |
 | `AzurePipelinesCredential`     | Supported                                                           | Supported                |
 | `ClientAssertionCredential`    | Supported                                                           | Supported                |
 | `ClientCertificateCredential`  | Supported                                                           | Supported                |
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/TROUBLESHOOTING.md b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/TROUBLESHOOTING.md
index 838601d69c..517006a424 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/TROUBLESHOOTING.md
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/TROUBLESHOOTING.md
@@ -12,6 +12,7 @@ This troubleshooting guide covers failure investigation techniques, common error
 - [Troubleshoot AzureCLICredential authentication issues](#troubleshoot-azureclicredential-authentication-issues)
 - [Troubleshoot AzureDeveloperCLICredential authentication issues](#troubleshoot-azuredeveloperclicredential-authentication-issues)
 - [Troubleshoot AzurePipelinesCredential authentication issues](#troubleshoot-azurepipelinescredential-authentication-issues)
+- [Troubleshoot AzurePowerShellCredential authentication issues](#troubleshoot-azurepowershellcredential-authentication-issues)
 - [Troubleshoot ClientCertificateCredential authentication issues](#troubleshoot-clientcertificatecredential-authentication-issues)
 - [Troubleshoot ClientSecretCredential authentication issues](#troubleshoot-clientsecretcredential-authentication-issues)
 - [Troubleshoot DefaultAzureCredential authentication issues](#troubleshoot-defaultazurecredential-authentication-issues)
@@ -205,6 +206,34 @@ azd auth token --output json --scope https://management.core.windows.net/.defaul
 ```
 >Note that output of this command will contain a valid access token, and SHOULD NOT BE SHARED to avoid compromising account security.
 
+
+## Troubleshoot `AzurePowerShellCredential` authentication issues
+
+| Error Message |Description| Mitigation |
+|---|---|---|
+|executable not found on path|No local installation of PowerShell was found.|Ensure that PowerShell is properly installed on the machine. Instructions for installing PowerShell can be found [here](https://learn.microsoft.com/powershell/scripting/install/installing-powershell).|
+|Az.Accounts module not found|The Az.Account module needed for authentication in Azure PowerShell isn't installed.|Install the latest Az.Account module. Installation instructions can be found [here](https://learn.microsoft.com/powershell/azure/install-az-ps).|
+|Please run "Connect-AzAccount" to set up account.|No account is currently logged into Azure PowerShell.|
  • Log in to Azure PowerShell using the `Connect-AzAccount` command. More instructions for authenticating Azure PowerShell can be found at [Sign in with Azure PowerShell](https://learn.microsoft.com/powershell/azure/authenticate-azureps).
  • Validate that Azure PowerShell can obtain tokens. For instructions, see [Verify Azure PowerShell can obtain tokens](#verify-azure-powershell-can-obtain-tokens).
|
+
+#### __Verify Azure PowerShell can obtain tokens__
+
+You can manually verify that Azure PowerShell is authenticated and can obtain tokens. First, use the `Get-AzContext` command to verify the account that is currently logged in to Azure PowerShell.
+
+```
+PS C:\> Get-AzContext
+
+Name                                     Account             SubscriptionName    Environment         TenantId
+----                                     -------             ----------------    -----------         --------
+Subscription1 (xxxxxxxx-xxxx-xxxx-xxx... test@outlook.com    Subscription1       AzureCloud          xxxxxxxx-x...
+```
+
+Once you've verified Azure PowerShell is using correct account, validate that it's able to obtain tokens for this account:
+
+```bash
+Get-AzAccessToken -ResourceUrl "https://management.core.windows.net"
+```
+>Note that output of this command will contain a valid access token, and SHOULD NOT BE SHARED to avoid compromising account security.
+
 
 ## Troubleshoot `WorkloadIdentityCredential` authentication issues
 
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/azure_powershell_credential.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/azure_powershell_credential.go
new file mode 100644
index 0000000000..0829655545
--- /dev/null
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/azure_powershell_credential.go
@@ -0,0 +1,234 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+package azidentity
+
+import (
+	"context"
+	"encoding/base64"
+	"encoding/binary"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"os/exec"
+	"runtime"
+	"strings"
+	"sync"
+	"time"
+	"unicode/utf16"
+
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
+	"github.com/Azure/azure-sdk-for-go/sdk/internal/log"
+)
+
+const (
+	credNameAzurePowerShell = "AzurePowerShellCredential"
+	noAzAccountModule       = "Az.Accounts module not found"
+)
+
+// AzurePowerShellCredentialOptions contains optional parameters for AzurePowerShellCredential.
+type AzurePowerShellCredentialOptions struct {
+	// AdditionallyAllowedTenants specifies tenants to which the credential may authenticate, in addition to
+	// TenantID. When TenantID is empty, this option has no effect and the credential will authenticate to
+	// any requested tenant. Add the wildcard value "*" to allow the credential to authenticate to any tenant.
+	AdditionallyAllowedTenants []string
+
+	// TenantID identifies the tenant the credential should authenticate in.
+	// Defaults to Azure PowerShell's default tenant, which is typically the home tenant of the logged in user.
+	TenantID string
+
+	// inDefaultChain is true when the credential is part of DefaultAzureCredential
+	inDefaultChain bool
+
+	// exec is used by tests to fake invoking Azure PowerShell
+	exec executor
+}
+
+// AzurePowerShellCredential authenticates as the identity logged in to Azure PowerShell.
+type AzurePowerShellCredential struct {
+	mu   *sync.Mutex
+	opts AzurePowerShellCredentialOptions
+}
+
+// NewAzurePowerShellCredential constructs an AzurePowerShellCredential. Pass nil to accept default options.
+func NewAzurePowerShellCredential(options *AzurePowerShellCredentialOptions) (*AzurePowerShellCredential, error) {
+	cp := AzurePowerShellCredentialOptions{}
+
+	if options != nil {
+		cp = *options
+	}
+
+	if cp.TenantID != "" && !validTenantID(cp.TenantID) {
+		return nil, errInvalidTenantID
+	}
+
+	if cp.exec == nil {
+		cp.exec = shellExec
+	}
+
+	cp.AdditionallyAllowedTenants = resolveAdditionalTenants(cp.AdditionallyAllowedTenants)
+
+	return &AzurePowerShellCredential{mu: &sync.Mutex{}, opts: cp}, nil
+}
+
+// GetToken requests a token from Azure PowerShell. This credential doesn't cache tokens, so every call invokes Azure PowerShell.
+// This method is called automatically by Azure SDK clients.
+func (c *AzurePowerShellCredential) GetToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
+	at := azcore.AccessToken{}
+
+	if len(opts.Scopes) != 1 {
+		return at, errors.New(credNameAzurePowerShell + ": GetToken() requires exactly one scope")
+	}
+
+	if !validScope(opts.Scopes[0]) {
+		return at, fmt.Errorf("%s.GetToken(): invalid scope %q", credNameAzurePowerShell, opts.Scopes[0])
+	}
+
+	tenant, err := resolveTenant(c.opts.TenantID, opts.TenantID, credNameAzurePowerShell, c.opts.AdditionallyAllowedTenants)
+	if err != nil {
+		return at, err
+	}
+
+	// Always pass a Microsoft Entra ID v1 resource URI (not a v2 scope) because Get-AzAccessToken only supports v1 resource URIs.
+	resource := strings.TrimSuffix(opts.Scopes[0], defaultSuffix)
+
+	tenantArg := ""
+	if tenant != "" {
+		tenantArg = fmt.Sprintf(" -TenantId '%s'", tenant)
+	}
+
+	if opts.Claims != "" {
+		encoded := base64.StdEncoding.EncodeToString([]byte(opts.Claims))
+		return at, fmt.Errorf(
+			"%s.GetToken(): Azure PowerShell requires multifactor authentication or additional claims. Run this command then retry the operation: Connect-AzAccount%s -ClaimsChallenge '%s'",
+			credNameAzurePowerShell,
+			tenantArg,
+			encoded,
+		)
+	}
+
+	// Inline script to handle Get-AzAccessToken differences between Az.Accounts versions with SecureString handling and minimum version requirement
+	script := fmt.Sprintf(`
+$ErrorActionPreference = 'Stop'
+[version]$minimumVersion = '2.2.0'
+
+$mod = Import-Module Az.Accounts -MinimumVersion $minimumVersion -PassThru -ErrorAction SilentlyContinue
+
+if (-not $mod) {
+    Write-Error '%s'
+}
+
+$params = @{
+    ResourceUrl   = '%s'
+	WarningAction = 'Ignore'
+}
+
+# Only force AsSecureString for Az.Accounts versions > 2.17.0 and < 5.0.0 which return plain text token by default.
+# Newer Az.Accounts versions return SecureString token by default and no longer use AsSecureString parameter.
+if ($mod.Version -ge [version]'2.17.0' -and $mod.Version -lt [version]'5.0.0') {
+    $params['AsSecureString'] = $true
+}
+
+$tenantId = '%s'
+if ($tenantId.Length -gt 0) {
+    $params['TenantId'] = '%s'
+}
+
+$token = Get-AzAccessToken @params
+
+$customToken = New-Object -TypeName psobject
+
+# The following .NET interop pattern is supported in all PowerShell versions and safely converts SecureString to plain text.
+if ($token.Token -is [System.Security.SecureString]) {
+    $ssPtr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($token.Token)
+    try {
+        $plainToken = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($ssPtr)
+    } finally {
+        [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($ssPtr)
+    }
+    $customToken | Add-Member -MemberType NoteProperty -Name Token -Value $plainToken
+} else {
+    $customToken | Add-Member -MemberType NoteProperty -Name Token -Value $token.Token
+}
+$customToken | Add-Member -MemberType NoteProperty -Name ExpiresOn -Value $token.ExpiresOn.ToUnixTimeSeconds()
+
+$jsonToken = $customToken | ConvertTo-Json
+return $jsonToken
+`, noAzAccountModule, resource, tenant, tenant)
+
+	// Windows: prefer pwsh.exe (PowerShell Core), fallback to powershell.exe (Windows PowerShell)
+	// Unix: only support pwsh (PowerShell Core)
+	exe := "pwsh"
+	if runtime.GOOS == "windows" {
+		if _, err := exec.LookPath("pwsh.exe"); err == nil {
+			exe = "pwsh.exe"
+		} else {
+			exe = "powershell.exe"
+		}
+	}
+
+	command := exe + " -NoProfile -NonInteractive -OutputFormat Text -EncodedCommand " + base64EncodeUTF16LE(script)
+
+	c.mu.Lock()
+	defer c.mu.Unlock()
+
+	b, err := c.opts.exec(ctx, credNameAzurePowerShell, command)
+	if err == nil {
+		at, err = c.createAccessToken(b)
+	}
+
+	if err != nil {
+		err = unavailableIfInDAC(err, c.opts.inDefaultChain)
+		return at, err
+	}
+
+	msg := fmt.Sprintf("%s.GetToken() acquired a token for scope %q", credNameAzurePowerShell, strings.Join(opts.Scopes, ", "))
+	log.Write(EventAuthentication, msg)
+
+	return at, nil
+}
+
+func (c *AzurePowerShellCredential) createAccessToken(tk []byte) (azcore.AccessToken, error) {
+	t := struct {
+		Token     string `json:"Token"`
+		ExpiresOn int64  `json:"ExpiresOn"`
+	}{}
+
+	err := json.Unmarshal(tk, &t)
+	if err != nil {
+		return azcore.AccessToken{}, err
+	}
+
+	converted := azcore.AccessToken{
+		Token:     t.Token,
+		ExpiresOn: time.Unix(t.ExpiresOn, 0).UTC(),
+	}
+
+	return converted, nil
+}
+
+// Encodes a string to Base64 using UTF-16LE encoding
+func base64EncodeUTF16LE(text string) string {
+	u16 := utf16.Encode([]rune(text))
+	buf := make([]byte, len(u16)*2)
+	for i, v := range u16 {
+		binary.LittleEndian.PutUint16(buf[i*2:], v)
+	}
+	return base64.StdEncoding.EncodeToString(buf)
+}
+
+// Decodes a Base64 UTF-16LE string back to string
+func base64DecodeUTF16LE(encoded string) (string, error) {
+	data, err := base64.StdEncoding.DecodeString(encoded)
+	if err != nil {
+		return "", err
+	}
+	u16 := make([]uint16, len(data)/2)
+	for i := range u16 {
+		u16[i] = binary.LittleEndian.Uint16(data[i*2:])
+	}
+	return string(utf16.Decode(u16)), nil
+}
+
+var _ azcore.TokenCredential = (*AzurePowerShellCredential)(nil)
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/default_azure_credential.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/default_azure_credential.go
index c041a52dbb..aaaabc5c2f 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/default_azure_credential.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/default_azure_credential.go
@@ -26,6 +26,7 @@ const (
 	managedIdentity
 	az
 	azd
+	azurePowerShell
 )
 
 // DefaultAzureCredentialOptions contains optional parameters for DefaultAzureCredential.
@@ -71,6 +72,7 @@ type DefaultAzureCredentialOptions struct {
 //   - [ManagedIdentityCredential]
 //   - [AzureCLICredential]
 //   - [AzureDeveloperCLICredential]
+//   - [AzurePowerShellCredential]
 //
 // Consult the documentation for these credential types for more information on how they authenticate.
 // Once a credential has successfully authenticated, DefaultAzureCredential will use that credential for
@@ -83,7 +85,7 @@ type DefaultAzureCredentialOptions struct {
 // Valid values for AZURE_TOKEN_CREDENTIALS are the name of any single type in the above chain, for example
 // "EnvironmentCredential" or "AzureCLICredential", and these special values:
 //
-//   - "dev": try [AzureCLICredential] and [AzureDeveloperCLICredential], in that order
+//   - "dev": try [AzureCLICredential], [AzureDeveloperCLICredential], and [AzurePowerShellCredential], in that order
 //   - "prod": try [EnvironmentCredential], [WorkloadIdentityCredential], and [ManagedIdentityCredential], in that order
 //
 // [DefaultAzureCredentialOptions].RequireAzureTokenCredentials controls whether AZURE_TOKEN_CREDENTIALS must be set.
@@ -104,13 +106,13 @@ func NewDefaultAzureCredential(options *DefaultAzureCredentialOptions) (*Default
 	var (
 		creds         []azcore.TokenCredential
 		errorMessages []string
-		selected      = env | workloadIdentity | managedIdentity | az | azd
+		selected      = env | workloadIdentity | managedIdentity | az | azd | azurePowerShell
 	)
 
 	if atc, ok := os.LookupEnv(azureTokenCredentials); ok {
 		switch {
 		case atc == "dev":
-			selected = az | azd
+			selected = az | azd | azurePowerShell
 		case atc == "prod":
 			selected = env | workloadIdentity | managedIdentity
 		case strings.EqualFold(atc, credNameEnvironment):
@@ -123,6 +125,8 @@ func NewDefaultAzureCredential(options *DefaultAzureCredentialOptions) (*Default
 			selected = az
 		case strings.EqualFold(atc, credNameAzureDeveloperCLI):
 			selected = azd
+		case strings.EqualFold(atc, credNameAzurePowerShell):
+			selected = azurePowerShell
 		default:
 			return nil, fmt.Errorf(`invalid %s value %q. Valid values are "dev", "prod", or the name of any credential type in the default chain. See https://aka.ms/azsdk/go/identity/docs#DefaultAzureCredential for more information`, azureTokenCredentials, atc)
 		}
@@ -164,7 +168,11 @@ func NewDefaultAzureCredential(options *DefaultAzureCredentialOptions) (*Default
 		}
 	}
 	if selected&managedIdentity != 0 {
-		o := &ManagedIdentityCredentialOptions{ClientOptions: options.ClientOptions, dac: true}
+		o := &ManagedIdentityCredentialOptions{
+			ClientOptions: options.ClientOptions,
+			// enable special DefaultAzureCredential behavior (IMDS probing) only when the chain contains another credential
+			dac: selected^managedIdentity != 0,
+		}
 		if ID, ok := os.LookupEnv(azureClientID); ok {
 			o.ID = ClientID(ID)
 		}
@@ -202,6 +210,19 @@ func NewDefaultAzureCredential(options *DefaultAzureCredentialOptions) (*Default
 			creds = append(creds, &defaultCredentialErrorReporter{credType: credNameAzureDeveloperCLI, err: err})
 		}
 	}
+	if selected&azurePowerShell != 0 {
+		azurePowerShellCred, err := NewAzurePowerShellCredential(&AzurePowerShellCredentialOptions{
+			AdditionallyAllowedTenants: additionalTenants,
+			TenantID:                   options.TenantID,
+			inDefaultChain:             true,
+		})
+		if err == nil {
+			creds = append(creds, azurePowerShellCred)
+		} else {
+			errorMessages = append(errorMessages, credNameAzurePowerShell+": "+err.Error())
+			creds = append(creds, &defaultCredentialErrorReporter{credType: credNameAzurePowerShell, err: err})
+		}
+	}
 
 	if len(errorMessages) > 0 {
 		log.Writef(EventAuthentication, "NewDefaultAzureCredential failed to initialize some credentials:\n\t%s", strings.Join(errorMessages, "\n\t"))
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/developer_credential_util.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/developer_credential_util.go
index 14f8a03126..cb7dbe2e4b 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/developer_credential_util.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/developer_credential_util.go
@@ -12,7 +12,6 @@ import (
 	"errors"
 	"os"
 	"os/exec"
-	"runtime"
 	"strings"
 	"time"
 )
@@ -30,17 +29,9 @@ var shellExec = func(ctx context.Context, credName, command string) ([]byte, err
 		ctx, cancel = context.WithTimeout(ctx, cliTimeout)
 		defer cancel()
 	}
-	var cmd *exec.Cmd
-	if runtime.GOOS == "windows" {
-		dir := os.Getenv("SYSTEMROOT")
-		if dir == "" {
-			return nil, newCredentialUnavailableError(credName, `environment variable "SYSTEMROOT" has no value`)
-		}
-		cmd = exec.CommandContext(ctx, "cmd.exe", "/c", command)
-		cmd.Dir = dir
-	} else {
-		cmd = exec.CommandContext(ctx, "/bin/sh", "-c", command)
-		cmd.Dir = "/bin"
+	cmd, err := buildCmd(ctx, credName, command)
+	if err != nil {
+		return nil, err
 	}
 	cmd.Env = os.Environ()
 	stderr := bytes.Buffer{}
@@ -57,7 +48,15 @@ var shellExec = func(ctx context.Context, credName, command string) ([]byte, err
 		msg := stderr.String()
 		var exErr *exec.ExitError
 		if errors.As(err, &exErr) && exErr.ExitCode() == 127 || strings.Contains(msg, "' is not recognized") {
-			return nil, newCredentialUnavailableError(credName, "CLI executable not found on path")
+			return nil, newCredentialUnavailableError(credName, "executable not found on path")
+		}
+		if credName == credNameAzurePowerShell {
+			if strings.Contains(msg, "Connect-AzAccount") {
+				msg = `Please run "Connect-AzAccount" to set up an account`
+			}
+			if strings.Contains(msg, noAzAccountModule) {
+				msg = noAzAccountModule
+			}
 		}
 		if msg == "" {
 			msg = err.Error()
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/developer_credential_util_nonwindows.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/developer_credential_util_nonwindows.go
new file mode 100644
index 0000000000..681fcd0cf9
--- /dev/null
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/developer_credential_util_nonwindows.go
@@ -0,0 +1,17 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+//go:build !windows
+
+package azidentity
+
+import (
+	"context"
+	"os/exec"
+)
+
+func buildCmd(ctx context.Context, _, command string) (*exec.Cmd, error) {
+	cmd := exec.CommandContext(ctx, "/bin/sh", "-c", command)
+	cmd.Dir = "/bin"
+	return cmd, nil
+}
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/developer_credential_util_windows.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/developer_credential_util_windows.go
new file mode 100644
index 0000000000..09c7a1a977
--- /dev/null
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/developer_credential_util_windows.go
@@ -0,0 +1,22 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+package azidentity
+
+import (
+	"context"
+	"os"
+	"os/exec"
+	"syscall"
+)
+
+func buildCmd(ctx context.Context, credName, command string) (*exec.Cmd, error) {
+	dir := os.Getenv("SYSTEMROOT")
+	if dir == "" {
+		return nil, newCredentialUnavailableError(credName, `environment variable "SYSTEMROOT" has no value`)
+	}
+	cmd := exec.CommandContext(ctx, "cmd.exe")
+	cmd.Dir = dir
+	cmd.SysProcAttr = &syscall.SysProcAttr{CmdLine: "/c " + command}
+	return cmd, nil
+}
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/errors.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/errors.go
index a6d7c6cbc7..33cb63be09 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/errors.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/errors.go
@@ -99,6 +99,8 @@ func (e *AuthenticationFailedError) Error() string {
 		anchor = "apc"
 	case credNameCert:
 		anchor = "client-cert"
+	case credNameAzurePowerShell:
+		anchor = "azure-pwsh"
 	case credNameSecret:
 		anchor = "client-secret"
 	case credNameManagedIdentity:
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/version.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/version.go
index 4c88605366..041f11658d 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/version.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/version.go
@@ -14,5 +14,5 @@ const (
 	module = "github.com/Azure/azure-sdk-for-go/sdk/" + component
 
 	// Version is the semantic version (see http://semver.org) of this module.
-	version = "v1.12.0"
+	version = "v1.13.1"
 )
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/directory/client.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/directory/client.go
index d71e039463..a4e7ea2334 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/directory/client.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/directory/client.go
@@ -1,6 +1,3 @@
-//go:build go1.18
-// +build go1.18
-
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License. See License.txt in the project root for license information.
 
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/directory/constants.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/directory/constants.go
index 0f4f3e9b4e..724174f072 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/directory/constants.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/directory/constants.go
@@ -1,6 +1,3 @@
-//go:build go1.18
-// +build go1.18
-
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License. See License.txt in the project root for license information.
 
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/directory/models.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/directory/models.go
index 990fbe64d2..97ea566d85 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/directory/models.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/directory/models.go
@@ -1,6 +1,3 @@
-//go:build go1.18
-// +build go1.18
-
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License. See License.txt in the project root for license information.
 
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/directory/responses.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/directory/responses.go
index 92bc742323..9db3d8608d 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/directory/responses.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/directory/responses.go
@@ -1,6 +1,3 @@
-//go:build go1.18
-// +build go1.18
-
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License. See License.txt in the project root for license information.
 
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/file/chunkwriting.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/file/chunkwriting.go
index 21070c19bc..c135362930 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/file/chunkwriting.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/file/chunkwriting.go
@@ -1,6 +1,3 @@
-//go:build go1.18
-// +build go1.18
-
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License. See License.txt in the project root for license information.
 
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/file/client.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/file/client.go
index 5823037852..a4bd9b4834 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/file/client.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/file/client.go
@@ -1,6 +1,3 @@
-//go:build go1.18
-// +build go1.18
-
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License. See License.txt in the project root for license information.
 
@@ -267,7 +264,7 @@ func (f *Client) UploadRange(ctx context.Context, offset int64, body io.ReadSeek
 		return UploadRangeResponse{}, err
 	}
 
-	resp, err := f.generated().UploadRange(ctx, rangeParam, RangeWriteTypeUpdate, contentLength, body, uploadRangeOptions, leaseAccessConditions)
+	resp, err := f.generated().UploadRange(ctx, rangeParam, RangeWriteTypeUpdate, contentLength, uploadRangeOptions, leaseAccessConditions)
 	return resp, err
 }
 
@@ -281,7 +278,7 @@ func (f *Client) ClearRange(ctx context.Context, contentRange HTTPRange, options
 		return ClearRangeResponse{}, err
 	}
 
-	resp, err := f.generated().UploadRange(ctx, rangeParam, RangeWriteTypeClear, 0, nil, nil, leaseAccessConditions)
+	resp, err := f.generated().UploadRange(ctx, rangeParam, RangeWriteTypeClear, 0, nil, leaseAccessConditions)
 	return resp, err
 }
 
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/file/constants.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/file/constants.go
index c6e612686c..e11533b750 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/file/constants.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/file/constants.go
@@ -1,6 +1,3 @@
-//go:build go1.18
-// +build go1.18
-
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License. See License.txt in the project root for license information.
 
@@ -97,6 +94,14 @@ const (
 	FilePermissionFormatSddl   PermissionFormat = generated.FilePermissionFormatSddl
 )
 
+// PropertySemantics has two values - New and Restore, SMB only
+type PropertySemantics = generated.FilePropertySemantics
+
+const (
+	FilePropertySemanticsNew     PropertySemantics = "New"
+	FilePropertySemanticsRestore PropertySemantics = "Restore"
+)
+
 // PossibleFilePermissionFormatValues returns the possible values for the FilePermissionFormat const type.
 func PossibleFilePermissionFormatValues() []PermissionFormat {
 	return generated.PossibleFilePermissionFormatValues()
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/file/mmf_unix.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/file/mmf_unix.go
index 4c8ed223db..8d0be97f2e 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/file/mmf_unix.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/file/mmf_unix.go
@@ -1,6 +1,4 @@
-//go:build go1.18 && (linux || darwin || dragonfly || freebsd || openbsd || netbsd || solaris || aix)
-// +build go1.18
-// +build linux darwin dragonfly freebsd openbsd netbsd solaris aix
+//go:build linux || darwin || dragonfly || freebsd || openbsd || netbsd || solaris || aix
 
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License. See License.txt in the project root for license information.
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/file/mmf_windows.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/file/mmf_windows.go
index b59e6b4157..dd136c88fc 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/file/mmf_windows.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/file/mmf_windows.go
@@ -1,6 +1,3 @@
-//go:build go1.18
-// +build go1.18
-
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License. See License.txt in the project root for license information.
 
@@ -9,7 +6,6 @@ package file
 import (
 	"fmt"
 	"os"
-	"reflect"
 	"syscall"
 	"unsafe"
 )
@@ -34,12 +30,8 @@ func newMMB(size int64) (mmb, error) {
 	if err != nil {
 		return nil, os.NewSyscallError("MapViewOfFile", err)
 	}
-
-	m := mmb{}
-	h := (*reflect.SliceHeader)(unsafe.Pointer(&m))
-	h.Data = addr
-	h.Len = int(size)
-	h.Cap = h.Len
+	//nolint:govet // unsafeptr: addr is a stable pointer from MapViewOfFile
+	m := unsafe.Slice((*byte)(unsafe.Pointer(addr)), int(size))
 	return m, nil
 }
 
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/file/models.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/file/models.go
index 6be00dbba9..0c5e8ff9d3 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/file/models.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/file/models.go
@@ -1,6 +1,3 @@
-//go:build go1.18
-// +build go1.18
-
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License. See License.txt in the project root for license information.
 
@@ -90,6 +87,11 @@ type CreateOptions struct {
 	LeaseAccessConditions *LeaseAccessConditions
 	// A name-value pair to associate with a file storage object.
 	Metadata map[string]*string
+	// SMB only, default value is New. Restore will apply changes without further modification.
+	FilePropertySemantics *PropertySemantics
+	OptionalBody          io.ReadSeekCloser
+	ContentLength         *int64
+	ContentMD5            []byte
 }
 
 func (o *CreateOptions) format() (*generated.FileClientCreateOptions, *generated.ShareFileHTTPHeaders, *LeaseAccessConditions) {
@@ -123,6 +125,7 @@ func (o *CreateOptions) format() (*generated.FileClientCreateOptions, *generated
 			FilePermission:    permission,
 			FilePermissionKey: permissionKey,
 			Metadata:          o.Metadata,
+			Optionalbody:      o.OptionalBody,
 		}
 		// Refer the documentation for details - https://learn.microsoft.com/en-us/rest/api/storageservices/create-file#smb-only-request-headers
 		if permissionKey != nil {
@@ -135,6 +138,12 @@ func (o *CreateOptions) format() (*generated.FileClientCreateOptions, *generated
 				createOptions.FilePermissionFormat = to.Ptr(FilePermissionFormatSddl) // optional, default
 			}
 		}
+		if o.FilePropertySemantics != nil {
+			createOptions.FilePropertySemantics = o.FilePropertySemantics
+		}
+		if len(o.ContentMD5) > 0 {
+			createOptions.ContentMD5 = o.ContentMD5
+		}
 	}
 	return createOptions, o.HTTPHeaders, o.LeaseAccessConditions
 }
@@ -673,7 +682,9 @@ func (o *UploadRangeOptions) format(offset int64, body io.ReadSeekCloser) (strin
 	}
 
 	var leaseAccessConditions *LeaseAccessConditions
-	uploadRangeOptions := &generated.FileClientUploadRangeOptions{}
+	uploadRangeOptions := &generated.FileClientUploadRangeOptions{
+		Optionalbody: body,
+	}
 
 	if o != nil {
 		leaseAccessConditions = o.LeaseAccessConditions
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/file/responses.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/file/responses.go
index 16a2cbdf44..230ad66c7c 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/file/responses.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/file/responses.go
@@ -1,6 +1,3 @@
-//go:build go1.18
-// +build go1.18
-
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License. See License.txt in the project root for license information.
 
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/file/retry_reader.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/file/retry_reader.go
index 5e6d257c93..066a320842 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/file/retry_reader.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/file/retry_reader.go
@@ -1,6 +1,3 @@
-//go:build go1.18
-// +build go1.18
-
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License. See License.txt in the project root for license information.
 
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/fileerror/error_codes.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/fileerror/error_codes.go
index 43898d8123..769e442480 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/fileerror/error_codes.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/fileerror/error_codes.go
@@ -1,6 +1,3 @@
-//go:build go1.18
-// +build go1.18
-
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License. See License.txt in the project root for license information.
 
@@ -103,6 +100,7 @@ const (
 	FileOAuthManagementAPIRestrictedToSRP Code = "FileOAuthManagementApiRestrictedToSrp"
 )
 
+// nolint:staticcheck // ST1012: Renaming would be a breaking change, so suppressing linter warning.
 var (
 	// MissingSharedKeyCredential - Error is returned when SAS URL is being created without SharedKeyCredential.
 	MissingSharedKeyCredential = errors.New("SAS can only be signed with a SharedKeyCredential")
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/base/clients.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/base/clients.go
index e39baf0060..09d5ac1403 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/base/clients.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/base/clients.go
@@ -1,6 +1,3 @@
-//go:build go1.18
-// +build go1.18
-
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License. See License.txt in the project root for license information.
 
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/exported/access_policy.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/exported/access_policy.go
index d9c95db282..6dcd34673c 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/exported/access_policy.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/exported/access_policy.go
@@ -1,6 +1,3 @@
-//go:build go1.18
-// +build go1.18
-
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License. See License.txt in the project root for license information.
 
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/exported/copy_file_nfs_property.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/exported/copy_file_nfs_property.go
index de97fe32c1..35d791f23d 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/exported/copy_file_nfs_property.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/exported/copy_file_nfs_property.go
@@ -1,6 +1,3 @@
-//go:build go1.18
-// +build go1.18
-
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License. See License.txt in the project root for license information.
 
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/exported/copy_file_smb_options.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/exported/copy_file_smb_options.go
index 4dc9d91d95..a77d7a7e2a 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/exported/copy_file_smb_options.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/exported/copy_file_smb_options.go
@@ -1,6 +1,3 @@
-//go:build go1.18
-// +build go1.18
-
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License. See License.txt in the project root for license information.
 
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/exported/exported.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/exported/exported.go
index d0355727c9..5f298987cd 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/exported/exported.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/exported/exported.go
@@ -1,6 +1,3 @@
-//go:build go1.18
-// +build go1.18
-
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License. See License.txt in the project root for license information.
 
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/exported/file_permissions.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/exported/file_permissions.go
index 6ba95bb67b..5d33d5c1c4 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/exported/file_permissions.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/exported/file_permissions.go
@@ -1,6 +1,3 @@
-//go:build go1.18
-// +build go1.18
-
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License. See License.txt in the project root for license information.
 
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/exported/log_events.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/exported/log_events.go
index d33528ea8e..71960ca980 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/exported/log_events.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/exported/log_events.go
@@ -1,6 +1,3 @@
-//go:build go1.18
-// +build go1.18
-
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License. See License.txt in the project root for license information.
 
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/exported/nfs_property.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/exported/nfs_property.go
index 1fc0e87b64..803528ca4a 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/exported/nfs_property.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/exported/nfs_property.go
@@ -1,6 +1,3 @@
-//go:build go1.18
-// +build go1.18
-
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License. See License.txt in the project root for license information.
 
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/exported/shared_key_credential.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/exported/shared_key_credential.go
index 408b6d653b..f26db0d6a3 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/exported/shared_key_credential.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/exported/shared_key_credential.go
@@ -1,6 +1,3 @@
-//go:build go1.18
-// +build go1.18
-
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License. See License.txt in the project root for license information.
 
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/exported/smb_property.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/exported/smb_property.go
index 07752c79d3..df1822eb38 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/exported/smb_property.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/exported/smb_property.go
@@ -1,6 +1,3 @@
-//go:build go1.18
-// +build go1.18
-
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License. See License.txt in the project root for license information.
 
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/exported/transfer_validation_option.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/exported/transfer_validation_option.go
index ae8df1ea0d..e2ee813c18 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/exported/transfer_validation_option.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/exported/transfer_validation_option.go
@@ -1,6 +1,3 @@
-//go:build go1.18
-// +build go1.18
-
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License. See License.txt in the project root for license information.
 
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/exported/user_delegation_credential.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/exported/user_delegation_credential.go
new file mode 100644
index 0000000000..49ef7cf185
--- /dev/null
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/exported/user_delegation_credential.go
@@ -0,0 +1,61 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+package exported
+
+import (
+	"crypto/hmac"
+	"crypto/sha256"
+	"encoding/base64"
+	"github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/generated"
+)
+
+// NewUserDelegationCredential creates a new UserDelegationCredential using a Storage account's Name and a user delegation Key from it
+func NewUserDelegationCredential(accountName string, udk UserDelegationKey) *UserDelegationCredential {
+	return &UserDelegationCredential{
+		accountName:       accountName,
+		userDelegationKey: udk,
+	}
+}
+
+// UserDelegationKey contains UserDelegationKey.
+type UserDelegationKey = generated.UserDelegationKey
+
+// UserDelegationCredential contains an account's name and its user delegation key.
+type UserDelegationCredential struct {
+	accountName       string
+	userDelegationKey UserDelegationKey
+}
+
+// getAccountName returns the Storage account's Name
+func (f *UserDelegationCredential) getAccountName() string {
+	return f.accountName
+}
+
+// GetAccountName is a helper method for accessing the user delegation key parameters outside this package.
+func GetAccountName(udc *UserDelegationCredential) string {
+	return udc.getAccountName()
+}
+
+// computeHMACSHA256 generates a hash signature for an HTTP request or for a SAS.
+func (f *UserDelegationCredential) computeHMACSHA256(message string) (string, error) {
+	bytes, _ := base64.StdEncoding.DecodeString(*f.userDelegationKey.Value)
+	h := hmac.New(sha256.New, bytes)
+	_, err := h.Write([]byte(message))
+	return base64.StdEncoding.EncodeToString(h.Sum(nil)), err
+}
+
+// ComputeUDCHMACSHA256 is a helper method for computing the signed string outside this package.
+func ComputeUDCHMACSHA256(udc *UserDelegationCredential, message string) (string, error) {
+	return udc.computeHMACSHA256(message)
+}
+
+// getUDKParams returns UserDelegationKey
+func (f *UserDelegationCredential) getUDKParams() *UserDelegationKey {
+	return &f.userDelegationKey
+}
+
+// GetUDKParams is a helper method for accessing the user delegation key parameters outside this package.
+func GetUDKParams(udc *UserDelegationCredential) *UserDelegationKey {
+	return udc.getUDKParams()
+}
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/exported/version.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/exported/version.go
index eb69aae7f0..744295b17d 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/exported/version.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/exported/version.go
@@ -1,6 +1,3 @@
-//go:build go1.18
-// +build go1.18
-
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License. See License.txt in the project root for license information.
 
@@ -8,5 +5,5 @@ package exported
 
 const (
 	ModuleName    = "github.com/Azure/azure-sdk-for-go/sdk/storage/azfile"
-	ModuleVersion = "v1.5.2"
+	ModuleVersion = "v1.5.4"
 )
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/generated/autorest.md b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/generated/autorest.md
index 6de04b39a8..d2d338474b 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/generated/autorest.md
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/generated/autorest.md
@@ -7,7 +7,7 @@ go: true
 clear-output-folder: false
 version: "^3.0.0"
 license-header: MICROSOFT_MIT_NO_VERSION
-input-file: "https://raw.githubusercontent.com/Azure/azure-rest-api-specs/07c350e6126e53f3a25fe75536c4b3324f91475b/specification/storage/data-plane/Microsoft.FileStorage/stable/2025-11-05/file.json"
+input-file: "https://raw.githubusercontent.com/Azure/azure-rest-api-specs/b6472ffd34d5d4a155101b41b4eb1f356abff600/specification/storage/data-plane/Microsoft.FileStorage/stable/2026-02-06/file.json"
 credential-scope: "https://storage.azure.com/.default"
 output-folder: ../generated
 file-prefix: "zz_"
@@ -19,10 +19,11 @@ modelerfour:
   seal-single-value-enum-by-default: true
   lenient-model-deduplication: true
 export-clients: true
+honor-body-placement: true
 use: "@autorest/go@4.0.0-preview.61"
 ```
 
-### Updating service version to 2025-11-05
+### Updating service version to 2026-02-06
 
 ```yaml
 directive:
@@ -34,9 +35,10 @@ directive:
   where: $
   transform: >-
     return $.
-      replaceAll(`[]string{"2025-07-05"}`, `[]string{ServiceVersion}`);
+      replaceAll(`[]string{"2025-11-05"}`, `[]string{ServiceVersion}`);
 ```
-### Changing casing of NfsFileType
+### Changing casing of NfsFileType, Nfs, ShareNfsSettingsEncryptionInTransit and ShareNfsSettings
+
 ```yaml
 directive:
 - from: 
@@ -45,10 +47,14 @@ directive:
   - zz_response_types.go
   - zz_file_client.go
   - zz_directory_client.go
+  - zz_models.go
   where: $
   transform: >-
     return $.
-      replaceAll(`NfsFileType`, `NFSFileType`);
+      replaceAll(`NfsFileType`, `NFSFileType`).
+      replaceAll(`ShareNfsSettings`, `ShareNFSSettings`).
+      replaceAll(`ShareNfsSettingsEncryptionInTransit`, `ShareNFSSettingsEncryptionInTransit`).
+      replaceAll(`Nfs *`, `NFS *`);
 ```
 
 ### Updating Header Names XMSFileShareSnapshotUsageBytes and XMSFileShareUsageBytes
@@ -188,13 +194,28 @@ directive:
   - zz_file_client.go
   - zz_models.go
   - zz_options.go
+  - zz_share_client.go
+  - zz_response_types.go
   where: $
   transform: >-
     return $.
       replace(/SmbMultichannel/g, `SMBMultichannel`).
       replace(/copyFileSmbInfo/g, `copyFileSMBInfo`).
       replace(/CopyFileSmbInfo/g, `CopyFileSMBInfo`).
-      replace(/Smb\s+\*ShareSMBSettings/g, `SMB *ShareSMBSettings`);
+      replace(/Smb\s+\*ShareSMBSettings/g, `SMB *ShareSMBSettings`).
+      replace(/EnableSmbDirectoryLease/g, `EnableSMBDirectoryLease`); 
+```
+
+### Fixing casing of SignedTid and SignedOid
+
+``` yaml
+directive:
+- from: zz_models.go
+  where: $
+  transform: >-
+    return $.
+      replace(/SignedOid\s+\*string/g, `SignedOID *string`).
+      replace(/SignedTid\s+\*string/g, `SignedTID *string`);
 ```
 
 ### Rename models - remove `Item` and `Internal` suffix
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/generated/build.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/generated/build.go
index 57f112001b..188426a4d3 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/generated/build.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/generated/build.go
@@ -1,6 +1,3 @@
-//go:build go1.18
-// +build go1.18
-
 //go:generate autorest ./autorest.md
 //go:generate gofmt -w .
 
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/generated/constants.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/generated/constants.go
index 858ac83f98..c2c6cad815 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/generated/constants.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/generated/constants.go
@@ -1,9 +1,6 @@
-//go:build go1.18
-// +build go1.18
-
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License. See License.txt in the project root for license information.
 
 package generated
 
-const ServiceVersion = "2025-11-05"
+const ServiceVersion = "2026-02-06"
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/generated/directory_client.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/generated/directory_client.go
index cd81b4db82..d94fbdec2c 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/generated/directory_client.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/generated/directory_client.go
@@ -1,6 +1,3 @@
-//go:build go1.18
-// +build go1.18
-
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License. See License.txt in the project root for license information.
 
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/generated/file_client.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/generated/file_client.go
index e3c415e752..492bcac207 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/generated/file_client.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/generated/file_client.go
@@ -1,6 +1,3 @@
-//go:build go1.18
-// +build go1.18
-
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License. See License.txt in the project root for license information.
 
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/generated/models.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/generated/models.go
index 36a671cc6a..d31a09e7e5 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/generated/models.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/generated/models.go
@@ -1,6 +1,3 @@
-//go:build go1.18
-// +build go1.18
-
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License. See License.txt in the project root for license information.
 
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/generated/service_client.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/generated/service_client.go
index 8c99594b7d..b84e9e1669 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/generated/service_client.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/generated/service_client.go
@@ -1,6 +1,3 @@
-//go:build go1.18
-// +build go1.18
-
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License. See License.txt in the project root for license information.
 
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/generated/share_client.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/generated/share_client.go
index 14f4d5bdef..75e95f4788 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/generated/share_client.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/generated/share_client.go
@@ -1,6 +1,3 @@
-//go:build go1.18
-// +build go1.18
-
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License. See License.txt in the project root for license information.
 
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/generated/zz_constants.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/generated/zz_constants.go
index dd099f8516..8452a8e067 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/generated/zz_constants.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/generated/zz_constants.go
@@ -1,6 +1,3 @@
-//go:build go1.18
-// +build go1.18
-
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License. See License.txt in the project root for license information.
 // Code generated by Microsoft (R) AutoRest Code Generator. DO NOT EDIT.
@@ -90,6 +87,21 @@ func PossibleFilePermissionFormatValues() []FilePermissionFormat {
 	}
 }
 
+type FilePropertySemantics string
+
+const (
+	FilePropertySemanticsNew     FilePropertySemantics = "New"
+	FilePropertySemanticsRestore FilePropertySemantics = "Restore"
+)
+
+// PossibleFilePropertySemanticsValues returns the possible values for the FilePropertySemantics const type.
+func PossibleFilePropertySemanticsValues() []FilePropertySemantics {
+	return []FilePropertySemantics{
+		FilePropertySemanticsNew,
+		FilePropertySemanticsRestore,
+	}
+}
+
 type FileRangeWriteType string
 
 const (
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/generated/zz_directory_client.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/generated/zz_directory_client.go
index 0f5f020959..e789e65236 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/generated/zz_directory_client.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/generated/zz_directory_client.go
@@ -1,6 +1,3 @@
-//go:build go1.18
-// +build go1.18
-
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License. See License.txt in the project root for license information.
 // Code generated by Microsoft (R) AutoRest Code Generator. DO NOT EDIT.
@@ -34,7 +31,7 @@ type DirectoryClient struct {
 // Create - Creates a new directory under the specified share or parent directory.
 // If the operation fails it returns an *azcore.ResponseError type.
 //
-// Generated from API version 2025-11-05
+// Generated from API version 2026-02-06
 //   - options - DirectoryClientCreateOptions contains the optional parameters for the DirectoryClient.Create method.
 func (client *DirectoryClient) Create(ctx context.Context, options *DirectoryClientCreateOptions) (DirectoryClientCreateResponse, error) {
 	var err error
@@ -76,7 +73,7 @@ func (client *DirectoryClient) createCreateRequest(ctx context.Context, options
 			}
 		}
 	}
-	req.Raw().Header["x-ms-version"] = []string{"2025-11-05"}
+	req.Raw().Header["x-ms-version"] = []string{"2026-02-06"}
 	if options != nil && options.FilePermission != nil {
 		req.Raw().Header["x-ms-file-permission"] = []string{*options.FilePermission}
 	}
@@ -110,6 +107,9 @@ func (client *DirectoryClient) createCreateRequest(ctx context.Context, options
 	if options != nil && options.FileMode != nil {
 		req.Raw().Header["x-ms-mode"] = []string{*options.FileMode}
 	}
+	if options != nil && options.FilePropertySemantics != nil {
+		req.Raw().Header["x-ms-file-property-semantics"] = []string{string(*options.FilePropertySemantics)}
+	}
 	req.Raw().Header["Accept"] = []string{"application/xml"}
 	return req, nil
 }
@@ -198,7 +198,7 @@ func (client *DirectoryClient) createHandleResponse(resp *http.Response) (Direct
 // Delete - Removes the specified empty directory. Note that the directory must be empty before it can be deleted.
 // If the operation fails it returns an *azcore.ResponseError type.
 //
-// Generated from API version 2025-11-05
+// Generated from API version 2026-02-06
 //   - options - DirectoryClientDeleteOptions contains the optional parameters for the DirectoryClient.Delete method.
 func (client *DirectoryClient) Delete(ctx context.Context, options *DirectoryClientDeleteOptions) (DirectoryClientDeleteResponse, error) {
 	var err error
@@ -233,7 +233,7 @@ func (client *DirectoryClient) deleteCreateRequest(ctx context.Context, options
 	if client.allowTrailingDot != nil {
 		req.Raw().Header["x-ms-allow-trailing-dot"] = []string{strconv.FormatBool(*client.allowTrailingDot)}
 	}
-	req.Raw().Header["x-ms-version"] = []string{"2025-11-05"}
+	req.Raw().Header["x-ms-version"] = []string{"2026-02-06"}
 	if client.fileRequestIntent != nil {
 		req.Raw().Header["x-ms-file-request-intent"] = []string{string(*client.fileRequestIntent)}
 	}
@@ -263,7 +263,7 @@ func (client *DirectoryClient) deleteHandleResponse(resp *http.Response) (Direct
 // ForceCloseHandles - Closes all handles open for given directory.
 // If the operation fails it returns an *azcore.ResponseError type.
 //
-// Generated from API version 2025-11-05
+// Generated from API version 2026-02-06
 //   - handleID - Specifies handle ID opened on the file or directory to be closed. Asterisk (‘*’) is a wildcard that specifies
 //     all handles.
 //   - options - DirectoryClientForceCloseHandlesOptions contains the optional parameters for the DirectoryClient.ForceCloseHandles
@@ -308,7 +308,7 @@ func (client *DirectoryClient) forceCloseHandlesCreateRequest(ctx context.Contex
 	if options != nil && options.Recursive != nil {
 		req.Raw().Header["x-ms-recursive"] = []string{strconv.FormatBool(*options.Recursive)}
 	}
-	req.Raw().Header["x-ms-version"] = []string{"2025-11-05"}
+	req.Raw().Header["x-ms-version"] = []string{"2026-02-06"}
 	if client.allowTrailingDot != nil {
 		req.Raw().Header["x-ms-allow-trailing-dot"] = []string{strconv.FormatBool(*client.allowTrailingDot)}
 	}
@@ -362,7 +362,7 @@ func (client *DirectoryClient) forceCloseHandlesHandleResponse(resp *http.Respon
 // subdirectories.
 // If the operation fails it returns an *azcore.ResponseError type.
 //
-// Generated from API version 2025-11-05
+// Generated from API version 2026-02-06
 //   - options - DirectoryClientGetPropertiesOptions contains the optional parameters for the DirectoryClient.GetProperties method.
 func (client *DirectoryClient) GetProperties(ctx context.Context, options *DirectoryClientGetPropertiesOptions) (DirectoryClientGetPropertiesResponse, error) {
 	var err error
@@ -400,7 +400,7 @@ func (client *DirectoryClient) getPropertiesCreateRequest(ctx context.Context, o
 	if client.allowTrailingDot != nil {
 		req.Raw().Header["x-ms-allow-trailing-dot"] = []string{strconv.FormatBool(*client.allowTrailingDot)}
 	}
-	req.Raw().Header["x-ms-version"] = []string{"2025-11-05"}
+	req.Raw().Header["x-ms-version"] = []string{"2026-02-06"}
 	if client.fileRequestIntent != nil {
 		req.Raw().Header["x-ms-file-request-intent"] = []string{string(*client.fileRequestIntent)}
 	}
@@ -500,7 +500,7 @@ func (client *DirectoryClient) getPropertiesHandleResponse(resp *http.Response)
 // NewListFilesAndDirectoriesSegmentPager - Returns a list of files or directories under the specified share or directory.
 // It lists the contents only for a single level of the directory hierarchy.
 //
-// Generated from API version 2025-11-05
+// Generated from API version 2026-02-06
 //   - options - DirectoryClientListFilesAndDirectoriesSegmentOptions contains the optional parameters for the DirectoryClient.NewListFilesAndDirectoriesSegmentPager
 //     method.
 //
@@ -532,7 +532,7 @@ func (client *DirectoryClient) ListFilesAndDirectoriesSegmentCreateRequest(ctx c
 		reqQP.Set("include", strings.Join(strings.Fields(strings.Trim(fmt.Sprint(options.Include), "[]")), ","))
 	}
 	req.Raw().URL.RawQuery = reqQP.Encode()
-	req.Raw().Header["x-ms-version"] = []string{"2025-11-05"}
+	req.Raw().Header["x-ms-version"] = []string{"2026-02-06"}
 	if options != nil && options.IncludeExtendedInfo != nil {
 		req.Raw().Header["x-ms-file-extended-info"] = []string{strconv.FormatBool(*options.IncludeExtendedInfo)}
 	}
@@ -574,7 +574,7 @@ func (client *DirectoryClient) ListFilesAndDirectoriesSegmentHandleResponse(resp
 // ListHandles - Lists handles for directory.
 // If the operation fails it returns an *azcore.ResponseError type.
 //
-// Generated from API version 2025-11-05
+// Generated from API version 2026-02-06
 //   - options - DirectoryClientListHandlesOptions contains the optional parameters for the DirectoryClient.ListHandles method.
 func (client *DirectoryClient) ListHandles(ctx context.Context, options *DirectoryClientListHandlesOptions) (DirectoryClientListHandlesResponse, error) {
 	var err error
@@ -618,7 +618,7 @@ func (client *DirectoryClient) listHandlesCreateRequest(ctx context.Context, opt
 	if options != nil && options.Recursive != nil {
 		req.Raw().Header["x-ms-recursive"] = []string{strconv.FormatBool(*options.Recursive)}
 	}
-	req.Raw().Header["x-ms-version"] = []string{"2025-11-05"}
+	req.Raw().Header["x-ms-version"] = []string{"2026-02-06"}
 	if client.allowTrailingDot != nil {
 		req.Raw().Header["x-ms-allow-trailing-dot"] = []string{strconv.FormatBool(*client.allowTrailingDot)}
 	}
@@ -657,7 +657,7 @@ func (client *DirectoryClient) listHandlesHandleResponse(resp *http.Response) (D
 // Rename - Renames a directory
 // If the operation fails it returns an *azcore.ResponseError type.
 //
-// Generated from API version 2025-11-05
+// Generated from API version 2026-02-06
 //   - renameSource - Required. Specifies the URI-style path of the source file, up to 2 KB in length.
 //   - options - DirectoryClientRenameOptions contains the optional parameters for the DirectoryClient.Rename method.
 //   - SourceLeaseAccessConditions - SourceLeaseAccessConditions contains a group of parameters for the DirectoryClient.Rename
@@ -696,7 +696,7 @@ func (client *DirectoryClient) renameCreateRequest(ctx context.Context, renameSo
 		reqQP.Set("timeout", strconv.FormatInt(int64(*options.Timeout), 10))
 	}
 	req.Raw().URL.RawQuery = reqQP.Encode()
-	req.Raw().Header["x-ms-version"] = []string{"2025-11-05"}
+	req.Raw().Header["x-ms-version"] = []string{"2026-02-06"}
 	req.Raw().Header["x-ms-file-rename-source"] = []string{renameSource}
 	if options != nil && options.ReplaceIfExists != nil {
 		req.Raw().Header["x-ms-file-rename-replace-if-exists"] = []string{strconv.FormatBool(*options.ReplaceIfExists)}
@@ -823,7 +823,7 @@ func (client *DirectoryClient) renameHandleResponse(resp *http.Response) (Direct
 // SetMetadata - Updates user defined metadata for the specified directory.
 // If the operation fails it returns an *azcore.ResponseError type.
 //
-// Generated from API version 2025-11-05
+// Generated from API version 2026-02-06
 //   - options - DirectoryClientSetMetadataOptions contains the optional parameters for the DirectoryClient.SetMetadata method.
 func (client *DirectoryClient) SetMetadata(ctx context.Context, options *DirectoryClientSetMetadataOptions) (DirectoryClientSetMetadataResponse, error) {
 	var err error
@@ -863,7 +863,7 @@ func (client *DirectoryClient) setMetadataCreateRequest(ctx context.Context, opt
 			}
 		}
 	}
-	req.Raw().Header["x-ms-version"] = []string{"2025-11-05"}
+	req.Raw().Header["x-ms-version"] = []string{"2026-02-06"}
 	if client.allowTrailingDot != nil {
 		req.Raw().Header["x-ms-allow-trailing-dot"] = []string{strconv.FormatBool(*client.allowTrailingDot)}
 	}
@@ -906,7 +906,7 @@ func (client *DirectoryClient) setMetadataHandleResponse(resp *http.Response) (D
 // SetProperties - Sets properties on the directory.
 // If the operation fails it returns an *azcore.ResponseError type.
 //
-// Generated from API version 2025-11-05
+// Generated from API version 2026-02-06
 //   - options - DirectoryClientSetPropertiesOptions contains the optional parameters for the DirectoryClient.SetProperties method.
 func (client *DirectoryClient) SetProperties(ctx context.Context, options *DirectoryClientSetPropertiesOptions) (DirectoryClientSetPropertiesResponse, error) {
 	var err error
@@ -939,7 +939,7 @@ func (client *DirectoryClient) setPropertiesCreateRequest(ctx context.Context, o
 		reqQP.Set("timeout", strconv.FormatInt(int64(*options.Timeout), 10))
 	}
 	req.Raw().URL.RawQuery = reqQP.Encode()
-	req.Raw().Header["x-ms-version"] = []string{"2025-11-05"}
+	req.Raw().Header["x-ms-version"] = []string{"2026-02-06"}
 	if options != nil && options.FilePermission != nil {
 		req.Raw().Header["x-ms-file-permission"] = []string{*options.FilePermission}
 	}
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/generated/zz_file_client.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/generated/zz_file_client.go
index 7beeff1a9d..8655e0cba6 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/generated/zz_file_client.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/generated/zz_file_client.go
@@ -1,6 +1,3 @@
-//go:build go1.18
-// +build go1.18
-
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License. See License.txt in the project root for license information.
 // Code generated by Microsoft (R) AutoRest Code Generator. DO NOT EDIT.
@@ -15,7 +12,6 @@ import (
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime"
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore/to"
-	"io"
 	"net/http"
 	"strconv"
 	"strings"
@@ -35,7 +31,7 @@ type FileClient struct {
 // AbortCopy - Aborts a pending Copy File operation, and leaves a destination file with zero length and full metadata.
 // If the operation fails it returns an *azcore.ResponseError type.
 //
-// Generated from API version 2025-11-05
+// Generated from API version 2026-02-06
 //   - copyID - The copy identifier provided in the x-ms-copy-id header of the original Copy File operation.
 //   - options - FileClientAbortCopyOptions contains the optional parameters for the FileClient.AbortCopy method.
 //   - LeaseAccessConditions - LeaseAccessConditions contains a group of parameters for the ShareClient.GetProperties method.
@@ -71,7 +67,7 @@ func (client *FileClient) abortCopyCreateRequest(ctx context.Context, copyID str
 	}
 	req.Raw().URL.RawQuery = reqQP.Encode()
 	req.Raw().Header["x-ms-copy-action"] = []string{"abort"}
-	req.Raw().Header["x-ms-version"] = []string{"2025-11-05"}
+	req.Raw().Header["x-ms-version"] = []string{"2026-02-06"}
 	if leaseAccessConditions != nil && leaseAccessConditions.LeaseID != nil {
 		req.Raw().Header["x-ms-lease-id"] = []string{*leaseAccessConditions.LeaseID}
 	}
@@ -107,7 +103,7 @@ func (client *FileClient) abortCopyHandleResponse(resp *http.Response) (FileClie
 // AcquireLease - [Update] The Lease File operation establishes and manages a lock on a file for write and delete operations
 // If the operation fails it returns an *azcore.ResponseError type.
 //
-// Generated from API version 2025-11-05
+// Generated from API version 2026-02-06
 //   - duration - Specifies the duration of the lease, in seconds, or negative one (-1) for a lease that never expires. A non-infinite
 //     lease can be between 15 and 60 seconds. A lease duration cannot be changed using
 //     renew or change.
@@ -147,7 +143,7 @@ func (client *FileClient) acquireLeaseCreateRequest(ctx context.Context, duratio
 	if options != nil && options.ProposedLeaseID != nil {
 		req.Raw().Header["x-ms-proposed-lease-id"] = []string{*options.ProposedLeaseID}
 	}
-	req.Raw().Header["x-ms-version"] = []string{"2025-11-05"}
+	req.Raw().Header["x-ms-version"] = []string{"2026-02-06"}
 	if options != nil && options.RequestID != nil {
 		req.Raw().Header["x-ms-client-request-id"] = []string{*options.RequestID}
 	}
@@ -199,7 +195,7 @@ func (client *FileClient) acquireLeaseHandleResponse(resp *http.Response) (FileC
 // BreakLease - [Update] The Lease File operation establishes and manages a lock on a file for write and delete operations
 // If the operation fails it returns an *azcore.ResponseError type.
 //
-// Generated from API version 2025-11-05
+// Generated from API version 2026-02-06
 //   - options - FileClientBreakLeaseOptions contains the optional parameters for the FileClient.BreakLease method.
 //   - LeaseAccessConditions - LeaseAccessConditions contains a group of parameters for the ShareClient.GetProperties method.
 func (client *FileClient) BreakLease(ctx context.Context, options *FileClientBreakLeaseOptions, leaseAccessConditions *LeaseAccessConditions) (FileClientBreakLeaseResponse, error) {
@@ -236,7 +232,7 @@ func (client *FileClient) breakLeaseCreateRequest(ctx context.Context, options *
 	if leaseAccessConditions != nil && leaseAccessConditions.LeaseID != nil {
 		req.Raw().Header["x-ms-lease-id"] = []string{*leaseAccessConditions.LeaseID}
 	}
-	req.Raw().Header["x-ms-version"] = []string{"2025-11-05"}
+	req.Raw().Header["x-ms-version"] = []string{"2026-02-06"}
 	if options != nil && options.RequestID != nil {
 		req.Raw().Header["x-ms-client-request-id"] = []string{*options.RequestID}
 	}
@@ -288,7 +284,7 @@ func (client *FileClient) breakLeaseHandleResponse(resp *http.Response) (FileCli
 // ChangeLease - [Update] The Lease File operation establishes and manages a lock on a file for write and delete operations
 // If the operation fails it returns an *azcore.ResponseError type.
 //
-// Generated from API version 2025-11-05
+// Generated from API version 2026-02-06
 //   - leaseID - Specifies the current lease ID on the resource.
 //   - options - FileClientChangeLeaseOptions contains the optional parameters for the FileClient.ChangeLease method.
 func (client *FileClient) ChangeLease(ctx context.Context, leaseID string, options *FileClientChangeLeaseOptions) (FileClientChangeLeaseResponse, error) {
@@ -326,7 +322,7 @@ func (client *FileClient) changeLeaseCreateRequest(ctx context.Context, leaseID
 	if options != nil && options.ProposedLeaseID != nil {
 		req.Raw().Header["x-ms-proposed-lease-id"] = []string{*options.ProposedLeaseID}
 	}
-	req.Raw().Header["x-ms-version"] = []string{"2025-11-05"}
+	req.Raw().Header["x-ms-version"] = []string{"2026-02-06"}
 	if options != nil && options.RequestID != nil {
 		req.Raw().Header["x-ms-client-request-id"] = []string{*options.RequestID}
 	}
@@ -378,7 +374,7 @@ func (client *FileClient) changeLeaseHandleResponse(resp *http.Response) (FileCl
 // Create - Creates a new file or replaces a file. Note it only initializes the file with no content.
 // If the operation fails it returns an *azcore.ResponseError type.
 //
-// Generated from API version 2025-11-05
+// Generated from API version 2026-02-06
 //   - fileContentLength - Specifies the maximum size for the file, up to 4 TB.
 //   - options - FileClientCreateOptions contains the optional parameters for the FileClient.Create method.
 //   - ShareFileHTTPHeaders - ShareFileHTTPHeaders contains a group of parameters for the FileClient.Create method.
@@ -415,7 +411,7 @@ func (client *FileClient) createCreateRequest(ctx context.Context, fileContentLe
 	if client.allowTrailingDot != nil {
 		req.Raw().Header["x-ms-allow-trailing-dot"] = []string{strconv.FormatBool(*client.allowTrailingDot)}
 	}
-	req.Raw().Header["x-ms-version"] = []string{"2025-11-05"}
+	req.Raw().Header["x-ms-version"] = []string{"2026-02-06"}
 	req.Raw().Header["x-ms-content-length"] = []string{strconv.FormatInt(fileContentLength, 10)}
 	req.Raw().Header["x-ms-type"] = []string{"file"}
 	if shareFileHTTPHeaders != nil && shareFileHTTPHeaders.ContentType != nil {
@@ -482,13 +478,42 @@ func (client *FileClient) createCreateRequest(ctx context.Context, fileContentLe
 	if options != nil && options.NFSFileType != nil {
 		req.Raw().Header["x-ms-file-file-type"] = []string{string(*options.NFSFileType)}
 	}
+	if options != nil && options.ContentMD5 != nil {
+		req.Raw().Header["Content-MD5"] = []string{base64.StdEncoding.EncodeToString(options.ContentMD5)}
+	}
+	if options != nil && options.FilePropertySemantics != nil {
+		req.Raw().Header["x-ms-file-property-semantics"] = []string{string(*options.FilePropertySemantics)}
+	}
+	if options != nil && options.ContentLength != nil {
+		req.Raw().Header["Content-Length"] = []string{strconv.FormatInt(*options.ContentLength, 10)}
+	}
 	req.Raw().Header["Accept"] = []string{"application/xml"}
+	if options != nil && options.Optionalbody != nil {
+		if err := req.SetBody(options.Optionalbody, "application/octet-stream"); err != nil {
+			return nil, err
+		}
+		return req, nil
+	}
 	return req, nil
 }
 
 // createHandleResponse handles the Create response.
 func (client *FileClient) createHandleResponse(resp *http.Response) (FileClientCreateResponse, error) {
 	result := FileClientCreateResponse{}
+	if val := resp.Header.Get("Content-Length"); val != "" {
+		contentLength, err := strconv.ParseInt(val, 10, 64)
+		if err != nil {
+			return FileClientCreateResponse{}, err
+		}
+		result.ContentLength = &contentLength
+	}
+	if val := resp.Header.Get("Content-MD5"); val != "" {
+		contentMD5, err := base64.StdEncoding.DecodeString(val)
+		if err != nil {
+			return FileClientCreateResponse{}, err
+		}
+		result.ContentMD5 = contentMD5
+	}
 	if val := resp.Header.Get("Date"); val != "" {
 		date, err := time.Parse(time.RFC1123, val)
 		if err != nil {
@@ -570,7 +595,7 @@ func (client *FileClient) createHandleResponse(resp *http.Response) (FileClientC
 // CreateHardLink - Creates a hard link.
 // If the operation fails it returns an *azcore.ResponseError type.
 //
-// Generated from API version 2025-11-05
+// Generated from API version 2026-02-06
 //   - targetFile - NFS only. Required. Specifies the path of the target file to which the link will be created, up to 2 KiB in
 //     length. It should be full path of the target from the root.The target file must be in the
 //     same share and hence the same storage account.
@@ -606,7 +631,7 @@ func (client *FileClient) createHardLinkCreateRequest(ctx context.Context, targe
 		reqQP.Set("timeout", strconv.FormatInt(int64(*options.Timeout), 10))
 	}
 	req.Raw().URL.RawQuery = reqQP.Encode()
-	req.Raw().Header["x-ms-version"] = []string{"2025-11-05"}
+	req.Raw().Header["x-ms-version"] = []string{"2026-02-06"}
 	req.Raw().Header["x-ms-type"] = []string{"file"}
 	if options != nil && options.RequestID != nil {
 		req.Raw().Header["x-ms-client-request-id"] = []string{*options.RequestID}
@@ -703,7 +728,7 @@ func (client *FileClient) createHardLinkHandleResponse(resp *http.Response) (Fil
 // CreateSymbolicLink - Creates a symbolic link.
 // If the operation fails it returns an *azcore.ResponseError type.
 //
-// Generated from API version 2025-11-05
+// Generated from API version 2026-02-06
 //   - linkText - NFS only. Required. The path to the original file, the symbolic link is pointing to. The path is of type string
 //     which is not resolved and is stored as is. The path can be absolute path or the relative
 //     path depending on the content stored in the symbolic link file.
@@ -739,7 +764,7 @@ func (client *FileClient) createSymbolicLinkCreateRequest(ctx context.Context, l
 		reqQP.Set("timeout", strconv.FormatInt(int64(*options.Timeout), 10))
 	}
 	req.Raw().URL.RawQuery = reqQP.Encode()
-	req.Raw().Header["x-ms-version"] = []string{"2025-11-05"}
+	req.Raw().Header["x-ms-version"] = []string{"2026-02-06"}
 	if options != nil && options.Metadata != nil {
 		for k, v := range options.Metadata {
 			if v != nil {
@@ -847,7 +872,7 @@ func (client *FileClient) createSymbolicLinkHandleResponse(resp *http.Response)
 // Delete - removes the file from the storage account.
 // If the operation fails it returns an *azcore.ResponseError type.
 //
-// Generated from API version 2025-11-05
+// Generated from API version 2026-02-06
 //   - options - FileClientDeleteOptions contains the optional parameters for the FileClient.Delete method.
 //   - LeaseAccessConditions - LeaseAccessConditions contains a group of parameters for the ShareClient.GetProperties method.
 func (client *FileClient) Delete(ctx context.Context, options *FileClientDeleteOptions, leaseAccessConditions *LeaseAccessConditions) (FileClientDeleteResponse, error) {
@@ -882,7 +907,7 @@ func (client *FileClient) deleteCreateRequest(ctx context.Context, options *File
 	if client.allowTrailingDot != nil {
 		req.Raw().Header["x-ms-allow-trailing-dot"] = []string{strconv.FormatBool(*client.allowTrailingDot)}
 	}
-	req.Raw().Header["x-ms-version"] = []string{"2025-11-05"}
+	req.Raw().Header["x-ms-version"] = []string{"2026-02-06"}
 	if leaseAccessConditions != nil && leaseAccessConditions.LeaseID != nil {
 		req.Raw().Header["x-ms-lease-id"] = []string{*leaseAccessConditions.LeaseID}
 	}
@@ -922,7 +947,7 @@ func (client *FileClient) deleteHandleResponse(resp *http.Response) (FileClientD
 // Download - Reads or downloads a file from the system, including its metadata and properties.
 // If the operation fails it returns an *azcore.ResponseError type.
 //
-// Generated from API version 2025-11-05
+// Generated from API version 2026-02-06
 //   - options - FileClientDownloadOptions contains the optional parameters for the FileClient.Download method.
 //   - LeaseAccessConditions - LeaseAccessConditions contains a group of parameters for the ShareClient.GetProperties method.
 func (client *FileClient) Download(ctx context.Context, options *FileClientDownloadOptions, leaseAccessConditions *LeaseAccessConditions) (FileClientDownloadResponse, error) {
@@ -958,7 +983,7 @@ func (client *FileClient) downloadCreateRequest(ctx context.Context, options *Fi
 	if client.allowTrailingDot != nil {
 		req.Raw().Header["x-ms-allow-trailing-dot"] = []string{strconv.FormatBool(*client.allowTrailingDot)}
 	}
-	req.Raw().Header["x-ms-version"] = []string{"2025-11-05"}
+	req.Raw().Header["x-ms-version"] = []string{"2026-02-06"}
 	if options != nil && options.Range != nil {
 		req.Raw().Header["x-ms-range"] = []string{*options.Range}
 	}
@@ -1157,7 +1182,7 @@ func (client *FileClient) downloadHandleResponse(resp *http.Response) (FileClien
 // ForceCloseHandles - Closes all handles open for given file
 // If the operation fails it returns an *azcore.ResponseError type.
 //
-// Generated from API version 2025-11-05
+// Generated from API version 2026-02-06
 //   - handleID - Specifies handle ID opened on the file or directory to be closed. Asterisk (‘*’) is a wildcard that specifies
 //     all handles.
 //   - options - FileClientForceCloseHandlesOptions contains the optional parameters for the FileClient.ForceCloseHandles method.
@@ -1198,7 +1223,7 @@ func (client *FileClient) forceCloseHandlesCreateRequest(ctx context.Context, ha
 	}
 	req.Raw().URL.RawQuery = reqQP.Encode()
 	req.Raw().Header["x-ms-handle-id"] = []string{handleID}
-	req.Raw().Header["x-ms-version"] = []string{"2025-11-05"}
+	req.Raw().Header["x-ms-version"] = []string{"2026-02-06"}
 	if client.allowTrailingDot != nil {
 		req.Raw().Header["x-ms-allow-trailing-dot"] = []string{strconv.FormatBool(*client.allowTrailingDot)}
 	}
@@ -1251,7 +1276,7 @@ func (client *FileClient) forceCloseHandlesHandleResponse(resp *http.Response) (
 // not return the content of the file.
 // If the operation fails it returns an *azcore.ResponseError type.
 //
-// Generated from API version 2025-11-05
+// Generated from API version 2026-02-06
 //   - options - FileClientGetPropertiesOptions contains the optional parameters for the FileClient.GetProperties method.
 //   - LeaseAccessConditions - LeaseAccessConditions contains a group of parameters for the ShareClient.GetProperties method.
 func (client *FileClient) GetProperties(ctx context.Context, options *FileClientGetPropertiesOptions, leaseAccessConditions *LeaseAccessConditions) (FileClientGetPropertiesResponse, error) {
@@ -1289,7 +1314,7 @@ func (client *FileClient) getPropertiesCreateRequest(ctx context.Context, option
 	if client.allowTrailingDot != nil {
 		req.Raw().Header["x-ms-allow-trailing-dot"] = []string{strconv.FormatBool(*client.allowTrailingDot)}
 	}
-	req.Raw().Header["x-ms-version"] = []string{"2025-11-05"}
+	req.Raw().Header["x-ms-version"] = []string{"2026-02-06"}
 	if leaseAccessConditions != nil && leaseAccessConditions.LeaseID != nil {
 		req.Raw().Header["x-ms-lease-id"] = []string{*leaseAccessConditions.LeaseID}
 	}
@@ -1462,7 +1487,7 @@ func (client *FileClient) getPropertiesHandleResponse(resp *http.Response) (File
 // GetRangeList - Returns the list of valid ranges for a file.
 // If the operation fails it returns an *azcore.ResponseError type.
 //
-// Generated from API version 2025-11-05
+// Generated from API version 2026-02-06
 //   - options - FileClientGetRangeListOptions contains the optional parameters for the FileClient.GetRangeList method.
 //   - LeaseAccessConditions - LeaseAccessConditions contains a group of parameters for the ShareClient.GetProperties method.
 func (client *FileClient) GetRangeList(ctx context.Context, options *FileClientGetRangeListOptions, leaseAccessConditions *LeaseAccessConditions) (FileClientGetRangeListResponse, error) {
@@ -1501,7 +1526,7 @@ func (client *FileClient) getRangeListCreateRequest(ctx context.Context, options
 		reqQP.Set("timeout", strconv.FormatInt(int64(*options.Timeout), 10))
 	}
 	req.Raw().URL.RawQuery = reqQP.Encode()
-	req.Raw().Header["x-ms-version"] = []string{"2025-11-05"}
+	req.Raw().Header["x-ms-version"] = []string{"2026-02-06"}
 	if options != nil && options.Range != nil {
 		req.Raw().Header["x-ms-range"] = []string{*options.Range}
 	}
@@ -1563,7 +1588,7 @@ func (client *FileClient) getRangeListHandleResponse(resp *http.Response) (FileC
 // GetSymbolicLink -
 // If the operation fails it returns an *azcore.ResponseError type.
 //
-// Generated from API version 2025-11-05
+// Generated from API version 2026-02-06
 //   - options - FileClientGetSymbolicLinkOptions contains the optional parameters for the FileClient.GetSymbolicLink method.
 func (client *FileClient) GetSymbolicLink(ctx context.Context, options *FileClientGetSymbolicLinkOptions) (FileClientGetSymbolicLinkResponse, error) {
 	var err error
@@ -1598,7 +1623,7 @@ func (client *FileClient) getSymbolicLinkCreateRequest(ctx context.Context, opti
 		reqQP.Set("sharesnapshot", *options.Sharesnapshot)
 	}
 	req.Raw().URL.RawQuery = reqQP.Encode()
-	req.Raw().Header["x-ms-version"] = []string{"2025-11-05"}
+	req.Raw().Header["x-ms-version"] = []string{"2026-02-06"}
 	if options != nil && options.RequestID != nil {
 		req.Raw().Header["x-ms-client-request-id"] = []string{*options.RequestID}
 	}
@@ -1647,7 +1672,7 @@ func (client *FileClient) getSymbolicLinkHandleResponse(resp *http.Response) (Fi
 // ListHandles - Lists handles for file
 // If the operation fails it returns an *azcore.ResponseError type.
 //
-// Generated from API version 2025-11-05
+// Generated from API version 2026-02-06
 //   - options - FileClientListHandlesOptions contains the optional parameters for the FileClient.ListHandles method.
 func (client *FileClient) ListHandles(ctx context.Context, options *FileClientListHandlesOptions) (FileClientListHandlesResponse, error) {
 	var err error
@@ -1688,7 +1713,7 @@ func (client *FileClient) listHandlesCreateRequest(ctx context.Context, options
 		reqQP.Set("sharesnapshot", *options.Sharesnapshot)
 	}
 	req.Raw().URL.RawQuery = reqQP.Encode()
-	req.Raw().Header["x-ms-version"] = []string{"2025-11-05"}
+	req.Raw().Header["x-ms-version"] = []string{"2026-02-06"}
 	if client.allowTrailingDot != nil {
 		req.Raw().Header["x-ms-allow-trailing-dot"] = []string{strconv.FormatBool(*client.allowTrailingDot)}
 	}
@@ -1727,7 +1752,7 @@ func (client *FileClient) listHandlesHandleResponse(resp *http.Response) (FileCl
 // ReleaseLease - [Update] The Lease File operation establishes and manages a lock on a file for write and delete operations
 // If the operation fails it returns an *azcore.ResponseError type.
 //
-// Generated from API version 2025-11-05
+// Generated from API version 2026-02-06
 //   - leaseID - Specifies the current lease ID on the resource.
 //   - options - FileClientReleaseLeaseOptions contains the optional parameters for the FileClient.ReleaseLease method.
 func (client *FileClient) ReleaseLease(ctx context.Context, leaseID string, options *FileClientReleaseLeaseOptions) (FileClientReleaseLeaseResponse, error) {
@@ -1762,7 +1787,7 @@ func (client *FileClient) releaseLeaseCreateRequest(ctx context.Context, leaseID
 	req.Raw().URL.RawQuery = reqQP.Encode()
 	req.Raw().Header["x-ms-lease-action"] = []string{"release"}
 	req.Raw().Header["x-ms-lease-id"] = []string{leaseID}
-	req.Raw().Header["x-ms-version"] = []string{"2025-11-05"}
+	req.Raw().Header["x-ms-version"] = []string{"2026-02-06"}
 	if options != nil && options.RequestID != nil {
 		req.Raw().Header["x-ms-client-request-id"] = []string{*options.RequestID}
 	}
@@ -1811,7 +1836,7 @@ func (client *FileClient) releaseLeaseHandleResponse(resp *http.Response) (FileC
 // Rename - Renames a file
 // If the operation fails it returns an *azcore.ResponseError type.
 //
-// Generated from API version 2025-11-05
+// Generated from API version 2026-02-06
 //   - renameSource - Required. Specifies the URI-style path of the source file, up to 2 KB in length.
 //   - options - FileClientRenameOptions contains the optional parameters for the FileClient.Rename method.
 //   - SourceLeaseAccessConditions - SourceLeaseAccessConditions contains a group of parameters for the DirectoryClient.Rename
@@ -1850,7 +1875,7 @@ func (client *FileClient) renameCreateRequest(ctx context.Context, renameSource
 		reqQP.Set("timeout", strconv.FormatInt(int64(*options.Timeout), 10))
 	}
 	req.Raw().URL.RawQuery = reqQP.Encode()
-	req.Raw().Header["x-ms-version"] = []string{"2025-11-05"}
+	req.Raw().Header["x-ms-version"] = []string{"2026-02-06"}
 	req.Raw().Header["x-ms-file-rename-source"] = []string{renameSource}
 	if options != nil && options.ReplaceIfExists != nil {
 		req.Raw().Header["x-ms-file-rename-replace-if-exists"] = []string{strconv.FormatBool(*options.ReplaceIfExists)}
@@ -1980,7 +2005,7 @@ func (client *FileClient) renameHandleResponse(resp *http.Response) (FileClientR
 // SetHTTPHeaders - Sets HTTP headers on the file.
 // If the operation fails it returns an *azcore.ResponseError type.
 //
-// Generated from API version 2025-11-05
+// Generated from API version 2026-02-06
 //   - options - FileClientSetHTTPHeadersOptions contains the optional parameters for the FileClient.SetHTTPHeaders method.
 //   - ShareFileHTTPHeaders - ShareFileHTTPHeaders contains a group of parameters for the FileClient.Create method.
 //   - LeaseAccessConditions - LeaseAccessConditions contains a group of parameters for the ShareClient.GetProperties method.
@@ -2014,7 +2039,7 @@ func (client *FileClient) setHTTPHeadersCreateRequest(ctx context.Context, optio
 		reqQP.Set("timeout", strconv.FormatInt(int64(*options.Timeout), 10))
 	}
 	req.Raw().URL.RawQuery = reqQP.Encode()
-	req.Raw().Header["x-ms-version"] = []string{"2025-11-05"}
+	req.Raw().Header["x-ms-version"] = []string{"2026-02-06"}
 	if options != nil && options.FileContentLength != nil {
 		req.Raw().Header["x-ms-content-length"] = []string{strconv.FormatInt(*options.FileContentLength, 10)}
 	}
@@ -2167,7 +2192,7 @@ func (client *FileClient) setHTTPHeadersHandleResponse(resp *http.Response) (Fil
 // SetMetadata - Updates user-defined metadata for the specified file.
 // If the operation fails it returns an *azcore.ResponseError type.
 //
-// Generated from API version 2025-11-05
+// Generated from API version 2026-02-06
 //   - options - FileClientSetMetadataOptions contains the optional parameters for the FileClient.SetMetadata method.
 //   - LeaseAccessConditions - LeaseAccessConditions contains a group of parameters for the ShareClient.GetProperties method.
 func (client *FileClient) SetMetadata(ctx context.Context, options *FileClientSetMetadataOptions, leaseAccessConditions *LeaseAccessConditions) (FileClientSetMetadataResponse, error) {
@@ -2207,7 +2232,7 @@ func (client *FileClient) setMetadataCreateRequest(ctx context.Context, options
 			}
 		}
 	}
-	req.Raw().Header["x-ms-version"] = []string{"2025-11-05"}
+	req.Raw().Header["x-ms-version"] = []string{"2026-02-06"}
 	if leaseAccessConditions != nil && leaseAccessConditions.LeaseID != nil {
 		req.Raw().Header["x-ms-lease-id"] = []string{*leaseAccessConditions.LeaseID}
 	}
@@ -2260,7 +2285,7 @@ func (client *FileClient) setMetadataHandleResponse(resp *http.Response) (FileCl
 // StartCopy - Copies a blob or file to a destination file within the storage account.
 // If the operation fails it returns an *azcore.ResponseError type.
 //
-// Generated from API version 2025-11-05
+// Generated from API version 2026-02-06
 //   - copySource - Specifies the URL of the source file or blob, up to 2 KB in length. To copy a file to another file within
 //     the same storage account, you may use Shared Key to authenticate the source file. If you are
 //     copying a file from another storage account, or if you are copying a blob from the same storage account or another storage
@@ -2299,7 +2324,7 @@ func (client *FileClient) startCopyCreateRequest(ctx context.Context, copySource
 		reqQP.Set("timeout", strconv.FormatInt(int64(*options.Timeout), 10))
 	}
 	req.Raw().URL.RawQuery = reqQP.Encode()
-	req.Raw().Header["x-ms-version"] = []string{"2025-11-05"}
+	req.Raw().Header["x-ms-version"] = []string{"2026-02-06"}
 	if options != nil && options.Metadata != nil {
 		for k, v := range options.Metadata {
 			if v != nil {
@@ -2407,7 +2432,7 @@ func (client *FileClient) startCopyHandleResponse(resp *http.Response) (FileClie
 // UploadRange - Upload a range of bytes to a file.
 // If the operation fails it returns an *azcore.ResponseError type.
 //
-// Generated from API version 2025-11-05
+// Generated from API version 2026-02-06
 //   - rangeParam - Specifies the range of bytes to be written. Both the start and end of the range must be specified. For an
 //     update operation, the range can be up to 4 MB in size. For a clear operation, the range can be
 //     up to the value of the file's full size. The File service accepts only a single byte range for the Range and 'x-ms-range'
@@ -2420,12 +2445,11 @@ func (client *FileClient) startCopyHandleResponse(resp *http.Response) (FileClie
 //     to clear, up to maximum file size.
 //   - contentLength - Specifies the number of bytes being transmitted in the request body. When the x-ms-write header is set
 //     to clear, the value of this header must be set to zero.
-//   - optionalbody - Initial data.
 //   - options - FileClientUploadRangeOptions contains the optional parameters for the FileClient.UploadRange method.
 //   - LeaseAccessConditions - LeaseAccessConditions contains a group of parameters for the ShareClient.GetProperties method.
-func (client *FileClient) UploadRange(ctx context.Context, rangeParam string, fileRangeWrite FileRangeWriteType, contentLength int64, optionalbody io.ReadSeekCloser, options *FileClientUploadRangeOptions, leaseAccessConditions *LeaseAccessConditions) (FileClientUploadRangeResponse, error) {
+func (client *FileClient) UploadRange(ctx context.Context, rangeParam string, fileRangeWrite FileRangeWriteType, contentLength int64, options *FileClientUploadRangeOptions, leaseAccessConditions *LeaseAccessConditions) (FileClientUploadRangeResponse, error) {
 	var err error
-	req, err := client.uploadRangeCreateRequest(ctx, rangeParam, fileRangeWrite, contentLength, optionalbody, options, leaseAccessConditions)
+	req, err := client.uploadRangeCreateRequest(ctx, rangeParam, fileRangeWrite, contentLength, options, leaseAccessConditions)
 	if err != nil {
 		return FileClientUploadRangeResponse{}, err
 	}
@@ -2442,7 +2466,7 @@ func (client *FileClient) UploadRange(ctx context.Context, rangeParam string, fi
 }
 
 // uploadRangeCreateRequest creates the UploadRange request.
-func (client *FileClient) uploadRangeCreateRequest(ctx context.Context, rangeParam string, fileRangeWrite FileRangeWriteType, contentLength int64, optionalbody io.ReadSeekCloser, options *FileClientUploadRangeOptions, leaseAccessConditions *LeaseAccessConditions) (*policy.Request, error) {
+func (client *FileClient) uploadRangeCreateRequest(ctx context.Context, rangeParam string, fileRangeWrite FileRangeWriteType, contentLength int64, options *FileClientUploadRangeOptions, leaseAccessConditions *LeaseAccessConditions) (*policy.Request, error) {
 	req, err := runtime.NewRequest(ctx, http.MethodPut, client.endpoint)
 	if err != nil {
 		return nil, err
@@ -2459,7 +2483,7 @@ func (client *FileClient) uploadRangeCreateRequest(ctx context.Context, rangePar
 	if options != nil && options.ContentMD5 != nil {
 		req.Raw().Header["Content-MD5"] = []string{base64.StdEncoding.EncodeToString(options.ContentMD5)}
 	}
-	req.Raw().Header["x-ms-version"] = []string{"2025-11-05"}
+	req.Raw().Header["x-ms-version"] = []string{"2026-02-06"}
 	if leaseAccessConditions != nil && leaseAccessConditions.LeaseID != nil {
 		req.Raw().Header["x-ms-lease-id"] = []string{*leaseAccessConditions.LeaseID}
 	}
@@ -2479,8 +2503,11 @@ func (client *FileClient) uploadRangeCreateRequest(ctx context.Context, rangePar
 		req.Raw().Header["x-ms-structured-content-length"] = []string{strconv.FormatInt(*options.StructuredContentLength, 10)}
 	}
 	req.Raw().Header["Accept"] = []string{"application/xml"}
-	if err := req.SetBody(optionalbody, "application/octet-stream"); err != nil {
-		return nil, err
+	if options != nil && options.Optionalbody != nil {
+		if err := req.SetBody(options.Optionalbody, "application/octet-stream"); err != nil {
+			return nil, err
+		}
+		return req, nil
 	}
 	return req, nil
 }
@@ -2541,7 +2568,7 @@ func (client *FileClient) uploadRangeHandleResponse(resp *http.Response) (FileCl
 // UploadRangeFromURL - Upload a range of bytes to a file where the contents are read from a URL.
 // If the operation fails it returns an *azcore.ResponseError type.
 //
-// Generated from API version 2025-11-05
+// Generated from API version 2026-02-06
 //   - rangeParam - Writes data to the specified byte range in the file.
 //   - copySource - Specifies the URL of the source file or blob, up to 2 KB in length. To copy a file to another file within
 //     the same storage account, you may use Shared Key to authenticate the source file. If you are
@@ -2601,7 +2628,7 @@ func (client *FileClient) uploadRangeFromURLCreateRequest(ctx context.Context, r
 	if sourceModifiedAccessConditions != nil && sourceModifiedAccessConditions.SourceIfNoneMatchCRC64 != nil {
 		req.Raw().Header["x-ms-source-if-none-match-crc64"] = []string{base64.StdEncoding.EncodeToString(sourceModifiedAccessConditions.SourceIfNoneMatchCRC64)}
 	}
-	req.Raw().Header["x-ms-version"] = []string{"2025-11-05"}
+	req.Raw().Header["x-ms-version"] = []string{"2026-02-06"}
 	if leaseAccessConditions != nil && leaseAccessConditions.LeaseID != nil {
 		req.Raw().Header["x-ms-lease-id"] = []string{*leaseAccessConditions.LeaseID}
 	}
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/generated/zz_models.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/generated/zz_models.go
index 8da71ea9ae..8c5d2e962a 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/generated/zz_models.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/generated/zz_models.go
@@ -1,6 +1,3 @@
-//go:build go1.18
-// +build go1.18
-
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License. See License.txt in the project root for license information.
 // Code generated by Microsoft (R) AutoRest Code Generator. DO NOT EDIT.
@@ -145,6 +142,15 @@ type Handle struct {
 	ParentID *string `xml:"ParentId"`
 }
 
+// KeyInfo - Key information
+type KeyInfo struct {
+	// REQUIRED; The date-time the key expires in ISO 8601 UTC time
+	Expiry *string `xml:"Expiry"`
+
+	// The date-time the key is active in ISO 8601 UTC time
+	Start *string `xml:"Start"`
+}
+
 // ListFilesAndDirectoriesSegmentResponse - An enumeration of directories and files.
 type ListFilesAndDirectoriesSegmentResponse struct {
 	// REQUIRED
@@ -208,6 +214,9 @@ type Metrics struct {
 
 // ProtocolSettings - Protocol settings
 type ProtocolSettings struct {
+	// Settings for NFS protocol.
+	NFS *ShareNFSSettings `xml:"NFS"`
+
 	// Settings for SMB protocol.
 	Smb *SMBSettings `xml:"SMB"`
 }
@@ -225,10 +234,19 @@ type RetentionPolicy struct {
 
 // SMBSettings - Settings for SMB protocol.
 type SMBSettings struct {
+	// Enable or disable encryption in transit.
+	EncryptionInTransit *SMBSettingsEncryptionInTransit `xml:"EncryptionInTransit"`
+
 	// Settings for SMB Multichannel.
 	Multichannel *SMBMultichannel `xml:"Multichannel"`
 }
 
+// SMBSettingsEncryptionInTransit - Enable or disable encryption in transit.
+type SMBSettingsEncryptionInTransit struct {
+	// If encryption in transit is required
+	Required *bool `xml:"Required"`
+}
+
 // Share - A listed Azure Storage share item.
 type Share struct {
 	// REQUIRED
@@ -250,6 +268,18 @@ type ShareFileRangeList struct {
 	Ranges      []*FileRange  `xml:"Range"`
 }
 
+// ShareNFSSettings - Settings for SMB protocol.
+type ShareNFSSettings struct {
+	// Enable or disable encryption in transit.
+	EncryptionInTransit *ShareNFSSettingsEncryptionInTransit `xml:"EncryptionInTransit"`
+}
+
+// ShareNFSSettingsEncryptionInTransit - Enable or disable encryption in transit.
+type ShareNFSSettingsEncryptionInTransit struct {
+	// If encryption in transit is required
+	Required *bool `xml:"Required"`
+}
+
 // SharePermission - A permission (a security descriptor) at the share level.
 type SharePermission struct {
 	// REQUIRED; The permission in the Security Descriptor Definition Language (SDDL).
@@ -271,6 +301,7 @@ type ShareProperties struct {
 	AccessTierChangeTime                 *time.Time `xml:"AccessTierChangeTime"`
 	AccessTierTransitionState            *string    `xml:"AccessTierTransitionState"`
 	DeletedTime                          *time.Time `xml:"DeletedTime"`
+	EnableSMBDirectoryLease              *bool      `xml:"EnableSMBDirectoryLease"`
 	EnableSnapshotVirtualDirectoryAccess *bool      `xml:"EnableSnapshotVirtualDirectoryAccess"`
 	EnabledProtocols                     *string    `xml:"EnabledProtocols"`
 	IncludedBurstIops                    *int64     `xml:"IncludedBurstIops"`
@@ -322,6 +353,9 @@ type SMBMultichannel struct {
 
 type StorageError struct {
 	AuthenticationErrorDetail *string
+	CopySourceErrorCode       *string
+	CopySourceErrorMessage    *string
+	CopySourceStatusCode      *int64
 	Message                   *string
 }
 
@@ -344,3 +378,27 @@ type StringEncoded struct {
 	Content *string `xml:",chardata"`
 	Encoded *bool   `xml:"Encoded,attr"`
 }
+
+// UserDelegationKey - A user delegation key
+type UserDelegationKey struct {
+	// REQUIRED; The date-time the key expires
+	SignedExpiry *time.Time `xml:"SignedExpiry"`
+
+	// REQUIRED; The Azure Active Directory object ID in GUID format.
+	SignedOID *string `xml:"SignedOid"`
+
+	// REQUIRED; Abbreviation of the Azure Storage service that accepts the key
+	SignedService *string `xml:"SignedService"`
+
+	// REQUIRED; The date-time the key is active
+	SignedStart *time.Time `xml:"SignedStart"`
+
+	// REQUIRED; The Azure Active Directory tenant ID in GUID format
+	SignedTID *string `xml:"SignedTid"`
+
+	// REQUIRED; The service version that created the key
+	SignedVersion *string `xml:"SignedVersion"`
+
+	// REQUIRED; The key as a base64 string
+	Value *string `xml:"Value"`
+}
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/generated/zz_models_serde.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/generated/zz_models_serde.go
index 1cda239fc7..763f9d0894 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/generated/zz_models_serde.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/generated/zz_models_serde.go
@@ -1,6 +1,3 @@
-//go:build go1.18
-// +build go1.18
-
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License. See License.txt in the project root for license information.
 // Code generated by Microsoft (R) AutoRest Code Generator. DO NOT EDIT.
@@ -263,6 +260,9 @@ func (s *ShareProperties) UnmarshalXML(dec *xml.Decoder, start xml.StartElement)
 func (s StorageError) MarshalJSON() ([]byte, error) {
 	objectMap := make(map[string]any)
 	populate(objectMap, "AuthenticationErrorDetail", s.AuthenticationErrorDetail)
+	populate(objectMap, "CopySourceErrorCode", s.CopySourceErrorCode)
+	populate(objectMap, "CopySourceErrorMessage", s.CopySourceErrorMessage)
+	populate(objectMap, "CopySourceStatusCode", s.CopySourceStatusCode)
 	populate(objectMap, "Message", s.Message)
 	return json.Marshal(objectMap)
 }
@@ -279,6 +279,15 @@ func (s *StorageError) UnmarshalJSON(data []byte) error {
 		case "AuthenticationErrorDetail":
 			err = unpopulate(val, "AuthenticationErrorDetail", &s.AuthenticationErrorDetail)
 			delete(rawMsg, key)
+		case "CopySourceErrorCode":
+			err = unpopulate(val, "CopySourceErrorCode", &s.CopySourceErrorCode)
+			delete(rawMsg, key)
+		case "CopySourceErrorMessage":
+			err = unpopulate(val, "CopySourceErrorMessage", &s.CopySourceErrorMessage)
+			delete(rawMsg, key)
+		case "CopySourceStatusCode":
+			err = unpopulate(val, "CopySourceStatusCode", &s.CopySourceStatusCode)
+			delete(rawMsg, key)
 		case "Message":
 			err = unpopulate(val, "Message", &s.Message)
 			delete(rawMsg, key)
@@ -305,6 +314,39 @@ func (s StorageServiceProperties) MarshalXML(enc *xml.Encoder, start xml.StartEl
 	return enc.EncodeElement(aux, start)
 }
 
+// MarshalXML implements the xml.Marshaller interface for type UserDelegationKey.
+func (u UserDelegationKey) MarshalXML(enc *xml.Encoder, start xml.StartElement) error {
+	type alias UserDelegationKey
+	aux := &struct {
+		*alias
+		SignedExpiry *dateTimeRFC3339 `xml:"SignedExpiry"`
+		SignedStart  *dateTimeRFC3339 `xml:"SignedStart"`
+	}{
+		alias:        (*alias)(&u),
+		SignedExpiry: (*dateTimeRFC3339)(u.SignedExpiry),
+		SignedStart:  (*dateTimeRFC3339)(u.SignedStart),
+	}
+	return enc.EncodeElement(aux, start)
+}
+
+// UnmarshalXML implements the xml.Unmarshaller interface for type UserDelegationKey.
+func (u *UserDelegationKey) UnmarshalXML(dec *xml.Decoder, start xml.StartElement) error {
+	type alias UserDelegationKey
+	aux := &struct {
+		*alias
+		SignedExpiry *dateTimeRFC3339 `xml:"SignedExpiry"`
+		SignedStart  *dateTimeRFC3339 `xml:"SignedStart"`
+	}{
+		alias: (*alias)(u),
+	}
+	if err := dec.DecodeElement(aux, &start); err != nil {
+		return err
+	}
+	u.SignedExpiry = (*time.Time)(aux.SignedExpiry)
+	u.SignedStart = (*time.Time)(aux.SignedStart)
+	return nil
+}
+
 func populate(m map[string]any, k string, v any) {
 	if v == nil {
 		return
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/generated/zz_options.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/generated/zz_options.go
index e8da79d094..e8502a1eb9 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/generated/zz_options.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/generated/zz_options.go
@@ -1,6 +1,3 @@
-//go:build go1.18
-// +build go1.18
-
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License. See License.txt in the project root for license information.
 // Code generated by Microsoft (R) AutoRest Code Generator. DO NOT EDIT.
@@ -8,6 +5,8 @@
 
 package generated
 
+import "io"
+
 // CopyFileSMBInfo contains a group of parameters for the DirectoryClient.Rename method.
 type CopyFileSMBInfo struct {
 	// Specifies either the option to copy file attributes from a source file(source) to a target file or a list of attributes
@@ -83,6 +82,11 @@ type DirectoryClientCreateOptions struct {
 	// should be specified.
 	FilePermissionKey *string
 
+	// SMB only, default value is New. New will forcefully add the ARCHIVE attribute flag and alter the permissions specified
+	// in x-ms-file-permission to inherit missing permissions from the parent. Restore
+	// will apply changes without further modification.
+	FilePropertySemantics *FilePropertySemantics
+
 	// Optional, NFS only. The owning group of the file or directory.
 	Group *string
 
@@ -344,6 +348,16 @@ type FileClientCreateHardLinkOptions struct {
 
 // FileClientCreateOptions contains the optional parameters for the FileClient.Create method.
 type FileClientCreateOptions struct {
+	// Specifies the number of bytes being transmitted in the request body. When the x-ms-write header is set to clear, the value
+	// of this header must be set to zero.
+	ContentLength *int64
+
+	// An MD5 hash of the content. This hash is used to verify the integrity of the data during transport. When the Content-MD5
+	// header is specified, the File service compares the hash of the content that has
+	// arrived with the header value that was sent. If the two hashes do not match, the operation will fail with error code 400
+	// (Bad Request).
+	ContentMD5 []byte
+
 	// If specified, the provided file attributes shall be set. Default value: ‘Archive’ for file and ‘Directory’ for directory.
 	// ‘None’ can also be specified as default.
 	FileAttributes *string
@@ -377,6 +391,11 @@ type FileClientCreateOptions struct {
 	// should be specified.
 	FilePermissionKey *string
 
+	// SMB only, default value is New. New will forcefully add the ARCHIVE attribute flag and alter the permissions specified
+	// in x-ms-file-permission to inherit missing permissions from the parent. Restore
+	// will apply changes without further modification.
+	FilePropertySemantics *FilePropertySemantics
+
 	// Optional, NFS only. The owning group of the file or directory.
 	Group *string
 
@@ -386,6 +405,9 @@ type FileClientCreateOptions struct {
 	// Optional, NFS only. Type of the file or directory.
 	NFSFileType *NFSFileType
 
+	// Initial data.
+	Optionalbody io.ReadSeekCloser
+
 	// Optional, NFS only. The owner of the file or directory.
 	Owner *string
 
@@ -715,6 +737,9 @@ type FileClientUploadRangeOptions struct {
 	// If the file last write time should be preserved or overwritten
 	FileLastWrittenMode *FileLastWrittenMode
 
+	// Initial data.
+	Optionalbody io.ReadSeekCloser
+
 	// Required if the request body is a structured message. Specifies the message schema version and properties.
 	StructuredBodyType *string
 
@@ -740,6 +765,17 @@ type ServiceClientGetPropertiesOptions struct {
 	Timeout *int32
 }
 
+// ServiceClientGetUserDelegationKeyOptions contains the optional parameters for the ServiceClient.GetUserDelegationKey method.
+type ServiceClientGetUserDelegationKeyOptions struct {
+	// Provides a client-generated, opaque value with a 1 KB character limit that is recorded in the analytics logs when storage
+	// analytics logging is enabled.
+	RequestID *string
+
+	// The timeout parameter is expressed in seconds. For more information, see Setting Timeouts for File Service Operations.
+	// [https://learn.microsoft.com/rest/api/storageservices/Setting-Timeouts-for-File-Service-Operations]
+	Timeout *int32
+}
+
 // ServiceClientListSharesSegmentOptions contains the optional parameters for the ServiceClient.NewListSharesSegmentPager
 // method.
 type ServiceClientListSharesSegmentOptions struct {
@@ -834,7 +870,12 @@ type ShareClientChangeLeaseOptions struct {
 // ShareClientCreateOptions contains the optional parameters for the ShareClient.Create method.
 type ShareClientCreateOptions struct {
 	// Specifies the access tier of the share.
-	AccessTier                           *ShareAccessTier
+	AccessTier *ShareAccessTier
+
+	// SMB only, default is true. Specifies whether granting of new directory leases for directories present in a share are to
+	// be enabled or disabled. An input of true specifies that granting of new
+	// directory leases is to be allowed. An input of false specifies that granting of new directory leases is to be blocked.
+	EnableSMBDirectoryLease              *bool
 	EnableSnapshotVirtualDirectoryAccess *bool
 
 	// Protocols to enable on the share.
@@ -990,6 +1031,9 @@ type ShareClientRestoreOptions struct {
 
 // ShareClientSetAccessPolicyOptions contains the optional parameters for the ShareClient.SetAccessPolicy method.
 type ShareClientSetAccessPolicyOptions struct {
+	// The ACL for the share.
+	ShareACL []*SignedIdentifier
+
 	// The timeout parameter is expressed in seconds. For more information, see Setting Timeouts for File Service Operations.
 	// [https://learn.microsoft.com/rest/api/storageservices/Setting-Timeouts-for-File-Service-Operations]
 	Timeout *int32
@@ -1008,7 +1052,12 @@ type ShareClientSetMetadataOptions struct {
 // ShareClientSetPropertiesOptions contains the optional parameters for the ShareClient.SetProperties method.
 type ShareClientSetPropertiesOptions struct {
 	// Specifies the access tier of the share.
-	AccessTier                           *ShareAccessTier
+	AccessTier *ShareAccessTier
+
+	// SMB only, default is true. Specifies whether granting of new directory leases for directories present in a share are to
+	// be enabled or disabled. An input of true specifies that granting of new
+	// directory leases is to be allowed. An input of false specifies that granting of new directory leases is to be blocked.
+	EnableSMBDirectoryLease              *bool
 	EnableSnapshotVirtualDirectoryAccess *bool
 
 	// Optional. Boolean. Default if not specified is false. This property enables paid bursting.
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/generated/zz_response_types.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/generated/zz_response_types.go
index 10065ed10d..ca1647ab93 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/generated/zz_response_types.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/generated/zz_response_types.go
@@ -1,6 +1,3 @@
-//go:build go1.18
-// +build go1.18
-
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License. See License.txt in the project root for license information.
 // Code generated by Microsoft (R) AutoRest Code Generator. DO NOT EDIT.
@@ -442,6 +439,12 @@ type FileClientCreateHardLinkResponse struct {
 
 // FileClientCreateResponse contains the response from method FileClient.Create.
 type FileClientCreateResponse struct {
+	// ContentLength contains the information returned from the Content-Length header response.
+	ContentLength *int64
+
+	// ContentMD5 contains the information returned from the Content-MD5 header response.
+	ContentMD5 []byte
+
 	// Date contains the information returned from the Date header response.
 	Date *time.Time
 
@@ -1112,6 +1115,24 @@ type ServiceClientGetPropertiesResponse struct {
 	Version *string
 }
 
+// ServiceClientGetUserDelegationKeyResponse contains the response from method ServiceClient.GetUserDelegationKey.
+type ServiceClientGetUserDelegationKeyResponse struct {
+	// A user delegation key
+	UserDelegationKey
+
+	// ClientRequestID contains the information returned from the x-ms-client-request-id header response.
+	ClientRequestID *string
+
+	// Date contains the information returned from the Date header response.
+	Date *time.Time
+
+	// RequestID contains the information returned from the x-ms-request-id header response.
+	RequestID *string
+
+	// Version contains the information returned from the x-ms-version header response.
+	Version *string
+}
+
 // ServiceClientListSharesSegmentResponse contains the response from method ServiceClient.NewListSharesSegmentPager.
 type ServiceClientListSharesSegmentResponse struct {
 	// An enumeration of shares.
@@ -1349,6 +1370,9 @@ type ShareClientGetPropertiesResponse struct {
 	// ETag contains the information returned from the ETag header response.
 	ETag *azcore.ETag
 
+	// EnableSMBDirectoryLease contains the information returned from the x-ms-enable-smb-directory-lease header response.
+	EnableSMBDirectoryLease *bool
+
 	// EnableSnapshotVirtualDirectoryAccess contains the information returned from the x-ms-enable-snapshot-virtual-directory-access
 	// header response.
 	EnableSnapshotVirtualDirectoryAccess *bool
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/generated/zz_service_client.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/generated/zz_service_client.go
index 56c1e7c1d6..ce55f0d63c 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/generated/zz_service_client.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/generated/zz_service_client.go
@@ -1,6 +1,3 @@
-//go:build go1.18
-// +build go1.18
-
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License. See License.txt in the project root for license information.
 // Code generated by Microsoft (R) AutoRest Code Generator. DO NOT EDIT.
@@ -17,6 +14,7 @@ import (
 	"net/http"
 	"strconv"
 	"strings"
+	"time"
 )
 
 // ServiceClient contains the methods for the Service group.
@@ -31,7 +29,7 @@ type ServiceClient struct {
 // and CORS (Cross-Origin Resource Sharing) rules.
 // If the operation fails it returns an *azcore.ResponseError type.
 //
-// Generated from API version 2025-11-05
+// Generated from API version 2026-02-06
 //   - options - ServiceClientGetPropertiesOptions contains the optional parameters for the ServiceClient.GetProperties method.
 func (client *ServiceClient) GetProperties(ctx context.Context, options *ServiceClientGetPropertiesOptions) (ServiceClientGetPropertiesResponse, error) {
 	var err error
@@ -64,7 +62,7 @@ func (client *ServiceClient) getPropertiesCreateRequest(ctx context.Context, opt
 		reqQP.Set("timeout", strconv.FormatInt(int64(*options.Timeout), 10))
 	}
 	req.Raw().URL.RawQuery = reqQP.Encode()
-	req.Raw().Header["x-ms-version"] = []string{"2025-11-05"}
+	req.Raw().Header["x-ms-version"] = []string{"2026-02-06"}
 	if client.fileRequestIntent != nil {
 		req.Raw().Header["x-ms-file-request-intent"] = []string{string(*client.fileRequestIntent)}
 	}
@@ -87,10 +85,85 @@ func (client *ServiceClient) getPropertiesHandleResponse(resp *http.Response) (S
 	return result, nil
 }
 
+// GetUserDelegationKey - Retrieves a user delegation key for the File service. This is only a valid operation when using
+// bearer token authentication.
+// If the operation fails it returns an *azcore.ResponseError type.
+//
+// Generated from API version 2026-02-06
+//   - keyInfo - Key information
+//   - options - ServiceClientGetUserDelegationKeyOptions contains the optional parameters for the ServiceClient.GetUserDelegationKey
+//     method.
+func (client *ServiceClient) GetUserDelegationKey(ctx context.Context, keyInfo KeyInfo, options *ServiceClientGetUserDelegationKeyOptions) (ServiceClientGetUserDelegationKeyResponse, error) {
+	var err error
+	req, err := client.getUserDelegationKeyCreateRequest(ctx, keyInfo, options)
+	if err != nil {
+		return ServiceClientGetUserDelegationKeyResponse{}, err
+	}
+	httpResp, err := client.internal.Pipeline().Do(req)
+	if err != nil {
+		return ServiceClientGetUserDelegationKeyResponse{}, err
+	}
+	if !runtime.HasStatusCode(httpResp, http.StatusOK) {
+		err = runtime.NewResponseError(httpResp)
+		return ServiceClientGetUserDelegationKeyResponse{}, err
+	}
+	resp, err := client.getUserDelegationKeyHandleResponse(httpResp)
+	return resp, err
+}
+
+// getUserDelegationKeyCreateRequest creates the GetUserDelegationKey request.
+func (client *ServiceClient) getUserDelegationKeyCreateRequest(ctx context.Context, keyInfo KeyInfo, options *ServiceClientGetUserDelegationKeyOptions) (*policy.Request, error) {
+	req, err := runtime.NewRequest(ctx, http.MethodPost, client.endpoint)
+	if err != nil {
+		return nil, err
+	}
+	reqQP := req.Raw().URL.Query()
+	reqQP.Set("restype", "service")
+	reqQP.Set("comp", "userdelegationkey")
+	if options != nil && options.Timeout != nil {
+		reqQP.Set("timeout", strconv.FormatInt(int64(*options.Timeout), 10))
+	}
+	req.Raw().URL.RawQuery = reqQP.Encode()
+	req.Raw().Header["x-ms-version"] = []string{"2026-02-06"}
+	if options != nil && options.RequestID != nil {
+		req.Raw().Header["x-ms-client-request-id"] = []string{*options.RequestID}
+	}
+	req.Raw().Header["Accept"] = []string{"application/xml"}
+	if err := runtime.MarshalAsXML(req, keyInfo); err != nil {
+		return nil, err
+	}
+	return req, nil
+}
+
+// getUserDelegationKeyHandleResponse handles the GetUserDelegationKey response.
+func (client *ServiceClient) getUserDelegationKeyHandleResponse(resp *http.Response) (ServiceClientGetUserDelegationKeyResponse, error) {
+	result := ServiceClientGetUserDelegationKeyResponse{}
+	if val := resp.Header.Get("x-ms-client-request-id"); val != "" {
+		result.ClientRequestID = &val
+	}
+	if val := resp.Header.Get("Date"); val != "" {
+		date, err := time.Parse(time.RFC1123, val)
+		if err != nil {
+			return ServiceClientGetUserDelegationKeyResponse{}, err
+		}
+		result.Date = &date
+	}
+	if val := resp.Header.Get("x-ms-request-id"); val != "" {
+		result.RequestID = &val
+	}
+	if val := resp.Header.Get("x-ms-version"); val != "" {
+		result.Version = &val
+	}
+	if err := runtime.UnmarshalAsXML(resp, &result.UserDelegationKey); err != nil {
+		return ServiceClientGetUserDelegationKeyResponse{}, err
+	}
+	return result, nil
+}
+
 // NewListSharesSegmentPager - The List Shares Segment operation returns a list of the shares and share snapshots under the
 // specified account.
 //
-// Generated from API version 2025-11-05
+// Generated from API version 2026-02-06
 //   - options - ServiceClientListSharesSegmentOptions contains the optional parameters for the ServiceClient.NewListSharesSegmentPager
 //     method.
 //
@@ -118,7 +191,7 @@ func (client *ServiceClient) ListSharesSegmentCreateRequest(ctx context.Context,
 		reqQP.Set("timeout", strconv.FormatInt(int64(*options.Timeout), 10))
 	}
 	req.Raw().URL.RawQuery = reqQP.Encode()
-	req.Raw().Header["x-ms-version"] = []string{"2025-11-05"}
+	req.Raw().Header["x-ms-version"] = []string{"2026-02-06"}
 	if client.fileRequestIntent != nil {
 		req.Raw().Header["x-ms-file-request-intent"] = []string{string(*client.fileRequestIntent)}
 	}
@@ -145,7 +218,7 @@ func (client *ServiceClient) ListSharesSegmentHandleResponse(resp *http.Response
 // metrics and CORS (Cross-Origin Resource Sharing) rules.
 // If the operation fails it returns an *azcore.ResponseError type.
 //
-// Generated from API version 2025-11-05
+// Generated from API version 2026-02-06
 //   - storageServiceProperties - The StorageService properties.
 //   - options - ServiceClientSetPropertiesOptions contains the optional parameters for the ServiceClient.SetProperties method.
 func (client *ServiceClient) SetProperties(ctx context.Context, storageServiceProperties StorageServiceProperties, options *ServiceClientSetPropertiesOptions) (ServiceClientSetPropertiesResponse, error) {
@@ -179,7 +252,7 @@ func (client *ServiceClient) setPropertiesCreateRequest(ctx context.Context, sto
 		reqQP.Set("timeout", strconv.FormatInt(int64(*options.Timeout), 10))
 	}
 	req.Raw().URL.RawQuery = reqQP.Encode()
-	req.Raw().Header["x-ms-version"] = []string{"2025-11-05"}
+	req.Raw().Header["x-ms-version"] = []string{"2026-02-06"}
 	if client.fileRequestIntent != nil {
 		req.Raw().Header["x-ms-file-request-intent"] = []string{string(*client.fileRequestIntent)}
 	}
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/generated/zz_share_client.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/generated/zz_share_client.go
index 590e22d184..695f612f72 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/generated/zz_share_client.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/generated/zz_share_client.go
@@ -1,6 +1,3 @@
-//go:build go1.18
-// +build go1.18
-
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License. See License.txt in the project root for license information.
 // Code generated by Microsoft (R) AutoRest Code Generator. DO NOT EDIT.
@@ -33,7 +30,7 @@ type ShareClient struct {
 // delete share operations.
 // If the operation fails it returns an *azcore.ResponseError type.
 //
-// Generated from API version 2025-11-05
+// Generated from API version 2026-02-06
 //   - duration - Specifies the duration of the lease, in seconds, or negative one (-1) for a lease that never expires. A non-infinite
 //     lease can be between 15 and 60 seconds. A lease duration cannot be changed using
 //     renew or change.
@@ -77,7 +74,7 @@ func (client *ShareClient) acquireLeaseCreateRequest(ctx context.Context, durati
 	if options != nil && options.ProposedLeaseID != nil {
 		req.Raw().Header["x-ms-proposed-lease-id"] = []string{*options.ProposedLeaseID}
 	}
-	req.Raw().Header["x-ms-version"] = []string{"2025-11-05"}
+	req.Raw().Header["x-ms-version"] = []string{"2026-02-06"}
 	if options != nil && options.RequestID != nil {
 		req.Raw().Header["x-ms-client-request-id"] = []string{*options.RequestID}
 	}
@@ -127,7 +124,7 @@ func (client *ShareClient) acquireLeaseHandleResponse(resp *http.Response) (Shar
 // delete share operations.
 // If the operation fails it returns an *azcore.ResponseError type.
 //
-// Generated from API version 2025-11-05
+// Generated from API version 2026-02-06
 //   - options - ShareClientBreakLeaseOptions contains the optional parameters for the ShareClient.BreakLease method.
 //   - LeaseAccessConditions - LeaseAccessConditions contains a group of parameters for the ShareClient.GetProperties method.
 func (client *ShareClient) BreakLease(ctx context.Context, options *ShareClientBreakLeaseOptions, leaseAccessConditions *LeaseAccessConditions) (ShareClientBreakLeaseResponse, error) {
@@ -171,7 +168,7 @@ func (client *ShareClient) breakLeaseCreateRequest(ctx context.Context, options
 	if leaseAccessConditions != nil && leaseAccessConditions.LeaseID != nil {
 		req.Raw().Header["x-ms-lease-id"] = []string{*leaseAccessConditions.LeaseID}
 	}
-	req.Raw().Header["x-ms-version"] = []string{"2025-11-05"}
+	req.Raw().Header["x-ms-version"] = []string{"2026-02-06"}
 	if options != nil && options.RequestID != nil {
 		req.Raw().Header["x-ms-client-request-id"] = []string{*options.RequestID}
 	}
@@ -229,7 +226,7 @@ func (client *ShareClient) breakLeaseHandleResponse(resp *http.Response) (ShareC
 // delete share operations.
 // If the operation fails it returns an *azcore.ResponseError type.
 //
-// Generated from API version 2025-11-05
+// Generated from API version 2026-02-06
 //   - leaseID - Specifies the current lease ID on the resource.
 //   - options - ShareClientChangeLeaseOptions contains the optional parameters for the ShareClient.ChangeLease method.
 func (client *ShareClient) ChangeLease(ctx context.Context, leaseID string, options *ShareClientChangeLeaseOptions) (ShareClientChangeLeaseResponse, error) {
@@ -271,7 +268,7 @@ func (client *ShareClient) changeLeaseCreateRequest(ctx context.Context, leaseID
 	if options != nil && options.ProposedLeaseID != nil {
 		req.Raw().Header["x-ms-proposed-lease-id"] = []string{*options.ProposedLeaseID}
 	}
-	req.Raw().Header["x-ms-version"] = []string{"2025-11-05"}
+	req.Raw().Header["x-ms-version"] = []string{"2026-02-06"}
 	if options != nil && options.RequestID != nil {
 		req.Raw().Header["x-ms-client-request-id"] = []string{*options.RequestID}
 	}
@@ -321,7 +318,7 @@ func (client *ShareClient) changeLeaseHandleResponse(resp *http.Response) (Share
 // fails.
 // If the operation fails it returns an *azcore.ResponseError type.
 //
-// Generated from API version 2025-11-05
+// Generated from API version 2026-02-06
 //   - options - ShareClientCreateOptions contains the optional parameters for the ShareClient.Create method.
 func (client *ShareClient) Create(ctx context.Context, options *ShareClientCreateOptions) (ShareClientCreateResponse, error) {
 	var err error
@@ -366,7 +363,7 @@ func (client *ShareClient) createCreateRequest(ctx context.Context, options *Sha
 	if options != nil && options.AccessTier != nil {
 		req.Raw().Header["x-ms-access-tier"] = []string{string(*options.AccessTier)}
 	}
-	req.Raw().Header["x-ms-version"] = []string{"2025-11-05"}
+	req.Raw().Header["x-ms-version"] = []string{"2026-02-06"}
 	if options != nil && options.EnabledProtocols != nil {
 		req.Raw().Header["x-ms-enabled-protocols"] = []string{*options.EnabledProtocols}
 	}
@@ -394,6 +391,9 @@ func (client *ShareClient) createCreateRequest(ctx context.Context, options *Sha
 	if options != nil && options.ShareProvisionedBandwidthMibps != nil {
 		req.Raw().Header["x-ms-share-provisioned-bandwidth-mibps"] = []string{strconv.FormatInt(*options.ShareProvisionedBandwidthMibps, 10)}
 	}
+	if options != nil && options.EnableSMBDirectoryLease != nil {
+		req.Raw().Header["x-ms-enable-smb-directory-lease"] = []string{strconv.FormatBool(*options.EnableSMBDirectoryLease)}
+	}
 	req.Raw().Header["Accept"] = []string{"application/xml"}
 	return req, nil
 }
@@ -465,7 +465,7 @@ func (client *ShareClient) createHandleResponse(resp *http.Response) (ShareClien
 // CreatePermission - Create a permission (a security descriptor).
 // If the operation fails it returns an *azcore.ResponseError type.
 //
-// Generated from API version 2025-11-05
+// Generated from API version 2026-02-06
 //   - sharePermission - A permission (a security descriptor) at the share level.
 //   - options - ShareClientCreatePermissionOptions contains the optional parameters for the ShareClient.CreatePermission method.
 func (client *ShareClient) CreatePermission(ctx context.Context, sharePermission SharePermission, options *ShareClientCreatePermissionOptions) (ShareClientCreatePermissionResponse, error) {
@@ -499,7 +499,7 @@ func (client *ShareClient) createPermissionCreateRequest(ctx context.Context, sh
 		reqQP.Set("timeout", strconv.FormatInt(int64(*options.Timeout), 10))
 	}
 	req.Raw().URL.RawQuery = reqQP.Encode()
-	req.Raw().Header["x-ms-version"] = []string{"2025-11-05"}
+	req.Raw().Header["x-ms-version"] = []string{"2026-02-06"}
 	if client.fileRequestIntent != nil {
 		req.Raw().Header["x-ms-file-request-intent"] = []string{string(*client.fileRequestIntent)}
 	}
@@ -535,7 +535,7 @@ func (client *ShareClient) createPermissionHandleResponse(resp *http.Response) (
 // CreateSnapshot - Creates a read-only snapshot of a share.
 // If the operation fails it returns an *azcore.ResponseError type.
 //
-// Generated from API version 2025-11-05
+// Generated from API version 2026-02-06
 //   - options - ShareClientCreateSnapshotOptions contains the optional parameters for the ShareClient.CreateSnapshot method.
 func (client *ShareClient) CreateSnapshot(ctx context.Context, options *ShareClientCreateSnapshotOptions) (ShareClientCreateSnapshotResponse, error) {
 	var err error
@@ -575,7 +575,7 @@ func (client *ShareClient) createSnapshotCreateRequest(ctx context.Context, opti
 			}
 		}
 	}
-	req.Raw().Header["x-ms-version"] = []string{"2025-11-05"}
+	req.Raw().Header["x-ms-version"] = []string{"2026-02-06"}
 	if client.fileRequestIntent != nil {
 		req.Raw().Header["x-ms-file-request-intent"] = []string{string(*client.fileRequestIntent)}
 	}
@@ -619,7 +619,7 @@ func (client *ShareClient) createSnapshotHandleResponse(resp *http.Response) (Sh
 // contained within it are later deleted during garbage collection.
 // If the operation fails it returns an *azcore.ResponseError type.
 //
-// Generated from API version 2025-11-05
+// Generated from API version 2026-02-06
 //   - options - ShareClientDeleteOptions contains the optional parameters for the ShareClient.Delete method.
 //   - LeaseAccessConditions - LeaseAccessConditions contains a group of parameters for the ShareClient.GetProperties method.
 func (client *ShareClient) Delete(ctx context.Context, options *ShareClientDeleteOptions, leaseAccessConditions *LeaseAccessConditions) (ShareClientDeleteResponse, error) {
@@ -655,7 +655,7 @@ func (client *ShareClient) deleteCreateRequest(ctx context.Context, options *Sha
 		reqQP.Set("timeout", strconv.FormatInt(int64(*options.Timeout), 10))
 	}
 	req.Raw().URL.RawQuery = reqQP.Encode()
-	req.Raw().Header["x-ms-version"] = []string{"2025-11-05"}
+	req.Raw().Header["x-ms-version"] = []string{"2026-02-06"}
 	if options != nil && options.DeleteSnapshots != nil {
 		req.Raw().Header["x-ms-delete-snapshots"] = []string{string(*options.DeleteSnapshots)}
 	}
@@ -705,7 +705,7 @@ func (client *ShareClient) deleteHandleResponse(resp *http.Response) (ShareClien
 // GetAccessPolicy - Returns information about stored access policies specified on the share.
 // If the operation fails it returns an *azcore.ResponseError type.
 //
-// Generated from API version 2025-11-05
+// Generated from API version 2026-02-06
 //   - options - ShareClientGetAccessPolicyOptions contains the optional parameters for the ShareClient.GetAccessPolicy method.
 //   - LeaseAccessConditions - LeaseAccessConditions contains a group of parameters for the ShareClient.GetProperties method.
 func (client *ShareClient) GetAccessPolicy(ctx context.Context, options *ShareClientGetAccessPolicyOptions, leaseAccessConditions *LeaseAccessConditions) (ShareClientGetAccessPolicyResponse, error) {
@@ -739,7 +739,7 @@ func (client *ShareClient) getAccessPolicyCreateRequest(ctx context.Context, opt
 		reqQP.Set("timeout", strconv.FormatInt(int64(*options.Timeout), 10))
 	}
 	req.Raw().URL.RawQuery = reqQP.Encode()
-	req.Raw().Header["x-ms-version"] = []string{"2025-11-05"}
+	req.Raw().Header["x-ms-version"] = []string{"2026-02-06"}
 	if leaseAccessConditions != nil && leaseAccessConditions.LeaseID != nil {
 		req.Raw().Header["x-ms-lease-id"] = []string{*leaseAccessConditions.LeaseID}
 	}
@@ -785,7 +785,7 @@ func (client *ShareClient) getAccessPolicyHandleResponse(resp *http.Response) (S
 // GetPermission - Returns the permission (security descriptor) for a given key
 // If the operation fails it returns an *azcore.ResponseError type.
 //
-// Generated from API version 2025-11-05
+// Generated from API version 2026-02-06
 //   - filePermissionKey - Key of the permission to be set for the directory/file.
 //   - options - ShareClientGetPermissionOptions contains the optional parameters for the ShareClient.GetPermission method.
 func (client *ShareClient) GetPermission(ctx context.Context, filePermissionKey string, options *ShareClientGetPermissionOptions) (ShareClientGetPermissionResponse, error) {
@@ -823,7 +823,7 @@ func (client *ShareClient) getPermissionCreateRequest(ctx context.Context, fileP
 	if options != nil && options.FilePermissionFormat != nil {
 		req.Raw().Header["x-ms-file-permission-format"] = []string{string(*options.FilePermissionFormat)}
 	}
-	req.Raw().Header["x-ms-version"] = []string{"2025-11-05"}
+	req.Raw().Header["x-ms-version"] = []string{"2026-02-06"}
 	if client.fileRequestIntent != nil {
 		req.Raw().Header["x-ms-file-request-intent"] = []string{string(*client.fileRequestIntent)}
 	}
@@ -857,7 +857,7 @@ func (client *ShareClient) getPermissionHandleResponse(resp *http.Response) (Sha
 // data returned does not include the share's list of files.
 // If the operation fails it returns an *azcore.ResponseError type.
 //
-// Generated from API version 2025-11-05
+// Generated from API version 2026-02-06
 //   - options - ShareClientGetPropertiesOptions contains the optional parameters for the ShareClient.GetProperties method.
 //   - LeaseAccessConditions - LeaseAccessConditions contains a group of parameters for the ShareClient.GetProperties method.
 func (client *ShareClient) GetProperties(ctx context.Context, options *ShareClientGetPropertiesOptions, leaseAccessConditions *LeaseAccessConditions) (ShareClientGetPropertiesResponse, error) {
@@ -893,7 +893,7 @@ func (client *ShareClient) getPropertiesCreateRequest(ctx context.Context, optio
 		reqQP.Set("timeout", strconv.FormatInt(int64(*options.Timeout), 10))
 	}
 	req.Raw().URL.RawQuery = reqQP.Encode()
-	req.Raw().Header["x-ms-version"] = []string{"2025-11-05"}
+	req.Raw().Header["x-ms-version"] = []string{"2026-02-06"}
 	if leaseAccessConditions != nil && leaseAccessConditions.LeaseID != nil {
 		req.Raw().Header["x-ms-lease-id"] = []string{*leaseAccessConditions.LeaseID}
 	}
@@ -930,6 +930,13 @@ func (client *ShareClient) getPropertiesHandleResponse(resp *http.Response) (Sha
 	if val := resp.Header.Get("ETag"); val != "" {
 		result.ETag = (*azcore.ETag)(&val)
 	}
+	if val := resp.Header.Get("x-ms-enable-smb-directory-lease"); val != "" {
+		enableSmbDirectoryLease, err := strconv.ParseBool(val)
+		if err != nil {
+			return ShareClientGetPropertiesResponse{}, err
+		}
+		result.EnableSMBDirectoryLease = &enableSmbDirectoryLease
+	}
 	if val := resp.Header.Get("x-ms-enable-snapshot-virtual-directory-access"); val != "" {
 		enableSnapshotVirtualDirectoryAccess, err := strconv.ParseBool(val)
 		if err != nil {
@@ -1075,7 +1082,7 @@ func (client *ShareClient) getPropertiesHandleResponse(resp *http.Response) (Sha
 // GetStatistics - Retrieves statistics related to the share.
 // If the operation fails it returns an *azcore.ResponseError type.
 //
-// Generated from API version 2025-11-05
+// Generated from API version 2026-02-06
 //   - options - ShareClientGetStatisticsOptions contains the optional parameters for the ShareClient.GetStatistics method.
 //   - LeaseAccessConditions - LeaseAccessConditions contains a group of parameters for the ShareClient.GetProperties method.
 func (client *ShareClient) GetStatistics(ctx context.Context, options *ShareClientGetStatisticsOptions, leaseAccessConditions *LeaseAccessConditions) (ShareClientGetStatisticsResponse, error) {
@@ -1109,7 +1116,7 @@ func (client *ShareClient) getStatisticsCreateRequest(ctx context.Context, optio
 		reqQP.Set("timeout", strconv.FormatInt(int64(*options.Timeout), 10))
 	}
 	req.Raw().URL.RawQuery = reqQP.Encode()
-	req.Raw().Header["x-ms-version"] = []string{"2025-11-05"}
+	req.Raw().Header["x-ms-version"] = []string{"2026-02-06"}
 	if leaseAccessConditions != nil && leaseAccessConditions.LeaseID != nil {
 		req.Raw().Header["x-ms-lease-id"] = []string{*leaseAccessConditions.LeaseID}
 	}
@@ -1156,7 +1163,7 @@ func (client *ShareClient) getStatisticsHandleResponse(resp *http.Response) (Sha
 // delete share operations.
 // If the operation fails it returns an *azcore.ResponseError type.
 //
-// Generated from API version 2025-11-05
+// Generated from API version 2026-02-06
 //   - leaseID - Specifies the current lease ID on the resource.
 //   - options - ShareClientReleaseLeaseOptions contains the optional parameters for the ShareClient.ReleaseLease method.
 func (client *ShareClient) ReleaseLease(ctx context.Context, leaseID string, options *ShareClientReleaseLeaseOptions) (ShareClientReleaseLeaseResponse, error) {
@@ -1195,7 +1202,7 @@ func (client *ShareClient) releaseLeaseCreateRequest(ctx context.Context, leaseI
 	req.Raw().URL.RawQuery = reqQP.Encode()
 	req.Raw().Header["x-ms-lease-action"] = []string{"release"}
 	req.Raw().Header["x-ms-lease-id"] = []string{leaseID}
-	req.Raw().Header["x-ms-version"] = []string{"2025-11-05"}
+	req.Raw().Header["x-ms-version"] = []string{"2026-02-06"}
 	if options != nil && options.RequestID != nil {
 		req.Raw().Header["x-ms-client-request-id"] = []string{*options.RequestID}
 	}
@@ -1242,7 +1249,7 @@ func (client *ShareClient) releaseLeaseHandleResponse(resp *http.Response) (Shar
 // delete share operations.
 // If the operation fails it returns an *azcore.ResponseError type.
 //
-// Generated from API version 2025-11-05
+// Generated from API version 2026-02-06
 //   - leaseID - Specifies the current lease ID on the resource.
 //   - options - ShareClientRenewLeaseOptions contains the optional parameters for the ShareClient.RenewLease method.
 func (client *ShareClient) RenewLease(ctx context.Context, leaseID string, options *ShareClientRenewLeaseOptions) (ShareClientRenewLeaseResponse, error) {
@@ -1281,7 +1288,7 @@ func (client *ShareClient) renewLeaseCreateRequest(ctx context.Context, leaseID
 	req.Raw().URL.RawQuery = reqQP.Encode()
 	req.Raw().Header["x-ms-lease-action"] = []string{"renew"}
 	req.Raw().Header["x-ms-lease-id"] = []string{leaseID}
-	req.Raw().Header["x-ms-version"] = []string{"2025-11-05"}
+	req.Raw().Header["x-ms-version"] = []string{"2026-02-06"}
 	if options != nil && options.RequestID != nil {
 		req.Raw().Header["x-ms-client-request-id"] = []string{*options.RequestID}
 	}
@@ -1330,7 +1337,7 @@ func (client *ShareClient) renewLeaseHandleResponse(resp *http.Response) (ShareC
 // Restore - Restores a previously deleted Share.
 // If the operation fails it returns an *azcore.ResponseError type.
 //
-// Generated from API version 2025-11-05
+// Generated from API version 2026-02-06
 //   - options - ShareClientRestoreOptions contains the optional parameters for the ShareClient.Restore method.
 func (client *ShareClient) Restore(ctx context.Context, options *ShareClientRestoreOptions) (ShareClientRestoreResponse, error) {
 	var err error
@@ -1363,7 +1370,7 @@ func (client *ShareClient) restoreCreateRequest(ctx context.Context, options *Sh
 		reqQP.Set("timeout", strconv.FormatInt(int64(*options.Timeout), 10))
 	}
 	req.Raw().URL.RawQuery = reqQP.Encode()
-	req.Raw().Header["x-ms-version"] = []string{"2025-11-05"}
+	req.Raw().Header["x-ms-version"] = []string{"2026-02-06"}
 	if options != nil && options.RequestID != nil {
 		req.Raw().Header["x-ms-client-request-id"] = []string{*options.RequestID}
 	}
@@ -1450,13 +1457,12 @@ func (client *ShareClient) restoreHandleResponse(resp *http.Response) (ShareClie
 // SetAccessPolicy - Sets a stored access policy for use with shared access signatures.
 // If the operation fails it returns an *azcore.ResponseError type.
 //
-// Generated from API version 2025-11-05
-//   - shareACL - The ACL for the share.
+// Generated from API version 2026-02-06
 //   - options - ShareClientSetAccessPolicyOptions contains the optional parameters for the ShareClient.SetAccessPolicy method.
 //   - LeaseAccessConditions - LeaseAccessConditions contains a group of parameters for the ShareClient.GetProperties method.
-func (client *ShareClient) SetAccessPolicy(ctx context.Context, shareACL []*SignedIdentifier, options *ShareClientSetAccessPolicyOptions, leaseAccessConditions *LeaseAccessConditions) (ShareClientSetAccessPolicyResponse, error) {
+func (client *ShareClient) SetAccessPolicy(ctx context.Context, options *ShareClientSetAccessPolicyOptions, leaseAccessConditions *LeaseAccessConditions) (ShareClientSetAccessPolicyResponse, error) {
 	var err error
-	req, err := client.setAccessPolicyCreateRequest(ctx, shareACL, options, leaseAccessConditions)
+	req, err := client.setAccessPolicyCreateRequest(ctx, options, leaseAccessConditions)
 	if err != nil {
 		return ShareClientSetAccessPolicyResponse{}, err
 	}
@@ -1473,7 +1479,7 @@ func (client *ShareClient) SetAccessPolicy(ctx context.Context, shareACL []*Sign
 }
 
 // setAccessPolicyCreateRequest creates the SetAccessPolicy request.
-func (client *ShareClient) setAccessPolicyCreateRequest(ctx context.Context, shareACL []*SignedIdentifier, options *ShareClientSetAccessPolicyOptions, leaseAccessConditions *LeaseAccessConditions) (*policy.Request, error) {
+func (client *ShareClient) setAccessPolicyCreateRequest(ctx context.Context, options *ShareClientSetAccessPolicyOptions, leaseAccessConditions *LeaseAccessConditions) (*policy.Request, error) {
 	req, err := runtime.NewRequest(ctx, http.MethodPut, client.endpoint)
 	if err != nil {
 		return nil, err
@@ -1485,7 +1491,7 @@ func (client *ShareClient) setAccessPolicyCreateRequest(ctx context.Context, sha
 		reqQP.Set("timeout", strconv.FormatInt(int64(*options.Timeout), 10))
 	}
 	req.Raw().URL.RawQuery = reqQP.Encode()
-	req.Raw().Header["x-ms-version"] = []string{"2025-11-05"}
+	req.Raw().Header["x-ms-version"] = []string{"2026-02-06"}
 	if leaseAccessConditions != nil && leaseAccessConditions.LeaseID != nil {
 		req.Raw().Header["x-ms-lease-id"] = []string{*leaseAccessConditions.LeaseID}
 	}
@@ -1497,8 +1503,11 @@ func (client *ShareClient) setAccessPolicyCreateRequest(ctx context.Context, sha
 		XMLName  xml.Name             `xml:"SignedIdentifiers"`
 		ShareACL *[]*SignedIdentifier `xml:"SignedIdentifier"`
 	}
-	if err := runtime.MarshalAsXML(req, wrapper{ShareACL: &shareACL}); err != nil {
-		return nil, err
+	if options != nil && options.ShareACL != nil {
+		if err := runtime.MarshalAsXML(req, wrapper{ShareACL: &options.ShareACL}); err != nil {
+			return nil, err
+		}
+		return req, nil
 	}
 	return req, nil
 }
@@ -1535,7 +1544,7 @@ func (client *ShareClient) setAccessPolicyHandleResponse(resp *http.Response) (S
 // SetMetadata - Sets one or more user-defined name-value pairs for the specified share.
 // If the operation fails it returns an *azcore.ResponseError type.
 //
-// Generated from API version 2025-11-05
+// Generated from API version 2026-02-06
 //   - options - ShareClientSetMetadataOptions contains the optional parameters for the ShareClient.SetMetadata method.
 //   - LeaseAccessConditions - LeaseAccessConditions contains a group of parameters for the ShareClient.GetProperties method.
 func (client *ShareClient) SetMetadata(ctx context.Context, options *ShareClientSetMetadataOptions, leaseAccessConditions *LeaseAccessConditions) (ShareClientSetMetadataResponse, error) {
@@ -1576,7 +1585,7 @@ func (client *ShareClient) setMetadataCreateRequest(ctx context.Context, options
 			}
 		}
 	}
-	req.Raw().Header["x-ms-version"] = []string{"2025-11-05"}
+	req.Raw().Header["x-ms-version"] = []string{"2026-02-06"}
 	if leaseAccessConditions != nil && leaseAccessConditions.LeaseID != nil {
 		req.Raw().Header["x-ms-lease-id"] = []string{*leaseAccessConditions.LeaseID}
 	}
@@ -1619,7 +1628,7 @@ func (client *ShareClient) setMetadataHandleResponse(resp *http.Response) (Share
 // SetProperties - Sets properties for the specified share.
 // If the operation fails it returns an *azcore.ResponseError type.
 //
-// Generated from API version 2025-11-05
+// Generated from API version 2026-02-06
 //   - options - ShareClientSetPropertiesOptions contains the optional parameters for the ShareClient.SetProperties method.
 //   - LeaseAccessConditions - LeaseAccessConditions contains a group of parameters for the ShareClient.GetProperties method.
 func (client *ShareClient) SetProperties(ctx context.Context, options *ShareClientSetPropertiesOptions, leaseAccessConditions *LeaseAccessConditions) (ShareClientSetPropertiesResponse, error) {
@@ -1653,7 +1662,7 @@ func (client *ShareClient) setPropertiesCreateRequest(ctx context.Context, optio
 		reqQP.Set("timeout", strconv.FormatInt(int64(*options.Timeout), 10))
 	}
 	req.Raw().URL.RawQuery = reqQP.Encode()
-	req.Raw().Header["x-ms-version"] = []string{"2025-11-05"}
+	req.Raw().Header["x-ms-version"] = []string{"2026-02-06"}
 	if options != nil && options.Quota != nil {
 		req.Raw().Header["x-ms-share-quota"] = []string{strconv.FormatInt(int64(*options.Quota), 10)}
 	}
@@ -1687,6 +1696,9 @@ func (client *ShareClient) setPropertiesCreateRequest(ctx context.Context, optio
 	if options != nil && options.ShareProvisionedBandwidthMibps != nil {
 		req.Raw().Header["x-ms-share-provisioned-bandwidth-mibps"] = []string{strconv.FormatInt(*options.ShareProvisionedBandwidthMibps, 10)}
 	}
+	if options != nil && options.EnableSMBDirectoryLease != nil {
+		req.Raw().Header["x-ms-enable-smb-directory-lease"] = []string{strconv.FormatBool(*options.EnableSMBDirectoryLease)}
+	}
 	req.Raw().Header["Accept"] = []string{"application/xml"}
 	return req, nil
 }
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/generated/zz_time_rfc1123.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/generated/zz_time_rfc1123.go
index 5866503297..2e3ed10e4c 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/generated/zz_time_rfc1123.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/generated/zz_time_rfc1123.go
@@ -1,6 +1,3 @@
-//go:build go1.18
-// +build go1.18
-
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License. See License.txt in the project root for license information.
 // Code generated by Microsoft (R) AutoRest Code Generator. DO NOT EDIT.
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/generated/zz_time_rfc3339.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/generated/zz_time_rfc3339.go
index 82b370133f..c2ab003070 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/generated/zz_time_rfc3339.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/generated/zz_time_rfc3339.go
@@ -1,6 +1,3 @@
-//go:build go1.18
-// +build go1.18
-
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License. See License.txt in the project root for license information.
 // Code generated by Microsoft (R) AutoRest Code Generator. DO NOT EDIT.
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/generated/zz_xml_helper.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/generated/zz_xml_helper.go
index 1bd0e4de05..355d0176b3 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/generated/zz_xml_helper.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/generated/zz_xml_helper.go
@@ -1,6 +1,3 @@
-//go:build go1.18
-// +build go1.18
-
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License. See License.txt in the project root for license information.
 // Code generated by Microsoft (R) AutoRest Code Generator. DO NOT EDIT.
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/shared/batch_transfer.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/shared/batch_transfer.go
index 12fdeadb2b..2c5cf54c07 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/shared/batch_transfer.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/shared/batch_transfer.go
@@ -1,6 +1,3 @@
-//go:build go1.18
-// +build go1.18
-
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License. See License.txt in the project root for license information.
 
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/shared/bytes_writer.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/shared/bytes_writer.go
index 8d4d35bdef..ed0bc2ae97 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/shared/bytes_writer.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/shared/bytes_writer.go
@@ -1,6 +1,3 @@
-//go:build go1.18
-// +build go1.18
-
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License. See License.txt in the project root for license information.
 
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/shared/section_writer.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/shared/section_writer.go
index c8528a2e3e..df30561cee 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/shared/section_writer.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/shared/section_writer.go
@@ -1,6 +1,3 @@
-//go:build go1.18
-// +build go1.18
-
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License. See License.txt in the project root for license information.
 
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/shared/shared.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/shared/shared.go
index a46b88b161..622aa0a0c0 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/shared/shared.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/shared/shared.go
@@ -1,6 +1,3 @@
-//go:build go1.18
-// +build go1.18
-
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License. See License.txt in the project root for license information.
 
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/sas/account.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/sas/account.go
index 6facc516ef..fd75de6cba 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/sas/account.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/sas/account.go
@@ -1,6 +1,3 @@
-//go:build go1.18
-// +build go1.18
-
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License. See License.txt in the project root for license information.
 
@@ -19,6 +16,9 @@ import (
 // SharedKeyCredential contains an account's name and its primary or secondary key.
 type SharedKeyCredential = exported.SharedKeyCredential
 
+// UserDelegationCredential contains an account's name and its user delegation key.
+type UserDelegationCredential = exported.UserDelegationCredential
+
 // AccountSignatureValues is used to generate a Shared Access Signature (SAS) for an Azure Storage account.
 // For more information, see https://docs.microsoft.com/rest/api/storageservices/constructing-an-account-sas
 type AccountSignatureValues struct {
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/sas/query_params.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/sas/query_params.go
index 12849c7e1c..45189bbd46 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/sas/query_params.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/sas/query_params.go
@@ -1,6 +1,3 @@
-//go:build go1.18
-// +build go1.18
-
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License. See License.txt in the project root for license information.
 
@@ -8,11 +5,12 @@ package sas
 
 import (
 	"errors"
-	"github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/generated"
 	"net"
 	"net/url"
 	"strings"
 	"time"
+
+	"github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/generated"
 )
 
 // timeFormat represents the format of a SAS start or expiry time. Use it when formatting/parsing a time.Time.
@@ -116,24 +114,34 @@ func (ipr *IPRange) String() string {
 // This type defines the components used by all Azure Storage resources (Containers, Blobs, Files, & Queues).
 type QueryParameters struct {
 	// All members are immutable or values so copies of this struct are goroutine-safe.
-	version            string    `param:"sv"`
-	services           string    `param:"ss"`
-	resourceTypes      string    `param:"srt"`
-	protocol           Protocol  `param:"spr"`
-	startTime          time.Time `param:"st"`
-	expiryTime         time.Time `param:"se"`
-	shareSnapshotTime  time.Time `param:"sharesnapshot"`
-	ipRange            IPRange   `param:"sip"`
-	identifier         string    `param:"si"`
-	resource           string    `param:"sr"`
-	permissions        string    `param:"sp"`
-	signature          string    `param:"sig"`
-	encryptionScope    string    `param:"ses"`
-	cacheControl       string    `param:"rscc"`
-	contentDisposition string    `param:"rscd"`
-	contentEncoding    string    `param:"rsce"`
-	contentLanguage    string    `param:"rscl"`
-	contentType        string    `param:"rsct"`
+	version                     string    `param:"sv"`
+	services                    string    `param:"ss"`
+	resourceTypes               string    `param:"srt"`
+	protocol                    Protocol  `param:"spr"`
+	startTime                   time.Time `param:"st"`
+	expiryTime                  time.Time `param:"se"`
+	shareSnapshotTime           time.Time `param:"sharesnapshot"`
+	ipRange                     IPRange   `param:"sip"`
+	identifier                  string    `param:"si"`
+	resource                    string    `param:"sr"`
+	permissions                 string    `param:"sp"`
+	signature                   string    `param:"sig"`
+	encryptionScope             string    `param:"ses"`
+	cacheControl                string    `param:"rscc"`
+	contentDisposition          string    `param:"rscd"`
+	contentEncoding             string    `param:"rsce"`
+	contentLanguage             string    `param:"rscl"`
+	contentType                 string    `param:"rsct"`
+	signedOID                   string    `param:"skoid"`
+	signedTID                   string    `param:"sktid"`
+	signedStart                 time.Time `param:"skt"`
+	signedService               string    `param:"sks"`
+	signedExpiry                time.Time `param:"ske"`
+	signedVersion               string    `param:"skv"`
+	authorizedObjectID          string    `param:"saoid"`
+	unauthorizedObjectID        string    `param:"suoid"`
+	correlationID               string    `param:"scid"`
+	signedDelegatedUserObjectID string    `param:"sduoid"`
 	// private member used for startTime and expiryTime formatting.
 	stTimeFormat string
 	seTimeFormat string
@@ -284,6 +292,26 @@ func (p *QueryParameters) Encode() string {
 	if p.contentType != "" {
 		v.Add("rsct", p.contentType)
 	}
+	if p.signedOID != "" {
+		v.Add("skoid", p.signedOID)
+		v.Add("sktid", p.signedTID)
+		v.Add("skt", formatTime(&(p.signedStart), p.stTimeFormat))
+		v.Add("ske", formatTime(&(p.signedExpiry), p.seTimeFormat))
+		v.Add("sks", p.signedService)
+		v.Add("skv", p.signedVersion)
+	}
+	if p.authorizedObjectID != "" {
+		v.Add("saoid", p.authorizedObjectID)
+	}
+	if p.unauthorizedObjectID != "" {
+		v.Add("suoid", p.unauthorizedObjectID)
+	}
+	if p.correlationID != "" {
+		v.Add("scid", p.correlationID)
+	}
+	if p.signedDelegatedUserObjectID != "" {
+		v.Add("sduoid", p.signedDelegatedUserObjectID)
+	}
 
 	return v.Encode()
 }
@@ -340,6 +368,26 @@ func NewQueryParameters(values url.Values, deleteSASParametersFromValues bool) Q
 			p.contentLanguage = val
 		case "rsct":
 			p.contentType = val
+		case "skoid":
+			p.signedOID = val
+		case "sktid":
+			p.signedTID = val
+		case "skt":
+			p.signedStart, p.stTimeFormat, _ = parseTime(val)
+		case "ske":
+			p.signedExpiry, p.seTimeFormat, _ = parseTime(val)
+		case "sks":
+			p.signedService = val
+		case "skv":
+			p.signedVersion = val
+		case "saoid":
+			p.authorizedObjectID = val
+		case "suoid":
+			p.unauthorizedObjectID = val
+		case "scid":
+			p.correlationID = val
+		case "sduoid":
+			p.signedDelegatedUserObjectID = val
 		default:
 			isSASKey = false // We didn't recognize the query parameter
 		}
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/sas/service.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/sas/service.go
index 0dab2c302a..fcd2b4de8a 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/sas/service.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/sas/service.go
@@ -1,6 +1,3 @@
-//go:build go1.18
-// +build go1.18
-
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License.
 
@@ -20,21 +17,25 @@ import (
 // For more information on creating service sas, see https://docs.microsoft.com/rest/api/storageservices/constructing-a-service-sas
 // User Delegation SAS not supported for files service
 type SignatureValues struct {
-	Version            string    `param:"sv"`  // If not specified, this defaults to Version
-	Protocol           Protocol  `param:"spr"` // See the Protocol* constants
-	StartTime          time.Time `param:"st"`  // Not specified if IsZero
-	ExpiryTime         time.Time `param:"se"`  // Not specified if IsZero
-	SnapshotTime       time.Time
-	Permissions        string  `param:"sp"` // Create by initializing SharePermissions or FilePermissions and then call String()
-	IPRange            IPRange `param:"sip"`
-	Identifier         string  `param:"si"`
-	ShareName          string
-	FilePath           string // Ex: "directory/FileName". Use "" to create a Share SAS and file path for File SAS.
-	CacheControl       string // rscc
-	ContentDisposition string // rscd
-	ContentEncoding    string // rsce
-	ContentLanguage    string // rscl
-	ContentType        string // rsct
+	Version                     string    `param:"sv"`  // If not specified, this defaults to Version
+	Protocol                    Protocol  `param:"spr"` // See the Protocol* constants
+	StartTime                   time.Time `param:"st"`  // Not specified if IsZero
+	ExpiryTime                  time.Time `param:"se"`  // Not specified if IsZero
+	SnapshotTime                time.Time
+	Permissions                 string  `param:"sp"` // Create by initializing SharePermissions or FilePermissions and then call String()
+	IPRange                     IPRange `param:"sip"`
+	Identifier                  string  `param:"si"`
+	ShareName                   string
+	FilePath                    string // Ex: "directory/FileName". Use "" to create a Share SAS and file path for File SAS.
+	CacheControl                string // rscc
+	ContentDisposition          string // rscd
+	ContentEncoding             string // rsce
+	ContentLanguage             string // rscl
+	ContentType                 string // rsct
+	AuthorizedObjectID          string // saoid
+	UnauthorizedObjectID        string // suoid
+	CorrelationID               string // scid
+	SignedDelegatedUserObjectID string // sduoid
 }
 
 // SignWithSharedKey uses an account's SharedKeyCredential to sign this signature values to produce the proper SAS query parameters.
@@ -113,6 +114,107 @@ func (v SignatureValues) SignWithSharedKey(sharedKeyCredential *SharedKeyCredent
 	return p, nil
 }
 
+// SignWithUserDelegation uses an account's UserDelegationCredential to sign this signature values to produce the proper SAS query parameters.
+func (v SignatureValues) SignWithUserDelegation(userDelegationCredential *UserDelegationCredential) (QueryParameters, error) {
+	if userDelegationCredential == nil {
+		return QueryParameters{}, fmt.Errorf("cannot sign SAS query without User Delegation Key")
+	}
+
+	if v.ExpiryTime.IsZero() || v.Permissions == "" {
+		return QueryParameters{}, errors.New("user delegation SAS is missing at least one of these: ExpiryTime or Permissions")
+	}
+
+	resource := "s"
+	if v.FilePath == "" {
+		perms, err := parseSharePermissions(v.Permissions)
+		if err != nil {
+			return QueryParameters{}, err
+		}
+		v.Permissions = perms.String()
+	} else {
+		resource = "f"
+		perms, err := parseFilePermissions(v.Permissions)
+		if err != nil {
+			return QueryParameters{}, err
+		}
+		v.Permissions = perms.String()
+	}
+
+	if v.Version == "" {
+		v.Version = Version
+	}
+	startTime, expiryTime, _ := formatTimesForSigning(v.StartTime, v.ExpiryTime, v.SnapshotTime)
+
+	udk := exported.GetUDKParams(userDelegationCredential)
+	udkStart, udkExpiry, _ := formatTimesForSigning(*udk.SignedStart, *udk.SignedExpiry, time.Time{})
+
+	stringToSign := strings.Join([]string{
+		v.Permissions,
+		startTime,
+		expiryTime,
+		getCanonicalName(exported.GetAccountName(userDelegationCredential), v.ShareName, v.FilePath),
+		*udk.SignedOID,
+		*udk.SignedTID,
+		udkStart,
+		udkExpiry,
+		*udk.SignedService,
+		*udk.SignedVersion,
+		v.AuthorizedObjectID,
+		v.UnauthorizedObjectID,
+		v.CorrelationID,
+		"",
+		v.SignedDelegatedUserObjectID,
+		v.IPRange.String(),
+		string(v.Protocol),
+		v.Version,
+		resource,
+		"",
+		"",
+		v.CacheControl,
+		v.ContentDisposition,
+		v.ContentEncoding,
+		v.ContentLanguage,
+		v.ContentType},
+		"\n")
+
+	signature, err := exported.ComputeUDCHMACSHA256(userDelegationCredential, stringToSign)
+	if err != nil {
+		return QueryParameters{}, err
+	}
+
+	p := QueryParameters{
+		version:     v.Version,
+		protocol:    v.Protocol,
+		startTime:   v.StartTime,
+		expiryTime:  v.ExpiryTime,
+		permissions: v.Permissions,
+		ipRange:     v.IPRange,
+
+		resource:                    resource,
+		identifier:                  v.Identifier,
+		cacheControl:                v.CacheControl,
+		contentDisposition:          v.ContentDisposition,
+		contentEncoding:             v.ContentEncoding,
+		contentLanguage:             v.ContentLanguage,
+		contentType:                 v.ContentType,
+		shareSnapshotTime:           v.SnapshotTime,
+		authorizedObjectID:          v.AuthorizedObjectID,
+		unauthorizedObjectID:        v.UnauthorizedObjectID,
+		correlationID:               v.CorrelationID,
+		signedDelegatedUserObjectID: v.SignedDelegatedUserObjectID,
+		signature:                   signature,
+	}
+
+	p.signedOID = *udk.SignedOID
+	p.signedTID = *udk.SignedTID
+	p.signedStart = *udk.SignedStart
+	p.signedExpiry = *udk.SignedExpiry
+	p.signedService = *udk.SignedService
+	p.signedVersion = *udk.SignedVersion
+
+	return p, nil
+}
+
 // getCanonicalName computes the canonical name for a share or file resource for SAS signing.
 func getCanonicalName(account string, shareName string, filePath string) string {
 	// Share: "/file/account/sharename"
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/sas/url_parts.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/sas/url_parts.go
index 4e69359f56..92023ab675 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/sas/url_parts.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/sas/url_parts.go
@@ -1,6 +1,3 @@
-//go:build go1.18
-// +build go1.18
-
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License. See License.txt in the project root for license information.
 
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/service/client.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/service/client.go
index 10da68e2e5..62a3810ffc 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/service/client.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/service/client.go
@@ -1,6 +1,3 @@
-//go:build go1.18
-// +build go1.18
-
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License. See License.txt in the project root for license information.
 
@@ -131,6 +128,22 @@ func (s *Client) URL() string {
 	return s.generated().Endpoint()
 }
 
+// GetUserDelegationCredential obtains a UserDelegationKey object using the base ServiceURL object.
+// OAuth is required for this call, as well as any role that can delegate access to the storage account.
+func (s *Client) GetUserDelegationCredential(ctx context.Context, info KeyInfo, o *GetUserDelegationCredentialOptions) (*UserDelegationCredential, error) {
+	url := s.URL()
+	parts := strings.Split(strings.TrimPrefix(url, "https://"), ".")
+	account := parts[0]
+
+	getUserDelegationKeyOptions := o.format()
+	udk, err := s.generated().GetUserDelegationKey(ctx, info, getUserDelegationKeyOptions)
+	if err != nil {
+		return nil, err
+	}
+
+	return exported.NewUserDelegationCredential(account, udk.UserDelegationKey), nil
+}
+
 // NewShareClient creates a new share.Client object by concatenating shareName to the end of this Client's URL.
 // The new share.Client uses the same request policy pipeline as the Client.
 func (s *Client) NewShareClient(shareName string) *share.Client {
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/service/constants.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/service/constants.go
index 4908f03111..6cfbb1896a 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/service/constants.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/service/constants.go
@@ -1,6 +1,3 @@
-//go:build go1.18
-// +build go1.18
-
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License. See License.txt in the project root for license information.
 
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/service/models.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/service/models.go
index 0a529af872..16c8985c0c 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/service/models.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/service/models.go
@@ -1,23 +1,34 @@
-//go:build go1.18
-// +build go1.18
-
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License. See License.txt in the project root for license information.
 
 package service
 
 import (
+	"time"
+
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore/to"
 	"github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/exported"
 	"github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/generated"
 	"github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/internal/shared"
 	"github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/share"
-	"time"
 )
 
 // SharedKeyCredential contains an account's name and its primary or secondary key.
 type SharedKeyCredential = exported.SharedKeyCredential
 
+// UserDelegationCredential contains an account's name and its user delegation key.
+type UserDelegationCredential = exported.UserDelegationCredential
+
+// KeyInfo contains KeyInfo struct.
+type KeyInfo = generated.KeyInfo
+
+// GetUserDelegationCredentialOptions contains optional parameters for GetUserDelegationKey method.
+type GetUserDelegationCredentialOptions struct{}
+
+func (o *GetUserDelegationCredentialOptions) format() *generated.ServiceClientGetUserDelegationKeyOptions {
+	return nil
+}
+
 // NewSharedKeyCredential creates an immutable SharedKeyCredential containing the
 // storage account's name and either its primary or secondary key.
 func NewSharedKeyCredential(accountName, accountKey string) (*SharedKeyCredential, error) {
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/service/responses.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/service/responses.go
index fad91de635..d7f5056478 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/service/responses.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/service/responses.go
@@ -1,6 +1,3 @@
-//go:build go1.18
-// +build go1.18
-
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License. See License.txt in the project root for license information.
 
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/share/client.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/share/client.go
index a333ab07b8..9ada6a31d5 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/share/client.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/share/client.go
@@ -1,6 +1,3 @@
-//go:build go1.18
-// +build go1.18
-
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License. See License.txt in the project root for license information.
 
@@ -227,12 +224,12 @@ func (s *Client) GetAccessPolicy(ctx context.Context, options *GetAccessPolicyOp
 // SetAccessPolicy operation sets a stored access policy for use with shared access signatures.
 // For more information, see https://learn.microsoft.com/en-us/rest/api/storageservices/set-share-acl.
 func (s *Client) SetAccessPolicy(ctx context.Context, options *SetAccessPolicyOptions) (SetAccessPolicyResponse, error) {
-	opts, acl, leaseAccessConditions, err := options.format()
+	opts, leaseAccessConditions, err := options.format()
 	if err != nil {
 		return SetAccessPolicyResponse{}, err
 	}
 
-	resp, err := s.generated().SetAccessPolicy(ctx, acl, opts, leaseAccessConditions)
+	resp, err := s.generated().SetAccessPolicy(ctx, opts, leaseAccessConditions)
 	return resp, err
 }
 
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/share/constants.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/share/constants.go
index ff605467d3..ded3fef68d 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/share/constants.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/share/constants.go
@@ -1,6 +1,3 @@
-//go:build go1.18
-// +build go1.18
-
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License. See License.txt in the project root for license information.
 
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/share/models.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/share/models.go
index ad6046488f..e0da3f54b7 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/share/models.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/share/models.go
@@ -1,6 +1,3 @@
-//go:build go1.18
-// +build go1.18
-
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License. See License.txt in the project root for license information.
 
@@ -38,6 +35,10 @@ type CreateOptions struct {
 	// Specifies whether the snapshot virtual directory should be accessible at the root of share mount point
 	// when NFS is enabled.
 	EnableSnapshotVirtualDirectoryAccess *bool
+
+	// EnableSMBDirectoryLease contains the information returned from the x-ms-enable-smb-directory-lease header response.
+	EnableSMBDirectoryLease *bool
+
 	// Optional. Boolean. Default if not specified is false. This property enables paid bursting.
 	PaidBurstingEnabled *bool
 
@@ -70,6 +71,7 @@ func (o *CreateOptions) format() *generated.ShareClientCreateOptions {
 		Quota:                                o.Quota,
 		RootSquash:                           o.RootSquash,
 		EnableSnapshotVirtualDirectoryAccess: o.EnableSnapshotVirtualDirectoryAccess,
+		EnableSMBDirectoryLease:              o.EnableSMBDirectoryLease,
 		PaidBurstingEnabled:                  o.PaidBurstingEnabled,
 		PaidBurstingMaxBandwidthMibps:        o.PaidBurstingMaxBandwidthMibps,
 		PaidBurstingMaxIops:                  o.PaidBurstingMaxIops,
@@ -146,6 +148,8 @@ type SetPropertiesOptions struct {
 	// Specifies whether the snapshot virtual directory should be accessible at the root of share mount point
 	// when NFS is enabled.
 	EnableSnapshotVirtualDirectoryAccess *bool
+	// EnableSMBDirectoryLease contains the information returned from the x-ms-enable-smb-directory-lease header response.
+	EnableSMBDirectoryLease *bool
 	// Optional. Boolean. Default if not specified is false. This property enables paid bursting.
 	PaidBurstingEnabled *bool
 	// Optional. Integer. Default if not specified is the maximum throughput the file share can support. Current maximum for a
@@ -173,6 +177,7 @@ func (o *SetPropertiesOptions) format() (*generated.ShareClientSetPropertiesOpti
 		Quota:                                o.Quota,
 		RootSquash:                           o.RootSquash,
 		EnableSnapshotVirtualDirectoryAccess: o.EnableSnapshotVirtualDirectoryAccess,
+		EnableSMBDirectoryLease:              o.EnableSMBDirectoryLease,
 		PaidBurstingEnabled:                  o.PaidBurstingEnabled,
 		PaidBurstingMaxBandwidthMibps:        o.PaidBurstingMaxBandwidthMibps,
 		PaidBurstingMaxIops:                  o.PaidBurstingMaxIops,
@@ -235,21 +240,23 @@ type SetAccessPolicyOptions struct {
 	LeaseAccessConditions *LeaseAccessConditions
 }
 
-func (o *SetAccessPolicyOptions) format() (*generated.ShareClientSetAccessPolicyOptions, []*SignedIdentifier, *LeaseAccessConditions, error) {
+func (o *SetAccessPolicyOptions) format() (*generated.ShareClientSetAccessPolicyOptions, *LeaseAccessConditions, error) {
 	if o == nil {
-		return nil, nil, nil, nil
+		return nil, nil, nil
 	}
 
 	if o.ShareACL != nil {
 		for _, si := range o.ShareACL {
 			err := formatTime(si)
 			if err != nil {
-				return nil, nil, nil, err
+				return nil, nil, err
 			}
 		}
 	}
 
-	return nil, o.ShareACL, o.LeaseAccessConditions, nil
+	return &generated.ShareClientSetAccessPolicyOptions{
+		ShareACL: o.ShareACL,
+	}, o.LeaseAccessConditions, nil
 }
 
 func formatTime(si *SignedIdentifier) error {
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/share/responses.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/share/responses.go
index 2932e7ec93..ddc594812e 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/share/responses.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/share/responses.go
@@ -1,6 +1,3 @@
-//go:build go1.18
-// +build go1.18
-
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License. See License.txt in the project root for license information.
 
diff --git a/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/confidential/confidential.go b/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/confidential/confidential.go
index 549d68ab99..29c004320d 100644
--- a/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/confidential/confidential.go
+++ b/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/confidential/confidential.go
@@ -596,6 +596,11 @@ func (cca Client) AcquireTokenSilent(ctx context.Context, scopes []string, opts
 		return AuthResult{}, errors.New("call another AcquireToken method to request a new token having these claims")
 	}
 
+	// For service principal scenarios, require WithSilentAccount for public API
+	if o.account.IsZero() {
+		return AuthResult{}, errors.New("WithSilentAccount option is required")
+	}
+
 	silentParameters := base.AcquireTokenSilentParameters{
 		Scopes:      scopes,
 		Account:     o.account,
@@ -604,8 +609,15 @@ func (cca Client) AcquireTokenSilent(ctx context.Context, scopes []string, opts
 		IsAppCache:  o.account.IsZero(),
 		TenantID:    o.tenantID,
 		AuthnScheme: o.authnScheme,
+		Claims:      o.claims,
 	}
 
+	return cca.acquireTokenSilentInternal(ctx, silentParameters)
+}
+
+// acquireTokenSilentInternal is the internal implementation shared by AcquireTokenSilent and AcquireTokenByCredential
+func (cca Client) acquireTokenSilentInternal(ctx context.Context, silentParameters base.AcquireTokenSilentParameters) (AuthResult, error) {
+
 	return cca.base.AcquireTokenSilent(ctx, silentParameters)
 }
 
@@ -708,8 +720,10 @@ func (cca Client) AcquireTokenByAuthCode(ctx context.Context, code string, redir
 
 // acquireTokenByCredentialOptions contains optional configuration for AcquireTokenByCredential
 type acquireTokenByCredentialOptions struct {
-	claims, tenantID string
-	authnScheme      AuthenticationScheme
+	claims, tenantID    string
+	authnScheme         AuthenticationScheme
+	extraBodyParameters map[string]string
+	cacheKeyComponents  map[string]string
 }
 
 // AcquireByCredentialOption is implemented by options for AcquireTokenByCredential
@@ -719,7 +733,7 @@ type AcquireByCredentialOption interface {
 
 // AcquireTokenByCredential acquires a security token from the authority, using the client credentials grant.
 //
-// Options: [WithClaims], [WithTenantID]
+// Options: [WithClaims], [WithTenantID], [WithFMIPath], [WithAttribute]
 func (cca Client) AcquireTokenByCredential(ctx context.Context, scopes []string, opts ...AcquireByCredentialOption) (AuthResult, error) {
 	o := acquireTokenByCredentialOptions{}
 	err := options.ApplyOptions(&o, opts)
@@ -736,6 +750,29 @@ func (cca Client) AcquireTokenByCredential(ctx context.Context, scopes []string,
 	if o.authnScheme != nil {
 		authParams.AuthnScheme = o.authnScheme
 	}
+	authParams.ExtraBodyParameters = o.extraBodyParameters
+	authParams.CacheKeyComponents = o.cacheKeyComponents
+	if o.claims == "" {
+		silentParameters := base.AcquireTokenSilentParameters{
+			Scopes:              scopes,
+			Account:             Account{}, // empty account for app token
+			RequestType:         accesstokens.ATConfidential,
+			Credential:          cca.cred,
+			IsAppCache:          true,
+			TenantID:            o.tenantID,
+			AuthnScheme:         o.authnScheme,
+			Claims:              o.claims,
+			ExtraBodyParameters: o.extraBodyParameters,
+			CacheKeyComponents:  o.cacheKeyComponents,
+		}
+
+		// Use internal method with empty account (service principal scenario)
+		cache, err := cca.acquireTokenSilentInternal(ctx, silentParameters)
+		if err == nil {
+			return cache, nil
+		}
+	}
+
 	token, err := cca.base.Token.Credential(ctx, authParams, cca.cred)
 	if err != nil {
 		return AuthResult{}, err
@@ -781,3 +818,63 @@ func (cca Client) Account(ctx context.Context, accountID string) (Account, error
 func (cca Client) RemoveAccount(ctx context.Context, account Account) error {
 	return cca.base.RemoveAccount(ctx, account)
 }
+
+// WithFMIPath specifies the path to a federated managed identity.
+// The path should point to a valid FMI configuration file that contains the necessary
+// identity information for authentication.
+func WithFMIPath(path string) interface {
+	AcquireByCredentialOption
+	options.CallOption
+} {
+	return struct {
+		AcquireByCredentialOption
+		options.CallOption
+	}{
+		CallOption: options.NewCallOption(
+			func(a any) error {
+				switch t := a.(type) {
+				case *acquireTokenByCredentialOptions:
+					if t.extraBodyParameters == nil {
+						t.extraBodyParameters = make(map[string]string)
+					}
+					if t.cacheKeyComponents == nil {
+						t.cacheKeyComponents = make(map[string]string)
+					}
+					t.cacheKeyComponents["fmi_path"] = path
+					t.extraBodyParameters["fmi_path"] = path
+				default:
+					return fmt.Errorf("unexpected options type %T", a)
+				}
+				return nil
+			},
+		),
+	}
+}
+
+// WithAttribute specifies an identity attribute to include in the token request.
+// The attribute is sent as "attributes" in the request body and returned as "xmc_attr"
+// in the access token claims. This is sometimes used withFMIPath
+func WithAttribute(attrValue string) interface {
+	AcquireByCredentialOption
+	options.CallOption
+} {
+	return struct {
+		AcquireByCredentialOption
+		options.CallOption
+	}{
+		CallOption: options.NewCallOption(
+			func(a any) error {
+				switch t := a.(type) {
+				case *acquireTokenByCredentialOptions:
+					if t.extraBodyParameters == nil {
+						t.extraBodyParameters = make(map[string]string)
+					}
+					t.extraBodyParameters["attributes"] = attrValue
+				default:
+					return fmt.Errorf("unexpected options type %T", a)
+				}
+				return nil
+			},
+		),
+	}
+}
diff --git a/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/base/base.go b/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/base/base.go
index 61c1c4cec1..abf54f7e50 100644
--- a/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/base/base.go
+++ b/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/base/base.go
@@ -46,16 +46,18 @@ type accountManager interface {
 
 // AcquireTokenSilentParameters contains the parameters to acquire a token silently (from cache).
 type AcquireTokenSilentParameters struct {
-	Scopes            []string
-	Account           shared.Account
-	RequestType       accesstokens.AppType
-	Credential        *accesstokens.Credential
-	IsAppCache        bool
-	TenantID          string
-	UserAssertion     string
-	AuthorizationType authority.AuthorizeType
-	Claims            string
-	AuthnScheme       authority.AuthenticationScheme
+	Scopes              []string
+	Account             shared.Account
+	RequestType         accesstokens.AppType
+	Credential          *accesstokens.Credential
+	IsAppCache          bool
+	TenantID            string
+	UserAssertion       string
+	AuthorizationType   authority.AuthorizeType
+	Claims              string
+	AuthnScheme         authority.AuthenticationScheme
+	ExtraBodyParameters map[string]string
+	CacheKeyComponents  map[string]string
 }
 
 // AcquireTokenAuthCodeParameters contains the parameters required to acquire an access token using the auth code flow.
@@ -327,7 +329,12 @@ func (b Client) AcquireTokenSilent(ctx context.Context, silent AcquireTokenSilen
 	if silent.AuthnScheme != nil {
 		authParams.AuthnScheme = silent.AuthnScheme
 	}
-
+	if silent.CacheKeyComponents != nil {
+		authParams.CacheKeyComponents = silent.CacheKeyComponents
+	}
+	if silent.ExtraBodyParameters != nil {
+		authParams.ExtraBodyParameters = silent.ExtraBodyParameters
+	}
 	m := b.pmanager
 	if authParams.AuthorizationType != authority.ATOnBehalfOf {
 		authParams.AuthorizationType = authority.ATRefreshToken
@@ -367,8 +374,19 @@ func (b Client) AcquireTokenSilent(ctx context.Context, silent AcquireTokenSilen
 					// If the token is not same, we don't need to refresh it.
 					// Which means it refreshed.
 					if str, err := m.Read(ctx, authParams); err == nil && str.AccessToken.Secret == ar.AccessToken {
-						if tr, er := b.Token.Credential(ctx, authParams, silent.Credential); er == nil {
-							return b.AuthResultFromToken(ctx, authParams, tr)
+						switch silent.RequestType {
+						case accesstokens.ATConfidential:
+							if tr, er := b.Token.Credential(ctx, authParams, silent.Credential); er == nil {
+								return b.AuthResultFromToken(ctx, authParams, tr)
+							}
+						case accesstokens.ATPublic:
+							token, err := b.Token.Refresh(ctx, silent.RequestType, authParams, silent.Credential, storageTokenResponse.RefreshToken)
+							if err != nil {
+								return ar, err
+							}
+							return b.AuthResultFromToken(ctx, authParams, token)
+						case accesstokens.ATUnknown:
+							return ar, errors.New("silent request type cannot be ATUnknown")
 						}
 					}
 				}
@@ -446,6 +464,9 @@ func (b Client) AcquireTokenOnBehalfOf(ctx context.Context, onBehalfOfParams Acq
 	authParams.Claims = onBehalfOfParams.Claims
 	authParams.Scopes = onBehalfOfParams.Scopes
 	authParams.UserAssertion = onBehalfOfParams.UserAssertion
+	if authParams.ExtraBodyParameters != nil {
+		authParams.ExtraBodyParameters = silentParameters.ExtraBodyParameters
+	}
 	token, err := b.Token.OnBehalfOf(ctx, authParams, onBehalfOfParams.Credential)
 	if err == nil {
 		ar, err = b.AuthResultFromToken(ctx, authParams, token)
diff --git a/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/base/storage/items.go b/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/base/storage/items.go
index 7379e2233c..b7d1a670b1 100644
--- a/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/base/storage/items.go
+++ b/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/base/storage/items.go
@@ -79,6 +79,7 @@ type AccessToken struct {
 	UserAssertionHash string            `json:"user_assertion_hash,omitempty"`
 	TokenType         string            `json:"token_type,omitempty"`
 	AuthnSchemeKeyID  string            `json:"keyid,omitempty"`
+	ExtCacheKey       string            `json:"ext_cache_key,omitempty"`
 
 	AdditionalFields map[string]interface{}
 }
@@ -105,15 +106,21 @@ func NewAccessToken(homeID, env, realm, clientID string, cachedAt, refreshOn, ex
 // Key outputs the key that can be used to uniquely look up this entry in a map.
 func (a AccessToken) Key() string {
 	ks := []string{a.HomeAccountID, a.Environment, a.CredentialType, a.ClientID, a.Realm, a.Scopes}
-	key := strings.Join(
-		ks,
-		shared.CacheKeySeparator,
-	)
+
 	// add token type to key for new access tokens types. skip for bearer token type to
 	// preserve fwd and back compat between a common cache and msal clients
 	if !strings.EqualFold(a.TokenType, authority.AccessTokenTypeBearer) {
-		key = strings.Join([]string{key, a.TokenType}, shared.CacheKeySeparator)
+		ks = append(ks, a.TokenType)
 	}
+	// add extra body param hash to key if present
+	if a.ExtCacheKey != "" {
+		ks[2] = "atext" // if the there is extra cache we add "atext" to the key replacing accesstoken
+		ks = append(ks, a.ExtCacheKey)
+	}
+	key := strings.Join(
+		ks,
+		shared.CacheKeySeparator,
+	)
 	return strings.ToLower(key)
 }
 
diff --git a/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/base/storage/storage.go b/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/base/storage/storage.go
index 84a234967f..825d8a0f66 100644
--- a/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/base/storage/storage.go
+++ b/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/base/storage/storage.go
@@ -135,7 +135,8 @@ func (m *Manager) Read(ctx context.Context, authParameters authority.AuthParams)
 		aliases = metadata.Aliases
 	}
 
-	accessToken := m.readAccessToken(homeAccountID, aliases, realm, clientID, scopes, tokenType, authnSchemeKeyID)
+	accessToken := m.readAccessToken(homeAccountID, aliases, realm, clientID, scopes, tokenType, authnSchemeKeyID, authParameters.CacheExtKeyGenerator())
+
 	tr.AccessToken = accessToken
 
 	if homeAccountID == "" {
@@ -203,6 +204,7 @@ func (m *Manager) Write(authParameters authority.AuthParams, tokenResponse acces
 			authnSchemeKeyID,
 		)
 
+		accessToken.ExtCacheKey = authParameters.CacheExtKeyGenerator()
 		// Since we have a valid access token, cache it before moving on.
 		if err := accessToken.Validate(); err == nil {
 			if err := m.writeAccessToken(accessToken); err != nil {
@@ -291,26 +293,49 @@ func (m *Manager) aadMetadata(ctx context.Context, authorityInfo authority.Info)
 	return m.aadCache[authorityInfo.Host], nil
 }
 
-func (m *Manager) readAccessToken(homeID string, envAliases []string, realm, clientID string, scopes []string, tokenType, authnSchemeKeyID string) AccessToken {
+func (m *Manager) readAccessToken(homeID string, envAliases []string, realm, clientID string, scopes []string, tokenType, authnSchemeKeyID, extCacheKey string) AccessToken {
 	m.contractMu.RLock()
-	// TODO: linear search (over a map no less) is slow for a large number (thousands) of tokens.
-	// this shows up as the dominating node in a profile. for real-world scenarios this likely isn't
-	// an issue, however if it does become a problem then we know where to look.
-	for k, at := range m.contract.AccessTokens {
+
+	tokensToSearch := m.contract.AccessTokens
+
+	for k, at := range tokensToSearch {
+		// TODO: linear search (over a map no less) is slow for a large number (thousands) of tokens.
+		// this shows up as the dominating node in a profile. for real-world scenarios this likely isn't
+		// an issue, however if it does become a problem then we know where to look.
 		if at.HomeAccountID == homeID && at.Realm == realm && at.ClientID == clientID {
-			if (strings.EqualFold(at.TokenType, tokenType) && at.AuthnSchemeKeyID == authnSchemeKeyID) || (at.TokenType == "" && (tokenType == "" || tokenType == "Bearer")) {
-				if checkAlias(at.Environment, envAliases) && isMatchingScopes(scopes, at.Scopes) {
-					m.contractMu.RUnlock()
-					if needsUpgrade(k) {
-						m.contractMu.Lock()
-						defer m.contractMu.Unlock()
-						at = upgrade(m.contract.AccessTokens, k)
+			// Match token type and authentication scheme
+			tokenTypeMatch := (strings.EqualFold(at.TokenType, tokenType) && at.AuthnSchemeKeyID == authnSchemeKeyID) ||
+				(at.TokenType == "" && (tokenType == "" || tokenType == "Bearer"))
+			environmentAndScopesMatch := checkAlias(at.Environment, envAliases) && isMatchingScopes(scopes, at.Scopes)
+
+			if tokenTypeMatch && environmentAndScopesMatch {
+				// For hashed tokens, check that the key contains the hash
+				if extCacheKey != "" {
+					if !strings.Contains(k, extCacheKey) {
+						continue // Skip this token if the key doesn't contain the hash
+					}
+				} else {
+					// If no extCacheKey is provided, only match tokens that also have no extCacheKey
+					if at.ExtCacheKey != "" {
+						continue // Skip tokens that require a hash when no hash is provided
 					}
+				}
+				// Handle token upgrade if needed
+				if needsUpgrade(k) {
+					m.contractMu.RUnlock()
+					m.contractMu.Lock()
+					at = upgrade(tokensToSearch, k)
+					m.contractMu.Unlock()
 					return at
 				}
+
+				m.contractMu.RUnlock()
+				return at
 			}
 		}
 	}
+
+	// No token found, unlock and return empty token
 	m.contractMu.RUnlock()
 	return AccessToken{}
 }
diff --git a/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/oauth/ops/accesstokens/accesstokens.go b/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/oauth/ops/accesstokens/accesstokens.go
index d738c7591e..481f9e4341 100644
--- a/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/oauth/ops/accesstokens/accesstokens.go
+++ b/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/oauth/ops/accesstokens/accesstokens.go
@@ -281,6 +281,9 @@ func (c Client) FromClientSecret(ctx context.Context, authParameters authority.A
 	qv.Set(clientID, authParameters.ClientID)
 	addScopeQueryParam(qv, authParameters)
 
+	// Add extra body parameters if provided
+	addExtraBodyParameters(ctx, qv, authParameters)
+
 	return c.doTokenResp(ctx, authParameters, qv)
 }
 
@@ -296,6 +299,9 @@ func (c Client) FromAssertion(ctx context.Context, authParameters authority.Auth
 	qv.Set(clientInfo, clientInfoVal)
 	addScopeQueryParam(qv, authParameters)
 
+	// Add extra body parameters if provided
+	addExtraBodyParameters(ctx, qv, authParameters)
+
 	return c.doTokenResp(ctx, authParameters, qv)
 }
 
@@ -329,6 +335,8 @@ func (c Client) FromUserAssertionClientCertificate(ctx context.Context, authPara
 	qv.Set("requested_token_use", "on_behalf_of")
 	addScopeQueryParam(qv, authParameters)
 
+	// Add extra body parameters if provided
+	addExtraBodyParameters(ctx, qv, authParameters)
 	return c.doTokenResp(ctx, authParameters, qv)
 }
 
@@ -466,3 +474,12 @@ func addScopeQueryParam(queryParams url.Values, authParameters authority.AuthPar
 	scopes := AppendDefaultScopes(authParameters)
 	queryParams.Set("scope", strings.Join(scopes, " "))
 }
+
+// addExtraBodyParameters evaluates and adds extra body parameters to the request
+func addExtraBodyParameters(ctx context.Context, v url.Values, ap authority.AuthParams) {
+	for key, value := range ap.ExtraBodyParameters {
+		if value != "" {
+			v.Set(key, value)
+		}
+	}
+}
diff --git a/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/oauth/ops/authority/authority.go b/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/oauth/ops/authority/authority.go
index 3f40374640..debd465dba 100644
--- a/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/oauth/ops/authority/authority.go
+++ b/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/oauth/ops/authority/authority.go
@@ -15,6 +15,7 @@ import (
 	"net/url"
 	"os"
 	"path"
+	"sort"
 	"strings"
 	"time"
 
@@ -47,6 +48,8 @@ type jsonCaller interface {
 }
 
 // For backward compatibility, accept both old and new China endpoints for a transition period.
+// This list is derived from the AAD instance discovery metadata and represents all known trusted hosts
+// across different Azure clouds (Public, China, Germany, US Government, etc.)
 var aadTrustedHostList = map[string]bool{
 	"login.windows.net":                true, // Microsoft Azure Worldwide - Used in validation scenarios where host is not this list
 	"login.partner.microsoftonline.cn": true, // Microsoft Azure China (new)
@@ -55,6 +58,9 @@ var aadTrustedHostList = map[string]bool{
 	"login-us.microsoftonline.com":     true, // Microsoft Azure US Government - Legacy
 	"login.microsoftonline.us":         true, // Microsoft Azure US Government
 	"login.microsoftonline.com":        true, // Microsoft Azure Worldwide
+	"login.microsoft.com":              true,
+	"sts.windows.net":                  true,
+	"login.usgovcloudapi.net":          true,
 }
 
 // TrustedHost checks if an AAD host is trusted/valid.
@@ -103,36 +109,46 @@ func (r *TenantDiscoveryResponse) Validate() error {
 // ValidateIssuerMatchesAuthority validates that the issuer in the TenantDiscoveryResponse matches the authority.
 // This is used to identity security or configuration issues in authorities and the OIDC endpoint
 func (r *TenantDiscoveryResponse) ValidateIssuerMatchesAuthority(authorityURI string, aliases map[string]bool) error {
-
 	if authorityURI == "" {
 		return errors.New("TenantDiscoveryResponse: empty authorityURI provided for validation")
 	}
+	if r.Issuer == "" {
+		return errors.New("TenantDiscoveryResponse: empty issuer in response")
+	}
 
-	// Parse the issuer URL
 	issuerURL, err := url.Parse(r.Issuer)
 	if err != nil {
 		return fmt.Errorf("TenantDiscoveryResponse: failed to parse issuer URL: %w", err)
 	}
+	authorityURL, err := url.Parse(authorityURI)
+	if err != nil {
+		return fmt.Errorf("TenantDiscoveryResponse: failed to parse authority URL: %w", err)
+	}
+
+	// Fast path: exact scheme + host match
+	if issuerURL.Scheme == authorityURL.Scheme && issuerURL.Host == authorityURL.Host {
+		return nil
+	}
 
-	// Even if it doesn't match the authority, issuers from known and trusted hosts are valid
+	// Alias-based acceptance
 	if aliases != nil && aliases[issuerURL.Host] {
 		return nil
 	}
 
-	// Parse the authority URL for comparison
-	authorityURL, err := url.Parse(authorityURI)
-	if err != nil {
-		return fmt.Errorf("TenantDiscoveryResponse: failed to parse authority URL: %w", err)
+	issuerHost := issuerURL.Host
+	authorityHost := authorityURL.Host
+
+	// Accept if issuer host is trusted
+	if TrustedHost(issuerHost) {
+		return nil
 	}
 
-	// Check if the scheme and host match (paths can be ignored when validating the issuer)
-	if issuerURL.Scheme == authorityURL.Scheme && issuerURL.Host == authorityURL.Host {
+	// Accept if authority is a regional variant ending with "."
+	if strings.HasSuffix(authorityHost, "."+issuerHost) {
 		return nil
 	}
 
-	// If we get here, validation failed
-	return fmt.Errorf("TenantDiscoveryResponse: issuer from OIDC discovery '%s' does not match authority '%s' or a known pattern",
-		r.Issuer, authorityURI)
+	return fmt.Errorf("TenantDiscoveryResponse: issuer '%s' does not match authority '%s' or any trusted/alias rule", r.Issuer, authorityURI)
 }
 
 type InstanceDiscoveryMetadata struct {
@@ -256,6 +272,12 @@ type AuthParams struct {
 	DomainHint string
 	// AuthnScheme is an optional scheme for formatting access tokens
 	AuthnScheme AuthenticationScheme
+	// ExtraBodyParameters are additional parameters to include in token requests.
+	// The functions are evaluated at request time to get the parameter values.
+	// These parameters are also included in the cache key.
+	ExtraBodyParameters map[string]string
+	// CacheKeyComponents are additional components to include in the cache key.
+	CacheKeyComponents map[string]string
 }
 
 // NewAuthParams creates an authorization parameters object.
@@ -642,8 +664,42 @@ func (a *AuthParams) AssertionHash() string {
 }
 
 func (a *AuthParams) AppKey() string {
+	baseKey := a.ClientID + "_"
 	if a.AuthorityInfo.Tenant != "" {
-		return fmt.Sprintf("%s_%s_AppTokenCache", a.ClientID, a.AuthorityInfo.Tenant)
+		baseKey += a.AuthorityInfo.Tenant
+	}
+
+	// Include extra body parameters in the cache key
+	paramHash := a.CacheExtKeyGenerator()
+	if paramHash != "" {
+		baseKey = fmt.Sprintf("%s_%s", baseKey, paramHash)
+	}
+
+	return baseKey + "_AppTokenCache"
+}
+
+// CacheExtKeyGenerator computes a hash of the Cache key components key and values
+// to include in the cache key. This ensures tokens acquired with different
+// parameters are cached separately.
+func (a *AuthParams) CacheExtKeyGenerator() string {
+	if len(a.CacheKeyComponents) == 0 {
+		return ""
+	}
+
+	// Sort keys to ensure consistent hashing
+	keys := make([]string, 0, len(a.CacheKeyComponents))
+	for k := range a.CacheKeyComponents {
+		keys = append(keys, k)
 	}
-	return fmt.Sprintf("%s__AppTokenCache", a.ClientID)
+	sort.Strings(keys)
+
+	// Create a string by concatenating key+value pairs
+	keyStr := ""
+	for _, key := range keys {
+		// Append key followed by its value with no separator
+		keyStr += key + a.CacheKeyComponents[key]
+	}
+
+	hash := sha256.Sum256([]byte(keyStr))
+	return strings.ToLower(base64.RawURLEncoding.EncodeToString(hash[:]))
 }
diff --git a/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/public/public.go b/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/public/public.go
index 7beed26174..797c086cb8 100644
--- a/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/public/public.go
+++ b/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/public/public.go
@@ -368,9 +368,9 @@ type AcquireByUsernamePasswordOption interface {
 	acquireByUsernamePasswordOption()
 }
 
-// AcquireTokenByUsernamePassword acquires a security token from the authority, via Username/Password Authentication.
-// NOTE: this flow is NOT recommended.
+// Deprecated: This API will be removed in a future release. Use a more secure flow instead. Follow this migration guide: https://aka.ms/msal-ropc-migration
 //
+// AcquireTokenByUsernamePassword acquires a security token from the authority, via Username/Password Authentication.
 // Options: [WithClaims], [WithTenantID]
 func (pca Client) AcquireTokenByUsernamePassword(ctx context.Context, scopes []string, username, password string, opts ...AcquireByUsernamePasswordOption) (AuthResult, error) {
 	o := acquireTokenByUsernamePasswordOptions{}
diff --git a/vendor/github.com/cyphar/filepath-securejoin/COPYING.md b/vendor/github.com/cyphar/filepath-securejoin/COPYING.md
new file mode 100644
index 0000000000..520e822b18
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/COPYING.md
@@ -0,0 +1,447 @@
+## COPYING ##
+
+`SPDX-License-Identifier: BSD-3-Clause AND MPL-2.0`
+
+This project is made up of code licensed under different licenses. Which code
+you use will have an impact on whether only one or both licenses apply to your
+usage of this library.
+
+Note that **each file** in this project individually has a code comment at the
+start describing the license of that particular file -- this is the most
+accurate license information of this project; in case there is any conflict
+between this document and the comment at the start of a file, the comment shall
+take precedence. The only purpose of this document is to work around [a known
+technical limitation of pkg.go.dev's license checking tool when dealing with
+non-trivial project licenses][go75067].
+
+[go75067]: https://go.dev/issue/75067
+
+### `BSD-3-Clause` ###
+
+At time of writing, the following files and directories are licensed under the
+BSD-3-Clause license:
+
+ * `doc.go`
+ * `join*.go`
+ * `vfs.go`
+ * `internal/consts/*.go`
+ * `pathrs-lite/internal/gocompat/*.go`
+ * `pathrs-lite/internal/kernelversion/*.go`
+
+The text of the BSD-3-Clause license used by this project is the following (the
+text is also available from the [`LICENSE.BSD`](./LICENSE.BSD) file):
+
+```
+Copyright (C) 2014-2015 Docker Inc & Go Authors. All rights reserved.
+Copyright (C) 2017-2024 SUSE LLC. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+   * Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+   * Redistributions in binary form must reproduce the above
+copyright notice, this list of conditions and the following disclaimer
+in the documentation and/or other materials provided with the
+distribution.
+   * Neither the name of Google Inc. nor the names of its
+contributors may be used to endorse or promote products derived from
+this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+```
+
+### `MPL-2.0` ###
+
+All other files (unless otherwise marked) are licensed under the Mozilla Public
+License (version 2.0).
+
+The text of the Mozilla Public License (version 2.0) is the following (the text
+is also available from the [`LICENSE.MPL-2.0`](./LICENSE.MPL-2.0) file):
+
+```
+Mozilla Public License Version 2.0
+==================================
+
+1. Definitions
+--------------
+
+1.1. "Contributor"
+    means each individual or legal entity that creates, contributes to
+    the creation of, or owns Covered Software.
+
+1.2. "Contributor Version"
+    means the combination of the Contributions of others (if any) used
+    by a Contributor and that particular Contributor's Contribution.
+
+1.3. "Contribution"
+    means Covered Software of a particular Contributor.
+
+1.4. "Covered Software"
+    means Source Code Form to which the initial Contributor has attached
+    the notice in Exhibit A, the Executable Form of such Source Code
+    Form, and Modifications of such Source Code Form, in each case
+    including portions thereof.
+
+1.5. "Incompatible With Secondary Licenses"
+    means
+
+    (a) that the initial Contributor has attached the notice described
+        in Exhibit B to the Covered Software; or
+
+    (b) that the Covered Software was made available under the terms of
+        version 1.1 or earlier of the License, but not also under the
+        terms of a Secondary License.
+
+1.6. "Executable Form"
+    means any form of the work other than Source Code Form.
+
+1.7. "Larger Work"
+    means a work that combines Covered Software with other material, in
+    a separate file or files, that is not Covered Software.
+
+1.8. "License"
+    means this document.
+
+1.9. "Licensable"
+    means having the right to grant, to the maximum extent possible,
+    whether at the time of the initial grant or subsequently, any and
+    all of the rights conveyed by this License.
+
+1.10. "Modifications"
+    means any of the following:
+
+    (a) any file in Source Code Form that results from an addition to,
+        deletion from, or modification of the contents of Covered
+        Software; or
+
+    (b) any new file in Source Code Form that contains any Covered
+        Software.
+
+1.11. "Patent Claims" of a Contributor
+    means any patent claim(s), including without limitation, method,
+    process, and apparatus claims, in any patent Licensable by such
+    Contributor that would be infringed, but for the grant of the
+    License, by the making, using, selling, offering for sale, having
+    made, import, or transfer of either its Contributions or its
+    Contributor Version.
+
+1.12. "Secondary License"
+    means either the GNU General Public License, Version 2.0, the GNU
+    Lesser General Public License, Version 2.1, the GNU Affero General
+    Public License, Version 3.0, or any later versions of those
+    licenses.
+
+1.13. "Source Code Form"
+    means the form of the work preferred for making modifications.
+
+1.14. "You" (or "Your")
+    means an individual or a legal entity exercising rights under this
+    License. For legal entities, "You" includes any entity that
+    controls, is controlled by, or is under common control with You. For
+    purposes of this definition, "control" means (a) the power, direct
+    or indirect, to cause the direction or management of such entity,
+    whether by contract or otherwise, or (b) ownership of more than
+    fifty percent (50%) of the outstanding shares or beneficial
+    ownership of such entity.
+
+2. License Grants and Conditions
+--------------------------------
+
+2.1. Grants
+
+Each Contributor hereby grants You a world-wide, royalty-free,
+non-exclusive license:
+
+(a) under intellectual property rights (other than patent or trademark)
+    Licensable by such Contributor to use, reproduce, make available,
+    modify, display, perform, distribute, and otherwise exploit its
+    Contributions, either on an unmodified basis, with Modifications, or
+    as part of a Larger Work; and
+
+(b) under Patent Claims of such Contributor to make, use, sell, offer
+    for sale, have made, import, and otherwise transfer either its
+    Contributions or its Contributor Version.
+
+2.2. Effective Date
+
+The licenses granted in Section 2.1 with respect to any Contribution
+become effective for each Contribution on the date the Contributor first
+distributes such Contribution.
+
+2.3. Limitations on Grant Scope
+
+The licenses granted in this Section 2 are the only rights granted under
+this License. No additional rights or licenses will be implied from the
+distribution or licensing of Covered Software under this License.
+Notwithstanding Section 2.1(b) above, no patent license is granted by a
+Contributor:
+
+(a) for any code that a Contributor has removed from Covered Software;
+    or
+
+(b) for infringements caused by: (i) Your and any other third party's
+    modifications of Covered Software, or (ii) the combination of its
+    Contributions with other software (except as part of its Contributor
+    Version); or
+
+(c) under Patent Claims infringed by Covered Software in the absence of
+    its Contributions.
+
+This License does not grant any rights in the trademarks, service marks,
+or logos of any Contributor (except as may be necessary to comply with
+the notice requirements in Section 3.4).
+
+2.4. Subsequent Licenses
+
+No Contributor makes additional grants as a result of Your choice to
+distribute the Covered Software under a subsequent version of this
+License (see Section 10.2) or under the terms of a Secondary License (if
+permitted under the terms of Section 3.3).
+
+2.5. Representation
+
+Each Contributor represents that the Contributor believes its
+Contributions are its original creation(s) or it has sufficient rights
+to grant the rights to its Contributions conveyed by this License.
+
+2.6. Fair Use
+
+This License is not intended to limit any rights You have under
+applicable copyright doctrines of fair use, fair dealing, or other
+equivalents.
+
+2.7. Conditions
+
+Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted
+in Section 2.1.
+
+3. Responsibilities
+-------------------
+
+3.1. Distribution of Source Form
+
+All distribution of Covered Software in Source Code Form, including any
+Modifications that You create or to which You contribute, must be under
+the terms of this License. You must inform recipients that the Source
+Code Form of the Covered Software is governed by the terms of this
+License, and how they can obtain a copy of this License. You may not
+attempt to alter or restrict the recipients' rights in the Source Code
+Form.
+
+3.2. Distribution of Executable Form
+
+If You distribute Covered Software in Executable Form then:
+
+(a) such Covered Software must also be made available in Source Code
+    Form, as described in Section 3.1, and You must inform recipients of
+    the Executable Form how they can obtain a copy of such Source Code
+    Form by reasonable means in a timely manner, at a charge no more
+    than the cost of distribution to the recipient; and
+
+(b) You may distribute such Executable Form under the terms of this
+    License, or sublicense it under different terms, provided that the
+    license for the Executable Form does not attempt to limit or alter
+    the recipients' rights in the Source Code Form under this License.
+
+3.3. Distribution of a Larger Work
+
+You may create and distribute a Larger Work under terms of Your choice,
+provided that You also comply with the requirements of this License for
+the Covered Software. If the Larger Work is a combination of Covered
+Software with a work governed by one or more Secondary Licenses, and the
+Covered Software is not Incompatible With Secondary Licenses, this
+License permits You to additionally distribute such Covered Software
+under the terms of such Secondary License(s), so that the recipient of
+the Larger Work may, at their option, further distribute the Covered
+Software under the terms of either this License or such Secondary
+License(s).
+
+3.4. Notices
+
+You may not remove or alter the substance of any license notices
+(including copyright notices, patent notices, disclaimers of warranty,
+or limitations of liability) contained within the Source Code Form of
+the Covered Software, except that You may alter any license notices to
+the extent required to remedy known factual inaccuracies.
+
+3.5. Application of Additional Terms
+
+You may choose to offer, and to charge a fee for, warranty, support,
+indemnity or liability obligations to one or more recipients of Covered
+Software. However, You may do so only on Your own behalf, and not on
+behalf of any Contributor. You must make it absolutely clear that any
+such warranty, support, indemnity, or liability obligation is offered by
+You alone, and You hereby agree to indemnify every Contributor for any
+liability incurred by such Contributor as a result of warranty, support,
+indemnity or liability terms You offer. You may include additional
+disclaimers of warranty and limitations of liability specific to any
+jurisdiction.
+
+4. Inability to Comply Due to Statute or Regulation
+---------------------------------------------------
+
+If it is impossible for You to comply with any of the terms of this
+License with respect to some or all of the Covered Software due to
+statute, judicial order, or regulation then You must: (a) comply with
+the terms of this License to the maximum extent possible; and (b)
+describe the limitations and the code they affect. Such description must
+be placed in a text file included with all distributions of the Covered
+Software under this License. Except to the extent prohibited by statute
+or regulation, such description must be sufficiently detailed for a
+recipient of ordinary skill to be able to understand it.
+
+5. Termination
+--------------
+
+5.1. The rights granted under this License will terminate automatically
+if You fail to comply with any of its terms. However, if You become
+compliant, then the rights granted under this License from a particular
+Contributor are reinstated (a) provisionally, unless and until such
+Contributor explicitly and finally terminates Your grants, and (b) on an
+ongoing basis, if such Contributor fails to notify You of the
+non-compliance by some reasonable means prior to 60 days after You have
+come back into compliance. Moreover, Your grants from a particular
+Contributor are reinstated on an ongoing basis if such Contributor
+notifies You of the non-compliance by some reasonable means, this is the
+first time You have received notice of non-compliance with this License
+from such Contributor, and You become compliant prior to 30 days after
+Your receipt of the notice.
+
+5.2. If You initiate litigation against any entity by asserting a patent
+infringement claim (excluding declaratory judgment actions,
+counter-claims, and cross-claims) alleging that a Contributor Version
+directly or indirectly infringes any patent, then the rights granted to
+You by any and all Contributors for the Covered Software under Section
+2.1 of this License shall terminate.
+
+5.3. In the event of termination under Sections 5.1 or 5.2 above, all
+end user license agreements (excluding distributors and resellers) which
+have been validly granted by You or Your distributors under this License
+prior to termination shall survive termination.
+
+************************************************************************
+*                                                                      *
+*  6. Disclaimer of Warranty                                           *
+*  -------------------------                                           *
+*                                                                      *
+*  Covered Software is provided under this License on an "as is"       *
+*  basis, without warranty of any kind, either expressed, implied, or  *
+*  statutory, including, without limitation, warranties that the       *
+*  Covered Software is free of defects, merchantable, fit for a        *
+*  particular purpose or non-infringing. The entire risk as to the     *
+*  quality and performance of the Covered Software is with You.        *
+*  Should any Covered Software prove defective in any respect, You     *
+*  (not any Contributor) assume the cost of any necessary servicing,   *
+*  repair, or correction. This disclaimer of warranty constitutes an   *
+*  essential part of this License. No use of any Covered Software is   *
+*  authorized under this License except under this disclaimer.         *
+*                                                                      *
+************************************************************************
+
+************************************************************************
+*                                                                      *
+*  7. Limitation of Liability                                          *
+*  --------------------------                                          *
+*                                                                      *
+*  Under no circumstances and under no legal theory, whether tort      *
+*  (including negligence), contract, or otherwise, shall any           *
+*  Contributor, or anyone who distributes Covered Software as          *
+*  permitted above, be liable to You for any direct, indirect,         *
+*  special, incidental, or consequential damages of any character      *
+*  including, without limitation, damages for lost profits, loss of    *
+*  goodwill, work stoppage, computer failure or malfunction, or any    *
+*  and all other commercial damages or losses, even if such party      *
+*  shall have been informed of the possibility of such damages. This   *
+*  limitation of liability shall not apply to liability for death or   *
+*  personal injury resulting from such party's negligence to the       *
+*  extent applicable law prohibits such limitation. Some               *
+*  jurisdictions do not allow the exclusion or limitation of           *
+*  incidental or consequential damages, so this exclusion and          *
+*  limitation may not apply to You.                                    *
+*                                                                      *
+************************************************************************
+
+8. Litigation
+-------------
+
+Any litigation relating to this License may be brought only in the
+courts of a jurisdiction where the defendant maintains its principal
+place of business and such litigation shall be governed by laws of that
+jurisdiction, without reference to its conflict-of-law provisions.
+Nothing in this Section shall prevent a party's ability to bring
+cross-claims or counter-claims.
+
+9. Miscellaneous
+----------------
+
+This License represents the complete agreement concerning the subject
+matter hereof. If any provision of this License is held to be
+unenforceable, such provision shall be reformed only to the extent
+necessary to make it enforceable. Any law or regulation which provides
+that the language of a contract shall be construed against the drafter
+shall not be used to construe this License against a Contributor.
+
+10. Versions of the License
+---------------------------
+
+10.1. New Versions
+
+Mozilla Foundation is the license steward. Except as provided in Section
+10.3, no one other than the license steward has the right to modify or
+publish new versions of this License. Each version will be given a
+distinguishing version number.
+
+10.2. Effect of New Versions
+
+You may distribute the Covered Software under the terms of the version
+of the License under which You originally received the Covered Software,
+or under the terms of any subsequent version published by the license
+steward.
+
+10.3. Modified Versions
+
+If you create software not governed by this License, and you want to
+create a new license for such software, you may create and use a
+modified version of this License if you rename the license and remove
+any references to the name of the license steward (except to note that
+such modified license differs from this License).
+
+10.4. Distributing Source Code Form that is Incompatible With Secondary
+Licenses
+
+If You choose to distribute Source Code Form that is Incompatible With
+Secondary Licenses under the terms of this version of the License, the
+notice described in Exhibit B of this License must be attached.
+
+Exhibit A - Source Code Form License Notice
+-------------------------------------------
+
+  This Source Code Form is subject to the terms of the Mozilla Public
+  License, v. 2.0. If a copy of the MPL was not distributed with this
+  file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+If it is not possible or desirable to put the notice in a particular
+file, then You may include the notice in a location (such as a LICENSE
+file in a relevant directory) where a recipient would be likely to look
+for such a notice.
+
+You may add additional accurate notices of copyright ownership.
+
+Exhibit B - "Incompatible With Secondary Licenses" Notice
+---------------------------------------------------------
+
+  This Source Code Form is "Incompatible With Secondary Licenses", as
+  defined by the Mozilla Public License, v. 2.0.
+```
diff --git a/vendor/github.com/cyphar/filepath-securejoin/LICENSE.BSD b/vendor/github.com/cyphar/filepath-securejoin/LICENSE.BSD
new file mode 100644
index 0000000000..cb1ab88da0
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/LICENSE.BSD
@@ -0,0 +1,28 @@
+Copyright (C) 2014-2015 Docker Inc & Go Authors. All rights reserved.
+Copyright (C) 2017-2024 SUSE LLC. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+   * Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+   * Redistributions in binary form must reproduce the above
+copyright notice, this list of conditions and the following disclaimer
+in the documentation and/or other materials provided with the
+distribution.
+   * Neither the name of Google Inc. nor the names of its
+contributors may be used to endorse or promote products derived from
+this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/vendor/github.com/cyphar/filepath-securejoin/LICENSE.MPL-2.0 b/vendor/github.com/cyphar/filepath-securejoin/LICENSE.MPL-2.0
new file mode 100644
index 0000000000..d0a1fa1482
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/LICENSE.MPL-2.0
@@ -0,0 +1,373 @@
+Mozilla Public License Version 2.0
+==================================
+
+1. Definitions
+--------------
+
+1.1. "Contributor"
+    means each individual or legal entity that creates, contributes to
+    the creation of, or owns Covered Software.
+
+1.2. "Contributor Version"
+    means the combination of the Contributions of others (if any) used
+    by a Contributor and that particular Contributor's Contribution.
+
+1.3. "Contribution"
+    means Covered Software of a particular Contributor.
+
+1.4. "Covered Software"
+    means Source Code Form to which the initial Contributor has attached
+    the notice in Exhibit A, the Executable Form of such Source Code
+    Form, and Modifications of such Source Code Form, in each case
+    including portions thereof.
+
+1.5. "Incompatible With Secondary Licenses"
+    means
+
+    (a) that the initial Contributor has attached the notice described
+        in Exhibit B to the Covered Software; or
+
+    (b) that the Covered Software was made available under the terms of
+        version 1.1 or earlier of the License, but not also under the
+        terms of a Secondary License.
+
+1.6. "Executable Form"
+    means any form of the work other than Source Code Form.
+
+1.7. "Larger Work"
+    means a work that combines Covered Software with other material, in
+    a separate file or files, that is not Covered Software.
+
+1.8. "License"
+    means this document.
+
+1.9. "Licensable"
+    means having the right to grant, to the maximum extent possible,
+    whether at the time of the initial grant or subsequently, any and
+    all of the rights conveyed by this License.
+
+1.10. "Modifications"
+    means any of the following:
+
+    (a) any file in Source Code Form that results from an addition to,
+        deletion from, or modification of the contents of Covered
+        Software; or
+
+    (b) any new file in Source Code Form that contains any Covered
+        Software.
+
+1.11. "Patent Claims" of a Contributor
+    means any patent claim(s), including without limitation, method,
+    process, and apparatus claims, in any patent Licensable by such
+    Contributor that would be infringed, but for the grant of the
+    License, by the making, using, selling, offering for sale, having
+    made, import, or transfer of either its Contributions or its
+    Contributor Version.
+
+1.12. "Secondary License"
+    means either the GNU General Public License, Version 2.0, the GNU
+    Lesser General Public License, Version 2.1, the GNU Affero General
+    Public License, Version 3.0, or any later versions of those
+    licenses.
+
+1.13. "Source Code Form"
+    means the form of the work preferred for making modifications.
+
+1.14. "You" (or "Your")
+    means an individual or a legal entity exercising rights under this
+    License. For legal entities, "You" includes any entity that
+    controls, is controlled by, or is under common control with You. For
+    purposes of this definition, "control" means (a) the power, direct
+    or indirect, to cause the direction or management of such entity,
+    whether by contract or otherwise, or (b) ownership of more than
+    fifty percent (50%) of the outstanding shares or beneficial
+    ownership of such entity.
+
+2. License Grants and Conditions
+--------------------------------
+
+2.1. Grants
+
+Each Contributor hereby grants You a world-wide, royalty-free,
+non-exclusive license:
+
+(a) under intellectual property rights (other than patent or trademark)
+    Licensable by such Contributor to use, reproduce, make available,
+    modify, display, perform, distribute, and otherwise exploit its
+    Contributions, either on an unmodified basis, with Modifications, or
+    as part of a Larger Work; and
+
+(b) under Patent Claims of such Contributor to make, use, sell, offer
+    for sale, have made, import, and otherwise transfer either its
+    Contributions or its Contributor Version.
+
+2.2. Effective Date
+
+The licenses granted in Section 2.1 with respect to any Contribution
+become effective for each Contribution on the date the Contributor first
+distributes such Contribution.
+
+2.3. Limitations on Grant Scope
+
+The licenses granted in this Section 2 are the only rights granted under
+this License. No additional rights or licenses will be implied from the
+distribution or licensing of Covered Software under this License.
+Notwithstanding Section 2.1(b) above, no patent license is granted by a
+Contributor:
+
+(a) for any code that a Contributor has removed from Covered Software;
+    or
+
+(b) for infringements caused by: (i) Your and any other third party's
+    modifications of Covered Software, or (ii) the combination of its
+    Contributions with other software (except as part of its Contributor
+    Version); or
+
+(c) under Patent Claims infringed by Covered Software in the absence of
+    its Contributions.
+
+This License does not grant any rights in the trademarks, service marks,
+or logos of any Contributor (except as may be necessary to comply with
+the notice requirements in Section 3.4).
+
+2.4. Subsequent Licenses
+
+No Contributor makes additional grants as a result of Your choice to
+distribute the Covered Software under a subsequent version of this
+License (see Section 10.2) or under the terms of a Secondary License (if
+permitted under the terms of Section 3.3).
+
+2.5. Representation
+
+Each Contributor represents that the Contributor believes its
+Contributions are its original creation(s) or it has sufficient rights
+to grant the rights to its Contributions conveyed by this License.
+
+2.6. Fair Use
+
+This License is not intended to limit any rights You have under
+applicable copyright doctrines of fair use, fair dealing, or other
+equivalents.
+
+2.7. Conditions
+
+Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted
+in Section 2.1.
+
+3. Responsibilities
+-------------------
+
+3.1. Distribution of Source Form
+
+All distribution of Covered Software in Source Code Form, including any
+Modifications that You create or to which You contribute, must be under
+the terms of this License. You must inform recipients that the Source
+Code Form of the Covered Software is governed by the terms of this
+License, and how they can obtain a copy of this License. You may not
+attempt to alter or restrict the recipients' rights in the Source Code
+Form.
+
+3.2. Distribution of Executable Form
+
+If You distribute Covered Software in Executable Form then:
+
+(a) such Covered Software must also be made available in Source Code
+    Form, as described in Section 3.1, and You must inform recipients of
+    the Executable Form how they can obtain a copy of such Source Code
+    Form by reasonable means in a timely manner, at a charge no more
+    than the cost of distribution to the recipient; and
+
+(b) You may distribute such Executable Form under the terms of this
+    License, or sublicense it under different terms, provided that the
+    license for the Executable Form does not attempt to limit or alter
+    the recipients' rights in the Source Code Form under this License.
+
+3.3. Distribution of a Larger Work
+
+You may create and distribute a Larger Work under terms of Your choice,
+provided that You also comply with the requirements of this License for
+the Covered Software. If the Larger Work is a combination of Covered
+Software with a work governed by one or more Secondary Licenses, and the
+Covered Software is not Incompatible With Secondary Licenses, this
+License permits You to additionally distribute such Covered Software
+under the terms of such Secondary License(s), so that the recipient of
+the Larger Work may, at their option, further distribute the Covered
+Software under the terms of either this License or such Secondary
+License(s).
+
+3.4. Notices
+
+You may not remove or alter the substance of any license notices
+(including copyright notices, patent notices, disclaimers of warranty,
+or limitations of liability) contained within the Source Code Form of
+the Covered Software, except that You may alter any license notices to
+the extent required to remedy known factual inaccuracies.
+
+3.5. Application of Additional Terms
+
+You may choose to offer, and to charge a fee for, warranty, support,
+indemnity or liability obligations to one or more recipients of Covered
+Software. However, You may do so only on Your own behalf, and not on
+behalf of any Contributor. You must make it absolutely clear that any
+such warranty, support, indemnity, or liability obligation is offered by
+You alone, and You hereby agree to indemnify every Contributor for any
+liability incurred by such Contributor as a result of warranty, support,
+indemnity or liability terms You offer. You may include additional
+disclaimers of warranty and limitations of liability specific to any
+jurisdiction.
+
+4. Inability to Comply Due to Statute or Regulation
+---------------------------------------------------
+
+If it is impossible for You to comply with any of the terms of this
+License with respect to some or all of the Covered Software due to
+statute, judicial order, or regulation then You must: (a) comply with
+the terms of this License to the maximum extent possible; and (b)
+describe the limitations and the code they affect. Such description must
+be placed in a text file included with all distributions of the Covered
+Software under this License. Except to the extent prohibited by statute
+or regulation, such description must be sufficiently detailed for a
+recipient of ordinary skill to be able to understand it.
+
+5. Termination
+--------------
+
+5.1. The rights granted under this License will terminate automatically
+if You fail to comply with any of its terms. However, if You become
+compliant, then the rights granted under this License from a particular
+Contributor are reinstated (a) provisionally, unless and until such
+Contributor explicitly and finally terminates Your grants, and (b) on an
+ongoing basis, if such Contributor fails to notify You of the
+non-compliance by some reasonable means prior to 60 days after You have
+come back into compliance. Moreover, Your grants from a particular
+Contributor are reinstated on an ongoing basis if such Contributor
+notifies You of the non-compliance by some reasonable means, this is the
+first time You have received notice of non-compliance with this License
+from such Contributor, and You become compliant prior to 30 days after
+Your receipt of the notice.
+
+5.2. If You initiate litigation against any entity by asserting a patent
+infringement claim (excluding declaratory judgment actions,
+counter-claims, and cross-claims) alleging that a Contributor Version
+directly or indirectly infringes any patent, then the rights granted to
+You by any and all Contributors for the Covered Software under Section
+2.1 of this License shall terminate.
+
+5.3. In the event of termination under Sections 5.1 or 5.2 above, all
+end user license agreements (excluding distributors and resellers) which
+have been validly granted by You or Your distributors under this License
+prior to termination shall survive termination.
+
+************************************************************************
+*                                                                      *
+*  6. Disclaimer of Warranty                                           *
+*  -------------------------                                           *
+*                                                                      *
+*  Covered Software is provided under this License on an "as is"       *
+*  basis, without warranty of any kind, either expressed, implied, or  *
+*  statutory, including, without limitation, warranties that the       *
+*  Covered Software is free of defects, merchantable, fit for a        *
+*  particular purpose or non-infringing. The entire risk as to the     *
+*  quality and performance of the Covered Software is with You.        *
+*  Should any Covered Software prove defective in any respect, You     *
+*  (not any Contributor) assume the cost of any necessary servicing,   *
+*  repair, or correction. This disclaimer of warranty constitutes an   *
+*  essential part of this License. No use of any Covered Software is   *
+*  authorized under this License except under this disclaimer.         *
+*                                                                      *
+************************************************************************
+
+************************************************************************
+*                                                                      *
+*  7. Limitation of Liability                                          *
+*  --------------------------                                          *
+*                                                                      *
+*  Under no circumstances and under no legal theory, whether tort      *
+*  (including negligence), contract, or otherwise, shall any           *
+*  Contributor, or anyone who distributes Covered Software as          *
+*  permitted above, be liable to You for any direct, indirect,         *
+*  special, incidental, or consequential damages of any character      *
+*  including, without limitation, damages for lost profits, loss of    *
+*  goodwill, work stoppage, computer failure or malfunction, or any    *
+*  and all other commercial damages or losses, even if such party      *
+*  shall have been informed of the possibility of such damages. This   *
+*  limitation of liability shall not apply to liability for death or   *
+*  personal injury resulting from such party's negligence to the       *
+*  extent applicable law prohibits such limitation. Some               *
+*  jurisdictions do not allow the exclusion or limitation of           *
+*  incidental or consequential damages, so this exclusion and          *
+*  limitation may not apply to You.                                    *
+*                                                                      *
+************************************************************************
+
+8. Litigation
+-------------
+
+Any litigation relating to this License may be brought only in the
+courts of a jurisdiction where the defendant maintains its principal
+place of business and such litigation shall be governed by laws of that
+jurisdiction, without reference to its conflict-of-law provisions.
+Nothing in this Section shall prevent a party's ability to bring
+cross-claims or counter-claims.
+
+9. Miscellaneous
+----------------
+
+This License represents the complete agreement concerning the subject
+matter hereof. If any provision of this License is held to be
+unenforceable, such provision shall be reformed only to the extent
+necessary to make it enforceable. Any law or regulation which provides
+that the language of a contract shall be construed against the drafter
+shall not be used to construe this License against a Contributor.
+
+10. Versions of the License
+---------------------------
+
+10.1. New Versions
+
+Mozilla Foundation is the license steward. Except as provided in Section
+10.3, no one other than the license steward has the right to modify or
+publish new versions of this License. Each version will be given a
+distinguishing version number.
+
+10.2. Effect of New Versions
+
+You may distribute the Covered Software under the terms of the version
+of the License under which You originally received the Covered Software,
+or under the terms of any subsequent version published by the license
+steward.
+
+10.3. Modified Versions
+
+If you create software not governed by this License, and you want to
+create a new license for such software, you may create and use a
+modified version of this License if you rename the license and remove
+any references to the name of the license steward (except to note that
+such modified license differs from this License).
+
+10.4. Distributing Source Code Form that is Incompatible With Secondary
+Licenses
+
+If You choose to distribute Source Code Form that is Incompatible With
+Secondary Licenses under the terms of this version of the License, the
+notice described in Exhibit B of this License must be attached.
+
+Exhibit A - Source Code Form License Notice
+-------------------------------------------
+
+  This Source Code Form is subject to the terms of the Mozilla Public
+  License, v. 2.0. If a copy of the MPL was not distributed with this
+  file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+If it is not possible or desirable to put the notice in a particular
+file, then You may include the notice in a location (such as a LICENSE
+file in a relevant directory) where a recipient would be likely to look
+for such a notice.
+
+You may add additional accurate notices of copyright ownership.
+
+Exhibit B - "Incompatible With Secondary Licenses" Notice
+---------------------------------------------------------
+
+  This Source Code Form is "Incompatible With Secondary Licenses", as
+  defined by the Mozilla Public License, v. 2.0.
diff --git a/vendor/github.com/cyphar/filepath-securejoin/internal/consts/consts.go b/vendor/github.com/cyphar/filepath-securejoin/internal/consts/consts.go
new file mode 100644
index 0000000000..c69c4da91e
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/internal/consts/consts.go
@@ -0,0 +1,15 @@
+// SPDX-License-Identifier: BSD-3-Clause
+
+// Copyright (C) 2014-2015 Docker Inc & Go Authors. All rights reserved.
+// Copyright (C) 2017-2025 SUSE LLC. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package consts contains the definitions of internal constants used
+// throughout filepath-securejoin.
+package consts
+
+// MaxSymlinkLimit is the maximum number of symlinks that can be encountered
+// during a single lookup before returning -ELOOP. At time of writing, Linux
+// has an internal limit of 40.
+const MaxSymlinkLimit = 255
diff --git a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/README.md b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/README.md
new file mode 100644
index 0000000000..bb95b028c6
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/README.md
@@ -0,0 +1,35 @@
+## `pathrs-lite` ##
+
+`github.com/cyphar/filepath-securejoin/pathrs-lite` provides a minimal **pure
+Go** implementation of the core bits of [libpathrs][]. This is not intended to
+be a complete replacement for libpathrs, instead it is mainly intended to be
+useful as a transition tool for existing Go projects.
+
+`pathrs-lite` also provides a very easy way to switch to `libpathrs` (even for
+downstreams where `pathrs-lite` is being used in a third-party package and is
+not interested in using CGo). At build time, if you use the `libpathrs` build
+tag then `pathrs-lite` will use `libpathrs` directly instead of the pure Go
+implementation. The two backends are functionally equivalent (and we have
+integration tests to verify this), so this migration should be very easy with
+no user-visible impact.
+
+[libpathrs]: https://github.com/cyphar/libpathrs
+
+### License ###
+
+Most of this subpackage is licensed under the Mozilla Public License (version
+2.0). For more information, see the top-level [COPYING.md][] and
+[LICENSE.MPL-2.0][] files, as well as the individual license headers for each
+file.
+
+```
+Copyright (C) 2024-2025 Aleksa Sarai 
+Copyright (C) 2024-2025 SUSE LLC
+
+This Source Code Form is subject to the terms of the Mozilla Public
+License, v. 2.0. If a copy of the MPL was not distributed with this
+file, You can obtain one at https://mozilla.org/MPL/2.0/.
+```
+
+[COPYING.md]: ../COPYING.md
+[LICENSE.MPL-2.0]: ../LICENSE.MPL-2.0
diff --git a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/doc.go b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/doc.go
new file mode 100644
index 0000000000..61411da37a
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/doc.go
@@ -0,0 +1,16 @@
+// SPDX-License-Identifier: MPL-2.0
+
+//go:build linux
+
+// Copyright (C) 2024-2025 Aleksa Sarai 
+// Copyright (C) 2024-2025 SUSE LLC
+//
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+// Package pathrs (pathrs-lite) is a less complete pure Go implementation of
+// some of the APIs provided by [libpathrs].
+//
+// [libpathrs]: https://github.com/cyphar/libpathrs
+package pathrs
diff --git a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/assert/assert.go b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/assert/assert.go
new file mode 100644
index 0000000000..595dfbf1ac
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/assert/assert.go
@@ -0,0 +1,30 @@
+// SPDX-License-Identifier: MPL-2.0
+
+// Copyright (C) 2025 Aleksa Sarai 
+// Copyright (C) 2025 SUSE LLC
+//
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+// Package assert provides some basic assertion helpers for Go.
+package assert
+
+import (
+	"fmt"
+)
+
+// Assert panics if the predicate is false with the provided argument.
+func Assert(predicate bool, msg any) {
+	if !predicate {
+		panic(msg)
+	}
+}
+
+// Assertf panics if the predicate is false and formats the message using the
+// same formatting as [fmt.Printf].
+//
+// [fmt.Printf]: https://pkg.go.dev/fmt#Printf
+func Assertf(predicate bool, fmtMsg string, args ...any) {
+	Assert(predicate, fmt.Sprintf(fmtMsg, args...))
+}
diff --git a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/errors_linux.go b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/errors_linux.go
new file mode 100644
index 0000000000..d0b200f4f9
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/errors_linux.go
@@ -0,0 +1,41 @@
+// SPDX-License-Identifier: MPL-2.0
+
+//go:build linux
+
+// Copyright (C) 2024-2025 Aleksa Sarai 
+// Copyright (C) 2024-2025 SUSE LLC
+//
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+// Package internal contains unexported common code for filepath-securejoin.
+package internal
+
+import (
+	"errors"
+
+	"golang.org/x/sys/unix"
+)
+
+type xdevErrorish struct {
+	description string
+}
+
+func (err xdevErrorish) Error() string        { return err.description }
+func (err xdevErrorish) Is(target error) bool { return target == unix.EXDEV }
+
+var (
+	// ErrPossibleAttack indicates that some attack was detected.
+	ErrPossibleAttack error = xdevErrorish{"possible attack detected"}
+
+	// ErrPossibleBreakout indicates that during an operation we ended up in a
+	// state that could be a breakout but we detected it.
+	ErrPossibleBreakout error = xdevErrorish{"possible breakout detected"}
+
+	// ErrInvalidDirectory indicates an unlinked directory.
+	ErrInvalidDirectory = errors.New("wandered into deleted directory")
+
+	// ErrDeletedInode indicates an unlinked file (non-directory).
+	ErrDeletedInode = errors.New("cannot verify path of deleted inode")
+)
diff --git a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/fd/at_linux.go b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/fd/at_linux.go
new file mode 100644
index 0000000000..0910549130
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/fd/at_linux.go
@@ -0,0 +1,148 @@
+// SPDX-License-Identifier: MPL-2.0
+
+//go:build linux
+
+// Copyright (C) 2024-2025 Aleksa Sarai 
+// Copyright (C) 2024-2025 SUSE LLC
+//
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+package fd
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+	"runtime"
+
+	"golang.org/x/sys/unix"
+
+	"github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gocompat"
+)
+
+// prepareAtWith returns -EBADF (an invalid fd) if dir is nil, otherwise using
+// the dir.Fd(). We use -EBADF because in filepath-securejoin we generally
+// don't want to allow relative-to-cwd paths. The returned path is an
+// *informational* string that describes a reasonable pathname for the given
+// *at(2) arguments. You must not use the full path for any actual filesystem
+// operations.
+func prepareAt(dir Fd, path string) (dirFd int, unsafeUnmaskedPath string) {
+	dirFd, dirPath := -int(unix.EBADF), "."
+	if dir != nil {
+		dirFd, dirPath = int(dir.Fd()), dir.Name()
+	}
+	if !filepath.IsAbs(path) {
+		// only prepend the dirfd path for relative paths
+		path = dirPath + "/" + path
+	}
+	// NOTE: If path is "." or "", the returned path won't be filepath.Clean,
+	// but that's okay since this path is either used for errors (in which case
+	// a trailing "/" or "/." is important information) or will be
+	// filepath.Clean'd later (in the case of fd.Openat).
+	return dirFd, path
+}
+
+// Openat is an [Fd]-based wrapper around unix.Openat.
+func Openat(dir Fd, path string, flags int, mode int) (*os.File, error) { //nolint:unparam // wrapper func
+	dirFd, fullPath := prepareAt(dir, path)
+	// Make sure we always set O_CLOEXEC.
+	flags |= unix.O_CLOEXEC
+	fd, err := unix.Openat(dirFd, path, flags, uint32(mode))
+	if err != nil {
+		return nil, &os.PathError{Op: "openat", Path: fullPath, Err: err}
+	}
+	runtime.KeepAlive(dir)
+	// openat is only used with lexically-safe paths so we can use
+	// filepath.Clean here, and also the path itself is not going to be used
+	// for actual path operations.
+	fullPath = filepath.Clean(fullPath)
+	return os.NewFile(uintptr(fd), fullPath), nil
+}
+
+// Fstatat is an [Fd]-based wrapper around unix.Fstatat.
+func Fstatat(dir Fd, path string, flags int) (unix.Stat_t, error) {
+	dirFd, fullPath := prepareAt(dir, path)
+	var stat unix.Stat_t
+	if err := unix.Fstatat(dirFd, path, &stat, flags); err != nil {
+		return stat, &os.PathError{Op: "fstatat", Path: fullPath, Err: err}
+	}
+	runtime.KeepAlive(dir)
+	return stat, nil
+}
+
+// Faccessat is an [Fd]-based wrapper around unix.Faccessat.
+func Faccessat(dir Fd, path string, mode uint32, flags int) error {
+	dirFd, fullPath := prepareAt(dir, path)
+	err := unix.Faccessat(dirFd, path, mode, flags)
+	if err != nil {
+		err = &os.PathError{Op: "faccessat", Path: fullPath, Err: err}
+	}
+	runtime.KeepAlive(dir)
+	return err
+}
+
+// Readlinkat is an [Fd]-based wrapper around unix.Readlinkat.
+func Readlinkat(dir Fd, path string) (string, error) {
+	dirFd, fullPath := prepareAt(dir, path)
+	size := 4096
+	for {
+		linkBuf := make([]byte, size)
+		n, err := unix.Readlinkat(dirFd, path, linkBuf)
+		if err != nil {
+			return "", &os.PathError{Op: "readlinkat", Path: fullPath, Err: err}
+		}
+		runtime.KeepAlive(dir)
+		if n != size {
+			return string(linkBuf[:n]), nil
+		}
+		// Possible truncation, resize the buffer.
+		size *= 2
+	}
+}
+
+const (
+	// STATX_MNT_ID_UNIQUE is provided in golang.org/x/sys@v0.20.0, but in order to
+	// avoid bumping the requirement for a single constant we can just define it
+	// ourselves.
+	_STATX_MNT_ID_UNIQUE = 0x4000 //nolint:revive // unix.* name
+
+	// We don't care which mount ID we get. The kernel will give us the unique
+	// one if it is supported. If the kernel doesn't support
+	// STATX_MNT_ID_UNIQUE, the bit is ignored and the returned request mask
+	// will only contain STATX_MNT_ID (if supported).
+	wantStatxMntMask = _STATX_MNT_ID_UNIQUE | unix.STATX_MNT_ID
+)
+
+var hasStatxMountID = gocompat.SyncOnceValue(func() bool {
+	var stx unix.Statx_t
+	err := unix.Statx(-int(unix.EBADF), "/", 0, wantStatxMntMask, &stx)
+	return err == nil && stx.Mask&wantStatxMntMask != 0
+})
+
+// GetMountID gets the mount identifier associated with the fd and path
+// combination. It is effectively a wrapper around fetching
+// STATX_MNT_ID{,_UNIQUE} with unix.Statx, but with a fallback to 0 if the
+// kernel doesn't support the feature.
+func GetMountID(dir Fd, path string) (uint64, error) {
+	// If we don't have statx(STATX_MNT_ID*) support, we can't do anything.
+	if !hasStatxMountID() {
+		return 0, nil
+	}
+
+	dirFd, fullPath := prepareAt(dir, path)
+
+	var stx unix.Statx_t
+	err := unix.Statx(dirFd, path, unix.AT_EMPTY_PATH|unix.AT_SYMLINK_NOFOLLOW, wantStatxMntMask, &stx)
+	if stx.Mask&wantStatxMntMask == 0 {
+		// It's not a kernel limitation, for some reason we couldn't get a
+		// mount ID. Assume it's some kind of attack.
+		err = fmt.Errorf("could not get mount id: %w", err)
+	}
+	if err != nil {
+		return 0, &os.PathError{Op: "statx(STATX_MNT_ID_...)", Path: fullPath, Err: err}
+	}
+	runtime.KeepAlive(dir)
+	return stx.Mnt_id, nil
+}
diff --git a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/fd/fd.go b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/fd/fd.go
new file mode 100644
index 0000000000..d2206a386f
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/fd/fd.go
@@ -0,0 +1,55 @@
+// SPDX-License-Identifier: MPL-2.0
+
+// Copyright (C) 2025 Aleksa Sarai 
+// Copyright (C) 2025 SUSE LLC
+//
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+// Package fd provides a drop-in interface-based replacement of [*os.File] that
+// allows for things like noop-Close wrappers to be used.
+//
+// [*os.File]: https://pkg.go.dev/os#File
+package fd
+
+import (
+	"io"
+	"os"
+)
+
+// Fd is an interface that mirrors most of the API of [*os.File], allowing you
+// to create wrappers that can be used in place of [*os.File].
+//
+// [*os.File]: https://pkg.go.dev/os#File
+type Fd interface {
+	io.Closer
+	Name() string
+	Fd() uintptr
+}
+
+// Compile-time interface checks.
+var (
+	_ Fd = (*os.File)(nil)
+	_ Fd = noClose{}
+)
+
+type noClose struct{ inner Fd }
+
+func (f noClose) Name() string { return f.inner.Name() }
+func (f noClose) Fd() uintptr  { return f.inner.Fd() }
+
+func (f noClose) Close() error { return nil }
+
+// NopCloser returns an [*os.File]-like object where the [Close] method is now
+// a no-op.
+//
+// Note that for [*os.File] and similar objects, the Go garbage collector will
+// still call [Close] on the underlying file unless you use
+// [runtime.SetFinalizer] to disable this behaviour. This is up to the caller
+// to do (if necessary).
+//
+// [*os.File]: https://pkg.go.dev/os#File
+// [Close]: https://pkg.go.dev/io#Closer
+// [runtime.SetFinalizer]: https://pkg.go.dev/runtime#SetFinalizer
+func NopCloser(f Fd) Fd { return noClose{inner: f} }
diff --git a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/fd/fd_linux.go b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/fd/fd_linux.go
new file mode 100644
index 0000000000..e1ec3c0b8e
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/fd/fd_linux.go
@@ -0,0 +1,78 @@
+// SPDX-License-Identifier: MPL-2.0
+
+//go:build linux
+
+// Copyright (C) 2024-2025 Aleksa Sarai 
+// Copyright (C) 2024-2025 SUSE LLC
+//
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+package fd
+
+import (
+	"fmt"
+	"os"
+	"runtime"
+
+	"golang.org/x/sys/unix"
+
+	"github.com/cyphar/filepath-securejoin/pathrs-lite/internal"
+)
+
+// DupWithName creates a new file descriptor referencing the same underlying
+// file, but with the provided name instead of fd.Name().
+func DupWithName(fd Fd, name string) (*os.File, error) {
+	fd2, err := unix.FcntlInt(fd.Fd(), unix.F_DUPFD_CLOEXEC, 0)
+	if err != nil {
+		return nil, os.NewSyscallError("fcntl(F_DUPFD_CLOEXEC)", err)
+	}
+	runtime.KeepAlive(fd)
+	return os.NewFile(uintptr(fd2), name), nil
+}
+
+// Dup creates a new file description referencing the same underlying file.
+func Dup(fd Fd) (*os.File, error) {
+	return DupWithName(fd, fd.Name())
+}
+
+// Fstat is an [Fd]-based wrapper around unix.Fstat.
+func Fstat(fd Fd) (unix.Stat_t, error) {
+	var stat unix.Stat_t
+	if err := unix.Fstat(int(fd.Fd()), &stat); err != nil {
+		return stat, &os.PathError{Op: "fstat", Path: fd.Name(), Err: err}
+	}
+	runtime.KeepAlive(fd)
+	return stat, nil
+}
+
+// Fstatfs is an [Fd]-based wrapper around unix.Fstatfs.
+func Fstatfs(fd Fd) (unix.Statfs_t, error) {
+	var statfs unix.Statfs_t
+	if err := unix.Fstatfs(int(fd.Fd()), &statfs); err != nil {
+		return statfs, &os.PathError{Op: "fstatfs", Path: fd.Name(), Err: err}
+	}
+	runtime.KeepAlive(fd)
+	return statfs, nil
+}
+
+// IsDeadInode detects whether the file has been unlinked from a filesystem and
+// is thus a "dead inode" from the kernel's perspective.
+func IsDeadInode(file Fd) error {
+	// If the nlink of a file drops to 0, there is an attacker deleting
+	// directories during our walk, which could result in weird /proc values.
+	// It's better to error out in this case.
+	stat, err := Fstat(file)
+	if err != nil {
+		return fmt.Errorf("check for dead inode: %w", err)
+	}
+	if stat.Nlink == 0 {
+		err := internal.ErrDeletedInode
+		if stat.Mode&unix.S_IFMT == unix.S_IFDIR {
+			err = internal.ErrInvalidDirectory
+		}
+		return fmt.Errorf("%w %q", err, file.Name())
+	}
+	return nil
+}
diff --git a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/fd/mount_linux.go b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/fd/mount_linux.go
new file mode 100644
index 0000000000..77549c7a99
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/fd/mount_linux.go
@@ -0,0 +1,54 @@
+// SPDX-License-Identifier: MPL-2.0
+
+//go:build linux
+
+// Copyright (C) 2024-2025 Aleksa Sarai 
+// Copyright (C) 2024-2025 SUSE LLC
+//
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+package fd
+
+import (
+	"os"
+	"runtime"
+
+	"golang.org/x/sys/unix"
+)
+
+// Fsopen is an [Fd]-based wrapper around unix.Fsopen.
+func Fsopen(fsName string, flags int) (*os.File, error) {
+	// Make sure we always set O_CLOEXEC.
+	flags |= unix.FSOPEN_CLOEXEC
+	fd, err := unix.Fsopen(fsName, flags)
+	if err != nil {
+		return nil, os.NewSyscallError("fsopen "+fsName, err)
+	}
+	return os.NewFile(uintptr(fd), "fscontext:"+fsName), nil
+}
+
+// Fsmount is an [Fd]-based wrapper around unix.Fsmount.
+func Fsmount(ctx Fd, flags, mountAttrs int) (*os.File, error) {
+	// Make sure we always set O_CLOEXEC.
+	flags |= unix.FSMOUNT_CLOEXEC
+	fd, err := unix.Fsmount(int(ctx.Fd()), flags, mountAttrs)
+	if err != nil {
+		return nil, os.NewSyscallError("fsmount "+ctx.Name(), err)
+	}
+	return os.NewFile(uintptr(fd), "fsmount:"+ctx.Name()), nil
+}
+
+// OpenTree is an [Fd]-based wrapper around unix.OpenTree.
+func OpenTree(dir Fd, path string, flags uint) (*os.File, error) {
+	dirFd, fullPath := prepareAt(dir, path)
+	// Make sure we always set O_CLOEXEC.
+	flags |= unix.OPEN_TREE_CLOEXEC
+	fd, err := unix.OpenTree(dirFd, path, flags)
+	if err != nil {
+		return nil, &os.PathError{Op: "open_tree", Path: fullPath, Err: err}
+	}
+	runtime.KeepAlive(dir)
+	return os.NewFile(uintptr(fd), fullPath), nil
+}
diff --git a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/fd/openat2_linux.go b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/fd/openat2_linux.go
new file mode 100644
index 0000000000..3e937fe3c1
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/fd/openat2_linux.go
@@ -0,0 +1,62 @@
+// SPDX-License-Identifier: MPL-2.0
+
+//go:build linux
+
+// Copyright (C) 2024-2025 Aleksa Sarai 
+// Copyright (C) 2024-2025 SUSE LLC
+//
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+package fd
+
+import (
+	"errors"
+	"os"
+	"runtime"
+
+	"golang.org/x/sys/unix"
+)
+
+func scopedLookupShouldRetry(how *unix.OpenHow, err error) bool {
+	// RESOLVE_IN_ROOT (and RESOLVE_BENEATH) can return -EAGAIN if we resolve
+	// ".." while a mount or rename occurs anywhere on the system. This could
+	// happen spuriously, or as the result of an attacker trying to mess with
+	// us during lookup.
+	//
+	// In addition, scoped lookups have a "safety check" at the end of
+	// complete_walk which will return -EXDEV if the final path is not in the
+	// root.
+	return how.Resolve&(unix.RESOLVE_IN_ROOT|unix.RESOLVE_BENEATH) != 0 &&
+		(errors.Is(err, unix.EAGAIN) || errors.Is(err, unix.EXDEV))
+}
+
+// This is a fairly arbitrary limit we have just to avoid an attacker being
+// able to make us spin in an infinite retry loop -- callers can choose to
+// retry on EAGAIN if they prefer.
+const scopedLookupMaxRetries = 128
+
+// Openat2 is an [Fd]-based wrapper around unix.Openat2, but with some retry
+// logic in case of EAGAIN errors.
+func Openat2(dir Fd, path string, how *unix.OpenHow) (*os.File, error) {
+	dirFd, fullPath := prepareAt(dir, path)
+	// Make sure we always set O_CLOEXEC.
+	how.Flags |= unix.O_CLOEXEC
+	var tries int
+	for {
+		fd, err := unix.Openat2(dirFd, path, how)
+		if err != nil {
+			if scopedLookupShouldRetry(how, err) && tries < scopedLookupMaxRetries {
+				// We retry a couple of times to avoid the spurious errors, and
+				// if we are being attacked then returning -EAGAIN is the best
+				// we can do.
+				tries++
+				continue
+			}
+			return nil, &os.PathError{Op: "openat2", Path: fullPath, Err: err}
+		}
+		runtime.KeepAlive(dir)
+		return os.NewFile(uintptr(fd), fullPath), nil
+	}
+}
diff --git a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gocompat/README.md b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gocompat/README.md
new file mode 100644
index 0000000000..5dcb6ae007
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gocompat/README.md
@@ -0,0 +1,10 @@
+## gocompat ##
+
+This directory contains backports of stdlib functions from later Go versions so
+the filepath-securejoin can continue to be used by projects that are stuck with
+Go 1.18 support. Note that often filepath-securejoin is added in security
+patches for old releases, so avoiding the need to bump Go compiler requirements
+is a huge plus to downstreams.
+
+The source code is licensed under the same license as the Go stdlib. See the
+source files for the precise license information.
diff --git a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gocompat/doc.go b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gocompat/doc.go
new file mode 100644
index 0000000000..4b1803f580
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gocompat/doc.go
@@ -0,0 +1,13 @@
+// SPDX-License-Identifier: BSD-3-Clause
+//go:build linux && go1.20
+
+// Copyright (C) 2025 SUSE LLC. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package gocompat includes compatibility shims (backported from future Go
+// stdlib versions) to permit filepath-securejoin to be used with older Go
+// versions (often filepath-securejoin is added in security patches for old
+// releases, so avoiding the need to bump Go compiler requirements is a huge
+// plus to downstreams).
+package gocompat
diff --git a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gocompat/gocompat_errors_go120.go b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gocompat/gocompat_errors_go120.go
new file mode 100644
index 0000000000..4a114bd3da
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gocompat/gocompat_errors_go120.go
@@ -0,0 +1,19 @@
+// SPDX-License-Identifier: BSD-3-Clause
+//go:build linux && go1.20
+
+// Copyright (C) 2024 SUSE LLC. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package gocompat
+
+import (
+	"fmt"
+)
+
+// WrapBaseError is a helper that is equivalent to fmt.Errorf("%w: %w"), except
+// that on pre-1.20 Go versions only errors.Is() works properly (errors.Unwrap)
+// is only guaranteed to give you baseErr.
+func WrapBaseError(baseErr, extraErr error) error {
+	return fmt.Errorf("%w: %w", extraErr, baseErr)
+}
diff --git a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gocompat/gocompat_errors_unsupported.go b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gocompat/gocompat_errors_unsupported.go
new file mode 100644
index 0000000000..3061016a6a
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gocompat/gocompat_errors_unsupported.go
@@ -0,0 +1,40 @@
+// SPDX-License-Identifier: BSD-3-Clause
+
+//go:build linux && !go1.20
+
+// Copyright (C) 2024 SUSE LLC. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package gocompat
+
+import (
+	"fmt"
+)
+
+type wrappedError struct {
+	inner   error
+	isError error
+}
+
+func (err wrappedError) Is(target error) bool {
+	return err.isError == target
+}
+
+func (err wrappedError) Unwrap() error {
+	return err.inner
+}
+
+func (err wrappedError) Error() string {
+	return fmt.Sprintf("%v: %v", err.isError, err.inner)
+}
+
+// WrapBaseError is a helper that is equivalent to fmt.Errorf("%w: %w"), except
+// that on pre-1.20 Go versions only errors.Is() works properly (errors.Unwrap)
+// is only guaranteed to give you baseErr.
+func WrapBaseError(baseErr, extraErr error) error {
+	return wrappedError{
+		inner:   baseErr,
+		isError: extraErr,
+	}
+}
diff --git a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gocompat/gocompat_generics_go121.go b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gocompat/gocompat_generics_go121.go
new file mode 100644
index 0000000000..d4a938186e
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gocompat/gocompat_generics_go121.go
@@ -0,0 +1,53 @@
+// SPDX-License-Identifier: BSD-3-Clause
+
+//go:build linux && go1.21
+
+// Copyright (C) 2024-2025 SUSE LLC. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package gocompat
+
+import (
+	"cmp"
+	"slices"
+	"sync"
+)
+
+// SlicesDeleteFunc is equivalent to Go 1.21's slices.DeleteFunc.
+func SlicesDeleteFunc[S ~[]E, E any](slice S, delFn func(E) bool) S {
+	return slices.DeleteFunc(slice, delFn)
+}
+
+// SlicesContains is equivalent to Go 1.21's slices.Contains.
+func SlicesContains[S ~[]E, E comparable](slice S, val E) bool {
+	return slices.Contains(slice, val)
+}
+
+// SlicesClone is equivalent to Go 1.21's slices.Clone.
+func SlicesClone[S ~[]E, E any](slice S) S {
+	return slices.Clone(slice)
+}
+
+// SyncOnceValue is equivalent to Go 1.21's sync.OnceValue.
+func SyncOnceValue[T any](f func() T) func() T {
+	return sync.OnceValue(f)
+}
+
+// SyncOnceValues is equivalent to Go 1.21's sync.OnceValues.
+func SyncOnceValues[T1, T2 any](f func() (T1, T2)) func() (T1, T2) {
+	return sync.OnceValues(f)
+}
+
+// CmpOrdered is equivalent to Go 1.21's cmp.Ordered generic type definition.
+type CmpOrdered = cmp.Ordered
+
+// CmpCompare is equivalent to Go 1.21's cmp.Compare.
+func CmpCompare[T CmpOrdered](x, y T) int {
+	return cmp.Compare(x, y)
+}
+
+// Max2 is equivalent to Go 1.21's max builtin (but only for two parameters).
+func Max2[T CmpOrdered](x, y T) T {
+	return max(x, y)
+}
diff --git a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gocompat/gocompat_generics_unsupported.go b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gocompat/gocompat_generics_unsupported.go
new file mode 100644
index 0000000000..0ea6218aa6
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gocompat/gocompat_generics_unsupported.go
@@ -0,0 +1,187 @@
+// SPDX-License-Identifier: BSD-3-Clause
+
+//go:build linux && !go1.21
+
+// Copyright (C) 2021, 2022 The Go Authors. All rights reserved.
+// Copyright (C) 2024-2025 SUSE LLC. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE.BSD file.
+
+package gocompat
+
+import (
+	"sync"
+)
+
+// These are very minimal implementations of functions that appear in Go 1.21's
+// stdlib, included so that we can build on older Go versions. Most are
+// borrowed directly from the stdlib, and a few are modified to be "obviously
+// correct" without needing to copy too many other helpers.
+
+// clearSlice is equivalent to Go 1.21's builtin clear.
+// Copied from the Go 1.24 stdlib implementation.
+func clearSlice[S ~[]E, E any](slice S) {
+	var zero E
+	for i := range slice {
+		slice[i] = zero
+	}
+}
+
+// slicesIndexFunc is equivalent to Go 1.21's slices.IndexFunc.
+// Copied from the Go 1.24 stdlib implementation.
+func slicesIndexFunc[S ~[]E, E any](s S, f func(E) bool) int {
+	for i := range s {
+		if f(s[i]) {
+			return i
+		}
+	}
+	return -1
+}
+
+// SlicesDeleteFunc is equivalent to Go 1.21's slices.DeleteFunc.
+// Copied from the Go 1.24 stdlib implementation.
+func SlicesDeleteFunc[S ~[]E, E any](s S, del func(E) bool) S {
+	i := slicesIndexFunc(s, del)
+	if i == -1 {
+		return s
+	}
+	// Don't start copying elements until we find one to delete.
+	for j := i + 1; j < len(s); j++ {
+		if v := s[j]; !del(v) {
+			s[i] = v
+			i++
+		}
+	}
+	clearSlice(s[i:]) // zero/nil out the obsolete elements, for GC
+	return s[:i]
+}
+
+// SlicesContains is equivalent to Go 1.21's slices.Contains.
+// Similar to the stdlib slices.Contains, except that we don't have
+// slices.Index so we need to use slices.IndexFunc for this non-Func helper.
+func SlicesContains[S ~[]E, E comparable](s S, v E) bool {
+	return slicesIndexFunc(s, func(e E) bool { return e == v }) >= 0
+}
+
+// SlicesClone is equivalent to Go 1.21's slices.Clone.
+// Copied from the Go 1.24 stdlib implementation.
+func SlicesClone[S ~[]E, E any](s S) S {
+	// Preserve nil in case it matters.
+	if s == nil {
+		return nil
+	}
+	return append(S([]E{}), s...)
+}
+
+// SyncOnceValue is equivalent to Go 1.21's sync.OnceValue.
+// Copied from the Go 1.25 stdlib implementation.
+func SyncOnceValue[T any](f func() T) func() T {
+	// Use a struct so that there's a single heap allocation.
+	d := struct {
+		f      func() T
+		once   sync.Once
+		valid  bool
+		p      any
+		result T
+	}{
+		f: f,
+	}
+	return func() T {
+		d.once.Do(func() {
+			defer func() {
+				d.f = nil
+				d.p = recover()
+				if !d.valid {
+					panic(d.p)
+				}
+			}()
+			d.result = d.f()
+			d.valid = true
+		})
+		if !d.valid {
+			panic(d.p)
+		}
+		return d.result
+	}
+}
+
+// SyncOnceValues is equivalent to Go 1.21's sync.OnceValues.
+// Copied from the Go 1.25 stdlib implementation.
+func SyncOnceValues[T1, T2 any](f func() (T1, T2)) func() (T1, T2) {
+	// Use a struct so that there's a single heap allocation.
+	d := struct {
+		f     func() (T1, T2)
+		once  sync.Once
+		valid bool
+		p     any
+		r1    T1
+		r2    T2
+	}{
+		f: f,
+	}
+	return func() (T1, T2) {
+		d.once.Do(func() {
+			defer func() {
+				d.f = nil
+				d.p = recover()
+				if !d.valid {
+					panic(d.p)
+				}
+			}()
+			d.r1, d.r2 = d.f()
+			d.valid = true
+		})
+		if !d.valid {
+			panic(d.p)
+		}
+		return d.r1, d.r2
+	}
+}
+
+// CmpOrdered is equivalent to Go 1.21's cmp.Ordered generic type definition.
+// Copied from the Go 1.25 stdlib implementation.
+type CmpOrdered interface {
+	~int | ~int8 | ~int16 | ~int32 | ~int64 |
+		~uint | ~uint8 | ~uint16 | ~uint32 | ~uint64 | ~uintptr |
+		~float32 | ~float64 |
+		~string
+}
+
+// isNaN reports whether x is a NaN without requiring the math package.
+// This will always return false if T is not floating-point.
+// Copied from the Go 1.25 stdlib implementation.
+func isNaN[T CmpOrdered](x T) bool {
+	return x != x
+}
+
+// CmpCompare is equivalent to Go 1.21's cmp.Compare.
+// Copied from the Go 1.25 stdlib implementation.
+func CmpCompare[T CmpOrdered](x, y T) int {
+	xNaN := isNaN(x)
+	yNaN := isNaN(y)
+	if xNaN {
+		if yNaN {
+			return 0
+		}
+		return -1
+	}
+	if yNaN {
+		return +1
+	}
+	if x < y {
+		return -1
+	}
+	if x > y {
+		return +1
+	}
+	return 0
+}
+
+// Max2 is equivalent to Go 1.21's max builtin for two parameters.
+func Max2[T CmpOrdered](x, y T) T {
+	m := x
+	if y > m {
+		m = y
+	}
+	return m
+}
diff --git a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gopathrs/doc.go b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gopathrs/doc.go
new file mode 100644
index 0000000000..2ddb71e844
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gopathrs/doc.go
@@ -0,0 +1,16 @@
+// SPDX-License-Identifier: MPL-2.0
+
+//go:build linux
+
+// Copyright (C) 2024-2025 Aleksa Sarai 
+// Copyright (C) 2024-2025 SUSE LLC
+//
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+// Package gopathrs is a less complete pure Go implementation of some of the
+// APIs provided by [libpathrs].
+//
+// [libpathrs]: https://github.com/cyphar/libpathrs
+package gopathrs
diff --git a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gopathrs/lookup_linux.go b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gopathrs/lookup_linux.go
new file mode 100644
index 0000000000..56480f0cee
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gopathrs/lookup_linux.go
@@ -0,0 +1,399 @@
+// SPDX-License-Identifier: MPL-2.0
+
+//go:build linux
+
+// Copyright (C) 2024-2025 Aleksa Sarai 
+// Copyright (C) 2024-2025 SUSE LLC
+//
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+package gopathrs
+
+import (
+	"errors"
+	"fmt"
+	"os"
+	"path"
+	"path/filepath"
+	"strings"
+
+	"golang.org/x/sys/unix"
+
+	"github.com/cyphar/filepath-securejoin/internal/consts"
+	"github.com/cyphar/filepath-securejoin/pathrs-lite/internal/fd"
+	"github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gocompat"
+	"github.com/cyphar/filepath-securejoin/pathrs-lite/internal/linux"
+	"github.com/cyphar/filepath-securejoin/pathrs-lite/internal/procfs"
+)
+
+type symlinkStackEntry struct {
+	// (dir, remainingPath) is what we would've returned if the link didn't
+	// exist. This matches what openat2(RESOLVE_IN_ROOT) would return in
+	// this case.
+	dir           *os.File
+	remainingPath string
+	// linkUnwalked is the remaining path components from the original
+	// Readlink which we have yet to walk. When this slice is empty, we
+	// drop the link from the stack.
+	linkUnwalked []string
+}
+
+func (se symlinkStackEntry) String() string {
+	return fmt.Sprintf("<%s>/%s [->%s]", se.dir.Name(), se.remainingPath, strings.Join(se.linkUnwalked, "/"))
+}
+
+func (se symlinkStackEntry) Close() {
+	_ = se.dir.Close()
+}
+
+type symlinkStack []*symlinkStackEntry
+
+func (s *symlinkStack) IsEmpty() bool {
+	return s == nil || len(*s) == 0
+}
+
+func (s *symlinkStack) Close() {
+	if s != nil {
+		for _, link := range *s {
+			link.Close()
+		}
+		// TODO: Switch to clear once we switch to Go 1.21.
+		*s = nil
+	}
+}
+
+var (
+	errEmptyStack         = errors.New("[internal] stack is empty")
+	errBrokenSymlinkStack = errors.New("[internal error] broken symlink stack")
+)
+
+func (s *symlinkStack) popPart(part string) error {
+	if s == nil || s.IsEmpty() {
+		// If there is nothing in the symlink stack, then the part was from the
+		// real path provided by the user, and this is a no-op.
+		return errEmptyStack
+	}
+	if part == "." {
+		// "." components are no-ops -- we drop them when doing SwapLink.
+		return nil
+	}
+
+	tailEntry := (*s)[len(*s)-1]
+
+	// Double-check that we are popping the component we expect.
+	if len(tailEntry.linkUnwalked) == 0 {
+		return fmt.Errorf("%w: trying to pop component %q of empty stack entry %s", errBrokenSymlinkStack, part, tailEntry)
+	}
+	headPart := tailEntry.linkUnwalked[0]
+	if headPart != part {
+		return fmt.Errorf("%w: trying to pop component %q but the last stack entry is %s (%q)", errBrokenSymlinkStack, part, tailEntry, headPart)
+	}
+
+	// Drop the component, but keep the entry around in case we are dealing
+	// with a "tail-chained" symlink.
+	tailEntry.linkUnwalked = tailEntry.linkUnwalked[1:]
+	return nil
+}
+
+func (s *symlinkStack) PopPart(part string) error {
+	if err := s.popPart(part); err != nil {
+		if errors.Is(err, errEmptyStack) {
+			// Skip empty stacks.
+			err = nil
+		}
+		return err
+	}
+
+	// Clean up any of the trailing stack entries that are empty.
+	for lastGood := len(*s) - 1; lastGood >= 0; lastGood-- {
+		entry := (*s)[lastGood]
+		if len(entry.linkUnwalked) > 0 {
+			break
+		}
+		entry.Close()
+		(*s) = (*s)[:lastGood]
+	}
+	return nil
+}
+
+func (s *symlinkStack) push(dir *os.File, remainingPath, linkTarget string) error {
+	if s == nil {
+		return nil
+	}
+	// Split the link target and clean up any "" parts.
+	linkTargetParts := gocompat.SlicesDeleteFunc(
+		strings.Split(linkTarget, "/"),
+		func(part string) bool { return part == "" || part == "." })
+
+	// Copy the directory so the caller doesn't close our copy.
+	dirCopy, err := fd.Dup(dir)
+	if err != nil {
+		return err
+	}
+
+	// Add to the stack.
+	*s = append(*s, &symlinkStackEntry{
+		dir:           dirCopy,
+		remainingPath: remainingPath,
+		linkUnwalked:  linkTargetParts,
+	})
+	return nil
+}
+
+func (s *symlinkStack) SwapLink(linkPart string, dir *os.File, remainingPath, linkTarget string) error {
+	// If we are currently inside a symlink resolution, remove the symlink
+	// component from the last symlink entry, but don't remove the entry even
+	// if it's empty. If we are a "tail-chained" symlink (a trailing symlink we
+	// hit during a symlink resolution) we need to keep the old symlink until
+	// we finish the resolution.
+	if err := s.popPart(linkPart); err != nil {
+		if !errors.Is(err, errEmptyStack) {
+			return err
+		}
+		// Push the component regardless of whether the stack was empty.
+	}
+	return s.push(dir, remainingPath, linkTarget)
+}
+
+func (s *symlinkStack) PopTopSymlink() (*os.File, string, bool) {
+	if s == nil || s.IsEmpty() {
+		return nil, "", false
+	}
+	tailEntry := (*s)[0]
+	*s = (*s)[1:]
+	return tailEntry.dir, tailEntry.remainingPath, true
+}
+
+// PartialLookupInRoot tries to lookup as much of the request path as possible
+// within the provided root (a-la RESOLVE_IN_ROOT) and opens the final existing
+// component of the requested path, returning a file handle to the final
+// existing component and a string containing the remaining path components.
+func PartialLookupInRoot(root fd.Fd, unsafePath string) (*os.File, string, error) {
+	return lookupInRoot(root, unsafePath, true)
+}
+
+func completeLookupInRoot(root fd.Fd, unsafePath string) (*os.File, error) {
+	handle, remainingPath, err := lookupInRoot(root, unsafePath, false)
+	if remainingPath != "" && err == nil {
+		// should never happen
+		err = fmt.Errorf("[bug] non-empty remaining path when doing a non-partial lookup: %q", remainingPath)
+	}
+	// lookupInRoot(partial=false) will always close the handle if an error is
+	// returned, so no need to double-check here.
+	return handle, err
+}
+
+func lookupInRoot(root fd.Fd, unsafePath string, partial bool) (Handle *os.File, _ string, _ error) {
+	unsafePath = filepath.ToSlash(unsafePath) // noop
+
+	// This is very similar to SecureJoin, except that we operate on the
+	// components using file descriptors. We then return the last component we
+	// managed open, along with the remaining path components not opened.
+
+	// Try to use openat2 if possible.
+	if linux.HasOpenat2() {
+		return lookupOpenat2(root, unsafePath, partial)
+	}
+
+	// Get the "actual" root path from /proc/self/fd. This is necessary if the
+	// root is some magic-link like /proc/$pid/root, in which case we want to
+	// make sure when we do procfs.CheckProcSelfFdPath that we are using the
+	// correct root path.
+	logicalRootPath, err := procfs.ProcSelfFdReadlink(root)
+	if err != nil {
+		return nil, "", fmt.Errorf("get real root path: %w", err)
+	}
+
+	currentDir, err := fd.Dup(root)
+	if err != nil {
+		return nil, "", fmt.Errorf("clone root fd: %w", err)
+	}
+	defer func() {
+		// If a handle is not returned, close the internal handle.
+		if Handle == nil {
+			_ = currentDir.Close()
+		}
+	}()
+
+	// symlinkStack is used to emulate how openat2(RESOLVE_IN_ROOT) treats
+	// dangling symlinks. If we hit a non-existent path while resolving a
+	// symlink, we need to return the (dir, remainingPath) that we had when we
+	// hit the symlink (treating the symlink as though it were a regular file).
+	// The set of (dir, remainingPath) sets is stored within the symlinkStack
+	// and we add and remove parts when we hit symlink and non-symlink
+	// components respectively. We need a stack because of recursive symlinks
+	// (symlinks that contain symlink components in their target).
+	//
+	// Note that the stack is ONLY used for book-keeping. All of the actual
+	// path walking logic is still based on currentPath/remainingPath and
+	// currentDir (as in SecureJoin).
+	var symStack *symlinkStack
+	if partial {
+		symStack = new(symlinkStack)
+		defer symStack.Close()
+	}
+
+	var (
+		linksWalked   int
+		currentPath   string
+		remainingPath = unsafePath
+	)
+	for remainingPath != "" {
+		// Save the current remaining path so if the part is not real we can
+		// return the path including the component.
+		oldRemainingPath := remainingPath
+
+		// Get the next path component.
+		var part string
+		if i := strings.IndexByte(remainingPath, '/'); i == -1 {
+			part, remainingPath = remainingPath, ""
+		} else {
+			part, remainingPath = remainingPath[:i], remainingPath[i+1:]
+		}
+		// If we hit an empty component, we need to treat it as though it is
+		// "." so that trailing "/" and "//" components on a non-directory
+		// correctly return the right error code.
+		if part == "" {
+			part = "."
+		}
+
+		// Apply the component lexically to the path we are building.
+		// currentPath does not contain any symlinks, and we are lexically
+		// dealing with a single component, so it's okay to do a filepath.Clean
+		// here.
+		nextPath := path.Join("/", currentPath, part)
+		// If we logically hit the root, just clone the root rather than
+		// opening the part and doing all of the other checks.
+		if nextPath == "/" {
+			if err := symStack.PopPart(part); err != nil {
+				return nil, "", fmt.Errorf("walking into root with part %q failed: %w", part, err)
+			}
+			// Jump to root.
+			rootClone, err := fd.Dup(root)
+			if err != nil {
+				return nil, "", fmt.Errorf("clone root fd: %w", err)
+			}
+			_ = currentDir.Close()
+			currentDir = rootClone
+			currentPath = nextPath
+			continue
+		}
+
+		// Try to open the next component.
+		nextDir, err := fd.Openat(currentDir, part, unix.O_PATH|unix.O_NOFOLLOW|unix.O_CLOEXEC, 0)
+		switch err {
+		case nil:
+			st, err := nextDir.Stat()
+			if err != nil {
+				_ = nextDir.Close()
+				return nil, "", fmt.Errorf("stat component %q: %w", part, err)
+			}
+
+			switch st.Mode() & os.ModeType { //nolint:exhaustive // just a glorified if statement
+			case os.ModeSymlink:
+				// readlinkat implies AT_EMPTY_PATH since Linux 2.6.39. See
+				// Linux commit 65cfc6722361 ("readlinkat(), fchownat() and
+				// fstatat() with empty relative pathnames").
+				linkDest, err := fd.Readlinkat(nextDir, "")
+				// We don't need the handle anymore.
+				_ = nextDir.Close()
+				if err != nil {
+					return nil, "", err
+				}
+
+				linksWalked++
+				if linksWalked > consts.MaxSymlinkLimit {
+					return nil, "", &os.PathError{Op: "securejoin.lookupInRoot", Path: logicalRootPath + "/" + unsafePath, Err: unix.ELOOP}
+				}
+
+				// Swap out the symlink's component for the link entry itself.
+				if err := symStack.SwapLink(part, currentDir, oldRemainingPath, linkDest); err != nil {
+					return nil, "", fmt.Errorf("walking into symlink %q failed: push symlink: %w", part, err)
+				}
+
+				// Update our logical remaining path.
+				remainingPath = linkDest + "/" + remainingPath
+				// Absolute symlinks reset any work we've already done.
+				if path.IsAbs(linkDest) {
+					// Jump to root.
+					rootClone, err := fd.Dup(root)
+					if err != nil {
+						return nil, "", fmt.Errorf("clone root fd: %w", err)
+					}
+					_ = currentDir.Close()
+					currentDir = rootClone
+					currentPath = "/"
+				}
+
+			default:
+				// If we are dealing with a directory, simply walk into it.
+				_ = currentDir.Close()
+				currentDir = nextDir
+				currentPath = nextPath
+
+				// The part was real, so drop it from the symlink stack.
+				if err := symStack.PopPart(part); err != nil {
+					return nil, "", fmt.Errorf("walking into directory %q failed: %w", part, err)
+				}
+
+				// If we are operating on a .., make sure we haven't escaped.
+				// We only have to check for ".." here because walking down
+				// into a regular component component cannot cause you to
+				// escape. This mirrors the logic in RESOLVE_IN_ROOT, except we
+				// have to check every ".." rather than only checking after a
+				// rename or mount on the system.
+				if part == ".." {
+					// Make sure the root hasn't moved.
+					if err := procfs.CheckProcSelfFdPath(logicalRootPath, root); err != nil {
+						return nil, "", fmt.Errorf("root path moved during lookup: %w", err)
+					}
+					// Make sure the path is what we expect.
+					fullPath := logicalRootPath + nextPath
+					if err := procfs.CheckProcSelfFdPath(fullPath, currentDir); err != nil {
+						return nil, "", fmt.Errorf("walking into %q had unexpected result: %w", part, err)
+					}
+				}
+			}
+
+		default:
+			if !partial {
+				return nil, "", err
+			}
+			// If there are any remaining components in the symlink stack, we
+			// are still within a symlink resolution and thus we hit a dangling
+			// symlink. So pretend that the first symlink in the stack we hit
+			// was an ENOENT (to match openat2).
+			if oldDir, remainingPath, ok := symStack.PopTopSymlink(); ok {
+				_ = currentDir.Close()
+				return oldDir, remainingPath, err
+			}
+			// We have hit a final component that doesn't exist, so we have our
+			// partial open result. Note that we have to use the OLD remaining
+			// path, since the lookup failed.
+			return currentDir, oldRemainingPath, err
+		}
+	}
+
+	// If the unsafePath had a trailing slash, we need to make sure we try to
+	// do a relative "." open so that we will correctly return an error when
+	// the final component is a non-directory (to match openat2). In the
+	// context of openat2, a trailing slash and a trailing "/." are completely
+	// equivalent.
+	if strings.HasSuffix(unsafePath, "/") {
+		nextDir, err := fd.Openat(currentDir, ".", unix.O_PATH|unix.O_NOFOLLOW|unix.O_CLOEXEC, 0)
+		if err != nil {
+			if !partial {
+				_ = currentDir.Close()
+				currentDir = nil
+			}
+			return currentDir, "", err
+		}
+		_ = currentDir.Close()
+		currentDir = nextDir
+	}
+
+	// All of the components existed!
+	return currentDir, "", nil
+}
diff --git a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gopathrs/mkdir_linux.go b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gopathrs/mkdir_linux.go
new file mode 100644
index 0000000000..21a5593f44
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gopathrs/mkdir_linux.go
@@ -0,0 +1,212 @@
+// SPDX-License-Identifier: MPL-2.0
+
+//go:build linux
+
+// Copyright (C) 2024-2025 Aleksa Sarai 
+// Copyright (C) 2024-2025 SUSE LLC
+//
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+package gopathrs
+
+import (
+	"errors"
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"golang.org/x/sys/unix"
+
+	"github.com/cyphar/filepath-securejoin/pathrs-lite/internal/fd"
+	"github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gocompat"
+	"github.com/cyphar/filepath-securejoin/pathrs-lite/internal/linux"
+	"github.com/cyphar/filepath-securejoin/pathrs-lite/internal/procfs"
+)
+
+// ErrInvalidMode is returned from [MkdirAll] when the requested mode is
+// invalid.
+var ErrInvalidMode = errors.New("invalid permission mode")
+
+// modePermExt is like os.ModePerm except that it also includes the set[ug]id
+// and sticky bits.
+const modePermExt = os.ModePerm | os.ModeSetuid | os.ModeSetgid | os.ModeSticky
+
+//nolint:cyclop // this function needs to handle a lot of cases
+func toUnixMode(mode os.FileMode) (uint32, error) {
+	sysMode := uint32(mode.Perm())
+	if mode&os.ModeSetuid != 0 {
+		sysMode |= unix.S_ISUID
+	}
+	if mode&os.ModeSetgid != 0 {
+		sysMode |= unix.S_ISGID
+	}
+	if mode&os.ModeSticky != 0 {
+		sysMode |= unix.S_ISVTX
+	}
+	// We don't allow file type bits.
+	if mode&os.ModeType != 0 {
+		return 0, fmt.Errorf("%w %+.3o (%s): type bits not permitted", ErrInvalidMode, mode, mode)
+	}
+	// We don't allow other unknown modes.
+	if mode&^modePermExt != 0 || sysMode&unix.S_IFMT != 0 {
+		return 0, fmt.Errorf("%w %+.3o (%s): unknown mode bits", ErrInvalidMode, mode, mode)
+	}
+	return sysMode, nil
+}
+
+// MkdirAllHandle is equivalent to [MkdirAll], except that it is safer to use
+// in two respects:
+//
+//   - The caller provides the root directory as an *[os.File] (preferably O_PATH)
+//     handle. This means that the caller can be sure which root directory is
+//     being used. Note that this can be emulated by using /proc/self/fd/... as
+//     the root path with [os.MkdirAll].
+//
+//   - Once all of the directories have been created, an *[os.File] O_PATH handle
+//     to the directory at unsafePath is returned to the caller. This is done in
+//     an effectively-race-free way (an attacker would only be able to swap the
+//     final directory component), which is not possible to emulate with
+//     [MkdirAll].
+//
+// In addition, the returned handle is obtained far more efficiently than doing
+// a brand new lookup of unsafePath (such as with [SecureJoin] or openat2) after
+// doing [MkdirAll]. If you intend to open the directory after creating it, you
+// should use MkdirAllHandle.
+//
+// [SecureJoin]: https://pkg.go.dev/github.com/cyphar/filepath-securejoin#SecureJoin
+func MkdirAllHandle(root *os.File, unsafePath string, mode os.FileMode) (_ *os.File, Err error) {
+	unixMode, err := toUnixMode(mode)
+	if err != nil {
+		return nil, err
+	}
+	// On Linux, mkdirat(2) (and os.Mkdir) silently ignore the suid and sgid
+	// bits. We could also silently ignore them but since we have very few
+	// users it seems more prudent to return an error so users notice that
+	// these bits will not be set.
+	if unixMode&^0o1777 != 0 {
+		return nil, fmt.Errorf("%w for mkdir %+.3o: suid and sgid are ignored by mkdir", ErrInvalidMode, mode)
+	}
+
+	// Try to open as much of the path as possible.
+	currentDir, remainingPath, err := PartialLookupInRoot(root, unsafePath)
+	defer func() {
+		if Err != nil {
+			_ = currentDir.Close()
+		}
+	}()
+	if err != nil && !errors.Is(err, unix.ENOENT) {
+		return nil, fmt.Errorf("find existing subpath of %q: %w", unsafePath, err)
+	}
+
+	// If there is an attacker deleting directories as we walk into them,
+	// detect this proactively. Note this is guaranteed to detect if the
+	// attacker deleted any part of the tree up to currentDir.
+	//
+	// Once we walk into a dead directory, partialLookupInRoot would not be
+	// able to walk further down the tree (directories must be empty before
+	// they are deleted), and if the attacker has removed the entire tree we
+	// can be sure that anything that was originally inside a dead directory
+	// must also be deleted and thus is a dead directory in its own right.
+	//
+	// This is mostly a quality-of-life check, because mkdir will simply fail
+	// later if the attacker deletes the tree after this check.
+	if err := fd.IsDeadInode(currentDir); err != nil {
+		return nil, fmt.Errorf("finding existing subpath of %q: %w", unsafePath, err)
+	}
+
+	// Re-open the path to match the O_DIRECTORY reopen loop later (so that we
+	// always return a non-O_PATH handle). We also check that we actually got a
+	// directory.
+	if reopenDir, err := procfs.ReopenFd(currentDir, unix.O_DIRECTORY|unix.O_CLOEXEC); errors.Is(err, unix.ENOTDIR) {
+		return nil, fmt.Errorf("cannot create subdirectories in %q: %w", currentDir.Name(), unix.ENOTDIR)
+	} else if err != nil {
+		return nil, fmt.Errorf("re-opening handle to %q: %w", currentDir.Name(), err)
+	} else { //nolint:revive // indent-error-flow lint doesn't make sense here
+		_ = currentDir.Close()
+		currentDir = reopenDir
+	}
+
+	remainingParts := strings.Split(remainingPath, string(filepath.Separator))
+	if gocompat.SlicesContains(remainingParts, "..") {
+		// The path contained ".." components after the end of the "real"
+		// components. We could try to safely resolve ".." here but that would
+		// add a bunch of extra logic for something that it's not clear even
+		// needs to be supported. So just return an error.
+		//
+		// If we do filepath.Clean(remainingPath) then we end up with the
+		// problem that ".." can erase a trailing dangling symlink and produce
+		// a path that doesn't quite match what the user asked for.
+		return nil, fmt.Errorf("%w: yet-to-be-created path %q contains '..' components", unix.ENOENT, remainingPath)
+	}
+
+	// Create the remaining components.
+	for _, part := range remainingParts {
+		switch part {
+		case "", ".":
+			// Skip over no-op paths.
+			continue
+		}
+
+		// NOTE: mkdir(2) will not follow trailing symlinks, so we can safely
+		// create the final component without worrying about symlink-exchange
+		// attacks.
+		//
+		// If we get -EEXIST, it's possible that another program created the
+		// directory at the same time as us. In that case, just continue on as
+		// if we created it (if the created inode is not a directory, the
+		// following open call will fail).
+		if err := unix.Mkdirat(int(currentDir.Fd()), part, unixMode); err != nil && !errors.Is(err, unix.EEXIST) {
+			err = &os.PathError{Op: "mkdirat", Path: currentDir.Name() + "/" + part, Err: err}
+			// Make the error a bit nicer if the directory is dead.
+			if deadErr := fd.IsDeadInode(currentDir); deadErr != nil {
+				// TODO: Once we bump the minimum Go version to 1.20, we can use
+				// multiple %w verbs for this wrapping. For now we need to use a
+				// compatibility shim for older Go versions.
+				// err = fmt.Errorf("%w (%w)", err, deadErr)
+				err = gocompat.WrapBaseError(err, deadErr)
+			}
+			return nil, err
+		}
+
+		// Get a handle to the next component. O_DIRECTORY means we don't need
+		// to use O_PATH.
+		var nextDir *os.File
+		if linux.HasOpenat2() {
+			nextDir, err = openat2(currentDir, part, &unix.OpenHow{
+				Flags:   unix.O_NOFOLLOW | unix.O_DIRECTORY | unix.O_CLOEXEC,
+				Resolve: unix.RESOLVE_BENEATH | unix.RESOLVE_NO_SYMLINKS | unix.RESOLVE_NO_XDEV,
+			})
+		} else {
+			nextDir, err = fd.Openat(currentDir, part, unix.O_NOFOLLOW|unix.O_DIRECTORY|unix.O_CLOEXEC, 0)
+		}
+		if err != nil {
+			return nil, err
+		}
+		_ = currentDir.Close()
+		currentDir = nextDir
+
+		// It's possible that the directory we just opened was swapped by an
+		// attacker. Unfortunately there isn't much we can do to protect
+		// against this, and MkdirAll's behaviour is that we will reuse
+		// existing directories anyway so the need to protect against this is
+		// incredibly limited (and arguably doesn't even deserve mention here).
+		//
+		// Ideally we might want to check that the owner and mode match what we
+		// would've created -- unfortunately, it is non-trivial to verify that
+		// the owner and mode of the created directory match. While plain Unix
+		// DAC rules seem simple enough to emulate, there are a bunch of other
+		// factors that can change the mode or owner of created directories
+		// (default POSIX ACLs, mount options like uid=1,gid=2,umask=0 on
+		// filesystems like vfat, etc etc). We used to try to verify this but
+		// it just lead to a series of spurious errors.
+		//
+		// We could also check that the directory is non-empty, but
+		// unfortunately some pseduofilesystems (like cgroupfs) create
+		// non-empty directories, which would result in different spurious
+		// errors.
+	}
+	return currentDir, nil
+}
diff --git a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gopathrs/open_linux.go b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gopathrs/open_linux.go
new file mode 100644
index 0000000000..cd9632a958
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gopathrs/open_linux.go
@@ -0,0 +1,26 @@
+// SPDX-License-Identifier: MPL-2.0
+
+//go:build linux
+
+// Copyright (C) 2024-2025 Aleksa Sarai 
+// Copyright (C) 2024-2025 SUSE LLC
+//
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+package gopathrs
+
+import (
+	"os"
+)
+
+// OpenatInRoot is equivalent to [OpenInRoot], except that the root is provided
+// using an *[os.File] handle, to ensure that the correct root directory is used.
+func OpenatInRoot(root *os.File, unsafePath string) (*os.File, error) {
+	handle, err := completeLookupInRoot(root, unsafePath)
+	if err != nil {
+		return nil, &os.PathError{Op: "securejoin.OpenInRoot", Path: unsafePath, Err: err}
+	}
+	return handle, nil
+}
diff --git a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gopathrs/openat2_linux.go b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gopathrs/openat2_linux.go
new file mode 100644
index 0000000000..b80ecd0895
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gopathrs/openat2_linux.go
@@ -0,0 +1,101 @@
+// SPDX-License-Identifier: MPL-2.0
+
+//go:build linux
+
+// Copyright (C) 2024-2025 Aleksa Sarai 
+// Copyright (C) 2024-2025 SUSE LLC
+//
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+package gopathrs
+
+import (
+	"errors"
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"golang.org/x/sys/unix"
+
+	"github.com/cyphar/filepath-securejoin/pathrs-lite/internal/fd"
+	"github.com/cyphar/filepath-securejoin/pathrs-lite/procfs"
+)
+
+func openat2(dir fd.Fd, path string, how *unix.OpenHow) (*os.File, error) {
+	file, err := fd.Openat2(dir, path, how)
+	if err != nil {
+		return nil, err
+	}
+	// If we are using RESOLVE_IN_ROOT, the name we generated may be wrong.
+	if how.Resolve&unix.RESOLVE_IN_ROOT == unix.RESOLVE_IN_ROOT {
+		if actualPath, err := procfs.ProcSelfFdReadlink(file); err == nil {
+			// TODO: Ideally we would not need to dup the fd, but you cannot
+			//       easily just swap an *os.File with one from the same fd
+			//       (the GC will close the old one, and you cannot clear the
+			//       finaliser easily because it is associated with an internal
+			//       field of *os.File not *os.File itself).
+			newFile, err := fd.DupWithName(file, actualPath)
+			if err != nil {
+				return nil, err
+			}
+			file = newFile
+		}
+	}
+	return file, nil
+}
+
+func lookupOpenat2(root fd.Fd, unsafePath string, partial bool) (*os.File, string, error) {
+	if !partial {
+		file, err := openat2(root, unsafePath, &unix.OpenHow{
+			Flags:   unix.O_PATH | unix.O_CLOEXEC,
+			Resolve: unix.RESOLVE_IN_ROOT | unix.RESOLVE_NO_MAGICLINKS,
+		})
+		return file, "", err
+	}
+	return partialLookupOpenat2(root, unsafePath)
+}
+
+// partialLookupOpenat2 is an alternative implementation of
+// partialLookupInRoot, using openat2(RESOLVE_IN_ROOT) to more safely get a
+// handle to the deepest existing child of the requested path within the root.
+func partialLookupOpenat2(root fd.Fd, unsafePath string) (*os.File, string, error) {
+	// TODO: Implement this as a git-bisect-like binary search.
+
+	unsafePath = filepath.ToSlash(unsafePath) // noop
+	endIdx := len(unsafePath)
+	var lastError error
+	for endIdx > 0 {
+		subpath := unsafePath[:endIdx]
+
+		handle, err := openat2(root, subpath, &unix.OpenHow{
+			Flags:   unix.O_PATH | unix.O_CLOEXEC,
+			Resolve: unix.RESOLVE_IN_ROOT | unix.RESOLVE_NO_MAGICLINKS,
+		})
+		if err == nil {
+			// Jump over the slash if we have a non-"" remainingPath.
+			if endIdx < len(unsafePath) {
+				endIdx++
+			}
+			// We found a subpath!
+			return handle, unsafePath[endIdx:], lastError
+		}
+		if errors.Is(err, unix.ENOENT) || errors.Is(err, unix.ENOTDIR) {
+			// That path doesn't exist, let's try the next directory up.
+			endIdx = strings.LastIndexByte(subpath, '/')
+			lastError = err
+			continue
+		}
+		return nil, "", fmt.Errorf("open subpath: %w", err)
+	}
+	// If we couldn't open anything, the whole subpath is missing. Return a
+	// copy of the root fd so that the caller doesn't close this one by
+	// accident.
+	rootClone, err := fd.Dup(root)
+	if err != nil {
+		return nil, "", err
+	}
+	return rootClone, unsafePath, lastError
+}
diff --git a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/kernelversion/kernel_linux.go b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/kernelversion/kernel_linux.go
new file mode 100644
index 0000000000..cb6de41861
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/kernelversion/kernel_linux.go
@@ -0,0 +1,123 @@
+// SPDX-License-Identifier: BSD-3-Clause
+
+// Copyright (C) 2022 The Go Authors. All rights reserved.
+// Copyright (C) 2025 SUSE LLC. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE.BSD file.
+
+// The parsing logic is very loosely based on the Go stdlib's
+// src/internal/syscall/unix/kernel_version_linux.go but with an API that looks
+// a bit like runc's libcontainer/system/kernelversion.
+//
+// TODO(cyphar): This API has been copied around to a lot of different projects
+// (Docker, containerd, runc, and now filepath-securejoin) -- maybe we should
+// put it in a separate project?
+
+// Package kernelversion provides a simple mechanism for checking whether the
+// running kernel is at least as new as some baseline kernel version. This is
+// often useful when checking for features that would be too complicated to
+// test support for (or in cases where we know that some kernel features in
+// backport-heavy kernels are broken and need to be avoided).
+package kernelversion
+
+import (
+	"bytes"
+	"errors"
+	"fmt"
+	"strconv"
+	"strings"
+
+	"golang.org/x/sys/unix"
+
+	"github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gocompat"
+)
+
+// KernelVersion is a numeric representation of the key numerical elements of a
+// kernel version (for instance, "4.1.2-default-1" would be represented as
+// KernelVersion{4, 1, 2}).
+type KernelVersion []uint64
+
+func (kver KernelVersion) String() string {
+	var str strings.Builder
+	for idx, elem := range kver {
+		if idx != 0 {
+			_, _ = str.WriteRune('.')
+		}
+		_, _ = str.WriteString(strconv.FormatUint(elem, 10))
+	}
+	return str.String()
+}
+
+var errInvalidKernelVersion = errors.New("invalid kernel version")
+
+// parseKernelVersion parses a string and creates a KernelVersion based on it.
+func parseKernelVersion(kverStr string) (KernelVersion, error) {
+	kver := make(KernelVersion, 1, 3)
+	for idx, ch := range kverStr {
+		if '0' <= ch && ch <= '9' {
+			v := &kver[len(kver)-1]
+			*v = (*v * 10) + uint64(ch-'0')
+		} else {
+			if idx == 0 || kverStr[idx-1] < '0' || '9' < kverStr[idx-1] {
+				// "." must be preceded by a digit while in version section
+				return nil, fmt.Errorf("%w %q: kernel version has dot(s) followed by non-digit in version section", errInvalidKernelVersion, kverStr)
+			}
+			if ch != '.' {
+				break
+			}
+			kver = append(kver, 0)
+		}
+	}
+	if len(kver) < 2 {
+		return nil, fmt.Errorf("%w %q: kernel versions must contain at least two components", errInvalidKernelVersion, kverStr)
+	}
+	return kver, nil
+}
+
+// getKernelVersion gets the current kernel version.
+var getKernelVersion = gocompat.SyncOnceValues(func() (KernelVersion, error) {
+	var uts unix.Utsname
+	if err := unix.Uname(&uts); err != nil {
+		return nil, err
+	}
+	// Remove the \x00 from the release.
+	release := uts.Release[:]
+	return parseKernelVersion(string(release[:bytes.IndexByte(release, 0)]))
+})
+
+// GreaterEqualThan returns true if the the host kernel version is greater than
+// or equal to the provided [KernelVersion]. When doing this comparison, any
+// non-numerical suffixes of the host kernel version are ignored.
+//
+// If the number of components provided is not equal to the number of numerical
+// components of the host kernel version, any missing components are treated as
+// 0. This means that GreaterEqualThan(KernelVersion{4}) will be treated the
+// same as GreaterEqualThan(KernelVersion{4, 0, 0, ..., 0, 0}), and that if the
+// host kernel version is "4" then GreaterEqualThan(KernelVersion{4, 1}) will
+// return false (because the host version will be treated as "4.0").
+func GreaterEqualThan(wantKver KernelVersion) (bool, error) {
+	hostKver, err := getKernelVersion()
+	if err != nil {
+		return false, err
+	}
+
+	// Pad out the kernel version lengths to match one another.
+	cmpLen := gocompat.Max2(len(hostKver), len(wantKver))
+	hostKver = append(hostKver, make(KernelVersion, cmpLen-len(hostKver))...)
+	wantKver = append(wantKver, make(KernelVersion, cmpLen-len(wantKver))...)
+
+	for i := 0; i < cmpLen; i++ {
+		switch gocompat.CmpCompare(hostKver[i], wantKver[i]) {
+		case -1:
+			// host < want
+			return false, nil
+		case +1:
+			// host > want
+			return true, nil
+		case 0:
+			continue
+		}
+	}
+	// equal version values
+	return true, nil
+}
diff --git a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/linux/doc.go b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/linux/doc.go
new file mode 100644
index 0000000000..4635714f62
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/linux/doc.go
@@ -0,0 +1,12 @@
+// SPDX-License-Identifier: MPL-2.0
+
+// Copyright (C) 2024-2025 Aleksa Sarai 
+// Copyright (C) 2024-2025 SUSE LLC
+//
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+// Package linux returns information about what features are supported on the
+// running kernel.
+package linux
diff --git a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/linux/mount_linux.go b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/linux/mount_linux.go
new file mode 100644
index 0000000000..b29905bff6
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/linux/mount_linux.go
@@ -0,0 +1,47 @@
+// SPDX-License-Identifier: MPL-2.0
+
+//go:build linux
+
+// Copyright (C) 2024-2025 Aleksa Sarai 
+// Copyright (C) 2024-2025 SUSE LLC
+//
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+package linux
+
+import (
+	"golang.org/x/sys/unix"
+
+	"github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gocompat"
+	"github.com/cyphar/filepath-securejoin/pathrs-lite/internal/kernelversion"
+)
+
+// HasNewMountAPI returns whether the new fsopen(2) mount API is supported on
+// the running kernel.
+var HasNewMountAPI = gocompat.SyncOnceValue(func() bool {
+	// All of the pieces of the new mount API we use (fsopen, fsconfig,
+	// fsmount, open_tree) were added together in Linux 5.2[1,2], so we can
+	// just check for one of the syscalls and the others should also be
+	// available.
+	//
+	// Just try to use open_tree(2) to open a file without OPEN_TREE_CLONE.
+	// This is equivalent to openat(2), but tells us if open_tree is
+	// available (and thus all of the other basic new mount API syscalls).
+	// open_tree(2) is most light-weight syscall to test here.
+	//
+	// [1]: merge commit 400913252d09
+	// [2]: 
+	fd, err := unix.OpenTree(-int(unix.EBADF), "/", unix.OPEN_TREE_CLOEXEC)
+	if err != nil {
+		return false
+	}
+	_ = unix.Close(fd)
+
+	// RHEL 8 has a backport of fsopen(2) that appears to have some very
+	// difficult to debug performance pathology. As such, it seems prudent to
+	// simply reject pre-5.2 kernels.
+	isNotBackport, _ := kernelversion.GreaterEqualThan(kernelversion.KernelVersion{5, 2})
+	return isNotBackport
+})
diff --git a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/linux/openat2_linux.go b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/linux/openat2_linux.go
new file mode 100644
index 0000000000..399609dc36
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/linux/openat2_linux.go
@@ -0,0 +1,31 @@
+// SPDX-License-Identifier: MPL-2.0
+
+//go:build linux
+
+// Copyright (C) 2024-2025 Aleksa Sarai 
+// Copyright (C) 2024-2025 SUSE LLC
+//
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+package linux
+
+import (
+	"golang.org/x/sys/unix"
+
+	"github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gocompat"
+)
+
+// HasOpenat2 returns whether openat2(2) is supported on the running kernel.
+var HasOpenat2 = gocompat.SyncOnceValue(func() bool {
+	fd, err := unix.Openat2(unix.AT_FDCWD, ".", &unix.OpenHow{
+		Flags:   unix.O_PATH | unix.O_CLOEXEC,
+		Resolve: unix.RESOLVE_NO_SYMLINKS | unix.RESOLVE_IN_ROOT,
+	})
+	if err != nil {
+		return false
+	}
+	_ = unix.Close(fd)
+	return true
+})
diff --git a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/procfs/procfs_linux.go b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/procfs/procfs_linux.go
new file mode 100644
index 0000000000..21e0a62e8e
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/procfs/procfs_linux.go
@@ -0,0 +1,544 @@
+// SPDX-License-Identifier: MPL-2.0
+
+//go:build linux
+
+// Copyright (C) 2024-2025 Aleksa Sarai 
+// Copyright (C) 2024-2025 SUSE LLC
+//
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+// Package procfs provides a safe API for operating on /proc on Linux. Note
+// that this is the *internal* procfs API, mainy needed due to Go's
+// restrictions on cyclic dependencies and its incredibly minimal visibility
+// system without making a separate internal/ package.
+package procfs
+
+import (
+	"errors"
+	"fmt"
+	"io"
+	"os"
+	"runtime"
+	"strconv"
+
+	"golang.org/x/sys/unix"
+
+	"github.com/cyphar/filepath-securejoin/pathrs-lite/internal"
+	"github.com/cyphar/filepath-securejoin/pathrs-lite/internal/assert"
+	"github.com/cyphar/filepath-securejoin/pathrs-lite/internal/fd"
+	"github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gocompat"
+	"github.com/cyphar/filepath-securejoin/pathrs-lite/internal/linux"
+)
+
+// The kernel guarantees that the root inode of a procfs mount has an
+// f_type of PROC_SUPER_MAGIC and st_ino of PROC_ROOT_INO.
+const (
+	procSuperMagic = 0x9fa0 // PROC_SUPER_MAGIC
+	procRootIno    = 1      // PROC_ROOT_INO
+)
+
+// verifyProcHandle checks that the handle is from a procfs filesystem.
+// Contrast this to [verifyProcRoot], which also verifies that the handle is
+// the root of a procfs mount.
+func verifyProcHandle(procHandle fd.Fd) error {
+	if statfs, err := fd.Fstatfs(procHandle); err != nil {
+		return err
+	} else if statfs.Type != procSuperMagic {
+		return fmt.Errorf("%w: incorrect procfs root filesystem type 0x%x", errUnsafeProcfs, statfs.Type)
+	}
+	return nil
+}
+
+// verifyProcRoot verifies that the handle is the root of a procfs filesystem.
+// Contrast this to [verifyProcHandle], which only verifies if the handle is
+// some file on procfs (regardless of what file it is).
+func verifyProcRoot(procRoot fd.Fd) error {
+	if err := verifyProcHandle(procRoot); err != nil {
+		return err
+	}
+	if stat, err := fd.Fstat(procRoot); err != nil {
+		return err
+	} else if stat.Ino != procRootIno {
+		return fmt.Errorf("%w: incorrect procfs root inode number %d", errUnsafeProcfs, stat.Ino)
+	}
+	return nil
+}
+
+type procfsFeatures struct {
+	// hasSubsetPid was added in Linux 5.8, along with hidepid=ptraceable (and
+	// string-based hidepid= values). Before this patchset, it was not really
+	// safe to try to modify procfs superblock flags because the superblock was
+	// shared -- so if this feature is not available, **you should not set any
+	// superblock flags**.
+	//
+	// 6814ef2d992a ("proc: add option to mount only a pids subset")
+	// fa10fed30f25 ("proc: allow to mount many instances of proc in one pid namespace")
+	// 24a71ce5c47f ("proc: instantiate only pids that we can ptrace on 'hidepid=4' mount option")
+	// 1c6c4d112e81 ("proc: use human-readable values for hidepid")
+	// 9ff7258575d5 ("Merge branch 'proc-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace")
+	hasSubsetPid bool
+}
+
+var getProcfsFeatures = gocompat.SyncOnceValue(func() procfsFeatures {
+	if !linux.HasNewMountAPI() {
+		return procfsFeatures{}
+	}
+	procfsCtx, err := fd.Fsopen("proc", unix.FSOPEN_CLOEXEC)
+	if err != nil {
+		return procfsFeatures{}
+	}
+	defer procfsCtx.Close() //nolint:errcheck // close failures aren't critical here
+
+	return procfsFeatures{
+		hasSubsetPid: unix.FsconfigSetString(int(procfsCtx.Fd()), "subset", "pid") == nil,
+	}
+})
+
+func newPrivateProcMount(subset bool) (_ *Handle, Err error) {
+	procfsCtx, err := fd.Fsopen("proc", unix.FSOPEN_CLOEXEC)
+	if err != nil {
+		return nil, err
+	}
+	defer procfsCtx.Close() //nolint:errcheck // close failures aren't critical here
+
+	if subset && getProcfsFeatures().hasSubsetPid {
+		// Try to configure hidepid=ptraceable,subset=pid if possible, but
+		// ignore errors.
+		_ = unix.FsconfigSetString(int(procfsCtx.Fd()), "hidepid", "ptraceable")
+		_ = unix.FsconfigSetString(int(procfsCtx.Fd()), "subset", "pid")
+	}
+
+	// Get an actual handle.
+	if err := unix.FsconfigCreate(int(procfsCtx.Fd())); err != nil {
+		return nil, os.NewSyscallError("fsconfig create procfs", err)
+	}
+	// TODO: Output any information from the fscontext log to debug logs.
+	procRoot, err := fd.Fsmount(procfsCtx, unix.FSMOUNT_CLOEXEC, unix.MS_NODEV|unix.MS_NOEXEC|unix.MS_NOSUID)
+	if err != nil {
+		return nil, err
+	}
+	defer func() {
+		if Err != nil {
+			_ = procRoot.Close()
+		}
+	}()
+	return newHandle(procRoot)
+}
+
+func clonePrivateProcMount() (_ *Handle, Err error) {
+	// Try to make a clone without using AT_RECURSIVE if we can. If this works,
+	// we can be sure there are no over-mounts and so if the root is valid then
+	// we're golden. Otherwise, we have to deal with over-mounts.
+	procRoot, err := fd.OpenTree(nil, "/proc", unix.OPEN_TREE_CLONE)
+	if err != nil || hookForcePrivateProcRootOpenTreeAtRecursive(procRoot) {
+		procRoot, err = fd.OpenTree(nil, "/proc", unix.OPEN_TREE_CLONE|unix.AT_RECURSIVE)
+	}
+	if err != nil {
+		return nil, fmt.Errorf("creating a detached procfs clone: %w", err)
+	}
+	defer func() {
+		if Err != nil {
+			_ = procRoot.Close()
+		}
+	}()
+	return newHandle(procRoot)
+}
+
+func privateProcRoot(subset bool) (*Handle, error) {
+	if !linux.HasNewMountAPI() || hookForceGetProcRootUnsafe() {
+		return nil, fmt.Errorf("new mount api: %w", unix.ENOTSUP)
+	}
+	// Try to create a new procfs mount from scratch if we can. This ensures we
+	// can get a procfs mount even if /proc is fake (for whatever reason).
+	procRoot, err := newPrivateProcMount(subset)
+	if err != nil || hookForcePrivateProcRootOpenTree(procRoot) {
+		// Try to clone /proc then...
+		procRoot, err = clonePrivateProcMount()
+	}
+	return procRoot, err
+}
+
+func unsafeHostProcRoot() (_ *Handle, Err error) {
+	procRoot, err := os.OpenFile("/proc", unix.O_PATH|unix.O_NOFOLLOW|unix.O_DIRECTORY|unix.O_CLOEXEC, 0)
+	if err != nil {
+		return nil, err
+	}
+	defer func() {
+		if Err != nil {
+			_ = procRoot.Close()
+		}
+	}()
+	return newHandle(procRoot)
+}
+
+// Handle is a wrapper around an *os.File handle to "/proc", which can be used
+// to do further procfs-related operations in a safe way.
+type Handle struct {
+	Inner fd.Fd
+	// Does this handle have subset=pid set?
+	isSubset bool
+}
+
+func newHandle(procRoot fd.Fd) (*Handle, error) {
+	if err := verifyProcRoot(procRoot); err != nil {
+		// This is only used in methods that
+		_ = procRoot.Close()
+		return nil, err
+	}
+	proc := &Handle{Inner: procRoot}
+	// With subset=pid we can be sure that /proc/uptime will not exist.
+	if err := fd.Faccessat(proc.Inner, "uptime", unix.F_OK, unix.AT_SYMLINK_NOFOLLOW); err != nil {
+		proc.isSubset = errors.Is(err, os.ErrNotExist)
+	}
+	return proc, nil
+}
+
+// Close closes the underlying file for the Handle.
+func (proc *Handle) Close() error { return proc.Inner.Close() }
+
+var getCachedProcRoot = gocompat.SyncOnceValue(func() *Handle {
+	procRoot, err := getProcRoot(true)
+	if err != nil {
+		return nil // just don't cache if we see an error
+	}
+	if !procRoot.isSubset {
+		return nil // we only cache verified subset=pid handles
+	}
+
+	// Disarm (*Handle).Close() to stop someone from accidentally closing
+	// the global handle.
+	procRoot.Inner = fd.NopCloser(procRoot.Inner)
+	return procRoot
+})
+
+// OpenProcRoot tries to open a "safer" handle to "/proc".
+func OpenProcRoot() (*Handle, error) {
+	if proc := getCachedProcRoot(); proc != nil {
+		return proc, nil
+	}
+	return getProcRoot(true)
+}
+
+// OpenUnsafeProcRoot opens a handle to "/proc" without any overmounts or
+// masked paths (but also without "subset=pid").
+func OpenUnsafeProcRoot() (*Handle, error) { return getProcRoot(false) }
+
+func getProcRoot(subset bool) (*Handle, error) {
+	proc, err := privateProcRoot(subset)
+	if err != nil {
+		// Fall back to using a /proc handle if making a private mount failed.
+		// If we have openat2, at least we can avoid some kinds of over-mount
+		// attacks, but without openat2 there's not much we can do.
+		proc, err = unsafeHostProcRoot()
+	}
+	return proc, err
+}
+
+var hasProcThreadSelf = gocompat.SyncOnceValue(func() bool {
+	return unix.Access("/proc/thread-self/", unix.F_OK) == nil
+})
+
+var errUnsafeProcfs = errors.New("unsafe procfs detected")
+
+// lookup is a very minimal wrapper around [procfsLookupInRoot] which is
+// intended to be called from the external API.
+func (proc *Handle) lookup(subpath string) (*os.File, error) {
+	handle, err := procfsLookupInRoot(proc.Inner, subpath)
+	if err != nil {
+		return nil, err
+	}
+	return handle, nil
+}
+
+// procfsBase is an enum indicating the prefix of a subpath in operations
+// involving [Handle]s.
+type procfsBase string
+
+const (
+	// ProcRoot refers to the root of the procfs (i.e., "/proc/").
+	ProcRoot procfsBase = "/proc"
+	// ProcSelf refers to the current process' subdirectory (i.e.,
+	// "/proc/self/").
+	ProcSelf procfsBase = "/proc/self"
+	// ProcThreadSelf refers to the current thread's subdirectory (i.e.,
+	// "/proc/thread-self/"). In multi-threaded programs (i.e., all Go
+	// programs) where one thread has a different CLONE_FS, it is possible for
+	// "/proc/self" to point the wrong thread and so "/proc/thread-self" may be
+	// necessary. Note that on pre-3.17 kernels, "/proc/thread-self" doesn't
+	// exist and so a fallback will be used in that case.
+	ProcThreadSelf procfsBase = "/proc/thread-self"
+	// TODO: Switch to an interface setup so we can have a more type-safe
+	// version of ProcPid and remove the need to worry about invalid string
+	// values.
+)
+
+// prefix returns a prefix that can be used with the given [Handle].
+func (base procfsBase) prefix(proc *Handle) (string, error) {
+	switch base {
+	case ProcRoot:
+		return ".", nil
+	case ProcSelf:
+		return "self", nil
+	case ProcThreadSelf:
+		threadSelf := "thread-self"
+		if !hasProcThreadSelf() || hookForceProcSelfTask() {
+			// Pre-3.17 kernels don't have /proc/thread-self, so do it
+			// manually.
+			threadSelf = "self/task/" + strconv.Itoa(unix.Gettid())
+			if err := fd.Faccessat(proc.Inner, threadSelf, unix.F_OK, unix.AT_SYMLINK_NOFOLLOW); err != nil || hookForceProcSelf() {
+				// In this case, we running in a pid namespace that doesn't
+				// match the /proc mount we have. This can happen inside runc.
+				//
+				// Unfortunately, there is no nice way to get the correct TID
+				// to use here because of the age of the kernel, so we have to
+				// just use /proc/self and hope that it works.
+				threadSelf = "self"
+			}
+		}
+		return threadSelf, nil
+	}
+	return "", fmt.Errorf("invalid procfs base %q", base)
+}
+
+// ProcThreadSelfCloser is a callback that needs to be called when you are done
+// operating on an [os.File] fetched using [ProcThreadSelf].
+//
+// [os.File]: https://pkg.go.dev/os#File
+type ProcThreadSelfCloser func()
+
+// open is the core lookup operation for [Handle]. It returns a handle to
+// "/proc//". If the returned [ProcThreadSelfCloser] is non-nil,
+// you should call it after you are done interacting with the returned handle.
+//
+// In general you should use prefer to use the other helpers, as they remove
+// the need to interact with [procfsBase] and do not return a nil
+// [ProcThreadSelfCloser] for [procfsBase] values other than [ProcThreadSelf]
+// where it is necessary.
+func (proc *Handle) open(base procfsBase, subpath string) (_ *os.File, closer ProcThreadSelfCloser, Err error) {
+	prefix, err := base.prefix(proc)
+	if err != nil {
+		return nil, nil, err
+	}
+	subpath = prefix + "/" + subpath
+
+	switch base {
+	case ProcRoot:
+		file, err := proc.lookup(subpath)
+		if errors.Is(err, os.ErrNotExist) {
+			// The Handle handle in use might be a subset=pid one, which will
+			// result in spurious errors. In this case, just open a temporary
+			// unmasked procfs handle for this operation.
+			proc, err2 := OpenUnsafeProcRoot() // !subset=pid
+			if err2 != nil {
+				return nil, nil, err
+			}
+			defer proc.Close() //nolint:errcheck // close failures aren't critical here
+
+			file, err = proc.lookup(subpath)
+		}
+		return file, nil, err
+
+	case ProcSelf:
+		file, err := proc.lookup(subpath)
+		return file, nil, err
+
+	case ProcThreadSelf:
+		// We need to lock our thread until the caller is done with the handle
+		// because between getting the handle and using it we could get
+		// interrupted by the Go runtime and hit the case where the underlying
+		// thread is swapped out and the original thread is killed, resulting
+		// in pull-your-hair-out-hard-to-debug issues in the caller.
+		runtime.LockOSThread()
+		defer func() {
+			if Err != nil {
+				runtime.UnlockOSThread()
+				closer = nil
+			}
+		}()
+
+		file, err := proc.lookup(subpath)
+		return file, runtime.UnlockOSThread, err
+	}
+	// should never be reached
+	return nil, nil, fmt.Errorf("[internal error] invalid procfs base %q", base)
+}
+
+// OpenThreadSelf returns a handle to "/proc/thread-self/" (or an
+// equivalent handle on older kernels where "/proc/thread-self" doesn't exist).
+// Once finished with the handle, you must call the returned closer function
+// (runtime.UnlockOSThread). You must not pass the returned *os.File to other
+// Go threads or use the handle after calling the closer.
+func (proc *Handle) OpenThreadSelf(subpath string) (_ *os.File, _ ProcThreadSelfCloser, Err error) {
+	return proc.open(ProcThreadSelf, subpath)
+}
+
+// OpenSelf returns a handle to /proc/self/.
+func (proc *Handle) OpenSelf(subpath string) (*os.File, error) {
+	file, closer, err := proc.open(ProcSelf, subpath)
+	assert.Assert(closer == nil, "closer for ProcSelf must be nil")
+	return file, err
+}
+
+// OpenRoot returns a handle to /proc/.
+func (proc *Handle) OpenRoot(subpath string) (*os.File, error) {
+	file, closer, err := proc.open(ProcRoot, subpath)
+	assert.Assert(closer == nil, "closer for ProcRoot must be nil")
+	return file, err
+}
+
+// OpenPid returns a handle to /proc/$pid/ (pid can be a pid or tid).
+// This is mainly intended for usage when operating on other processes.
+func (proc *Handle) OpenPid(pid int, subpath string) (*os.File, error) {
+	return proc.OpenRoot(strconv.Itoa(pid) + "/" + subpath)
+}
+
+// checkSubpathOvermount checks if the dirfd and path combination is on the
+// same mount as the given root.
+func checkSubpathOvermount(root, dir fd.Fd, path string) error {
+	// Get the mntID of our procfs handle.
+	expectedMountID, err := fd.GetMountID(root, "")
+	if err != nil {
+		return fmt.Errorf("get root mount id: %w", err)
+	}
+	// Get the mntID of the target magic-link.
+	gotMountID, err := fd.GetMountID(dir, path)
+	if err != nil {
+		return fmt.Errorf("get subpath mount id: %w", err)
+	}
+	// As long as the directory mount is alive, even with wrapping mount IDs,
+	// we would expect to see a different mount ID here. (Of course, if we're
+	// using unsafeHostProcRoot() then an attaker could change this after we
+	// did this check.)
+	if expectedMountID != gotMountID {
+		return fmt.Errorf("%w: subpath %s/%s has an overmount obscuring the real path (mount ids do not match %d != %d)",
+			errUnsafeProcfs, dir.Name(), path, expectedMountID, gotMountID)
+	}
+	return nil
+}
+
+// Readlink performs a readlink operation on "/proc//" in a way
+// that should be free from race attacks. This is most commonly used to get the
+// real path of a file by looking at "/proc/self/fd/$n", with the same safety
+// protections as [Open] (as well as some additional checks against
+// overmounts).
+func (proc *Handle) Readlink(base procfsBase, subpath string) (string, error) {
+	link, closer, err := proc.open(base, subpath)
+	if closer != nil {
+		defer closer()
+	}
+	if err != nil {
+		return "", fmt.Errorf("get safe %s/%s handle: %w", base, subpath, err)
+	}
+	defer link.Close() //nolint:errcheck // close failures aren't critical here
+
+	// Try to detect if there is a mount on top of the magic-link. This should
+	// be safe in general (a mount on top of the path afterwards would not
+	// affect the handle itself) and will definitely be safe if we are using
+	// privateProcRoot() (at least since Linux 5.12[1], when anonymous mount
+	// namespaces were completely isolated from external mounts including mount
+	// propagation events).
+	//
+	// [1]: Linux commit ee2e3f50629f ("mount: fix mounting of detached mounts
+	// onto targets that reside on shared mounts").
+	if err := checkSubpathOvermount(proc.Inner, link, ""); err != nil {
+		return "", fmt.Errorf("check safety of %s/%s magiclink: %w", base, subpath, err)
+	}
+
+	// readlinkat implies AT_EMPTY_PATH since Linux 2.6.39. See Linux commit
+	// 65cfc6722361 ("readlinkat(), fchownat() and fstatat() with empty
+	// relative pathnames").
+	return fd.Readlinkat(link, "")
+}
+
+// ProcSelfFdReadlink gets the real path of the given file by looking at
+// readlink(/proc/thread-self/fd/$n).
+//
+// This is just a wrapper around [Handle.Readlink].
+func ProcSelfFdReadlink(fd fd.Fd) (string, error) {
+	procRoot, err := OpenProcRoot() // subset=pid
+	if err != nil {
+		return "", err
+	}
+	defer procRoot.Close() //nolint:errcheck // close failures aren't critical here
+
+	fdPath := "fd/" + strconv.Itoa(int(fd.Fd()))
+	return procRoot.Readlink(ProcThreadSelf, fdPath)
+}
+
+// CheckProcSelfFdPath returns whether the given file handle matches the
+// expected path. (This is inherently racy.)
+func CheckProcSelfFdPath(path string, file fd.Fd) error {
+	if err := fd.IsDeadInode(file); err != nil {
+		return err
+	}
+	actualPath, err := ProcSelfFdReadlink(file)
+	if err != nil {
+		return fmt.Errorf("get path of handle: %w", err)
+	}
+	if actualPath != path {
+		return fmt.Errorf("%w: handle path %q doesn't match expected path %q", internal.ErrPossibleBreakout, actualPath, path)
+	}
+	return nil
+}
+
+// ReopenFd takes an existing file descriptor and "re-opens" it through
+// /proc/thread-self/fd/. This allows for O_PATH file descriptors to be
+// upgraded to regular file descriptors, as well as changing the open mode of a
+// regular file descriptor. Some filesystems have unique handling of open(2)
+// which make this incredibly useful (such as /dev/ptmx).
+func ReopenFd(handle fd.Fd, flags int) (*os.File, error) {
+	procRoot, err := OpenProcRoot() // subset=pid
+	if err != nil {
+		return nil, err
+	}
+	defer procRoot.Close() //nolint:errcheck // close failures aren't critical here
+
+	// We can't operate on /proc/thread-self/fd/$n directly when doing a
+	// re-open, so we need to open /proc/thread-self/fd and then open a single
+	// final component.
+	procFdDir, closer, err := procRoot.OpenThreadSelf("fd/")
+	if err != nil {
+		return nil, fmt.Errorf("get safe /proc/thread-self/fd handle: %w", err)
+	}
+	defer procFdDir.Close() //nolint:errcheck // close failures aren't critical here
+	defer closer()
+
+	// Try to detect if there is a mount on top of the magic-link we are about
+	// to open. If we are using unsafeHostProcRoot(), this could change after
+	// we check it (and there's nothing we can do about that) but for
+	// privateProcRoot() this should be guaranteed to be safe (at least since
+	// Linux 5.12[1], when anonymous mount namespaces were completely isolated
+	// from external mounts including mount propagation events).
+	//
+	// [1]: Linux commit ee2e3f50629f ("mount: fix mounting of detached mounts
+	// onto targets that reside on shared mounts").
+	fdStr := strconv.Itoa(int(handle.Fd()))
+	if err := checkSubpathOvermount(procRoot.Inner, procFdDir, fdStr); err != nil {
+		return nil, fmt.Errorf("check safety of /proc/thread-self/fd/%s magiclink: %w", fdStr, err)
+	}
+
+	flags |= unix.O_CLOEXEC
+	// Rather than just wrapping fd.Openat, open-code it so we can copy
+	// handle.Name().
+	reopenFd, err := unix.Openat(int(procFdDir.Fd()), fdStr, flags, 0)
+	if err != nil {
+		return nil, fmt.Errorf("reopen fd %d: %w", handle.Fd(), err)
+	}
+	return os.NewFile(uintptr(reopenFd), handle.Name()), nil
+}
+
+// Test hooks used in the procfs tests to verify that the fallback logic works.
+// See testing_mocks_linux_test.go and procfs_linux_test.go for more details.
+var (
+	hookForcePrivateProcRootOpenTree            = hookDummyFile
+	hookForcePrivateProcRootOpenTreeAtRecursive = hookDummyFile
+	hookForceGetProcRootUnsafe                  = hookDummy
+
+	hookForceProcSelfTask = hookDummy
+	hookForceProcSelf     = hookDummy
+)
+
+func hookDummy() bool                { return false }
+func hookDummyFile(_ io.Closer) bool { return false }
diff --git a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/procfs/procfs_lookup_linux.go b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/procfs/procfs_lookup_linux.go
new file mode 100644
index 0000000000..1ad1f18eee
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/procfs/procfs_lookup_linux.go
@@ -0,0 +1,222 @@
+// SPDX-License-Identifier: MPL-2.0
+
+//go:build linux
+
+// Copyright (C) 2024-2025 Aleksa Sarai 
+// Copyright (C) 2024-2025 SUSE LLC
+//
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+// This code is adapted to be a minimal version of the libpathrs proc resolver
+// .
+// As we only need O_PATH|O_NOFOLLOW support, this is not too much to port.
+
+package procfs
+
+import (
+	"fmt"
+	"os"
+	"path"
+	"path/filepath"
+	"strings"
+
+	"golang.org/x/sys/unix"
+
+	"github.com/cyphar/filepath-securejoin/internal/consts"
+	"github.com/cyphar/filepath-securejoin/pathrs-lite/internal"
+	"github.com/cyphar/filepath-securejoin/pathrs-lite/internal/fd"
+	"github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gocompat"
+	"github.com/cyphar/filepath-securejoin/pathrs-lite/internal/linux"
+)
+
+// procfsLookupInRoot is a stripped down version of completeLookupInRoot,
+// entirely designed to support the very small set of features necessary to
+// make procfs handling work. Unlike completeLookupInRoot, we always have
+// O_PATH|O_NOFOLLOW behaviour for trailing symlinks.
+//
+// The main restrictions are:
+//
+//   - ".." is not supported (as it requires either os.Root-style replays,
+//     which is more bug-prone; or procfs verification, which is not possible
+//     due to re-entrancy issues).
+//   - Absolute symlinks for the same reason (and all absolute symlinks in
+//     procfs are magic-links, which we want to skip anyway).
+//   - If statx is supported (checkSymlinkOvermount), any mount-point crossings
+//     (which is the main attack of concern against /proc).
+//   - Partial lookups are not supported, so the symlink stack is not needed.
+//   - Trailing slash special handling is not necessary in most cases (if we
+//     operating on procfs, it's usually with programmer-controlled strings
+//     that will then be re-opened), so we skip it since whatever re-opens it
+//     can deal with it. It's a creature comfort anyway.
+//
+// If the system supports openat2(), this is implemented using equivalent flags
+// (RESOLVE_BENEATH | RESOLVE_NO_XDEV | RESOLVE_NO_MAGICLINKS).
+func procfsLookupInRoot(procRoot fd.Fd, unsafePath string) (Handle *os.File, _ error) {
+	unsafePath = filepath.ToSlash(unsafePath) // noop
+
+	// Make sure that an empty unsafe path still returns something sane, even
+	// with openat2 (which doesn't have AT_EMPTY_PATH semantics yet).
+	if unsafePath == "" {
+		unsafePath = "."
+	}
+
+	// This is already checked by getProcRoot, but make sure here since the
+	// core security of this lookup is based on this assumption.
+	if err := verifyProcRoot(procRoot); err != nil {
+		return nil, err
+	}
+
+	if linux.HasOpenat2() {
+		// We prefer being able to use RESOLVE_NO_XDEV if we can, to be
+		// absolutely sure we are operating on a clean /proc handle that
+		// doesn't have any cheeky overmounts that could trick us (including
+		// symlink mounts on top of /proc/thread-self). RESOLVE_BENEATH isn't
+		// strictly needed, but just use it since we have it.
+		//
+		// NOTE: /proc/self is technically a magic-link (the contents of the
+		//       symlink are generated dynamically), but it doesn't use
+		//       nd_jump_link() so RESOLVE_NO_MAGICLINKS allows it.
+		//
+		// TODO: It would be nice to have RESOLVE_NO_DOTDOT, purely for
+		//       self-consistency with the backup O_PATH resolver.
+		handle, err := fd.Openat2(procRoot, unsafePath, &unix.OpenHow{
+			Flags:   unix.O_PATH | unix.O_NOFOLLOW | unix.O_CLOEXEC,
+			Resolve: unix.RESOLVE_BENEATH | unix.RESOLVE_NO_XDEV | unix.RESOLVE_NO_MAGICLINKS,
+		})
+		if err != nil {
+			// TODO: Once we bump the minimum Go version to 1.20, we can use
+			// multiple %w verbs for this wrapping. For now we need to use a
+			// compatibility shim for older Go versions.
+			// err = fmt.Errorf("%w: %w", errUnsafeProcfs, err)
+			return nil, gocompat.WrapBaseError(err, errUnsafeProcfs)
+		}
+		return handle, nil
+	}
+
+	// To mirror openat2(RESOLVE_BENEATH), we need to return an error if the
+	// path is absolute.
+	if path.IsAbs(unsafePath) {
+		return nil, fmt.Errorf("%w: cannot resolve absolute paths in procfs resolver", internal.ErrPossibleBreakout)
+	}
+
+	currentDir, err := fd.Dup(procRoot)
+	if err != nil {
+		return nil, fmt.Errorf("clone root fd: %w", err)
+	}
+	defer func() {
+		// If a handle is not returned, close the internal handle.
+		if Handle == nil {
+			_ = currentDir.Close()
+		}
+	}()
+
+	var (
+		linksWalked   int
+		currentPath   string
+		remainingPath = unsafePath
+	)
+	for remainingPath != "" {
+		// Get the next path component.
+		var part string
+		if i := strings.IndexByte(remainingPath, '/'); i == -1 {
+			part, remainingPath = remainingPath, ""
+		} else {
+			part, remainingPath = remainingPath[:i], remainingPath[i+1:]
+		}
+		if part == "" {
+			// no-op component, but treat it the same as "."
+			part = "."
+		}
+		if part == ".." {
+			// not permitted
+			return nil, fmt.Errorf("%w: cannot walk into '..' in procfs resolver", internal.ErrPossibleBreakout)
+		}
+
+		// Apply the component lexically to the path we are building.
+		// currentPath does not contain any symlinks, and we are lexically
+		// dealing with a single component, so it's okay to do a filepath.Clean
+		// here. (Not to mention that ".." isn't allowed.)
+		nextPath := path.Join("/", currentPath, part)
+		// If we logically hit the root, just clone the root rather than
+		// opening the part and doing all of the other checks.
+		if nextPath == "/" {
+			// Jump to root.
+			rootClone, err := fd.Dup(procRoot)
+			if err != nil {
+				return nil, fmt.Errorf("clone root fd: %w", err)
+			}
+			_ = currentDir.Close()
+			currentDir = rootClone
+			currentPath = nextPath
+			continue
+		}
+
+		// Try to open the next component.
+		nextDir, err := fd.Openat(currentDir, part, unix.O_PATH|unix.O_NOFOLLOW|unix.O_CLOEXEC, 0)
+		if err != nil {
+			return nil, err
+		}
+
+		// Make sure we are still on procfs and haven't crossed mounts.
+		if err := verifyProcHandle(nextDir); err != nil {
+			_ = nextDir.Close()
+			return nil, fmt.Errorf("check %q component is on procfs: %w", part, err)
+		}
+		if err := checkSubpathOvermount(procRoot, nextDir, ""); err != nil {
+			_ = nextDir.Close()
+			return nil, fmt.Errorf("check %q component is not overmounted: %w", part, err)
+		}
+
+		// We are emulating O_PATH|O_NOFOLLOW, so we only need to traverse into
+		// trailing symlinks if we are not the final component. Otherwise we
+		// can just return the currentDir.
+		if remainingPath != "" {
+			st, err := nextDir.Stat()
+			if err != nil {
+				_ = nextDir.Close()
+				return nil, fmt.Errorf("stat component %q: %w", part, err)
+			}
+
+			if st.Mode()&os.ModeType == os.ModeSymlink {
+				// readlinkat implies AT_EMPTY_PATH since Linux 2.6.39. See
+				// Linux commit 65cfc6722361 ("readlinkat(), fchownat() and
+				// fstatat() with empty relative pathnames").
+				linkDest, err := fd.Readlinkat(nextDir, "")
+				// We don't need the handle anymore.
+				_ = nextDir.Close()
+				if err != nil {
+					return nil, err
+				}
+
+				linksWalked++
+				if linksWalked > consts.MaxSymlinkLimit {
+					return nil, &os.PathError{Op: "securejoin.procfsLookupInRoot", Path: "/proc/" + unsafePath, Err: unix.ELOOP}
+				}
+
+				// Update our logical remaining path.
+				remainingPath = linkDest + "/" + remainingPath
+				// Absolute symlinks are probably magiclinks, we reject them.
+				if path.IsAbs(linkDest) {
+					return nil, fmt.Errorf("%w: cannot jump to / in procfs resolver -- possible magiclink", internal.ErrPossibleBreakout)
+				}
+				continue
+			}
+		}
+
+		// Walk into the next component.
+		_ = currentDir.Close()
+		currentDir = nextDir
+		currentPath = nextPath
+	}
+
+	// One final sanity-check.
+	if err := verifyProcHandle(currentDir); err != nil {
+		return nil, fmt.Errorf("check final handle is on procfs: %w", err)
+	}
+	if err := checkSubpathOvermount(procRoot, currentDir, ""); err != nil {
+		return nil, fmt.Errorf("check final handle is not overmounted: %w", err)
+	}
+	return currentDir, nil
+}
diff --git a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/mkdir.go b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/mkdir.go
new file mode 100644
index 0000000000..b43169564a
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/mkdir.go
@@ -0,0 +1,55 @@
+// SPDX-License-Identifier: MPL-2.0
+
+//go:build linux
+
+// Copyright (C) 2024-2025 Aleksa Sarai 
+// Copyright (C) 2024-2025 SUSE LLC
+//
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+package pathrs
+
+import (
+	"os"
+
+	"golang.org/x/sys/unix"
+)
+
+// MkdirAll is a race-safe alternative to the [os.MkdirAll] function,
+// where the new directory is guaranteed to be within the root directory (if an
+// attacker can move directories from inside the root to outside the root, the
+// created directory tree might be outside of the root but the key constraint
+// is that at no point will we walk outside of the directory tree we are
+// creating).
+//
+// Effectively, MkdirAll(root, unsafePath, mode) is equivalent to
+//
+//	path, _ := securejoin.SecureJoin(root, unsafePath)
+//	err := os.MkdirAll(path, mode)
+//
+// But is much safer. The above implementation is unsafe because if an attacker
+// can modify the filesystem tree between [SecureJoin] and [os.MkdirAll], it is
+// possible for MkdirAll to resolve unsafe symlink components and create
+// directories outside of the root.
+//
+// If you plan to open the directory after you have created it or want to use
+// an open directory handle as the root, you should use [MkdirAllHandle] instead.
+// This function is a wrapper around [MkdirAllHandle].
+//
+// [SecureJoin]: https://pkg.go.dev/github.com/cyphar/filepath-securejoin#SecureJoin
+func MkdirAll(root, unsafePath string, mode os.FileMode) error {
+	rootDir, err := os.OpenFile(root, unix.O_PATH|unix.O_DIRECTORY|unix.O_CLOEXEC, 0)
+	if err != nil {
+		return err
+	}
+	defer rootDir.Close() //nolint:errcheck // close failures aren't critical here
+
+	f, err := MkdirAllHandle(rootDir, unsafePath, mode)
+	if err != nil {
+		return err
+	}
+	_ = f.Close()
+	return nil
+}
diff --git a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/mkdir_libpathrs.go b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/mkdir_libpathrs.go
new file mode 100644
index 0000000000..f864dbc8f3
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/mkdir_libpathrs.go
@@ -0,0 +1,52 @@
+// SPDX-License-Identifier: MPL-2.0
+
+//go:build libpathrs
+
+// Copyright (C) 2024-2025 Aleksa Sarai 
+// Copyright (C) 2024-2025 SUSE LLC
+//
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+package pathrs
+
+import (
+	"os"
+
+	"cyphar.com/go-pathrs"
+)
+
+// MkdirAllHandle is equivalent to [MkdirAll], except that it is safer to use
+// in two respects:
+//
+//   - The caller provides the root directory as an *[os.File] (preferably O_PATH)
+//     handle. This means that the caller can be sure which root directory is
+//     being used. Note that this can be emulated by using /proc/self/fd/... as
+//     the root path with [os.MkdirAll].
+//
+//   - Once all of the directories have been created, an *[os.File] O_PATH handle
+//     to the directory at unsafePath is returned to the caller. This is done in
+//     an effectively-race-free way (an attacker would only be able to swap the
+//     final directory component), which is not possible to emulate with
+//     [MkdirAll].
+//
+// In addition, the returned handle is obtained far more efficiently than doing
+// a brand new lookup of unsafePath (such as with [SecureJoin] or openat2) after
+// doing [MkdirAll]. If you intend to open the directory after creating it, you
+// should use MkdirAllHandle.
+//
+// [SecureJoin]: https://pkg.go.dev/github.com/cyphar/filepath-securejoin#SecureJoin
+func MkdirAllHandle(root *os.File, unsafePath string, mode os.FileMode) (*os.File, error) {
+	rootRef, err := pathrs.RootFromFile(root)
+	if err != nil {
+		return nil, err
+	}
+	defer rootRef.Close() //nolint:errcheck // close failures aren't critical here
+
+	handle, err := rootRef.MkdirAll(unsafePath, mode)
+	if err != nil {
+		return nil, err
+	}
+	return handle.IntoFile(), nil
+}
diff --git a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/mkdir_purego.go b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/mkdir_purego.go
new file mode 100644
index 0000000000..0369dfe7e6
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/mkdir_purego.go
@@ -0,0 +1,42 @@
+// SPDX-License-Identifier: MPL-2.0
+
+//go:build linux && !libpathrs
+
+// Copyright (C) 2024-2025 Aleksa Sarai 
+// Copyright (C) 2024-2025 SUSE LLC
+//
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+package pathrs
+
+import (
+	"os"
+
+	"github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gopathrs"
+)
+
+// MkdirAllHandle is equivalent to [MkdirAll], except that it is safer to use
+// in two respects:
+//
+//   - The caller provides the root directory as an *[os.File] (preferably O_PATH)
+//     handle. This means that the caller can be sure which root directory is
+//     being used. Note that this can be emulated by using /proc/self/fd/... as
+//     the root path with [os.MkdirAll].
+//
+//   - Once all of the directories have been created, an *[os.File] O_PATH handle
+//     to the directory at unsafePath is returned to the caller. This is done in
+//     an effectively-race-free way (an attacker would only be able to swap the
+//     final directory component), which is not possible to emulate with
+//     [MkdirAll].
+//
+// In addition, the returned handle is obtained far more efficiently than doing
+// a brand new lookup of unsafePath (such as with [SecureJoin] or openat2) after
+// doing [MkdirAll]. If you intend to open the directory after creating it, you
+// should use MkdirAllHandle.
+//
+// [SecureJoin]: https://pkg.go.dev/github.com/cyphar/filepath-securejoin#SecureJoin
+func MkdirAllHandle(root *os.File, unsafePath string, mode os.FileMode) (*os.File, error) {
+	return gopathrs.MkdirAllHandle(root, unsafePath, mode)
+}
diff --git a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/open.go b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/open.go
new file mode 100644
index 0000000000..41b628907e
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/open.go
@@ -0,0 +1,45 @@
+// SPDX-License-Identifier: MPL-2.0
+
+//go:build linux
+
+// Copyright (C) 2024-2025 Aleksa Sarai 
+// Copyright (C) 2024-2025 SUSE LLC
+//
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+package pathrs
+
+import (
+	"os"
+
+	"golang.org/x/sys/unix"
+)
+
+// OpenInRoot safely opens the provided unsafePath within the root.
+// Effectively, OpenInRoot(root, unsafePath) is equivalent to
+//
+//	path, _ := securejoin.SecureJoin(root, unsafePath)
+//	handle, err := os.OpenFile(path, unix.O_PATH|unix.O_CLOEXEC)
+//
+// But is much safer. The above implementation is unsafe because if an attacker
+// can modify the filesystem tree between [SecureJoin] and [os.OpenFile], it is
+// possible for the returned file to be outside of the root.
+//
+// Note that the returned handle is an O_PATH handle, meaning that only a very
+// limited set of operations will work on the handle. This is done to avoid
+// accidentally opening an untrusted file that could cause issues (such as a
+// disconnected TTY that could cause a DoS, or some other issue). In order to
+// use the returned handle, you can "upgrade" it to a proper handle using
+// [Reopen].
+//
+// [SecureJoin]: https://pkg.go.dev/github.com/cyphar/filepath-securejoin#SecureJoin
+func OpenInRoot(root, unsafePath string) (*os.File, error) {
+	rootDir, err := os.OpenFile(root, unix.O_PATH|unix.O_DIRECTORY|unix.O_CLOEXEC, 0)
+	if err != nil {
+		return nil, err
+	}
+	defer rootDir.Close() //nolint:errcheck // close failures aren't critical here
+	return OpenatInRoot(rootDir, unsafePath)
+}
diff --git a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/open_libpathrs.go b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/open_libpathrs.go
new file mode 100644
index 0000000000..53352000e6
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/open_libpathrs.go
@@ -0,0 +1,57 @@
+// SPDX-License-Identifier: MPL-2.0
+
+//go:build libpathrs
+
+// Copyright (C) 2024-2025 Aleksa Sarai 
+// Copyright (C) 2024-2025 SUSE LLC
+//
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+package pathrs
+
+import (
+	"os"
+
+	"cyphar.com/go-pathrs"
+)
+
+// OpenatInRoot is equivalent to [OpenInRoot], except that the root is provided
+// using an *[os.File] handle, to ensure that the correct root directory is used.
+func OpenatInRoot(root *os.File, unsafePath string) (*os.File, error) {
+	rootRef, err := pathrs.RootFromFile(root)
+	if err != nil {
+		return nil, err
+	}
+	defer rootRef.Close() //nolint:errcheck // close failures aren't critical here
+
+	handle, err := rootRef.Resolve(unsafePath)
+	if err != nil {
+		return nil, err
+	}
+	return handle.IntoFile(), nil
+}
+
+// Reopen takes an *[os.File] handle and re-opens it through /proc/self/fd.
+// Reopen(file, flags) is effectively equivalent to
+//
+//	fdPath := fmt.Sprintf("/proc/self/fd/%d", file.Fd())
+//	os.OpenFile(fdPath, flags|unix.O_CLOEXEC)
+//
+// But with some extra hardenings to ensure that we are not tricked by a
+// maliciously-configured /proc mount. While this attack scenario is not
+// common, in container runtimes it is possible for higher-level runtimes to be
+// tricked into configuring an unsafe /proc that can be used to attack file
+// operations. See [CVE-2019-19921] for more details.
+//
+// [CVE-2019-19921]: https://github.com/advisories/GHSA-fh74-hm69-rqjw
+func Reopen(file *os.File, flags int) (*os.File, error) {
+	handle, err := pathrs.HandleFromFile(file)
+	if err != nil {
+		return nil, err
+	}
+	defer handle.Close() //nolint:errcheck // close failures aren't critical here
+
+	return handle.OpenFile(flags)
+}
diff --git a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/open_purego.go b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/open_purego.go
new file mode 100644
index 0000000000..6d1be12ce5
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/open_purego.go
@@ -0,0 +1,42 @@
+// SPDX-License-Identifier: MPL-2.0
+
+//go:build linux && !libpathrs
+
+// Copyright (C) 2024-2025 Aleksa Sarai 
+// Copyright (C) 2024-2025 SUSE LLC
+//
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+package pathrs
+
+import (
+	"os"
+
+	"github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gopathrs"
+	"github.com/cyphar/filepath-securejoin/pathrs-lite/internal/procfs"
+)
+
+// OpenatInRoot is equivalent to [OpenInRoot], except that the root is provided
+// using an *[os.File] handle, to ensure that the correct root directory is used.
+func OpenatInRoot(root *os.File, unsafePath string) (*os.File, error) {
+	return gopathrs.OpenatInRoot(root, unsafePath)
+}
+
+// Reopen takes an *[os.File] handle and re-opens it through /proc/self/fd.
+// Reopen(file, flags) is effectively equivalent to
+//
+//	fdPath := fmt.Sprintf("/proc/self/fd/%d", file.Fd())
+//	os.OpenFile(fdPath, flags|unix.O_CLOEXEC)
+//
+// But with some extra hardenings to ensure that we are not tricked by a
+// maliciously-configured /proc mount. While this attack scenario is not
+// common, in container runtimes it is possible for higher-level runtimes to be
+// tricked into configuring an unsafe /proc that can be used to attack file
+// operations. See [CVE-2019-19921] for more details.
+//
+// [CVE-2019-19921]: https://github.com/advisories/GHSA-fh74-hm69-rqjw
+func Reopen(handle *os.File, flags int) (*os.File, error) {
+	return procfs.ReopenFd(handle, flags)
+}
diff --git a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/procfs/procfs_libpathrs.go b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/procfs/procfs_libpathrs.go
new file mode 100644
index 0000000000..6c4df3763b
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/procfs/procfs_libpathrs.go
@@ -0,0 +1,161 @@
+// SPDX-License-Identifier: MPL-2.0
+
+//go:build libpathrs
+
+// Copyright (C) 2024-2025 Aleksa Sarai 
+// Copyright (C) 2024-2025 SUSE LLC
+//
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+// Package procfs provides a safe API for operating on /proc on Linux.
+package procfs
+
+import (
+	"os"
+	"strconv"
+
+	"cyphar.com/go-pathrs/procfs"
+	"golang.org/x/sys/unix"
+)
+
+// ProcThreadSelfCloser is a callback that needs to be called when you are done
+// operating on an [os.File] fetched using [Handle.OpenThreadSelf].
+//
+// [os.File]: https://pkg.go.dev/os#File
+type ProcThreadSelfCloser = procfs.ThreadCloser
+
+// Handle is a wrapper around an *os.File handle to "/proc", which can be used
+// to do further procfs-related operations in a safe way.
+type Handle struct {
+	inner *procfs.Handle
+}
+
+// Close close the resources associated with this [Handle]. Note that if this
+// [Handle] was created with [OpenProcRoot], on some kernels the underlying
+// procfs handle is cached and so this Close operation may be a no-op. However,
+// you should always call Close on [Handle]s once you are done with them.
+func (proc *Handle) Close() error { return proc.inner.Close() }
+
+// OpenProcRoot tries to open a "safer" handle to "/proc" (i.e., one with the
+// "subset=pid" mount option applied, available from Linux 5.8). Unless you
+// plan to do many [Handle.OpenRoot] operations, users should prefer to use
+// this over [OpenUnsafeProcRoot] which is far more dangerous to keep open.
+//
+// If a safe handle cannot be opened, OpenProcRoot will fall back to opening a
+// regular "/proc" handle.
+//
+// Note that using [Handle.OpenRoot] will still work with handles returned by
+// this function. If a subpath cannot be operated on with a safe "/proc"
+// handle, then [OpenUnsafeProcRoot] will be called internally and a temporary
+// unsafe handle will be used.
+func OpenProcRoot() (*Handle, error) {
+	proc, err := procfs.Open()
+	if err != nil {
+		return nil, err
+	}
+	return &Handle{inner: proc}, nil
+}
+
+// OpenUnsafeProcRoot opens a handle to "/proc" without any overmounts or
+// masked paths. You must be extremely careful to make sure this handle is
+// never leaked to a container and that you program cannot be tricked into
+// writing to arbitrary paths within it.
+//
+// This is not necessary if you just wish to use [Handle.OpenRoot], as handles
+// returned by [OpenProcRoot] will fall back to using a *temporary* unsafe
+// handle in that case. You should only really use this if you need to do many
+// operations with [Handle.OpenRoot] and the performance overhead of making
+// many procfs handles is an issue. If you do use OpenUnsafeProcRoot, you
+// should make sure to close the handle as soon as possible to avoid
+// known-fd-number attacks.
+func OpenUnsafeProcRoot() (*Handle, error) {
+	proc, err := procfs.Open(procfs.UnmaskedProcRoot)
+	if err != nil {
+		return nil, err
+	}
+	return &Handle{inner: proc}, nil
+}
+
+// OpenThreadSelf returns a handle to "/proc/thread-self/" (or an
+// equivalent handle on older kernels where "/proc/thread-self" doesn't exist).
+// Once finished with the handle, you must call the returned closer function
+// ([runtime.UnlockOSThread]). You must not pass the returned *os.File to other
+// Go threads or use the handle after calling the closer.
+//
+// [runtime.UnlockOSThread]: https://pkg.go.dev/runtime#UnlockOSThread
+func (proc *Handle) OpenThreadSelf(subpath string) (*os.File, ProcThreadSelfCloser, error) {
+	return proc.inner.OpenThreadSelf(subpath, unix.O_PATH|unix.O_NOFOLLOW)
+}
+
+// OpenSelf returns a handle to /proc/self/.
+//
+// Note that in Go programs with non-homogenous threads, this may result in
+// spurious errors. If you are monkeying around with APIs that are
+// thread-specific, you probably want to use [Handle.OpenThreadSelf] instead
+// which will guarantee that the handle refers to the same thread as the caller
+// is executing on.
+func (proc *Handle) OpenSelf(subpath string) (*os.File, error) {
+	return proc.inner.OpenSelf(subpath, unix.O_PATH|unix.O_NOFOLLOW)
+}
+
+// OpenRoot returns a handle to /proc/.
+//
+// You should only use this when you need to operate on global procfs files
+// (such as sysctls in /proc/sys). Unlike [Handle.OpenThreadSelf],
+// [Handle.OpenSelf], and [Handle.OpenPid], the procfs handle used internally
+// for this operation will never use "subset=pid", which makes it a more juicy
+// target for [CVE-2024-21626]-style attacks (and doing something like opening
+// a directory with OpenRoot effectively leaks [OpenUnsafeProcRoot] as long as
+// the file descriptor is open).
+//
+// [CVE-2024-21626]: https://github.com/opencontainers/runc/security/advisories/GHSA-xr7r-f8xq-vfvv
+func (proc *Handle) OpenRoot(subpath string) (*os.File, error) {
+	return proc.inner.OpenRoot(subpath, unix.O_PATH|unix.O_NOFOLLOW)
+}
+
+// OpenPid returns a handle to /proc/$pid/ (pid can be a pid or tid).
+// This is mainly intended for usage when operating on other processes.
+//
+// You should not use this for the current thread, as special handling is
+// needed for /proc/thread-self (or /proc/self/task/) when dealing with
+// goroutine scheduling -- use [Handle.OpenThreadSelf] instead.
+//
+// To refer to the current thread-group, you should use prefer
+// [Handle.OpenSelf] to passing os.Getpid as the pid argument.
+func (proc *Handle) OpenPid(pid int, subpath string) (*os.File, error) {
+	return proc.inner.OpenPid(pid, subpath, unix.O_PATH|unix.O_NOFOLLOW)
+}
+
+// ProcSelfFdReadlink gets the real path of the given file by looking at
+// /proc/self/fd/ with [readlink]. It is effectively just shorthand for
+// something along the lines of:
+//
+//	proc, err := procfs.OpenProcRoot()
+//	if err != nil {
+//		return err
+//	}
+//	link, err := proc.OpenThreadSelf(fmt.Sprintf("fd/%d", f.Fd()))
+//	if err != nil {
+//		return err
+//	}
+//	defer link.Close()
+//	var buf [4096]byte
+//	n, err := unix.Readlinkat(int(link.Fd()), "", buf[:])
+//	if err != nil {
+//		return err
+//	}
+//	pathname := buf[:n]
+//
+// [readlink]: https://pkg.go.dev/golang.org/x/sys/unix#Readlinkat
+func ProcSelfFdReadlink(f *os.File) (string, error) {
+	proc, err := procfs.Open()
+	if err != nil {
+		return "", err
+	}
+	defer proc.Close() //nolint:errcheck // close failures aren't critical here
+
+	fdPath := "fd/" + strconv.Itoa(int(f.Fd()))
+	return proc.Readlink(procfs.ProcThreadSelf, fdPath)
+}
diff --git a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/procfs/procfs_purego.go b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/procfs/procfs_purego.go
new file mode 100644
index 0000000000..9383002f9a
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/procfs/procfs_purego.go
@@ -0,0 +1,157 @@
+// SPDX-License-Identifier: MPL-2.0
+
+//go:build linux && !libpathrs
+
+// Copyright (C) 2024-2025 Aleksa Sarai 
+// Copyright (C) 2024-2025 SUSE LLC
+//
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+// Package procfs provides a safe API for operating on /proc on Linux.
+package procfs
+
+import (
+	"os"
+
+	"github.com/cyphar/filepath-securejoin/pathrs-lite/internal/procfs"
+)
+
+// This package mostly just wraps internal/procfs APIs. This is necessary
+// because we are forced to export some things from internal/procfs in order to
+// avoid some dependency cycle issues, but we don't want users to see or use
+// them.
+
+// ProcThreadSelfCloser is a callback that needs to be called when you are done
+// operating on an [os.File] fetched using [Handle.OpenThreadSelf].
+//
+// [os.File]: https://pkg.go.dev/os#File
+type ProcThreadSelfCloser = procfs.ProcThreadSelfCloser
+
+// Handle is a wrapper around an *os.File handle to "/proc", which can be used
+// to do further procfs-related operations in a safe way.
+type Handle struct {
+	inner *procfs.Handle
+}
+
+// Close close the resources associated with this [Handle]. Note that if this
+// [Handle] was created with [OpenProcRoot], on some kernels the underlying
+// procfs handle is cached and so this Close operation may be a no-op. However,
+// you should always call Close on [Handle]s once you are done with them.
+func (proc *Handle) Close() error { return proc.inner.Close() }
+
+// OpenProcRoot tries to open a "safer" handle to "/proc" (i.e., one with the
+// "subset=pid" mount option applied, available from Linux 5.8). Unless you
+// plan to do many [Handle.OpenRoot] operations, users should prefer to use
+// this over [OpenUnsafeProcRoot] which is far more dangerous to keep open.
+//
+// If a safe handle cannot be opened, OpenProcRoot will fall back to opening a
+// regular "/proc" handle.
+//
+// Note that using [Handle.OpenRoot] will still work with handles returned by
+// this function. If a subpath cannot be operated on with a safe "/proc"
+// handle, then [OpenUnsafeProcRoot] will be called internally and a temporary
+// unsafe handle will be used.
+func OpenProcRoot() (*Handle, error) {
+	proc, err := procfs.OpenProcRoot()
+	if err != nil {
+		return nil, err
+	}
+	return &Handle{inner: proc}, nil
+}
+
+// OpenUnsafeProcRoot opens a handle to "/proc" without any overmounts or
+// masked paths. You must be extremely careful to make sure this handle is
+// never leaked to a container and that you program cannot be tricked into
+// writing to arbitrary paths within it.
+//
+// This is not necessary if you just wish to use [Handle.OpenRoot], as handles
+// returned by [OpenProcRoot] will fall back to using a *temporary* unsafe
+// handle in that case. You should only really use this if you need to do many
+// operations with [Handle.OpenRoot] and the performance overhead of making
+// many procfs handles is an issue. If you do use OpenUnsafeProcRoot, you
+// should make sure to close the handle as soon as possible to avoid
+// known-fd-number attacks.
+func OpenUnsafeProcRoot() (*Handle, error) {
+	proc, err := procfs.OpenUnsafeProcRoot()
+	if err != nil {
+		return nil, err
+	}
+	return &Handle{inner: proc}, nil
+}
+
+// OpenThreadSelf returns a handle to "/proc/thread-self/" (or an
+// equivalent handle on older kernels where "/proc/thread-self" doesn't exist).
+// Once finished with the handle, you must call the returned closer function
+// ([runtime.UnlockOSThread]). You must not pass the returned *os.File to other
+// Go threads or use the handle after calling the closer.
+//
+// [runtime.UnlockOSThread]: https://pkg.go.dev/runtime#UnlockOSThread
+func (proc *Handle) OpenThreadSelf(subpath string) (*os.File, ProcThreadSelfCloser, error) {
+	return proc.inner.OpenThreadSelf(subpath)
+}
+
+// OpenSelf returns a handle to /proc/self/.
+//
+// Note that in Go programs with non-homogenous threads, this may result in
+// spurious errors. If you are monkeying around with APIs that are
+// thread-specific, you probably want to use [Handle.OpenThreadSelf] instead
+// which will guarantee that the handle refers to the same thread as the caller
+// is executing on.
+func (proc *Handle) OpenSelf(subpath string) (*os.File, error) {
+	return proc.inner.OpenSelf(subpath)
+}
+
+// OpenRoot returns a handle to /proc/.
+//
+// You should only use this when you need to operate on global procfs files
+// (such as sysctls in /proc/sys). Unlike [Handle.OpenThreadSelf],
+// [Handle.OpenSelf], and [Handle.OpenPid], the procfs handle used internally
+// for this operation will never use "subset=pid", which makes it a more juicy
+// target for [CVE-2024-21626]-style attacks (and doing something like opening
+// a directory with OpenRoot effectively leaks [OpenUnsafeProcRoot] as long as
+// the file descriptor is open).
+//
+// [CVE-2024-21626]: https://github.com/opencontainers/runc/security/advisories/GHSA-xr7r-f8xq-vfvv
+func (proc *Handle) OpenRoot(subpath string) (*os.File, error) {
+	return proc.inner.OpenRoot(subpath)
+}
+
+// OpenPid returns a handle to /proc/$pid/ (pid can be a pid or tid).
+// This is mainly intended for usage when operating on other processes.
+//
+// You should not use this for the current thread, as special handling is
+// needed for /proc/thread-self (or /proc/self/task/) when dealing with
+// goroutine scheduling -- use [Handle.OpenThreadSelf] instead.
+//
+// To refer to the current thread-group, you should use prefer
+// [Handle.OpenSelf] to passing os.Getpid as the pid argument.
+func (proc *Handle) OpenPid(pid int, subpath string) (*os.File, error) {
+	return proc.inner.OpenPid(pid, subpath)
+}
+
+// ProcSelfFdReadlink gets the real path of the given file by looking at
+// /proc/self/fd/ with [readlink]. It is effectively just shorthand for
+// something along the lines of:
+//
+//	proc, err := procfs.OpenProcRoot()
+//	if err != nil {
+//		return err
+//	}
+//	link, err := proc.OpenThreadSelf(fmt.Sprintf("fd/%d", f.Fd()))
+//	if err != nil {
+//		return err
+//	}
+//	defer link.Close()
+//	var buf [4096]byte
+//	n, err := unix.Readlinkat(int(link.Fd()), "", buf[:])
+//	if err != nil {
+//		return err
+//	}
+//	pathname := buf[:n]
+//
+// [readlink]: https://pkg.go.dev/golang.org/x/sys/unix#Readlinkat
+func ProcSelfFdReadlink(f *os.File) (string, error) {
+	return procfs.ProcSelfFdReadlink(f)
+}
diff --git a/vendor/github.com/google/pprof/profile/profile.go b/vendor/github.com/google/pprof/profile/profile.go
index 43f561d445..18df65a8df 100644
--- a/vendor/github.com/google/pprof/profile/profile.go
+++ b/vendor/github.com/google/pprof/profile/profile.go
@@ -278,7 +278,7 @@ func (p *Profile) massageMappings() {
 
 	// Use heuristics to identify main binary and move it to the top of the list of mappings
 	for i, m := range p.Mapping {
-		file := strings.TrimSpace(strings.Replace(m.File, "(deleted)", "", -1))
+		file := strings.TrimSpace(strings.ReplaceAll(m.File, "(deleted)", ""))
 		if len(file) == 0 {
 			continue
 		}
diff --git a/vendor/github.com/google/pprof/profile/proto.go b/vendor/github.com/google/pprof/profile/proto.go
index a15696ba16..31bf6bca63 100644
--- a/vendor/github.com/google/pprof/profile/proto.go
+++ b/vendor/github.com/google/pprof/profile/proto.go
@@ -36,6 +36,7 @@ package profile
 import (
 	"errors"
 	"fmt"
+	"slices"
 )
 
 type buffer struct {
@@ -187,6 +188,16 @@ func le32(p []byte) uint32 {
 	return uint32(p[0]) | uint32(p[1])<<8 | uint32(p[2])<<16 | uint32(p[3])<<24
 }
 
+func peekNumVarints(data []byte) (numVarints int) {
+	for ; len(data) > 0; numVarints++ {
+		var err error
+		if _, data, err = decodeVarint(data); err != nil {
+			break
+		}
+	}
+	return numVarints
+}
+
 func decodeVarint(data []byte) (uint64, []byte, error) {
 	var u uint64
 	for i := 0; ; i++ {
@@ -286,6 +297,9 @@ func decodeInt64(b *buffer, x *int64) error {
 func decodeInt64s(b *buffer, x *[]int64) error {
 	if b.typ == 2 {
 		// Packed encoding
+		dataLen := peekNumVarints(b.data)
+		*x = slices.Grow(*x, dataLen)
+
 		data := b.data
 		for len(data) > 0 {
 			var u uint64
@@ -316,8 +330,11 @@ func decodeUint64(b *buffer, x *uint64) error {
 
 func decodeUint64s(b *buffer, x *[]uint64) error {
 	if b.typ == 2 {
-		data := b.data
 		// Packed encoding
+		dataLen := peekNumVarints(b.data)
+		*x = slices.Grow(*x, dataLen)
+
+		data := b.data
 		for len(data) > 0 {
 			var u uint64
 			var err error
diff --git a/vendor/github.com/onsi/ginkgo/v2/CHANGELOG.md b/vendor/github.com/onsi/ginkgo/v2/CHANGELOG.md
index 0e5f23782f..9c83583344 100644
--- a/vendor/github.com/onsi/ginkgo/v2/CHANGELOG.md
+++ b/vendor/github.com/onsi/ginkgo/v2/CHANGELOG.md
@@ -1,3 +1,80 @@
+## 2.28.0
+
+Ginkgo's SemVer filter now supports filtering multiple components by SemVer version:
+
+```go
+It("should work in a specific version range (1.0.0, 2.0.0) and third-party dependency redis in [8.0.0, ~)", SemVerConstraint(">= 3.2.0"), ComponentSemVerConstraint("redis", ">= 8.0.0") func() {
+    // This test will only run when version is between 1.0.0 (exclusive) and 2.0.0 (exclusive) and redis version is >= 8.0.0
+})
+```
+
+can be filtered in or out with an invocation like:
+
+```bash
+ginkgo --sem-ver-filter="2.1.1, redis=8.2.0"
+```
+
+Huge thanks to @Icarus9913 for working on this!
+
+## 2.27.5
+
+### Fixes
+Don't make a new formatter for each GinkgoT(); that's just silly and uses precious memory
+
+## 2.27.4
+
+### Fixes
+- CurrentTreeConstructionNodeReport: fix for nested container nodes [59bc751]
+
+## 2.27.3
+
+### Fixes
+report exit result in case of failure [1c9f356]
+fix data race [ece19c8]
+
+## 2.27.2
+
+### Fixes
+- inline automaxprocs to simplify dependencies; this will be removed when Go 1.26 comes out [a69113a]
+
+### Maintenance
+- Fix syntax errors and typo [a99c6e0]
+- Fix paragraph position error [f993df5]
+
+## 2.27.1
+
+### Fixes
+- Fix Ginkgo Reporter slice-bounds panic [606c1cb]
+- Bug Fix: Add GinkoTBWrapper.Attr() and GinkoTBWrapper.Output() [a6463b3]
+
+## 2.27.0
+
+### Features
+
+#### Transforming Nodes during Tree Construction
+
+This release adds support for `NodeArgsTransformer`s that can be registered with `AddTreeConstructionNodeArgsTransformer`.
+
+These are called during the tree construction phase as nodes are constructed and can modify the node strings and decorators.  This enables frameworks built on top of Ginkgo to modify Ginkgo nodes and enforce conventions.
+
+Learn more [here](https://onsi.github.io/ginkgo/#advanced-transforming-node-arguments-during-tree-construction).
+
+#### Spec Prioritization
+
+A new `SpecPriority(int)` decorator has been added.  Ginkgo will honor priority when ordering specs, ensuring that higher priority specs start running before lower priority specs
+
+Learn more [here](https://onsi.github.io/ginkgo/#prioritizing-specs).
+
+### Maintenance
+- Bump rexml from 3.4.0 to 3.4.2 in /docs (#1595) [1333dae]
+- Bump github.com/gkampitakis/go-snaps from 0.5.14 to 0.5.15 (#1600) [17ae63e]
+
+## 2.26.0
+
+### Features
+
+Ginkgo can now generate json-formatted reports that are compatible with the `go test` json format.  Use `ginkgo --gojson-report=report.go.json`.  This is not intended to be a replacement for Ginkgo's native json format which is more information rich and better models Ginkgo's test structure semantics.
+
 ## 2.25.3
 
 ### Fixes
diff --git a/vendor/github.com/onsi/ginkgo/v2/README.md b/vendor/github.com/onsi/ginkgo/v2/README.md
index e3d0c13cc6..7b7ab9e39c 100644
--- a/vendor/github.com/onsi/ginkgo/v2/README.md
+++ b/vendor/github.com/onsi/ginkgo/v2/README.md
@@ -113,3 +113,13 @@ Ginkgo is MIT-Licensed
 ## Contributing
 
 See [CONTRIBUTING.md](CONTRIBUTING.md)
+
+## Sponsors
+
+Sponsors commit to a [sponsorship](https://github.com/sponsors/onsi) for a year.  If you're an organization that makes use of Ginkgo please consider becoming a sponsor!
+
+
Browser testing via 
+    
+        
+    
+

diff --git a/vendor/github.com/onsi/ginkgo/v2/core_dsl.go b/vendor/github.com/onsi/ginkgo/v2/core_dsl.go
index ec41e8837c..099daa4749 100644
--- a/vendor/github.com/onsi/ginkgo/v2/core_dsl.go
+++ b/vendor/github.com/onsi/ginkgo/v2/core_dsl.go
@@ -20,6 +20,7 @@ import (
 	"io"
 	"os"
 	"path/filepath"
+	"slices"
 	"strings"
 
 	"github.com/go-logr/logr"
@@ -268,7 +269,7 @@ func RunSpecs(t GinkgoTestingT, description string, args ...any) bool {
 	}
 	defer global.PopClone()
 
-	suiteLabels, suiteSemVerConstraints, suiteAroundNodes := extractSuiteConfiguration(args)
+	suiteLabels, suiteSemVerConstraints, suiteComponentSemVerConstraints, suiteAroundNodes := extractSuiteConfiguration(args)
 
 	var reporter reporters.Reporter
 	if suiteConfig.ParallelTotal == 1 {
@@ -311,7 +312,7 @@ func RunSpecs(t GinkgoTestingT, description string, args ...any) bool {
 	suitePath, err = filepath.Abs(suitePath)
 	exitIfErr(err)
 
-	passed, hasFocusedTests := global.Suite.Run(description, suiteLabels, suiteSemVerConstraints, suiteAroundNodes, suitePath, global.Failer, reporter, writer, outputInterceptor, interrupt_handler.NewInterruptHandler(client), client, internal.RegisterForProgressSignal, suiteConfig)
+	passed, hasFocusedTests := global.Suite.Run(description, suiteLabels, suiteSemVerConstraints, suiteComponentSemVerConstraints, suiteAroundNodes, suitePath, global.Failer, reporter, writer, outputInterceptor, interrupt_handler.NewInterruptHandler(client), client, internal.RegisterForProgressSignal, suiteConfig)
 	outputInterceptor.Shutdown()
 
 	flagSet.ValidateDeprecations(deprecationTracker)
@@ -330,9 +331,10 @@ func RunSpecs(t GinkgoTestingT, description string, args ...any) bool {
 	return passed
 }
 
-func extractSuiteConfiguration(args []any) (Labels, SemVerConstraints, types.AroundNodes) {
+func extractSuiteConfiguration(args []any) (Labels, SemVerConstraints, ComponentSemVerConstraints, types.AroundNodes) {
 	suiteLabels := Labels{}
 	suiteSemVerConstraints := SemVerConstraints{}
+	suiteComponentSemVerConstraints := ComponentSemVerConstraints{}
 	aroundNodes := types.AroundNodes{}
 	configErrors := []error{}
 	for _, arg := range args {
@@ -345,6 +347,11 @@ func extractSuiteConfiguration(args []any) (Labels, SemVerConstraints, types.Aro
 			suiteLabels = append(suiteLabels, arg...)
 		case SemVerConstraints:
 			suiteSemVerConstraints = append(suiteSemVerConstraints, arg...)
+		case ComponentSemVerConstraints:
+			for component, constraints := range arg {
+				suiteComponentSemVerConstraints[component] = append(suiteComponentSemVerConstraints[component], constraints...)
+				suiteComponentSemVerConstraints[component] = slices.Compact(suiteComponentSemVerConstraints[component])
+			}
 		case types.AroundNodeDecorator:
 			aroundNodes = append(aroundNodes, arg)
 		default:
@@ -362,7 +369,7 @@ func extractSuiteConfiguration(args []any) (Labels, SemVerConstraints, types.Aro
 		os.Exit(1)
 	}
 
-	return suiteLabels, suiteSemVerConstraints, aroundNodes
+	return suiteLabels, suiteSemVerConstraints, suiteComponentSemVerConstraints, aroundNodes
 }
 
 func getwd() (string, error) {
@@ -385,7 +392,7 @@ func PreviewSpecs(description string, args ...any) Report {
 	}
 	defer global.PopClone()
 
-	suiteLabels, suiteSemVerConstraints, suiteAroundNodes := extractSuiteConfiguration(args)
+	suiteLabels, suiteSemVerConstraints, suiteComponentSemVerConstraints, suiteAroundNodes := extractSuiteConfiguration(args)
 	priorDryRun, priorParallelTotal, priorParallelProcess := suiteConfig.DryRun, suiteConfig.ParallelTotal, suiteConfig.ParallelProcess
 	suiteConfig.DryRun, suiteConfig.ParallelTotal, suiteConfig.ParallelProcess = true, 1, 1
 	defer func() {
@@ -403,7 +410,7 @@ func PreviewSpecs(description string, args ...any) Report {
 	suitePath, err = filepath.Abs(suitePath)
 	exitIfErr(err)
 
-	global.Suite.Run(description, suiteLabels, suiteSemVerConstraints, suiteAroundNodes, suitePath, global.Failer, reporter, writer, outputInterceptor, interrupt_handler.NewInterruptHandler(client), client, internal.RegisterForProgressSignal, suiteConfig)
+	global.Suite.Run(description, suiteLabels, suiteSemVerConstraints, suiteComponentSemVerConstraints, suiteAroundNodes, suitePath, global.Failer, reporter, writer, outputInterceptor, interrupt_handler.NewInterruptHandler(client), client, internal.RegisterForProgressSignal, suiteConfig)
 
 	return global.Suite.GetPreviewReport()
 }
@@ -501,6 +508,38 @@ func pushNode(node internal.Node, errors []error) bool {
 	return true
 }
 
+// NodeArgsTransformer is a hook which is called by the test construction DSL methods
+// before creating the new node. If it returns any error, the test suite
+// prints those errors and exits. The text and arguments can be modified,
+// which includes directly changing the args slice that is passed in.
+// Arguments have been flattened already, i.e. none of the entries in args is another []any.
+// The result may be nested.
+//
+// The node type is provided for information and remains the same.
+//
+// The offset is valid for calling NewLocation directly in the
+// implementation of TransformNodeArgs to find the location where
+// the Ginkgo DSL function is called. An additional offset supplied
+// by the caller via args is already included.
+//
+// A NodeArgsTransformer can be registered with AddTreeConstructionNodeArgsTransformer.
+type NodeArgsTransformer func(nodeType types.NodeType, offset Offset, text string, args []any) (string, []any, []error)
+
+// AddTreeConstructionNodeArgsTransformer registers a NodeArgsTransformer.
+// Only nodes which get created after registering a NodeArgsTransformer
+// are transformed by it. The returned function can be called to
+// unregister the transformer.
+//
+// Both may only be called during the construction phase.
+//
+// If there is more than one registered transformer, then the most
+// recently added ones get called first.
+func AddTreeConstructionNodeArgsTransformer(transformer NodeArgsTransformer) func() {
+	// This conversion could be avoided with a type alias, but type aliases make
+	// developer documentation less useful.
+	return internal.AddTreeConstructionNodeArgsTransformer(internal.NodeArgsTransformer(transformer))
+}
+
 /*
 Describe nodes are Container nodes that allow you to organize your specs.  A Describe node's closure can contain any number of
 Setup nodes (e.g. BeforeEach, AfterEach, JustBeforeEach), and Subject nodes (i.e. It).
@@ -512,7 +551,7 @@ You can learn more at https://onsi.github.io/ginkgo/#organizing-specs-with-conta
 In addition, container nodes can be decorated with a variety of decorators.  You can learn more here: https://onsi.github.io/ginkgo/#decorator-reference
 */
 func Describe(text string, args ...any) bool {
-	return pushNode(internal.NewNode(deprecationTracker, types.NodeTypeContainer, text, args...))
+	return pushNode(internal.NewNode(internal.TransformNewNodeArgs(exitIfErrors, deprecationTracker, types.NodeTypeContainer, text, args...)))
 }
 
 /*
@@ -520,7 +559,7 @@ FDescribe focuses specs within the Describe block.
 */
 func FDescribe(text string, args ...any) bool {
 	args = append(args, internal.Focus)
-	return pushNode(internal.NewNode(deprecationTracker, types.NodeTypeContainer, text, args...))
+	return pushNode(internal.NewNode(internal.TransformNewNodeArgs(exitIfErrors, deprecationTracker, types.NodeTypeContainer, text, args...)))
 }
 
 /*
@@ -528,7 +567,7 @@ PDescribe marks specs within the Describe block as pending.
 */
 func PDescribe(text string, args ...any) bool {
 	args = append(args, internal.Pending)
-	return pushNode(internal.NewNode(deprecationTracker, types.NodeTypeContainer, text, args...))
+	return pushNode(internal.NewNode(internal.TransformNewNodeArgs(exitIfErrors, deprecationTracker, types.NodeTypeContainer, text, args...)))
 }
 
 /*
@@ -541,21 +580,21 @@ var XDescribe = PDescribe
 /* Context is an alias for Describe - it generates the exact same kind of Container node */
 var Context, FContext, PContext, XContext = Describe, FDescribe, PDescribe, XDescribe
 
-/* When is an alias for Describe - it generates the exact same kind of Container node */
+/* When is an alias for Describe - it generates the exact same kind of Container node with "when " as prefix for the text. */
 func When(text string, args ...any) bool {
-	return pushNode(internal.NewNode(deprecationTracker, types.NodeTypeContainer, "when "+text, args...))
+	return pushNode(internal.NewNode(internal.TransformNewNodeArgs(exitIfErrors, deprecationTracker, types.NodeTypeContainer, "when "+text, args...)))
 }
 
-/* When is an alias for Describe - it generates the exact same kind of Container node */
+/* When is an alias for Describe - it generates the exact same kind of Container node with "when " as prefix for the text. */
 func FWhen(text string, args ...any) bool {
 	args = append(args, internal.Focus)
-	return pushNode(internal.NewNode(deprecationTracker, types.NodeTypeContainer, "when "+text, args...))
+	return pushNode(internal.NewNode(internal.TransformNewNodeArgs(exitIfErrors, deprecationTracker, types.NodeTypeContainer, "when "+text, args...)))
 }
 
 /* When is an alias for Describe - it generates the exact same kind of Container node */
 func PWhen(text string, args ...any) bool {
 	args = append(args, internal.Pending)
-	return pushNode(internal.NewNode(deprecationTracker, types.NodeTypeContainer, "when "+text, args...))
+	return pushNode(internal.NewNode(internal.TransformNewNodeArgs(exitIfErrors, deprecationTracker, types.NodeTypeContainer, "when "+text, args...)))
 }
 
 var XWhen = PWhen
@@ -571,7 +610,7 @@ You can learn more at https://onsi.github.io/ginkgo/#spec-subjects-it
 In addition, subject nodes can be decorated with a variety of decorators.  You can learn more here: https://onsi.github.io/ginkgo/#decorator-reference
 */
 func It(text string, args ...any) bool {
-	return pushNode(internal.NewNode(deprecationTracker, types.NodeTypeIt, text, args...))
+	return pushNode(internal.NewNode(internal.TransformNewNodeArgs(exitIfErrors, deprecationTracker, types.NodeTypeIt, text, args...)))
 }
 
 /*
@@ -579,7 +618,7 @@ FIt allows you to focus an individual It.
 */
 func FIt(text string, args ...any) bool {
 	args = append(args, internal.Focus)
-	return pushNode(internal.NewNode(deprecationTracker, types.NodeTypeIt, text, args...))
+	return pushNode(internal.NewNode(internal.TransformNewNodeArgs(exitIfErrors, deprecationTracker, types.NodeTypeIt, text, args...)))
 }
 
 /*
@@ -587,7 +626,7 @@ PIt allows you to mark an individual It as pending.
 */
 func PIt(text string, args ...any) bool {
 	args = append(args, internal.Pending)
-	return pushNode(internal.NewNode(deprecationTracker, types.NodeTypeIt, text, args...))
+	return pushNode(internal.NewNode(internal.TransformNewNodeArgs(exitIfErrors, deprecationTracker, types.NodeTypeIt, text, args...)))
 }
 
 /*
@@ -634,7 +673,7 @@ You can learn more here: https://onsi.github.io/ginkgo/#suite-setup-and-cleanup-
 func BeforeSuite(body any, args ...any) bool {
 	combinedArgs := []any{body}
 	combinedArgs = append(combinedArgs, args...)
-	return pushNode(internal.NewNode(deprecationTracker, types.NodeTypeBeforeSuite, "", combinedArgs...))
+	return pushNode(internal.NewNode(internal.TransformNewNodeArgs(exitIfErrors, deprecationTracker, types.NodeTypeBeforeSuite, "", combinedArgs...)))
 }
 
 /*
@@ -653,7 +692,7 @@ You can learn more here: https://onsi.github.io/ginkgo/#suite-setup-and-cleanup-
 func AfterSuite(body any, args ...any) bool {
 	combinedArgs := []any{body}
 	combinedArgs = append(combinedArgs, args...)
-	return pushNode(internal.NewNode(deprecationTracker, types.NodeTypeAfterSuite, "", combinedArgs...))
+	return pushNode(internal.NewNode(internal.TransformNewNodeArgs(exitIfErrors, deprecationTracker, types.NodeTypeAfterSuite, "", combinedArgs...)))
 }
 
 /*
@@ -691,7 +730,7 @@ func SynchronizedBeforeSuite(process1Body any, allProcessBody any, args ...any)
 	combinedArgs := []any{process1Body, allProcessBody}
 	combinedArgs = append(combinedArgs, args...)
 
-	return pushNode(internal.NewNode(deprecationTracker, types.NodeTypeSynchronizedBeforeSuite, "", combinedArgs...))
+	return pushNode(internal.NewNode(internal.TransformNewNodeArgs(exitIfErrors, deprecationTracker, types.NodeTypeSynchronizedBeforeSuite, "", combinedArgs...)))
 }
 
 /*
@@ -711,7 +750,7 @@ func SynchronizedAfterSuite(allProcessBody any, process1Body any, args ...any) b
 	combinedArgs := []any{allProcessBody, process1Body}
 	combinedArgs = append(combinedArgs, args...)
 
-	return pushNode(internal.NewNode(deprecationTracker, types.NodeTypeSynchronizedAfterSuite, "", combinedArgs...))
+	return pushNode(internal.NewNode(internal.TransformNewNodeArgs(exitIfErrors, deprecationTracker, types.NodeTypeSynchronizedAfterSuite, "", combinedArgs...)))
 }
 
 /*
@@ -724,7 +763,7 @@ You cannot nest any other Ginkgo nodes within a BeforeEach node's closure.
 You can learn more here: https://onsi.github.io/ginkgo/#extracting-common-setup-beforeeach
 */
 func BeforeEach(args ...any) bool {
-	return pushNode(internal.NewNode(deprecationTracker, types.NodeTypeBeforeEach, "", args...))
+	return pushNode(internal.NewNode(internal.TransformNewNodeArgs(exitIfErrors, deprecationTracker, types.NodeTypeBeforeEach, "", args...)))
 }
 
 /*
@@ -737,7 +776,7 @@ You cannot nest any other Ginkgo nodes within a JustBeforeEach node's closure.
 You can learn more and see some examples here: https://onsi.github.io/ginkgo/#separating-creation-and-configuration-justbeforeeach
 */
 func JustBeforeEach(args ...any) bool {
-	return pushNode(internal.NewNode(deprecationTracker, types.NodeTypeJustBeforeEach, "", args...))
+	return pushNode(internal.NewNode(internal.TransformNewNodeArgs(exitIfErrors, deprecationTracker, types.NodeTypeJustBeforeEach, "", args...)))
 }
 
 /*
@@ -752,7 +791,7 @@ You cannot nest any other Ginkgo nodes within an AfterEach node's closure.
 You can learn more here: https://onsi.github.io/ginkgo/#spec-cleanup-aftereach-and-defercleanup
 */
 func AfterEach(args ...any) bool {
-	return pushNode(internal.NewNode(deprecationTracker, types.NodeTypeAfterEach, "", args...))
+	return pushNode(internal.NewNode(internal.TransformNewNodeArgs(exitIfErrors, deprecationTracker, types.NodeTypeAfterEach, "", args...)))
 }
 
 /*
@@ -764,7 +803,7 @@ You cannot nest any other Ginkgo nodes within a JustAfterEach node's closure.
 You can learn more and see some examples here: https://onsi.github.io/ginkgo/#separating-diagnostics-collection-and-teardown-justaftereach
 */
 func JustAfterEach(args ...any) bool {
-	return pushNode(internal.NewNode(deprecationTracker, types.NodeTypeJustAfterEach, "", args...))
+	return pushNode(internal.NewNode(internal.TransformNewNodeArgs(exitIfErrors, deprecationTracker, types.NodeTypeJustAfterEach, "", args...)))
 }
 
 /*
@@ -779,7 +818,7 @@ You can learn more about Ordered Containers at: https://onsi.github.io/ginkgo/#o
 And you can learn more about BeforeAll at: https://onsi.github.io/ginkgo/#setup-in-ordered-containers-beforeall-and-afterall
 */
 func BeforeAll(args ...any) bool {
-	return pushNode(internal.NewNode(deprecationTracker, types.NodeTypeBeforeAll, "", args...))
+	return pushNode(internal.NewNode(internal.TransformNewNodeArgs(exitIfErrors, deprecationTracker, types.NodeTypeBeforeAll, "", args...)))
 }
 
 /*
@@ -796,7 +835,7 @@ You can learn more about Ordered Containers at: https://onsi.github.io/ginkgo/#o
 And you can learn more about AfterAll at: https://onsi.github.io/ginkgo/#setup-in-ordered-containers-beforeall-and-afterall
 */
 func AfterAll(args ...any) bool {
-	return pushNode(internal.NewNode(deprecationTracker, types.NodeTypeAfterAll, "", args...))
+	return pushNode(internal.NewNode(internal.TransformNewNodeArgs(exitIfErrors, deprecationTracker, types.NodeTypeAfterAll, "", args...)))
 }
 
 /*
diff --git a/vendor/github.com/onsi/ginkgo/v2/decorator_dsl.go b/vendor/github.com/onsi/ginkgo/v2/decorator_dsl.go
index 8bee5acebd..ce1d71cec8 100644
--- a/vendor/github.com/onsi/ginkgo/v2/decorator_dsl.go
+++ b/vendor/github.com/onsi/ginkgo/v2/decorator_dsl.go
@@ -117,6 +117,27 @@ You can learn more here: https://onsi.github.io/ginkgo/#spec-semantic-version-fi
 */
 type SemVerConstraints = internal.SemVerConstraints
 
+/*
+ComponentSemVerConstraint decorates specs with ComponentSemVerConstraints. Multiple components semantic version constraints can be passed to ComponentSemVerConstraint and the component can't be empy, also the version strings must follow the semantic version constraint rules.
+ComponentSemVerConstraints can be applied to container and subject nodes, but not setup nodes. You can provide multiple ComponentSemVerConstraints to a given node and a spec's component semantic version constraints is the union of all component semantic version constraints in its node hierarchy.
+
+You can learn more here: https://onsi.github.io/ginkgo/#spec-semantic-version-filtering
+You can learn more about decorators here: https://onsi.github.io/ginkgo/#decorator-reference
+*/
+func ComponentSemVerConstraint(component string, semVerConstraints ...string) ComponentSemVerConstraints {
+	componentSemVerConstraints := ComponentSemVerConstraints{
+		component: semVerConstraints,
+	}
+
+	return componentSemVerConstraints
+}
+
+/*
+ComponentSemVerConstraints are the type for spec ComponentSemVerConstraint decorators. Use ComponentSemVerConstraint(...) to construct ComponentSemVerConstraints.
+You can learn more here: https://onsi.github.io/ginkgo/#spec-semantic-version-filtering
+*/
+type ComponentSemVerConstraints = internal.ComponentSemVerConstraints
+
 /*
 PollProgressAfter allows you to override the configured value for --poll-progress-after for a particular node.
 
@@ -154,6 +175,13 @@ Nodes that do not finish within a GracePeriod will be leaked and Ginkgo will pro
 */
 type GracePeriod = internal.GracePeriod
 
+/*
+SpecPriority allows you to assign a priority to a spec or container.
+
+Specs with higher priority will be scheduled to run before specs with lower priority.  The default priority is 0 and negative priorities are allowed.
+*/
+type SpecPriority = internal.SpecPriority
+
 /*
 SuppressProgressReporting is a decorator that allows you to disable progress reporting of a particular node.  This is useful if `ginkgo -v -progress` is generating too much noise; particularly
 if you have a `ReportAfterEach` node that is running for every skipped spec and is generating lots of progress reports.
diff --git a/vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs.go b/vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs.go
new file mode 100644
index 0000000000..ee6ac7b5f3
--- /dev/null
+++ b/vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs.go
@@ -0,0 +1,8 @@
+//go:build !go1.25
+// +build !go1.25
+
+package main
+
+import (
+	_ "github.com/onsi/ginkgo/v2/ginkgo/automaxprocs"
+)
diff --git a/vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/README.md b/vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/README.md
new file mode 100644
index 0000000000..e249ebe8b3
--- /dev/null
+++ b/vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/README.md
@@ -0,0 +1,3 @@
+This entire directory is a lightly modified clone of https://github.com/uber-go/automaxprocs
+
+It will be removed when Go 1.26 ships and we no longer need to support Go 1.24 (which does not correctly autodetect maxprocs in containers).
diff --git a/vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/automaxprocs.go b/vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/automaxprocs.go
new file mode 100644
index 0000000000..8a762b51d6
--- /dev/null
+++ b/vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/automaxprocs.go
@@ -0,0 +1,71 @@
+// Copyright (c) 2017 Uber Technologies, Inc.
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files (the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.
+
+// Package maxprocs lets Go programs easily configure runtime.GOMAXPROCS to
+// match the configured Linux CPU quota. Unlike the top-level automaxprocs
+// package, it lets the caller configure logging and handle errors.
+package automaxprocs
+
+import (
+	"os"
+	"runtime"
+)
+
+func init() {
+	Set()
+}
+
+const _maxProcsKey = "GOMAXPROCS"
+
+type config struct {
+	procs          func(int, func(v float64) int) (int, CPUQuotaStatus, error)
+	minGOMAXPROCS  int
+	roundQuotaFunc func(v float64) int
+}
+
+// Set GOMAXPROCS to match the Linux container CPU quota (if any), returning
+// any error encountered and an undo function.
+//
+// Set is a no-op on non-Linux systems and in Linux environments without a
+// configured CPU quota.
+func Set() error {
+	cfg := &config{
+		procs:          CPUQuotaToGOMAXPROCS,
+		roundQuotaFunc: DefaultRoundFunc,
+		minGOMAXPROCS:  1,
+	}
+
+	// Honor the GOMAXPROCS environment variable if present. Otherwise, amend
+	// `runtime.GOMAXPROCS()` with the current process' CPU quota if the OS is
+	// Linux, and guarantee a minimum value of 1. The minimum guaranteed value
+	// can be overridden using `maxprocs.Min()`.
+	if _, exists := os.LookupEnv(_maxProcsKey); exists {
+		return nil
+	}
+	maxProcs, status, err := cfg.procs(cfg.minGOMAXPROCS, cfg.roundQuotaFunc)
+	if err != nil {
+		return err
+	}
+	if status == CPUQuotaUndefined {
+		return nil
+	}
+	runtime.GOMAXPROCS(maxProcs)
+	return nil
+}
diff --git a/vendor/go.uber.org/automaxprocs/internal/cgroups/cgroup.go b/vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/cgroup.go
similarity index 99%
rename from vendor/go.uber.org/automaxprocs/internal/cgroups/cgroup.go
rename to vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/cgroup.go
index fe4ecf561e..a4676933e8 100644
--- a/vendor/go.uber.org/automaxprocs/internal/cgroups/cgroup.go
+++ b/vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/cgroup.go
@@ -21,7 +21,7 @@
 //go:build linux
 // +build linux
 
-package cgroups
+package automaxprocs
 
 import (
 	"bufio"
diff --git a/vendor/go.uber.org/automaxprocs/internal/cgroups/cgroups.go b/vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/cgroups.go
similarity index 99%
rename from vendor/go.uber.org/automaxprocs/internal/cgroups/cgroups.go
rename to vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/cgroups.go
index e89f543602..ed384891ef 100644
--- a/vendor/go.uber.org/automaxprocs/internal/cgroups/cgroups.go
+++ b/vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/cgroups.go
@@ -21,7 +21,7 @@
 //go:build linux
 // +build linux
 
-package cgroups
+package automaxprocs
 
 const (
 	// _cgroupFSType is the Linux CGroup file system type used in
diff --git a/vendor/go.uber.org/automaxprocs/internal/cgroups/cgroups2.go b/vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/cgroups2.go
similarity index 99%
rename from vendor/go.uber.org/automaxprocs/internal/cgroups/cgroups2.go
rename to vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/cgroups2.go
index 78556062fe..69a0be6b71 100644
--- a/vendor/go.uber.org/automaxprocs/internal/cgroups/cgroups2.go
+++ b/vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/cgroups2.go
@@ -21,7 +21,7 @@
 //go:build linux
 // +build linux
 
-package cgroups
+package automaxprocs
 
 import (
 	"bufio"
diff --git a/vendor/go.uber.org/automaxprocs/internal/runtime/cpu_quota_linux.go b/vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/cpu_quota_linux.go
similarity index 91%
rename from vendor/go.uber.org/automaxprocs/internal/runtime/cpu_quota_linux.go
rename to vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/cpu_quota_linux.go
index f9057fd273..2d83343bd9 100644
--- a/vendor/go.uber.org/automaxprocs/internal/runtime/cpu_quota_linux.go
+++ b/vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/cpu_quota_linux.go
@@ -21,12 +21,10 @@
 //go:build linux
 // +build linux
 
-package runtime
+package automaxprocs
 
 import (
 	"errors"
-
-	cg "go.uber.org/automaxprocs/internal/cgroups"
 )
 
 // CPUQuotaToGOMAXPROCS converts the CPU quota applied to the calling process
@@ -58,8 +56,8 @@ type queryer interface {
 }
 
 var (
-	_newCgroups2 = cg.NewCGroups2ForCurrentProcess
-	_newCgroups  = cg.NewCGroupsForCurrentProcess
+	_newCgroups2 = NewCGroups2ForCurrentProcess
+	_newCgroups  = NewCGroupsForCurrentProcess
 	_newQueryer  = newQueryer
 )
 
@@ -68,7 +66,7 @@ func newQueryer() (queryer, error) {
 	if err == nil {
 		return cgroups, nil
 	}
-	if errors.Is(err, cg.ErrNotV2) {
+	if errors.Is(err, ErrNotV2) {
 		return _newCgroups()
 	}
 	return nil, err
diff --git a/vendor/go.uber.org/automaxprocs/internal/runtime/cpu_quota_unsupported.go b/vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/cpu_quota_unsupported.go
similarity index 98%
rename from vendor/go.uber.org/automaxprocs/internal/runtime/cpu_quota_unsupported.go
rename to vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/cpu_quota_unsupported.go
index e74701508e..d2d61e8941 100644
--- a/vendor/go.uber.org/automaxprocs/internal/runtime/cpu_quota_unsupported.go
+++ b/vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/cpu_quota_unsupported.go
@@ -21,7 +21,7 @@
 //go:build !linux
 // +build !linux
 
-package runtime
+package automaxprocs
 
 // CPUQuotaToGOMAXPROCS converts the CPU quota applied to the calling process
 // to a valid GOMAXPROCS value. This is Linux-specific and not supported in the
diff --git a/vendor/go.uber.org/automaxprocs/internal/cgroups/errors.go b/vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/errors.go
similarity index 98%
rename from vendor/go.uber.org/automaxprocs/internal/cgroups/errors.go
rename to vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/errors.go
index 94ac75a46e..2e235d7d65 100644
--- a/vendor/go.uber.org/automaxprocs/internal/cgroups/errors.go
+++ b/vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/errors.go
@@ -21,7 +21,7 @@
 //go:build linux
 // +build linux
 
-package cgroups
+package automaxprocs
 
 import "fmt"
 
diff --git a/vendor/go.uber.org/automaxprocs/internal/cgroups/mountpoint.go b/vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/mountpoint.go
similarity index 99%
rename from vendor/go.uber.org/automaxprocs/internal/cgroups/mountpoint.go
rename to vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/mountpoint.go
index f3877f78aa..7c3fa306ef 100644
--- a/vendor/go.uber.org/automaxprocs/internal/cgroups/mountpoint.go
+++ b/vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/mountpoint.go
@@ -21,7 +21,7 @@
 //go:build linux
 // +build linux
 
-package cgroups
+package automaxprocs
 
 import (
 	"bufio"
diff --git a/vendor/go.uber.org/automaxprocs/internal/runtime/runtime.go b/vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/runtime.go
similarity index 98%
rename from vendor/go.uber.org/automaxprocs/internal/runtime/runtime.go
rename to vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/runtime.go
index f8a2834ac0..b8ec7e502a 100644
--- a/vendor/go.uber.org/automaxprocs/internal/runtime/runtime.go
+++ b/vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/runtime.go
@@ -18,7 +18,7 @@
 // OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 // THE SOFTWARE.
 
-package runtime
+package automaxprocs
 
 import "math"
 
diff --git a/vendor/go.uber.org/automaxprocs/internal/cgroups/subsys.go b/vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/subsys.go
similarity index 99%
rename from vendor/go.uber.org/automaxprocs/internal/cgroups/subsys.go
rename to vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/subsys.go
index cddc3eaec3..881ebd5902 100644
--- a/vendor/go.uber.org/automaxprocs/internal/cgroups/subsys.go
+++ b/vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/subsys.go
@@ -21,7 +21,7 @@
 //go:build linux
 // +build linux
 
-package cgroups
+package automaxprocs
 
 import (
 	"bufio"
diff --git a/vendor/github.com/onsi/ginkgo/v2/ginkgo/internal/profiles_and_reports.go b/vendor/github.com/onsi/ginkgo/v2/ginkgo/internal/profiles_and_reports.go
index 8e16d2bb03..f3439a3f0c 100644
--- a/vendor/github.com/onsi/ginkgo/v2/ginkgo/internal/profiles_and_reports.go
+++ b/vendor/github.com/onsi/ginkgo/v2/ginkgo/internal/profiles_and_reports.go
@@ -90,6 +90,9 @@ func FinalizeProfilesAndReportsForSuites(suites TestSuites, cliConfig types.CLIC
 	if reporterConfig.JSONReport != "" {
 		reportFormats = append(reportFormats, reportFormat{ReportName: reporterConfig.JSONReport, GenerateFunc: reporters.GenerateJSONReport, MergeFunc: reporters.MergeAndCleanupJSONReports})
 	}
+	if reporterConfig.GoJSONReport != "" {
+		reportFormats = append(reportFormats, reportFormat{ReportName: reporterConfig.GoJSONReport, GenerateFunc: reporters.GenerateGoTestJSONReport, MergeFunc: reporters.MergeAndCleanupGoTestJSONReports})
+	}
 	if reporterConfig.JUnitReport != "" {
 		reportFormats = append(reportFormats, reportFormat{ReportName: reporterConfig.JUnitReport, GenerateFunc: reporters.GenerateJUnitReport, MergeFunc: reporters.MergeAndCleanupJUnitReports})
 	}
diff --git a/vendor/github.com/onsi/ginkgo/v2/ginkgo/internal/run.go b/vendor/github.com/onsi/ginkgo/v2/ginkgo/internal/run.go
index 41052ea19d..48c69a1d83 100644
--- a/vendor/github.com/onsi/ginkgo/v2/ginkgo/internal/run.go
+++ b/vendor/github.com/onsi/ginkgo/v2/ginkgo/internal/run.go
@@ -9,6 +9,7 @@ import (
 	"path/filepath"
 	"regexp"
 	"strings"
+	"sync/atomic"
 	"syscall"
 	"time"
 
@@ -107,6 +108,9 @@ func runSerial(suite TestSuite, ginkgoConfig types.SuiteConfig, reporterConfig t
 	if reporterConfig.JSONReport != "" {
 		reporterConfig.JSONReport = AbsPathForGeneratedAsset(reporterConfig.JSONReport, suite, cliConfig, 0)
 	}
+	if reporterConfig.GoJSONReport != "" {
+		reporterConfig.GoJSONReport = AbsPathForGeneratedAsset(reporterConfig.GoJSONReport, suite, cliConfig, 0)
+	}
 	if reporterConfig.JUnitReport != "" {
 		reporterConfig.JUnitReport = AbsPathForGeneratedAsset(reporterConfig.JUnitReport, suite, cliConfig, 0)
 	}
@@ -156,12 +160,15 @@ func runSerial(suite TestSuite, ginkgoConfig types.SuiteConfig, reporterConfig t
 
 func runParallel(suite TestSuite, ginkgoConfig types.SuiteConfig, reporterConfig types.ReporterConfig, cliConfig types.CLIConfig, goFlagsConfig types.GoFlagsConfig, additionalArgs []string) TestSuite {
 	type procResult struct {
+		proc                 int
+		exitResult           string
 		passed               bool
 		hasProgrammaticFocus bool
 	}
 
 	numProcs := cliConfig.ComputedProcs()
 	procOutput := make([]*bytes.Buffer, numProcs)
+	procExitResult := make([]string, numProcs)
 	coverProfiles := []string{}
 
 	blockProfiles := []string{}
@@ -179,6 +186,9 @@ func runParallel(suite TestSuite, ginkgoConfig types.SuiteConfig, reporterConfig
 	if reporterConfig.JSONReport != "" {
 		reporterConfig.JSONReport = AbsPathForGeneratedAsset(reporterConfig.JSONReport, suite, cliConfig, 0)
 	}
+	if reporterConfig.GoJSONReport != "" {
+		reporterConfig.GoJSONReport = AbsPathForGeneratedAsset(reporterConfig.GoJSONReport, suite, cliConfig, 0)
+	}
 	if reporterConfig.JUnitReport != "" {
 		reporterConfig.JUnitReport = AbsPathForGeneratedAsset(reporterConfig.JUnitReport, suite, cliConfig, 0)
 	}
@@ -218,16 +228,20 @@ func runParallel(suite TestSuite, ginkgoConfig types.SuiteConfig, reporterConfig
 		args = append(args, additionalArgs...)
 
 		cmd, buf := buildAndStartCommand(suite, args, false)
+		var exited atomic.Bool
 		procOutput[proc-1] = buf
-		server.RegisterAlive(proc, func() bool { return cmd.ProcessState == nil || !cmd.ProcessState.Exited() })
+		server.RegisterAlive(proc, func() bool { return !exited.Load() })
 
 		go func() {
 			cmd.Wait()
 			exitStatus := cmd.ProcessState.Sys().(syscall.WaitStatus).ExitStatus()
 			procResults <- procResult{
+				proc:                 proc,
+				exitResult:           cmd.ProcessState.String(),
 				passed:               (exitStatus == 0) || (exitStatus == types.GINKGO_FOCUS_EXIT_CODE),
 				hasProgrammaticFocus: exitStatus == types.GINKGO_FOCUS_EXIT_CODE,
 			}
+			exited.Store(true)
 		}()
 	}
 
@@ -236,6 +250,7 @@ func runParallel(suite TestSuite, ginkgoConfig types.SuiteConfig, reporterConfig
 		result := <-procResults
 		passed = passed && result.passed
 		suite.HasProgrammaticFocus = suite.HasProgrammaticFocus || result.hasProgrammaticFocus
+		procExitResult[result.proc-1] = result.exitResult
 	}
 	if passed {
 		suite.State = TestSuiteStatePassed
@@ -255,6 +270,8 @@ func runParallel(suite TestSuite, ginkgoConfig types.SuiteConfig, reporterConfig
 		for proc := 1; proc <= cliConfig.ComputedProcs(); proc++ {
 			fmt.Fprintf(formatter.ColorableStdErr, formatter.F("{{bold}}Output from proc %d:{{/}}\n", proc))
 			fmt.Fprintln(os.Stderr, formatter.Fi(1, "%s", procOutput[proc-1].String()))
+			fmt.Fprintf(formatter.ColorableStdErr, formatter.F("{{bold}}Exit result of proc %d:{{/}}\n", proc))
+			fmt.Fprintln(os.Stderr, formatter.Fi(1, "%s\n", procExitResult[proc-1]))
 		}
 		fmt.Fprintf(os.Stderr, "** End **")
 	}
diff --git a/vendor/github.com/onsi/ginkgo/v2/ginkgo/main.go b/vendor/github.com/onsi/ginkgo/v2/ginkgo/main.go
index bd6b8fbff3..419589b48c 100644
--- a/vendor/github.com/onsi/ginkgo/v2/ginkgo/main.go
+++ b/vendor/github.com/onsi/ginkgo/v2/ginkgo/main.go
@@ -3,7 +3,6 @@ package main
 import (
 	"fmt"
 	"os"
-	_ "go.uber.org/automaxprocs"
 	"github.com/onsi/ginkgo/v2/ginkgo/build"
 	"github.com/onsi/ginkgo/v2/ginkgo/command"
 	"github.com/onsi/ginkgo/v2/ginkgo/generators"
diff --git a/vendor/github.com/onsi/ginkgo/v2/ginkgo/run/run_command.go b/vendor/github.com/onsi/ginkgo/v2/ginkgo/run/run_command.go
index 03875b9796..c5091e6de8 100644
--- a/vendor/github.com/onsi/ginkgo/v2/ginkgo/run/run_command.go
+++ b/vendor/github.com/onsi/ginkgo/v2/ginkgo/run/run_command.go
@@ -33,7 +33,7 @@ func BuildRunCommand() command.Command {
 		Usage:         "ginkgo run   -- ",
 		ShortDoc:      "Run the tests in the passed in  (or the package in the current directory if left blank)",
 		Documentation: "Any arguments after -- will be passed to the test.",
-		DocLink:       "running-tests",
+		DocLink:       "running-specs",
 		Command: func(args []string, additionalArgs []string) {
 			var errors []error
 			cliConfig, goFlagsConfig, errors = types.VetAndInitializeCLIAndGoConfig(cliConfig, goFlagsConfig)
diff --git a/vendor/github.com/onsi/ginkgo/v2/ginkgo_t_dsl.go b/vendor/github.com/onsi/ginkgo/v2/ginkgo_t_dsl.go
index cabf281457..40d1e1ab5c 100644
--- a/vendor/github.com/onsi/ginkgo/v2/ginkgo_t_dsl.go
+++ b/vendor/github.com/onsi/ginkgo/v2/ginkgo_t_dsl.go
@@ -190,3 +190,9 @@ func (g *GinkgoTBWrapper) Skipped() bool {
 func (g *GinkgoTBWrapper) TempDir() string {
 	return g.GinkgoT.TempDir()
 }
+func (g *GinkgoTBWrapper) Attr(key, value string) {
+	g.GinkgoT.Attr(key, value)
+}
+func (g *GinkgoTBWrapper) Output() io.Writer {
+	return g.GinkgoT.Output()
+}
diff --git a/vendor/github.com/onsi/ginkgo/v2/internal/focus.go b/vendor/github.com/onsi/ginkgo/v2/internal/focus.go
index a39daf5a60..498e707dbf 100644
--- a/vendor/github.com/onsi/ginkgo/v2/internal/focus.go
+++ b/vendor/github.com/onsi/ginkgo/v2/internal/focus.go
@@ -56,7 +56,7 @@ This function sets the `Skip` property on specs by applying Ginkgo's focus polic
 
 *Note:* specs with pending nodes are Skipped when created by NewSpec.
 */
-func ApplyFocusToSpecs(specs Specs, description string, suiteLabels Labels, suiteSemVerConstraints SemVerConstraints, suiteConfig types.SuiteConfig) (Specs, bool) {
+func ApplyFocusToSpecs(specs Specs, description string, suiteLabels Labels, suiteSemVerConstraints SemVerConstraints, suiteComponentSemVerConstraints ComponentSemVerConstraints, suiteConfig types.SuiteConfig) (Specs, bool) {
 	focusString := strings.Join(suiteConfig.FocusStrings, "|")
 	skipString := strings.Join(suiteConfig.SkipStrings, "|")
 
@@ -87,7 +87,24 @@ func ApplyFocusToSpecs(specs Specs, description string, suiteLabels Labels, suit
 	if suiteConfig.SemVerFilter != "" {
 		semVerFilter, _ := types.ParseSemVerFilter(suiteConfig.SemVerFilter)
 		skipChecks = append(skipChecks, func(spec Spec) bool {
-			return !semVerFilter(UnionOfSemVerConstraints(suiteSemVerConstraints, spec.Nodes.UnionOfSemVerConstraints()))
+			noRun := false
+
+			// non-component-specific constraints
+			constraints := UnionOfSemVerConstraints(suiteSemVerConstraints, spec.Nodes.UnionOfSemVerConstraints())
+			if len(constraints) != 0 && semVerFilter("", constraints) == false {
+				noRun = true
+			}
+
+			// component-specific constraints
+			componentConstraints := UnionOfComponentSemVerConstraints(suiteComponentSemVerConstraints, spec.Nodes.UnionOfComponentSemVerConstraints())
+			for component, constraints := range componentConstraints {
+				if semVerFilter(component, constraints) == false {
+					noRun = true
+					break
+				}
+			}
+
+			return noRun
 		})
 	}
 
diff --git a/vendor/github.com/onsi/ginkgo/v2/internal/group.go b/vendor/github.com/onsi/ginkgo/v2/internal/group.go
index b88fe2060a..5e66113343 100644
--- a/vendor/github.com/onsi/ginkgo/v2/internal/group.go
+++ b/vendor/github.com/onsi/ginkgo/v2/internal/group.go
@@ -110,23 +110,56 @@ func newGroup(suite *Suite) *group {
 	}
 }
 
+// initialReportForSpec constructs a new SpecReport right before running the spec.
 func (g *group) initialReportForSpec(spec Spec) types.SpecReport {
 	return types.SpecReport{
-		ContainerHierarchyTexts:             spec.Nodes.WithType(types.NodeTypeContainer).Texts(),
-		ContainerHierarchyLocations:         spec.Nodes.WithType(types.NodeTypeContainer).CodeLocations(),
-		ContainerHierarchyLabels:            spec.Nodes.WithType(types.NodeTypeContainer).Labels(),
-		ContainerHierarchySemVerConstraints: spec.Nodes.WithType(types.NodeTypeContainer).SemVerConstraints(),
-		LeafNodeLocation:                    spec.FirstNodeWithType(types.NodeTypeIt).CodeLocation,
-		LeafNodeType:                        types.NodeTypeIt,
-		LeafNodeText:                        spec.FirstNodeWithType(types.NodeTypeIt).Text,
-		LeafNodeLabels:                      []string(spec.FirstNodeWithType(types.NodeTypeIt).Labels),
-		LeafNodeSemVerConstraints:           []string(spec.FirstNodeWithType(types.NodeTypeIt).SemVerConstraints),
-		ParallelProcess:                     g.suite.config.ParallelProcess,
-		RunningInParallel:                   g.suite.isRunningInParallel(),
-		IsSerial:                            spec.Nodes.HasNodeMarkedSerial(),
-		IsInOrderedContainer:                !spec.Nodes.FirstNodeMarkedOrdered().IsZero(),
-		MaxFlakeAttempts:                    spec.Nodes.GetMaxFlakeAttempts(),
-		MaxMustPassRepeatedly:               spec.Nodes.GetMaxMustPassRepeatedly(),
+		ContainerHierarchyTexts:                      spec.Nodes.WithType(types.NodeTypeContainer).Texts(),
+		ContainerHierarchyLocations:                  spec.Nodes.WithType(types.NodeTypeContainer).CodeLocations(),
+		ContainerHierarchyLabels:                     spec.Nodes.WithType(types.NodeTypeContainer).Labels(),
+		ContainerHierarchySemVerConstraints:          spec.Nodes.WithType(types.NodeTypeContainer).SemVerConstraints(),
+		ContainerHierarchyComponentSemVerConstraints: spec.Nodes.WithType(types.NodeTypeContainer).ComponentSemVerConstraints(),
+		LeafNodeLocation:                             spec.FirstNodeWithType(types.NodeTypeIt).CodeLocation,
+		LeafNodeType:                                 types.NodeTypeIt,
+		LeafNodeText:                                 spec.FirstNodeWithType(types.NodeTypeIt).Text,
+		LeafNodeLabels:                               []string(spec.FirstNodeWithType(types.NodeTypeIt).Labels),
+		LeafNodeSemVerConstraints:                    []string(spec.FirstNodeWithType(types.NodeTypeIt).SemVerConstraints),
+		LeafNodeComponentSemVerConstraints:           map[string][]string(spec.FirstNodeWithType(types.NodeTypeIt).ComponentSemVerConstraints),
+		ParallelProcess:                              g.suite.config.ParallelProcess,
+		RunningInParallel:                            g.suite.isRunningInParallel(),
+		IsSerial:                                     spec.Nodes.HasNodeMarkedSerial(),
+		IsInOrderedContainer:                         !spec.Nodes.FirstNodeMarkedOrdered().IsZero(),
+		MaxFlakeAttempts:                             spec.Nodes.GetMaxFlakeAttempts(),
+		MaxMustPassRepeatedly:                        spec.Nodes.GetMaxMustPassRepeatedly(),
+		SpecPriority:                                 spec.Nodes.GetSpecPriority(),
+	}
+}
+
+// constructionNodeReportForTreeNode constructs a new SpecReport right before invoking the body
+// of a container node during construction of the full tree.
+func constructionNodeReportForTreeNode(node *TreeNode) *types.ConstructionNodeReport {
+	var report types.ConstructionNodeReport
+	// Walk up the tree and set attributes accordingly.
+	addNodeToReportForNode(&report, node)
+	return &report
+}
+
+// addNodeToReportForNode is conceptually similar to initialReportForSpec and therefore placed here
+// although it doesn't do anything with a group.
+func addNodeToReportForNode(report *types.ConstructionNodeReport, node *TreeNode) {
+	if node.Parent != nil {
+		// First add the parent node, then the current one.
+		addNodeToReportForNode(report, node.Parent)
+	}
+	report.ContainerHierarchyTexts = append(report.ContainerHierarchyTexts, node.Node.Text)
+	report.ContainerHierarchyLocations = append(report.ContainerHierarchyLocations, node.Node.CodeLocation)
+	report.ContainerHierarchyLabels = append(report.ContainerHierarchyLabels, node.Node.Labels)
+	report.ContainerHierarchySemVerConstraints = append(report.ContainerHierarchySemVerConstraints, node.Node.SemVerConstraints)
+	report.ContainerHierarchyComponentSemVerConstraints = append(report.ContainerHierarchyComponentSemVerConstraints, node.Node.ComponentSemVerConstraints)
+	if node.Node.MarkedSerial {
+		report.IsSerial = true
+	}
+	if node.Node.MarkedOrdered {
+		report.IsInOrderedContainer = true
 	}
 }
 
diff --git a/vendor/github.com/onsi/ginkgo/v2/internal/node.go b/vendor/github.com/onsi/ginkgo/v2/internal/node.go
index 647368feac..b0c8de8d69 100644
--- a/vendor/github.com/onsi/ginkgo/v2/internal/node.go
+++ b/vendor/github.com/onsi/ginkgo/v2/internal/node.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"reflect"
+	"slices"
 	"sort"
 	"sync"
 	"time"
@@ -46,22 +47,25 @@ type Node struct {
 	ReportEachBody  func(SpecContext, types.SpecReport)
 	ReportSuiteBody func(SpecContext, types.Report)
 
-	MarkedFocus             bool
-	MarkedPending           bool
-	MarkedSerial            bool
-	MarkedOrdered           bool
-	MarkedContinueOnFailure bool
-	MarkedOncePerOrdered    bool
-	FlakeAttempts           int
-	MustPassRepeatedly      int
-	Labels                  Labels
-	SemVerConstraints       SemVerConstraints
-	PollProgressAfter       time.Duration
-	PollProgressInterval    time.Duration
-	NodeTimeout             time.Duration
-	SpecTimeout             time.Duration
-	GracePeriod             time.Duration
-	AroundNodes             types.AroundNodes
+	MarkedFocus                  bool
+	MarkedPending                bool
+	MarkedSerial                 bool
+	MarkedOrdered                bool
+	MarkedContinueOnFailure      bool
+	MarkedOncePerOrdered         bool
+	FlakeAttempts                int
+	MustPassRepeatedly           int
+	Labels                       Labels
+	SemVerConstraints            SemVerConstraints
+	ComponentSemVerConstraints   ComponentSemVerConstraints
+	PollProgressAfter            time.Duration
+	PollProgressInterval         time.Duration
+	NodeTimeout                  time.Duration
+	SpecTimeout                  time.Duration
+	GracePeriod                  time.Duration
+	AroundNodes                  types.AroundNodes
+	HasExplicitlySetSpecPriority bool
+	SpecPriority                 int
 
 	NodeIDWhereCleanupWasGenerated uint
 }
@@ -92,6 +96,7 @@ type PollProgressAfter time.Duration
 type NodeTimeout time.Duration
 type SpecTimeout time.Duration
 type GracePeriod time.Duration
+type SpecPriority int
 
 type Labels []string
 
@@ -102,7 +107,24 @@ func (l Labels) MatchesLabelFilter(query string) bool {
 type SemVerConstraints []string
 
 func (svc SemVerConstraints) MatchesSemVerFilter(version string) bool {
-	return types.MustParseSemVerFilter(version)(svc)
+	return types.MustParseSemVerFilter(version)("", svc)
+}
+
+type ComponentSemVerConstraints map[string][]string
+
+func (csvc ComponentSemVerConstraints) MatchesSemVerFilter(component, version string) bool {
+	for comp, constraints := range csvc {
+		if comp != component {
+			continue
+		}
+
+		input := version
+		if len(component) > 0 {
+			input = fmt.Sprintf("%s=%s", component, version)
+		}
+		return types.MustParseSemVerFilter(input)(component, constraints)
+	}
+	return false
 }
 
 func unionOf[S ~[]E, E comparable](slices ...S) S {
@@ -127,6 +149,16 @@ func UnionOfSemVerConstraints(semVerConstraints ...SemVerConstraints) SemVerCons
 	return unionOf(semVerConstraints...)
 }
 
+func UnionOfComponentSemVerConstraints(componentSemVerConstraintsSlice ...ComponentSemVerConstraints) ComponentSemVerConstraints {
+	unionComponentSemVerConstraints := ComponentSemVerConstraints{}
+	for _, componentSemVerConstraints := range componentSemVerConstraintsSlice {
+		for component, constraints := range componentSemVerConstraints {
+			unionComponentSemVerConstraints[component] = unionOf(unionComponentSemVerConstraints[component], constraints)
+		}
+	}
+	return unionComponentSemVerConstraints
+}
+
 func PartitionDecorations(args ...any) ([]any, []any) {
 	decorations := []any{}
 	remainingArgs := []any{}
@@ -170,6 +202,8 @@ func isDecoration(arg any) bool {
 		return true
 	case t == reflect.TypeOf(SemVerConstraints{}):
 		return true
+	case t == reflect.TypeOf(ComponentSemVerConstraints{}):
+		return true
 	case t == reflect.TypeOf(PollProgressInterval(0)):
 		return true
 	case t == reflect.TypeOf(PollProgressAfter(0)):
@@ -182,6 +216,8 @@ func isDecoration(arg any) bool {
 		return true
 	case t == reflect.TypeOf(types.AroundNodeDecorator{}):
 		return true
+	case t == reflect.TypeOf(SpecPriority(0)):
+		return true
 	case t.Kind() == reflect.Slice && isSliceOfDecorations(arg):
 		return true
 	default:
@@ -208,16 +244,17 @@ var specContextType = reflect.TypeOf(new(SpecContext)).Elem()
 func NewNode(deprecationTracker *types.DeprecationTracker, nodeType types.NodeType, text string, args ...any) (Node, []error) {
 	baseOffset := 2
 	node := Node{
-		ID:                   UniqueNodeID(),
-		NodeType:             nodeType,
-		Text:                 text,
-		Labels:               Labels{},
-		SemVerConstraints:    SemVerConstraints{},
-		CodeLocation:         types.NewCodeLocation(baseOffset),
-		NestingLevel:         -1,
-		PollProgressAfter:    -1,
-		PollProgressInterval: -1,
-		GracePeriod:          -1,
+		ID:                         UniqueNodeID(),
+		NodeType:                   nodeType,
+		Text:                       text,
+		Labels:                     Labels{},
+		SemVerConstraints:          SemVerConstraints{},
+		ComponentSemVerConstraints: ComponentSemVerConstraints{},
+		CodeLocation:               types.NewCodeLocation(baseOffset),
+		NestingLevel:               -1,
+		PollProgressAfter:          -1,
+		PollProgressInterval:       -1,
+		GracePeriod:                -1,
 	}
 
 	errors := []error{}
@@ -227,7 +264,7 @@ func NewNode(deprecationTracker *types.DeprecationTracker, nodeType types.NodeTy
 		}
 	}
 
-	args = unrollInterfaceSlice(args)
+	args = UnrollInterfaceSlice(args)
 
 	remainingArgs := []any{}
 	// First get the CodeLocation up-to-date
@@ -322,6 +359,12 @@ func NewNode(deprecationTracker *types.DeprecationTracker, nodeType types.NodeTy
 			if nodeType.Is(types.NodeTypeContainer) {
 				appendError(types.GinkgoErrors.InvalidDecoratorForNodeType(node.CodeLocation, nodeType, "GracePeriod"))
 			}
+		case t == reflect.TypeOf(SpecPriority(0)):
+			if !nodeType.Is(types.NodeTypesForContainerAndIt) {
+				appendError(types.GinkgoErrors.InvalidDecoratorForNodeType(node.CodeLocation, nodeType, "SpecPriority"))
+			}
+			node.SpecPriority = int(arg.(SpecPriority))
+			node.HasExplicitlySetSpecPriority = true
 		case t == reflect.TypeOf(types.AroundNodeDecorator{}):
 			node.AroundNodes = append(node.AroundNodes, arg.(types.AroundNodeDecorator))
 		case t == reflect.TypeOf(Labels{}):
@@ -348,6 +391,36 @@ func NewNode(deprecationTracker *types.DeprecationTracker, nodeType types.NodeTy
 					appendError(err)
 				}
 			}
+		case t == reflect.TypeOf(ComponentSemVerConstraints{}):
+			if !nodeType.Is(types.NodeTypesForContainerAndIt) {
+				appendError(types.GinkgoErrors.InvalidDecoratorForNodeType(node.CodeLocation, nodeType, "ComponentSemVerConstraint"))
+			}
+			for component, semVerConstraints := range arg.(ComponentSemVerConstraints) {
+				// while using ComponentSemVerConstraints, we should not allow empty component names.
+				// you should use SemVerConstraints for that.
+				hasErr := false
+				if len(component) == 0 {
+					appendError(types.GinkgoErrors.InvalidEmptyComponentForSemVerConstraint(node.CodeLocation))
+					hasErr = true
+				}
+				for _, semVerConstraint := range semVerConstraints {
+					_, err := types.ValidateAndCleanupSemVerConstraint(semVerConstraint, node.CodeLocation)
+					if err != nil {
+						appendError(err)
+						hasErr = true
+					}
+				}
+
+				if !hasErr {
+					// merge constraints if the component already exists
+					constraints := slices.Clone(semVerConstraints)
+					if existingConstraints, exists := node.ComponentSemVerConstraints[component]; exists {
+						constraints = UnionOfSemVerConstraints([]string(existingConstraints), constraints)
+					}
+
+					node.ComponentSemVerConstraints[component] = slices.Clone(constraints)
+				}
+			}
 		case t.Kind() == reflect.Func:
 			if nodeType.Is(types.NodeTypeContainer) {
 				if node.Body != nil {
@@ -636,7 +709,7 @@ func NewCleanupNode(deprecationTracker *types.DeprecationTracker, fail func(stri
 		})
 	}
 
-	return NewNode(deprecationTracker, types.NodeTypeCleanupInvalid, "", finalArgs...)
+	return NewNode(deprecationTracker, types.NodeTypeCleanupInvalid, "", finalArgs)
 }
 
 func (n Node) IsZero() bool {
@@ -887,6 +960,34 @@ func (n Nodes) UnionOfSemVerConstraints() []string {
 	return out
 }
 
+func (n Nodes) ComponentSemVerConstraints() []map[string][]string {
+	out := make([]map[string][]string, len(n))
+	for i := range n {
+		if n[i].ComponentSemVerConstraints == nil {
+			out[i] = map[string][]string{}
+		} else {
+			out[i] = map[string][]string(n[i].ComponentSemVerConstraints)
+		}
+	}
+	return out
+}
+
+func (n Nodes) UnionOfComponentSemVerConstraints() map[string][]string {
+	out := map[string][]string{}
+	seen := map[string]bool{}
+	for i := range n {
+		for component := range n[i].ComponentSemVerConstraints {
+			if !seen[component] {
+				seen[component] = true
+				out[component] = n[i].ComponentSemVerConstraints[component]
+			} else {
+				out[component] = UnionOfSemVerConstraints(out[component], n[i].ComponentSemVerConstraints[component])
+			}
+		}
+	}
+	return out
+}
+
 func (n Nodes) CodeLocations() []types.CodeLocation {
 	out := make([]types.CodeLocation, len(n))
 	for i := range n {
@@ -983,7 +1084,16 @@ func (n Nodes) GetMaxMustPassRepeatedly() int {
 	return maxMustPassRepeatedly
 }
 
-func unrollInterfaceSlice(args any) []any {
+func (n Nodes) GetSpecPriority() int {
+	for i := len(n) - 1; i >= 0; i-- {
+		if n[i].HasExplicitlySetSpecPriority {
+			return n[i].SpecPriority
+		}
+	}
+	return 0
+}
+
+func UnrollInterfaceSlice(args any) []any {
 	v := reflect.ValueOf(args)
 	if v.Kind() != reflect.Slice {
 		return []any{args}
@@ -992,10 +1102,66 @@ func unrollInterfaceSlice(args any) []any {
 	for i := 0; i < v.Len(); i++ {
 		el := reflect.ValueOf(v.Index(i).Interface())
 		if el.Kind() == reflect.Slice && el.Type() != reflect.TypeOf(Labels{}) && el.Type() != reflect.TypeOf(SemVerConstraints{}) {
-			out = append(out, unrollInterfaceSlice(el.Interface())...)
+			out = append(out, UnrollInterfaceSlice(el.Interface())...)
 		} else {
 			out = append(out, v.Index(i).Interface())
 		}
 	}
 	return out
 }
+
+type NodeArgsTransformer func(nodeType types.NodeType, offset Offset, text string, args []any) (string, []any, []error)
+
+func AddTreeConstructionNodeArgsTransformer(transformer NodeArgsTransformer) func() {
+	id := nodeArgsTransformerCounter
+	nodeArgsTransformerCounter++
+	nodeArgsTransformers = append(nodeArgsTransformers, registeredNodeArgsTransformer{id, transformer})
+	return func() {
+		nodeArgsTransformers = slices.DeleteFunc(nodeArgsTransformers, func(transformer registeredNodeArgsTransformer) bool {
+			return transformer.id == id
+		})
+	}
+}
+
+var (
+	nodeArgsTransformerCounter int64
+	nodeArgsTransformers       []registeredNodeArgsTransformer
+)
+
+type registeredNodeArgsTransformer struct {
+	id          int64
+	transformer NodeArgsTransformer
+}
+
+// TransformNewNodeArgs is the helper for DSL functions which handles NodeArgsTransformers.
+//
+// Its return valus are intentionally the same as the internal.NewNode parameters,
+// which makes it possible to chain the invocations:
+//
+//	NewNode(transformNewNodeArgs(...))
+func TransformNewNodeArgs(exitIfErrors func([]error), deprecationTracker *types.DeprecationTracker, nodeType types.NodeType, text string, args ...any) (*types.DeprecationTracker, types.NodeType, string, []any) {
+	var errs []error
+
+	// Most recent first...
+	//
+	// This intentionally doesn't use slices.Backward because
+	// using iterators influences stack unwinding.
+	for i := len(nodeArgsTransformers) - 1; i >= 0; i-- {
+		transformer := nodeArgsTransformers[i].transformer
+		args = UnrollInterfaceSlice(args)
+
+		// We do not really need to recompute this on additional loop iterations,
+		// but its fast and simpler this way.
+		var offset Offset
+		for _, arg := range args {
+			if o, ok := arg.(Offset); ok {
+				offset = o
+			}
+		}
+		offset += 3 // The DSL function, this helper, and the TransformNodeArgs implementation.
+
+		text, args, errs = transformer(nodeType, offset, text, args)
+		exitIfErrors(errs)
+	}
+	return deprecationTracker, nodeType, text, args
+}
diff --git a/vendor/github.com/onsi/ginkgo/v2/internal/ordering.go b/vendor/github.com/onsi/ginkgo/v2/internal/ordering.go
index 84eea0a59e..da58d54f95 100644
--- a/vendor/github.com/onsi/ginkgo/v2/internal/ordering.go
+++ b/vendor/github.com/onsi/ginkgo/v2/internal/ordering.go
@@ -125,7 +125,7 @@ func OrderSpecs(specs Specs, suiteConfig types.SuiteConfig) (GroupedSpecIndices,
 		// pick out a representative spec
 		representativeSpec := specs[executionGroups[groupID][0]]
 
-		// and grab the node on the spec that will represent which shufflable group this execution group belongs tu
+		// and grab the node on the spec that will represent which shufflable group this execution group belongs to
 		shufflableGroupingNode := representativeSpec.Nodes.FirstNodeWithType(nodeTypesToShuffle)
 
 		//add the execution group to its shufflable group
@@ -138,14 +138,35 @@ func OrderSpecs(specs Specs, suiteConfig types.SuiteConfig) (GroupedSpecIndices,
 		}
 	}
 
+	// now, for each shuffleable group, we compute the priority
+	shufflableGroupingIDPriorities := map[uint]int{}
+	for shufflableGroupingID, groupIDs := range shufflableGroupingIDToGroupIDs {
+		// the priority of a shufflable grouping is the max priority of any spec in any execution group in the shufflable grouping
+		maxPriority := -1 << 31 // min int
+		for _, groupID := range groupIDs {
+			for _, specIdx := range executionGroups[groupID] {
+				specPriority := specs[specIdx].Nodes.GetSpecPriority()
+				maxPriority = max(specPriority, maxPriority)
+			}
+		}
+		shufflableGroupingIDPriorities[shufflableGroupingID] = maxPriority
+	}
+
 	// now we permute the sorted shufflable grouping IDs and build the ordered Groups
-	orderedGroups := GroupedSpecIndices{}
 	permutation := r.Perm(len(shufflableGroupingIDs))
-	for _, j := range permutation {
-		//let's get the execution group IDs for this shufflable group:
-		executionGroupIDsForJ := shufflableGroupingIDToGroupIDs[shufflableGroupingIDs[j]]
-		// and we'll add their associated specindices to the orderedGroups slice:
-		for _, executionGroupID := range executionGroupIDsForJ {
+	shuffledGroupingIds := make([]uint, len(shufflableGroupingIDs))
+	for i, j := range permutation {
+		shuffledGroupingIds[i] = shufflableGroupingIDs[j]
+	}
+	// now, we need to stable sort the shuffledGroupingIds by priority (higher priority first)
+	sort.SliceStable(shuffledGroupingIds, func(i, j int) bool {
+		return shufflableGroupingIDPriorities[shuffledGroupingIds[i]] > shufflableGroupingIDPriorities[shuffledGroupingIds[j]]
+	})
+
+	// we can now take these prioritized, shuffled, groupings and form the final set of ordered spec groups
+	orderedGroups := GroupedSpecIndices{}
+	for _, id := range shuffledGroupingIds {
+		for _, executionGroupID := range shufflableGroupingIDToGroupIDs[id] {
 			orderedGroups = append(orderedGroups, executionGroups[executionGroupID])
 		}
 	}
diff --git a/vendor/github.com/onsi/ginkgo/v2/internal/reporters/gojson.go b/vendor/github.com/onsi/ginkgo/v2/internal/reporters/gojson.go
new file mode 100644
index 0000000000..751543ea78
--- /dev/null
+++ b/vendor/github.com/onsi/ginkgo/v2/internal/reporters/gojson.go
@@ -0,0 +1,171 @@
+package reporters
+
+import (
+	"errors"
+	"fmt"
+	"strings"
+	"time"
+
+	"github.com/onsi/ginkgo/v2/types"
+	"golang.org/x/tools/go/packages"
+)
+
+func ptr[T any](in T) *T {
+	return &in
+}
+
+type encoder interface {
+	Encode(v any) error
+}
+
+// gojsonEvent matches the format from go internals
+// https://github.com/golang/go/blob/master/src/cmd/internal/test2json/test2json.go#L31-L41
+// https://pkg.go.dev/cmd/test2json
+type gojsonEvent struct {
+	Time        *time.Time `json:",omitempty"`
+	Action      GoJSONAction
+	Package     string   `json:",omitempty"`
+	Test        string   `json:",omitempty"`
+	Elapsed     *float64 `json:",omitempty"`
+	Output      *string  `json:",omitempty"`
+	FailedBuild string   `json:",omitempty"`
+}
+
+type GoJSONAction string
+
+const (
+	// start  - the test binary is about to be executed
+	GoJSONStart GoJSONAction = "start"
+	// run    - the test has started running
+	GoJSONRun GoJSONAction = "run"
+	// pause  - the test has been paused
+	GoJSONPause GoJSONAction = "pause"
+	// cont   - the test has continued running
+	GoJSONCont GoJSONAction = "cont"
+	// pass   - the test passed
+	GoJSONPass GoJSONAction = "pass"
+	// bench  - the benchmark printed log output but did not fail
+	GoJSONBench GoJSONAction = "bench"
+	// fail   - the test or benchmark failed
+	GoJSONFail GoJSONAction = "fail"
+	// output - the test printed output
+	GoJSONOutput GoJSONAction = "output"
+	// skip   - the test was skipped or the package contained no tests
+	GoJSONSkip GoJSONAction = "skip"
+)
+
+func goJSONActionFromSpecState(state types.SpecState) GoJSONAction {
+	switch state {
+	case types.SpecStateInvalid:
+		return GoJSONFail
+	case types.SpecStatePending:
+		return GoJSONSkip
+	case types.SpecStateSkipped:
+		return GoJSONSkip
+	case types.SpecStatePassed:
+		return GoJSONPass
+	case types.SpecStateFailed:
+		return GoJSONFail
+	case types.SpecStateAborted:
+		return GoJSONFail
+	case types.SpecStatePanicked:
+		return GoJSONFail
+	case types.SpecStateInterrupted:
+		return GoJSONFail
+	case types.SpecStateTimedout:
+		return GoJSONFail
+	default:
+		panic("unexpected state should not happen")
+	}
+}
+
+// gojsonReport wraps types.Report and calcualtes extra fields requires by gojson
+type gojsonReport struct {
+	o types.Report
+	// Extra calculated fields
+	goPkg   string
+	elapsed float64
+}
+
+func newReport(in types.Report) *gojsonReport {
+	return &gojsonReport{
+		o: in,
+	}
+}
+
+func (r *gojsonReport) Fill() error {
+	// NOTE: could the types.Report include the go package name?
+	goPkg, err := suitePathToPkg(r.o.SuitePath)
+	if err != nil {
+		return err
+	}
+	r.goPkg = goPkg
+	r.elapsed = r.o.RunTime.Seconds()
+	return nil
+}
+
+// gojsonSpecReport wraps types.SpecReport and calculates extra fields required by gojson
+type gojsonSpecReport struct {
+	o types.SpecReport
+	// extra calculated fields
+	testName string
+	elapsed  float64
+	action   GoJSONAction
+}
+
+func newSpecReport(in types.SpecReport) *gojsonSpecReport {
+	return &gojsonSpecReport{
+		o: in,
+	}
+}
+
+func (sr *gojsonSpecReport) Fill() error {
+	sr.elapsed = sr.o.RunTime.Seconds()
+	sr.testName = createTestName(sr.o)
+	sr.action = goJSONActionFromSpecState(sr.o.State)
+	return nil
+}
+
+func suitePathToPkg(dir string) (string, error) {
+	cfg := &packages.Config{
+		Mode: packages.NeedFiles | packages.NeedSyntax,
+	}
+	pkgs, err := packages.Load(cfg, dir)
+	if err != nil {
+		return "", err
+	}
+	if len(pkgs) != 1 {
+		return "", errors.New("error")
+	}
+	return pkgs[0].ID, nil
+}
+
+func createTestName(spec types.SpecReport) string {
+	name := fmt.Sprintf("[%s]", spec.LeafNodeType)
+	if spec.FullText() != "" {
+		name = name + " " + spec.FullText()
+	}
+	labels := spec.Labels()
+	if len(labels) > 0 {
+		name = name + " [" + strings.Join(labels, ", ") + "]"
+	}
+	semVerConstraints := spec.SemVerConstraints()
+	if len(semVerConstraints) > 0 {
+		name = name + " [" + strings.Join(semVerConstraints, ", ") + "]"
+	}
+	componentSemVerConstraints := spec.ComponentSemVerConstraints()
+	if len(componentSemVerConstraints) > 0 {
+		name = name + " [" + formatComponentSemVerConstraintsToString(componentSemVerConstraints) + "]"
+	}
+	name = strings.TrimSpace(name)
+	return name
+}
+
+func formatComponentSemVerConstraintsToString(componentSemVerConstraints map[string][]string) string {
+	var tmpStr string
+	for component, semVerConstraints := range componentSemVerConstraints {
+		tmpStr = tmpStr + fmt.Sprintf("%s: %s, ", component, semVerConstraints)
+	}
+	tmpStr = strings.TrimSuffix(tmpStr, ", ")
+	return tmpStr
+}
diff --git a/vendor/github.com/onsi/ginkgo/v2/internal/reporters/gojson_event_writer.go b/vendor/github.com/onsi/ginkgo/v2/internal/reporters/gojson_event_writer.go
new file mode 100644
index 0000000000..ec5311d069
--- /dev/null
+++ b/vendor/github.com/onsi/ginkgo/v2/internal/reporters/gojson_event_writer.go
@@ -0,0 +1,111 @@
+package reporters
+
+type GoJSONEventWriter struct {
+	enc encoder
+	specSystemErrFn specSystemExtractFn
+	specSystemOutFn specSystemExtractFn
+}
+
+func NewGoJSONEventWriter(enc encoder, errFn specSystemExtractFn, outFn specSystemExtractFn) *GoJSONEventWriter {
+	return &GoJSONEventWriter{
+		enc: enc,
+		specSystemErrFn: errFn,
+		specSystemOutFn: outFn,
+	}
+}
+
+func (r *GoJSONEventWriter) writeEvent(e *gojsonEvent) error {
+	return r.enc.Encode(e)
+}
+
+func (r *GoJSONEventWriter) WriteSuiteStart(report *gojsonReport) error {
+	e := &gojsonEvent{
+		Time:        &report.o.StartTime,
+		Action:      GoJSONStart,
+		Package:     report.goPkg,
+		Output:      nil,
+		FailedBuild: "",
+	}
+	return r.writeEvent(e)
+}
+
+func (r *GoJSONEventWriter) WriteSuiteResult(report *gojsonReport) error {
+	var action GoJSONAction
+	switch {
+	case report.o.PreRunStats.SpecsThatWillRun == 0:
+		action = GoJSONSkip
+	case report.o.SuiteSucceeded:
+		action = GoJSONPass
+	default:
+		action = GoJSONFail
+	}
+	e := &gojsonEvent{
+		Time:        &report.o.EndTime,
+		Action:      action,
+		Package:     report.goPkg,
+		Output:      nil,
+		FailedBuild: "",
+		Elapsed:     ptr(report.elapsed),
+	}
+	return r.writeEvent(e)
+}
+
+func (r *GoJSONEventWriter) WriteSpecStart(report *gojsonReport, specReport *gojsonSpecReport) error {
+	e := &gojsonEvent{
+		Time:        &specReport.o.StartTime,
+		Action:      GoJSONRun,
+		Test:        specReport.testName,
+		Package:     report.goPkg,
+		Output:      nil,
+		FailedBuild: "",
+	}
+	return r.writeEvent(e)
+}
+
+func (r *GoJSONEventWriter) WriteSpecOut(report *gojsonReport, specReport *gojsonSpecReport) error {
+	events := []*gojsonEvent{}
+
+	stdErr := r.specSystemErrFn(specReport.o)
+	if stdErr != "" {
+		events = append(events, &gojsonEvent{
+			Time:        &specReport.o.EndTime,
+			Action:      GoJSONOutput,
+			Test:        specReport.testName,
+			Package:     report.goPkg,
+			Output:      ptr(stdErr),
+			FailedBuild: "",
+		})
+	}
+	stdOut := r.specSystemOutFn(specReport.o)
+	if stdOut != "" {
+		events = append(events, &gojsonEvent{
+			Time:        &specReport.o.EndTime,
+			Action:      GoJSONOutput,
+			Test:        specReport.testName,
+			Package:     report.goPkg,
+			Output:      ptr(stdOut),
+			FailedBuild: "",
+		})
+	}
+
+	for _, ev := range events {
+		err := r.writeEvent(ev)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (r *GoJSONEventWriter) WriteSpecResult(report *gojsonReport, specReport *gojsonSpecReport) error {
+	e := &gojsonEvent{
+		Time:        &specReport.o.EndTime,
+		Action:      specReport.action,
+		Test:        specReport.testName,
+		Package:     report.goPkg,
+		Elapsed:     ptr(specReport.elapsed),
+		Output:      nil,
+		FailedBuild: "",
+	}
+	return r.writeEvent(e)
+}
diff --git a/vendor/github.com/onsi/ginkgo/v2/internal/reporters/gojson_reporter.go b/vendor/github.com/onsi/ginkgo/v2/internal/reporters/gojson_reporter.go
new file mode 100644
index 0000000000..633e49b88d
--- /dev/null
+++ b/vendor/github.com/onsi/ginkgo/v2/internal/reporters/gojson_reporter.go
@@ -0,0 +1,45 @@
+package reporters
+
+import (
+	"github.com/onsi/ginkgo/v2/types"
+)
+
+type GoJSONReporter struct {
+	ev *GoJSONEventWriter
+}
+
+type specSystemExtractFn func (spec types.SpecReport) string
+
+func NewGoJSONReporter(enc encoder, errFn specSystemExtractFn, outFn specSystemExtractFn) *GoJSONReporter {
+	return &GoJSONReporter{
+		ev: NewGoJSONEventWriter(enc, errFn, outFn),
+	}
+}
+
+func (r *GoJSONReporter) Write(originalReport types.Report) error {
+	// suite start events
+	report := newReport(originalReport)
+	err := report.Fill()
+	if err != nil {
+		return err
+	}
+	r.ev.WriteSuiteStart(report)
+	for _, originalSpecReport := range originalReport.SpecReports {
+		specReport := newSpecReport(originalSpecReport)
+		err := specReport.Fill()
+		if err != nil {
+			return err
+		}
+		if specReport.o.LeafNodeType == types.NodeTypeIt {
+			// handle any It leaf node as a spec
+			r.ev.WriteSpecStart(report, specReport)
+			r.ev.WriteSpecOut(report, specReport)
+			r.ev.WriteSpecResult(report, specReport)
+		} else {
+			// handle any other leaf node as generic output
+			r.ev.WriteSpecOut(report, specReport)
+		}
+	}
+	r.ev.WriteSuiteResult(report)
+	return nil
+}
diff --git a/vendor/github.com/onsi/ginkgo/v2/internal/suite.go b/vendor/github.com/onsi/ginkgo/v2/internal/suite.go
index 14a0688f89..8f711e507a 100644
--- a/vendor/github.com/onsi/ginkgo/v2/internal/suite.go
+++ b/vendor/github.com/onsi/ginkgo/v2/internal/suite.go
@@ -42,6 +42,8 @@ type Suite struct {
 	config            types.SuiteConfig
 	deadline          time.Time
 
+	currentConstructionNodeReport *types.ConstructionNodeReport
+
 	skipAll              bool
 	report               types.Report
 	currentSpecReport    types.SpecReport
@@ -106,13 +108,13 @@ func (suite *Suite) BuildTree() error {
 	return nil
 }
 
-func (suite *Suite) Run(description string, suiteLabels Labels, suiteSemVerConstraints SemVerConstraints, suiteAroundNodes types.AroundNodes, suitePath string, failer *Failer, reporter reporters.Reporter, writer WriterInterface, outputInterceptor OutputInterceptor, interruptHandler interrupt_handler.InterruptHandlerInterface, client parallel_support.Client, progressSignalRegistrar ProgressSignalRegistrar, suiteConfig types.SuiteConfig) (bool, bool) {
+func (suite *Suite) Run(description string, suiteLabels Labels, suiteSemVerConstraints SemVerConstraints, suiteComponentSemVerConstraints ComponentSemVerConstraints, suiteAroundNodes types.AroundNodes, suitePath string, failer *Failer, reporter reporters.Reporter, writer WriterInterface, outputInterceptor OutputInterceptor, interruptHandler interrupt_handler.InterruptHandlerInterface, client parallel_support.Client, progressSignalRegistrar ProgressSignalRegistrar, suiteConfig types.SuiteConfig) (bool, bool) {
 	if suite.phase != PhaseBuildTree {
 		panic("cannot run before building the tree = call suite.BuildTree() first")
 	}
 	ApplyNestedFocusPolicyToTree(suite.tree)
 	specs := GenerateSpecsFromTreeRoot(suite.tree)
-	specs, hasProgrammaticFocus := ApplyFocusToSpecs(specs, description, suiteLabels, suiteSemVerConstraints, suiteConfig)
+	specs, hasProgrammaticFocus := ApplyFocusToSpecs(specs, description, suiteLabels, suiteSemVerConstraints, suiteComponentSemVerConstraints, suiteConfig)
 	specs = ComputeAroundNodes(specs)
 
 	suite.phase = PhaseRun
@@ -131,7 +133,7 @@ func (suite *Suite) Run(description string, suiteLabels Labels, suiteSemVerConst
 
 	cancelProgressHandler := progressSignalRegistrar(suite.handleProgressSignal)
 
-	success := suite.runSpecs(description, suiteLabels, suiteSemVerConstraints, suitePath, hasProgrammaticFocus, specs)
+	success := suite.runSpecs(description, suiteLabels, suiteSemVerConstraints, suiteComponentSemVerConstraints, suitePath, hasProgrammaticFocus, specs)
 
 	cancelProgressHandler()
 
@@ -203,6 +205,17 @@ func (suite *Suite) PushNode(node Node) error {
 						err = types.GinkgoErrors.CaughtPanicDuringABuildPhase(e, node.CodeLocation)
 					}
 				}()
+
+				// Ensure that code running in the body of the container node
+				// has access to information about the current container node(s).
+				// The current one (nil in top-level container nodes, non-nil in an
+				// embedded container node) gets restored when the node is done.
+				oldConstructionNodeReport := suite.currentConstructionNodeReport
+				suite.currentConstructionNodeReport = constructionNodeReportForTreeNode(suite.tree)
+				defer func() {
+					suite.currentConstructionNodeReport = oldConstructionNodeReport
+				}()
+
 				node.Body(nil)
 				return err
 			}()
@@ -332,6 +345,16 @@ func (suite *Suite) By(text string, callback ...func()) error {
 	return nil
 }
 
+func (suite *Suite) CurrentConstructionNodeReport() types.ConstructionNodeReport {
+	suite.selectiveLock.Lock()
+	defer suite.selectiveLock.Unlock()
+	report := suite.currentConstructionNodeReport
+	if report == nil {
+		panic("CurrentConstructionNodeReport may only be called during construction of the spec tree")
+	}
+	return *report
+}
+
 /*
 Spec Running methods - used during PhaseRun
 */
@@ -433,16 +456,17 @@ func (suite *Suite) processCurrentSpecReport() {
 	}
 }
 
-func (suite *Suite) runSpecs(description string, suiteLabels Labels, suiteSemVerConstraints SemVerConstraints, suitePath string, hasProgrammaticFocus bool, specs Specs) bool {
+func (suite *Suite) runSpecs(description string, suiteLabels Labels, suiteSemVerConstraints SemVerConstraints, suiteComponentSemVerConstraints ComponentSemVerConstraints, suitePath string, hasProgrammaticFocus bool, specs Specs) bool {
 	numSpecsThatWillBeRun := specs.CountWithoutSkip()
 
 	suite.report = types.Report{
-		SuitePath:                 suitePath,
-		SuiteDescription:          description,
-		SuiteLabels:               suiteLabels,
-		SuiteSemVerConstraints:    suiteSemVerConstraints,
-		SuiteConfig:               suite.config,
-		SuiteHasProgrammaticFocus: hasProgrammaticFocus,
+		SuitePath:                       suitePath,
+		SuiteDescription:                description,
+		SuiteLabels:                     suiteLabels,
+		SuiteSemVerConstraints:          suiteSemVerConstraints,
+		SuiteComponentSemVerConstraints: suiteComponentSemVerConstraints,
+		SuiteConfig:                     suite.config,
+		SuiteHasProgrammaticFocus:       hasProgrammaticFocus,
 		PreRunStats: types.PreRunStats{
 			TotalSpecs:       len(specs),
 			SpecsThatWillRun: numSpecsThatWillBeRun,
diff --git a/vendor/github.com/onsi/ginkgo/v2/internal/testingtproxy/testing_t_proxy.go b/vendor/github.com/onsi/ginkgo/v2/internal/testingtproxy/testing_t_proxy.go
index 9806e315a6..5704f0fdf9 100644
--- a/vendor/github.com/onsi/ginkgo/v2/internal/testingtproxy/testing_t_proxy.go
+++ b/vendor/github.com/onsi/ginkgo/v2/internal/testingtproxy/testing_t_proxy.go
@@ -27,6 +27,11 @@ type ginkgoWriterInterface interface {
 type ginkgoRecoverFunc func()
 type attachProgressReporterFunc func(func() string) func()
 
+var formatters = map[bool]formatter.Formatter{
+	true:  formatter.NewWithNoColorBool(true),
+	false: formatter.NewWithNoColorBool(false),
+}
+
 func New(writer ginkgoWriterInterface, fail failFunc, skip skipFunc, cleanup cleanupFunc, report reportFunc, addReportEntry addReportEntryFunc, ginkgoRecover ginkgoRecoverFunc, attachProgressReporter attachProgressReporterFunc, randomSeed int64, parallelProcess int, parallelTotal int, noColor bool, offset int) *ginkgoTestingTProxy {
 	return &ginkgoTestingTProxy{
 		fail:                   fail,
@@ -41,7 +46,7 @@ func New(writer ginkgoWriterInterface, fail failFunc, skip skipFunc, cleanup cle
 		randomSeed:             randomSeed,
 		parallelProcess:        parallelProcess,
 		parallelTotal:          parallelTotal,
-		f:                      formatter.NewWithNoColorBool(noColor),
+		f:                      formatters[noColor], //minimize allocations by reusing formatters
 	}
 }
 
diff --git a/vendor/github.com/onsi/ginkgo/v2/reporters/default_reporter.go b/vendor/github.com/onsi/ginkgo/v2/reporters/default_reporter.go
index 8c3714b8ae..ef66b22898 100644
--- a/vendor/github.com/onsi/ginkgo/v2/reporters/default_reporter.go
+++ b/vendor/github.com/onsi/ginkgo/v2/reporters/default_reporter.go
@@ -75,6 +75,9 @@ func (r *DefaultReporter) SuiteWillBegin(report types.Report) {
 		if len(report.SuiteSemVerConstraints) > 0 {
 			r.emit(r.f("{{coral}}[%s]{{/}} ", strings.Join(report.SuiteSemVerConstraints, ", ")))
 		}
+		if len(report.SuiteComponentSemVerConstraints) > 0 {
+			r.emit(r.f("{{coral}}[Components: %s]{{/}} ", formatComponentSemVerConstraintsToString(report.SuiteComponentSemVerConstraints)))
+		}
 		r.emit(r.f("- %d/%d specs ", report.PreRunStats.SpecsThatWillRun, report.PreRunStats.TotalSpecs))
 		if report.SuiteConfig.ParallelTotal > 1 {
 			r.emit(r.f("- %d procs ", report.SuiteConfig.ParallelTotal))
@@ -97,6 +100,13 @@ func (r *DefaultReporter) SuiteWillBegin(report types.Report) {
 				bannerWidth = len(semVerConstraints) + 2
 			}
 		}
+		if len(report.SuiteComponentSemVerConstraints) > 0 {
+			componentSemVerConstraints := formatComponentSemVerConstraintsToString(report.SuiteComponentSemVerConstraints)
+			r.emitBlock(r.f("{{coral}}[Components: %s]{{/}} ", componentSemVerConstraints))
+			if len(componentSemVerConstraints)+2 > bannerWidth {
+				bannerWidth = len(componentSemVerConstraints) + 2
+			}
+		}
 		r.emitBlock(strings.Repeat("=", bannerWidth))
 
 		out := r.f("Random Seed: {{bold}}%d{{/}}", report.SuiteConfig.RandomSeed)
@@ -381,13 +391,22 @@ func (r *DefaultReporter) emitTimeline(indent uint, report types.SpecReport, tim
 	cursor := 0
 	for _, entry := range timeline {
 		tl := entry.GetTimelineLocation()
-		if tl.Offset < len(gw) {
-			r.emit(r.fi(indent, "%s", gw[cursor:tl.Offset]))
-			cursor = tl.Offset
-		} else if cursor < len(gw) {
+
+		end := tl.Offset
+		if end > len(gw) {
+			end = len(gw)
+		}
+		if end < cursor {
+			end = cursor
+		}
+		if cursor < end && cursor <= len(gw) && end <= len(gw) {
+			r.emit(r.fi(indent, "%s", gw[cursor:end]))
+			cursor = end
+		} else if cursor < len(gw) && end == len(gw) {
 			r.emit(r.fi(indent, "%s", gw[cursor:]))
 			cursor = len(gw)
 		}
+
 		switch x := entry.(type) {
 		case types.Failure:
 			if isVeryVerbose {
@@ -404,7 +423,7 @@ func (r *DefaultReporter) emitTimeline(indent uint, report types.SpecReport, tim
 		case types.ReportEntry:
 			r.emitReportEntry(indent, x)
 		case types.ProgressReport:
-			r.emitProgressReport(indent, false, false, x)
+			r.emitProgressReport(indent, false, isVeryVerbose, x)
 		case types.SpecEvent:
 			if isVeryVerbose || !x.IsOnlyVisibleAtVeryVerbose() || r.conf.ShowNodeEvents {
 				r.emitSpecEvent(indent, x, isVeryVerbose)
@@ -716,8 +735,12 @@ func (r *DefaultReporter) cycleJoin(elements []string, joiner string) string {
 }
 
 func (r *DefaultReporter) codeLocationBlock(report types.SpecReport, highlightColor string, veryVerbose bool, usePreciseFailureLocation bool) string {
-	texts, locations, labels, semVerConstraints := []string{}, []types.CodeLocation{}, [][]string{}, [][]string{}
-	texts, locations, labels, semVerConstraints = append(texts, report.ContainerHierarchyTexts...), append(locations, report.ContainerHierarchyLocations...), append(labels, report.ContainerHierarchyLabels...), append(semVerConstraints, report.ContainerHierarchySemVerConstraints...)
+	texts, locations, labels, semVerConstraints, componentSemVerConstraints := []string{}, []types.CodeLocation{}, [][]string{}, [][]string{}, []map[string][]string{}
+	texts = append(texts, report.ContainerHierarchyTexts...)
+	locations = append(locations, report.ContainerHierarchyLocations...)
+	labels = append(labels, report.ContainerHierarchyLabels...)
+	semVerConstraints = append(semVerConstraints, report.ContainerHierarchySemVerConstraints...)
+	componentSemVerConstraints = append(componentSemVerConstraints, report.ContainerHierarchyComponentSemVerConstraints...)
 
 	if report.LeafNodeType.Is(types.NodeTypesForSuiteLevelNodes) {
 		texts = append(texts, r.f("[%s] %s", report.LeafNodeType, report.LeafNodeText))
@@ -726,6 +749,7 @@ func (r *DefaultReporter) codeLocationBlock(report types.SpecReport, highlightCo
 	}
 	labels = append(labels, report.LeafNodeLabels)
 	semVerConstraints = append(semVerConstraints, report.LeafNodeSemVerConstraints)
+	componentSemVerConstraints = append(componentSemVerConstraints, report.LeafNodeComponentSemVerConstraints)
 	locations = append(locations, report.LeafNodeLocation)
 
 	failureLocation := report.Failure.FailureNodeLocation
@@ -740,6 +764,7 @@ func (r *DefaultReporter) codeLocationBlock(report types.SpecReport, highlightCo
 		locations = append([]types.CodeLocation{failureLocation}, locations...)
 		labels = append([][]string{{}}, labels...)
 		semVerConstraints = append([][]string{{}}, semVerConstraints...)
+		componentSemVerConstraints = append([]map[string][]string{{}}, componentSemVerConstraints...)
 		highlightIndex = 0
 	case types.FailureNodeInContainer:
 		i := report.Failure.FailureNodeContainerIndex
@@ -770,6 +795,9 @@ func (r *DefaultReporter) codeLocationBlock(report types.SpecReport, highlightCo
 			if len(semVerConstraints[i]) > 0 {
 				out += r.f(" {{coral}}[%s]{{/}}", strings.Join(semVerConstraints[i], ", "))
 			}
+			if len(componentSemVerConstraints[i]) > 0 {
+				out += r.f(" {{coral}}[%s]{{/}}", formatComponentSemVerConstraintsToString(componentSemVerConstraints[i]))
+			}
 			out += "\n"
 			out += r.fi(uint(i), "{{gray}}%s{{/}}\n", locations[i])
 		}
@@ -797,6 +825,10 @@ func (r *DefaultReporter) codeLocationBlock(report types.SpecReport, highlightCo
 		if len(flattenedSemVerConstraints) > 0 {
 			out += r.f(" {{coral}}[%s]{{/}}", strings.Join(flattenedSemVerConstraints, ", "))
 		}
+		flattenedComponentSemVerConstraints := report.ComponentSemVerConstraints()
+		if len(flattenedComponentSemVerConstraints) > 0 {
+			out += r.f(" {{coral}}[%s]{{/}}", formatComponentSemVerConstraintsToString(flattenedComponentSemVerConstraints))
+		}
 		out += "\n"
 		if usePreciseFailureLocation {
 			out += r.f("{{gray}}%s{{/}}", failureLocation)
diff --git a/vendor/github.com/onsi/ginkgo/v2/reporters/gojson_report.go b/vendor/github.com/onsi/ginkgo/v2/reporters/gojson_report.go
new file mode 100644
index 0000000000..d02fb7a1ae
--- /dev/null
+++ b/vendor/github.com/onsi/ginkgo/v2/reporters/gojson_report.go
@@ -0,0 +1,61 @@
+package reporters
+
+import (
+	"encoding/json"
+	"fmt"
+	"os"
+	"path"
+
+	"github.com/onsi/ginkgo/v2/internal/reporters"
+	"github.com/onsi/ginkgo/v2/types"
+)
+
+// GenerateGoTestJSONReport produces a JSON-formatted in the test2json format used by `go test -json`
+func GenerateGoTestJSONReport(report types.Report, destination string) error {
+	// walk report and generate test2json-compatible objects
+	// JSON-encode the objects into filename
+	if err := os.MkdirAll(path.Dir(destination), 0770); err != nil {
+		return err
+	}
+	f, err := os.Create(destination)
+	if err != nil {
+		return err
+	}
+	defer f.Close()
+	enc := json.NewEncoder(f)
+	r := reporters.NewGoJSONReporter(
+		enc,
+		systemErrForUnstructuredReporters,
+		systemOutForUnstructuredReporters,
+	)
+	return r.Write(report)
+}
+
+// MergeJSONReports produces a single JSON-formatted report at the passed in destination by merging the JSON-formatted reports provided in sources
+// It skips over reports that fail to decode but reports on them via the returned messages []string
+func MergeAndCleanupGoTestJSONReports(sources []string, destination string) ([]string, error) {
+	messages := []string{}
+	if err := os.MkdirAll(path.Dir(destination), 0770); err != nil {
+		return messages, err
+	}
+	f, err := os.Create(destination)
+	if err != nil {
+		return messages, err
+	}
+	defer f.Close()
+
+	for _, source := range sources {
+		data, err := os.ReadFile(source)
+		if err != nil {
+			messages = append(messages, fmt.Sprintf("Could not open %s:\n%s", source, err.Error()))
+			continue
+		}
+		_, err = f.Write(data)
+		if err != nil {
+			messages = append(messages, fmt.Sprintf("Could not write to %s:\n%s", destination, err.Error()))
+			continue
+		}
+		os.Remove(source)
+	}
+	return messages, nil
+}
diff --git a/vendor/github.com/onsi/ginkgo/v2/reporters/junit_report.go b/vendor/github.com/onsi/ginkgo/v2/reporters/junit_report.go
index 828f893fb8..d4720ee949 100644
--- a/vendor/github.com/onsi/ginkgo/v2/reporters/junit_report.go
+++ b/vendor/github.com/onsi/ginkgo/v2/reporters/junit_report.go
@@ -13,9 +13,11 @@ package reporters
 import (
 	"encoding/xml"
 	"fmt"
+	"maps"
 	"os"
 	"path"
 	"regexp"
+	"slices"
 	"strings"
 
 	"github.com/onsi/ginkgo/v2/config"
@@ -39,6 +41,9 @@ type JunitReportConfig struct {
 	// Enable OmitSpecSemVerConstraints to prevent semantic version constraints from appearing in the spec name
 	OmitSpecSemVerConstraints bool
 
+	// Enable OmitSpecComponentSemVerConstraints to prevent component semantic version constraints from appearing in the spec name
+	OmitSpecComponentSemVerConstraints bool
+
 	// Enable OmitLeafNodeType to prevent the spec leaf node type from appearing in the spec name
 	OmitLeafNodeType bool
 
@@ -173,6 +178,7 @@ func GenerateJUnitReportWithConfig(report types.Report, dst string, config Junit
 				{"SpecialSuiteFailureReason", strings.Join(report.SpecialSuiteFailureReasons, ",")},
 				{"SuiteLabels", fmt.Sprintf("[%s]", strings.Join(report.SuiteLabels, ","))},
 				{"SuiteSemVerConstraints", fmt.Sprintf("[%s]", strings.Join(report.SuiteSemVerConstraints, ","))},
+				{"SuiteComponentSemVerConstraints", fmt.Sprintf("[%s]", formatComponentSemVerConstraintsToString(report.SuiteComponentSemVerConstraints))},
 				{"RandomSeed", fmt.Sprintf("%d", report.SuiteConfig.RandomSeed)},
 				{"RandomizeAllSpecs", fmt.Sprintf("%t", report.SuiteConfig.RandomizeAllSpecs)},
 				{"LabelFilter", report.SuiteConfig.LabelFilter},
@@ -216,6 +222,10 @@ func GenerateJUnitReportWithConfig(report types.Report, dst string, config Junit
 		if len(semVerConstraints) > 0 && !config.OmitSpecSemVerConstraints {
 			name = name + " [" + strings.Join(semVerConstraints, ", ") + "]"
 		}
+		componentSemVerConstraints := spec.ComponentSemVerConstraints()
+		if len(componentSemVerConstraints) > 0 && !config.OmitSpecComponentSemVerConstraints {
+			name = name + " [" + formatComponentSemVerConstraintsToString(componentSemVerConstraints) + "]"
+		}
 		name = strings.TrimSpace(name)
 
 		test := JUnitTestCase{
@@ -387,6 +397,16 @@ func systemOutForUnstructuredReporters(spec types.SpecReport) string {
 	return spec.CapturedStdOutErr
 }
 
+func formatComponentSemVerConstraintsToString(componentSemVerConstraints map[string][]string) string {
+	var tmpStr string
+	for _, key := range slices.Sorted(maps.Keys(componentSemVerConstraints)) {
+		tmpStr = tmpStr + fmt.Sprintf("%s: %s, ", key, componentSemVerConstraints[key])
+	}
+
+	tmpStr = strings.TrimSuffix(tmpStr, ", ")
+	return tmpStr
+}
+
 // Deprecated JUnitReporter (so folks can still compile their suites)
 type JUnitReporter struct{}
 
diff --git a/vendor/github.com/onsi/ginkgo/v2/reporters/teamcity_report.go b/vendor/github.com/onsi/ginkgo/v2/reporters/teamcity_report.go
index 55e1d1f4f7..ed3e3a2bb9 100644
--- a/vendor/github.com/onsi/ginkgo/v2/reporters/teamcity_report.go
+++ b/vendor/github.com/onsi/ginkgo/v2/reporters/teamcity_report.go
@@ -39,12 +39,16 @@ func GenerateTeamcityReport(report types.Report, dst string) error {
 	name := report.SuiteDescription
 	labels := report.SuiteLabels
 	semVerConstraints := report.SuiteSemVerConstraints
+	componentSemVerConstraints := report.SuiteComponentSemVerConstraints
 	if len(labels) > 0 {
 		name = name + " [" + strings.Join(labels, ", ") + "]"
 	}
 	if len(semVerConstraints) > 0 {
 		name = name + " [" + strings.Join(semVerConstraints, ", ") + "]"
 	}
+	if len(componentSemVerConstraints) > 0 {
+		name = name + " [" + formatComponentSemVerConstraintsToString(componentSemVerConstraints) + "]"
+	}
 	fmt.Fprintf(f, "##teamcity[testSuiteStarted name='%s']\n", tcEscape(name))
 	for _, spec := range report.SpecReports {
 		name := fmt.Sprintf("[%s]", spec.LeafNodeType)
@@ -59,6 +63,10 @@ func GenerateTeamcityReport(report types.Report, dst string) error {
 		if len(semVerConstraints) > 0 {
 			name = name + " [" + strings.Join(semVerConstraints, ", ") + "]"
 		}
+		componentSemVerConstraints := spec.ComponentSemVerConstraints()
+		if len(componentSemVerConstraints) > 0 {
+			name = name + " [" + formatComponentSemVerConstraintsToString(componentSemVerConstraints) + "]"
+		}
 
 		name = tcEscape(name)
 		fmt.Fprintf(f, "##teamcity[testStarted name='%s']\n", name)
diff --git a/vendor/github.com/onsi/ginkgo/v2/reporting_dsl.go b/vendor/github.com/onsi/ginkgo/v2/reporting_dsl.go
index 5bf2e62e90..4e86dba84d 100644
--- a/vendor/github.com/onsi/ginkgo/v2/reporting_dsl.go
+++ b/vendor/github.com/onsi/ginkgo/v2/reporting_dsl.go
@@ -27,6 +27,8 @@ CurrentSpecReport returns information about the current running spec.
 The returned object is a types.SpecReport which includes helper methods
 to make extracting information about the spec easier.
 
+During construction of the test tree the result is empty.
+
 You can learn more about SpecReport here: https://pkg.go.dev/github.com/onsi/ginkgo/types#SpecReport
 You can learn more about CurrentSpecReport() here: https://onsi.github.io/ginkgo/#getting-a-report-for-the-current-spec
 */
@@ -34,6 +36,31 @@ func CurrentSpecReport() SpecReport {
 	return global.Suite.CurrentSpecReport()
 }
 
+/*
+ConstructionNodeReport describes the container nodes during construction of
+the spec tree. It provides a subset of the information that is provided
+by SpecReport at runtime.
+
+It is documented here: [types.ConstructionNodeReport]
+*/
+type ConstructionNodeReport = types.ConstructionNodeReport
+
+/*
+CurrentConstructionNodeReport returns information about the current container nodes
+that are leading to the current path in the spec tree.
+The returned object is a types.ConstructionNodeReport which includes helper methods
+to make extracting information about the spec easier.
+
+May only be called during construction of the spec tree. It panics when
+called while tests are running. Use CurrentSpecReport instead in that
+phase.
+
+You can learn more about ConstructionNodeReport here: [types.ConstructionNodeReport]
+*/
+func CurrentTreeConstructionNodeReport() ConstructionNodeReport {
+	return global.Suite.CurrentConstructionNodeReport()
+}
+
 /*
 	ReportEntryVisibility governs the visibility of ReportEntries in Ginkgo's console reporter
 
@@ -92,7 +119,7 @@ func ReportBeforeEach(body any, args ...any) bool {
 	combinedArgs := []any{body}
 	combinedArgs = append(combinedArgs, args...)
 
-	return pushNode(internal.NewNode(deprecationTracker, types.NodeTypeReportBeforeEach, "", combinedArgs...))
+	return pushNode(internal.NewNode(internal.TransformNewNodeArgs(exitIfErrors, deprecationTracker, types.NodeTypeReportBeforeEach, "", combinedArgs...)))
 }
 
 /*
@@ -116,7 +143,7 @@ func ReportAfterEach(body any, args ...any) bool {
 	combinedArgs := []any{body}
 	combinedArgs = append(combinedArgs, args...)
 
-	return pushNode(internal.NewNode(deprecationTracker, types.NodeTypeReportAfterEach, "", combinedArgs...))
+	return pushNode(internal.NewNode(internal.TransformNewNodeArgs(exitIfErrors, deprecationTracker, types.NodeTypeReportAfterEach, "", combinedArgs...)))
 }
 
 /*
@@ -145,7 +172,7 @@ You can learn about interruptible nodes here: https://onsi.github.io/ginkgo/#spe
 func ReportBeforeSuite(body any, args ...any) bool {
 	combinedArgs := []any{body}
 	combinedArgs = append(combinedArgs, args...)
-	return pushNode(internal.NewNode(deprecationTracker, types.NodeTypeReportBeforeSuite, "", combinedArgs...))
+	return pushNode(internal.NewNode(internal.TransformNewNodeArgs(exitIfErrors, deprecationTracker, types.NodeTypeReportBeforeSuite, "", combinedArgs...)))
 }
 
 /*
@@ -165,7 +192,7 @@ ReportAfterSuite nodes must be created at the top-level (i.e. not nested in a Co
 When running in parallel, Ginkgo ensures that only one of the parallel nodes runs the ReportAfterSuite and that it is passed a report that is aggregated across
 all parallel nodes
 
-In addition to using ReportAfterSuite to programmatically generate suite reports, you can also generate JSON, JUnit, and Teamcity formatted reports using the --json-report, --junit-report, and --teamcity-report ginkgo CLI flags.
+In addition to using ReportAfterSuite to programmatically generate suite reports, you can also generate JSON, GoJSON, JUnit, and Teamcity formatted reports using the --json-report, --gojson-report, --junit-report, and --teamcity-report ginkgo CLI flags.
 
 You cannot nest any other Ginkgo nodes within a ReportAfterSuite node's closure.
 You can learn more about ReportAfterSuite here: https://onsi.github.io/ginkgo/#generating-reports-programmatically
@@ -177,7 +204,7 @@ You can learn about interruptible nodes here: https://onsi.github.io/ginkgo/#spe
 func ReportAfterSuite(text string, body any, args ...any) bool {
 	combinedArgs := []any{body}
 	combinedArgs = append(combinedArgs, args...)
-	return pushNode(internal.NewNode(deprecationTracker, types.NodeTypeReportAfterSuite, text, combinedArgs...))
+	return pushNode(internal.NewNode(internal.TransformNewNodeArgs(exitIfErrors, deprecationTracker, types.NodeTypeReportAfterSuite, text, combinedArgs...)))
 }
 
 func registerReportAfterSuiteNodeForAutogeneratedReports(reporterConfig types.ReporterConfig) {
@@ -188,6 +215,12 @@ func registerReportAfterSuiteNodeForAutogeneratedReports(reporterConfig types.Re
 				Fail(fmt.Sprintf("Failed to generate JSON report:\n%s", err.Error()))
 			}
 		}
+		if reporterConfig.GoJSONReport != "" {
+			err := reporters.GenerateGoTestJSONReport(report, reporterConfig.GoJSONReport)
+			if err != nil {
+				Fail(fmt.Sprintf("Failed to generate Go JSON report:\n%s", err.Error()))
+			}
+		}
 		if reporterConfig.JUnitReport != "" {
 			err := reporters.GenerateJUnitReport(report, reporterConfig.JUnitReport)
 			if err != nil {
@@ -206,6 +239,9 @@ func registerReportAfterSuiteNodeForAutogeneratedReports(reporterConfig types.Re
 	if reporterConfig.JSONReport != "" {
 		flags = append(flags, "--json-report")
 	}
+	if reporterConfig.GoJSONReport != "" {
+		flags = append(flags, "--gojson-report")
+	}
 	if reporterConfig.JUnitReport != "" {
 		flags = append(flags, "--junit-report")
 	}
@@ -213,9 +249,11 @@ func registerReportAfterSuiteNodeForAutogeneratedReports(reporterConfig types.Re
 		flags = append(flags, "--teamcity-report")
 	}
 	pushNode(internal.NewNode(
-		deprecationTracker, types.NodeTypeReportAfterSuite,
-		fmt.Sprintf("Autogenerated ReportAfterSuite for %s", strings.Join(flags, " ")),
-		body,
-		types.NewCustomCodeLocation("autogenerated by Ginkgo"),
+		internal.TransformNewNodeArgs(
+			exitIfErrors, deprecationTracker, types.NodeTypeReportAfterSuite,
+			fmt.Sprintf("Autogenerated ReportAfterSuite for %s", strings.Join(flags, " ")),
+			body,
+			types.NewCustomCodeLocation("autogenerated by Ginkgo"),
+		),
 	))
 }
diff --git a/vendor/github.com/onsi/ginkgo/v2/table_dsl.go b/vendor/github.com/onsi/ginkgo/v2/table_dsl.go
index b9e0ca9ef7..1031aa8554 100644
--- a/vendor/github.com/onsi/ginkgo/v2/table_dsl.go
+++ b/vendor/github.com/onsi/ginkgo/v2/table_dsl.go
@@ -309,11 +309,11 @@ func generateTable(description string, isSubtree bool, args ...any) {
 				internalNodeType = types.NodeTypeContainer
 			}
 
-			pushNode(internal.NewNode(deprecationTracker, internalNodeType, description, internalNodeArgs...))
+			pushNode(internal.NewNode(internal.TransformNewNodeArgs(exitIfErrors, deprecationTracker, internalNodeType, description, internalNodeArgs...)))
 		}
 	})
 
-	pushNode(internal.NewNode(deprecationTracker, types.NodeTypeContainer, description, containerNodeArgs...))
+	pushNode(internal.NewNode(internal.TransformNewNodeArgs(exitIfErrors, deprecationTracker, types.NodeTypeContainer, description, containerNodeArgs...)))
 }
 
 func invokeFunction(function any, parameters []any) []reflect.Value {
diff --git a/vendor/github.com/onsi/ginkgo/v2/types/config.go b/vendor/github.com/onsi/ginkgo/v2/types/config.go
index b99a9e15e9..f847036046 100644
--- a/vendor/github.com/onsi/ginkgo/v2/types/config.go
+++ b/vendor/github.com/onsi/ginkgo/v2/types/config.go
@@ -96,6 +96,7 @@ type ReporterConfig struct {
 	ForceNewlines  bool
 
 	JSONReport     string
+	GoJSONReport   string
 	JUnitReport    string
 	TeamcityReport string
 }
@@ -112,7 +113,7 @@ func (rc ReporterConfig) Verbosity() VerbosityLevel {
 }
 
 func (rc ReporterConfig) WillGenerateReport() bool {
-	return rc.JSONReport != "" || rc.JUnitReport != "" || rc.TeamcityReport != ""
+	return rc.JSONReport != "" || rc.GoJSONReport != "" || rc.JUnitReport != "" || rc.TeamcityReport != ""
 }
 
 func NewDefaultReporterConfig() ReporterConfig {
@@ -359,6 +360,8 @@ var ReporterConfigFlags = GinkgoFlags{
 
 	{KeyPath: "R.JSONReport", Name: "json-report", UsageArgument: "filename.json", SectionKey: "output",
 		Usage: "If set, Ginkgo will generate a JSON-formatted test report at the specified location."},
+	{KeyPath: "R.GoJSONReport", Name: "gojson-report", UsageArgument: "filename.json", SectionKey: "output",
+		Usage: "If set, Ginkgo will generate a Go JSON-formatted test report at the specified location."},
 	{KeyPath: "R.JUnitReport", Name: "junit-report", UsageArgument: "filename.xml", SectionKey: "output", DeprecatedName: "reportFile", DeprecatedDocLink: "improved-reporting-infrastructure",
 		Usage: "If set, Ginkgo will generate a conformant junit test report in the specified file."},
 	{KeyPath: "R.TeamcityReport", Name: "teamcity-report", UsageArgument: "filename", SectionKey: "output",
diff --git a/vendor/github.com/onsi/ginkgo/v2/types/errors.go b/vendor/github.com/onsi/ginkgo/v2/types/errors.go
index 59313238cf..623e54b66e 100644
--- a/vendor/github.com/onsi/ginkgo/v2/types/errors.go
+++ b/vendor/github.com/onsi/ginkgo/v2/types/errors.go
@@ -450,6 +450,15 @@ func (g ginkgoErrors) InvalidEmptySemVerConstraint(cl CodeLocation) error {
 	}
 }
 
+func (g ginkgoErrors) InvalidEmptyComponentForSemVerConstraint(cl CodeLocation) error {
+	return GinkgoError{
+		Heading:      "Invalid Empty Component for ComponentSemVerConstraint",
+		Message:      "ComponentSemVerConstraint requires a non-empty component name",
+		CodeLocation: cl,
+		DocLink: "spec-semantic-version-filtering",
+	}
+}
+
 /* Table errors */
 func (g ginkgoErrors) MultipleEntryBodyFunctionsForTable(cl CodeLocation) error {
 	return GinkgoError{
diff --git a/vendor/github.com/onsi/ginkgo/v2/types/semver_filter.go b/vendor/github.com/onsi/ginkgo/v2/types/semver_filter.go
index 3fc2ed144b..71778078da 100644
--- a/vendor/github.com/onsi/ginkgo/v2/types/semver_filter.go
+++ b/vendor/github.com/onsi/ginkgo/v2/types/semver_filter.go
@@ -2,11 +2,12 @@ package types
 
 import (
 	"fmt"
+	"strings"
 
 	"github.com/Masterminds/semver/v3"
 )
 
-type SemVerFilter func([]string) bool
+type SemVerFilter func(component string, constraints []string) bool
 
 func MustParseSemVerFilter(input string) SemVerFilter {
 	filter, err := ParseSemVerFilter(input)
@@ -16,30 +17,90 @@ func MustParseSemVerFilter(input string) SemVerFilter {
 	return filter
 }
 
-func ParseSemVerFilter(filterVersion string) (SemVerFilter, error) {
-	if filterVersion == "" {
-		return func(_ []string) bool { return true }, nil
+// ParseSemVerFilter parses non-component and component-specific semantic version filter string.
+// The filter string can contain multiple non-component and component-specific versions separated by commas.
+// Each component-specific version is in the format "component=version".
+// If a version is specified without a component, it applies to non-component-specific constraints.
+func ParseSemVerFilter(componentFilterVersions string) (SemVerFilter, error) {
+	if componentFilterVersions == "" {
+		return func(_ string, _ []string) bool { return true }, nil
 	}
 
-	targetVersion, err := semver.NewVersion(filterVersion)
-	if err != nil {
-		return nil, fmt.Errorf("invalid filter version: %w", err)
+	result := map[string]*semver.Version{}
+	parts := strings.Split(componentFilterVersions, ",")
+	for _, part := range parts {
+		part = strings.TrimSpace(part)
+		if len(part) == 0 {
+			continue
+		}
+		if strings.Contains(part, "=") {
+			// validate component-specific version string
+			invalidPart, invalidErr := false, fmt.Errorf("invalid component filter version: %s", part)
+			subParts := strings.Split(part, "=")
+			if len(subParts) != 2 {
+				invalidPart = true
+			}
+			component := strings.TrimSpace(subParts[0])
+			versionStr := strings.TrimSpace(subParts[1])
+			if len(component) == 0 || len(versionStr) == 0 {
+				invalidPart = true
+			}
+			if invalidPart {
+				return nil, invalidErr
+			}
+
+			// validate semver
+			v, err := semver.NewVersion(versionStr)
+			if err != nil {
+				return nil, fmt.Errorf("invalid component filter version: %s, error: %w", part, err)
+			}
+			result[component] = v
+		} else {
+			v, err := semver.NewVersion(part)
+			if err != nil {
+				return nil, fmt.Errorf("invalid filter version: %s, error: %w", part, err)
+			}
+			result[""] = v
+		}
 	}
 
-	return func(constraints []string) bool {
+	return func(component string, constraints []string) bool {
 		// unconstrained specs always run
-		if len(constraints) == 0 {
+		if len(component) == 0 && len(constraints) == 0 {
 			return true
 		}
 
-		for _, constraintStr := range constraints {
-			constraint, err := semver.NewConstraint(constraintStr)
-			if err != nil {
-				return false
+		// check non-component specific version constraints
+		if len(component) == 0 && len(constraints) != 0 {
+			v := result[""]
+			if v != nil {
+				for _, constraintStr := range constraints {
+					constraint, err := semver.NewConstraint(constraintStr)
+					if err != nil {
+						return false
+					}
+
+					if !constraint.Check(v) {
+						return false
+					}
+				}
 			}
+		}
+
+		// check component-specific version constraints
+		if len(component) != 0 && len(constraints) != 0 {
+			v := result[component]
+			if v != nil {
+				for _, constraintStr := range constraints {
+					constraint, err := semver.NewConstraint(constraintStr)
+					if err != nil {
+						return false
+					}
 
-			if !constraint.Check(targetVersion) {
-				return false
+					if !constraint.Check(v) {
+						return false
+					}
+				}
 			}
 		}
 
diff --git a/vendor/github.com/onsi/ginkgo/v2/types/types.go b/vendor/github.com/onsi/ginkgo/v2/types/types.go
index b8e864a5d2..2401505120 100644
--- a/vendor/github.com/onsi/ginkgo/v2/types/types.go
+++ b/vendor/github.com/onsi/ginkgo/v2/types/types.go
@@ -20,6 +20,61 @@ func init() {
 	}
 }
 
+// ConstructionNodeReport captures information about a Ginkgo spec.
+type ConstructionNodeReport struct {
+	// ContainerHierarchyTexts is a slice containing the text strings of
+	// all Describe/Context/When containers in this spec's hierarchy.
+	ContainerHierarchyTexts []string
+
+	// ContainerHierarchyLocations is a slice containing the CodeLocations of
+	// all Describe/Context/When containers in this spec's hierarchy.
+	ContainerHierarchyLocations []CodeLocation
+
+	// ContainerHierarchyLabels is a slice containing the labels of
+	// all Describe/Context/When containers in this spec's hierarchy
+	ContainerHierarchyLabels [][]string
+
+	// ContainerHierarchySemVerConstraints is a slice containing the semVerConstraints of
+	// all Describe/Context/When containers in this spec's hierarchy
+	ContainerHierarchySemVerConstraints [][]string
+
+	// ContainerHierarchyComponentSemVerConstraints is a slice containing the component-specific semVerConstraints of
+	// all Describe/Context/When containers in this spec's hierarchy
+	ContainerHierarchyComponentSemVerConstraints []map[string][]string
+
+	// IsSerial captures whether the any container has the Serial decorator
+	IsSerial bool
+
+	// IsInOrderedContainer captures whether any container is an Ordered container
+	IsInOrderedContainer bool
+}
+
+// FullText returns a concatenation of all the report.ContainerHierarchyTexts and report.LeafNodeText
+func (report ConstructionNodeReport) FullText() string {
+	texts := []string{}
+	texts = append(texts, report.ContainerHierarchyTexts...)
+	texts = slices.DeleteFunc(texts, func(t string) bool {
+		return t == ""
+	})
+	return strings.Join(texts, " ")
+}
+
+// Labels returns a deduped set of all the spec's Labels.
+func (report ConstructionNodeReport) Labels() []string {
+	out := []string{}
+	seen := map[string]bool{}
+	for _, labels := range report.ContainerHierarchyLabels {
+		for _, label := range labels {
+			if !seen[label] {
+				seen[label] = true
+				out = append(out, label)
+			}
+		}
+	}
+
+	return out
+}
+
 // Report captures information about a Ginkgo test run
 type Report struct {
 	//SuitePath captures the absolute path to the test suite
@@ -34,6 +89,9 @@ type Report struct {
 	//SuiteSemVerConstraints captures any semVerConstraints attached to the suite by the DSL's RunSpecs() function
 	SuiteSemVerConstraints []string
 
+	//SuiteComponentSemVerConstraints captures any component-specific semVerConstraints attached to the suite by the DSL's RunSpecs() function
+	SuiteComponentSemVerConstraints map[string][]string
+
 	//SuiteSucceeded captures the success or failure status of the test run
 	//If true, the test run is considered successful.
 	//If false, the test run is considered unsuccessful
@@ -137,14 +195,22 @@ type SpecReport struct {
 	// all Describe/Context/When containers in this spec's hierarchy
 	ContainerHierarchySemVerConstraints [][]string
 
+	// ContainerHierarchyComponentSemVerConstraints is a slice containing the component-specific semVerConstraints of
+	// all Describe/Context/When containers in this spec's hierarchy
+	ContainerHierarchyComponentSemVerConstraints []map[string][]string
+
 	// LeafNodeType, LeafNodeLocation, LeafNodeLabels, LeafNodeSemVerConstraints and LeafNodeText capture the NodeType, CodeLocation, and text
 	// of the Ginkgo node being tested (typically an NodeTypeIt node, though this can also be
 	// one of the NodeTypesForSuiteLevelNodes node types)
-	LeafNodeType              NodeType
-	LeafNodeLocation          CodeLocation
-	LeafNodeLabels            []string
-	LeafNodeSemVerConstraints []string
-	LeafNodeText              string
+	LeafNodeType                       NodeType
+	LeafNodeLocation                   CodeLocation
+	LeafNodeLabels                     []string
+	LeafNodeSemVerConstraints          []string
+	LeafNodeComponentSemVerConstraints map[string][]string
+	LeafNodeText                       string
+
+	// Captures the Spec Priority
+	SpecPriority int
 
 	// State captures whether the spec has passed, failed, etc.
 	State SpecState
@@ -207,52 +273,54 @@ type SpecReport struct {
 func (report SpecReport) MarshalJSON() ([]byte, error) {
 	//All this to avoid emitting an empty Failure struct in the JSON
 	out := struct {
-		ContainerHierarchyTexts             []string
-		ContainerHierarchyLocations         []CodeLocation
-		ContainerHierarchyLabels            [][]string
-		ContainerHierarchySemVerConstraints [][]string
-		LeafNodeType                        NodeType
-		LeafNodeLocation                    CodeLocation
-		LeafNodeLabels                      []string
-		LeafNodeSemVerConstraints           []string
-		LeafNodeText                        string
-		State                               SpecState
-		StartTime                           time.Time
-		EndTime                             time.Time
-		RunTime                             time.Duration
-		ParallelProcess                     int
-		Failure                             *Failure `json:",omitempty"`
-		NumAttempts                         int
-		MaxFlakeAttempts                    int
-		MaxMustPassRepeatedly               int
-		CapturedGinkgoWriterOutput          string              `json:",omitempty"`
-		CapturedStdOutErr                   string              `json:",omitempty"`
-		ReportEntries                       ReportEntries       `json:",omitempty"`
-		ProgressReports                     []ProgressReport    `json:",omitempty"`
-		AdditionalFailures                  []AdditionalFailure `json:",omitempty"`
-		SpecEvents                          SpecEvents          `json:",omitempty"`
+		ContainerHierarchyTexts                      []string
+		ContainerHierarchyLocations                  []CodeLocation
+		ContainerHierarchyLabels                     [][]string
+		ContainerHierarchySemVerConstraints          [][]string
+		ContainerHierarchyComponentSemVerConstraints []map[string][]string
+		LeafNodeType                                 NodeType
+		LeafNodeLocation                             CodeLocation
+		LeafNodeLabels                               []string
+		LeafNodeSemVerConstraints                    []string
+		LeafNodeText                                 string
+		State                                        SpecState
+		StartTime                                    time.Time
+		EndTime                                      time.Time
+		RunTime                                      time.Duration
+		ParallelProcess                              int
+		Failure                                      *Failure `json:",omitempty"`
+		NumAttempts                                  int
+		MaxFlakeAttempts                             int
+		MaxMustPassRepeatedly                        int
+		CapturedGinkgoWriterOutput                   string              `json:",omitempty"`
+		CapturedStdOutErr                            string              `json:",omitempty"`
+		ReportEntries                                ReportEntries       `json:",omitempty"`
+		ProgressReports                              []ProgressReport    `json:",omitempty"`
+		AdditionalFailures                           []AdditionalFailure `json:",omitempty"`
+		SpecEvents                                   SpecEvents          `json:",omitempty"`
 	}{
-		ContainerHierarchyTexts:             report.ContainerHierarchyTexts,
-		ContainerHierarchyLocations:         report.ContainerHierarchyLocations,
-		ContainerHierarchyLabels:            report.ContainerHierarchyLabels,
-		ContainerHierarchySemVerConstraints: report.ContainerHierarchySemVerConstraints,
-		LeafNodeType:                        report.LeafNodeType,
-		LeafNodeLocation:                    report.LeafNodeLocation,
-		LeafNodeLabels:                      report.LeafNodeLabels,
-		LeafNodeSemVerConstraints:           report.LeafNodeSemVerConstraints,
-		LeafNodeText:                        report.LeafNodeText,
-		State:                               report.State,
-		StartTime:                           report.StartTime,
-		EndTime:                             report.EndTime,
-		RunTime:                             report.RunTime,
-		ParallelProcess:                     report.ParallelProcess,
-		Failure:                             nil,
-		ReportEntries:                       nil,
-		NumAttempts:                         report.NumAttempts,
-		MaxFlakeAttempts:                    report.MaxFlakeAttempts,
-		MaxMustPassRepeatedly:               report.MaxMustPassRepeatedly,
-		CapturedGinkgoWriterOutput:          report.CapturedGinkgoWriterOutput,
-		CapturedStdOutErr:                   report.CapturedStdOutErr,
+		ContainerHierarchyTexts:                      report.ContainerHierarchyTexts,
+		ContainerHierarchyLocations:                  report.ContainerHierarchyLocations,
+		ContainerHierarchyLabels:                     report.ContainerHierarchyLabels,
+		ContainerHierarchySemVerConstraints:          report.ContainerHierarchySemVerConstraints,
+		ContainerHierarchyComponentSemVerConstraints: report.ContainerHierarchyComponentSemVerConstraints,
+		LeafNodeType:                                 report.LeafNodeType,
+		LeafNodeLocation:                             report.LeafNodeLocation,
+		LeafNodeLabels:                               report.LeafNodeLabels,
+		LeafNodeSemVerConstraints:                    report.LeafNodeSemVerConstraints,
+		LeafNodeText:                                 report.LeafNodeText,
+		State:                                        report.State,
+		StartTime:                                    report.StartTime,
+		EndTime:                                      report.EndTime,
+		RunTime:                                      report.RunTime,
+		ParallelProcess:                              report.ParallelProcess,
+		Failure:                                      nil,
+		ReportEntries:                                nil,
+		NumAttempts:                                  report.NumAttempts,
+		MaxFlakeAttempts:                             report.MaxFlakeAttempts,
+		MaxMustPassRepeatedly:                        report.MaxMustPassRepeatedly,
+		CapturedGinkgoWriterOutput:                   report.CapturedGinkgoWriterOutput,
+		CapturedStdOutErr:                            report.CapturedStdOutErr,
 	}
 
 	if !report.Failure.IsZero() {
@@ -350,6 +418,34 @@ func (report SpecReport) SemVerConstraints() []string {
 	return out
 }
 
+// ComponentSemVerConstraints returns a deduped map of all the spec's component-specific SemVerConstraints.
+func (report SpecReport) ComponentSemVerConstraints() map[string][]string {
+	out := map[string][]string{}
+	seen := map[string]bool{}
+	for _, compSemVerConstraints := range report.ContainerHierarchyComponentSemVerConstraints {
+		for component := range compSemVerConstraints {
+			if !seen[component] {
+				seen[component] = true
+				out[component] = compSemVerConstraints[component]
+			} else {
+				out[component] = append(out[component], compSemVerConstraints[component]...)
+				out[component] = slices.Compact(out[component])
+			}
+		}
+	}
+	for component := range report.LeafNodeComponentSemVerConstraints {
+		if !seen[component] {
+			seen[component] = true
+			out[component] = report.LeafNodeComponentSemVerConstraints[component]
+		} else {
+			out[component] = append(out[component], report.LeafNodeComponentSemVerConstraints[component]...)
+			out[component] = slices.Compact(out[component])
+		}
+	}
+
+	return out
+}
+
 // MatchesLabelFilter returns true if the spec satisfies the passed in label filter query
 func (report SpecReport) MatchesLabelFilter(query string) (bool, error) {
 	filter, err := ParseLabelFilter(query)
@@ -365,7 +461,22 @@ func (report SpecReport) MatchesSemVerFilter(version string) (bool, error) {
 	if err != nil {
 		return false, err
 	}
-	return filter(report.SemVerConstraints()), nil
+
+	semVerConstraints := report.SemVerConstraints()
+	if len(semVerConstraints) != 0 && filter("", report.SemVerConstraints()) == false {
+		return false, nil
+	}
+
+	componentSemVerConstraints := report.ComponentSemVerConstraints()
+	if len(componentSemVerConstraints) != 0 {
+		for component, constraints := range componentSemVerConstraints {
+			if filter(component, constraints) == false {
+				return false, nil
+			}
+		}
+	}
+
+	return true, nil
 }
 
 // FileName() returns the name of the file containing the spec
diff --git a/vendor/github.com/onsi/ginkgo/v2/types/version.go b/vendor/github.com/onsi/ginkgo/v2/types/version.go
index 6aca6efa81..f872c59cd5 100644
--- a/vendor/github.com/onsi/ginkgo/v2/types/version.go
+++ b/vendor/github.com/onsi/ginkgo/v2/types/version.go
@@ -1,3 +1,3 @@
 package types
 
-const VERSION = "2.25.3"
+const VERSION = "2.28.0"
diff --git a/vendor/github.com/onsi/gomega/CHANGELOG.md b/vendor/github.com/onsi/gomega/CHANGELOG.md
index b7d7309f3f..91e65521b4 100644
--- a/vendor/github.com/onsi/gomega/CHANGELOG.md
+++ b/vendor/github.com/onsi/gomega/CHANGELOG.md
@@ -1,3 +1,18 @@
+## 1.39.1
+
+Update all dependencies.  This auto-updated the required version of Go to 1.24, consistent with the fact that Go 1.23 has been out of support for almost six months.
+
+## 1.39.0
+
+### Features
+
+Add `MatchErrorStrictly` which only passes if `errors.Is(actual, expected)` returns true.  `MatchError`, by contrast, will fallback to string comparison.
+
+## 1.38.3
+
+### Fixes
+make string formatitng more consistent for users who use format.Object directly
+
 ## 1.38.2
 
 - roll back to go 1.23.0 [c404969]
diff --git a/vendor/github.com/onsi/gomega/format/format.go b/vendor/github.com/onsi/gomega/format/format.go
index 96f04b2104..6c23ba338b 100644
--- a/vendor/github.com/onsi/gomega/format/format.go
+++ b/vendor/github.com/onsi/gomega/format/format.go
@@ -262,7 +262,7 @@ func Object(object any, indentation uint) string {
 	if err, ok := object.(error); ok && !isNilValue(value) { // isNilValue check needed here to avoid nil deref due to boxed nil
 		commonRepresentation += "\n" + IndentString(err.Error(), indentation) + "\n" + indent
 	}
-	return fmt.Sprintf("%s<%s>: %s%s", indent, formatType(value), commonRepresentation, formatValue(value, indentation))
+	return fmt.Sprintf("%s<%s>: %s%s", indent, formatType(value), commonRepresentation, formatValue(value, indentation, true))
 }
 
 /*
@@ -306,7 +306,7 @@ func formatType(v reflect.Value) string {
 	}
 }
 
-func formatValue(value reflect.Value, indentation uint) string {
+func formatValue(value reflect.Value, indentation uint, isTopLevel bool) string {
 	if indentation > MaxDepth {
 		return "..."
 	}
@@ -367,11 +367,11 @@ func formatValue(value reflect.Value, indentation uint) string {
 	case reflect.Func:
 		return fmt.Sprintf("0x%x", value.Pointer())
 	case reflect.Ptr:
-		return formatValue(value.Elem(), indentation)
+		return formatValue(value.Elem(), indentation, isTopLevel)
 	case reflect.Slice:
 		return truncateLongStrings(formatSlice(value, indentation))
 	case reflect.String:
-		return truncateLongStrings(formatString(value.String(), indentation))
+		return truncateLongStrings(formatString(value.String(), indentation, isTopLevel))
 	case reflect.Array:
 		return truncateLongStrings(formatSlice(value, indentation))
 	case reflect.Map:
@@ -392,8 +392,8 @@ func formatValue(value reflect.Value, indentation uint) string {
 	}
 }
 
-func formatString(object any, indentation uint) string {
-	if indentation == 1 {
+func formatString(object any, indentation uint, isTopLevel bool) string {
+	if isTopLevel {
 		s := fmt.Sprintf("%s", object)
 		components := strings.Split(s, "\n")
 		result := ""
@@ -416,14 +416,14 @@ func formatString(object any, indentation uint) string {
 
 func formatSlice(v reflect.Value, indentation uint) string {
 	if v.Kind() == reflect.Slice && v.Type().Elem().Kind() == reflect.Uint8 && isPrintableString(string(v.Bytes())) {
-		return formatString(v.Bytes(), indentation)
+		return formatString(v.Bytes(), indentation, false)
 	}
 
 	l := v.Len()
 	result := make([]string, l)
 	longest := 0
-	for i := 0; i < l; i++ {
-		result[i] = formatValue(v.Index(i), indentation+1)
+	for i := range l {
+		result[i] = formatValue(v.Index(i), indentation+1, false)
 		if len(result[i]) > longest {
 			longest = len(result[i])
 		}
@@ -443,7 +443,7 @@ func formatMap(v reflect.Value, indentation uint) string {
 	longest := 0
 	for i, key := range v.MapKeys() {
 		value := v.MapIndex(key)
-		result[i] = fmt.Sprintf("%s: %s", formatValue(key, indentation+1), formatValue(value, indentation+1))
+		result[i] = fmt.Sprintf("%s: %s", formatValue(key, indentation+1, false), formatValue(value, indentation+1, false))
 		if len(result[i]) > longest {
 			longest = len(result[i])
 		}
@@ -462,10 +462,10 @@ func formatStruct(v reflect.Value, indentation uint) string {
 	l := v.NumField()
 	result := []string{}
 	longest := 0
-	for i := 0; i < l; i++ {
+	for i := range l {
 		structField := t.Field(i)
 		fieldEntry := v.Field(i)
-		representation := fmt.Sprintf("%s: %s", structField.Name, formatValue(fieldEntry, indentation+1))
+		representation := fmt.Sprintf("%s: %s", structField.Name, formatValue(fieldEntry, indentation+1, false))
 		result = append(result, representation)
 		if len(representation) > longest {
 			longest = len(representation)
@@ -479,7 +479,7 @@ func formatStruct(v reflect.Value, indentation uint) string {
 }
 
 func formatInterface(v reflect.Value, indentation uint) string {
-	return fmt.Sprintf("<%s>%s", formatType(v.Elem()), formatValue(v.Elem(), indentation))
+	return fmt.Sprintf("<%s>%s", formatType(v.Elem()), formatValue(v.Elem(), indentation, false))
 }
 
 func isNilValue(a reflect.Value) bool {
diff --git a/vendor/github.com/onsi/gomega/gomega_dsl.go b/vendor/github.com/onsi/gomega/gomega_dsl.go
index fdba34ee9d..87c70692bf 100644
--- a/vendor/github.com/onsi/gomega/gomega_dsl.go
+++ b/vendor/github.com/onsi/gomega/gomega_dsl.go
@@ -22,7 +22,7 @@ import (
 	"github.com/onsi/gomega/types"
 )
 
-const GOMEGA_VERSION = "1.38.2"
+const GOMEGA_VERSION = "1.39.1"
 
 const nilGomegaPanic = `You are trying to make an assertion, but haven't registered Gomega's fail handler.
 If you're using Ginkgo then you probably forgot to put your assertion in an It().
diff --git a/vendor/github.com/onsi/gomega/matchers.go b/vendor/github.com/onsi/gomega/matchers.go
index 10b6693fd6..16ca8f46dc 100644
--- a/vendor/github.com/onsi/gomega/matchers.go
+++ b/vendor/github.com/onsi/gomega/matchers.go
@@ -146,6 +146,24 @@ func MatchError(expected any, functionErrorDescription ...any) types.GomegaMatch
 	}
 }
 
+// MatchErrorStrictly succeeds iff actual is a non-nil error that matches the passed in
+// expected error according to errors.Is(actual, expected).
+//
+// This behavior differs from MatchError where
+//
+//	Expect(errors.New("some error")).To(MatchError(errors.New("some error")))
+//
+// succeeds, but errors.Is would return false so:
+//
+//	Expect(errors.New("some error")).To(MatchErrorStrictly(errors.New("some error")))
+//
+// fails.
+func MatchErrorStrictly(expected error) types.GomegaMatcher {
+	return &matchers.MatchErrorStrictlyMatcher{
+		Expected: expected,
+	}
+}
+
 // BeClosed succeeds if actual is a closed channel.
 // It is an error to pass a non-channel to BeClosed, it is also an error to pass nil
 //
@@ -515,8 +533,8 @@ func HaveExistingField(field string) types.GomegaMatcher {
 // and even interface values.
 //
 //	actual := 42
-//	Expect(actual).To(HaveValue(42))
-//	Expect(&actual).To(HaveValue(42))
+//	Expect(actual).To(HaveValue(Equal(42)))
+//	Expect(&actual).To(HaveValue(Equal(42)))
 func HaveValue(matcher types.GomegaMatcher) types.GomegaMatcher {
 	return &matchers.HaveValueMatcher{
 		Matcher: matcher,
diff --git a/vendor/github.com/onsi/gomega/matchers/have_key_matcher.go b/vendor/github.com/onsi/gomega/matchers/have_key_matcher.go
index 9e16dcf5d6..16630c18e3 100644
--- a/vendor/github.com/onsi/gomega/matchers/have_key_matcher.go
+++ b/vendor/github.com/onsi/gomega/matchers/have_key_matcher.go
@@ -39,7 +39,7 @@ func (matcher *HaveKeyMatcher) Match(actual any) (success bool, err error) {
 	}
 
 	keys := reflect.ValueOf(actual).MapKeys()
-	for i := 0; i < len(keys); i++ {
+	for i := range keys {
 		success, err := keyMatcher.Match(keys[i].Interface())
 		if err != nil {
 			return false, fmt.Errorf("HaveKey's key matcher failed with:\n%s%s", format.Indent, err.Error())
diff --git a/vendor/github.com/onsi/gomega/matchers/have_key_with_value_matcher.go b/vendor/github.com/onsi/gomega/matchers/have_key_with_value_matcher.go
index 1c53f1e56a..0cd7081532 100644
--- a/vendor/github.com/onsi/gomega/matchers/have_key_with_value_matcher.go
+++ b/vendor/github.com/onsi/gomega/matchers/have_key_with_value_matcher.go
@@ -52,7 +52,7 @@ func (matcher *HaveKeyWithValueMatcher) Match(actual any) (success bool, err err
 	}
 
 	keys := reflect.ValueOf(actual).MapKeys()
-	for i := 0; i < len(keys); i++ {
+	for i := range keys {
 		success, err := keyMatcher.Match(keys[i].Interface())
 		if err != nil {
 			return false, fmt.Errorf("HaveKeyWithValue's key matcher failed with:\n%s%s", format.Indent, err.Error())
diff --git a/vendor/github.com/onsi/gomega/matchers/match_error_strictly_matcher.go b/vendor/github.com/onsi/gomega/matchers/match_error_strictly_matcher.go
new file mode 100644
index 0000000000..63969b2663
--- /dev/null
+++ b/vendor/github.com/onsi/gomega/matchers/match_error_strictly_matcher.go
@@ -0,0 +1,39 @@
+package matchers
+
+import (
+	"errors"
+	"fmt"
+
+	"github.com/onsi/gomega/format"
+)
+
+type MatchErrorStrictlyMatcher struct {
+	Expected error
+}
+
+func (matcher *MatchErrorStrictlyMatcher) Match(actual any) (success bool, err error) {
+
+	if isNil(matcher.Expected) {
+		return false, fmt.Errorf("Expected error is nil, use \"ToNot(HaveOccurred())\" to explicitly check for nil errors")
+	}
+
+	if isNil(actual) {
+		return false, fmt.Errorf("Expected an error, got nil")
+	}
+
+	if !isError(actual) {
+		return false, fmt.Errorf("Expected an error.  Got:\n%s", format.Object(actual, 1))
+	}
+
+	actualErr := actual.(error)
+
+	return errors.Is(actualErr, matcher.Expected), nil
+}
+
+func (matcher *MatchErrorStrictlyMatcher) FailureMessage(actual any) (message string) {
+	return format.Message(actual, "to match error", matcher.Expected)
+}
+
+func (matcher *MatchErrorStrictlyMatcher) NegatedFailureMessage(actual any) (message string) {
+	return format.Message(actual, "not to match error", matcher.Expected)
+}
diff --git a/vendor/github.com/onsi/gomega/matchers/support/goraph/edge/edge.go b/vendor/github.com/onsi/gomega/matchers/support/goraph/edge/edge.go
index 8c38411b28..72edba20f7 100644
--- a/vendor/github.com/onsi/gomega/matchers/support/goraph/edge/edge.go
+++ b/vendor/github.com/onsi/gomega/matchers/support/goraph/edge/edge.go
@@ -1,6 +1,9 @@
 package edge
 
-import . "github.com/onsi/gomega/matchers/support/goraph/node"
+import (
+	. "github.com/onsi/gomega/matchers/support/goraph/node"
+	"slices"
+)
 
 type Edge struct {
 	Node1 int
@@ -20,13 +23,7 @@ func (ec EdgeSet) Free(node Node) bool {
 }
 
 func (ec EdgeSet) Contains(edge Edge) bool {
-	for _, e := range ec {
-		if e == edge {
-			return true
-		}
-	}
-
-	return false
+	return slices.Contains(ec, edge)
 }
 
 func (ec EdgeSet) FindByNodes(node1, node2 Node) (Edge, bool) {
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/label/label.go b/vendor/github.com/opencontainers/selinux/go-selinux/label/label.go
index 07e0f77dc2..884a8b8059 100644
--- a/vendor/github.com/opencontainers/selinux/go-selinux/label/label.go
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/label/label.go
@@ -6,78 +6,11 @@ import (
 	"github.com/opencontainers/selinux/go-selinux"
 )
 
-// Deprecated: use selinux.ROFileLabel
-var ROMountLabel = selinux.ROFileLabel
-
-// SetProcessLabel takes a process label and tells the kernel to assign the
-// label to the next program executed by the current process.
-// Deprecated: use selinux.SetExecLabel
-var SetProcessLabel = selinux.SetExecLabel
-
-// ProcessLabel returns the process label that the kernel will assign
-// to the next program executed by the current process.  If "" is returned
-// this indicates that the default labeling will happen for the process.
-// Deprecated: use selinux.ExecLabel
-var ProcessLabel = selinux.ExecLabel
-
-// SetSocketLabel takes a process label and tells the kernel to assign the
-// label to the next socket that gets created
-// Deprecated: use selinux.SetSocketLabel
-var SetSocketLabel = selinux.SetSocketLabel
-
-// SocketLabel retrieves the current default socket label setting
-// Deprecated: use selinux.SocketLabel
-var SocketLabel = selinux.SocketLabel
-
-// SetKeyLabel takes a process label and tells the kernel to assign the
-// label to the next kernel keyring that gets created
-// Deprecated: use selinux.SetKeyLabel
-var SetKeyLabel = selinux.SetKeyLabel
-
-// KeyLabel retrieves the current default kernel keyring label setting
-// Deprecated: use selinux.KeyLabel
-var KeyLabel = selinux.KeyLabel
-
-// FileLabel returns the label for specified path
-// Deprecated: use selinux.FileLabel
-var FileLabel = selinux.FileLabel
-
-// PidLabel will return the label of the process running with the specified pid
-// Deprecated: use selinux.PidLabel
-var PidLabel = selinux.PidLabel
-
 // Init initialises the labeling system
 func Init() {
 	_ = selinux.GetEnabled()
 }
 
-// ClearLabels will clear all reserved labels
-// Deprecated: use selinux.ClearLabels
-var ClearLabels = selinux.ClearLabels
-
-// ReserveLabel will record the fact that the MCS label has already been used.
-// This will prevent InitLabels from using the MCS label in a newly created
-// container
-// Deprecated: use selinux.ReserveLabel
-func ReserveLabel(label string) error {
-	selinux.ReserveLabel(label)
-	return nil
-}
-
-// ReleaseLabel will remove the reservation of the MCS label.
-// This will allow InitLabels to use the MCS label in a newly created
-// containers
-// Deprecated: use selinux.ReleaseLabel
-func ReleaseLabel(label string) error {
-	selinux.ReleaseLabel(label)
-	return nil
-}
-
-// DupSecOpt takes a process label and returns security options that
-// can be used to set duplicate labels on future container processes
-// Deprecated: use selinux.DupSecOpt
-var DupSecOpt = selinux.DupSecOpt
-
 // FormatMountLabel returns a string to be used by the mount command. Using
 // the SELinux `context` mount option. Changing labels of files on mount
 // points with this option can never be changed.
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/label/label_linux.go b/vendor/github.com/opencontainers/selinux/go-selinux/label/label_linux.go
index e49e6d53f7..95f29e21f4 100644
--- a/vendor/github.com/opencontainers/selinux/go-selinux/label/label_linux.go
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/label/label_linux.go
@@ -18,7 +18,7 @@ var validOptions = map[string]bool{
 	"level":    true,
 }
 
-var ErrIncompatibleLabel = errors.New("Bad SELinux option z and Z can not be used together")
+var ErrIncompatibleLabel = errors.New("bad SELinux option: z and Z can not be used together")
 
 // InitLabels returns the process label and file labels to be used within
 // the container.  A list of options can be passed into this function to alter
@@ -52,11 +52,11 @@ func InitLabels(options []string) (plabel string, mlabel string, retErr error) {
 				return "", selinux.PrivContainerMountLabel(), nil
 			}
 			if i := strings.Index(opt, ":"); i == -1 {
-				return "", "", fmt.Errorf("Bad label option %q, valid options 'disable' or \n'user, role, level, type, filetype' followed by ':' and a value", opt)
+				return "", "", fmt.Errorf("bad label option %q, valid options 'disable' or \n'user, role, level, type, filetype' followed by ':' and a value", opt)
 			}
 			con := strings.SplitN(opt, ":", 2)
 			if !validOptions[con[0]] {
-				return "", "", fmt.Errorf("Bad label option %q, valid options 'disable, user, role, level, type, filetype'", con[0])
+				return "", "", fmt.Errorf("bad label option %q, valid options 'disable, user, role, level, type, filetype'", con[0])
 			}
 			if con[0] == "filetype" {
 				mcon["type"] = con[1]
@@ -79,12 +79,6 @@ func InitLabels(options []string) (plabel string, mlabel string, retErr error) {
 	return processLabel, mountLabel, nil
 }
 
-// Deprecated: The GenLabels function is only to be used during the transition
-// to the official API. Use InitLabels(strings.Fields(options)) instead.
-func GenLabels(options string) (string, string, error) {
-	return InitLabels(strings.Fields(options))
-}
-
 // SetFileLabel modifies the "path" label to the specified file label
 func SetFileLabel(path string, fileLabel string) error {
 	if !selinux.GetEnabled() || fileLabel == "" {
@@ -123,11 +117,6 @@ func Relabel(path string, fileLabel string, shared bool) error {
 	return selinux.Chcon(path, fileLabel, true)
 }
 
-// DisableSecOpt returns a security opt that can disable labeling
-// support for future container processes
-// Deprecated: use selinux.DisableSecOpt
-var DisableSecOpt = selinux.DisableSecOpt
-
 // Validate checks that the label does not include unexpected options
 func Validate(label string) error {
 	if strings.Contains(label, "z") && strings.Contains(label, "Z") {
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/label/label_stub.go b/vendor/github.com/opencontainers/selinux/go-selinux/label/label_stub.go
index 1c260cb27d..7a54afc5e6 100644
--- a/vendor/github.com/opencontainers/selinux/go-selinux/label/label_stub.go
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/label/label_stub.go
@@ -10,12 +10,6 @@ func InitLabels([]string) (string, string, error) {
 	return "", "", nil
 }
 
-// Deprecated: The GenLabels function is only to be used during the transition
-// to the official API. Use InitLabels(strings.Fields(options)) instead.
-func GenLabels(string) (string, string, error) {
-	return "", "", nil
-}
-
 func SetFileLabel(string, string) error {
 	return nil
 }
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/selinux.go b/vendor/github.com/opencontainers/selinux/go-selinux/selinux.go
index af058b84b1..15150d4752 100644
--- a/vendor/github.com/opencontainers/selinux/go-selinux/selinux.go
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/selinux.go
@@ -41,6 +41,10 @@ var (
 	// ErrVerifierNil is returned when a context verifier function is nil.
 	ErrVerifierNil = errors.New("verifier function is nil")
 
+	// ErrNotTGLeader is returned by [SetKeyLabel] if the calling thread
+	// is not the thread group leader.
+	ErrNotTGLeader = errors.New("calling thread is not the thread group leader")
+
 	// CategoryRange allows the upper bound on the category range to be adjusted
 	CategoryRange = DefaultCategoryRange
 
@@ -149,7 +153,7 @@ func CalculateGlbLub(sourceRange, targetRange string) (string, error) {
 // of the program is finished to guarantee another goroutine does not migrate to the current
 // thread before execution is complete.
 func SetExecLabel(label string) error {
-	return writeCon(attrPath("exec"), label)
+	return writeConThreadSelf("attr/exec", label)
 }
 
 // SetTaskLabel sets the SELinux label for the current thread, or an error.
@@ -157,7 +161,7 @@ func SetExecLabel(label string) error {
 // be wrapped in runtime.LockOSThread()/runtime.UnlockOSThread() to guarantee
 // the current thread does not run in a new mislabeled thread.
 func SetTaskLabel(label string) error {
-	return writeCon(attrPath("current"), label)
+	return writeConThreadSelf("attr/current", label)
 }
 
 // SetSocketLabel takes a process label and tells the kernel to assign the
@@ -166,12 +170,12 @@ func SetTaskLabel(label string) error {
 // the socket is created to guarantee another goroutine does not migrate
 // to the current thread before execution is complete.
 func SetSocketLabel(label string) error {
-	return writeCon(attrPath("sockcreate"), label)
+	return writeConThreadSelf("attr/sockcreate", label)
 }
 
 // SocketLabel retrieves the current socket label setting
 func SocketLabel() (string, error) {
-	return readCon(attrPath("sockcreate"))
+	return readConThreadSelf("attr/sockcreate")
 }
 
 // PeerLabel retrieves the label of the client on the other side of a socket
@@ -180,17 +184,21 @@ func PeerLabel(fd uintptr) (string, error) {
 }
 
 // SetKeyLabel takes a process label and tells the kernel to assign the
-// label to the next kernel keyring that gets created. Calls to SetKeyLabel
-// should be wrapped in runtime.LockOSThread()/runtime.UnlockOSThread() until
-// the kernel keyring is created to guarantee another goroutine does not migrate
-// to the current thread before execution is complete.
+// label to the next kernel keyring that gets created.
+//
+// Calls to SetKeyLabel should be wrapped in
+// runtime.LockOSThread()/runtime.UnlockOSThread() until the kernel keyring is
+// created to guarantee another goroutine does not migrate to the current
+// thread before execution is complete.
+//
+// Only the thread group leader can set key label.
 func SetKeyLabel(label string) error {
 	return setKeyLabel(label)
 }
 
 // KeyLabel retrieves the current kernel keyring label setting
 func KeyLabel() (string, error) {
-	return readCon("/proc/self/attr/keycreate")
+	return keyLabel()
 }
 
 // Get returns the Context as a string
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go
index c80c10971b..6d7f8e270b 100644
--- a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go
@@ -17,8 +17,11 @@ import (
 	"strings"
 	"sync"
 
-	"github.com/opencontainers/selinux/pkg/pwalkdir"
+	"github.com/cyphar/filepath-securejoin/pathrs-lite"
+	"github.com/cyphar/filepath-securejoin/pathrs-lite/procfs"
 	"golang.org/x/sys/unix"
+
+	"github.com/opencontainers/selinux/pkg/pwalkdir"
 )
 
 const (
@@ -45,7 +48,7 @@ type selinuxState struct {
 
 type level struct {
 	cats *big.Int
-	sens uint
+	sens int
 }
 
 type mlsRange struct {
@@ -73,10 +76,6 @@ var (
 		mcsList: make(map[string]bool),
 	}
 
-	// for attrPath()
-	attrPathOnce   sync.Once
-	haveThreadSelf bool
-
 	// for policyRoot()
 	policyRootOnce sync.Once
 	policyRootVal  string
@@ -138,6 +137,7 @@ func verifySELinuxfsMount(mnt string) bool {
 		return false
 	}
 
+	//#nosec G115 -- there is no overflow here.
 	if uint32(buf.Type) != uint32(unix.SELINUX_MAGIC) {
 		return false
 	}
@@ -255,48 +255,183 @@ func readConfig(target string) string {
 	return ""
 }
 
-func isProcHandle(fh *os.File) error {
-	var buf unix.Statfs_t
+func readConFd(in *os.File) (string, error) {
+	data, err := io.ReadAll(in)
+	if err != nil {
+		return "", err
+	}
+	return string(bytes.TrimSuffix(data, []byte{0})), nil
+}
 
-	for {
-		err := unix.Fstatfs(int(fh.Fd()), &buf)
-		if err == nil {
-			break
-		}
-		if err != unix.EINTR {
-			return &os.PathError{Op: "fstatfs", Path: fh.Name(), Err: err}
-		}
+func writeConFd(out *os.File, val string) error {
+	var err error
+	if val != "" {
+		_, err = out.Write([]byte(val))
+	} else {
+		_, err = out.Write(nil)
 	}
-	if buf.Type != unix.PROC_SUPER_MAGIC {
-		return fmt.Errorf("file %q is not on procfs", fh.Name())
+	return err
+}
+
+// openProcThreadSelf is a small wrapper around [procfs.Handle.OpenThreadSelf]
+// and [pathrs.Reopen] to make "one-shot opens" slightly more ergonomic. The
+// provided mode must be os.O_* flags to indicate what mode the returned file
+// should be opened with (flags like os.O_CREAT and os.O_EXCL are not
+// supported).
+//
+// If no error occurred, the returned handle is guaranteed to be exactly
+// /proc/thread-self/ with no tricky mounts or symlinks causing you to
+// operate on an unexpected path (with some caveats on pre-openat2 or
+// pre-fsopen kernels).
+func openProcThreadSelf(subpath string, mode int) (*os.File, procfs.ProcThreadSelfCloser, error) {
+	if subpath == "" {
+		return nil, nil, ErrEmptyPath
 	}
 
-	return nil
-}
+	proc, err := procfs.OpenProcRoot()
+	if err != nil {
+		return nil, nil, err
+	}
+	defer proc.Close()
 
-func readCon(fpath string) (string, error) {
-	if fpath == "" {
-		return "", ErrEmptyPath
+	handle, closer, err := proc.OpenThreadSelf(subpath)
+	if err != nil {
+		return nil, nil, fmt.Errorf("open /proc/thread-self/%s handle: %w", subpath, err)
+	}
+	defer handle.Close() // we will return a re-opened handle
+
+	file, err := pathrs.Reopen(handle, mode)
+	if err != nil {
+		closer()
+		return nil, nil, fmt.Errorf("reopen /proc/thread-self/%s handle (%#x): %w", subpath, mode, err)
 	}
+	return file, closer, nil
+}
 
-	in, err := os.Open(fpath)
+// Read the contents of /proc/thread-self/.
+func readConThreadSelf(fpath string) (string, error) {
+	in, closer, err := openProcThreadSelf(fpath, os.O_RDONLY|unix.O_CLOEXEC)
 	if err != nil {
 		return "", err
 	}
+	defer closer()
 	defer in.Close()
 
-	if err := isProcHandle(in); err != nil {
+	return readConFd(in)
+}
+
+// Write  to /proc/thread-self/.
+func writeConThreadSelf(fpath, val string) error {
+	if val == "" {
+		if !getEnabled() {
+			return nil
+		}
+	}
+
+	out, closer, err := openProcThreadSelf(fpath, os.O_WRONLY|unix.O_CLOEXEC)
+	if err != nil {
+		return err
+	}
+	defer closer()
+	defer out.Close()
+
+	return writeConFd(out, val)
+}
+
+// openProcSelf is a small wrapper around [procfs.Handle.OpenSelf] and
+// [pathrs.Reopen] to make "one-shot opens" slightly more ergonomic. The
+// provided mode must be os.O_* flags to indicate what mode the returned file
+// should be opened with (flags like os.O_CREAT and os.O_EXCL are not
+// supported).
+//
+// If no error occurred, the returned handle is guaranteed to be exactly
+// /proc/self/ with no tricky mounts or symlinks causing you to
+// operate on an unexpected path (with some caveats on pre-openat2 or
+// pre-fsopen kernels).
+func openProcSelf(subpath string, mode int) (*os.File, error) {
+	if subpath == "" {
+		return nil, ErrEmptyPath
+	}
+
+	proc, err := procfs.OpenProcRoot()
+	if err != nil {
+		return nil, err
+	}
+	defer proc.Close()
+
+	handle, err := proc.OpenSelf(subpath)
+	if err != nil {
+		return nil, fmt.Errorf("open /proc/self/%s handle: %w", subpath, err)
+	}
+	defer handle.Close() // we will return a re-opened handle
+
+	file, err := pathrs.Reopen(handle, mode)
+	if err != nil {
+		return nil, fmt.Errorf("reopen /proc/self/%s handle (%#x): %w", subpath, mode, err)
+	}
+	return file, nil
+}
+
+// Read the contents of /proc/self/.
+func readConSelf(fpath string) (string, error) {
+	in, err := openProcSelf(fpath, os.O_RDONLY|unix.O_CLOEXEC)
+	if err != nil {
 		return "", err
 	}
+	defer in.Close()
+
 	return readConFd(in)
 }
 
-func readConFd(in *os.File) (string, error) {
-	data, err := io.ReadAll(in)
+// Write  to /proc/self/.
+func writeConSelf(fpath, val string) error {
+	if val == "" {
+		if !getEnabled() {
+			return nil
+		}
+	}
+
+	out, err := openProcSelf(fpath, os.O_WRONLY|unix.O_CLOEXEC)
 	if err != nil {
-		return "", err
+		return err
 	}
-	return string(bytes.TrimSuffix(data, []byte{0})), nil
+	defer out.Close()
+
+	return writeConFd(out, val)
+}
+
+// openProcPid is a small wrapper around [procfs.Handle.OpenPid] and
+// [pathrs.Reopen] to make "one-shot opens" slightly more ergonomic. The
+// provided mode must be os.O_* flags to indicate what mode the returned file
+// should be opened with (flags like os.O_CREAT and os.O_EXCL are not
+// supported).
+//
+// If no error occurred, the returned handle is guaranteed to be exactly
+// /proc/self/ with no tricky mounts or symlinks causing you to
+// operate on an unexpected path (with some caveats on pre-openat2 or
+// pre-fsopen kernels).
+func openProcPid(pid int, subpath string, mode int) (*os.File, error) {
+	if subpath == "" {
+		return nil, ErrEmptyPath
+	}
+
+	proc, err := procfs.OpenProcRoot()
+	if err != nil {
+		return nil, err
+	}
+	defer proc.Close()
+
+	handle, err := proc.OpenPid(pid, subpath)
+	if err != nil {
+		return nil, fmt.Errorf("open /proc/%d/%s handle: %w", pid, subpath, err)
+	}
+	defer handle.Close() // we will return a re-opened handle
+
+	file, err := pathrs.Reopen(handle, mode)
+	if err != nil {
+		return nil, fmt.Errorf("reopen /proc/%d/%s handle (%#x): %w", pid, subpath, mode, err)
+	}
+	return file, nil
 }
 
 // classIndex returns the int index for an object class in the loaded policy,
@@ -392,78 +527,34 @@ func lFileLabel(fpath string) (string, error) {
 }
 
 func setFSCreateLabel(label string) error {
-	return writeCon(attrPath("fscreate"), label)
+	return writeConThreadSelf("attr/fscreate", label)
 }
 
 // fsCreateLabel returns the default label the kernel which the kernel is using
 // for file system objects created by this task. "" indicates default.
 func fsCreateLabel() (string, error) {
-	return readCon(attrPath("fscreate"))
+	return readConThreadSelf("attr/fscreate")
 }
 
 // currentLabel returns the SELinux label of the current process thread, or an error.
 func currentLabel() (string, error) {
-	return readCon(attrPath("current"))
+	return readConThreadSelf("attr/current")
 }
 
 // pidLabel returns the SELinux label of the given pid, or an error.
 func pidLabel(pid int) (string, error) {
-	return readCon(fmt.Sprintf("/proc/%d/attr/current", pid))
+	it, err := openProcPid(pid, "attr/current", os.O_RDONLY|unix.O_CLOEXEC)
+	if err != nil {
+		return "", nil
+	}
+	defer it.Close()
+	return readConFd(it)
 }
 
 // ExecLabel returns the SELinux label that the kernel will use for any programs
 // that are executed by the current process thread, or an error.
 func execLabel() (string, error) {
-	return readCon(attrPath("exec"))
-}
-
-func writeCon(fpath, val string) error {
-	if fpath == "" {
-		return ErrEmptyPath
-	}
-	if val == "" {
-		if !getEnabled() {
-			return nil
-		}
-	}
-
-	out, err := os.OpenFile(fpath, os.O_WRONLY, 0)
-	if err != nil {
-		return err
-	}
-	defer out.Close()
-
-	if err := isProcHandle(out); err != nil {
-		return err
-	}
-
-	if val != "" {
-		_, err = out.Write([]byte(val))
-	} else {
-		_, err = out.Write(nil)
-	}
-	if err != nil {
-		return err
-	}
-	return nil
-}
-
-func attrPath(attr string) string {
-	// Linux >= 3.17 provides this
-	const threadSelfPrefix = "/proc/thread-self/attr"
-
-	attrPathOnce.Do(func() {
-		st, err := os.Stat(threadSelfPrefix)
-		if err == nil && st.Mode().IsDir() {
-			haveThreadSelf = true
-		}
-	})
-
-	if haveThreadSelf {
-		return filepath.Join(threadSelfPrefix, attr)
-	}
-
-	return filepath.Join("/proc/self/task", strconv.Itoa(unix.Gettid()), "attr", attr)
+	return readConThreadSelf("exec")
 }
 
 // canonicalizeContext takes a context string and writes it to the kernel
@@ -501,14 +592,14 @@ func catsToBitset(cats string) (*big.Int, error) {
 				return nil, err
 			}
 			for i := catstart; i <= catend; i++ {
-				bitset.SetBit(bitset, int(i), 1)
+				bitset.SetBit(bitset, i, 1)
 			}
 		} else {
 			cat, err := parseLevelItem(ranges[0], category)
 			if err != nil {
 				return nil, err
 			}
-			bitset.SetBit(bitset, int(cat), 1)
+			bitset.SetBit(bitset, cat, 1)
 		}
 	}
 
@@ -516,16 +607,17 @@ func catsToBitset(cats string) (*big.Int, error) {
 }
 
 // parseLevelItem parses and verifies that a sensitivity or category are valid
-func parseLevelItem(s string, sep levelItem) (uint, error) {
+func parseLevelItem(s string, sep levelItem) (int, error) {
 	if len(s) < minSensLen || levelItem(s[0]) != sep {
 		return 0, ErrLevelSyntax
 	}
-	val, err := strconv.ParseUint(s[1:], 10, 32)
+	const bitSize = 31 // Make sure the result fits into signed int32.
+	val, err := strconv.ParseUint(s[1:], 10, bitSize)
 	if err != nil {
 		return 0, err
 	}
 
-	return uint(val), nil
+	return int(val), nil
 }
 
 // parseLevel fills a level from a string that contains
@@ -582,7 +674,8 @@ func bitsetToStr(c *big.Int) string {
 	var str string
 
 	length := 0
-	for i := int(c.TrailingZeroBits()); i < c.BitLen(); i++ {
+	i0 := int(c.TrailingZeroBits()) //#nosec G115 -- don't expect TralingZeroBits to return values with highest bit set.
+	for i := i0; i < c.BitLen(); i++ {
 		if c.Bit(i) == 0 {
 			continue
 		}
@@ -622,7 +715,7 @@ func (l *level) equal(l2 *level) bool {
 
 // String returns an mlsRange as a string.
 func (m mlsRange) String() string {
-	low := "s" + strconv.Itoa(int(m.low.sens))
+	low := "s" + strconv.Itoa(m.low.sens)
 	if m.low.cats != nil && m.low.cats.BitLen() > 0 {
 		low += ":" + bitsetToStr(m.low.cats)
 	}
@@ -631,7 +724,7 @@ func (m mlsRange) String() string {
 		return low
 	}
 
-	high := "s" + strconv.Itoa(int(m.high.sens))
+	high := "s" + strconv.Itoa(m.high.sens)
 	if m.high.cats != nil && m.high.cats.BitLen() > 0 {
 		high += ":" + bitsetToStr(m.high.cats)
 	}
@@ -639,15 +732,16 @@ func (m mlsRange) String() string {
 	return low + "-" + high
 }
 
-// TODO: remove min and max once Go < 1.21 is not supported.
-func max(a, b uint) uint {
+// TODO: remove these in favor of built-in min/max
+// once we stop supporting Go < 1.21.
+func maxInt(a, b int) int {
 	if a > b {
 		return a
 	}
 	return b
 }
 
-func min(a, b uint) uint {
+func minInt(a, b int) int {
 	if a < b {
 		return a
 	}
@@ -676,10 +770,10 @@ func calculateGlbLub(sourceRange, targetRange string) (string, error) {
 	outrange := &mlsRange{low: &level{}, high: &level{}}
 
 	/* take the greatest of the low */
-	outrange.low.sens = max(s.low.sens, t.low.sens)
+	outrange.low.sens = maxInt(s.low.sens, t.low.sens)
 
 	/* take the least of the high */
-	outrange.high.sens = min(s.high.sens, t.high.sens)
+	outrange.high.sens = minInt(s.high.sens, t.high.sens)
 
 	/* find the intersecting categories */
 	if s.low.cats != nil && t.low.cats != nil {
@@ -724,16 +818,29 @@ func peerLabel(fd uintptr) (string, error) {
 // setKeyLabel takes a process label and tells the kernel to assign the
 // label to the next kernel keyring that gets created
 func setKeyLabel(label string) error {
-	err := writeCon("/proc/self/attr/keycreate", label)
+	// Rather than using /proc/thread-self, we want to use /proc/self to
+	// operate on the thread-group leader.
+	err := writeConSelf("attr/keycreate", label)
 	if errors.Is(err, os.ErrNotExist) {
 		return nil
 	}
 	if label == "" && errors.Is(err, os.ErrPermission) {
 		return nil
 	}
+	if errors.Is(err, unix.EACCES) && unix.Getpid() != unix.Gettid() {
+		return ErrNotTGLeader
+	}
 	return err
 }
 
+// KeyLabel retrieves the current kernel keyring label setting for this
+// thread-group.
+func keyLabel() (string, error) {
+	// Rather than using /proc/thread-self, we want to use /proc/self to
+	// operate on the thread-group leader.
+	return readConSelf("attr/keycreate")
+}
+
 // get returns the Context as a string
 func (c Context) get() string {
 	if l := c["level"]; l != "" {
@@ -809,8 +916,7 @@ func enforceMode() int {
 // setEnforceMode sets the current SELinux mode Enforcing, Permissive.
 // Disabled is not valid, since this needs to be set at boot time.
 func setEnforceMode(mode int) error {
-	//nolint:gosec // ignore G306: permissions to be 0600 or less.
-	return os.WriteFile(selinuxEnforcePath(), []byte(strconv.Itoa(mode)), 0o644)
+	return os.WriteFile(selinuxEnforcePath(), []byte(strconv.Itoa(mode)), 0)
 }
 
 // defaultEnforceMode returns the systems default SELinux mode Enforcing,
@@ -1017,8 +1123,7 @@ func addMcs(processLabel, fileLabel string) (string, string) {
 
 // securityCheckContext validates that the SELinux label is understood by the kernel
 func securityCheckContext(val string) error {
-	//nolint:gosec // ignore G306: permissions to be 0600 or less.
-	return os.WriteFile(filepath.Join(getSelinuxMountPoint(), "context"), []byte(val), 0o644)
+	return os.WriteFile(filepath.Join(getSelinuxMountPoint(), "context"), []byte(val), 0)
 }
 
 // copyLevel returns a label with the MLS/MCS level from src label replaced on
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go
index 0889fbe0e0..382244e503 100644
--- a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go
@@ -3,15 +3,11 @@
 
 package selinux
 
-func attrPath(string) string {
-	return ""
-}
-
-func readCon(string) (string, error) {
+func readConThreadSelf(string) (string, error) {
 	return "", nil
 }
 
-func writeCon(string, string) error {
+func writeConThreadSelf(string, string) error {
 	return nil
 }
 
@@ -81,6 +77,10 @@ func setKeyLabel(string) error {
 	return nil
 }
 
+func keyLabel() (string, error) {
+	return "", nil
+}
+
 func (c Context) get() string {
 	return ""
 }
diff --git a/vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/id.go b/vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/id.go
index e854d7e84e..2950fdb42e 100644
--- a/vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/id.go
+++ b/vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/id.go
@@ -82,7 +82,7 @@ func marshalJSON(id []byte) ([]byte, error) {
 }
 
 // unmarshalJSON inflates trace id from hex string, possibly enclosed in quotes.
-func unmarshalJSON(dst []byte, src []byte) error {
+func unmarshalJSON(dst, src []byte) error {
 	if l := len(src); l >= 2 && src[0] == '"' && src[l-1] == '"' {
 		src = src[1 : l-1]
 	}
diff --git a/vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/number.go b/vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/number.go
index 29e629d667..5bb3b16c70 100644
--- a/vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/number.go
+++ b/vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/number.go
@@ -41,7 +41,7 @@ func (i *protoInt64) UnmarshalJSON(data []byte) error {
 // strings or integers.
 type protoUint64 uint64
 
-// Int64 returns the protoUint64 as a uint64.
+// Uint64 returns the protoUint64 as a uint64.
 func (i *protoUint64) Uint64() uint64 { return uint64(*i) }
 
 // UnmarshalJSON decodes both strings and integers.
diff --git a/vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/span.go b/vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/span.go
index a13a6b733d..67f80b6aa0 100644
--- a/vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/span.go
+++ b/vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/span.go
@@ -10,6 +10,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"math"
 	"time"
 )
 
@@ -151,8 +152,8 @@ func (s Span) MarshalJSON() ([]byte, error) {
 	}{
 		Alias:        Alias(s),
 		ParentSpanID: parentSpanId,
-		StartTime:    uint64(startT),
-		EndTime:      uint64(endT),
+		StartTime:    uint64(startT), // nolint:gosec  // >0 checked above.
+		EndTime:      uint64(endT),   // nolint:gosec  // >0 checked above.
 	})
 }
 
@@ -201,11 +202,13 @@ func (s *Span) UnmarshalJSON(data []byte) error {
 		case "startTimeUnixNano", "start_time_unix_nano":
 			var val protoUint64
 			err = decoder.Decode(&val)
-			s.StartTime = time.Unix(0, int64(val.Uint64()))
+			v := int64(min(val.Uint64(), math.MaxInt64)) //nolint:gosec  // Overflow checked.
+			s.StartTime = time.Unix(0, v)
 		case "endTimeUnixNano", "end_time_unix_nano":
 			var val protoUint64
 			err = decoder.Decode(&val)
-			s.EndTime = time.Unix(0, int64(val.Uint64()))
+			v := int64(min(val.Uint64(), math.MaxInt64)) //nolint:gosec  // Overflow checked.
+			s.EndTime = time.Unix(0, v)
 		case "attributes":
 			err = decoder.Decode(&s.Attrs)
 		case "droppedAttributesCount", "dropped_attributes_count":
@@ -248,13 +251,20 @@ func (s *Span) UnmarshalJSON(data []byte) error {
 type SpanFlags int32
 
 const (
+	// SpanFlagsTraceFlagsMask is a mask for trace-flags.
+	//
 	// Bits 0-7 are used for trace flags.
 	SpanFlagsTraceFlagsMask SpanFlags = 255
-	// Bits 8 and 9 are used to indicate that the parent span or link span is remote.
-	// Bit 8 (`HAS_IS_REMOTE`) indicates whether the value is known.
-	// Bit 9 (`IS_REMOTE`) indicates whether the span or link is remote.
+	// SpanFlagsContextHasIsRemoteMask is a mask for HAS_IS_REMOTE status.
+	//
+	// Bits 8 and 9 are used to indicate that the parent span or link span is
+	// remote. Bit 8 (`HAS_IS_REMOTE`) indicates whether the value is known.
 	SpanFlagsContextHasIsRemoteMask SpanFlags = 256
-	// SpanFlagsContextHasIsRemoteMask indicates the Span is remote.
+	// SpanFlagsContextIsRemoteMask is a mask for IS_REMOTE status.
+	//
+	// Bits 8 and 9 are used to indicate that the parent span or link span is
+	// remote. Bit 9 (`IS_REMOTE`) indicates whether the span or link is
+	// remote.
 	SpanFlagsContextIsRemoteMask SpanFlags = 512
 )
 
@@ -263,26 +273,30 @@ const (
 type SpanKind int32
 
 const (
-	// Indicates that the span represents an internal operation within an application,
-	// as opposed to an operation happening at the boundaries. Default value.
+	// SpanKindInternal indicates that the span represents an internal
+	// operation within an application, as opposed to an operation happening at
+	// the boundaries.
 	SpanKindInternal SpanKind = 1
-	// Indicates that the span covers server-side handling of an RPC or other
-	// remote network request.
+	// SpanKindServer indicates that the span covers server-side handling of an
+	// RPC or other remote network request.
 	SpanKindServer SpanKind = 2
-	// Indicates that the span describes a request to some remote service.
+	// SpanKindClient indicates that the span describes a request to some
+	// remote service.
 	SpanKindClient SpanKind = 3
-	// Indicates that the span describes a producer sending a message to a broker.
-	// Unlike CLIENT and SERVER, there is often no direct critical path latency relationship
-	// between producer and consumer spans. A PRODUCER span ends when the message was accepted
-	// by the broker while the logical processing of the message might span a much longer time.
+	// SpanKindProducer indicates that the span describes a producer sending a
+	// message to a broker. Unlike SpanKindClient and SpanKindServer, there is
+	// often no direct critical path latency relationship between producer and
+	// consumer spans. A SpanKindProducer span ends when the message was
+	// accepted by the broker while the logical processing of the message might
+	// span a much longer time.
 	SpanKindProducer SpanKind = 4
-	// Indicates that the span describes consumer receiving a message from a broker.
-	// Like the PRODUCER kind, there is often no direct critical path latency relationship
-	// between producer and consumer spans.
+	// SpanKindConsumer indicates that the span describes a consumer receiving
+	// a message from a broker. Like SpanKindProducer, there is often no direct
+	// critical path latency relationship between producer and consumer spans.
 	SpanKindConsumer SpanKind = 5
 )
 
-// Event is a time-stamped annotation of the span, consisting of user-supplied
+// SpanEvent is a time-stamped annotation of the span, consisting of user-supplied
 // text description and key-value pairs.
 type SpanEvent struct {
 	// time_unix_nano is the time the event occurred.
@@ -312,7 +326,7 @@ func (e SpanEvent) MarshalJSON() ([]byte, error) {
 		Time uint64 `json:"timeUnixNano,omitempty"`
 	}{
 		Alias: Alias(e),
-		Time:  uint64(t),
+		Time:  uint64(t), //nolint:gosec  // >0 checked above
 	})
 }
 
@@ -347,7 +361,8 @@ func (se *SpanEvent) UnmarshalJSON(data []byte) error {
 		case "timeUnixNano", "time_unix_nano":
 			var val protoUint64
 			err = decoder.Decode(&val)
-			se.Time = time.Unix(0, int64(val.Uint64()))
+			v := int64(min(val.Uint64(), math.MaxInt64)) //nolint:gosec  // Overflow checked.
+			se.Time = time.Unix(0, v)
 		case "name":
 			err = decoder.Decode(&se.Name)
 		case "attributes":
@@ -365,10 +380,11 @@ func (se *SpanEvent) UnmarshalJSON(data []byte) error {
 	return nil
 }
 
-// A pointer from the current span to another span in the same trace or in a
-// different trace. For example, this can be used in batching operations,
-// where a single batch handler processes multiple requests from different
-// traces or when the handler receives a request from a different project.
+// SpanLink is a reference from the current span to another span in the same
+// trace or in a different trace. For example, this can be used in batching
+// operations, where a single batch handler processes multiple requests from
+// different traces or when the handler receives a request from a different
+// project.
 type SpanLink struct {
 	// A unique identifier of a trace that this linked span is part of. The ID is a
 	// 16-byte array.
diff --git a/vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/status.go b/vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/status.go
index 1217776ead..a2802764f8 100644
--- a/vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/status.go
+++ b/vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/status.go
@@ -3,17 +3,19 @@
 
 package telemetry
 
+// StatusCode is the status of a Span.
+//
 // For the semantics of status codes see
 // https://github.com/open-telemetry/opentelemetry-specification/blob/main/specification/trace/api.md#set-status
 type StatusCode int32
 
 const (
-	// The default status.
+	// StatusCodeUnset is the default status.
 	StatusCodeUnset StatusCode = 0
-	// The Span has been validated by an Application developer or Operator to
-	// have completed successfully.
+	// StatusCodeOK is used when the Span has been validated by an Application
+	// developer or Operator to have completed successfully.
 	StatusCodeOK StatusCode = 1
-	// The Span contains an error.
+	// StatusCodeError is used when the Span contains an error.
 	StatusCodeError StatusCode = 2
 )
 
diff --git a/vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/traces.go b/vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/traces.go
index 69a348f0f0..44197b8084 100644
--- a/vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/traces.go
+++ b/vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/traces.go
@@ -71,7 +71,7 @@ func (td *Traces) UnmarshalJSON(data []byte) error {
 	return nil
 }
 
-// A collection of ScopeSpans from a Resource.
+// ResourceSpans is a collection of ScopeSpans from a Resource.
 type ResourceSpans struct {
 	// The resource for the spans in this message.
 	// If this field is not set then no resource info is known.
@@ -128,7 +128,7 @@ func (rs *ResourceSpans) UnmarshalJSON(data []byte) error {
 	return nil
 }
 
-// A collection of Spans produced by an InstrumentationScope.
+// ScopeSpans is a collection of Spans produced by an InstrumentationScope.
 type ScopeSpans struct {
 	// The instrumentation scope information for the spans in this message.
 	// Semantically when InstrumentationScope isn't set, it is equivalent with
diff --git a/vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/value.go b/vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/value.go
index 0dd01b063a..022768bb50 100644
--- a/vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/value.go
+++ b/vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/value.go
@@ -1,8 +1,6 @@
 // Copyright The OpenTelemetry Authors
 // SPDX-License-Identifier: Apache-2.0
 
-//go:generate stringer -type=ValueKind -trimprefix=ValueKind
-
 package telemetry
 
 import (
@@ -23,7 +21,7 @@ import (
 // A zero value is valid and represents an empty value.
 type Value struct {
 	// Ensure forward compatibility by explicitly making this not comparable.
-	noCmp [0]func() //nolint: unused  // This is indeed used.
+	noCmp [0]func() //nolint:unused  // This is indeed used.
 
 	// num holds the value for Int64, Float64, and Bool. It holds the length
 	// for String, Bytes, Slice, Map.
@@ -92,7 +90,7 @@ func IntValue(v int) Value { return Int64Value(int64(v)) }
 
 // Int64Value returns a [Value] for an int64.
 func Int64Value(v int64) Value {
-	return Value{num: uint64(v), any: ValueKindInt64}
+	return Value{num: uint64(v), any: ValueKindInt64} //nolint:gosec  // Raw value conv.
 }
 
 // Float64Value returns a [Value] for a float64.
@@ -164,7 +162,7 @@ func (v Value) AsInt64() int64 {
 // this will return garbage.
 func (v Value) asInt64() int64 {
 	// Assumes v.num was a valid int64 (overflow not checked).
-	return int64(v.num) // nolint: gosec
+	return int64(v.num) //nolint:gosec  // Bounded.
 }
 
 // AsBool returns the value held by v as a bool.
@@ -309,13 +307,13 @@ func (v Value) String() string {
 		return v.asString()
 	case ValueKindInt64:
 		// Assumes v.num was a valid int64 (overflow not checked).
-		return strconv.FormatInt(int64(v.num), 10) // nolint: gosec
+		return strconv.FormatInt(int64(v.num), 10) //nolint:gosec  // Bounded.
 	case ValueKindFloat64:
 		return strconv.FormatFloat(v.asFloat64(), 'g', -1, 64)
 	case ValueKindBool:
 		return strconv.FormatBool(v.asBool())
 	case ValueKindBytes:
-		return fmt.Sprint(v.asBytes())
+		return string(v.asBytes())
 	case ValueKindMap:
 		return fmt.Sprint(v.asMap())
 	case ValueKindSlice:
@@ -343,7 +341,7 @@ func (v *Value) MarshalJSON() ([]byte, error) {
 	case ValueKindInt64:
 		return json.Marshal(struct {
 			Value string `json:"intValue"`
-		}{strconv.FormatInt(int64(v.num), 10)})
+		}{strconv.FormatInt(int64(v.num), 10)}) //nolint:gosec  // Raw value conv.
 	case ValueKindFloat64:
 		return json.Marshal(struct {
 			Value float64 `json:"doubleValue"`
diff --git a/vendor/go.opentelemetry.io/auto/sdk/span.go b/vendor/go.opentelemetry.io/auto/sdk/span.go
index 6ebea12a9e..815d271ffb 100644
--- a/vendor/go.opentelemetry.io/auto/sdk/span.go
+++ b/vendor/go.opentelemetry.io/auto/sdk/span.go
@@ -6,6 +6,7 @@ package sdk
 import (
 	"encoding/json"
 	"fmt"
+	"math"
 	"reflect"
 	"runtime"
 	"strings"
@@ -16,7 +17,7 @@ import (
 
 	"go.opentelemetry.io/otel/attribute"
 	"go.opentelemetry.io/otel/codes"
-	semconv "go.opentelemetry.io/otel/semconv/v1.26.0"
+	semconv "go.opentelemetry.io/otel/semconv/v1.37.0"
 	"go.opentelemetry.io/otel/trace"
 	"go.opentelemetry.io/otel/trace/noop"
 
@@ -85,7 +86,12 @@ func (s *span) SetAttributes(attrs ...attribute.KeyValue) {
 	limit := maxSpan.Attrs
 	if limit == 0 {
 		// No attributes allowed.
-		s.span.DroppedAttrs += uint32(len(attrs))
+		n := int64(len(attrs))
+		if n > 0 {
+			s.span.DroppedAttrs += uint32( //nolint:gosec  // Bounds checked.
+				min(n, math.MaxUint32),
+			)
+		}
 		return
 	}
 
@@ -121,8 +127,13 @@ func (s *span) SetAttributes(attrs ...attribute.KeyValue) {
 // convCappedAttrs converts up to limit attrs into a []telemetry.Attr. The
 // number of dropped attributes is also returned.
 func convCappedAttrs(limit int, attrs []attribute.KeyValue) ([]telemetry.Attr, uint32) {
+	n := len(attrs)
 	if limit == 0 {
-		return nil, uint32(len(attrs))
+		var out uint32
+		if n > 0 {
+			out = uint32(min(int64(n), math.MaxUint32)) //nolint:gosec  // Bounds checked.
+		}
+		return nil, out
 	}
 
 	if limit < 0 {
@@ -130,8 +141,12 @@ func convCappedAttrs(limit int, attrs []attribute.KeyValue) ([]telemetry.Attr, u
 		return convAttrs(attrs), 0
 	}
 
-	limit = min(len(attrs), limit)
-	return convAttrs(attrs[:limit]), uint32(len(attrs) - limit)
+	if n < 0 {
+		n = 0
+	}
+
+	limit = min(n, limit)
+	return convAttrs(attrs[:limit]), uint32(n - limit) //nolint:gosec  // Bounds checked.
 }
 
 func convAttrs(attrs []attribute.KeyValue) []telemetry.Attr {
diff --git a/vendor/go.opentelemetry.io/auto/sdk/tracer.go b/vendor/go.opentelemetry.io/auto/sdk/tracer.go
index cbcfabde3b..e09acf022f 100644
--- a/vendor/go.opentelemetry.io/auto/sdk/tracer.go
+++ b/vendor/go.opentelemetry.io/auto/sdk/tracer.go
@@ -5,6 +5,7 @@ package sdk
 
 import (
 	"context"
+	"math"
 	"time"
 
 	"go.opentelemetry.io/otel/trace"
@@ -21,15 +22,20 @@ type tracer struct {
 
 var _ trace.Tracer = tracer{}
 
-func (t tracer) Start(ctx context.Context, name string, opts ...trace.SpanStartOption) (context.Context, trace.Span) {
-	var psc trace.SpanContext
+func (t tracer) Start(
+	ctx context.Context,
+	name string,
+	opts ...trace.SpanStartOption,
+) (context.Context, trace.Span) {
+	var psc, sc trace.SpanContext
 	sampled := true
 	span := new(span)
 
 	// Ask eBPF for sampling decision and span context info.
-	t.start(ctx, span, &psc, &sampled, &span.spanContext)
+	t.start(ctx, span, &psc, &sampled, &sc)
 
 	span.sampled.Store(sampled)
+	span.spanContext = sc
 
 	ctx = trace.ContextWithSpan(ctx, span)
 
@@ -58,7 +64,13 @@ func (t *tracer) start(
 // start is used for testing.
 var start = func(context.Context, *span, *trace.SpanContext, *bool, *trace.SpanContext) {}
 
-func (t tracer) traces(name string, cfg trace.SpanConfig, sc, psc trace.SpanContext) (*telemetry.Traces, *telemetry.Span) {
+var intToUint32Bound = min(math.MaxInt, math.MaxUint32)
+
+func (t tracer) traces(
+	name string,
+	cfg trace.SpanConfig,
+	sc, psc trace.SpanContext,
+) (*telemetry.Traces, *telemetry.Span) {
 	span := &telemetry.Span{
 		TraceID:      telemetry.TraceID(sc.TraceID()),
 		SpanID:       telemetry.SpanID(sc.SpanID()),
@@ -73,11 +85,16 @@ func (t tracer) traces(name string, cfg trace.SpanConfig, sc, psc trace.SpanCont
 
 	links := cfg.Links()
 	if limit := maxSpan.Links; limit == 0 {
-		span.DroppedLinks = uint32(len(links))
+		n := len(links)
+		if n > 0 {
+			bounded := max(min(n, intToUint32Bound), 0)
+			span.DroppedLinks = uint32(bounded) //nolint:gosec  // Bounds checked.
+		}
 	} else {
 		if limit > 0 {
 			n := max(len(links)-limit, 0)
-			span.DroppedLinks = uint32(n)
+			bounded := min(n, intToUint32Bound)
+			span.DroppedLinks = uint32(bounded) //nolint:gosec  // Bounds checked.
 			links = links[n:]
 		}
 		span.Links = convLinks(links)
diff --git a/vendor/go.opentelemetry.io/otel/semconv/v1.26.0/README.md b/vendor/go.opentelemetry.io/otel/semconv/v1.26.0/README.md
deleted file mode 100644
index 2de1fc3c6b..0000000000
--- a/vendor/go.opentelemetry.io/otel/semconv/v1.26.0/README.md
+++ /dev/null
@@ -1,3 +0,0 @@
-# Semconv v1.26.0
-
-[![PkgGoDev](https://pkg.go.dev/badge/go.opentelemetry.io/otel/semconv/v1.26.0)](https://pkg.go.dev/go.opentelemetry.io/otel/semconv/v1.26.0)
diff --git a/vendor/go.opentelemetry.io/otel/semconv/v1.26.0/attribute_group.go b/vendor/go.opentelemetry.io/otel/semconv/v1.26.0/attribute_group.go
deleted file mode 100644
index d8dc822b26..0000000000
--- a/vendor/go.opentelemetry.io/otel/semconv/v1.26.0/attribute_group.go
+++ /dev/null
@@ -1,8996 +0,0 @@
-// Copyright The OpenTelemetry Authors
-// SPDX-License-Identifier: Apache-2.0
-
-// Code generated from semantic convention specification. DO NOT EDIT.
-
-package semconv // import "go.opentelemetry.io/otel/semconv/v1.26.0"
-
-import "go.opentelemetry.io/otel/attribute"
-
-// The Android platform on which the Android application is running.
-const (
-	// AndroidOSAPILevelKey is the attribute Key conforming to the
-	// "android.os.api_level" semantic conventions. It represents the uniquely
-	// identifies the framework API revision offered by a version
-	// (`os.version`) of the android operating system. More information can be
-	// found
-	// [here](https://developer.android.com/guide/topics/manifest/uses-sdk-element#APILevels).
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: '33', '32'
-	AndroidOSAPILevelKey = attribute.Key("android.os.api_level")
-)
-
-// AndroidOSAPILevel returns an attribute KeyValue conforming to the
-// "android.os.api_level" semantic conventions. It represents the uniquely
-// identifies the framework API revision offered by a version (`os.version`) of
-// the android operating system. More information can be found
-// [here](https://developer.android.com/guide/topics/manifest/uses-sdk-element#APILevels).
-func AndroidOSAPILevel(val string) attribute.KeyValue {
-	return AndroidOSAPILevelKey.String(val)
-}
-
-// ASP.NET Core attributes
-const (
-	// AspnetcoreRateLimitingResultKey is the attribute Key conforming to the
-	// "aspnetcore.rate_limiting.result" semantic conventions. It represents
-	// the rate-limiting result, shows whether the lease was acquired or
-	// contains a rejection reason
-	//
-	// Type: Enum
-	// RequirementLevel: Required
-	// Stability: stable
-	// Examples: 'acquired', 'request_canceled'
-	AspnetcoreRateLimitingResultKey = attribute.Key("aspnetcore.rate_limiting.result")
-
-	// AspnetcoreDiagnosticsHandlerTypeKey is the attribute Key conforming to
-	// the "aspnetcore.diagnostics.handler.type" semantic conventions. It
-	// represents the full type name of the
-	// [`IExceptionHandler`](https://learn.microsoft.com/dotnet/api/microsoft.aspnetcore.diagnostics.iexceptionhandler)
-	// implementation that handled the exception.
-	//
-	// Type: string
-	// RequirementLevel: ConditionallyRequired (if and only if the exception
-	// was handled by this handler.)
-	// Stability: stable
-	// Examples: 'Contoso.MyHandler'
-	AspnetcoreDiagnosticsHandlerTypeKey = attribute.Key("aspnetcore.diagnostics.handler.type")
-
-	// AspnetcoreDiagnosticsExceptionResultKey is the attribute Key conforming
-	// to the "aspnetcore.diagnostics.exception.result" semantic conventions.
-	// It represents the aSP.NET Core exception middleware handling result
-	//
-	// Type: Enum
-	// RequirementLevel: Optional
-	// Stability: stable
-	// Examples: 'handled', 'unhandled'
-	AspnetcoreDiagnosticsExceptionResultKey = attribute.Key("aspnetcore.diagnostics.exception.result")
-
-	// AspnetcoreRateLimitingPolicyKey is the attribute Key conforming to the
-	// "aspnetcore.rate_limiting.policy" semantic conventions. It represents
-	// the rate limiting policy name.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: stable
-	// Examples: 'fixed', 'sliding', 'token'
-	AspnetcoreRateLimitingPolicyKey = attribute.Key("aspnetcore.rate_limiting.policy")
-
-	// AspnetcoreRequestIsUnhandledKey is the attribute Key conforming to the
-	// "aspnetcore.request.is_unhandled" semantic conventions. It represents
-	// the flag indicating if request was handled by the application pipeline.
-	//
-	// Type: boolean
-	// RequirementLevel: Optional
-	// Stability: stable
-	// Examples: True
-	AspnetcoreRequestIsUnhandledKey = attribute.Key("aspnetcore.request.is_unhandled")
-
-	// AspnetcoreRoutingIsFallbackKey is the attribute Key conforming to the
-	// "aspnetcore.routing.is_fallback" semantic conventions. It represents a
-	// value that indicates whether the matched route is a fallback route.
-	//
-	// Type: boolean
-	// RequirementLevel: Optional
-	// Stability: stable
-	// Examples: True
-	AspnetcoreRoutingIsFallbackKey = attribute.Key("aspnetcore.routing.is_fallback")
-
-	// AspnetcoreRoutingMatchStatusKey is the attribute Key conforming to the
-	// "aspnetcore.routing.match_status" semantic conventions. It represents
-	// the match result - success or failure
-	//
-	// Type: Enum
-	// RequirementLevel: Optional
-	// Stability: stable
-	// Examples: 'success', 'failure'
-	AspnetcoreRoutingMatchStatusKey = attribute.Key("aspnetcore.routing.match_status")
-)
-
-var (
-	// Lease was acquired
-	AspnetcoreRateLimitingResultAcquired = AspnetcoreRateLimitingResultKey.String("acquired")
-	// Lease request was rejected by the endpoint limiter
-	AspnetcoreRateLimitingResultEndpointLimiter = AspnetcoreRateLimitingResultKey.String("endpoint_limiter")
-	// Lease request was rejected by the global limiter
-	AspnetcoreRateLimitingResultGlobalLimiter = AspnetcoreRateLimitingResultKey.String("global_limiter")
-	// Lease request was canceled
-	AspnetcoreRateLimitingResultRequestCanceled = AspnetcoreRateLimitingResultKey.String("request_canceled")
-)
-
-var (
-	// Exception was handled by the exception handling middleware
-	AspnetcoreDiagnosticsExceptionResultHandled = AspnetcoreDiagnosticsExceptionResultKey.String("handled")
-	// Exception was not handled by the exception handling middleware
-	AspnetcoreDiagnosticsExceptionResultUnhandled = AspnetcoreDiagnosticsExceptionResultKey.String("unhandled")
-	// Exception handling was skipped because the response had started
-	AspnetcoreDiagnosticsExceptionResultSkipped = AspnetcoreDiagnosticsExceptionResultKey.String("skipped")
-	// Exception handling didn't run because the request was aborted
-	AspnetcoreDiagnosticsExceptionResultAborted = AspnetcoreDiagnosticsExceptionResultKey.String("aborted")
-)
-
-var (
-	// Match succeeded
-	AspnetcoreRoutingMatchStatusSuccess = AspnetcoreRoutingMatchStatusKey.String("success")
-	// Match failed
-	AspnetcoreRoutingMatchStatusFailure = AspnetcoreRoutingMatchStatusKey.String("failure")
-)
-
-// AspnetcoreDiagnosticsHandlerType returns an attribute KeyValue conforming
-// to the "aspnetcore.diagnostics.handler.type" semantic conventions. It
-// represents the full type name of the
-// [`IExceptionHandler`](https://learn.microsoft.com/dotnet/api/microsoft.aspnetcore.diagnostics.iexceptionhandler)
-// implementation that handled the exception.
-func AspnetcoreDiagnosticsHandlerType(val string) attribute.KeyValue {
-	return AspnetcoreDiagnosticsHandlerTypeKey.String(val)
-}
-
-// AspnetcoreRateLimitingPolicy returns an attribute KeyValue conforming to
-// the "aspnetcore.rate_limiting.policy" semantic conventions. It represents
-// the rate limiting policy name.
-func AspnetcoreRateLimitingPolicy(val string) attribute.KeyValue {
-	return AspnetcoreRateLimitingPolicyKey.String(val)
-}
-
-// AspnetcoreRequestIsUnhandled returns an attribute KeyValue conforming to
-// the "aspnetcore.request.is_unhandled" semantic conventions. It represents
-// the flag indicating if request was handled by the application pipeline.
-func AspnetcoreRequestIsUnhandled(val bool) attribute.KeyValue {
-	return AspnetcoreRequestIsUnhandledKey.Bool(val)
-}
-
-// AspnetcoreRoutingIsFallback returns an attribute KeyValue conforming to
-// the "aspnetcore.routing.is_fallback" semantic conventions. It represents a
-// value that indicates whether the matched route is a fallback route.
-func AspnetcoreRoutingIsFallback(val bool) attribute.KeyValue {
-	return AspnetcoreRoutingIsFallbackKey.Bool(val)
-}
-
-// Generic attributes for AWS services.
-const (
-	// AWSRequestIDKey is the attribute Key conforming to the "aws.request_id"
-	// semantic conventions. It represents the AWS request ID as returned in
-	// the response headers `x-amz-request-id` or `x-amz-requestid`.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: '79b9da39-b7ae-508a-a6bc-864b2829c622', 'C9ER4AJX75574TDJ'
-	AWSRequestIDKey = attribute.Key("aws.request_id")
-)
-
-// AWSRequestID returns an attribute KeyValue conforming to the
-// "aws.request_id" semantic conventions. It represents the AWS request ID as
-// returned in the response headers `x-amz-request-id` or `x-amz-requestid`.
-func AWSRequestID(val string) attribute.KeyValue {
-	return AWSRequestIDKey.String(val)
-}
-
-// Attributes for AWS DynamoDB.
-const (
-	// AWSDynamoDBAttributeDefinitionsKey is the attribute Key conforming to
-	// the "aws.dynamodb.attribute_definitions" semantic conventions. It
-	// represents the JSON-serialized value of each item in the
-	// `AttributeDefinitions` request field.
-	//
-	// Type: string[]
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: '{ "AttributeName": "string", "AttributeType": "string" }'
-	AWSDynamoDBAttributeDefinitionsKey = attribute.Key("aws.dynamodb.attribute_definitions")
-
-	// AWSDynamoDBAttributesToGetKey is the attribute Key conforming to the
-	// "aws.dynamodb.attributes_to_get" semantic conventions. It represents the
-	// value of the `AttributesToGet` request parameter.
-	//
-	// Type: string[]
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'lives', 'id'
-	AWSDynamoDBAttributesToGetKey = attribute.Key("aws.dynamodb.attributes_to_get")
-
-	// AWSDynamoDBConsistentReadKey is the attribute Key conforming to the
-	// "aws.dynamodb.consistent_read" semantic conventions. It represents the
-	// value of the `ConsistentRead` request parameter.
-	//
-	// Type: boolean
-	// RequirementLevel: Optional
-	// Stability: experimental
-	AWSDynamoDBConsistentReadKey = attribute.Key("aws.dynamodb.consistent_read")
-
-	// AWSDynamoDBConsumedCapacityKey is the attribute Key conforming to the
-	// "aws.dynamodb.consumed_capacity" semantic conventions. It represents the
-	// JSON-serialized value of each item in the `ConsumedCapacity` response
-	// field.
-	//
-	// Type: string[]
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: '{ "CapacityUnits": number, "GlobalSecondaryIndexes": {
-	// "string" : { "CapacityUnits": number, "ReadCapacityUnits": number,
-	// "WriteCapacityUnits": number } }, "LocalSecondaryIndexes": { "string" :
-	// { "CapacityUnits": number, "ReadCapacityUnits": number,
-	// "WriteCapacityUnits": number } }, "ReadCapacityUnits": number, "Table":
-	// { "CapacityUnits": number, "ReadCapacityUnits": number,
-	// "WriteCapacityUnits": number }, "TableName": "string",
-	// "WriteCapacityUnits": number }'
-	AWSDynamoDBConsumedCapacityKey = attribute.Key("aws.dynamodb.consumed_capacity")
-
-	// AWSDynamoDBCountKey is the attribute Key conforming to the
-	// "aws.dynamodb.count" semantic conventions. It represents the value of
-	// the `Count` response parameter.
-	//
-	// Type: int
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 10
-	AWSDynamoDBCountKey = attribute.Key("aws.dynamodb.count")
-
-	// AWSDynamoDBExclusiveStartTableKey is the attribute Key conforming to the
-	// "aws.dynamodb.exclusive_start_table" semantic conventions. It represents
-	// the value of the `ExclusiveStartTableName` request parameter.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'Users', 'CatsTable'
-	AWSDynamoDBExclusiveStartTableKey = attribute.Key("aws.dynamodb.exclusive_start_table")
-
-	// AWSDynamoDBGlobalSecondaryIndexUpdatesKey is the attribute Key
-	// conforming to the "aws.dynamodb.global_secondary_index_updates" semantic
-	// conventions. It represents the JSON-serialized value of each item in the
-	// `GlobalSecondaryIndexUpdates` request field.
-	//
-	// Type: string[]
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: '{ "Create": { "IndexName": "string", "KeySchema": [ {
-	// "AttributeName": "string", "KeyType": "string" } ], "Projection": {
-	// "NonKeyAttributes": [ "string" ], "ProjectionType": "string" },
-	// "ProvisionedThroughput": { "ReadCapacityUnits": number,
-	// "WriteCapacityUnits": number } }'
-	AWSDynamoDBGlobalSecondaryIndexUpdatesKey = attribute.Key("aws.dynamodb.global_secondary_index_updates")
-
-	// AWSDynamoDBGlobalSecondaryIndexesKey is the attribute Key conforming to
-	// the "aws.dynamodb.global_secondary_indexes" semantic conventions. It
-	// represents the JSON-serialized value of each item of the
-	// `GlobalSecondaryIndexes` request field
-	//
-	// Type: string[]
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: '{ "IndexName": "string", "KeySchema": [ { "AttributeName":
-	// "string", "KeyType": "string" } ], "Projection": { "NonKeyAttributes": [
-	// "string" ], "ProjectionType": "string" }, "ProvisionedThroughput": {
-	// "ReadCapacityUnits": number, "WriteCapacityUnits": number } }'
-	AWSDynamoDBGlobalSecondaryIndexesKey = attribute.Key("aws.dynamodb.global_secondary_indexes")
-
-	// AWSDynamoDBIndexNameKey is the attribute Key conforming to the
-	// "aws.dynamodb.index_name" semantic conventions. It represents the value
-	// of the `IndexName` request parameter.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'name_to_group'
-	AWSDynamoDBIndexNameKey = attribute.Key("aws.dynamodb.index_name")
-
-	// AWSDynamoDBItemCollectionMetricsKey is the attribute Key conforming to
-	// the "aws.dynamodb.item_collection_metrics" semantic conventions. It
-	// represents the JSON-serialized value of the `ItemCollectionMetrics`
-	// response field.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: '{ "string" : [ { "ItemCollectionKey": { "string" : { "B":
-	// blob, "BOOL": boolean, "BS": [ blob ], "L": [ "AttributeValue" ], "M": {
-	// "string" : "AttributeValue" }, "N": "string", "NS": [ "string" ],
-	// "NULL": boolean, "S": "string", "SS": [ "string" ] } },
-	// "SizeEstimateRangeGB": [ number ] } ] }'
-	AWSDynamoDBItemCollectionMetricsKey = attribute.Key("aws.dynamodb.item_collection_metrics")
-
-	// AWSDynamoDBLimitKey is the attribute Key conforming to the
-	// "aws.dynamodb.limit" semantic conventions. It represents the value of
-	// the `Limit` request parameter.
-	//
-	// Type: int
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 10
-	AWSDynamoDBLimitKey = attribute.Key("aws.dynamodb.limit")
-
-	// AWSDynamoDBLocalSecondaryIndexesKey is the attribute Key conforming to
-	// the "aws.dynamodb.local_secondary_indexes" semantic conventions. It
-	// represents the JSON-serialized value of each item of the
-	// `LocalSecondaryIndexes` request field.
-	//
-	// Type: string[]
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: '{ "IndexARN": "string", "IndexName": "string",
-	// "IndexSizeBytes": number, "ItemCount": number, "KeySchema": [ {
-	// "AttributeName": "string", "KeyType": "string" } ], "Projection": {
-	// "NonKeyAttributes": [ "string" ], "ProjectionType": "string" } }'
-	AWSDynamoDBLocalSecondaryIndexesKey = attribute.Key("aws.dynamodb.local_secondary_indexes")
-
-	// AWSDynamoDBProjectionKey is the attribute Key conforming to the
-	// "aws.dynamodb.projection" semantic conventions. It represents the value
-	// of the `ProjectionExpression` request parameter.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'Title', 'Title, Price, Color', 'Title, Description,
-	// RelatedItems, ProductReviews'
-	AWSDynamoDBProjectionKey = attribute.Key("aws.dynamodb.projection")
-
-	// AWSDynamoDBProvisionedReadCapacityKey is the attribute Key conforming to
-	// the "aws.dynamodb.provisioned_read_capacity" semantic conventions. It
-	// represents the value of the `ProvisionedThroughput.ReadCapacityUnits`
-	// request parameter.
-	//
-	// Type: double
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 1.0, 2.0
-	AWSDynamoDBProvisionedReadCapacityKey = attribute.Key("aws.dynamodb.provisioned_read_capacity")
-
-	// AWSDynamoDBProvisionedWriteCapacityKey is the attribute Key conforming
-	// to the "aws.dynamodb.provisioned_write_capacity" semantic conventions.
-	// It represents the value of the
-	// `ProvisionedThroughput.WriteCapacityUnits` request parameter.
-	//
-	// Type: double
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 1.0, 2.0
-	AWSDynamoDBProvisionedWriteCapacityKey = attribute.Key("aws.dynamodb.provisioned_write_capacity")
-
-	// AWSDynamoDBScanForwardKey is the attribute Key conforming to the
-	// "aws.dynamodb.scan_forward" semantic conventions. It represents the
-	// value of the `ScanIndexForward` request parameter.
-	//
-	// Type: boolean
-	// RequirementLevel: Optional
-	// Stability: experimental
-	AWSDynamoDBScanForwardKey = attribute.Key("aws.dynamodb.scan_forward")
-
-	// AWSDynamoDBScannedCountKey is the attribute Key conforming to the
-	// "aws.dynamodb.scanned_count" semantic conventions. It represents the
-	// value of the `ScannedCount` response parameter.
-	//
-	// Type: int
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 50
-	AWSDynamoDBScannedCountKey = attribute.Key("aws.dynamodb.scanned_count")
-
-	// AWSDynamoDBSegmentKey is the attribute Key conforming to the
-	// "aws.dynamodb.segment" semantic conventions. It represents the value of
-	// the `Segment` request parameter.
-	//
-	// Type: int
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 10
-	AWSDynamoDBSegmentKey = attribute.Key("aws.dynamodb.segment")
-
-	// AWSDynamoDBSelectKey is the attribute Key conforming to the
-	// "aws.dynamodb.select" semantic conventions. It represents the value of
-	// the `Select` request parameter.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'ALL_ATTRIBUTES', 'COUNT'
-	AWSDynamoDBSelectKey = attribute.Key("aws.dynamodb.select")
-
-	// AWSDynamoDBTableCountKey is the attribute Key conforming to the
-	// "aws.dynamodb.table_count" semantic conventions. It represents the
-	// number of items in the `TableNames` response parameter.
-	//
-	// Type: int
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 20
-	AWSDynamoDBTableCountKey = attribute.Key("aws.dynamodb.table_count")
-
-	// AWSDynamoDBTableNamesKey is the attribute Key conforming to the
-	// "aws.dynamodb.table_names" semantic conventions. It represents the keys
-	// in the `RequestItems` object field.
-	//
-	// Type: string[]
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'Users', 'Cats'
-	AWSDynamoDBTableNamesKey = attribute.Key("aws.dynamodb.table_names")
-
-	// AWSDynamoDBTotalSegmentsKey is the attribute Key conforming to the
-	// "aws.dynamodb.total_segments" semantic conventions. It represents the
-	// value of the `TotalSegments` request parameter.
-	//
-	// Type: int
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 100
-	AWSDynamoDBTotalSegmentsKey = attribute.Key("aws.dynamodb.total_segments")
-)
-
-// AWSDynamoDBAttributeDefinitions returns an attribute KeyValue conforming
-// to the "aws.dynamodb.attribute_definitions" semantic conventions. It
-// represents the JSON-serialized value of each item in the
-// `AttributeDefinitions` request field.
-func AWSDynamoDBAttributeDefinitions(val ...string) attribute.KeyValue {
-	return AWSDynamoDBAttributeDefinitionsKey.StringSlice(val)
-}
-
-// AWSDynamoDBAttributesToGet returns an attribute KeyValue conforming to
-// the "aws.dynamodb.attributes_to_get" semantic conventions. It represents the
-// value of the `AttributesToGet` request parameter.
-func AWSDynamoDBAttributesToGet(val ...string) attribute.KeyValue {
-	return AWSDynamoDBAttributesToGetKey.StringSlice(val)
-}
-
-// AWSDynamoDBConsistentRead returns an attribute KeyValue conforming to the
-// "aws.dynamodb.consistent_read" semantic conventions. It represents the value
-// of the `ConsistentRead` request parameter.
-func AWSDynamoDBConsistentRead(val bool) attribute.KeyValue {
-	return AWSDynamoDBConsistentReadKey.Bool(val)
-}
-
-// AWSDynamoDBConsumedCapacity returns an attribute KeyValue conforming to
-// the "aws.dynamodb.consumed_capacity" semantic conventions. It represents the
-// JSON-serialized value of each item in the `ConsumedCapacity` response field.
-func AWSDynamoDBConsumedCapacity(val ...string) attribute.KeyValue {
-	return AWSDynamoDBConsumedCapacityKey.StringSlice(val)
-}
-
-// AWSDynamoDBCount returns an attribute KeyValue conforming to the
-// "aws.dynamodb.count" semantic conventions. It represents the value of the
-// `Count` response parameter.
-func AWSDynamoDBCount(val int) attribute.KeyValue {
-	return AWSDynamoDBCountKey.Int(val)
-}
-
-// AWSDynamoDBExclusiveStartTable returns an attribute KeyValue conforming
-// to the "aws.dynamodb.exclusive_start_table" semantic conventions. It
-// represents the value of the `ExclusiveStartTableName` request parameter.
-func AWSDynamoDBExclusiveStartTable(val string) attribute.KeyValue {
-	return AWSDynamoDBExclusiveStartTableKey.String(val)
-}
-
-// AWSDynamoDBGlobalSecondaryIndexUpdates returns an attribute KeyValue
-// conforming to the "aws.dynamodb.global_secondary_index_updates" semantic
-// conventions. It represents the JSON-serialized value of each item in the
-// `GlobalSecondaryIndexUpdates` request field.
-func AWSDynamoDBGlobalSecondaryIndexUpdates(val ...string) attribute.KeyValue {
-	return AWSDynamoDBGlobalSecondaryIndexUpdatesKey.StringSlice(val)
-}
-
-// AWSDynamoDBGlobalSecondaryIndexes returns an attribute KeyValue
-// conforming to the "aws.dynamodb.global_secondary_indexes" semantic
-// conventions. It represents the JSON-serialized value of each item of the
-// `GlobalSecondaryIndexes` request field
-func AWSDynamoDBGlobalSecondaryIndexes(val ...string) attribute.KeyValue {
-	return AWSDynamoDBGlobalSecondaryIndexesKey.StringSlice(val)
-}
-
-// AWSDynamoDBIndexName returns an attribute KeyValue conforming to the
-// "aws.dynamodb.index_name" semantic conventions. It represents the value of
-// the `IndexName` request parameter.
-func AWSDynamoDBIndexName(val string) attribute.KeyValue {
-	return AWSDynamoDBIndexNameKey.String(val)
-}
-
-// AWSDynamoDBItemCollectionMetrics returns an attribute KeyValue conforming
-// to the "aws.dynamodb.item_collection_metrics" semantic conventions. It
-// represents the JSON-serialized value of the `ItemCollectionMetrics` response
-// field.
-func AWSDynamoDBItemCollectionMetrics(val string) attribute.KeyValue {
-	return AWSDynamoDBItemCollectionMetricsKey.String(val)
-}
-
-// AWSDynamoDBLimit returns an attribute KeyValue conforming to the
-// "aws.dynamodb.limit" semantic conventions. It represents the value of the
-// `Limit` request parameter.
-func AWSDynamoDBLimit(val int) attribute.KeyValue {
-	return AWSDynamoDBLimitKey.Int(val)
-}
-
-// AWSDynamoDBLocalSecondaryIndexes returns an attribute KeyValue conforming
-// to the "aws.dynamodb.local_secondary_indexes" semantic conventions. It
-// represents the JSON-serialized value of each item of the
-// `LocalSecondaryIndexes` request field.
-func AWSDynamoDBLocalSecondaryIndexes(val ...string) attribute.KeyValue {
-	return AWSDynamoDBLocalSecondaryIndexesKey.StringSlice(val)
-}
-
-// AWSDynamoDBProjection returns an attribute KeyValue conforming to the
-// "aws.dynamodb.projection" semantic conventions. It represents the value of
-// the `ProjectionExpression` request parameter.
-func AWSDynamoDBProjection(val string) attribute.KeyValue {
-	return AWSDynamoDBProjectionKey.String(val)
-}
-
-// AWSDynamoDBProvisionedReadCapacity returns an attribute KeyValue
-// conforming to the "aws.dynamodb.provisioned_read_capacity" semantic
-// conventions. It represents the value of the
-// `ProvisionedThroughput.ReadCapacityUnits` request parameter.
-func AWSDynamoDBProvisionedReadCapacity(val float64) attribute.KeyValue {
-	return AWSDynamoDBProvisionedReadCapacityKey.Float64(val)
-}
-
-// AWSDynamoDBProvisionedWriteCapacity returns an attribute KeyValue
-// conforming to the "aws.dynamodb.provisioned_write_capacity" semantic
-// conventions. It represents the value of the
-// `ProvisionedThroughput.WriteCapacityUnits` request parameter.
-func AWSDynamoDBProvisionedWriteCapacity(val float64) attribute.KeyValue {
-	return AWSDynamoDBProvisionedWriteCapacityKey.Float64(val)
-}
-
-// AWSDynamoDBScanForward returns an attribute KeyValue conforming to the
-// "aws.dynamodb.scan_forward" semantic conventions. It represents the value of
-// the `ScanIndexForward` request parameter.
-func AWSDynamoDBScanForward(val bool) attribute.KeyValue {
-	return AWSDynamoDBScanForwardKey.Bool(val)
-}
-
-// AWSDynamoDBScannedCount returns an attribute KeyValue conforming to the
-// "aws.dynamodb.scanned_count" semantic conventions. It represents the value
-// of the `ScannedCount` response parameter.
-func AWSDynamoDBScannedCount(val int) attribute.KeyValue {
-	return AWSDynamoDBScannedCountKey.Int(val)
-}
-
-// AWSDynamoDBSegment returns an attribute KeyValue conforming to the
-// "aws.dynamodb.segment" semantic conventions. It represents the value of the
-// `Segment` request parameter.
-func AWSDynamoDBSegment(val int) attribute.KeyValue {
-	return AWSDynamoDBSegmentKey.Int(val)
-}
-
-// AWSDynamoDBSelect returns an attribute KeyValue conforming to the
-// "aws.dynamodb.select" semantic conventions. It represents the value of the
-// `Select` request parameter.
-func AWSDynamoDBSelect(val string) attribute.KeyValue {
-	return AWSDynamoDBSelectKey.String(val)
-}
-
-// AWSDynamoDBTableCount returns an attribute KeyValue conforming to the
-// "aws.dynamodb.table_count" semantic conventions. It represents the number of
-// items in the `TableNames` response parameter.
-func AWSDynamoDBTableCount(val int) attribute.KeyValue {
-	return AWSDynamoDBTableCountKey.Int(val)
-}
-
-// AWSDynamoDBTableNames returns an attribute KeyValue conforming to the
-// "aws.dynamodb.table_names" semantic conventions. It represents the keys in
-// the `RequestItems` object field.
-func AWSDynamoDBTableNames(val ...string) attribute.KeyValue {
-	return AWSDynamoDBTableNamesKey.StringSlice(val)
-}
-
-// AWSDynamoDBTotalSegments returns an attribute KeyValue conforming to the
-// "aws.dynamodb.total_segments" semantic conventions. It represents the value
-// of the `TotalSegments` request parameter.
-func AWSDynamoDBTotalSegments(val int) attribute.KeyValue {
-	return AWSDynamoDBTotalSegmentsKey.Int(val)
-}
-
-// Attributes for AWS Elastic Container Service (ECS).
-const (
-	// AWSECSTaskIDKey is the attribute Key conforming to the "aws.ecs.task.id"
-	// semantic conventions. It represents the ID of a running ECS task. The ID
-	// MUST be extracted from `task.arn`.
-	//
-	// Type: string
-	// RequirementLevel: ConditionallyRequired (If and only if `task.arn` is
-	// populated.)
-	// Stability: experimental
-	// Examples: '10838bed-421f-43ef-870a-f43feacbbb5b',
-	// '23ebb8ac-c18f-46c6-8bbe-d55d0e37cfbd'
-	AWSECSTaskIDKey = attribute.Key("aws.ecs.task.id")
-
-	// AWSECSClusterARNKey is the attribute Key conforming to the
-	// "aws.ecs.cluster.arn" semantic conventions. It represents the ARN of an
-	// [ECS
-	// cluster](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/clusters.html).
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'arn:aws:ecs:us-west-2:123456789123:cluster/my-cluster'
-	AWSECSClusterARNKey = attribute.Key("aws.ecs.cluster.arn")
-
-	// AWSECSContainerARNKey is the attribute Key conforming to the
-	// "aws.ecs.container.arn" semantic conventions. It represents the Amazon
-	// Resource Name (ARN) of an [ECS container
-	// instance](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ECS_instances.html).
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples:
-	// 'arn:aws:ecs:us-west-1:123456789123:container/32624152-9086-4f0e-acae-1a75b14fe4d9'
-	AWSECSContainerARNKey = attribute.Key("aws.ecs.container.arn")
-
-	// AWSECSLaunchtypeKey is the attribute Key conforming to the
-	// "aws.ecs.launchtype" semantic conventions. It represents the [launch
-	// type](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/launch_types.html)
-	// for an ECS task.
-	//
-	// Type: Enum
-	// RequirementLevel: Optional
-	// Stability: experimental
-	AWSECSLaunchtypeKey = attribute.Key("aws.ecs.launchtype")
-
-	// AWSECSTaskARNKey is the attribute Key conforming to the
-	// "aws.ecs.task.arn" semantic conventions. It represents the ARN of a
-	// running [ECS
-	// task](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-account-settings.html#ecs-resource-ids).
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples:
-	// 'arn:aws:ecs:us-west-1:123456789123:task/10838bed-421f-43ef-870a-f43feacbbb5b',
-	// 'arn:aws:ecs:us-west-1:123456789123:task/my-cluster/task-id/23ebb8ac-c18f-46c6-8bbe-d55d0e37cfbd'
-	AWSECSTaskARNKey = attribute.Key("aws.ecs.task.arn")
-
-	// AWSECSTaskFamilyKey is the attribute Key conforming to the
-	// "aws.ecs.task.family" semantic conventions. It represents the family
-	// name of the [ECS task
-	// definition](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definitions.html)
-	// used to create the ECS task.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'opentelemetry-family'
-	AWSECSTaskFamilyKey = attribute.Key("aws.ecs.task.family")
-
-	// AWSECSTaskRevisionKey is the attribute Key conforming to the
-	// "aws.ecs.task.revision" semantic conventions. It represents the revision
-	// for the task definition used to create the ECS task.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: '8', '26'
-	AWSECSTaskRevisionKey = attribute.Key("aws.ecs.task.revision")
-)
-
-var (
-	// ec2
-	AWSECSLaunchtypeEC2 = AWSECSLaunchtypeKey.String("ec2")
-	// fargate
-	AWSECSLaunchtypeFargate = AWSECSLaunchtypeKey.String("fargate")
-)
-
-// AWSECSTaskID returns an attribute KeyValue conforming to the
-// "aws.ecs.task.id" semantic conventions. It represents the ID of a running
-// ECS task. The ID MUST be extracted from `task.arn`.
-func AWSECSTaskID(val string) attribute.KeyValue {
-	return AWSECSTaskIDKey.String(val)
-}
-
-// AWSECSClusterARN returns an attribute KeyValue conforming to the
-// "aws.ecs.cluster.arn" semantic conventions. It represents the ARN of an [ECS
-// cluster](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/clusters.html).
-func AWSECSClusterARN(val string) attribute.KeyValue {
-	return AWSECSClusterARNKey.String(val)
-}
-
-// AWSECSContainerARN returns an attribute KeyValue conforming to the
-// "aws.ecs.container.arn" semantic conventions. It represents the Amazon
-// Resource Name (ARN) of an [ECS container
-// instance](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ECS_instances.html).
-func AWSECSContainerARN(val string) attribute.KeyValue {
-	return AWSECSContainerARNKey.String(val)
-}
-
-// AWSECSTaskARN returns an attribute KeyValue conforming to the
-// "aws.ecs.task.arn" semantic conventions. It represents the ARN of a running
-// [ECS
-// task](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-account-settings.html#ecs-resource-ids).
-func AWSECSTaskARN(val string) attribute.KeyValue {
-	return AWSECSTaskARNKey.String(val)
-}
-
-// AWSECSTaskFamily returns an attribute KeyValue conforming to the
-// "aws.ecs.task.family" semantic conventions. It represents the family name of
-// the [ECS task
-// definition](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definitions.html)
-// used to create the ECS task.
-func AWSECSTaskFamily(val string) attribute.KeyValue {
-	return AWSECSTaskFamilyKey.String(val)
-}
-
-// AWSECSTaskRevision returns an attribute KeyValue conforming to the
-// "aws.ecs.task.revision" semantic conventions. It represents the revision for
-// the task definition used to create the ECS task.
-func AWSECSTaskRevision(val string) attribute.KeyValue {
-	return AWSECSTaskRevisionKey.String(val)
-}
-
-// Attributes for AWS Elastic Kubernetes Service (EKS).
-const (
-	// AWSEKSClusterARNKey is the attribute Key conforming to the
-	// "aws.eks.cluster.arn" semantic conventions. It represents the ARN of an
-	// EKS cluster.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'arn:aws:ecs:us-west-2:123456789123:cluster/my-cluster'
-	AWSEKSClusterARNKey = attribute.Key("aws.eks.cluster.arn")
-)
-
-// AWSEKSClusterARN returns an attribute KeyValue conforming to the
-// "aws.eks.cluster.arn" semantic conventions. It represents the ARN of an EKS
-// cluster.
-func AWSEKSClusterARN(val string) attribute.KeyValue {
-	return AWSEKSClusterARNKey.String(val)
-}
-
-// Attributes for AWS Logs.
-const (
-	// AWSLogGroupARNsKey is the attribute Key conforming to the
-	// "aws.log.group.arns" semantic conventions. It represents the Amazon
-	// Resource Name(s) (ARN) of the AWS log group(s).
-	//
-	// Type: string[]
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples:
-	// 'arn:aws:logs:us-west-1:123456789012:log-group:/aws/my/group:*'
-	// Note: See the [log group ARN format
-	// documentation](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/iam-access-control-overview-cwl.html#CWL_ARN_Format).
-	AWSLogGroupARNsKey = attribute.Key("aws.log.group.arns")
-
-	// AWSLogGroupNamesKey is the attribute Key conforming to the
-	// "aws.log.group.names" semantic conventions. It represents the name(s) of
-	// the AWS log group(s) an application is writing to.
-	//
-	// Type: string[]
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: '/aws/lambda/my-function', 'opentelemetry-service'
-	// Note: Multiple log groups must be supported for cases like
-	// multi-container applications, where a single application has sidecar
-	// containers, and each write to their own log group.
-	AWSLogGroupNamesKey = attribute.Key("aws.log.group.names")
-
-	// AWSLogStreamARNsKey is the attribute Key conforming to the
-	// "aws.log.stream.arns" semantic conventions. It represents the ARN(s) of
-	// the AWS log stream(s).
-	//
-	// Type: string[]
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples:
-	// 'arn:aws:logs:us-west-1:123456789012:log-group:/aws/my/group:log-stream:logs/main/10838bed-421f-43ef-870a-f43feacbbb5b'
-	// Note: See the [log stream ARN format
-	// documentation](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/iam-access-control-overview-cwl.html#CWL_ARN_Format).
-	// One log group can contain several log streams, so these ARNs necessarily
-	// identify both a log group and a log stream.
-	AWSLogStreamARNsKey = attribute.Key("aws.log.stream.arns")
-
-	// AWSLogStreamNamesKey is the attribute Key conforming to the
-	// "aws.log.stream.names" semantic conventions. It represents the name(s)
-	// of the AWS log stream(s) an application is writing to.
-	//
-	// Type: string[]
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'logs/main/10838bed-421f-43ef-870a-f43feacbbb5b'
-	AWSLogStreamNamesKey = attribute.Key("aws.log.stream.names")
-)
-
-// AWSLogGroupARNs returns an attribute KeyValue conforming to the
-// "aws.log.group.arns" semantic conventions. It represents the Amazon Resource
-// Name(s) (ARN) of the AWS log group(s).
-func AWSLogGroupARNs(val ...string) attribute.KeyValue {
-	return AWSLogGroupARNsKey.StringSlice(val)
-}
-
-// AWSLogGroupNames returns an attribute KeyValue conforming to the
-// "aws.log.group.names" semantic conventions. It represents the name(s) of the
-// AWS log group(s) an application is writing to.
-func AWSLogGroupNames(val ...string) attribute.KeyValue {
-	return AWSLogGroupNamesKey.StringSlice(val)
-}
-
-// AWSLogStreamARNs returns an attribute KeyValue conforming to the
-// "aws.log.stream.arns" semantic conventions. It represents the ARN(s) of the
-// AWS log stream(s).
-func AWSLogStreamARNs(val ...string) attribute.KeyValue {
-	return AWSLogStreamARNsKey.StringSlice(val)
-}
-
-// AWSLogStreamNames returns an attribute KeyValue conforming to the
-// "aws.log.stream.names" semantic conventions. It represents the name(s) of
-// the AWS log stream(s) an application is writing to.
-func AWSLogStreamNames(val ...string) attribute.KeyValue {
-	return AWSLogStreamNamesKey.StringSlice(val)
-}
-
-// Attributes for AWS Lambda.
-const (
-	// AWSLambdaInvokedARNKey is the attribute Key conforming to the
-	// "aws.lambda.invoked_arn" semantic conventions. It represents the full
-	// invoked ARN as provided on the `Context` passed to the function
-	// (`Lambda-Runtime-Invoked-Function-ARN` header on the
-	// `/runtime/invocation/next` applicable).
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'arn:aws:lambda:us-east-1:123456:function:myfunction:myalias'
-	// Note: This may be different from `cloud.resource_id` if an alias is
-	// involved.
-	AWSLambdaInvokedARNKey = attribute.Key("aws.lambda.invoked_arn")
-)
-
-// AWSLambdaInvokedARN returns an attribute KeyValue conforming to the
-// "aws.lambda.invoked_arn" semantic conventions. It represents the full
-// invoked ARN as provided on the `Context` passed to the function
-// (`Lambda-Runtime-Invoked-Function-ARN` header on the
-// `/runtime/invocation/next` applicable).
-func AWSLambdaInvokedARN(val string) attribute.KeyValue {
-	return AWSLambdaInvokedARNKey.String(val)
-}
-
-// Attributes for AWS S3.
-const (
-	// AWSS3BucketKey is the attribute Key conforming to the "aws.s3.bucket"
-	// semantic conventions. It represents the S3 bucket name the request
-	// refers to. Corresponds to the `--bucket` parameter of the [S3
-	// API](https://docs.aws.amazon.com/cli/latest/reference/s3api/index.html)
-	// operations.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'some-bucket-name'
-	// Note: The `bucket` attribute is applicable to all S3 operations that
-	// reference a bucket, i.e. that require the bucket name as a mandatory
-	// parameter.
-	// This applies to almost all S3 operations except `list-buckets`.
-	AWSS3BucketKey = attribute.Key("aws.s3.bucket")
-
-	// AWSS3CopySourceKey is the attribute Key conforming to the
-	// "aws.s3.copy_source" semantic conventions. It represents the source
-	// object (in the form `bucket`/`key`) for the copy operation.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'someFile.yml'
-	// Note: The `copy_source` attribute applies to S3 copy operations and
-	// corresponds to the `--copy-source` parameter
-	// of the [copy-object operation within the S3
-	// API](https://docs.aws.amazon.com/cli/latest/reference/s3api/copy-object.html).
-	// This applies in particular to the following operations:
-	//
-	// -
-	// [copy-object](https://docs.aws.amazon.com/cli/latest/reference/s3api/copy-object.html)
-	// -
-	// [upload-part-copy](https://docs.aws.amazon.com/cli/latest/reference/s3api/upload-part-copy.html)
-	AWSS3CopySourceKey = attribute.Key("aws.s3.copy_source")
-
-	// AWSS3DeleteKey is the attribute Key conforming to the "aws.s3.delete"
-	// semantic conventions. It represents the delete request container that
-	// specifies the objects to be deleted.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples:
-	// 'Objects=[{Key=string,VersionID=string},{Key=string,VersionID=string}],Quiet=boolean'
-	// Note: The `delete` attribute is only applicable to the
-	// [delete-object](https://docs.aws.amazon.com/cli/latest/reference/s3api/delete-object.html)
-	// operation.
-	// The `delete` attribute corresponds to the `--delete` parameter of the
-	// [delete-objects operation within the S3
-	// API](https://docs.aws.amazon.com/cli/latest/reference/s3api/delete-objects.html).
-	AWSS3DeleteKey = attribute.Key("aws.s3.delete")
-
-	// AWSS3KeyKey is the attribute Key conforming to the "aws.s3.key" semantic
-	// conventions. It represents the S3 object key the request refers to.
-	// Corresponds to the `--key` parameter of the [S3
-	// API](https://docs.aws.amazon.com/cli/latest/reference/s3api/index.html)
-	// operations.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'someFile.yml'
-	// Note: The `key` attribute is applicable to all object-related S3
-	// operations, i.e. that require the object key as a mandatory parameter.
-	// This applies in particular to the following operations:
-	//
-	// -
-	// [copy-object](https://docs.aws.amazon.com/cli/latest/reference/s3api/copy-object.html)
-	// -
-	// [delete-object](https://docs.aws.amazon.com/cli/latest/reference/s3api/delete-object.html)
-	// -
-	// [get-object](https://docs.aws.amazon.com/cli/latest/reference/s3api/get-object.html)
-	// -
-	// [head-object](https://docs.aws.amazon.com/cli/latest/reference/s3api/head-object.html)
-	// -
-	// [put-object](https://docs.aws.amazon.com/cli/latest/reference/s3api/put-object.html)
-	// -
-	// [restore-object](https://docs.aws.amazon.com/cli/latest/reference/s3api/restore-object.html)
-	// -
-	// [select-object-content](https://docs.aws.amazon.com/cli/latest/reference/s3api/select-object-content.html)
-	// -
-	// [abort-multipart-upload](https://docs.aws.amazon.com/cli/latest/reference/s3api/abort-multipart-upload.html)
-	// -
-	// [complete-multipart-upload](https://docs.aws.amazon.com/cli/latest/reference/s3api/complete-multipart-upload.html)
-	// -
-	// [create-multipart-upload](https://docs.aws.amazon.com/cli/latest/reference/s3api/create-multipart-upload.html)
-	// -
-	// [list-parts](https://docs.aws.amazon.com/cli/latest/reference/s3api/list-parts.html)
-	// -
-	// [upload-part](https://docs.aws.amazon.com/cli/latest/reference/s3api/upload-part.html)
-	// -
-	// [upload-part-copy](https://docs.aws.amazon.com/cli/latest/reference/s3api/upload-part-copy.html)
-	AWSS3KeyKey = attribute.Key("aws.s3.key")
-
-	// AWSS3PartNumberKey is the attribute Key conforming to the
-	// "aws.s3.part_number" semantic conventions. It represents the part number
-	// of the part being uploaded in a multipart-upload operation. This is a
-	// positive integer between 1 and 10,000.
-	//
-	// Type: int
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 3456
-	// Note: The `part_number` attribute is only applicable to the
-	// [upload-part](https://docs.aws.amazon.com/cli/latest/reference/s3api/upload-part.html)
-	// and
-	// [upload-part-copy](https://docs.aws.amazon.com/cli/latest/reference/s3api/upload-part-copy.html)
-	// operations.
-	// The `part_number` attribute corresponds to the `--part-number` parameter
-	// of the
-	// [upload-part operation within the S3
-	// API](https://docs.aws.amazon.com/cli/latest/reference/s3api/upload-part.html).
-	AWSS3PartNumberKey = attribute.Key("aws.s3.part_number")
-
-	// AWSS3UploadIDKey is the attribute Key conforming to the
-	// "aws.s3.upload_id" semantic conventions. It represents the upload ID
-	// that identifies the multipart upload.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'dfRtDYWFbkRONycy.Yxwh66Yjlx.cph0gtNBtJ'
-	// Note: The `upload_id` attribute applies to S3 multipart-upload
-	// operations and corresponds to the `--upload-id` parameter
-	// of the [S3
-	// API](https://docs.aws.amazon.com/cli/latest/reference/s3api/index.html)
-	// multipart operations.
-	// This applies in particular to the following operations:
-	//
-	// -
-	// [abort-multipart-upload](https://docs.aws.amazon.com/cli/latest/reference/s3api/abort-multipart-upload.html)
-	// -
-	// [complete-multipart-upload](https://docs.aws.amazon.com/cli/latest/reference/s3api/complete-multipart-upload.html)
-	// -
-	// [list-parts](https://docs.aws.amazon.com/cli/latest/reference/s3api/list-parts.html)
-	// -
-	// [upload-part](https://docs.aws.amazon.com/cli/latest/reference/s3api/upload-part.html)
-	// -
-	// [upload-part-copy](https://docs.aws.amazon.com/cli/latest/reference/s3api/upload-part-copy.html)
-	AWSS3UploadIDKey = attribute.Key("aws.s3.upload_id")
-)
-
-// AWSS3Bucket returns an attribute KeyValue conforming to the
-// "aws.s3.bucket" semantic conventions. It represents the S3 bucket name the
-// request refers to. Corresponds to the `--bucket` parameter of the [S3
-// API](https://docs.aws.amazon.com/cli/latest/reference/s3api/index.html)
-// operations.
-func AWSS3Bucket(val string) attribute.KeyValue {
-	return AWSS3BucketKey.String(val)
-}
-
-// AWSS3CopySource returns an attribute KeyValue conforming to the
-// "aws.s3.copy_source" semantic conventions. It represents the source object
-// (in the form `bucket`/`key`) for the copy operation.
-func AWSS3CopySource(val string) attribute.KeyValue {
-	return AWSS3CopySourceKey.String(val)
-}
-
-// AWSS3Delete returns an attribute KeyValue conforming to the
-// "aws.s3.delete" semantic conventions. It represents the delete request
-// container that specifies the objects to be deleted.
-func AWSS3Delete(val string) attribute.KeyValue {
-	return AWSS3DeleteKey.String(val)
-}
-
-// AWSS3Key returns an attribute KeyValue conforming to the "aws.s3.key"
-// semantic conventions. It represents the S3 object key the request refers to.
-// Corresponds to the `--key` parameter of the [S3
-// API](https://docs.aws.amazon.com/cli/latest/reference/s3api/index.html)
-// operations.
-func AWSS3Key(val string) attribute.KeyValue {
-	return AWSS3KeyKey.String(val)
-}
-
-// AWSS3PartNumber returns an attribute KeyValue conforming to the
-// "aws.s3.part_number" semantic conventions. It represents the part number of
-// the part being uploaded in a multipart-upload operation. This is a positive
-// integer between 1 and 10,000.
-func AWSS3PartNumber(val int) attribute.KeyValue {
-	return AWSS3PartNumberKey.Int(val)
-}
-
-// AWSS3UploadID returns an attribute KeyValue conforming to the
-// "aws.s3.upload_id" semantic conventions. It represents the upload ID that
-// identifies the multipart upload.
-func AWSS3UploadID(val string) attribute.KeyValue {
-	return AWSS3UploadIDKey.String(val)
-}
-
-// The web browser attributes
-const (
-	// BrowserBrandsKey is the attribute Key conforming to the "browser.brands"
-	// semantic conventions. It represents the array of brand name and version
-	// separated by a space
-	//
-	// Type: string[]
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: ' Not A;Brand 99', 'Chromium 99', 'Chrome 99'
-	// Note: This value is intended to be taken from the [UA client hints
-	// API](https://wicg.github.io/ua-client-hints/#interface)
-	// (`navigator.userAgentData.brands`).
-	BrowserBrandsKey = attribute.Key("browser.brands")
-
-	// BrowserLanguageKey is the attribute Key conforming to the
-	// "browser.language" semantic conventions. It represents the preferred
-	// language of the user using the browser
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'en', 'en-US', 'fr', 'fr-FR'
-	// Note: This value is intended to be taken from the Navigator API
-	// `navigator.language`.
-	BrowserLanguageKey = attribute.Key("browser.language")
-
-	// BrowserMobileKey is the attribute Key conforming to the "browser.mobile"
-	// semantic conventions. It represents a boolean that is true if the
-	// browser is running on a mobile device
-	//
-	// Type: boolean
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Note: This value is intended to be taken from the [UA client hints
-	// API](https://wicg.github.io/ua-client-hints/#interface)
-	// (`navigator.userAgentData.mobile`). If unavailable, this attribute
-	// SHOULD be left unset.
-	BrowserMobileKey = attribute.Key("browser.mobile")
-
-	// BrowserPlatformKey is the attribute Key conforming to the
-	// "browser.platform" semantic conventions. It represents the platform on
-	// which the browser is running
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'Windows', 'macOS', 'Android'
-	// Note: This value is intended to be taken from the [UA client hints
-	// API](https://wicg.github.io/ua-client-hints/#interface)
-	// (`navigator.userAgentData.platform`). If unavailable, the legacy
-	// `navigator.platform` API SHOULD NOT be used instead and this attribute
-	// SHOULD be left unset in order for the values to be consistent.
-	// The list of possible values is defined in the [W3C User-Agent Client
-	// Hints
-	// specification](https://wicg.github.io/ua-client-hints/#sec-ch-ua-platform).
-	// Note that some (but not all) of these values can overlap with values in
-	// the [`os.type` and `os.name` attributes](./os.md). However, for
-	// consistency, the values in the `browser.platform` attribute should
-	// capture the exact value that the user agent provides.
-	BrowserPlatformKey = attribute.Key("browser.platform")
-)
-
-// BrowserBrands returns an attribute KeyValue conforming to the
-// "browser.brands" semantic conventions. It represents the array of brand name
-// and version separated by a space
-func BrowserBrands(val ...string) attribute.KeyValue {
-	return BrowserBrandsKey.StringSlice(val)
-}
-
-// BrowserLanguage returns an attribute KeyValue conforming to the
-// "browser.language" semantic conventions. It represents the preferred
-// language of the user using the browser
-func BrowserLanguage(val string) attribute.KeyValue {
-	return BrowserLanguageKey.String(val)
-}
-
-// BrowserMobile returns an attribute KeyValue conforming to the
-// "browser.mobile" semantic conventions. It represents a boolean that is true
-// if the browser is running on a mobile device
-func BrowserMobile(val bool) attribute.KeyValue {
-	return BrowserMobileKey.Bool(val)
-}
-
-// BrowserPlatform returns an attribute KeyValue conforming to the
-// "browser.platform" semantic conventions. It represents the platform on which
-// the browser is running
-func BrowserPlatform(val string) attribute.KeyValue {
-	return BrowserPlatformKey.String(val)
-}
-
-// These attributes may be used to describe the client in a connection-based
-// network interaction where there is one side that initiates the connection
-// (the client is the side that initiates the connection). This covers all TCP
-// network interactions since TCP is connection-based and one side initiates
-// the connection (an exception is made for peer-to-peer communication over TCP
-// where the "user-facing" surface of the protocol / API doesn't expose a clear
-// notion of client and server). This also covers UDP network interactions
-// where one side initiates the interaction, e.g. QUIC (HTTP/3) and DNS.
-const (
-	// ClientAddressKey is the attribute Key conforming to the "client.address"
-	// semantic conventions. It represents the client address - domain name if
-	// available without reverse DNS lookup; otherwise, IP address or Unix
-	// domain socket name.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: stable
-	// Examples: 'client.example.com', '10.1.2.80', '/tmp/my.sock'
-	// Note: When observed from the server side, and when communicating through
-	// an intermediary, `client.address` SHOULD represent the client address
-	// behind any intermediaries,  for example proxies, if it's available.
-	ClientAddressKey = attribute.Key("client.address")
-
-	// ClientPortKey is the attribute Key conforming to the "client.port"
-	// semantic conventions. It represents the client port number.
-	//
-	// Type: int
-	// RequirementLevel: Optional
-	// Stability: stable
-	// Examples: 65123
-	// Note: When observed from the server side, and when communicating through
-	// an intermediary, `client.port` SHOULD represent the client port behind
-	// any intermediaries,  for example proxies, if it's available.
-	ClientPortKey = attribute.Key("client.port")
-)
-
-// ClientAddress returns an attribute KeyValue conforming to the
-// "client.address" semantic conventions. It represents the client address -
-// domain name if available without reverse DNS lookup; otherwise, IP address
-// or Unix domain socket name.
-func ClientAddress(val string) attribute.KeyValue {
-	return ClientAddressKey.String(val)
-}
-
-// ClientPort returns an attribute KeyValue conforming to the "client.port"
-// semantic conventions. It represents the client port number.
-func ClientPort(val int) attribute.KeyValue {
-	return ClientPortKey.Int(val)
-}
-
-// A cloud environment (e.g. GCP, Azure, AWS).
-const (
-	// CloudAccountIDKey is the attribute Key conforming to the
-	// "cloud.account.id" semantic conventions. It represents the cloud account
-	// ID the resource is assigned to.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: '111111111111', 'opentelemetry'
-	CloudAccountIDKey = attribute.Key("cloud.account.id")
-
-	// CloudAvailabilityZoneKey is the attribute Key conforming to the
-	// "cloud.availability_zone" semantic conventions. It represents the cloud
-	// regions often have multiple, isolated locations known as zones to
-	// increase availability. Availability zone represents the zone where the
-	// resource is running.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'us-east-1c'
-	// Note: Availability zones are called "zones" on Alibaba Cloud and Google
-	// Cloud.
-	CloudAvailabilityZoneKey = attribute.Key("cloud.availability_zone")
-
-	// CloudPlatformKey is the attribute Key conforming to the "cloud.platform"
-	// semantic conventions. It represents the cloud platform in use.
-	//
-	// Type: Enum
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Note: The prefix of the service SHOULD match the one specified in
-	// `cloud.provider`.
-	CloudPlatformKey = attribute.Key("cloud.platform")
-
-	// CloudProviderKey is the attribute Key conforming to the "cloud.provider"
-	// semantic conventions. It represents the name of the cloud provider.
-	//
-	// Type: Enum
-	// RequirementLevel: Optional
-	// Stability: experimental
-	CloudProviderKey = attribute.Key("cloud.provider")
-
-	// CloudRegionKey is the attribute Key conforming to the "cloud.region"
-	// semantic conventions. It represents the geographical region the resource
-	// is running.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'us-central1', 'us-east-1'
-	// Note: Refer to your provider's docs to see the available regions, for
-	// example [Alibaba Cloud
-	// regions](https://www.alibabacloud.com/help/doc-detail/40654.htm), [AWS
-	// regions](https://aws.amazon.com/about-aws/global-infrastructure/regions_az/),
-	// [Azure
-	// regions](https://azure.microsoft.com/global-infrastructure/geographies/),
-	// [Google Cloud regions](https://cloud.google.com/about/locations), or
-	// [Tencent Cloud
-	// regions](https://www.tencentcloud.com/document/product/213/6091).
-	CloudRegionKey = attribute.Key("cloud.region")
-
-	// CloudResourceIDKey is the attribute Key conforming to the
-	// "cloud.resource_id" semantic conventions. It represents the cloud
-	// provider-specific native identifier of the monitored cloud resource
-	// (e.g. an
-	// [ARN](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html)
-	// on AWS, a [fully qualified resource
-	// ID](https://learn.microsoft.com/rest/api/resources/resources/get-by-id)
-	// on Azure, a [full resource
-	// name](https://cloud.google.com/apis/design/resource_names#full_resource_name)
-	// on GCP)
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'arn:aws:lambda:REGION:ACCOUNT_ID:function:my-function',
-	// '//run.googleapis.com/projects/PROJECT_ID/locations/LOCATION_ID/services/SERVICE_ID',
-	// '/subscriptions//resourceGroups//providers/Microsoft.Web/sites//functions/'
-	// Note: On some cloud providers, it may not be possible to determine the
-	// full ID at startup,
-	// so it may be necessary to set `cloud.resource_id` as a span attribute
-	// instead.
-	//
-	// The exact value to use for `cloud.resource_id` depends on the cloud
-	// provider.
-	// The following well-known definitions MUST be used if you set this
-	// attribute and they apply:
-	//
-	// * **AWS Lambda:** The function
-	// [ARN](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html).
-	//   Take care not to use the "invoked ARN" directly but replace any
-	//   [alias
-	// suffix](https://docs.aws.amazon.com/lambda/latest/dg/configuration-aliases.html)
-	//   with the resolved function version, as the same runtime instance may
-	// be invokable with
-	//   multiple different aliases.
-	// * **GCP:** The [URI of the
-	// resource](https://cloud.google.com/iam/docs/full-resource-names)
-	// * **Azure:** The [Fully Qualified Resource
-	// ID](https://docs.microsoft.com/rest/api/resources/resources/get-by-id)
-	// of the invoked function,
-	//   *not* the function app, having the form
-	// `/subscriptions//resourceGroups//providers/Microsoft.Web/sites//functions/`.
-	//   This means that a span attribute MUST be used, as an Azure function
-	// app can host multiple functions that would usually share
-	//   a TracerProvider.
-	CloudResourceIDKey = attribute.Key("cloud.resource_id")
-)
-
-var (
-	// Alibaba Cloud Elastic Compute Service
-	CloudPlatformAlibabaCloudECS = CloudPlatformKey.String("alibaba_cloud_ecs")
-	// Alibaba Cloud Function Compute
-	CloudPlatformAlibabaCloudFc = CloudPlatformKey.String("alibaba_cloud_fc")
-	// Red Hat OpenShift on Alibaba Cloud
-	CloudPlatformAlibabaCloudOpenshift = CloudPlatformKey.String("alibaba_cloud_openshift")
-	// AWS Elastic Compute Cloud
-	CloudPlatformAWSEC2 = CloudPlatformKey.String("aws_ec2")
-	// AWS Elastic Container Service
-	CloudPlatformAWSECS = CloudPlatformKey.String("aws_ecs")
-	// AWS Elastic Kubernetes Service
-	CloudPlatformAWSEKS = CloudPlatformKey.String("aws_eks")
-	// AWS Lambda
-	CloudPlatformAWSLambda = CloudPlatformKey.String("aws_lambda")
-	// AWS Elastic Beanstalk
-	CloudPlatformAWSElasticBeanstalk = CloudPlatformKey.String("aws_elastic_beanstalk")
-	// AWS App Runner
-	CloudPlatformAWSAppRunner = CloudPlatformKey.String("aws_app_runner")
-	// Red Hat OpenShift on AWS (ROSA)
-	CloudPlatformAWSOpenshift = CloudPlatformKey.String("aws_openshift")
-	// Azure Virtual Machines
-	CloudPlatformAzureVM = CloudPlatformKey.String("azure_vm")
-	// Azure Container Apps
-	CloudPlatformAzureContainerApps = CloudPlatformKey.String("azure_container_apps")
-	// Azure Container Instances
-	CloudPlatformAzureContainerInstances = CloudPlatformKey.String("azure_container_instances")
-	// Azure Kubernetes Service
-	CloudPlatformAzureAKS = CloudPlatformKey.String("azure_aks")
-	// Azure Functions
-	CloudPlatformAzureFunctions = CloudPlatformKey.String("azure_functions")
-	// Azure App Service
-	CloudPlatformAzureAppService = CloudPlatformKey.String("azure_app_service")
-	// Azure Red Hat OpenShift
-	CloudPlatformAzureOpenshift = CloudPlatformKey.String("azure_openshift")
-	// Google Bare Metal Solution (BMS)
-	CloudPlatformGCPBareMetalSolution = CloudPlatformKey.String("gcp_bare_metal_solution")
-	// Google Cloud Compute Engine (GCE)
-	CloudPlatformGCPComputeEngine = CloudPlatformKey.String("gcp_compute_engine")
-	// Google Cloud Run
-	CloudPlatformGCPCloudRun = CloudPlatformKey.String("gcp_cloud_run")
-	// Google Cloud Kubernetes Engine (GKE)
-	CloudPlatformGCPKubernetesEngine = CloudPlatformKey.String("gcp_kubernetes_engine")
-	// Google Cloud Functions (GCF)
-	CloudPlatformGCPCloudFunctions = CloudPlatformKey.String("gcp_cloud_functions")
-	// Google Cloud App Engine (GAE)
-	CloudPlatformGCPAppEngine = CloudPlatformKey.String("gcp_app_engine")
-	// Red Hat OpenShift on Google Cloud
-	CloudPlatformGCPOpenshift = CloudPlatformKey.String("gcp_openshift")
-	// Red Hat OpenShift on IBM Cloud
-	CloudPlatformIbmCloudOpenshift = CloudPlatformKey.String("ibm_cloud_openshift")
-	// Tencent Cloud Cloud Virtual Machine (CVM)
-	CloudPlatformTencentCloudCvm = CloudPlatformKey.String("tencent_cloud_cvm")
-	// Tencent Cloud Elastic Kubernetes Service (EKS)
-	CloudPlatformTencentCloudEKS = CloudPlatformKey.String("tencent_cloud_eks")
-	// Tencent Cloud Serverless Cloud Function (SCF)
-	CloudPlatformTencentCloudScf = CloudPlatformKey.String("tencent_cloud_scf")
-)
-
-var (
-	// Alibaba Cloud
-	CloudProviderAlibabaCloud = CloudProviderKey.String("alibaba_cloud")
-	// Amazon Web Services
-	CloudProviderAWS = CloudProviderKey.String("aws")
-	// Microsoft Azure
-	CloudProviderAzure = CloudProviderKey.String("azure")
-	// Google Cloud Platform
-	CloudProviderGCP = CloudProviderKey.String("gcp")
-	// Heroku Platform as a Service
-	CloudProviderHeroku = CloudProviderKey.String("heroku")
-	// IBM Cloud
-	CloudProviderIbmCloud = CloudProviderKey.String("ibm_cloud")
-	// Tencent Cloud
-	CloudProviderTencentCloud = CloudProviderKey.String("tencent_cloud")
-)
-
-// CloudAccountID returns an attribute KeyValue conforming to the
-// "cloud.account.id" semantic conventions. It represents the cloud account ID
-// the resource is assigned to.
-func CloudAccountID(val string) attribute.KeyValue {
-	return CloudAccountIDKey.String(val)
-}
-
-// CloudAvailabilityZone returns an attribute KeyValue conforming to the
-// "cloud.availability_zone" semantic conventions. It represents the cloud
-// regions often have multiple, isolated locations known as zones to increase
-// availability. Availability zone represents the zone where the resource is
-// running.
-func CloudAvailabilityZone(val string) attribute.KeyValue {
-	return CloudAvailabilityZoneKey.String(val)
-}
-
-// CloudRegion returns an attribute KeyValue conforming to the
-// "cloud.region" semantic conventions. It represents the geographical region
-// the resource is running.
-func CloudRegion(val string) attribute.KeyValue {
-	return CloudRegionKey.String(val)
-}
-
-// CloudResourceID returns an attribute KeyValue conforming to the
-// "cloud.resource_id" semantic conventions. It represents the cloud
-// provider-specific native identifier of the monitored cloud resource (e.g. an
-// [ARN](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html)
-// on AWS, a [fully qualified resource
-// ID](https://learn.microsoft.com/rest/api/resources/resources/get-by-id) on
-// Azure, a [full resource
-// name](https://cloud.google.com/apis/design/resource_names#full_resource_name)
-// on GCP)
-func CloudResourceID(val string) attribute.KeyValue {
-	return CloudResourceIDKey.String(val)
-}
-
-// Attributes for CloudEvents.
-const (
-	// CloudeventsEventIDKey is the attribute Key conforming to the
-	// "cloudevents.event_id" semantic conventions. It represents the
-	// [event_id](https://github.com/cloudevents/spec/blob/v1.0.2/cloudevents/spec.md#id)
-	// uniquely identifies the event.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: '123e4567-e89b-12d3-a456-426614174000', '0001'
-	CloudeventsEventIDKey = attribute.Key("cloudevents.event_id")
-
-	// CloudeventsEventSourceKey is the attribute Key conforming to the
-	// "cloudevents.event_source" semantic conventions. It represents the
-	// [source](https://github.com/cloudevents/spec/blob/v1.0.2/cloudevents/spec.md#source-1)
-	// identifies the context in which an event happened.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'https://github.com/cloudevents',
-	// '/cloudevents/spec/pull/123', 'my-service'
-	CloudeventsEventSourceKey = attribute.Key("cloudevents.event_source")
-
-	// CloudeventsEventSpecVersionKey is the attribute Key conforming to the
-	// "cloudevents.event_spec_version" semantic conventions. It represents the
-	// [version of the CloudEvents
-	// specification](https://github.com/cloudevents/spec/blob/v1.0.2/cloudevents/spec.md#specversion)
-	// which the event uses.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: '1.0'
-	CloudeventsEventSpecVersionKey = attribute.Key("cloudevents.event_spec_version")
-
-	// CloudeventsEventSubjectKey is the attribute Key conforming to the
-	// "cloudevents.event_subject" semantic conventions. It represents the
-	// [subject](https://github.com/cloudevents/spec/blob/v1.0.2/cloudevents/spec.md#subject)
-	// of the event in the context of the event producer (identified by
-	// source).
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'mynewfile.jpg'
-	CloudeventsEventSubjectKey = attribute.Key("cloudevents.event_subject")
-
-	// CloudeventsEventTypeKey is the attribute Key conforming to the
-	// "cloudevents.event_type" semantic conventions. It represents the
-	// [event_type](https://github.com/cloudevents/spec/blob/v1.0.2/cloudevents/spec.md#type)
-	// contains a value describing the type of event related to the originating
-	// occurrence.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'com.github.pull_request.opened',
-	// 'com.example.object.deleted.v2'
-	CloudeventsEventTypeKey = attribute.Key("cloudevents.event_type")
-)
-
-// CloudeventsEventID returns an attribute KeyValue conforming to the
-// "cloudevents.event_id" semantic conventions. It represents the
-// [event_id](https://github.com/cloudevents/spec/blob/v1.0.2/cloudevents/spec.md#id)
-// uniquely identifies the event.
-func CloudeventsEventID(val string) attribute.KeyValue {
-	return CloudeventsEventIDKey.String(val)
-}
-
-// CloudeventsEventSource returns an attribute KeyValue conforming to the
-// "cloudevents.event_source" semantic conventions. It represents the
-// [source](https://github.com/cloudevents/spec/blob/v1.0.2/cloudevents/spec.md#source-1)
-// identifies the context in which an event happened.
-func CloudeventsEventSource(val string) attribute.KeyValue {
-	return CloudeventsEventSourceKey.String(val)
-}
-
-// CloudeventsEventSpecVersion returns an attribute KeyValue conforming to
-// the "cloudevents.event_spec_version" semantic conventions. It represents the
-// [version of the CloudEvents
-// specification](https://github.com/cloudevents/spec/blob/v1.0.2/cloudevents/spec.md#specversion)
-// which the event uses.
-func CloudeventsEventSpecVersion(val string) attribute.KeyValue {
-	return CloudeventsEventSpecVersionKey.String(val)
-}
-
-// CloudeventsEventSubject returns an attribute KeyValue conforming to the
-// "cloudevents.event_subject" semantic conventions. It represents the
-// [subject](https://github.com/cloudevents/spec/blob/v1.0.2/cloudevents/spec.md#subject)
-// of the event in the context of the event producer (identified by source).
-func CloudeventsEventSubject(val string) attribute.KeyValue {
-	return CloudeventsEventSubjectKey.String(val)
-}
-
-// CloudeventsEventType returns an attribute KeyValue conforming to the
-// "cloudevents.event_type" semantic conventions. It represents the
-// [event_type](https://github.com/cloudevents/spec/blob/v1.0.2/cloudevents/spec.md#type)
-// contains a value describing the type of event related to the originating
-// occurrence.
-func CloudeventsEventType(val string) attribute.KeyValue {
-	return CloudeventsEventTypeKey.String(val)
-}
-
-// These attributes allow to report this unit of code and therefore to provide
-// more context about the span.
-const (
-	// CodeColumnKey is the attribute Key conforming to the "code.column"
-	// semantic conventions. It represents the column number in `code.filepath`
-	// best representing the operation. It SHOULD point within the code unit
-	// named in `code.function`.
-	//
-	// Type: int
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 16
-	CodeColumnKey = attribute.Key("code.column")
-
-	// CodeFilepathKey is the attribute Key conforming to the "code.filepath"
-	// semantic conventions. It represents the source code file name that
-	// identifies the code unit as uniquely as possible (preferably an absolute
-	// file path).
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: '/usr/local/MyApplication/content_root/app/index.php'
-	CodeFilepathKey = attribute.Key("code.filepath")
-
-	// CodeFunctionKey is the attribute Key conforming to the "code.function"
-	// semantic conventions. It represents the method or function name, or
-	// equivalent (usually rightmost part of the code unit's name).
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'serveRequest'
-	CodeFunctionKey = attribute.Key("code.function")
-
-	// CodeLineNumberKey is the attribute Key conforming to the "code.lineno"
-	// semantic conventions. It represents the line number in `code.filepath`
-	// best representing the operation. It SHOULD point within the code unit
-	// named in `code.function`.
-	//
-	// Type: int
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 42
-	CodeLineNumberKey = attribute.Key("code.lineno")
-
-	// CodeNamespaceKey is the attribute Key conforming to the "code.namespace"
-	// semantic conventions. It represents the "namespace" within which
-	// `code.function` is defined. Usually the qualified class or module name,
-	// such that `code.namespace` + some separator + `code.function` form a
-	// unique identifier for the code unit.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'com.example.MyHTTPService'
-	CodeNamespaceKey = attribute.Key("code.namespace")
-
-	// CodeStacktraceKey is the attribute Key conforming to the
-	// "code.stacktrace" semantic conventions. It represents a stacktrace as a
-	// string in the natural representation for the language runtime. The
-	// representation is to be determined and documented by each language SIG.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'at
-	// com.example.GenerateTrace.methodB(GenerateTrace.java:13)\\n at '
-	//  'com.example.GenerateTrace.methodA(GenerateTrace.java:9)\\n at '
-	//  'com.example.GenerateTrace.main(GenerateTrace.java:5)'
-	CodeStacktraceKey = attribute.Key("code.stacktrace")
-)
-
-// CodeColumn returns an attribute KeyValue conforming to the "code.column"
-// semantic conventions. It represents the column number in `code.filepath`
-// best representing the operation. It SHOULD point within the code unit named
-// in `code.function`.
-func CodeColumn(val int) attribute.KeyValue {
-	return CodeColumnKey.Int(val)
-}
-
-// CodeFilepath returns an attribute KeyValue conforming to the
-// "code.filepath" semantic conventions. It represents the source code file
-// name that identifies the code unit as uniquely as possible (preferably an
-// absolute file path).
-func CodeFilepath(val string) attribute.KeyValue {
-	return CodeFilepathKey.String(val)
-}
-
-// CodeFunction returns an attribute KeyValue conforming to the
-// "code.function" semantic conventions. It represents the method or function
-// name, or equivalent (usually rightmost part of the code unit's name).
-func CodeFunction(val string) attribute.KeyValue {
-	return CodeFunctionKey.String(val)
-}
-
-// CodeLineNumber returns an attribute KeyValue conforming to the "code.lineno"
-// semantic conventions. It represents the line number in `code.filepath` best
-// representing the operation. It SHOULD point within the code unit named in
-// `code.function`.
-func CodeLineNumber(val int) attribute.KeyValue {
-	return CodeLineNumberKey.Int(val)
-}
-
-// CodeNamespace returns an attribute KeyValue conforming to the
-// "code.namespace" semantic conventions. It represents the "namespace" within
-// which `code.function` is defined. Usually the qualified class or module
-// name, such that `code.namespace` + some separator + `code.function` form a
-// unique identifier for the code unit.
-func CodeNamespace(val string) attribute.KeyValue {
-	return CodeNamespaceKey.String(val)
-}
-
-// CodeStacktrace returns an attribute KeyValue conforming to the
-// "code.stacktrace" semantic conventions. It represents a stacktrace as a
-// string in the natural representation for the language runtime. The
-// representation is to be determined and documented by each language SIG.
-func CodeStacktrace(val string) attribute.KeyValue {
-	return CodeStacktraceKey.String(val)
-}
-
-// A container instance.
-const (
-	// ContainerCommandKey is the attribute Key conforming to the
-	// "container.command" semantic conventions. It represents the command used
-	// to run the container (i.e. the command name).
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'otelcontribcol'
-	// Note: If using embedded credentials or sensitive data, it is recommended
-	// to remove them to prevent potential leakage.
-	ContainerCommandKey = attribute.Key("container.command")
-
-	// ContainerCommandArgsKey is the attribute Key conforming to the
-	// "container.command_args" semantic conventions. It represents the all the
-	// command arguments (including the command/executable itself) run by the
-	// container. [2]
-	//
-	// Type: string[]
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'otelcontribcol, --config, config.yaml'
-	ContainerCommandArgsKey = attribute.Key("container.command_args")
-
-	// ContainerCommandLineKey is the attribute Key conforming to the
-	// "container.command_line" semantic conventions. It represents the full
-	// command run by the container as a single string representing the full
-	// command. [2]
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'otelcontribcol --config config.yaml'
-	ContainerCommandLineKey = attribute.Key("container.command_line")
-
-	// ContainerCPUStateKey is the attribute Key conforming to the
-	// "container.cpu.state" semantic conventions. It represents the CPU state
-	// for this data point.
-	//
-	// Type: Enum
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'user', 'kernel'
-	ContainerCPUStateKey = attribute.Key("container.cpu.state")
-
-	// ContainerIDKey is the attribute Key conforming to the "container.id"
-	// semantic conventions. It represents the container ID. Usually a UUID, as
-	// for example used to [identify Docker
-	// containers](https://docs.docker.com/engine/reference/run/#container-identification).
-	// The UUID might be abbreviated.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'a3bf90e006b2'
-	ContainerIDKey = attribute.Key("container.id")
-
-	// ContainerImageIDKey is the attribute Key conforming to the
-	// "container.image.id" semantic conventions. It represents the runtime
-	// specific image identifier. Usually a hash algorithm followed by a UUID.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples:
-	// 'sha256:19c92d0a00d1b66d897bceaa7319bee0dd38a10a851c60bcec9474aa3f01e50f'
-	// Note: Docker defines a sha256 of the image id; `container.image.id`
-	// corresponds to the `Image` field from the Docker container inspect
-	// [API](https://docs.docker.com/engine/api/v1.43/#tag/Container/operation/ContainerInspect)
-	// endpoint.
-	// K8S defines a link to the container registry repository with digest
-	// `"imageID": "registry.azurecr.io
-	// /namespace/service/dockerfile@sha256:bdeabd40c3a8a492eaf9e8e44d0ebbb84bac7ee25ac0cf8a7159d25f62555625"`.
-	// The ID is assigned by the container runtime and can vary in different
-	// environments. Consider using `oci.manifest.digest` if it is important to
-	// identify the same image in different environments/runtimes.
-	ContainerImageIDKey = attribute.Key("container.image.id")
-
-	// ContainerImageNameKey is the attribute Key conforming to the
-	// "container.image.name" semantic conventions. It represents the name of
-	// the image the container was built on.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'gcr.io/opentelemetry/operator'
-	ContainerImageNameKey = attribute.Key("container.image.name")
-
-	// ContainerImageRepoDigestsKey is the attribute Key conforming to the
-	// "container.image.repo_digests" semantic conventions. It represents the
-	// repo digests of the container image as provided by the container
-	// runtime.
-	//
-	// Type: string[]
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples:
-	// 'example@sha256:afcc7f1ac1b49db317a7196c902e61c6c3c4607d63599ee1a82d702d249a0ccb',
-	// 'internal.registry.example.com:5000/example@sha256:b69959407d21e8a062e0416bf13405bb2b71ed7a84dde4158ebafacfa06f5578'
-	// Note:
-	// [Docker](https://docs.docker.com/engine/api/v1.43/#tag/Image/operation/ImageInspect)
-	// and
-	// [CRI](https://github.com/kubernetes/cri-api/blob/c75ef5b473bbe2d0a4fc92f82235efd665ea8e9f/pkg/apis/runtime/v1/api.proto#L1237-L1238)
-	// report those under the `RepoDigests` field.
-	ContainerImageRepoDigestsKey = attribute.Key("container.image.repo_digests")
-
-	// ContainerImageTagsKey is the attribute Key conforming to the
-	// "container.image.tags" semantic conventions. It represents the container
-	// image tags. An example can be found in [Docker Image
-	// Inspect](https://docs.docker.com/engine/api/v1.43/#tag/Image/operation/ImageInspect).
-	// Should be only the `` section of the full name for example from
-	// `registry.example.com/my-org/my-image:`.
-	//
-	// Type: string[]
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'v1.27.1', '3.5.7-0'
-	ContainerImageTagsKey = attribute.Key("container.image.tags")
-
-	// ContainerNameKey is the attribute Key conforming to the "container.name"
-	// semantic conventions. It represents the container name used by container
-	// runtime.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'opentelemetry-autoconf'
-	ContainerNameKey = attribute.Key("container.name")
-
-	// ContainerRuntimeKey is the attribute Key conforming to the
-	// "container.runtime" semantic conventions. It represents the container
-	// runtime managing this container.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'docker', 'containerd', 'rkt'
-	ContainerRuntimeKey = attribute.Key("container.runtime")
-)
-
-var (
-	// When tasks of the cgroup are in user mode (Linux). When all container processes are in user mode (Windows)
-	ContainerCPUStateUser = ContainerCPUStateKey.String("user")
-	// When CPU is used by the system (host OS)
-	ContainerCPUStateSystem = ContainerCPUStateKey.String("system")
-	// When tasks of the cgroup are in kernel mode (Linux). When all container processes are in kernel mode (Windows)
-	ContainerCPUStateKernel = ContainerCPUStateKey.String("kernel")
-)
-
-// ContainerCommand returns an attribute KeyValue conforming to the
-// "container.command" semantic conventions. It represents the command used to
-// run the container (i.e. the command name).
-func ContainerCommand(val string) attribute.KeyValue {
-	return ContainerCommandKey.String(val)
-}
-
-// ContainerCommandArgs returns an attribute KeyValue conforming to the
-// "container.command_args" semantic conventions. It represents the all the
-// command arguments (including the command/executable itself) run by the
-// container. [2]
-func ContainerCommandArgs(val ...string) attribute.KeyValue {
-	return ContainerCommandArgsKey.StringSlice(val)
-}
-
-// ContainerCommandLine returns an attribute KeyValue conforming to the
-// "container.command_line" semantic conventions. It represents the full
-// command run by the container as a single string representing the full
-// command. [2]
-func ContainerCommandLine(val string) attribute.KeyValue {
-	return ContainerCommandLineKey.String(val)
-}
-
-// ContainerID returns an attribute KeyValue conforming to the
-// "container.id" semantic conventions. It represents the container ID. Usually
-// a UUID, as for example used to [identify Docker
-// containers](https://docs.docker.com/engine/reference/run/#container-identification).
-// The UUID might be abbreviated.
-func ContainerID(val string) attribute.KeyValue {
-	return ContainerIDKey.String(val)
-}
-
-// ContainerImageID returns an attribute KeyValue conforming to the
-// "container.image.id" semantic conventions. It represents the runtime
-// specific image identifier. Usually a hash algorithm followed by a UUID.
-func ContainerImageID(val string) attribute.KeyValue {
-	return ContainerImageIDKey.String(val)
-}
-
-// ContainerImageName returns an attribute KeyValue conforming to the
-// "container.image.name" semantic conventions. It represents the name of the
-// image the container was built on.
-func ContainerImageName(val string) attribute.KeyValue {
-	return ContainerImageNameKey.String(val)
-}
-
-// ContainerImageRepoDigests returns an attribute KeyValue conforming to the
-// "container.image.repo_digests" semantic conventions. It represents the repo
-// digests of the container image as provided by the container runtime.
-func ContainerImageRepoDigests(val ...string) attribute.KeyValue {
-	return ContainerImageRepoDigestsKey.StringSlice(val)
-}
-
-// ContainerImageTags returns an attribute KeyValue conforming to the
-// "container.image.tags" semantic conventions. It represents the container
-// image tags. An example can be found in [Docker Image
-// Inspect](https://docs.docker.com/engine/api/v1.43/#tag/Image/operation/ImageInspect).
-// Should be only the `` section of the full name for example from
-// `registry.example.com/my-org/my-image:`.
-func ContainerImageTags(val ...string) attribute.KeyValue {
-	return ContainerImageTagsKey.StringSlice(val)
-}
-
-// ContainerName returns an attribute KeyValue conforming to the
-// "container.name" semantic conventions. It represents the container name used
-// by container runtime.
-func ContainerName(val string) attribute.KeyValue {
-	return ContainerNameKey.String(val)
-}
-
-// ContainerRuntime returns an attribute KeyValue conforming to the
-// "container.runtime" semantic conventions. It represents the container
-// runtime managing this container.
-func ContainerRuntime(val string) attribute.KeyValue {
-	return ContainerRuntimeKey.String(val)
-}
-
-// This group defines the attributes used to describe telemetry in the context
-// of databases.
-const (
-	// DBClientConnectionsPoolNameKey is the attribute Key conforming to the
-	// "db.client.connections.pool.name" semantic conventions. It represents
-	// the name of the connection pool; unique within the instrumented
-	// application. In case the connection pool implementation doesn't provide
-	// a name, instrumentation should use a combination of `server.address` and
-	// `server.port` attributes formatted as `server.address:server.port`.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'myDataSource'
-	DBClientConnectionsPoolNameKey = attribute.Key("db.client.connections.pool.name")
-
-	// DBClientConnectionsStateKey is the attribute Key conforming to the
-	// "db.client.connections.state" semantic conventions. It represents the
-	// state of a connection in the pool
-	//
-	// Type: Enum
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'idle'
-	DBClientConnectionsStateKey = attribute.Key("db.client.connections.state")
-
-	// DBCollectionNameKey is the attribute Key conforming to the
-	// "db.collection.name" semantic conventions. It represents the name of a
-	// collection (table, container) within the database.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'public.users', 'customers'
-	// Note: If the collection name is parsed from the query, it SHOULD match
-	// the value provided in the query and may be qualified with the schema and
-	// database name.
-	// It is RECOMMENDED to capture the value as provided by the application
-	// without attempting to do any case normalization.
-	DBCollectionNameKey = attribute.Key("db.collection.name")
-
-	// DBNamespaceKey is the attribute Key conforming to the "db.namespace"
-	// semantic conventions. It represents the name of the database, fully
-	// qualified within the server address and port.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'customers', 'test.users'
-	// Note: If a database system has multiple namespace components, they
-	// SHOULD be concatenated (potentially using database system specific
-	// conventions) from most general to most specific namespace component, and
-	// more specific namespaces SHOULD NOT be captured without the more general
-	// namespaces, to ensure that "startswith" queries for the more general
-	// namespaces will be valid.
-	// Semantic conventions for individual database systems SHOULD document
-	// what `db.namespace` means in the context of that system.
-	// It is RECOMMENDED to capture the value as provided by the application
-	// without attempting to do any case normalization.
-	DBNamespaceKey = attribute.Key("db.namespace")
-
-	// DBOperationNameKey is the attribute Key conforming to the
-	// "db.operation.name" semantic conventions. It represents the name of the
-	// operation or command being executed.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'findAndModify', 'HMSET', 'SELECT'
-	// Note: It is RECOMMENDED to capture the value as provided by the
-	// application without attempting to do any case normalization.
-	DBOperationNameKey = attribute.Key("db.operation.name")
-
-	// DBQueryTextKey is the attribute Key conforming to the "db.query.text"
-	// semantic conventions. It represents the database query being executed.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'SELECT * FROM wuser_table where username = ?', 'SET mykey
-	// "WuValue"'
-	DBQueryTextKey = attribute.Key("db.query.text")
-
-	// DBSystemKey is the attribute Key conforming to the "db.system" semantic
-	// conventions. It represents the database management system (DBMS) product
-	// as identified by the client instrumentation.
-	//
-	// Type: Enum
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Note: The actual DBMS may differ from the one identified by the client.
-	// For example, when using PostgreSQL client libraries to connect to a
-	// CockroachDB, the `db.system` is set to `postgresql` based on the
-	// instrumentation's best knowledge.
-	DBSystemKey = attribute.Key("db.system")
-)
-
-var (
-	// idle
-	DBClientConnectionsStateIdle = DBClientConnectionsStateKey.String("idle")
-	// used
-	DBClientConnectionsStateUsed = DBClientConnectionsStateKey.String("used")
-)
-
-var (
-	// Some other SQL database. Fallback only. See notes
-	DBSystemOtherSQL = DBSystemKey.String("other_sql")
-	// Microsoft SQL Server
-	DBSystemMSSQL = DBSystemKey.String("mssql")
-	// Microsoft SQL Server Compact
-	DBSystemMssqlcompact = DBSystemKey.String("mssqlcompact")
-	// MySQL
-	DBSystemMySQL = DBSystemKey.String("mysql")
-	// Oracle Database
-	DBSystemOracle = DBSystemKey.String("oracle")
-	// IBM DB2
-	DBSystemDB2 = DBSystemKey.String("db2")
-	// PostgreSQL
-	DBSystemPostgreSQL = DBSystemKey.String("postgresql")
-	// Amazon Redshift
-	DBSystemRedshift = DBSystemKey.String("redshift")
-	// Apache Hive
-	DBSystemHive = DBSystemKey.String("hive")
-	// Cloudscape
-	DBSystemCloudscape = DBSystemKey.String("cloudscape")
-	// HyperSQL DataBase
-	DBSystemHSQLDB = DBSystemKey.String("hsqldb")
-	// Progress Database
-	DBSystemProgress = DBSystemKey.String("progress")
-	// SAP MaxDB
-	DBSystemMaxDB = DBSystemKey.String("maxdb")
-	// SAP HANA
-	DBSystemHanaDB = DBSystemKey.String("hanadb")
-	// Ingres
-	DBSystemIngres = DBSystemKey.String("ingres")
-	// FirstSQL
-	DBSystemFirstSQL = DBSystemKey.String("firstsql")
-	// EnterpriseDB
-	DBSystemEDB = DBSystemKey.String("edb")
-	// InterSystems Caché
-	DBSystemCache = DBSystemKey.String("cache")
-	// Adabas (Adaptable Database System)
-	DBSystemAdabas = DBSystemKey.String("adabas")
-	// Firebird
-	DBSystemFirebird = DBSystemKey.String("firebird")
-	// Apache Derby
-	DBSystemDerby = DBSystemKey.String("derby")
-	// FileMaker
-	DBSystemFilemaker = DBSystemKey.String("filemaker")
-	// Informix
-	DBSystemInformix = DBSystemKey.String("informix")
-	// InstantDB
-	DBSystemInstantDB = DBSystemKey.String("instantdb")
-	// InterBase
-	DBSystemInterbase = DBSystemKey.String("interbase")
-	// MariaDB
-	DBSystemMariaDB = DBSystemKey.String("mariadb")
-	// Netezza
-	DBSystemNetezza = DBSystemKey.String("netezza")
-	// Pervasive PSQL
-	DBSystemPervasive = DBSystemKey.String("pervasive")
-	// PointBase
-	DBSystemPointbase = DBSystemKey.String("pointbase")
-	// SQLite
-	DBSystemSqlite = DBSystemKey.String("sqlite")
-	// Sybase
-	DBSystemSybase = DBSystemKey.String("sybase")
-	// Teradata
-	DBSystemTeradata = DBSystemKey.String("teradata")
-	// Vertica
-	DBSystemVertica = DBSystemKey.String("vertica")
-	// H2
-	DBSystemH2 = DBSystemKey.String("h2")
-	// ColdFusion IMQ
-	DBSystemColdfusion = DBSystemKey.String("coldfusion")
-	// Apache Cassandra
-	DBSystemCassandra = DBSystemKey.String("cassandra")
-	// Apache HBase
-	DBSystemHBase = DBSystemKey.String("hbase")
-	// MongoDB
-	DBSystemMongoDB = DBSystemKey.String("mongodb")
-	// Redis
-	DBSystemRedis = DBSystemKey.String("redis")
-	// Couchbase
-	DBSystemCouchbase = DBSystemKey.String("couchbase")
-	// CouchDB
-	DBSystemCouchDB = DBSystemKey.String("couchdb")
-	// Microsoft Azure Cosmos DB
-	DBSystemCosmosDB = DBSystemKey.String("cosmosdb")
-	// Amazon DynamoDB
-	DBSystemDynamoDB = DBSystemKey.String("dynamodb")
-	// Neo4j
-	DBSystemNeo4j = DBSystemKey.String("neo4j")
-	// Apache Geode
-	DBSystemGeode = DBSystemKey.String("geode")
-	// Elasticsearch
-	DBSystemElasticsearch = DBSystemKey.String("elasticsearch")
-	// Memcached
-	DBSystemMemcached = DBSystemKey.String("memcached")
-	// CockroachDB
-	DBSystemCockroachdb = DBSystemKey.String("cockroachdb")
-	// OpenSearch
-	DBSystemOpensearch = DBSystemKey.String("opensearch")
-	// ClickHouse
-	DBSystemClickhouse = DBSystemKey.String("clickhouse")
-	// Cloud Spanner
-	DBSystemSpanner = DBSystemKey.String("spanner")
-	// Trino
-	DBSystemTrino = DBSystemKey.String("trino")
-)
-
-// DBClientConnectionsPoolName returns an attribute KeyValue conforming to
-// the "db.client.connections.pool.name" semantic conventions. It represents
-// the name of the connection pool; unique within the instrumented application.
-// In case the connection pool implementation doesn't provide a name,
-// instrumentation should use a combination of `server.address` and
-// `server.port` attributes formatted as `server.address:server.port`.
-func DBClientConnectionsPoolName(val string) attribute.KeyValue {
-	return DBClientConnectionsPoolNameKey.String(val)
-}
-
-// DBCollectionName returns an attribute KeyValue conforming to the
-// "db.collection.name" semantic conventions. It represents the name of a
-// collection (table, container) within the database.
-func DBCollectionName(val string) attribute.KeyValue {
-	return DBCollectionNameKey.String(val)
-}
-
-// DBNamespace returns an attribute KeyValue conforming to the
-// "db.namespace" semantic conventions. It represents the name of the database,
-// fully qualified within the server address and port.
-func DBNamespace(val string) attribute.KeyValue {
-	return DBNamespaceKey.String(val)
-}
-
-// DBOperationName returns an attribute KeyValue conforming to the
-// "db.operation.name" semantic conventions. It represents the name of the
-// operation or command being executed.
-func DBOperationName(val string) attribute.KeyValue {
-	return DBOperationNameKey.String(val)
-}
-
-// DBQueryText returns an attribute KeyValue conforming to the
-// "db.query.text" semantic conventions. It represents the database query being
-// executed.
-func DBQueryText(val string) attribute.KeyValue {
-	return DBQueryTextKey.String(val)
-}
-
-// This group defines attributes for Cassandra.
-const (
-	// DBCassandraConsistencyLevelKey is the attribute Key conforming to the
-	// "db.cassandra.consistency_level" semantic conventions. It represents the
-	// consistency level of the query. Based on consistency values from
-	// [CQL](https://docs.datastax.com/en/cassandra-oss/3.0/cassandra/dml/dmlConfigConsistency.html).
-	//
-	// Type: Enum
-	// RequirementLevel: Optional
-	// Stability: experimental
-	DBCassandraConsistencyLevelKey = attribute.Key("db.cassandra.consistency_level")
-
-	// DBCassandraCoordinatorDCKey is the attribute Key conforming to the
-	// "db.cassandra.coordinator.dc" semantic conventions. It represents the
-	// data center of the coordinating node for a query.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'us-west-2'
-	DBCassandraCoordinatorDCKey = attribute.Key("db.cassandra.coordinator.dc")
-
-	// DBCassandraCoordinatorIDKey is the attribute Key conforming to the
-	// "db.cassandra.coordinator.id" semantic conventions. It represents the ID
-	// of the coordinating node for a query.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'be13faa2-8574-4d71-926d-27f16cf8a7af'
-	DBCassandraCoordinatorIDKey = attribute.Key("db.cassandra.coordinator.id")
-
-	// DBCassandraIdempotenceKey is the attribute Key conforming to the
-	// "db.cassandra.idempotence" semantic conventions. It represents the
-	// whether or not the query is idempotent.
-	//
-	// Type: boolean
-	// RequirementLevel: Optional
-	// Stability: experimental
-	DBCassandraIdempotenceKey = attribute.Key("db.cassandra.idempotence")
-
-	// DBCassandraPageSizeKey is the attribute Key conforming to the
-	// "db.cassandra.page_size" semantic conventions. It represents the fetch
-	// size used for paging, i.e. how many rows will be returned at once.
-	//
-	// Type: int
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 5000
-	DBCassandraPageSizeKey = attribute.Key("db.cassandra.page_size")
-
-	// DBCassandraSpeculativeExecutionCountKey is the attribute Key conforming
-	// to the "db.cassandra.speculative_execution_count" semantic conventions.
-	// It represents the number of times a query was speculatively executed.
-	// Not set or `0` if the query was not executed speculatively.
-	//
-	// Type: int
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 0, 2
-	DBCassandraSpeculativeExecutionCountKey = attribute.Key("db.cassandra.speculative_execution_count")
-)
-
-var (
-	// all
-	DBCassandraConsistencyLevelAll = DBCassandraConsistencyLevelKey.String("all")
-	// each_quorum
-	DBCassandraConsistencyLevelEachQuorum = DBCassandraConsistencyLevelKey.String("each_quorum")
-	// quorum
-	DBCassandraConsistencyLevelQuorum = DBCassandraConsistencyLevelKey.String("quorum")
-	// local_quorum
-	DBCassandraConsistencyLevelLocalQuorum = DBCassandraConsistencyLevelKey.String("local_quorum")
-	// one
-	DBCassandraConsistencyLevelOne = DBCassandraConsistencyLevelKey.String("one")
-	// two
-	DBCassandraConsistencyLevelTwo = DBCassandraConsistencyLevelKey.String("two")
-	// three
-	DBCassandraConsistencyLevelThree = DBCassandraConsistencyLevelKey.String("three")
-	// local_one
-	DBCassandraConsistencyLevelLocalOne = DBCassandraConsistencyLevelKey.String("local_one")
-	// any
-	DBCassandraConsistencyLevelAny = DBCassandraConsistencyLevelKey.String("any")
-	// serial
-	DBCassandraConsistencyLevelSerial = DBCassandraConsistencyLevelKey.String("serial")
-	// local_serial
-	DBCassandraConsistencyLevelLocalSerial = DBCassandraConsistencyLevelKey.String("local_serial")
-)
-
-// DBCassandraCoordinatorDC returns an attribute KeyValue conforming to the
-// "db.cassandra.coordinator.dc" semantic conventions. It represents the data
-// center of the coordinating node for a query.
-func DBCassandraCoordinatorDC(val string) attribute.KeyValue {
-	return DBCassandraCoordinatorDCKey.String(val)
-}
-
-// DBCassandraCoordinatorID returns an attribute KeyValue conforming to the
-// "db.cassandra.coordinator.id" semantic conventions. It represents the ID of
-// the coordinating node for a query.
-func DBCassandraCoordinatorID(val string) attribute.KeyValue {
-	return DBCassandraCoordinatorIDKey.String(val)
-}
-
-// DBCassandraIdempotence returns an attribute KeyValue conforming to the
-// "db.cassandra.idempotence" semantic conventions. It represents the whether
-// or not the query is idempotent.
-func DBCassandraIdempotence(val bool) attribute.KeyValue {
-	return DBCassandraIdempotenceKey.Bool(val)
-}
-
-// DBCassandraPageSize returns an attribute KeyValue conforming to the
-// "db.cassandra.page_size" semantic conventions. It represents the fetch size
-// used for paging, i.e. how many rows will be returned at once.
-func DBCassandraPageSize(val int) attribute.KeyValue {
-	return DBCassandraPageSizeKey.Int(val)
-}
-
-// DBCassandraSpeculativeExecutionCount returns an attribute KeyValue
-// conforming to the "db.cassandra.speculative_execution_count" semantic
-// conventions. It represents the number of times a query was speculatively
-// executed. Not set or `0` if the query was not executed speculatively.
-func DBCassandraSpeculativeExecutionCount(val int) attribute.KeyValue {
-	return DBCassandraSpeculativeExecutionCountKey.Int(val)
-}
-
-// This group defines attributes for Azure Cosmos DB.
-const (
-	// DBCosmosDBClientIDKey is the attribute Key conforming to the
-	// "db.cosmosdb.client_id" semantic conventions. It represents the unique
-	// Cosmos client instance id.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: '3ba4827d-4422-483f-b59f-85b74211c11d'
-	DBCosmosDBClientIDKey = attribute.Key("db.cosmosdb.client_id")
-
-	// DBCosmosDBConnectionModeKey is the attribute Key conforming to the
-	// "db.cosmosdb.connection_mode" semantic conventions. It represents the
-	// cosmos client connection mode.
-	//
-	// Type: Enum
-	// RequirementLevel: Optional
-	// Stability: experimental
-	DBCosmosDBConnectionModeKey = attribute.Key("db.cosmosdb.connection_mode")
-
-	// DBCosmosDBOperationTypeKey is the attribute Key conforming to the
-	// "db.cosmosdb.operation_type" semantic conventions. It represents the
-	// cosmosDB Operation Type.
-	//
-	// Type: Enum
-	// RequirementLevel: Optional
-	// Stability: experimental
-	DBCosmosDBOperationTypeKey = attribute.Key("db.cosmosdb.operation_type")
-
-	// DBCosmosDBRequestChargeKey is the attribute Key conforming to the
-	// "db.cosmosdb.request_charge" semantic conventions. It represents the rU
-	// consumed for that operation
-	//
-	// Type: double
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 46.18, 1.0
-	DBCosmosDBRequestChargeKey = attribute.Key("db.cosmosdb.request_charge")
-
-	// DBCosmosDBRequestContentLengthKey is the attribute Key conforming to the
-	// "db.cosmosdb.request_content_length" semantic conventions. It represents
-	// the request payload size in bytes
-	//
-	// Type: int
-	// RequirementLevel: Optional
-	// Stability: experimental
-	DBCosmosDBRequestContentLengthKey = attribute.Key("db.cosmosdb.request_content_length")
-
-	// DBCosmosDBStatusCodeKey is the attribute Key conforming to the
-	// "db.cosmosdb.status_code" semantic conventions. It represents the cosmos
-	// DB status code.
-	//
-	// Type: int
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 200, 201
-	DBCosmosDBStatusCodeKey = attribute.Key("db.cosmosdb.status_code")
-
-	// DBCosmosDBSubStatusCodeKey is the attribute Key conforming to the
-	// "db.cosmosdb.sub_status_code" semantic conventions. It represents the
-	// cosmos DB sub status code.
-	//
-	// Type: int
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 1000, 1002
-	DBCosmosDBSubStatusCodeKey = attribute.Key("db.cosmosdb.sub_status_code")
-)
-
-var (
-	// Gateway (HTTP) connections mode
-	DBCosmosDBConnectionModeGateway = DBCosmosDBConnectionModeKey.String("gateway")
-	// Direct connection
-	DBCosmosDBConnectionModeDirect = DBCosmosDBConnectionModeKey.String("direct")
-)
-
-var (
-	// invalid
-	DBCosmosDBOperationTypeInvalid = DBCosmosDBOperationTypeKey.String("Invalid")
-	// create
-	DBCosmosDBOperationTypeCreate = DBCosmosDBOperationTypeKey.String("Create")
-	// patch
-	DBCosmosDBOperationTypePatch = DBCosmosDBOperationTypeKey.String("Patch")
-	// read
-	DBCosmosDBOperationTypeRead = DBCosmosDBOperationTypeKey.String("Read")
-	// read_feed
-	DBCosmosDBOperationTypeReadFeed = DBCosmosDBOperationTypeKey.String("ReadFeed")
-	// delete
-	DBCosmosDBOperationTypeDelete = DBCosmosDBOperationTypeKey.String("Delete")
-	// replace
-	DBCosmosDBOperationTypeReplace = DBCosmosDBOperationTypeKey.String("Replace")
-	// execute
-	DBCosmosDBOperationTypeExecute = DBCosmosDBOperationTypeKey.String("Execute")
-	// query
-	DBCosmosDBOperationTypeQuery = DBCosmosDBOperationTypeKey.String("Query")
-	// head
-	DBCosmosDBOperationTypeHead = DBCosmosDBOperationTypeKey.String("Head")
-	// head_feed
-	DBCosmosDBOperationTypeHeadFeed = DBCosmosDBOperationTypeKey.String("HeadFeed")
-	// upsert
-	DBCosmosDBOperationTypeUpsert = DBCosmosDBOperationTypeKey.String("Upsert")
-	// batch
-	DBCosmosDBOperationTypeBatch = DBCosmosDBOperationTypeKey.String("Batch")
-	// query_plan
-	DBCosmosDBOperationTypeQueryPlan = DBCosmosDBOperationTypeKey.String("QueryPlan")
-	// execute_javascript
-	DBCosmosDBOperationTypeExecuteJavascript = DBCosmosDBOperationTypeKey.String("ExecuteJavaScript")
-)
-
-// DBCosmosDBClientID returns an attribute KeyValue conforming to the
-// "db.cosmosdb.client_id" semantic conventions. It represents the unique
-// Cosmos client instance id.
-func DBCosmosDBClientID(val string) attribute.KeyValue {
-	return DBCosmosDBClientIDKey.String(val)
-}
-
-// DBCosmosDBRequestCharge returns an attribute KeyValue conforming to the
-// "db.cosmosdb.request_charge" semantic conventions. It represents the rU
-// consumed for that operation
-func DBCosmosDBRequestCharge(val float64) attribute.KeyValue {
-	return DBCosmosDBRequestChargeKey.Float64(val)
-}
-
-// DBCosmosDBRequestContentLength returns an attribute KeyValue conforming
-// to the "db.cosmosdb.request_content_length" semantic conventions. It
-// represents the request payload size in bytes
-func DBCosmosDBRequestContentLength(val int) attribute.KeyValue {
-	return DBCosmosDBRequestContentLengthKey.Int(val)
-}
-
-// DBCosmosDBStatusCode returns an attribute KeyValue conforming to the
-// "db.cosmosdb.status_code" semantic conventions. It represents the cosmos DB
-// status code.
-func DBCosmosDBStatusCode(val int) attribute.KeyValue {
-	return DBCosmosDBStatusCodeKey.Int(val)
-}
-
-// DBCosmosDBSubStatusCode returns an attribute KeyValue conforming to the
-// "db.cosmosdb.sub_status_code" semantic conventions. It represents the cosmos
-// DB sub status code.
-func DBCosmosDBSubStatusCode(val int) attribute.KeyValue {
-	return DBCosmosDBSubStatusCodeKey.Int(val)
-}
-
-// This group defines attributes for Elasticsearch.
-const (
-	// DBElasticsearchClusterNameKey is the attribute Key conforming to the
-	// "db.elasticsearch.cluster.name" semantic conventions. It represents the
-	// represents the identifier of an Elasticsearch cluster.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'e9106fc68e3044f0b1475b04bf4ffd5f'
-	DBElasticsearchClusterNameKey = attribute.Key("db.elasticsearch.cluster.name")
-
-	// DBElasticsearchNodeNameKey is the attribute Key conforming to the
-	// "db.elasticsearch.node.name" semantic conventions. It represents the
-	// represents the human-readable identifier of the node/instance to which a
-	// request was routed.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'instance-0000000001'
-	DBElasticsearchNodeNameKey = attribute.Key("db.elasticsearch.node.name")
-)
-
-// DBElasticsearchClusterName returns an attribute KeyValue conforming to
-// the "db.elasticsearch.cluster.name" semantic conventions. It represents the
-// represents the identifier of an Elasticsearch cluster.
-func DBElasticsearchClusterName(val string) attribute.KeyValue {
-	return DBElasticsearchClusterNameKey.String(val)
-}
-
-// DBElasticsearchNodeName returns an attribute KeyValue conforming to the
-// "db.elasticsearch.node.name" semantic conventions. It represents the
-// represents the human-readable identifier of the node/instance to which a
-// request was routed.
-func DBElasticsearchNodeName(val string) attribute.KeyValue {
-	return DBElasticsearchNodeNameKey.String(val)
-}
-
-// Attributes for software deployments.
-const (
-	// DeploymentEnvironmentKey is the attribute Key conforming to the
-	// "deployment.environment" semantic conventions. It represents the name of
-	// the [deployment
-	// environment](https://wikipedia.org/wiki/Deployment_environment) (aka
-	// deployment tier).
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'staging', 'production'
-	// Note: `deployment.environment` does not affect the uniqueness
-	// constraints defined through
-	// the `service.namespace`, `service.name` and `service.instance.id`
-	// resource attributes.
-	// This implies that resources carrying the following attribute
-	// combinations MUST be
-	// considered to be identifying the same service:
-	//
-	// * `service.name=frontend`, `deployment.environment=production`
-	// * `service.name=frontend`, `deployment.environment=staging`.
-	DeploymentEnvironmentKey = attribute.Key("deployment.environment")
-)
-
-// DeploymentEnvironment returns an attribute KeyValue conforming to the
-// "deployment.environment" semantic conventions. It represents the name of the
-// [deployment environment](https://wikipedia.org/wiki/Deployment_environment)
-// (aka deployment tier).
-func DeploymentEnvironment(val string) attribute.KeyValue {
-	return DeploymentEnvironmentKey.String(val)
-}
-
-// Attributes that represents an occurrence of a lifecycle transition on the
-// Android platform.
-const (
-	// AndroidStateKey is the attribute Key conforming to the "android.state"
-	// semantic conventions. It represents the deprecated use the
-	// `device.app.lifecycle` event definition including `android.state` as a
-	// payload field instead.
-	//
-	// Type: Enum
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Note: The Android lifecycle states are defined in [Activity lifecycle
-	// callbacks](https://developer.android.com/guide/components/activities/activity-lifecycle#lc),
-	// and from which the `OS identifiers` are derived.
-	AndroidStateKey = attribute.Key("android.state")
-)
-
-var (
-	// Any time before Activity.onResume() or, if the app has no Activity, Context.startService() has been called in the app for the first time
-	AndroidStateCreated = AndroidStateKey.String("created")
-	// Any time after Activity.onPause() or, if the app has no Activity, Context.stopService() has been called when the app was in the foreground state
-	AndroidStateBackground = AndroidStateKey.String("background")
-	// Any time after Activity.onResume() or, if the app has no Activity, Context.startService() has been called when the app was in either the created or background states
-	AndroidStateForeground = AndroidStateKey.String("foreground")
-)
-
-// These attributes may be used to describe the receiver of a network
-// exchange/packet. These should be used when there is no client/server
-// relationship between the two sides, or when that relationship is unknown.
-// This covers low-level network interactions (e.g. packet tracing) where you
-// don't know if there was a connection or which side initiated it. This also
-// covers unidirectional UDP flows and peer-to-peer communication where the
-// "user-facing" surface of the protocol / API doesn't expose a clear notion of
-// client and server.
-const (
-	// DestinationAddressKey is the attribute Key conforming to the
-	// "destination.address" semantic conventions. It represents the
-	// destination address - domain name if available without reverse DNS
-	// lookup; otherwise, IP address or Unix domain socket name.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'destination.example.com', '10.1.2.80', '/tmp/my.sock'
-	// Note: When observed from the source side, and when communicating through
-	// an intermediary, `destination.address` SHOULD represent the destination
-	// address behind any intermediaries, for example proxies, if it's
-	// available.
-	DestinationAddressKey = attribute.Key("destination.address")
-
-	// DestinationPortKey is the attribute Key conforming to the
-	// "destination.port" semantic conventions. It represents the destination
-	// port number
-	//
-	// Type: int
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 3389, 2888
-	DestinationPortKey = attribute.Key("destination.port")
-)
-
-// DestinationAddress returns an attribute KeyValue conforming to the
-// "destination.address" semantic conventions. It represents the destination
-// address - domain name if available without reverse DNS lookup; otherwise, IP
-// address or Unix domain socket name.
-func DestinationAddress(val string) attribute.KeyValue {
-	return DestinationAddressKey.String(val)
-}
-
-// DestinationPort returns an attribute KeyValue conforming to the
-// "destination.port" semantic conventions. It represents the destination port
-// number
-func DestinationPort(val int) attribute.KeyValue {
-	return DestinationPortKey.Int(val)
-}
-
-// Describes device attributes.
-const (
-	// DeviceIDKey is the attribute Key conforming to the "device.id" semantic
-	// conventions. It represents a unique identifier representing the device
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: '2ab2916d-a51f-4ac8-80ee-45ac31a28092'
-	// Note: The device identifier MUST only be defined using the values
-	// outlined below. This value is not an advertising identifier and MUST NOT
-	// be used as such. On iOS (Swift or Objective-C), this value MUST be equal
-	// to the [vendor
-	// identifier](https://developer.apple.com/documentation/uikit/uidevice/1620059-identifierforvendor).
-	// On Android (Java or Kotlin), this value MUST be equal to the Firebase
-	// Installation ID or a globally unique UUID which is persisted across
-	// sessions in your application. More information can be found
-	// [here](https://developer.android.com/training/articles/user-data-ids) on
-	// best practices and exact implementation details. Caution should be taken
-	// when storing personal data or anything which can identify a user. GDPR
-	// and data protection laws may apply, ensure you do your own due
-	// diligence.
-	DeviceIDKey = attribute.Key("device.id")
-
-	// DeviceManufacturerKey is the attribute Key conforming to the
-	// "device.manufacturer" semantic conventions. It represents the name of
-	// the device manufacturer
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'Apple', 'Samsung'
-	// Note: The Android OS provides this field via
-	// [Build](https://developer.android.com/reference/android/os/Build#MANUFACTURER).
-	// iOS apps SHOULD hardcode the value `Apple`.
-	DeviceManufacturerKey = attribute.Key("device.manufacturer")
-
-	// DeviceModelIdentifierKey is the attribute Key conforming to the
-	// "device.model.identifier" semantic conventions. It represents the model
-	// identifier for the device
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'iPhone3,4', 'SM-G920F'
-	// Note: It's recommended this value represents a machine-readable version
-	// of the model identifier rather than the market or consumer-friendly name
-	// of the device.
-	DeviceModelIdentifierKey = attribute.Key("device.model.identifier")
-
-	// DeviceModelNameKey is the attribute Key conforming to the
-	// "device.model.name" semantic conventions. It represents the marketing
-	// name for the device model
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'iPhone 6s Plus', 'Samsung Galaxy S6'
-	// Note: It's recommended this value represents a human-readable version of
-	// the device model rather than a machine-readable alternative.
-	DeviceModelNameKey = attribute.Key("device.model.name")
-)
-
-// DeviceID returns an attribute KeyValue conforming to the "device.id"
-// semantic conventions. It represents a unique identifier representing the
-// device
-func DeviceID(val string) attribute.KeyValue {
-	return DeviceIDKey.String(val)
-}
-
-// DeviceManufacturer returns an attribute KeyValue conforming to the
-// "device.manufacturer" semantic conventions. It represents the name of the
-// device manufacturer
-func DeviceManufacturer(val string) attribute.KeyValue {
-	return DeviceManufacturerKey.String(val)
-}
-
-// DeviceModelIdentifier returns an attribute KeyValue conforming to the
-// "device.model.identifier" semantic conventions. It represents the model
-// identifier for the device
-func DeviceModelIdentifier(val string) attribute.KeyValue {
-	return DeviceModelIdentifierKey.String(val)
-}
-
-// DeviceModelName returns an attribute KeyValue conforming to the
-// "device.model.name" semantic conventions. It represents the marketing name
-// for the device model
-func DeviceModelName(val string) attribute.KeyValue {
-	return DeviceModelNameKey.String(val)
-}
-
-// These attributes may be used for any disk related operation.
-const (
-	// DiskIoDirectionKey is the attribute Key conforming to the
-	// "disk.io.direction" semantic conventions. It represents the disk IO
-	// operation direction.
-	//
-	// Type: Enum
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'read'
-	DiskIoDirectionKey = attribute.Key("disk.io.direction")
-)
-
-var (
-	// read
-	DiskIoDirectionRead = DiskIoDirectionKey.String("read")
-	// write
-	DiskIoDirectionWrite = DiskIoDirectionKey.String("write")
-)
-
-// The shared attributes used to report a DNS query.
-const (
-	// DNSQuestionNameKey is the attribute Key conforming to the
-	// "dns.question.name" semantic conventions. It represents the name being
-	// queried.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'www.example.com', 'opentelemetry.io'
-	// Note: If the name field contains non-printable characters (below 32 or
-	// above 126), those characters should be represented as escaped base 10
-	// integers (\DDD). Back slashes and quotes should be escaped. Tabs,
-	// carriage returns, and line feeds should be converted to \t, \r, and \n
-	// respectively.
-	DNSQuestionNameKey = attribute.Key("dns.question.name")
-)
-
-// DNSQuestionName returns an attribute KeyValue conforming to the
-// "dns.question.name" semantic conventions. It represents the name being
-// queried.
-func DNSQuestionName(val string) attribute.KeyValue {
-	return DNSQuestionNameKey.String(val)
-}
-
-// Attributes for operations with an authenticated and/or authorized enduser.
-const (
-	// EnduserIDKey is the attribute Key conforming to the "enduser.id"
-	// semantic conventions. It represents the username or client_id extracted
-	// from the access token or
-	// [Authorization](https://tools.ietf.org/html/rfc7235#section-4.2) header
-	// in the inbound request from outside the system.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'username'
-	EnduserIDKey = attribute.Key("enduser.id")
-
-	// EnduserRoleKey is the attribute Key conforming to the "enduser.role"
-	// semantic conventions. It represents the actual/assumed role the client
-	// is making the request under extracted from token or application security
-	// context.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'admin'
-	EnduserRoleKey = attribute.Key("enduser.role")
-
-	// EnduserScopeKey is the attribute Key conforming to the "enduser.scope"
-	// semantic conventions. It represents the scopes or granted authorities
-	// the client currently possesses extracted from token or application
-	// security context. The value would come from the scope associated with an
-	// [OAuth 2.0 Access
-	// Token](https://tools.ietf.org/html/rfc6749#section-3.3) or an attribute
-	// value in a [SAML 2.0
-	// Assertion](http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html).
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'read:message, write:files'
-	EnduserScopeKey = attribute.Key("enduser.scope")
-)
-
-// EnduserID returns an attribute KeyValue conforming to the "enduser.id"
-// semantic conventions. It represents the username or client_id extracted from
-// the access token or
-// [Authorization](https://tools.ietf.org/html/rfc7235#section-4.2) header in
-// the inbound request from outside the system.
-func EnduserID(val string) attribute.KeyValue {
-	return EnduserIDKey.String(val)
-}
-
-// EnduserRole returns an attribute KeyValue conforming to the
-// "enduser.role" semantic conventions. It represents the actual/assumed role
-// the client is making the request under extracted from token or application
-// security context.
-func EnduserRole(val string) attribute.KeyValue {
-	return EnduserRoleKey.String(val)
-}
-
-// EnduserScope returns an attribute KeyValue conforming to the
-// "enduser.scope" semantic conventions. It represents the scopes or granted
-// authorities the client currently possesses extracted from token or
-// application security context. The value would come from the scope associated
-// with an [OAuth 2.0 Access
-// Token](https://tools.ietf.org/html/rfc6749#section-3.3) or an attribute
-// value in a [SAML 2.0
-// Assertion](http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html).
-func EnduserScope(val string) attribute.KeyValue {
-	return EnduserScopeKey.String(val)
-}
-
-// The shared attributes used to report an error.
-const (
-	// ErrorTypeKey is the attribute Key conforming to the "error.type"
-	// semantic conventions. It represents the describes a class of error the
-	// operation ended with.
-	//
-	// Type: Enum
-	// RequirementLevel: Optional
-	// Stability: stable
-	// Examples: 'timeout', 'java.net.UnknownHostException',
-	// 'server_certificate_invalid', '500'
-	// Note: The `error.type` SHOULD be predictable, and SHOULD have low
-	// cardinality.
-	//
-	// When `error.type` is set to a type (e.g., an exception type), its
-	// canonical class name identifying the type within the artifact SHOULD be
-	// used.
-	//
-	// Instrumentations SHOULD document the list of errors they report.
-	//
-	// The cardinality of `error.type` within one instrumentation library
-	// SHOULD be low.
-	// Telemetry consumers that aggregate data from multiple instrumentation
-	// libraries and applications
-	// should be prepared for `error.type` to have high cardinality at query
-	// time when no
-	// additional filters are applied.
-	//
-	// If the operation has completed successfully, instrumentations SHOULD NOT
-	// set `error.type`.
-	//
-	// If a specific domain defines its own set of error identifiers (such as
-	// HTTP or gRPC status codes),
-	// it's RECOMMENDED to:
-	//
-	// * Use a domain-specific attribute
-	// * Set `error.type` to capture all errors, regardless of whether they are
-	// defined within the domain-specific set or not.
-	ErrorTypeKey = attribute.Key("error.type")
-)
-
-var (
-	// A fallback error value to be used when the instrumentation doesn't define a custom value
-	ErrorTypeOther = ErrorTypeKey.String("_OTHER")
-)
-
-// Attributes for Events represented using Log Records.
-const (
-	// EventNameKey is the attribute Key conforming to the "event.name"
-	// semantic conventions. It represents the identifies the class / type of
-	// event.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'browser.mouse.click', 'device.app.lifecycle'
-	// Note: Event names are subject to the same rules as [attribute
-	// names](https://github.com/open-telemetry/opentelemetry-specification/tree/v1.33.0/specification/common/attribute-naming.md).
-	// Notably, event names are namespaced to avoid collisions and provide a
-	// clean separation of semantics for events in separate domains like
-	// browser, mobile, and kubernetes.
-	EventNameKey = attribute.Key("event.name")
-)
-
-// EventName returns an attribute KeyValue conforming to the "event.name"
-// semantic conventions. It represents the identifies the class / type of
-// event.
-func EventName(val string) attribute.KeyValue {
-	return EventNameKey.String(val)
-}
-
-// The shared attributes used to report a single exception associated with a
-// span or log.
-const (
-	// ExceptionEscapedKey is the attribute Key conforming to the
-	// "exception.escaped" semantic conventions. It represents the sHOULD be
-	// set to true if the exception event is recorded at a point where it is
-	// known that the exception is escaping the scope of the span.
-	//
-	// Type: boolean
-	// RequirementLevel: Optional
-	// Stability: stable
-	// Note: An exception is considered to have escaped (or left) the scope of
-	// a span,
-	// if that span is ended while the exception is still logically "in
-	// flight".
-	// This may be actually "in flight" in some languages (e.g. if the
-	// exception
-	// is passed to a Context manager's `__exit__` method in Python) but will
-	// usually be caught at the point of recording the exception in most
-	// languages.
-	//
-	// It is usually not possible to determine at the point where an exception
-	// is thrown
-	// whether it will escape the scope of a span.
-	// However, it is trivial to know that an exception
-	// will escape, if one checks for an active exception just before ending
-	// the span,
-	// as done in the [example for recording span
-	// exceptions](https://opentelemetry.io/docs/specs/semconv/exceptions/exceptions-spans/#recording-an-exception).
-	//
-	// It follows that an exception may still escape the scope of the span
-	// even if the `exception.escaped` attribute was not set or set to false,
-	// since the event might have been recorded at a time where it was not
-	// clear whether the exception will escape.
-	ExceptionEscapedKey = attribute.Key("exception.escaped")
-
-	// ExceptionMessageKey is the attribute Key conforming to the
-	// "exception.message" semantic conventions. It represents the exception
-	// message.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: stable
-	// Examples: 'Division by zero', "Can't convert 'int' object to str
-	// implicitly"
-	ExceptionMessageKey = attribute.Key("exception.message")
-
-	// ExceptionStacktraceKey is the attribute Key conforming to the
-	// "exception.stacktrace" semantic conventions. It represents a stacktrace
-	// as a string in the natural representation for the language runtime. The
-	// representation is to be determined and documented by each language SIG.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: stable
-	// Examples: 'Exception in thread "main" java.lang.RuntimeException: Test
-	// exception\\n at '
-	//  'com.example.GenerateTrace.methodB(GenerateTrace.java:13)\\n at '
-	//  'com.example.GenerateTrace.methodA(GenerateTrace.java:9)\\n at '
-	//  'com.example.GenerateTrace.main(GenerateTrace.java:5)'
-	ExceptionStacktraceKey = attribute.Key("exception.stacktrace")
-
-	// ExceptionTypeKey is the attribute Key conforming to the "exception.type"
-	// semantic conventions. It represents the type of the exception (its
-	// fully-qualified class name, if applicable). The dynamic type of the
-	// exception should be preferred over the static type in languages that
-	// support it.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: stable
-	// Examples: 'java.net.ConnectException', 'OSError'
-	ExceptionTypeKey = attribute.Key("exception.type")
-)
-
-// ExceptionEscaped returns an attribute KeyValue conforming to the
-// "exception.escaped" semantic conventions. It represents the sHOULD be set to
-// true if the exception event is recorded at a point where it is known that
-// the exception is escaping the scope of the span.
-func ExceptionEscaped(val bool) attribute.KeyValue {
-	return ExceptionEscapedKey.Bool(val)
-}
-
-// ExceptionMessage returns an attribute KeyValue conforming to the
-// "exception.message" semantic conventions. It represents the exception
-// message.
-func ExceptionMessage(val string) attribute.KeyValue {
-	return ExceptionMessageKey.String(val)
-}
-
-// ExceptionStacktrace returns an attribute KeyValue conforming to the
-// "exception.stacktrace" semantic conventions. It represents a stacktrace as a
-// string in the natural representation for the language runtime. The
-// representation is to be determined and documented by each language SIG.
-func ExceptionStacktrace(val string) attribute.KeyValue {
-	return ExceptionStacktraceKey.String(val)
-}
-
-// ExceptionType returns an attribute KeyValue conforming to the
-// "exception.type" semantic conventions. It represents the type of the
-// exception (its fully-qualified class name, if applicable). The dynamic type
-// of the exception should be preferred over the static type in languages that
-// support it.
-func ExceptionType(val string) attribute.KeyValue {
-	return ExceptionTypeKey.String(val)
-}
-
-// FaaS attributes
-const (
-	// FaaSColdstartKey is the attribute Key conforming to the "faas.coldstart"
-	// semantic conventions. It represents a boolean that is true if the
-	// serverless function is executed for the first time (aka cold-start).
-	//
-	// Type: boolean
-	// RequirementLevel: Optional
-	// Stability: experimental
-	FaaSColdstartKey = attribute.Key("faas.coldstart")
-
-	// FaaSCronKey is the attribute Key conforming to the "faas.cron" semantic
-	// conventions. It represents a string containing the schedule period as
-	// [Cron
-	// Expression](https://docs.oracle.com/cd/E12058_01/doc/doc.1014/e12030/cron_expressions.htm).
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: '0/5 * * * ? *'
-	FaaSCronKey = attribute.Key("faas.cron")
-
-	// FaaSDocumentCollectionKey is the attribute Key conforming to the
-	// "faas.document.collection" semantic conventions. It represents the name
-	// of the source on which the triggering operation was performed. For
-	// example, in Cloud Storage or S3 corresponds to the bucket name, and in
-	// Cosmos DB to the database name.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'myBucketName', 'myDBName'
-	FaaSDocumentCollectionKey = attribute.Key("faas.document.collection")
-
-	// FaaSDocumentNameKey is the attribute Key conforming to the
-	// "faas.document.name" semantic conventions. It represents the document
-	// name/table subjected to the operation. For example, in Cloud Storage or
-	// S3 is the name of the file, and in Cosmos DB the table name.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'myFile.txt', 'myTableName'
-	FaaSDocumentNameKey = attribute.Key("faas.document.name")
-
-	// FaaSDocumentOperationKey is the attribute Key conforming to the
-	// "faas.document.operation" semantic conventions. It represents the
-	// describes the type of the operation that was performed on the data.
-	//
-	// Type: Enum
-	// RequirementLevel: Optional
-	// Stability: experimental
-	FaaSDocumentOperationKey = attribute.Key("faas.document.operation")
-
-	// FaaSDocumentTimeKey is the attribute Key conforming to the
-	// "faas.document.time" semantic conventions. It represents a string
-	// containing the time when the data was accessed in the [ISO
-	// 8601](https://www.iso.org/iso-8601-date-and-time-format.html) format
-	// expressed in [UTC](https://www.w3.org/TR/NOTE-datetime).
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: '2020-01-23T13:47:06Z'
-	FaaSDocumentTimeKey = attribute.Key("faas.document.time")
-
-	// FaaSInstanceKey is the attribute Key conforming to the "faas.instance"
-	// semantic conventions. It represents the execution environment ID as a
-	// string, that will be potentially reused for other invocations to the
-	// same function/function version.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: '2021/06/28/[$LATEST]2f399eb14537447da05ab2a2e39309de'
-	// Note: * **AWS Lambda:** Use the (full) log stream name.
-	FaaSInstanceKey = attribute.Key("faas.instance")
-
-	// FaaSInvocationIDKey is the attribute Key conforming to the
-	// "faas.invocation_id" semantic conventions. It represents the invocation
-	// ID of the current function invocation.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'af9d5aa4-a685-4c5f-a22b-444f80b3cc28'
-	FaaSInvocationIDKey = attribute.Key("faas.invocation_id")
-
-	// FaaSInvokedNameKey is the attribute Key conforming to the
-	// "faas.invoked_name" semantic conventions. It represents the name of the
-	// invoked function.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'my-function'
-	// Note: SHOULD be equal to the `faas.name` resource attribute of the
-	// invoked function.
-	FaaSInvokedNameKey = attribute.Key("faas.invoked_name")
-
-	// FaaSInvokedProviderKey is the attribute Key conforming to the
-	// "faas.invoked_provider" semantic conventions. It represents the cloud
-	// provider of the invoked function.
-	//
-	// Type: Enum
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Note: SHOULD be equal to the `cloud.provider` resource attribute of the
-	// invoked function.
-	FaaSInvokedProviderKey = attribute.Key("faas.invoked_provider")
-
-	// FaaSInvokedRegionKey is the attribute Key conforming to the
-	// "faas.invoked_region" semantic conventions. It represents the cloud
-	// region of the invoked function.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'eu-central-1'
-	// Note: SHOULD be equal to the `cloud.region` resource attribute of the
-	// invoked function.
-	FaaSInvokedRegionKey = attribute.Key("faas.invoked_region")
-
-	// FaaSMaxMemoryKey is the attribute Key conforming to the
-	// "faas.max_memory" semantic conventions. It represents the amount of
-	// memory available to the serverless function converted to Bytes.
-	//
-	// Type: int
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 134217728
-	// Note: It's recommended to set this attribute since e.g. too little
-	// memory can easily stop a Java AWS Lambda function from working
-	// correctly. On AWS Lambda, the environment variable
-	// `AWS_LAMBDA_FUNCTION_MEMORY_SIZE` provides this information (which must
-	// be multiplied by 1,048,576).
-	FaaSMaxMemoryKey = attribute.Key("faas.max_memory")
-
-	// FaaSNameKey is the attribute Key conforming to the "faas.name" semantic
-	// conventions. It represents the name of the single function that this
-	// runtime instance executes.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'my-function', 'myazurefunctionapp/some-function-name'
-	// Note: This is the name of the function as configured/deployed on the
-	// FaaS
-	// platform and is usually different from the name of the callback
-	// function (which may be stored in the
-	// [`code.namespace`/`code.function`](/docs/general/attributes.md#source-code-attributes)
-	// span attributes).
-	//
-	// For some cloud providers, the above definition is ambiguous. The
-	// following
-	// definition of function name MUST be used for this attribute
-	// (and consequently the span name) for the listed cloud
-	// providers/products:
-	//
-	// * **Azure:**  The full name `/`, i.e., function app name
-	//   followed by a forward slash followed by the function name (this form
-	//   can also be seen in the resource JSON for the function).
-	//   This means that a span attribute MUST be used, as an Azure function
-	//   app can host multiple functions that would usually share
-	//   a TracerProvider (see also the `cloud.resource_id` attribute).
-	FaaSNameKey = attribute.Key("faas.name")
-
-	// FaaSTimeKey is the attribute Key conforming to the "faas.time" semantic
-	// conventions. It represents a string containing the function invocation
-	// time in the [ISO
-	// 8601](https://www.iso.org/iso-8601-date-and-time-format.html) format
-	// expressed in [UTC](https://www.w3.org/TR/NOTE-datetime).
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: '2020-01-23T13:47:06Z'
-	FaaSTimeKey = attribute.Key("faas.time")
-
-	// FaaSTriggerKey is the attribute Key conforming to the "faas.trigger"
-	// semantic conventions. It represents the type of the trigger which caused
-	// this function invocation.
-	//
-	// Type: Enum
-	// RequirementLevel: Optional
-	// Stability: experimental
-	FaaSTriggerKey = attribute.Key("faas.trigger")
-
-	// FaaSVersionKey is the attribute Key conforming to the "faas.version"
-	// semantic conventions. It represents the immutable version of the
-	// function being executed.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: '26', 'pinkfroid-00002'
-	// Note: Depending on the cloud provider and platform, use:
-	//
-	// * **AWS Lambda:** The [function
-	// version](https://docs.aws.amazon.com/lambda/latest/dg/configuration-versions.html)
-	//   (an integer represented as a decimal string).
-	// * **Google Cloud Run (Services):** The
-	// [revision](https://cloud.google.com/run/docs/managing/revisions)
-	//   (i.e., the function name plus the revision suffix).
-	// * **Google Cloud Functions:** The value of the
-	//   [`K_REVISION` environment
-	// variable](https://cloud.google.com/functions/docs/env-var#runtime_environment_variables_set_automatically).
-	// * **Azure Functions:** Not applicable. Do not set this attribute.
-	FaaSVersionKey = attribute.Key("faas.version")
-)
-
-var (
-	// When a new object is created
-	FaaSDocumentOperationInsert = FaaSDocumentOperationKey.String("insert")
-	// When an object is modified
-	FaaSDocumentOperationEdit = FaaSDocumentOperationKey.String("edit")
-	// When an object is deleted
-	FaaSDocumentOperationDelete = FaaSDocumentOperationKey.String("delete")
-)
-
-var (
-	// Alibaba Cloud
-	FaaSInvokedProviderAlibabaCloud = FaaSInvokedProviderKey.String("alibaba_cloud")
-	// Amazon Web Services
-	FaaSInvokedProviderAWS = FaaSInvokedProviderKey.String("aws")
-	// Microsoft Azure
-	FaaSInvokedProviderAzure = FaaSInvokedProviderKey.String("azure")
-	// Google Cloud Platform
-	FaaSInvokedProviderGCP = FaaSInvokedProviderKey.String("gcp")
-	// Tencent Cloud
-	FaaSInvokedProviderTencentCloud = FaaSInvokedProviderKey.String("tencent_cloud")
-)
-
-var (
-	// A response to some data source operation such as a database or filesystem read/write
-	FaaSTriggerDatasource = FaaSTriggerKey.String("datasource")
-	// To provide an answer to an inbound HTTP request
-	FaaSTriggerHTTP = FaaSTriggerKey.String("http")
-	// A function is set to be executed when messages are sent to a messaging system
-	FaaSTriggerPubsub = FaaSTriggerKey.String("pubsub")
-	// A function is scheduled to be executed regularly
-	FaaSTriggerTimer = FaaSTriggerKey.String("timer")
-	// If none of the others apply
-	FaaSTriggerOther = FaaSTriggerKey.String("other")
-)
-
-// FaaSColdstart returns an attribute KeyValue conforming to the
-// "faas.coldstart" semantic conventions. It represents a boolean that is true
-// if the serverless function is executed for the first time (aka cold-start).
-func FaaSColdstart(val bool) attribute.KeyValue {
-	return FaaSColdstartKey.Bool(val)
-}
-
-// FaaSCron returns an attribute KeyValue conforming to the "faas.cron"
-// semantic conventions. It represents a string containing the schedule period
-// as [Cron
-// Expression](https://docs.oracle.com/cd/E12058_01/doc/doc.1014/e12030/cron_expressions.htm).
-func FaaSCron(val string) attribute.KeyValue {
-	return FaaSCronKey.String(val)
-}
-
-// FaaSDocumentCollection returns an attribute KeyValue conforming to the
-// "faas.document.collection" semantic conventions. It represents the name of
-// the source on which the triggering operation was performed. For example, in
-// Cloud Storage or S3 corresponds to the bucket name, and in Cosmos DB to the
-// database name.
-func FaaSDocumentCollection(val string) attribute.KeyValue {
-	return FaaSDocumentCollectionKey.String(val)
-}
-
-// FaaSDocumentName returns an attribute KeyValue conforming to the
-// "faas.document.name" semantic conventions. It represents the document
-// name/table subjected to the operation. For example, in Cloud Storage or S3
-// is the name of the file, and in Cosmos DB the table name.
-func FaaSDocumentName(val string) attribute.KeyValue {
-	return FaaSDocumentNameKey.String(val)
-}
-
-// FaaSDocumentTime returns an attribute KeyValue conforming to the
-// "faas.document.time" semantic conventions. It represents a string containing
-// the time when the data was accessed in the [ISO
-// 8601](https://www.iso.org/iso-8601-date-and-time-format.html) format
-// expressed in [UTC](https://www.w3.org/TR/NOTE-datetime).
-func FaaSDocumentTime(val string) attribute.KeyValue {
-	return FaaSDocumentTimeKey.String(val)
-}
-
-// FaaSInstance returns an attribute KeyValue conforming to the
-// "faas.instance" semantic conventions. It represents the execution
-// environment ID as a string, that will be potentially reused for other
-// invocations to the same function/function version.
-func FaaSInstance(val string) attribute.KeyValue {
-	return FaaSInstanceKey.String(val)
-}
-
-// FaaSInvocationID returns an attribute KeyValue conforming to the
-// "faas.invocation_id" semantic conventions. It represents the invocation ID
-// of the current function invocation.
-func FaaSInvocationID(val string) attribute.KeyValue {
-	return FaaSInvocationIDKey.String(val)
-}
-
-// FaaSInvokedName returns an attribute KeyValue conforming to the
-// "faas.invoked_name" semantic conventions. It represents the name of the
-// invoked function.
-func FaaSInvokedName(val string) attribute.KeyValue {
-	return FaaSInvokedNameKey.String(val)
-}
-
-// FaaSInvokedRegion returns an attribute KeyValue conforming to the
-// "faas.invoked_region" semantic conventions. It represents the cloud region
-// of the invoked function.
-func FaaSInvokedRegion(val string) attribute.KeyValue {
-	return FaaSInvokedRegionKey.String(val)
-}
-
-// FaaSMaxMemory returns an attribute KeyValue conforming to the
-// "faas.max_memory" semantic conventions. It represents the amount of memory
-// available to the serverless function converted to Bytes.
-func FaaSMaxMemory(val int) attribute.KeyValue {
-	return FaaSMaxMemoryKey.Int(val)
-}
-
-// FaaSName returns an attribute KeyValue conforming to the "faas.name"
-// semantic conventions. It represents the name of the single function that
-// this runtime instance executes.
-func FaaSName(val string) attribute.KeyValue {
-	return FaaSNameKey.String(val)
-}
-
-// FaaSTime returns an attribute KeyValue conforming to the "faas.time"
-// semantic conventions. It represents a string containing the function
-// invocation time in the [ISO
-// 8601](https://www.iso.org/iso-8601-date-and-time-format.html) format
-// expressed in [UTC](https://www.w3.org/TR/NOTE-datetime).
-func FaaSTime(val string) attribute.KeyValue {
-	return FaaSTimeKey.String(val)
-}
-
-// FaaSVersion returns an attribute KeyValue conforming to the
-// "faas.version" semantic conventions. It represents the immutable version of
-// the function being executed.
-func FaaSVersion(val string) attribute.KeyValue {
-	return FaaSVersionKey.String(val)
-}
-
-// Attributes for Feature Flags.
-const (
-	// FeatureFlagKeyKey is the attribute Key conforming to the
-	// "feature_flag.key" semantic conventions. It represents the unique
-	// identifier of the feature flag.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'logo-color'
-	FeatureFlagKeyKey = attribute.Key("feature_flag.key")
-
-	// FeatureFlagProviderNameKey is the attribute Key conforming to the
-	// "feature_flag.provider_name" semantic conventions. It represents the
-	// name of the service provider that performs the flag evaluation.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'Flag Manager'
-	FeatureFlagProviderNameKey = attribute.Key("feature_flag.provider_name")
-
-	// FeatureFlagVariantKey is the attribute Key conforming to the
-	// "feature_flag.variant" semantic conventions. It represents the sHOULD be
-	// a semantic identifier for a value. If one is unavailable, a stringified
-	// version of the value can be used.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'red', 'true', 'on'
-	// Note: A semantic identifier, commonly referred to as a variant, provides
-	// a means
-	// for referring to a value without including the value itself. This can
-	// provide additional context for understanding the meaning behind a value.
-	// For example, the variant `red` maybe be used for the value `#c05543`.
-	//
-	// A stringified version of the value can be used in situations where a
-	// semantic identifier is unavailable. String representation of the value
-	// should be determined by the implementer.
-	FeatureFlagVariantKey = attribute.Key("feature_flag.variant")
-)
-
-// FeatureFlagKey returns an attribute KeyValue conforming to the
-// "feature_flag.key" semantic conventions. It represents the unique identifier
-// of the feature flag.
-func FeatureFlagKey(val string) attribute.KeyValue {
-	return FeatureFlagKeyKey.String(val)
-}
-
-// FeatureFlagProviderName returns an attribute KeyValue conforming to the
-// "feature_flag.provider_name" semantic conventions. It represents the name of
-// the service provider that performs the flag evaluation.
-func FeatureFlagProviderName(val string) attribute.KeyValue {
-	return FeatureFlagProviderNameKey.String(val)
-}
-
-// FeatureFlagVariant returns an attribute KeyValue conforming to the
-// "feature_flag.variant" semantic conventions. It represents the sHOULD be a
-// semantic identifier for a value. If one is unavailable, a stringified
-// version of the value can be used.
-func FeatureFlagVariant(val string) attribute.KeyValue {
-	return FeatureFlagVariantKey.String(val)
-}
-
-// Describes file attributes.
-const (
-	// FileDirectoryKey is the attribute Key conforming to the "file.directory"
-	// semantic conventions. It represents the directory where the file is
-	// located. It should include the drive letter, when appropriate.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: '/home/user', 'C:\\Program Files\\MyApp'
-	FileDirectoryKey = attribute.Key("file.directory")
-
-	// FileExtensionKey is the attribute Key conforming to the "file.extension"
-	// semantic conventions. It represents the file extension, excluding the
-	// leading dot.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'png', 'gz'
-	// Note: When the file name has multiple extensions (example.tar.gz), only
-	// the last one should be captured ("gz", not "tar.gz").
-	FileExtensionKey = attribute.Key("file.extension")
-
-	// FileNameKey is the attribute Key conforming to the "file.name" semantic
-	// conventions. It represents the name of the file including the extension,
-	// without the directory.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'example.png'
-	FileNameKey = attribute.Key("file.name")
-
-	// FilePathKey is the attribute Key conforming to the "file.path" semantic
-	// conventions. It represents the full path to the file, including the file
-	// name. It should include the drive letter, when appropriate.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: '/home/alice/example.png', 'C:\\Program
-	// Files\\MyApp\\myapp.exe'
-	FilePathKey = attribute.Key("file.path")
-
-	// FileSizeKey is the attribute Key conforming to the "file.size" semantic
-	// conventions. It represents the file size in bytes.
-	//
-	// Type: int
-	// RequirementLevel: Optional
-	// Stability: experimental
-	FileSizeKey = attribute.Key("file.size")
-)
-
-// FileDirectory returns an attribute KeyValue conforming to the
-// "file.directory" semantic conventions. It represents the directory where the
-// file is located. It should include the drive letter, when appropriate.
-func FileDirectory(val string) attribute.KeyValue {
-	return FileDirectoryKey.String(val)
-}
-
-// FileExtension returns an attribute KeyValue conforming to the
-// "file.extension" semantic conventions. It represents the file extension,
-// excluding the leading dot.
-func FileExtension(val string) attribute.KeyValue {
-	return FileExtensionKey.String(val)
-}
-
-// FileName returns an attribute KeyValue conforming to the "file.name"
-// semantic conventions. It represents the name of the file including the
-// extension, without the directory.
-func FileName(val string) attribute.KeyValue {
-	return FileNameKey.String(val)
-}
-
-// FilePath returns an attribute KeyValue conforming to the "file.path"
-// semantic conventions. It represents the full path to the file, including the
-// file name. It should include the drive letter, when appropriate.
-func FilePath(val string) attribute.KeyValue {
-	return FilePathKey.String(val)
-}
-
-// FileSize returns an attribute KeyValue conforming to the "file.size"
-// semantic conventions. It represents the file size in bytes.
-func FileSize(val int) attribute.KeyValue {
-	return FileSizeKey.Int(val)
-}
-
-// Attributes for Google Cloud Run.
-const (
-	// GCPCloudRunJobExecutionKey is the attribute Key conforming to the
-	// "gcp.cloud_run.job.execution" semantic conventions. It represents the
-	// name of the Cloud Run
-	// [execution](https://cloud.google.com/run/docs/managing/job-executions)
-	// being run for the Job, as set by the
-	// [`CLOUD_RUN_EXECUTION`](https://cloud.google.com/run/docs/container-contract#jobs-env-vars)
-	// environment variable.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'job-name-xxxx', 'sample-job-mdw84'
-	GCPCloudRunJobExecutionKey = attribute.Key("gcp.cloud_run.job.execution")
-
-	// GCPCloudRunJobTaskIndexKey is the attribute Key conforming to the
-	// "gcp.cloud_run.job.task_index" semantic conventions. It represents the
-	// index for a task within an execution as provided by the
-	// [`CLOUD_RUN_TASK_INDEX`](https://cloud.google.com/run/docs/container-contract#jobs-env-vars)
-	// environment variable.
-	//
-	// Type: int
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 0, 1
-	GCPCloudRunJobTaskIndexKey = attribute.Key("gcp.cloud_run.job.task_index")
-)
-
-// GCPCloudRunJobExecution returns an attribute KeyValue conforming to the
-// "gcp.cloud_run.job.execution" semantic conventions. It represents the name
-// of the Cloud Run
-// [execution](https://cloud.google.com/run/docs/managing/job-executions) being
-// run for the Job, as set by the
-// [`CLOUD_RUN_EXECUTION`](https://cloud.google.com/run/docs/container-contract#jobs-env-vars)
-// environment variable.
-func GCPCloudRunJobExecution(val string) attribute.KeyValue {
-	return GCPCloudRunJobExecutionKey.String(val)
-}
-
-// GCPCloudRunJobTaskIndex returns an attribute KeyValue conforming to the
-// "gcp.cloud_run.job.task_index" semantic conventions. It represents the index
-// for a task within an execution as provided by the
-// [`CLOUD_RUN_TASK_INDEX`](https://cloud.google.com/run/docs/container-contract#jobs-env-vars)
-// environment variable.
-func GCPCloudRunJobTaskIndex(val int) attribute.KeyValue {
-	return GCPCloudRunJobTaskIndexKey.Int(val)
-}
-
-// Attributes for Google Compute Engine (GCE).
-const (
-	// GCPGceInstanceHostnameKey is the attribute Key conforming to the
-	// "gcp.gce.instance.hostname" semantic conventions. It represents the
-	// hostname of a GCE instance. This is the full value of the default or
-	// [custom
-	// hostname](https://cloud.google.com/compute/docs/instances/custom-hostname-vm).
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'my-host1234.example.com',
-	// 'sample-vm.us-west1-b.c.my-project.internal'
-	GCPGceInstanceHostnameKey = attribute.Key("gcp.gce.instance.hostname")
-
-	// GCPGceInstanceNameKey is the attribute Key conforming to the
-	// "gcp.gce.instance.name" semantic conventions. It represents the instance
-	// name of a GCE instance. This is the value provided by `host.name`, the
-	// visible name of the instance in the Cloud Console UI, and the prefix for
-	// the default hostname of the instance as defined by the [default internal
-	// DNS
-	// name](https://cloud.google.com/compute/docs/internal-dns#instance-fully-qualified-domain-names).
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'instance-1', 'my-vm-name'
-	GCPGceInstanceNameKey = attribute.Key("gcp.gce.instance.name")
-)
-
-// GCPGceInstanceHostname returns an attribute KeyValue conforming to the
-// "gcp.gce.instance.hostname" semantic conventions. It represents the hostname
-// of a GCE instance. This is the full value of the default or [custom
-// hostname](https://cloud.google.com/compute/docs/instances/custom-hostname-vm).
-func GCPGceInstanceHostname(val string) attribute.KeyValue {
-	return GCPGceInstanceHostnameKey.String(val)
-}
-
-// GCPGceInstanceName returns an attribute KeyValue conforming to the
-// "gcp.gce.instance.name" semantic conventions. It represents the instance
-// name of a GCE instance. This is the value provided by `host.name`, the
-// visible name of the instance in the Cloud Console UI, and the prefix for the
-// default hostname of the instance as defined by the [default internal DNS
-// name](https://cloud.google.com/compute/docs/internal-dns#instance-fully-qualified-domain-names).
-func GCPGceInstanceName(val string) attribute.KeyValue {
-	return GCPGceInstanceNameKey.String(val)
-}
-
-// The attributes used to describe telemetry in the context of LLM (Large
-// Language Models) requests and responses.
-const (
-	// GenAiCompletionKey is the attribute Key conforming to the
-	// "gen_ai.completion" semantic conventions. It represents the full
-	// response received from the LLM.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: "[{'role': 'assistant', 'content': 'The capital of France is
-	// Paris.'}]"
-	// Note: It's RECOMMENDED to format completions as JSON string matching
-	// [OpenAI messages
-	// format](https://platform.openai.com/docs/guides/text-generation)
-	GenAiCompletionKey = attribute.Key("gen_ai.completion")
-
-	// GenAiPromptKey is the attribute Key conforming to the "gen_ai.prompt"
-	// semantic conventions. It represents the full prompt sent to an LLM.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: "[{'role': 'user', 'content': 'What is the capital of
-	// France?'}]"
-	// Note: It's RECOMMENDED to format prompts as JSON string matching [OpenAI
-	// messages
-	// format](https://platform.openai.com/docs/guides/text-generation)
-	GenAiPromptKey = attribute.Key("gen_ai.prompt")
-
-	// GenAiRequestMaxTokensKey is the attribute Key conforming to the
-	// "gen_ai.request.max_tokens" semantic conventions. It represents the
-	// maximum number of tokens the LLM generates for a request.
-	//
-	// Type: int
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 100
-	GenAiRequestMaxTokensKey = attribute.Key("gen_ai.request.max_tokens")
-
-	// GenAiRequestModelKey is the attribute Key conforming to the
-	// "gen_ai.request.model" semantic conventions. It represents the name of
-	// the LLM a request is being made to.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'gpt-4'
-	GenAiRequestModelKey = attribute.Key("gen_ai.request.model")
-
-	// GenAiRequestTemperatureKey is the attribute Key conforming to the
-	// "gen_ai.request.temperature" semantic conventions. It represents the
-	// temperature setting for the LLM request.
-	//
-	// Type: double
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 0.0
-	GenAiRequestTemperatureKey = attribute.Key("gen_ai.request.temperature")
-
-	// GenAiRequestTopPKey is the attribute Key conforming to the
-	// "gen_ai.request.top_p" semantic conventions. It represents the top_p
-	// sampling setting for the LLM request.
-	//
-	// Type: double
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 1.0
-	GenAiRequestTopPKey = attribute.Key("gen_ai.request.top_p")
-
-	// GenAiResponseFinishReasonsKey is the attribute Key conforming to the
-	// "gen_ai.response.finish_reasons" semantic conventions. It represents the
-	// array of reasons the model stopped generating tokens, corresponding to
-	// each generation received.
-	//
-	// Type: string[]
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'stop'
-	GenAiResponseFinishReasonsKey = attribute.Key("gen_ai.response.finish_reasons")
-
-	// GenAiResponseIDKey is the attribute Key conforming to the
-	// "gen_ai.response.id" semantic conventions. It represents the unique
-	// identifier for the completion.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'chatcmpl-123'
-	GenAiResponseIDKey = attribute.Key("gen_ai.response.id")
-
-	// GenAiResponseModelKey is the attribute Key conforming to the
-	// "gen_ai.response.model" semantic conventions. It represents the name of
-	// the LLM a response was generated from.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'gpt-4-0613'
-	GenAiResponseModelKey = attribute.Key("gen_ai.response.model")
-
-	// GenAiSystemKey is the attribute Key conforming to the "gen_ai.system"
-	// semantic conventions. It represents the Generative AI product as
-	// identified by the client instrumentation.
-	//
-	// Type: Enum
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'openai'
-	// Note: The actual GenAI product may differ from the one identified by the
-	// client. For example, when using OpenAI client libraries to communicate
-	// with Mistral, the `gen_ai.system` is set to `openai` based on the
-	// instrumentation's best knowledge.
-	GenAiSystemKey = attribute.Key("gen_ai.system")
-
-	// GenAiUsageCompletionTokensKey is the attribute Key conforming to the
-	// "gen_ai.usage.completion_tokens" semantic conventions. It represents the
-	// number of tokens used in the LLM response (completion).
-	//
-	// Type: int
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 180
-	GenAiUsageCompletionTokensKey = attribute.Key("gen_ai.usage.completion_tokens")
-
-	// GenAiUsagePromptTokensKey is the attribute Key conforming to the
-	// "gen_ai.usage.prompt_tokens" semantic conventions. It represents the
-	// number of tokens used in the LLM prompt.
-	//
-	// Type: int
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 100
-	GenAiUsagePromptTokensKey = attribute.Key("gen_ai.usage.prompt_tokens")
-)
-
-var (
-	// OpenAI
-	GenAiSystemOpenai = GenAiSystemKey.String("openai")
-)
-
-// GenAiCompletion returns an attribute KeyValue conforming to the
-// "gen_ai.completion" semantic conventions. It represents the full response
-// received from the LLM.
-func GenAiCompletion(val string) attribute.KeyValue {
-	return GenAiCompletionKey.String(val)
-}
-
-// GenAiPrompt returns an attribute KeyValue conforming to the
-// "gen_ai.prompt" semantic conventions. It represents the full prompt sent to
-// an LLM.
-func GenAiPrompt(val string) attribute.KeyValue {
-	return GenAiPromptKey.String(val)
-}
-
-// GenAiRequestMaxTokens returns an attribute KeyValue conforming to the
-// "gen_ai.request.max_tokens" semantic conventions. It represents the maximum
-// number of tokens the LLM generates for a request.
-func GenAiRequestMaxTokens(val int) attribute.KeyValue {
-	return GenAiRequestMaxTokensKey.Int(val)
-}
-
-// GenAiRequestModel returns an attribute KeyValue conforming to the
-// "gen_ai.request.model" semantic conventions. It represents the name of the
-// LLM a request is being made to.
-func GenAiRequestModel(val string) attribute.KeyValue {
-	return GenAiRequestModelKey.String(val)
-}
-
-// GenAiRequestTemperature returns an attribute KeyValue conforming to the
-// "gen_ai.request.temperature" semantic conventions. It represents the
-// temperature setting for the LLM request.
-func GenAiRequestTemperature(val float64) attribute.KeyValue {
-	return GenAiRequestTemperatureKey.Float64(val)
-}
-
-// GenAiRequestTopP returns an attribute KeyValue conforming to the
-// "gen_ai.request.top_p" semantic conventions. It represents the top_p
-// sampling setting for the LLM request.
-func GenAiRequestTopP(val float64) attribute.KeyValue {
-	return GenAiRequestTopPKey.Float64(val)
-}
-
-// GenAiResponseFinishReasons returns an attribute KeyValue conforming to
-// the "gen_ai.response.finish_reasons" semantic conventions. It represents the
-// array of reasons the model stopped generating tokens, corresponding to each
-// generation received.
-func GenAiResponseFinishReasons(val ...string) attribute.KeyValue {
-	return GenAiResponseFinishReasonsKey.StringSlice(val)
-}
-
-// GenAiResponseID returns an attribute KeyValue conforming to the
-// "gen_ai.response.id" semantic conventions. It represents the unique
-// identifier for the completion.
-func GenAiResponseID(val string) attribute.KeyValue {
-	return GenAiResponseIDKey.String(val)
-}
-
-// GenAiResponseModel returns an attribute KeyValue conforming to the
-// "gen_ai.response.model" semantic conventions. It represents the name of the
-// LLM a response was generated from.
-func GenAiResponseModel(val string) attribute.KeyValue {
-	return GenAiResponseModelKey.String(val)
-}
-
-// GenAiUsageCompletionTokens returns an attribute KeyValue conforming to
-// the "gen_ai.usage.completion_tokens" semantic conventions. It represents the
-// number of tokens used in the LLM response (completion).
-func GenAiUsageCompletionTokens(val int) attribute.KeyValue {
-	return GenAiUsageCompletionTokensKey.Int(val)
-}
-
-// GenAiUsagePromptTokens returns an attribute KeyValue conforming to the
-// "gen_ai.usage.prompt_tokens" semantic conventions. It represents the number
-// of tokens used in the LLM prompt.
-func GenAiUsagePromptTokens(val int) attribute.KeyValue {
-	return GenAiUsagePromptTokensKey.Int(val)
-}
-
-// Attributes for GraphQL.
-const (
-	// GraphqlDocumentKey is the attribute Key conforming to the
-	// "graphql.document" semantic conventions. It represents the GraphQL
-	// document being executed.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'query findBookByID { bookByID(id: ?) { name } }'
-	// Note: The value may be sanitized to exclude sensitive information.
-	GraphqlDocumentKey = attribute.Key("graphql.document")
-
-	// GraphqlOperationNameKey is the attribute Key conforming to the
-	// "graphql.operation.name" semantic conventions. It represents the name of
-	// the operation being executed.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'findBookByID'
-	GraphqlOperationNameKey = attribute.Key("graphql.operation.name")
-
-	// GraphqlOperationTypeKey is the attribute Key conforming to the
-	// "graphql.operation.type" semantic conventions. It represents the type of
-	// the operation being executed.
-	//
-	// Type: Enum
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'query', 'mutation', 'subscription'
-	GraphqlOperationTypeKey = attribute.Key("graphql.operation.type")
-)
-
-var (
-	// GraphQL query
-	GraphqlOperationTypeQuery = GraphqlOperationTypeKey.String("query")
-	// GraphQL mutation
-	GraphqlOperationTypeMutation = GraphqlOperationTypeKey.String("mutation")
-	// GraphQL subscription
-	GraphqlOperationTypeSubscription = GraphqlOperationTypeKey.String("subscription")
-)
-
-// GraphqlDocument returns an attribute KeyValue conforming to the
-// "graphql.document" semantic conventions. It represents the GraphQL document
-// being executed.
-func GraphqlDocument(val string) attribute.KeyValue {
-	return GraphqlDocumentKey.String(val)
-}
-
-// GraphqlOperationName returns an attribute KeyValue conforming to the
-// "graphql.operation.name" semantic conventions. It represents the name of the
-// operation being executed.
-func GraphqlOperationName(val string) attribute.KeyValue {
-	return GraphqlOperationNameKey.String(val)
-}
-
-// Attributes for the Android platform on which the Android application is
-// running.
-const (
-	// HerokuAppIDKey is the attribute Key conforming to the "heroku.app.id"
-	// semantic conventions. It represents the unique identifier for the
-	// application
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: '2daa2797-e42b-4624-9322-ec3f968df4da'
-	HerokuAppIDKey = attribute.Key("heroku.app.id")
-
-	// HerokuReleaseCommitKey is the attribute Key conforming to the
-	// "heroku.release.commit" semantic conventions. It represents the commit
-	// hash for the current release
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'e6134959463efd8966b20e75b913cafe3f5ec'
-	HerokuReleaseCommitKey = attribute.Key("heroku.release.commit")
-
-	// HerokuReleaseCreationTimestampKey is the attribute Key conforming to the
-	// "heroku.release.creation_timestamp" semantic conventions. It represents
-	// the time and date the release was created
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: '2022-10-23T18:00:42Z'
-	HerokuReleaseCreationTimestampKey = attribute.Key("heroku.release.creation_timestamp")
-)
-
-// HerokuAppID returns an attribute KeyValue conforming to the
-// "heroku.app.id" semantic conventions. It represents the unique identifier
-// for the application
-func HerokuAppID(val string) attribute.KeyValue {
-	return HerokuAppIDKey.String(val)
-}
-
-// HerokuReleaseCommit returns an attribute KeyValue conforming to the
-// "heroku.release.commit" semantic conventions. It represents the commit hash
-// for the current release
-func HerokuReleaseCommit(val string) attribute.KeyValue {
-	return HerokuReleaseCommitKey.String(val)
-}
-
-// HerokuReleaseCreationTimestamp returns an attribute KeyValue conforming
-// to the "heroku.release.creation_timestamp" semantic conventions. It
-// represents the time and date the release was created
-func HerokuReleaseCreationTimestamp(val string) attribute.KeyValue {
-	return HerokuReleaseCreationTimestampKey.String(val)
-}
-
-// A host is defined as a computing instance. For example, physical servers,
-// virtual machines, switches or disk array.
-const (
-	// HostArchKey is the attribute Key conforming to the "host.arch" semantic
-	// conventions. It represents the CPU architecture the host system is
-	// running on.
-	//
-	// Type: Enum
-	// RequirementLevel: Optional
-	// Stability: experimental
-	HostArchKey = attribute.Key("host.arch")
-
-	// HostCPUCacheL2SizeKey is the attribute Key conforming to the
-	// "host.cpu.cache.l2.size" semantic conventions. It represents the amount
-	// of level 2 memory cache available to the processor (in Bytes).
-	//
-	// Type: int
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 12288000
-	HostCPUCacheL2SizeKey = attribute.Key("host.cpu.cache.l2.size")
-
-	// HostCPUFamilyKey is the attribute Key conforming to the
-	// "host.cpu.family" semantic conventions. It represents the family or
-	// generation of the CPU.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: '6', 'PA-RISC 1.1e'
-	HostCPUFamilyKey = attribute.Key("host.cpu.family")
-
-	// HostCPUModelIDKey is the attribute Key conforming to the
-	// "host.cpu.model.id" semantic conventions. It represents the model
-	// identifier. It provides more granular information about the CPU,
-	// distinguishing it from other CPUs within the same family.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: '6', '9000/778/B180L'
-	HostCPUModelIDKey = attribute.Key("host.cpu.model.id")
-
-	// HostCPUModelNameKey is the attribute Key conforming to the
-	// "host.cpu.model.name" semantic conventions. It represents the model
-	// designation of the processor.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: '11th Gen Intel(R) Core(TM) i7-1185G7 @ 3.00GHz'
-	HostCPUModelNameKey = attribute.Key("host.cpu.model.name")
-
-	// HostCPUSteppingKey is the attribute Key conforming to the
-	// "host.cpu.stepping" semantic conventions. It represents the stepping or
-	// core revisions.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: '1', 'r1p1'
-	HostCPUSteppingKey = attribute.Key("host.cpu.stepping")
-
-	// HostCPUVendorIDKey is the attribute Key conforming to the
-	// "host.cpu.vendor.id" semantic conventions. It represents the processor
-	// manufacturer identifier. A maximum 12-character string.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'GenuineIntel'
-	// Note: [CPUID](https://wiki.osdev.org/CPUID) command returns the vendor
-	// ID string in EBX, EDX and ECX registers. Writing these to memory in this
-	// order results in a 12-character string.
-	HostCPUVendorIDKey = attribute.Key("host.cpu.vendor.id")
-
-	// HostIDKey is the attribute Key conforming to the "host.id" semantic
-	// conventions. It represents the unique host ID. For Cloud, this must be
-	// the instance_id assigned by the cloud provider. For non-containerized
-	// systems, this should be the `machine-id`. See the table below for the
-	// sources to use to determine the `machine-id` based on operating system.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'fdbf79e8af94cb7f9e8df36789187052'
-	HostIDKey = attribute.Key("host.id")
-
-	// HostImageIDKey is the attribute Key conforming to the "host.image.id"
-	// semantic conventions. It represents the vM image ID or host OS image ID.
-	// For Cloud, this value is from the provider.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'ami-07b06b442921831e5'
-	HostImageIDKey = attribute.Key("host.image.id")
-
-	// HostImageNameKey is the attribute Key conforming to the
-	// "host.image.name" semantic conventions. It represents the name of the VM
-	// image or OS install the host was instantiated from.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'infra-ami-eks-worker-node-7d4ec78312', 'CentOS-8-x86_64-1905'
-	HostImageNameKey = attribute.Key("host.image.name")
-
-	// HostImageVersionKey is the attribute Key conforming to the
-	// "host.image.version" semantic conventions. It represents the version
-	// string of the VM image or host OS as defined in [Version
-	// Attributes](/docs/resource/README.md#version-attributes).
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: '0.1'
-	HostImageVersionKey = attribute.Key("host.image.version")
-
-	// HostIPKey is the attribute Key conforming to the "host.ip" semantic
-	// conventions. It represents the available IP addresses of the host,
-	// excluding loopback interfaces.
-	//
-	// Type: string[]
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: '192.168.1.140', 'fe80::abc2:4a28:737a:609e'
-	// Note: IPv4 Addresses MUST be specified in dotted-quad notation. IPv6
-	// addresses MUST be specified in the [RFC
-	// 5952](https://www.rfc-editor.org/rfc/rfc5952.html) format.
-	HostIPKey = attribute.Key("host.ip")
-
-	// HostMacKey is the attribute Key conforming to the "host.mac" semantic
-	// conventions. It represents the available MAC addresses of the host,
-	// excluding loopback interfaces.
-	//
-	// Type: string[]
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'AC-DE-48-23-45-67', 'AC-DE-48-23-45-67-01-9F'
-	// Note: MAC Addresses MUST be represented in [IEEE RA hexadecimal
-	// form](https://standards.ieee.org/wp-content/uploads/import/documents/tutorials/eui.pdf):
-	// as hyphen-separated octets in uppercase hexadecimal form from most to
-	// least significant.
-	HostMacKey = attribute.Key("host.mac")
-
-	// HostNameKey is the attribute Key conforming to the "host.name" semantic
-	// conventions. It represents the name of the host. On Unix systems, it may
-	// contain what the hostname command returns, or the fully qualified
-	// hostname, or another name specified by the user.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'opentelemetry-test'
-	HostNameKey = attribute.Key("host.name")
-
-	// HostTypeKey is the attribute Key conforming to the "host.type" semantic
-	// conventions. It represents the type of host. For Cloud, this must be the
-	// machine type.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'n1-standard-1'
-	HostTypeKey = attribute.Key("host.type")
-)
-
-var (
-	// AMD64
-	HostArchAMD64 = HostArchKey.String("amd64")
-	// ARM32
-	HostArchARM32 = HostArchKey.String("arm32")
-	// ARM64
-	HostArchARM64 = HostArchKey.String("arm64")
-	// Itanium
-	HostArchIA64 = HostArchKey.String("ia64")
-	// 32-bit PowerPC
-	HostArchPPC32 = HostArchKey.String("ppc32")
-	// 64-bit PowerPC
-	HostArchPPC64 = HostArchKey.String("ppc64")
-	// IBM z/Architecture
-	HostArchS390x = HostArchKey.String("s390x")
-	// 32-bit x86
-	HostArchX86 = HostArchKey.String("x86")
-)
-
-// HostCPUCacheL2Size returns an attribute KeyValue conforming to the
-// "host.cpu.cache.l2.size" semantic conventions. It represents the amount of
-// level 2 memory cache available to the processor (in Bytes).
-func HostCPUCacheL2Size(val int) attribute.KeyValue {
-	return HostCPUCacheL2SizeKey.Int(val)
-}
-
-// HostCPUFamily returns an attribute KeyValue conforming to the
-// "host.cpu.family" semantic conventions. It represents the family or
-// generation of the CPU.
-func HostCPUFamily(val string) attribute.KeyValue {
-	return HostCPUFamilyKey.String(val)
-}
-
-// HostCPUModelID returns an attribute KeyValue conforming to the
-// "host.cpu.model.id" semantic conventions. It represents the model
-// identifier. It provides more granular information about the CPU,
-// distinguishing it from other CPUs within the same family.
-func HostCPUModelID(val string) attribute.KeyValue {
-	return HostCPUModelIDKey.String(val)
-}
-
-// HostCPUModelName returns an attribute KeyValue conforming to the
-// "host.cpu.model.name" semantic conventions. It represents the model
-// designation of the processor.
-func HostCPUModelName(val string) attribute.KeyValue {
-	return HostCPUModelNameKey.String(val)
-}
-
-// HostCPUStepping returns an attribute KeyValue conforming to the
-// "host.cpu.stepping" semantic conventions. It represents the stepping or core
-// revisions.
-func HostCPUStepping(val string) attribute.KeyValue {
-	return HostCPUSteppingKey.String(val)
-}
-
-// HostCPUVendorID returns an attribute KeyValue conforming to the
-// "host.cpu.vendor.id" semantic conventions. It represents the processor
-// manufacturer identifier. A maximum 12-character string.
-func HostCPUVendorID(val string) attribute.KeyValue {
-	return HostCPUVendorIDKey.String(val)
-}
-
-// HostID returns an attribute KeyValue conforming to the "host.id" semantic
-// conventions. It represents the unique host ID. For Cloud, this must be the
-// instance_id assigned by the cloud provider. For non-containerized systems,
-// this should be the `machine-id`. See the table below for the sources to use
-// to determine the `machine-id` based on operating system.
-func HostID(val string) attribute.KeyValue {
-	return HostIDKey.String(val)
-}
-
-// HostImageID returns an attribute KeyValue conforming to the
-// "host.image.id" semantic conventions. It represents the vM image ID or host
-// OS image ID. For Cloud, this value is from the provider.
-func HostImageID(val string) attribute.KeyValue {
-	return HostImageIDKey.String(val)
-}
-
-// HostImageName returns an attribute KeyValue conforming to the
-// "host.image.name" semantic conventions. It represents the name of the VM
-// image or OS install the host was instantiated from.
-func HostImageName(val string) attribute.KeyValue {
-	return HostImageNameKey.String(val)
-}
-
-// HostImageVersion returns an attribute KeyValue conforming to the
-// "host.image.version" semantic conventions. It represents the version string
-// of the VM image or host OS as defined in [Version
-// Attributes](/docs/resource/README.md#version-attributes).
-func HostImageVersion(val string) attribute.KeyValue {
-	return HostImageVersionKey.String(val)
-}
-
-// HostIP returns an attribute KeyValue conforming to the "host.ip" semantic
-// conventions. It represents the available IP addresses of the host, excluding
-// loopback interfaces.
-func HostIP(val ...string) attribute.KeyValue {
-	return HostIPKey.StringSlice(val)
-}
-
-// HostMac returns an attribute KeyValue conforming to the "host.mac"
-// semantic conventions. It represents the available MAC addresses of the host,
-// excluding loopback interfaces.
-func HostMac(val ...string) attribute.KeyValue {
-	return HostMacKey.StringSlice(val)
-}
-
-// HostName returns an attribute KeyValue conforming to the "host.name"
-// semantic conventions. It represents the name of the host. On Unix systems,
-// it may contain what the hostname command returns, or the fully qualified
-// hostname, or another name specified by the user.
-func HostName(val string) attribute.KeyValue {
-	return HostNameKey.String(val)
-}
-
-// HostType returns an attribute KeyValue conforming to the "host.type"
-// semantic conventions. It represents the type of host. For Cloud, this must
-// be the machine type.
-func HostType(val string) attribute.KeyValue {
-	return HostTypeKey.String(val)
-}
-
-// Semantic convention attributes in the HTTP namespace.
-const (
-	// HTTPConnectionStateKey is the attribute Key conforming to the
-	// "http.connection.state" semantic conventions. It represents the state of
-	// the HTTP connection in the HTTP connection pool.
-	//
-	// Type: Enum
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'active', 'idle'
-	HTTPConnectionStateKey = attribute.Key("http.connection.state")
-
-	// HTTPRequestBodySizeKey is the attribute Key conforming to the
-	// "http.request.body.size" semantic conventions. It represents the size of
-	// the request payload body in bytes. This is the number of bytes
-	// transferred excluding headers and is often, but not always, present as
-	// the
-	// [Content-Length](https://www.rfc-editor.org/rfc/rfc9110.html#field.content-length)
-	// header. For requests using transport encoding, this should be the
-	// compressed size.
-	//
-	// Type: int
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 3495
-	HTTPRequestBodySizeKey = attribute.Key("http.request.body.size")
-
-	// HTTPRequestMethodKey is the attribute Key conforming to the
-	// "http.request.method" semantic conventions. It represents the hTTP
-	// request method.
-	//
-	// Type: Enum
-	// RequirementLevel: Optional
-	// Stability: stable
-	// Examples: 'GET', 'POST', 'HEAD'
-	// Note: HTTP request method value SHOULD be "known" to the
-	// instrumentation.
-	// By default, this convention defines "known" methods as the ones listed
-	// in [RFC9110](https://www.rfc-editor.org/rfc/rfc9110.html#name-methods)
-	// and the PATCH method defined in
-	// [RFC5789](https://www.rfc-editor.org/rfc/rfc5789.html).
-	//
-	// If the HTTP request method is not known to instrumentation, it MUST set
-	// the `http.request.method` attribute to `_OTHER`.
-	//
-	// If the HTTP instrumentation could end up converting valid HTTP request
-	// methods to `_OTHER`, then it MUST provide a way to override
-	// the list of known HTTP methods. If this override is done via environment
-	// variable, then the environment variable MUST be named
-	// OTEL_INSTRUMENTATION_HTTP_KNOWN_METHODS and support a comma-separated
-	// list of case-sensitive known HTTP methods
-	// (this list MUST be a full override of the default known method, it is
-	// not a list of known methods in addition to the defaults).
-	//
-	// HTTP method names are case-sensitive and `http.request.method` attribute
-	// value MUST match a known HTTP method name exactly.
-	// Instrumentations for specific web frameworks that consider HTTP methods
-	// to be case insensitive, SHOULD populate a canonical equivalent.
-	// Tracing instrumentations that do so, MUST also set
-	// `http.request.method_original` to the original value.
-	HTTPRequestMethodKey = attribute.Key("http.request.method")
-
-	// HTTPRequestMethodOriginalKey is the attribute Key conforming to the
-	// "http.request.method_original" semantic conventions. It represents the
-	// original HTTP method sent by the client in the request line.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: stable
-	// Examples: 'GeT', 'ACL', 'foo'
-	HTTPRequestMethodOriginalKey = attribute.Key("http.request.method_original")
-
-	// HTTPRequestResendCountKey is the attribute Key conforming to the
-	// "http.request.resend_count" semantic conventions. It represents the
-	// ordinal number of request resending attempt (for any reason, including
-	// redirects).
-	//
-	// Type: int
-	// RequirementLevel: Optional
-	// Stability: stable
-	// Examples: 3
-	// Note: The resend count SHOULD be updated each time an HTTP request gets
-	// resent by the client, regardless of what was the cause of the resending
-	// (e.g. redirection, authorization failure, 503 Server Unavailable,
-	// network issues, or any other).
-	HTTPRequestResendCountKey = attribute.Key("http.request.resend_count")
-
-	// HTTPRequestSizeKey is the attribute Key conforming to the
-	// "http.request.size" semantic conventions. It represents the total size
-	// of the request in bytes. This should be the total number of bytes sent
-	// over the wire, including the request line (HTTP/1.1), framing (HTTP/2
-	// and HTTP/3), headers, and request body if any.
-	//
-	// Type: int
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 1437
-	HTTPRequestSizeKey = attribute.Key("http.request.size")
-
-	// HTTPResponseBodySizeKey is the attribute Key conforming to the
-	// "http.response.body.size" semantic conventions. It represents the size
-	// of the response payload body in bytes. This is the number of bytes
-	// transferred excluding headers and is often, but not always, present as
-	// the
-	// [Content-Length](https://www.rfc-editor.org/rfc/rfc9110.html#field.content-length)
-	// header. For requests using transport encoding, this should be the
-	// compressed size.
-	//
-	// Type: int
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 3495
-	HTTPResponseBodySizeKey = attribute.Key("http.response.body.size")
-
-	// HTTPResponseSizeKey is the attribute Key conforming to the
-	// "http.response.size" semantic conventions. It represents the total size
-	// of the response in bytes. This should be the total number of bytes sent
-	// over the wire, including the status line (HTTP/1.1), framing (HTTP/2 and
-	// HTTP/3), headers, and response body and trailers if any.
-	//
-	// Type: int
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 1437
-	HTTPResponseSizeKey = attribute.Key("http.response.size")
-
-	// HTTPResponseStatusCodeKey is the attribute Key conforming to the
-	// "http.response.status_code" semantic conventions. It represents the
-	// [HTTP response status
-	// code](https://tools.ietf.org/html/rfc7231#section-6).
-	//
-	// Type: int
-	// RequirementLevel: Optional
-	// Stability: stable
-	// Examples: 200
-	HTTPResponseStatusCodeKey = attribute.Key("http.response.status_code")
-
-	// HTTPRouteKey is the attribute Key conforming to the "http.route"
-	// semantic conventions. It represents the matched route, that is, the path
-	// template in the format used by the respective server framework.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: stable
-	// Examples: '/users/:userID?', '{controller}/{action}/{id?}'
-	// Note: MUST NOT be populated when this is not supported by the HTTP
-	// server framework as the route attribute should have low-cardinality and
-	// the URI path can NOT substitute it.
-	// SHOULD include the [application
-	// root](/docs/http/http-spans.md#http-server-definitions) if there is one.
-	HTTPRouteKey = attribute.Key("http.route")
-)
-
-var (
-	// active state
-	HTTPConnectionStateActive = HTTPConnectionStateKey.String("active")
-	// idle state
-	HTTPConnectionStateIdle = HTTPConnectionStateKey.String("idle")
-)
-
-var (
-	// CONNECT method
-	HTTPRequestMethodConnect = HTTPRequestMethodKey.String("CONNECT")
-	// DELETE method
-	HTTPRequestMethodDelete = HTTPRequestMethodKey.String("DELETE")
-	// GET method
-	HTTPRequestMethodGet = HTTPRequestMethodKey.String("GET")
-	// HEAD method
-	HTTPRequestMethodHead = HTTPRequestMethodKey.String("HEAD")
-	// OPTIONS method
-	HTTPRequestMethodOptions = HTTPRequestMethodKey.String("OPTIONS")
-	// PATCH method
-	HTTPRequestMethodPatch = HTTPRequestMethodKey.String("PATCH")
-	// POST method
-	HTTPRequestMethodPost = HTTPRequestMethodKey.String("POST")
-	// PUT method
-	HTTPRequestMethodPut = HTTPRequestMethodKey.String("PUT")
-	// TRACE method
-	HTTPRequestMethodTrace = HTTPRequestMethodKey.String("TRACE")
-	// Any HTTP method that the instrumentation has no prior knowledge of
-	HTTPRequestMethodOther = HTTPRequestMethodKey.String("_OTHER")
-)
-
-// HTTPRequestBodySize returns an attribute KeyValue conforming to the
-// "http.request.body.size" semantic conventions. It represents the size of the
-// request payload body in bytes. This is the number of bytes transferred
-// excluding headers and is often, but not always, present as the
-// [Content-Length](https://www.rfc-editor.org/rfc/rfc9110.html#field.content-length)
-// header. For requests using transport encoding, this should be the compressed
-// size.
-func HTTPRequestBodySize(val int) attribute.KeyValue {
-	return HTTPRequestBodySizeKey.Int(val)
-}
-
-// HTTPRequestMethodOriginal returns an attribute KeyValue conforming to the
-// "http.request.method_original" semantic conventions. It represents the
-// original HTTP method sent by the client in the request line.
-func HTTPRequestMethodOriginal(val string) attribute.KeyValue {
-	return HTTPRequestMethodOriginalKey.String(val)
-}
-
-// HTTPRequestResendCount returns an attribute KeyValue conforming to the
-// "http.request.resend_count" semantic conventions. It represents the ordinal
-// number of request resending attempt (for any reason, including redirects).
-func HTTPRequestResendCount(val int) attribute.KeyValue {
-	return HTTPRequestResendCountKey.Int(val)
-}
-
-// HTTPRequestSize returns an attribute KeyValue conforming to the
-// "http.request.size" semantic conventions. It represents the total size of
-// the request in bytes. This should be the total number of bytes sent over the
-// wire, including the request line (HTTP/1.1), framing (HTTP/2 and HTTP/3),
-// headers, and request body if any.
-func HTTPRequestSize(val int) attribute.KeyValue {
-	return HTTPRequestSizeKey.Int(val)
-}
-
-// HTTPResponseBodySize returns an attribute KeyValue conforming to the
-// "http.response.body.size" semantic conventions. It represents the size of
-// the response payload body in bytes. This is the number of bytes transferred
-// excluding headers and is often, but not always, present as the
-// [Content-Length](https://www.rfc-editor.org/rfc/rfc9110.html#field.content-length)
-// header. For requests using transport encoding, this should be the compressed
-// size.
-func HTTPResponseBodySize(val int) attribute.KeyValue {
-	return HTTPResponseBodySizeKey.Int(val)
-}
-
-// HTTPResponseSize returns an attribute KeyValue conforming to the
-// "http.response.size" semantic conventions. It represents the total size of
-// the response in bytes. This should be the total number of bytes sent over
-// the wire, including the status line (HTTP/1.1), framing (HTTP/2 and HTTP/3),
-// headers, and response body and trailers if any.
-func HTTPResponseSize(val int) attribute.KeyValue {
-	return HTTPResponseSizeKey.Int(val)
-}
-
-// HTTPResponseStatusCode returns an attribute KeyValue conforming to the
-// "http.response.status_code" semantic conventions. It represents the [HTTP
-// response status code](https://tools.ietf.org/html/rfc7231#section-6).
-func HTTPResponseStatusCode(val int) attribute.KeyValue {
-	return HTTPResponseStatusCodeKey.Int(val)
-}
-
-// HTTPRoute returns an attribute KeyValue conforming to the "http.route"
-// semantic conventions. It represents the matched route, that is, the path
-// template in the format used by the respective server framework.
-func HTTPRoute(val string) attribute.KeyValue {
-	return HTTPRouteKey.String(val)
-}
-
-// Java Virtual machine related attributes.
-const (
-	// JvmBufferPoolNameKey is the attribute Key conforming to the
-	// "jvm.buffer.pool.name" semantic conventions. It represents the name of
-	// the buffer pool.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'mapped', 'direct'
-	// Note: Pool names are generally obtained via
-	// [BufferPoolMXBean#getName()](https://docs.oracle.com/en/java/javase/11/docs/api/java.management/java/lang/management/BufferPoolMXBean.html#getName()).
-	JvmBufferPoolNameKey = attribute.Key("jvm.buffer.pool.name")
-
-	// JvmGcActionKey is the attribute Key conforming to the "jvm.gc.action"
-	// semantic conventions. It represents the name of the garbage collector
-	// action.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: stable
-	// Examples: 'end of minor GC', 'end of major GC'
-	// Note: Garbage collector action is generally obtained via
-	// [GarbageCollectionNotificationInfo#getGcAction()](https://docs.oracle.com/en/java/javase/11/docs/api/jdk.management/com/sun/management/GarbageCollectionNotificationInfo.html#getGcAction()).
-	JvmGcActionKey = attribute.Key("jvm.gc.action")
-
-	// JvmGcNameKey is the attribute Key conforming to the "jvm.gc.name"
-	// semantic conventions. It represents the name of the garbage collector.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: stable
-	// Examples: 'G1 Young Generation', 'G1 Old Generation'
-	// Note: Garbage collector name is generally obtained via
-	// [GarbageCollectionNotificationInfo#getGcName()](https://docs.oracle.com/en/java/javase/11/docs/api/jdk.management/com/sun/management/GarbageCollectionNotificationInfo.html#getGcName()).
-	JvmGcNameKey = attribute.Key("jvm.gc.name")
-
-	// JvmMemoryPoolNameKey is the attribute Key conforming to the
-	// "jvm.memory.pool.name" semantic conventions. It represents the name of
-	// the memory pool.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: stable
-	// Examples: 'G1 Old Gen', 'G1 Eden space', 'G1 Survivor Space'
-	// Note: Pool names are generally obtained via
-	// [MemoryPoolMXBean#getName()](https://docs.oracle.com/en/java/javase/11/docs/api/java.management/java/lang/management/MemoryPoolMXBean.html#getName()).
-	JvmMemoryPoolNameKey = attribute.Key("jvm.memory.pool.name")
-
-	// JvmMemoryTypeKey is the attribute Key conforming to the
-	// "jvm.memory.type" semantic conventions. It represents the type of
-	// memory.
-	//
-	// Type: Enum
-	// RequirementLevel: Optional
-	// Stability: stable
-	// Examples: 'heap', 'non_heap'
-	JvmMemoryTypeKey = attribute.Key("jvm.memory.type")
-
-	// JvmThreadDaemonKey is the attribute Key conforming to the
-	// "jvm.thread.daemon" semantic conventions. It represents the whether the
-	// thread is daemon or not.
-	//
-	// Type: boolean
-	// RequirementLevel: Optional
-	// Stability: stable
-	JvmThreadDaemonKey = attribute.Key("jvm.thread.daemon")
-
-	// JvmThreadStateKey is the attribute Key conforming to the
-	// "jvm.thread.state" semantic conventions. It represents the state of the
-	// thread.
-	//
-	// Type: Enum
-	// RequirementLevel: Optional
-	// Stability: stable
-	// Examples: 'runnable', 'blocked'
-	JvmThreadStateKey = attribute.Key("jvm.thread.state")
-)
-
-var (
-	// Heap memory
-	JvmMemoryTypeHeap = JvmMemoryTypeKey.String("heap")
-	// Non-heap memory
-	JvmMemoryTypeNonHeap = JvmMemoryTypeKey.String("non_heap")
-)
-
-var (
-	// A thread that has not yet started is in this state
-	JvmThreadStateNew = JvmThreadStateKey.String("new")
-	// A thread executing in the Java virtual machine is in this state
-	JvmThreadStateRunnable = JvmThreadStateKey.String("runnable")
-	// A thread that is blocked waiting for a monitor lock is in this state
-	JvmThreadStateBlocked = JvmThreadStateKey.String("blocked")
-	// A thread that is waiting indefinitely for another thread to perform a particular action is in this state
-	JvmThreadStateWaiting = JvmThreadStateKey.String("waiting")
-	// A thread that is waiting for another thread to perform an action for up to a specified waiting time is in this state
-	JvmThreadStateTimedWaiting = JvmThreadStateKey.String("timed_waiting")
-	// A thread that has exited is in this state
-	JvmThreadStateTerminated = JvmThreadStateKey.String("terminated")
-)
-
-// JvmBufferPoolName returns an attribute KeyValue conforming to the
-// "jvm.buffer.pool.name" semantic conventions. It represents the name of the
-// buffer pool.
-func JvmBufferPoolName(val string) attribute.KeyValue {
-	return JvmBufferPoolNameKey.String(val)
-}
-
-// JvmGcAction returns an attribute KeyValue conforming to the
-// "jvm.gc.action" semantic conventions. It represents the name of the garbage
-// collector action.
-func JvmGcAction(val string) attribute.KeyValue {
-	return JvmGcActionKey.String(val)
-}
-
-// JvmGcName returns an attribute KeyValue conforming to the "jvm.gc.name"
-// semantic conventions. It represents the name of the garbage collector.
-func JvmGcName(val string) attribute.KeyValue {
-	return JvmGcNameKey.String(val)
-}
-
-// JvmMemoryPoolName returns an attribute KeyValue conforming to the
-// "jvm.memory.pool.name" semantic conventions. It represents the name of the
-// memory pool.
-func JvmMemoryPoolName(val string) attribute.KeyValue {
-	return JvmMemoryPoolNameKey.String(val)
-}
-
-// JvmThreadDaemon returns an attribute KeyValue conforming to the
-// "jvm.thread.daemon" semantic conventions. It represents the whether the
-// thread is daemon or not.
-func JvmThreadDaemon(val bool) attribute.KeyValue {
-	return JvmThreadDaemonKey.Bool(val)
-}
-
-// Kubernetes resource attributes.
-const (
-	// K8SClusterNameKey is the attribute Key conforming to the
-	// "k8s.cluster.name" semantic conventions. It represents the name of the
-	// cluster.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'opentelemetry-cluster'
-	K8SClusterNameKey = attribute.Key("k8s.cluster.name")
-
-	// K8SClusterUIDKey is the attribute Key conforming to the
-	// "k8s.cluster.uid" semantic conventions. It represents a pseudo-ID for
-	// the cluster, set to the UID of the `kube-system` namespace.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: '218fc5a9-a5f1-4b54-aa05-46717d0ab26d'
-	// Note: K8S doesn't have support for obtaining a cluster ID. If this is
-	// ever
-	// added, we will recommend collecting the `k8s.cluster.uid` through the
-	// official APIs. In the meantime, we are able to use the `uid` of the
-	// `kube-system` namespace as a proxy for cluster ID. Read on for the
-	// rationale.
-	//
-	// Every object created in a K8S cluster is assigned a distinct UID. The
-	// `kube-system` namespace is used by Kubernetes itself and will exist
-	// for the lifetime of the cluster. Using the `uid` of the `kube-system`
-	// namespace is a reasonable proxy for the K8S ClusterID as it will only
-	// change if the cluster is rebuilt. Furthermore, Kubernetes UIDs are
-	// UUIDs as standardized by
-	// [ISO/IEC 9834-8 and ITU-T
-	// X.667](https://www.itu.int/ITU-T/studygroups/com17/oid.html).
-	// Which states:
-	//
-	// > If generated according to one of the mechanisms defined in Rec.
-	//   ITU-T X.667 | ISO/IEC 9834-8, a UUID is either guaranteed to be
-	//   different from all other UUIDs generated before 3603 A.D., or is
-	//   extremely likely to be different (depending on the mechanism chosen).
-	//
-	// Therefore, UIDs between clusters should be extremely unlikely to
-	// conflict.
-	K8SClusterUIDKey = attribute.Key("k8s.cluster.uid")
-
-	// K8SContainerNameKey is the attribute Key conforming to the
-	// "k8s.container.name" semantic conventions. It represents the name of the
-	// Container from Pod specification, must be unique within a Pod. Container
-	// runtime usually uses different globally unique name (`container.name`).
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'redis'
-	K8SContainerNameKey = attribute.Key("k8s.container.name")
-
-	// K8SContainerRestartCountKey is the attribute Key conforming to the
-	// "k8s.container.restart_count" semantic conventions. It represents the
-	// number of times the container was restarted. This attribute can be used
-	// to identify a particular container (running or stopped) within a
-	// container spec.
-	//
-	// Type: int
-	// RequirementLevel: Optional
-	// Stability: experimental
-	K8SContainerRestartCountKey = attribute.Key("k8s.container.restart_count")
-
-	// K8SContainerStatusLastTerminatedReasonKey is the attribute Key
-	// conforming to the "k8s.container.status.last_terminated_reason" semantic
-	// conventions. It represents the last terminated reason of the Container.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'Evicted', 'Error'
-	K8SContainerStatusLastTerminatedReasonKey = attribute.Key("k8s.container.status.last_terminated_reason")
-
-	// K8SCronJobNameKey is the attribute Key conforming to the
-	// "k8s.cronjob.name" semantic conventions. It represents the name of the
-	// CronJob.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'opentelemetry'
-	K8SCronJobNameKey = attribute.Key("k8s.cronjob.name")
-
-	// K8SCronJobUIDKey is the attribute Key conforming to the
-	// "k8s.cronjob.uid" semantic conventions. It represents the UID of the
-	// CronJob.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: '275ecb36-5aa8-4c2a-9c47-d8bb681b9aff'
-	K8SCronJobUIDKey = attribute.Key("k8s.cronjob.uid")
-
-	// K8SDaemonSetNameKey is the attribute Key conforming to the
-	// "k8s.daemonset.name" semantic conventions. It represents the name of the
-	// DaemonSet.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'opentelemetry'
-	K8SDaemonSetNameKey = attribute.Key("k8s.daemonset.name")
-
-	// K8SDaemonSetUIDKey is the attribute Key conforming to the
-	// "k8s.daemonset.uid" semantic conventions. It represents the UID of the
-	// DaemonSet.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: '275ecb36-5aa8-4c2a-9c47-d8bb681b9aff'
-	K8SDaemonSetUIDKey = attribute.Key("k8s.daemonset.uid")
-
-	// K8SDeploymentNameKey is the attribute Key conforming to the
-	// "k8s.deployment.name" semantic conventions. It represents the name of
-	// the Deployment.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'opentelemetry'
-	K8SDeploymentNameKey = attribute.Key("k8s.deployment.name")
-
-	// K8SDeploymentUIDKey is the attribute Key conforming to the
-	// "k8s.deployment.uid" semantic conventions. It represents the UID of the
-	// Deployment.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: '275ecb36-5aa8-4c2a-9c47-d8bb681b9aff'
-	K8SDeploymentUIDKey = attribute.Key("k8s.deployment.uid")
-
-	// K8SJobNameKey is the attribute Key conforming to the "k8s.job.name"
-	// semantic conventions. It represents the name of the Job.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'opentelemetry'
-	K8SJobNameKey = attribute.Key("k8s.job.name")
-
-	// K8SJobUIDKey is the attribute Key conforming to the "k8s.job.uid"
-	// semantic conventions. It represents the UID of the Job.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: '275ecb36-5aa8-4c2a-9c47-d8bb681b9aff'
-	K8SJobUIDKey = attribute.Key("k8s.job.uid")
-
-	// K8SNamespaceNameKey is the attribute Key conforming to the
-	// "k8s.namespace.name" semantic conventions. It represents the name of the
-	// namespace that the pod is running in.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'default'
-	K8SNamespaceNameKey = attribute.Key("k8s.namespace.name")
-
-	// K8SNodeNameKey is the attribute Key conforming to the "k8s.node.name"
-	// semantic conventions. It represents the name of the Node.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'node-1'
-	K8SNodeNameKey = attribute.Key("k8s.node.name")
-
-	// K8SNodeUIDKey is the attribute Key conforming to the "k8s.node.uid"
-	// semantic conventions. It represents the UID of the Node.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: '1eb3a0c6-0477-4080-a9cb-0cb7db65c6a2'
-	K8SNodeUIDKey = attribute.Key("k8s.node.uid")
-
-	// K8SPodNameKey is the attribute Key conforming to the "k8s.pod.name"
-	// semantic conventions. It represents the name of the Pod.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'opentelemetry-pod-autoconf'
-	K8SPodNameKey = attribute.Key("k8s.pod.name")
-
-	// K8SPodUIDKey is the attribute Key conforming to the "k8s.pod.uid"
-	// semantic conventions. It represents the UID of the Pod.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: '275ecb36-5aa8-4c2a-9c47-d8bb681b9aff'
-	K8SPodUIDKey = attribute.Key("k8s.pod.uid")
-
-	// K8SReplicaSetNameKey is the attribute Key conforming to the
-	// "k8s.replicaset.name" semantic conventions. It represents the name of
-	// the ReplicaSet.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'opentelemetry'
-	K8SReplicaSetNameKey = attribute.Key("k8s.replicaset.name")
-
-	// K8SReplicaSetUIDKey is the attribute Key conforming to the
-	// "k8s.replicaset.uid" semantic conventions. It represents the UID of the
-	// ReplicaSet.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: '275ecb36-5aa8-4c2a-9c47-d8bb681b9aff'
-	K8SReplicaSetUIDKey = attribute.Key("k8s.replicaset.uid")
-
-	// K8SStatefulSetNameKey is the attribute Key conforming to the
-	// "k8s.statefulset.name" semantic conventions. It represents the name of
-	// the StatefulSet.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'opentelemetry'
-	K8SStatefulSetNameKey = attribute.Key("k8s.statefulset.name")
-
-	// K8SStatefulSetUIDKey is the attribute Key conforming to the
-	// "k8s.statefulset.uid" semantic conventions. It represents the UID of the
-	// StatefulSet.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: '275ecb36-5aa8-4c2a-9c47-d8bb681b9aff'
-	K8SStatefulSetUIDKey = attribute.Key("k8s.statefulset.uid")
-)
-
-// K8SClusterName returns an attribute KeyValue conforming to the
-// "k8s.cluster.name" semantic conventions. It represents the name of the
-// cluster.
-func K8SClusterName(val string) attribute.KeyValue {
-	return K8SClusterNameKey.String(val)
-}
-
-// K8SClusterUID returns an attribute KeyValue conforming to the
-// "k8s.cluster.uid" semantic conventions. It represents a pseudo-ID for the
-// cluster, set to the UID of the `kube-system` namespace.
-func K8SClusterUID(val string) attribute.KeyValue {
-	return K8SClusterUIDKey.String(val)
-}
-
-// K8SContainerName returns an attribute KeyValue conforming to the
-// "k8s.container.name" semantic conventions. It represents the name of the
-// Container from Pod specification, must be unique within a Pod. Container
-// runtime usually uses different globally unique name (`container.name`).
-func K8SContainerName(val string) attribute.KeyValue {
-	return K8SContainerNameKey.String(val)
-}
-
-// K8SContainerRestartCount returns an attribute KeyValue conforming to the
-// "k8s.container.restart_count" semantic conventions. It represents the number
-// of times the container was restarted. This attribute can be used to identify
-// a particular container (running or stopped) within a container spec.
-func K8SContainerRestartCount(val int) attribute.KeyValue {
-	return K8SContainerRestartCountKey.Int(val)
-}
-
-// K8SContainerStatusLastTerminatedReason returns an attribute KeyValue
-// conforming to the "k8s.container.status.last_terminated_reason" semantic
-// conventions. It represents the last terminated reason of the Container.
-func K8SContainerStatusLastTerminatedReason(val string) attribute.KeyValue {
-	return K8SContainerStatusLastTerminatedReasonKey.String(val)
-}
-
-// K8SCronJobName returns an attribute KeyValue conforming to the
-// "k8s.cronjob.name" semantic conventions. It represents the name of the
-// CronJob.
-func K8SCronJobName(val string) attribute.KeyValue {
-	return K8SCronJobNameKey.String(val)
-}
-
-// K8SCronJobUID returns an attribute KeyValue conforming to the
-// "k8s.cronjob.uid" semantic conventions. It represents the UID of the
-// CronJob.
-func K8SCronJobUID(val string) attribute.KeyValue {
-	return K8SCronJobUIDKey.String(val)
-}
-
-// K8SDaemonSetName returns an attribute KeyValue conforming to the
-// "k8s.daemonset.name" semantic conventions. It represents the name of the
-// DaemonSet.
-func K8SDaemonSetName(val string) attribute.KeyValue {
-	return K8SDaemonSetNameKey.String(val)
-}
-
-// K8SDaemonSetUID returns an attribute KeyValue conforming to the
-// "k8s.daemonset.uid" semantic conventions. It represents the UID of the
-// DaemonSet.
-func K8SDaemonSetUID(val string) attribute.KeyValue {
-	return K8SDaemonSetUIDKey.String(val)
-}
-
-// K8SDeploymentName returns an attribute KeyValue conforming to the
-// "k8s.deployment.name" semantic conventions. It represents the name of the
-// Deployment.
-func K8SDeploymentName(val string) attribute.KeyValue {
-	return K8SDeploymentNameKey.String(val)
-}
-
-// K8SDeploymentUID returns an attribute KeyValue conforming to the
-// "k8s.deployment.uid" semantic conventions. It represents the UID of the
-// Deployment.
-func K8SDeploymentUID(val string) attribute.KeyValue {
-	return K8SDeploymentUIDKey.String(val)
-}
-
-// K8SJobName returns an attribute KeyValue conforming to the "k8s.job.name"
-// semantic conventions. It represents the name of the Job.
-func K8SJobName(val string) attribute.KeyValue {
-	return K8SJobNameKey.String(val)
-}
-
-// K8SJobUID returns an attribute KeyValue conforming to the "k8s.job.uid"
-// semantic conventions. It represents the UID of the Job.
-func K8SJobUID(val string) attribute.KeyValue {
-	return K8SJobUIDKey.String(val)
-}
-
-// K8SNamespaceName returns an attribute KeyValue conforming to the
-// "k8s.namespace.name" semantic conventions. It represents the name of the
-// namespace that the pod is running in.
-func K8SNamespaceName(val string) attribute.KeyValue {
-	return K8SNamespaceNameKey.String(val)
-}
-
-// K8SNodeName returns an attribute KeyValue conforming to the
-// "k8s.node.name" semantic conventions. It represents the name of the Node.
-func K8SNodeName(val string) attribute.KeyValue {
-	return K8SNodeNameKey.String(val)
-}
-
-// K8SNodeUID returns an attribute KeyValue conforming to the "k8s.node.uid"
-// semantic conventions. It represents the UID of the Node.
-func K8SNodeUID(val string) attribute.KeyValue {
-	return K8SNodeUIDKey.String(val)
-}
-
-// K8SPodName returns an attribute KeyValue conforming to the "k8s.pod.name"
-// semantic conventions. It represents the name of the Pod.
-func K8SPodName(val string) attribute.KeyValue {
-	return K8SPodNameKey.String(val)
-}
-
-// K8SPodUID returns an attribute KeyValue conforming to the "k8s.pod.uid"
-// semantic conventions. It represents the UID of the Pod.
-func K8SPodUID(val string) attribute.KeyValue {
-	return K8SPodUIDKey.String(val)
-}
-
-// K8SReplicaSetName returns an attribute KeyValue conforming to the
-// "k8s.replicaset.name" semantic conventions. It represents the name of the
-// ReplicaSet.
-func K8SReplicaSetName(val string) attribute.KeyValue {
-	return K8SReplicaSetNameKey.String(val)
-}
-
-// K8SReplicaSetUID returns an attribute KeyValue conforming to the
-// "k8s.replicaset.uid" semantic conventions. It represents the UID of the
-// ReplicaSet.
-func K8SReplicaSetUID(val string) attribute.KeyValue {
-	return K8SReplicaSetUIDKey.String(val)
-}
-
-// K8SStatefulSetName returns an attribute KeyValue conforming to the
-// "k8s.statefulset.name" semantic conventions. It represents the name of the
-// StatefulSet.
-func K8SStatefulSetName(val string) attribute.KeyValue {
-	return K8SStatefulSetNameKey.String(val)
-}
-
-// K8SStatefulSetUID returns an attribute KeyValue conforming to the
-// "k8s.statefulset.uid" semantic conventions. It represents the UID of the
-// StatefulSet.
-func K8SStatefulSetUID(val string) attribute.KeyValue {
-	return K8SStatefulSetUIDKey.String(val)
-}
-
-// Log attributes
-const (
-	// LogIostreamKey is the attribute Key conforming to the "log.iostream"
-	// semantic conventions. It represents the stream associated with the log.
-	// See below for a list of well-known values.
-	//
-	// Type: Enum
-	// RequirementLevel: Optional
-	// Stability: experimental
-	LogIostreamKey = attribute.Key("log.iostream")
-)
-
-var (
-	// Logs from stdout stream
-	LogIostreamStdout = LogIostreamKey.String("stdout")
-	// Events from stderr stream
-	LogIostreamStderr = LogIostreamKey.String("stderr")
-)
-
-// Attributes for a file to which log was emitted.
-const (
-	// LogFileNameKey is the attribute Key conforming to the "log.file.name"
-	// semantic conventions. It represents the basename of the file.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'audit.log'
-	LogFileNameKey = attribute.Key("log.file.name")
-
-	// LogFileNameResolvedKey is the attribute Key conforming to the
-	// "log.file.name_resolved" semantic conventions. It represents the
-	// basename of the file, with symlinks resolved.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'uuid.log'
-	LogFileNameResolvedKey = attribute.Key("log.file.name_resolved")
-
-	// LogFilePathKey is the attribute Key conforming to the "log.file.path"
-	// semantic conventions. It represents the full path to the file.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: '/var/log/mysql/audit.log'
-	LogFilePathKey = attribute.Key("log.file.path")
-
-	// LogFilePathResolvedKey is the attribute Key conforming to the
-	// "log.file.path_resolved" semantic conventions. It represents the full
-	// path to the file, with symlinks resolved.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: '/var/lib/docker/uuid.log'
-	LogFilePathResolvedKey = attribute.Key("log.file.path_resolved")
-)
-
-// LogFileName returns an attribute KeyValue conforming to the
-// "log.file.name" semantic conventions. It represents the basename of the
-// file.
-func LogFileName(val string) attribute.KeyValue {
-	return LogFileNameKey.String(val)
-}
-
-// LogFileNameResolved returns an attribute KeyValue conforming to the
-// "log.file.name_resolved" semantic conventions. It represents the basename of
-// the file, with symlinks resolved.
-func LogFileNameResolved(val string) attribute.KeyValue {
-	return LogFileNameResolvedKey.String(val)
-}
-
-// LogFilePath returns an attribute KeyValue conforming to the
-// "log.file.path" semantic conventions. It represents the full path to the
-// file.
-func LogFilePath(val string) attribute.KeyValue {
-	return LogFilePathKey.String(val)
-}
-
-// LogFilePathResolved returns an attribute KeyValue conforming to the
-// "log.file.path_resolved" semantic conventions. It represents the full path
-// to the file, with symlinks resolved.
-func LogFilePathResolved(val string) attribute.KeyValue {
-	return LogFilePathResolvedKey.String(val)
-}
-
-// The generic attributes that may be used in any Log Record.
-const (
-	// LogRecordUIDKey is the attribute Key conforming to the "log.record.uid"
-	// semantic conventions. It represents a unique identifier for the Log
-	// Record.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: '01ARZ3NDEKTSV4RRFFQ69G5FAV'
-	// Note: If an id is provided, other log records with the same id will be
-	// considered duplicates and can be removed safely. This means, that two
-	// distinguishable log records MUST have different values.
-	// The id MAY be an [Universally Unique Lexicographically Sortable
-	// Identifier (ULID)](https://github.com/ulid/spec), but other identifiers
-	// (e.g. UUID) may be used as needed.
-	LogRecordUIDKey = attribute.Key("log.record.uid")
-)
-
-// LogRecordUID returns an attribute KeyValue conforming to the
-// "log.record.uid" semantic conventions. It represents a unique identifier for
-// the Log Record.
-func LogRecordUID(val string) attribute.KeyValue {
-	return LogRecordUIDKey.String(val)
-}
-
-// Attributes describing telemetry around messaging systems and messaging
-// activities.
-const (
-	// MessagingBatchMessageCountKey is the attribute Key conforming to the
-	// "messaging.batch.message_count" semantic conventions. It represents the
-	// number of messages sent, received, or processed in the scope of the
-	// batching operation.
-	//
-	// Type: int
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 0, 1, 2
-	// Note: Instrumentations SHOULD NOT set `messaging.batch.message_count` on
-	// spans that operate with a single message. When a messaging client
-	// library supports both batch and single-message API for the same
-	// operation, instrumentations SHOULD use `messaging.batch.message_count`
-	// for batching APIs and SHOULD NOT use it for single-message APIs.
-	MessagingBatchMessageCountKey = attribute.Key("messaging.batch.message_count")
-
-	// MessagingClientIDKey is the attribute Key conforming to the
-	// "messaging.client.id" semantic conventions. It represents a unique
-	// identifier for the client that consumes or produces a message.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'client-5', 'myhost@8742@s8083jm'
-	MessagingClientIDKey = attribute.Key("messaging.client.id")
-
-	// MessagingDestinationAnonymousKey is the attribute Key conforming to the
-	// "messaging.destination.anonymous" semantic conventions. It represents a
-	// boolean that is true if the message destination is anonymous (could be
-	// unnamed or have auto-generated name).
-	//
-	// Type: boolean
-	// RequirementLevel: Optional
-	// Stability: experimental
-	MessagingDestinationAnonymousKey = attribute.Key("messaging.destination.anonymous")
-
-	// MessagingDestinationNameKey is the attribute Key conforming to the
-	// "messaging.destination.name" semantic conventions. It represents the
-	// message destination name
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'MyQueue', 'MyTopic'
-	// Note: Destination name SHOULD uniquely identify a specific queue, topic
-	// or other entity within the broker. If
-	// the broker doesn't have such notion, the destination name SHOULD
-	// uniquely identify the broker.
-	MessagingDestinationNameKey = attribute.Key("messaging.destination.name")
-
-	// MessagingDestinationPartitionIDKey is the attribute Key conforming to
-	// the "messaging.destination.partition.id" semantic conventions. It
-	// represents the identifier of the partition messages are sent to or
-	// received from, unique within the `messaging.destination.name`.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: '1'
-	MessagingDestinationPartitionIDKey = attribute.Key("messaging.destination.partition.id")
-
-	// MessagingDestinationTemplateKey is the attribute Key conforming to the
-	// "messaging.destination.template" semantic conventions. It represents the
-	// low cardinality representation of the messaging destination name
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: '/customers/{customerID}'
-	// Note: Destination names could be constructed from templates. An example
-	// would be a destination name involving a user name or product id.
-	// Although the destination name in this case is of high cardinality, the
-	// underlying template is of low cardinality and can be effectively used
-	// for grouping and aggregation.
-	MessagingDestinationTemplateKey = attribute.Key("messaging.destination.template")
-
-	// MessagingDestinationTemporaryKey is the attribute Key conforming to the
-	// "messaging.destination.temporary" semantic conventions. It represents a
-	// boolean that is true if the message destination is temporary and might
-	// not exist anymore after messages are processed.
-	//
-	// Type: boolean
-	// RequirementLevel: Optional
-	// Stability: experimental
-	MessagingDestinationTemporaryKey = attribute.Key("messaging.destination.temporary")
-
-	// MessagingDestinationPublishAnonymousKey is the attribute Key conforming
-	// to the "messaging.destination_publish.anonymous" semantic conventions.
-	// It represents a boolean that is true if the publish message destination
-	// is anonymous (could be unnamed or have auto-generated name).
-	//
-	// Type: boolean
-	// RequirementLevel: Optional
-	// Stability: experimental
-	MessagingDestinationPublishAnonymousKey = attribute.Key("messaging.destination_publish.anonymous")
-
-	// MessagingDestinationPublishNameKey is the attribute Key conforming to
-	// the "messaging.destination_publish.name" semantic conventions. It
-	// represents the name of the original destination the message was
-	// published to
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'MyQueue', 'MyTopic'
-	// Note: The name SHOULD uniquely identify a specific queue, topic, or
-	// other entity within the broker. If
-	// the broker doesn't have such notion, the original destination name
-	// SHOULD uniquely identify the broker.
-	MessagingDestinationPublishNameKey = attribute.Key("messaging.destination_publish.name")
-
-	// MessagingMessageBodySizeKey is the attribute Key conforming to the
-	// "messaging.message.body.size" semantic conventions. It represents the
-	// size of the message body in bytes.
-	//
-	// Type: int
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 1439
-	// Note: This can refer to both the compressed or uncompressed body size.
-	// If both sizes are known, the uncompressed
-	// body size should be used.
-	MessagingMessageBodySizeKey = attribute.Key("messaging.message.body.size")
-
-	// MessagingMessageConversationIDKey is the attribute Key conforming to the
-	// "messaging.message.conversation_id" semantic conventions. It represents
-	// the conversation ID identifying the conversation to which the message
-	// belongs, represented as a string. Sometimes called "Correlation ID".
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'MyConversationID'
-	MessagingMessageConversationIDKey = attribute.Key("messaging.message.conversation_id")
-
-	// MessagingMessageEnvelopeSizeKey is the attribute Key conforming to the
-	// "messaging.message.envelope.size" semantic conventions. It represents
-	// the size of the message body and metadata in bytes.
-	//
-	// Type: int
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 2738
-	// Note: This can refer to both the compressed or uncompressed size. If
-	// both sizes are known, the uncompressed
-	// size should be used.
-	MessagingMessageEnvelopeSizeKey = attribute.Key("messaging.message.envelope.size")
-
-	// MessagingMessageIDKey is the attribute Key conforming to the
-	// "messaging.message.id" semantic conventions. It represents a value used
-	// by the messaging system as an identifier for the message, represented as
-	// a string.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: '452a7c7c7c7048c2f887f61572b18fc2'
-	MessagingMessageIDKey = attribute.Key("messaging.message.id")
-
-	// MessagingOperationNameKey is the attribute Key conforming to the
-	// "messaging.operation.name" semantic conventions. It represents the
-	// system-specific name of the messaging operation.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'ack', 'nack', 'send'
-	MessagingOperationNameKey = attribute.Key("messaging.operation.name")
-
-	// MessagingOperationTypeKey is the attribute Key conforming to the
-	// "messaging.operation.type" semantic conventions. It represents a string
-	// identifying the type of the messaging operation.
-	//
-	// Type: Enum
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Note: If a custom value is used, it MUST be of low cardinality.
-	MessagingOperationTypeKey = attribute.Key("messaging.operation.type")
-
-	// MessagingSystemKey is the attribute Key conforming to the
-	// "messaging.system" semantic conventions. It represents the messaging
-	// system as identified by the client instrumentation.
-	//
-	// Type: Enum
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Note: The actual messaging system may differ from the one known by the
-	// client. For example, when using Kafka client libraries to communicate
-	// with Azure Event Hubs, the `messaging.system` is set to `kafka` based on
-	// the instrumentation's best knowledge.
-	MessagingSystemKey = attribute.Key("messaging.system")
-)
-
-var (
-	// One or more messages are provided for publishing to an intermediary. If a single message is published, the context of the "Publish" span can be used as the creation context and no "Create" span needs to be created
-	MessagingOperationTypePublish = MessagingOperationTypeKey.String("publish")
-	// A message is created. "Create" spans always refer to a single message and are used to provide a unique creation context for messages in batch publishing scenarios
-	MessagingOperationTypeCreate = MessagingOperationTypeKey.String("create")
-	// One or more messages are requested by a consumer. This operation refers to pull-based scenarios, where consumers explicitly call methods of messaging SDKs to receive messages
-	MessagingOperationTypeReceive = MessagingOperationTypeKey.String("receive")
-	// One or more messages are delivered to or processed by a consumer
-	MessagingOperationTypeDeliver = MessagingOperationTypeKey.String("process")
-	// One or more messages are settled
-	MessagingOperationTypeSettle = MessagingOperationTypeKey.String("settle")
-)
-
-var (
-	// Apache ActiveMQ
-	MessagingSystemActivemq = MessagingSystemKey.String("activemq")
-	// Amazon Simple Queue Service (SQS)
-	MessagingSystemAWSSqs = MessagingSystemKey.String("aws_sqs")
-	// Azure Event Grid
-	MessagingSystemEventgrid = MessagingSystemKey.String("eventgrid")
-	// Azure Event Hubs
-	MessagingSystemEventhubs = MessagingSystemKey.String("eventhubs")
-	// Azure Service Bus
-	MessagingSystemServicebus = MessagingSystemKey.String("servicebus")
-	// Google Cloud Pub/Sub
-	MessagingSystemGCPPubsub = MessagingSystemKey.String("gcp_pubsub")
-	// Java Message Service
-	MessagingSystemJms = MessagingSystemKey.String("jms")
-	// Apache Kafka
-	MessagingSystemKafka = MessagingSystemKey.String("kafka")
-	// RabbitMQ
-	MessagingSystemRabbitmq = MessagingSystemKey.String("rabbitmq")
-	// Apache RocketMQ
-	MessagingSystemRocketmq = MessagingSystemKey.String("rocketmq")
-)
-
-// MessagingBatchMessageCount returns an attribute KeyValue conforming to
-// the "messaging.batch.message_count" semantic conventions. It represents the
-// number of messages sent, received, or processed in the scope of the batching
-// operation.
-func MessagingBatchMessageCount(val int) attribute.KeyValue {
-	return MessagingBatchMessageCountKey.Int(val)
-}
-
-// MessagingClientID returns an attribute KeyValue conforming to the
-// "messaging.client.id" semantic conventions. It represents a unique
-// identifier for the client that consumes or produces a message.
-func MessagingClientID(val string) attribute.KeyValue {
-	return MessagingClientIDKey.String(val)
-}
-
-// MessagingDestinationAnonymous returns an attribute KeyValue conforming to
-// the "messaging.destination.anonymous" semantic conventions. It represents a
-// boolean that is true if the message destination is anonymous (could be
-// unnamed or have auto-generated name).
-func MessagingDestinationAnonymous(val bool) attribute.KeyValue {
-	return MessagingDestinationAnonymousKey.Bool(val)
-}
-
-// MessagingDestinationName returns an attribute KeyValue conforming to the
-// "messaging.destination.name" semantic conventions. It represents the message
-// destination name
-func MessagingDestinationName(val string) attribute.KeyValue {
-	return MessagingDestinationNameKey.String(val)
-}
-
-// MessagingDestinationPartitionID returns an attribute KeyValue conforming
-// to the "messaging.destination.partition.id" semantic conventions. It
-// represents the identifier of the partition messages are sent to or received
-// from, unique within the `messaging.destination.name`.
-func MessagingDestinationPartitionID(val string) attribute.KeyValue {
-	return MessagingDestinationPartitionIDKey.String(val)
-}
-
-// MessagingDestinationTemplate returns an attribute KeyValue conforming to
-// the "messaging.destination.template" semantic conventions. It represents the
-// low cardinality representation of the messaging destination name
-func MessagingDestinationTemplate(val string) attribute.KeyValue {
-	return MessagingDestinationTemplateKey.String(val)
-}
-
-// MessagingDestinationTemporary returns an attribute KeyValue conforming to
-// the "messaging.destination.temporary" semantic conventions. It represents a
-// boolean that is true if the message destination is temporary and might not
-// exist anymore after messages are processed.
-func MessagingDestinationTemporary(val bool) attribute.KeyValue {
-	return MessagingDestinationTemporaryKey.Bool(val)
-}
-
-// MessagingDestinationPublishAnonymous returns an attribute KeyValue
-// conforming to the "messaging.destination_publish.anonymous" semantic
-// conventions. It represents a boolean that is true if the publish message
-// destination is anonymous (could be unnamed or have auto-generated name).
-func MessagingDestinationPublishAnonymous(val bool) attribute.KeyValue {
-	return MessagingDestinationPublishAnonymousKey.Bool(val)
-}
-
-// MessagingDestinationPublishName returns an attribute KeyValue conforming
-// to the "messaging.destination_publish.name" semantic conventions. It
-// represents the name of the original destination the message was published to
-func MessagingDestinationPublishName(val string) attribute.KeyValue {
-	return MessagingDestinationPublishNameKey.String(val)
-}
-
-// MessagingMessageBodySize returns an attribute KeyValue conforming to the
-// "messaging.message.body.size" semantic conventions. It represents the size
-// of the message body in bytes.
-func MessagingMessageBodySize(val int) attribute.KeyValue {
-	return MessagingMessageBodySizeKey.Int(val)
-}
-
-// MessagingMessageConversationID returns an attribute KeyValue conforming
-// to the "messaging.message.conversation_id" semantic conventions. It
-// represents the conversation ID identifying the conversation to which the
-// message belongs, represented as a string. Sometimes called "Correlation ID".
-func MessagingMessageConversationID(val string) attribute.KeyValue {
-	return MessagingMessageConversationIDKey.String(val)
-}
-
-// MessagingMessageEnvelopeSize returns an attribute KeyValue conforming to
-// the "messaging.message.envelope.size" semantic conventions. It represents
-// the size of the message body and metadata in bytes.
-func MessagingMessageEnvelopeSize(val int) attribute.KeyValue {
-	return MessagingMessageEnvelopeSizeKey.Int(val)
-}
-
-// MessagingMessageID returns an attribute KeyValue conforming to the
-// "messaging.message.id" semantic conventions. It represents a value used by
-// the messaging system as an identifier for the message, represented as a
-// string.
-func MessagingMessageID(val string) attribute.KeyValue {
-	return MessagingMessageIDKey.String(val)
-}
-
-// MessagingOperationName returns an attribute KeyValue conforming to the
-// "messaging.operation.name" semantic conventions. It represents the
-// system-specific name of the messaging operation.
-func MessagingOperationName(val string) attribute.KeyValue {
-	return MessagingOperationNameKey.String(val)
-}
-
-// This group describes attributes specific to Apache Kafka.
-const (
-	// MessagingKafkaConsumerGroupKey is the attribute Key conforming to the
-	// "messaging.kafka.consumer.group" semantic conventions. It represents the
-	// name of the Kafka Consumer Group that is handling the message. Only
-	// applies to consumers, not producers.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'my-group'
-	MessagingKafkaConsumerGroupKey = attribute.Key("messaging.kafka.consumer.group")
-
-	// MessagingKafkaMessageKeyKey is the attribute Key conforming to the
-	// "messaging.kafka.message.key" semantic conventions. It represents the
-	// message keys in Kafka are used for grouping alike messages to ensure
-	// they're processed on the same partition. They differ from
-	// `messaging.message.id` in that they're not unique. If the key is `null`,
-	// the attribute MUST NOT be set.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'myKey'
-	// Note: If the key type is not string, it's string representation has to
-	// be supplied for the attribute. If the key has no unambiguous, canonical
-	// string form, don't include its value.
-	MessagingKafkaMessageKeyKey = attribute.Key("messaging.kafka.message.key")
-
-	// MessagingKafkaMessageOffsetKey is the attribute Key conforming to the
-	// "messaging.kafka.message.offset" semantic conventions. It represents the
-	// offset of a record in the corresponding Kafka partition.
-	//
-	// Type: int
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 42
-	MessagingKafkaMessageOffsetKey = attribute.Key("messaging.kafka.message.offset")
-
-	// MessagingKafkaMessageTombstoneKey is the attribute Key conforming to the
-	// "messaging.kafka.message.tombstone" semantic conventions. It represents
-	// a boolean that is true if the message is a tombstone.
-	//
-	// Type: boolean
-	// RequirementLevel: Optional
-	// Stability: experimental
-	MessagingKafkaMessageTombstoneKey = attribute.Key("messaging.kafka.message.tombstone")
-)
-
-// MessagingKafkaConsumerGroup returns an attribute KeyValue conforming to
-// the "messaging.kafka.consumer.group" semantic conventions. It represents the
-// name of the Kafka Consumer Group that is handling the message. Only applies
-// to consumers, not producers.
-func MessagingKafkaConsumerGroup(val string) attribute.KeyValue {
-	return MessagingKafkaConsumerGroupKey.String(val)
-}
-
-// MessagingKafkaMessageKey returns an attribute KeyValue conforming to the
-// "messaging.kafka.message.key" semantic conventions. It represents the
-// message keys in Kafka are used for grouping alike messages to ensure they're
-// processed on the same partition. They differ from `messaging.message.id` in
-// that they're not unique. If the key is `null`, the attribute MUST NOT be
-// set.
-func MessagingKafkaMessageKey(val string) attribute.KeyValue {
-	return MessagingKafkaMessageKeyKey.String(val)
-}
-
-// MessagingKafkaMessageOffset returns an attribute KeyValue conforming to
-// the "messaging.kafka.message.offset" semantic conventions. It represents the
-// offset of a record in the corresponding Kafka partition.
-func MessagingKafkaMessageOffset(val int) attribute.KeyValue {
-	return MessagingKafkaMessageOffsetKey.Int(val)
-}
-
-// MessagingKafkaMessageTombstone returns an attribute KeyValue conforming
-// to the "messaging.kafka.message.tombstone" semantic conventions. It
-// represents a boolean that is true if the message is a tombstone.
-func MessagingKafkaMessageTombstone(val bool) attribute.KeyValue {
-	return MessagingKafkaMessageTombstoneKey.Bool(val)
-}
-
-// This group describes attributes specific to RabbitMQ.
-const (
-	// MessagingRabbitmqDestinationRoutingKeyKey is the attribute Key
-	// conforming to the "messaging.rabbitmq.destination.routing_key" semantic
-	// conventions. It represents the rabbitMQ message routing key.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'myKey'
-	MessagingRabbitmqDestinationRoutingKeyKey = attribute.Key("messaging.rabbitmq.destination.routing_key")
-
-	// MessagingRabbitmqMessageDeliveryTagKey is the attribute Key conforming
-	// to the "messaging.rabbitmq.message.delivery_tag" semantic conventions.
-	// It represents the rabbitMQ message delivery tag
-	//
-	// Type: int
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 123
-	MessagingRabbitmqMessageDeliveryTagKey = attribute.Key("messaging.rabbitmq.message.delivery_tag")
-)
-
-// MessagingRabbitmqDestinationRoutingKey returns an attribute KeyValue
-// conforming to the "messaging.rabbitmq.destination.routing_key" semantic
-// conventions. It represents the rabbitMQ message routing key.
-func MessagingRabbitmqDestinationRoutingKey(val string) attribute.KeyValue {
-	return MessagingRabbitmqDestinationRoutingKeyKey.String(val)
-}
-
-// MessagingRabbitmqMessageDeliveryTag returns an attribute KeyValue
-// conforming to the "messaging.rabbitmq.message.delivery_tag" semantic
-// conventions. It represents the rabbitMQ message delivery tag
-func MessagingRabbitmqMessageDeliveryTag(val int) attribute.KeyValue {
-	return MessagingRabbitmqMessageDeliveryTagKey.Int(val)
-}
-
-// This group describes attributes specific to RocketMQ.
-const (
-	// MessagingRocketmqClientGroupKey is the attribute Key conforming to the
-	// "messaging.rocketmq.client_group" semantic conventions. It represents
-	// the name of the RocketMQ producer/consumer group that is handling the
-	// message. The client type is identified by the SpanKind.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'myConsumerGroup'
-	MessagingRocketmqClientGroupKey = attribute.Key("messaging.rocketmq.client_group")
-
-	// MessagingRocketmqConsumptionModelKey is the attribute Key conforming to
-	// the "messaging.rocketmq.consumption_model" semantic conventions. It
-	// represents the model of message consumption. This only applies to
-	// consumer spans.
-	//
-	// Type: Enum
-	// RequirementLevel: Optional
-	// Stability: experimental
-	MessagingRocketmqConsumptionModelKey = attribute.Key("messaging.rocketmq.consumption_model")
-
-	// MessagingRocketmqMessageDelayTimeLevelKey is the attribute Key
-	// conforming to the "messaging.rocketmq.message.delay_time_level" semantic
-	// conventions. It represents the delay time level for delay message, which
-	// determines the message delay time.
-	//
-	// Type: int
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 3
-	MessagingRocketmqMessageDelayTimeLevelKey = attribute.Key("messaging.rocketmq.message.delay_time_level")
-
-	// MessagingRocketmqMessageDeliveryTimestampKey is the attribute Key
-	// conforming to the "messaging.rocketmq.message.delivery_timestamp"
-	// semantic conventions. It represents the timestamp in milliseconds that
-	// the delay message is expected to be delivered to consumer.
-	//
-	// Type: int
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 1665987217045
-	MessagingRocketmqMessageDeliveryTimestampKey = attribute.Key("messaging.rocketmq.message.delivery_timestamp")
-
-	// MessagingRocketmqMessageGroupKey is the attribute Key conforming to the
-	// "messaging.rocketmq.message.group" semantic conventions. It represents
-	// the it is essential for FIFO message. Messages that belong to the same
-	// message group are always processed one by one within the same consumer
-	// group.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'myMessageGroup'
-	MessagingRocketmqMessageGroupKey = attribute.Key("messaging.rocketmq.message.group")
-
-	// MessagingRocketmqMessageKeysKey is the attribute Key conforming to the
-	// "messaging.rocketmq.message.keys" semantic conventions. It represents
-	// the key(s) of message, another way to mark message besides message id.
-	//
-	// Type: string[]
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'keyA', 'keyB'
-	MessagingRocketmqMessageKeysKey = attribute.Key("messaging.rocketmq.message.keys")
-
-	// MessagingRocketmqMessageTagKey is the attribute Key conforming to the
-	// "messaging.rocketmq.message.tag" semantic conventions. It represents the
-	// secondary classifier of message besides topic.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'tagA'
-	MessagingRocketmqMessageTagKey = attribute.Key("messaging.rocketmq.message.tag")
-
-	// MessagingRocketmqMessageTypeKey is the attribute Key conforming to the
-	// "messaging.rocketmq.message.type" semantic conventions. It represents
-	// the type of message.
-	//
-	// Type: Enum
-	// RequirementLevel: Optional
-	// Stability: experimental
-	MessagingRocketmqMessageTypeKey = attribute.Key("messaging.rocketmq.message.type")
-
-	// MessagingRocketmqNamespaceKey is the attribute Key conforming to the
-	// "messaging.rocketmq.namespace" semantic conventions. It represents the
-	// namespace of RocketMQ resources, resources in different namespaces are
-	// individual.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'myNamespace'
-	MessagingRocketmqNamespaceKey = attribute.Key("messaging.rocketmq.namespace")
-)
-
-var (
-	// Clustering consumption model
-	MessagingRocketmqConsumptionModelClustering = MessagingRocketmqConsumptionModelKey.String("clustering")
-	// Broadcasting consumption model
-	MessagingRocketmqConsumptionModelBroadcasting = MessagingRocketmqConsumptionModelKey.String("broadcasting")
-)
-
-var (
-	// Normal message
-	MessagingRocketmqMessageTypeNormal = MessagingRocketmqMessageTypeKey.String("normal")
-	// FIFO message
-	MessagingRocketmqMessageTypeFifo = MessagingRocketmqMessageTypeKey.String("fifo")
-	// Delay message
-	MessagingRocketmqMessageTypeDelay = MessagingRocketmqMessageTypeKey.String("delay")
-	// Transaction message
-	MessagingRocketmqMessageTypeTransaction = MessagingRocketmqMessageTypeKey.String("transaction")
-)
-
-// MessagingRocketmqClientGroup returns an attribute KeyValue conforming to
-// the "messaging.rocketmq.client_group" semantic conventions. It represents
-// the name of the RocketMQ producer/consumer group that is handling the
-// message. The client type is identified by the SpanKind.
-func MessagingRocketmqClientGroup(val string) attribute.KeyValue {
-	return MessagingRocketmqClientGroupKey.String(val)
-}
-
-// MessagingRocketmqMessageDelayTimeLevel returns an attribute KeyValue
-// conforming to the "messaging.rocketmq.message.delay_time_level" semantic
-// conventions. It represents the delay time level for delay message, which
-// determines the message delay time.
-func MessagingRocketmqMessageDelayTimeLevel(val int) attribute.KeyValue {
-	return MessagingRocketmqMessageDelayTimeLevelKey.Int(val)
-}
-
-// MessagingRocketmqMessageDeliveryTimestamp returns an attribute KeyValue
-// conforming to the "messaging.rocketmq.message.delivery_timestamp" semantic
-// conventions. It represents the timestamp in milliseconds that the delay
-// message is expected to be delivered to consumer.
-func MessagingRocketmqMessageDeliveryTimestamp(val int) attribute.KeyValue {
-	return MessagingRocketmqMessageDeliveryTimestampKey.Int(val)
-}
-
-// MessagingRocketmqMessageGroup returns an attribute KeyValue conforming to
-// the "messaging.rocketmq.message.group" semantic conventions. It represents
-// the it is essential for FIFO message. Messages that belong to the same
-// message group are always processed one by one within the same consumer
-// group.
-func MessagingRocketmqMessageGroup(val string) attribute.KeyValue {
-	return MessagingRocketmqMessageGroupKey.String(val)
-}
-
-// MessagingRocketmqMessageKeys returns an attribute KeyValue conforming to
-// the "messaging.rocketmq.message.keys" semantic conventions. It represents
-// the key(s) of message, another way to mark message besides message id.
-func MessagingRocketmqMessageKeys(val ...string) attribute.KeyValue {
-	return MessagingRocketmqMessageKeysKey.StringSlice(val)
-}
-
-// MessagingRocketmqMessageTag returns an attribute KeyValue conforming to
-// the "messaging.rocketmq.message.tag" semantic conventions. It represents the
-// secondary classifier of message besides topic.
-func MessagingRocketmqMessageTag(val string) attribute.KeyValue {
-	return MessagingRocketmqMessageTagKey.String(val)
-}
-
-// MessagingRocketmqNamespace returns an attribute KeyValue conforming to
-// the "messaging.rocketmq.namespace" semantic conventions. It represents the
-// namespace of RocketMQ resources, resources in different namespaces are
-// individual.
-func MessagingRocketmqNamespace(val string) attribute.KeyValue {
-	return MessagingRocketmqNamespaceKey.String(val)
-}
-
-// This group describes attributes specific to GCP Pub/Sub.
-const (
-	// MessagingGCPPubsubMessageAckDeadlineKey is the attribute Key conforming
-	// to the "messaging.gcp_pubsub.message.ack_deadline" semantic conventions.
-	// It represents the ack deadline in seconds set for the modify ack
-	// deadline request.
-	//
-	// Type: int
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 10
-	MessagingGCPPubsubMessageAckDeadlineKey = attribute.Key("messaging.gcp_pubsub.message.ack_deadline")
-
-	// MessagingGCPPubsubMessageAckIDKey is the attribute Key conforming to the
-	// "messaging.gcp_pubsub.message.ack_id" semantic conventions. It
-	// represents the ack id for a given message.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'ack_id'
-	MessagingGCPPubsubMessageAckIDKey = attribute.Key("messaging.gcp_pubsub.message.ack_id")
-
-	// MessagingGCPPubsubMessageDeliveryAttemptKey is the attribute Key
-	// conforming to the "messaging.gcp_pubsub.message.delivery_attempt"
-	// semantic conventions. It represents the delivery attempt for a given
-	// message.
-	//
-	// Type: int
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 2
-	MessagingGCPPubsubMessageDeliveryAttemptKey = attribute.Key("messaging.gcp_pubsub.message.delivery_attempt")
-
-	// MessagingGCPPubsubMessageOrderingKeyKey is the attribute Key conforming
-	// to the "messaging.gcp_pubsub.message.ordering_key" semantic conventions.
-	// It represents the ordering key for a given message. If the attribute is
-	// not present, the message does not have an ordering key.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'ordering_key'
-	MessagingGCPPubsubMessageOrderingKeyKey = attribute.Key("messaging.gcp_pubsub.message.ordering_key")
-)
-
-// MessagingGCPPubsubMessageAckDeadline returns an attribute KeyValue
-// conforming to the "messaging.gcp_pubsub.message.ack_deadline" semantic
-// conventions. It represents the ack deadline in seconds set for the modify
-// ack deadline request.
-func MessagingGCPPubsubMessageAckDeadline(val int) attribute.KeyValue {
-	return MessagingGCPPubsubMessageAckDeadlineKey.Int(val)
-}
-
-// MessagingGCPPubsubMessageAckID returns an attribute KeyValue conforming
-// to the "messaging.gcp_pubsub.message.ack_id" semantic conventions. It
-// represents the ack id for a given message.
-func MessagingGCPPubsubMessageAckID(val string) attribute.KeyValue {
-	return MessagingGCPPubsubMessageAckIDKey.String(val)
-}
-
-// MessagingGCPPubsubMessageDeliveryAttempt returns an attribute KeyValue
-// conforming to the "messaging.gcp_pubsub.message.delivery_attempt" semantic
-// conventions. It represents the delivery attempt for a given message.
-func MessagingGCPPubsubMessageDeliveryAttempt(val int) attribute.KeyValue {
-	return MessagingGCPPubsubMessageDeliveryAttemptKey.Int(val)
-}
-
-// MessagingGCPPubsubMessageOrderingKey returns an attribute KeyValue
-// conforming to the "messaging.gcp_pubsub.message.ordering_key" semantic
-// conventions. It represents the ordering key for a given message. If the
-// attribute is not present, the message does not have an ordering key.
-func MessagingGCPPubsubMessageOrderingKey(val string) attribute.KeyValue {
-	return MessagingGCPPubsubMessageOrderingKeyKey.String(val)
-}
-
-// This group describes attributes specific to Azure Service Bus.
-const (
-	// MessagingServicebusDestinationSubscriptionNameKey is the attribute Key
-	// conforming to the "messaging.servicebus.destination.subscription_name"
-	// semantic conventions. It represents the name of the subscription in the
-	// topic messages are received from.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'mySubscription'
-	MessagingServicebusDestinationSubscriptionNameKey = attribute.Key("messaging.servicebus.destination.subscription_name")
-
-	// MessagingServicebusDispositionStatusKey is the attribute Key conforming
-	// to the "messaging.servicebus.disposition_status" semantic conventions.
-	// It represents the describes the [settlement
-	// type](https://learn.microsoft.com/azure/service-bus-messaging/message-transfers-locks-settlement#peeklock).
-	//
-	// Type: Enum
-	// RequirementLevel: Optional
-	// Stability: experimental
-	MessagingServicebusDispositionStatusKey = attribute.Key("messaging.servicebus.disposition_status")
-
-	// MessagingServicebusMessageDeliveryCountKey is the attribute Key
-	// conforming to the "messaging.servicebus.message.delivery_count" semantic
-	// conventions. It represents the number of deliveries that have been
-	// attempted for this message.
-	//
-	// Type: int
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 2
-	MessagingServicebusMessageDeliveryCountKey = attribute.Key("messaging.servicebus.message.delivery_count")
-
-	// MessagingServicebusMessageEnqueuedTimeKey is the attribute Key
-	// conforming to the "messaging.servicebus.message.enqueued_time" semantic
-	// conventions. It represents the UTC epoch seconds at which the message
-	// has been accepted and stored in the entity.
-	//
-	// Type: int
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 1701393730
-	MessagingServicebusMessageEnqueuedTimeKey = attribute.Key("messaging.servicebus.message.enqueued_time")
-)
-
-var (
-	// Message is completed
-	MessagingServicebusDispositionStatusComplete = MessagingServicebusDispositionStatusKey.String("complete")
-	// Message is abandoned
-	MessagingServicebusDispositionStatusAbandon = MessagingServicebusDispositionStatusKey.String("abandon")
-	// Message is sent to dead letter queue
-	MessagingServicebusDispositionStatusDeadLetter = MessagingServicebusDispositionStatusKey.String("dead_letter")
-	// Message is deferred
-	MessagingServicebusDispositionStatusDefer = MessagingServicebusDispositionStatusKey.String("defer")
-)
-
-// MessagingServicebusDestinationSubscriptionName returns an attribute
-// KeyValue conforming to the
-// "messaging.servicebus.destination.subscription_name" semantic conventions.
-// It represents the name of the subscription in the topic messages are
-// received from.
-func MessagingServicebusDestinationSubscriptionName(val string) attribute.KeyValue {
-	return MessagingServicebusDestinationSubscriptionNameKey.String(val)
-}
-
-// MessagingServicebusMessageDeliveryCount returns an attribute KeyValue
-// conforming to the "messaging.servicebus.message.delivery_count" semantic
-// conventions. It represents the number of deliveries that have been attempted
-// for this message.
-func MessagingServicebusMessageDeliveryCount(val int) attribute.KeyValue {
-	return MessagingServicebusMessageDeliveryCountKey.Int(val)
-}
-
-// MessagingServicebusMessageEnqueuedTime returns an attribute KeyValue
-// conforming to the "messaging.servicebus.message.enqueued_time" semantic
-// conventions. It represents the UTC epoch seconds at which the message has
-// been accepted and stored in the entity.
-func MessagingServicebusMessageEnqueuedTime(val int) attribute.KeyValue {
-	return MessagingServicebusMessageEnqueuedTimeKey.Int(val)
-}
-
-// This group describes attributes specific to Azure Event Hubs.
-const (
-	// MessagingEventhubsConsumerGroupKey is the attribute Key conforming to
-	// the "messaging.eventhubs.consumer.group" semantic conventions. It
-	// represents the name of the consumer group the event consumer is
-	// associated with.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'indexer'
-	MessagingEventhubsConsumerGroupKey = attribute.Key("messaging.eventhubs.consumer.group")
-
-	// MessagingEventhubsMessageEnqueuedTimeKey is the attribute Key conforming
-	// to the "messaging.eventhubs.message.enqueued_time" semantic conventions.
-	// It represents the UTC epoch seconds at which the message has been
-	// accepted and stored in the entity.
-	//
-	// Type: int
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 1701393730
-	MessagingEventhubsMessageEnqueuedTimeKey = attribute.Key("messaging.eventhubs.message.enqueued_time")
-)
-
-// MessagingEventhubsConsumerGroup returns an attribute KeyValue conforming
-// to the "messaging.eventhubs.consumer.group" semantic conventions. It
-// represents the name of the consumer group the event consumer is associated
-// with.
-func MessagingEventhubsConsumerGroup(val string) attribute.KeyValue {
-	return MessagingEventhubsConsumerGroupKey.String(val)
-}
-
-// MessagingEventhubsMessageEnqueuedTime returns an attribute KeyValue
-// conforming to the "messaging.eventhubs.message.enqueued_time" semantic
-// conventions. It represents the UTC epoch seconds at which the message has
-// been accepted and stored in the entity.
-func MessagingEventhubsMessageEnqueuedTime(val int) attribute.KeyValue {
-	return MessagingEventhubsMessageEnqueuedTimeKey.Int(val)
-}
-
-// These attributes may be used for any network related operation.
-const (
-	// NetworkCarrierIccKey is the attribute Key conforming to the
-	// "network.carrier.icc" semantic conventions. It represents the ISO 3166-1
-	// alpha-2 2-character country code associated with the mobile carrier
-	// network.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'DE'
-	NetworkCarrierIccKey = attribute.Key("network.carrier.icc")
-
-	// NetworkCarrierMccKey is the attribute Key conforming to the
-	// "network.carrier.mcc" semantic conventions. It represents the mobile
-	// carrier country code.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: '310'
-	NetworkCarrierMccKey = attribute.Key("network.carrier.mcc")
-
-	// NetworkCarrierMncKey is the attribute Key conforming to the
-	// "network.carrier.mnc" semantic conventions. It represents the mobile
-	// carrier network code.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: '001'
-	NetworkCarrierMncKey = attribute.Key("network.carrier.mnc")
-
-	// NetworkCarrierNameKey is the attribute Key conforming to the
-	// "network.carrier.name" semantic conventions. It represents the name of
-	// the mobile carrier.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'sprint'
-	NetworkCarrierNameKey = attribute.Key("network.carrier.name")
-
-	// NetworkConnectionSubtypeKey is the attribute Key conforming to the
-	// "network.connection.subtype" semantic conventions. It represents the
-	// this describes more details regarding the connection.type. It may be the
-	// type of cell technology connection, but it could be used for describing
-	// details about a wifi connection.
-	//
-	// Type: Enum
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'LTE'
-	NetworkConnectionSubtypeKey = attribute.Key("network.connection.subtype")
-
-	// NetworkConnectionTypeKey is the attribute Key conforming to the
-	// "network.connection.type" semantic conventions. It represents the
-	// internet connection type.
-	//
-	// Type: Enum
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'wifi'
-	NetworkConnectionTypeKey = attribute.Key("network.connection.type")
-
-	// NetworkIoDirectionKey is the attribute Key conforming to the
-	// "network.io.direction" semantic conventions. It represents the network
-	// IO operation direction.
-	//
-	// Type: Enum
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'transmit'
-	NetworkIoDirectionKey = attribute.Key("network.io.direction")
-
-	// NetworkLocalAddressKey is the attribute Key conforming to the
-	// "network.local.address" semantic conventions. It represents the local
-	// address of the network connection - IP address or Unix domain socket
-	// name.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: stable
-	// Examples: '10.1.2.80', '/tmp/my.sock'
-	NetworkLocalAddressKey = attribute.Key("network.local.address")
-
-	// NetworkLocalPortKey is the attribute Key conforming to the
-	// "network.local.port" semantic conventions. It represents the local port
-	// number of the network connection.
-	//
-	// Type: int
-	// RequirementLevel: Optional
-	// Stability: stable
-	// Examples: 65123
-	NetworkLocalPortKey = attribute.Key("network.local.port")
-
-	// NetworkPeerAddressKey is the attribute Key conforming to the
-	// "network.peer.address" semantic conventions. It represents the peer
-	// address of the network connection - IP address or Unix domain socket
-	// name.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: stable
-	// Examples: '10.1.2.80', '/tmp/my.sock'
-	NetworkPeerAddressKey = attribute.Key("network.peer.address")
-
-	// NetworkPeerPortKey is the attribute Key conforming to the
-	// "network.peer.port" semantic conventions. It represents the peer port
-	// number of the network connection.
-	//
-	// Type: int
-	// RequirementLevel: Optional
-	// Stability: stable
-	// Examples: 65123
-	NetworkPeerPortKey = attribute.Key("network.peer.port")
-
-	// NetworkProtocolNameKey is the attribute Key conforming to the
-	// "network.protocol.name" semantic conventions. It represents the [OSI
-	// application layer](https://osi-model.com/application-layer/) or non-OSI
-	// equivalent.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: stable
-	// Examples: 'amqp', 'http', 'mqtt'
-	// Note: The value SHOULD be normalized to lowercase.
-	NetworkProtocolNameKey = attribute.Key("network.protocol.name")
-
-	// NetworkProtocolVersionKey is the attribute Key conforming to the
-	// "network.protocol.version" semantic conventions. It represents the
-	// actual version of the protocol used for network communication.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: stable
-	// Examples: '1.1', '2'
-	// Note: If protocol version is subject to negotiation (for example using
-	// [ALPN](https://www.rfc-editor.org/rfc/rfc7301.html)), this attribute
-	// SHOULD be set to the negotiated version. If the actual protocol version
-	// is not known, this attribute SHOULD NOT be set.
-	NetworkProtocolVersionKey = attribute.Key("network.protocol.version")
-
-	// NetworkTransportKey is the attribute Key conforming to the
-	// "network.transport" semantic conventions. It represents the [OSI
-	// transport layer](https://osi-model.com/transport-layer/) or
-	// [inter-process communication
-	// method](https://wikipedia.org/wiki/Inter-process_communication).
-	//
-	// Type: Enum
-	// RequirementLevel: Optional
-	// Stability: stable
-	// Examples: 'tcp', 'udp'
-	// Note: The value SHOULD be normalized to lowercase.
-	//
-	// Consider always setting the transport when setting a port number, since
-	// a port number is ambiguous without knowing the transport. For example
-	// different processes could be listening on TCP port 12345 and UDP port
-	// 12345.
-	NetworkTransportKey = attribute.Key("network.transport")
-
-	// NetworkTypeKey is the attribute Key conforming to the "network.type"
-	// semantic conventions. It represents the [OSI network
-	// layer](https://osi-model.com/network-layer/) or non-OSI equivalent.
-	//
-	// Type: Enum
-	// RequirementLevel: Optional
-	// Stability: stable
-	// Examples: 'ipv4', 'ipv6'
-	// Note: The value SHOULD be normalized to lowercase.
-	NetworkTypeKey = attribute.Key("network.type")
-)
-
-var (
-	// GPRS
-	NetworkConnectionSubtypeGprs = NetworkConnectionSubtypeKey.String("gprs")
-	// EDGE
-	NetworkConnectionSubtypeEdge = NetworkConnectionSubtypeKey.String("edge")
-	// UMTS
-	NetworkConnectionSubtypeUmts = NetworkConnectionSubtypeKey.String("umts")
-	// CDMA
-	NetworkConnectionSubtypeCdma = NetworkConnectionSubtypeKey.String("cdma")
-	// EVDO Rel. 0
-	NetworkConnectionSubtypeEvdo0 = NetworkConnectionSubtypeKey.String("evdo_0")
-	// EVDO Rev. A
-	NetworkConnectionSubtypeEvdoA = NetworkConnectionSubtypeKey.String("evdo_a")
-	// CDMA2000 1XRTT
-	NetworkConnectionSubtypeCdma20001xrtt = NetworkConnectionSubtypeKey.String("cdma2000_1xrtt")
-	// HSDPA
-	NetworkConnectionSubtypeHsdpa = NetworkConnectionSubtypeKey.String("hsdpa")
-	// HSUPA
-	NetworkConnectionSubtypeHsupa = NetworkConnectionSubtypeKey.String("hsupa")
-	// HSPA
-	NetworkConnectionSubtypeHspa = NetworkConnectionSubtypeKey.String("hspa")
-	// IDEN
-	NetworkConnectionSubtypeIden = NetworkConnectionSubtypeKey.String("iden")
-	// EVDO Rev. B
-	NetworkConnectionSubtypeEvdoB = NetworkConnectionSubtypeKey.String("evdo_b")
-	// LTE
-	NetworkConnectionSubtypeLte = NetworkConnectionSubtypeKey.String("lte")
-	// EHRPD
-	NetworkConnectionSubtypeEhrpd = NetworkConnectionSubtypeKey.String("ehrpd")
-	// HSPAP
-	NetworkConnectionSubtypeHspap = NetworkConnectionSubtypeKey.String("hspap")
-	// GSM
-	NetworkConnectionSubtypeGsm = NetworkConnectionSubtypeKey.String("gsm")
-	// TD-SCDMA
-	NetworkConnectionSubtypeTdScdma = NetworkConnectionSubtypeKey.String("td_scdma")
-	// IWLAN
-	NetworkConnectionSubtypeIwlan = NetworkConnectionSubtypeKey.String("iwlan")
-	// 5G NR (New Radio)
-	NetworkConnectionSubtypeNr = NetworkConnectionSubtypeKey.String("nr")
-	// 5G NRNSA (New Radio Non-Standalone)
-	NetworkConnectionSubtypeNrnsa = NetworkConnectionSubtypeKey.String("nrnsa")
-	// LTE CA
-	NetworkConnectionSubtypeLteCa = NetworkConnectionSubtypeKey.String("lte_ca")
-)
-
-var (
-	// wifi
-	NetworkConnectionTypeWifi = NetworkConnectionTypeKey.String("wifi")
-	// wired
-	NetworkConnectionTypeWired = NetworkConnectionTypeKey.String("wired")
-	// cell
-	NetworkConnectionTypeCell = NetworkConnectionTypeKey.String("cell")
-	// unavailable
-	NetworkConnectionTypeUnavailable = NetworkConnectionTypeKey.String("unavailable")
-	// unknown
-	NetworkConnectionTypeUnknown = NetworkConnectionTypeKey.String("unknown")
-)
-
-var (
-	// transmit
-	NetworkIoDirectionTransmit = NetworkIoDirectionKey.String("transmit")
-	// receive
-	NetworkIoDirectionReceive = NetworkIoDirectionKey.String("receive")
-)
-
-var (
-	// TCP
-	NetworkTransportTCP = NetworkTransportKey.String("tcp")
-	// UDP
-	NetworkTransportUDP = NetworkTransportKey.String("udp")
-	// Named or anonymous pipe
-	NetworkTransportPipe = NetworkTransportKey.String("pipe")
-	// Unix domain socket
-	NetworkTransportUnix = NetworkTransportKey.String("unix")
-)
-
-var (
-	// IPv4
-	NetworkTypeIpv4 = NetworkTypeKey.String("ipv4")
-	// IPv6
-	NetworkTypeIpv6 = NetworkTypeKey.String("ipv6")
-)
-
-// NetworkCarrierIcc returns an attribute KeyValue conforming to the
-// "network.carrier.icc" semantic conventions. It represents the ISO 3166-1
-// alpha-2 2-character country code associated with the mobile carrier network.
-func NetworkCarrierIcc(val string) attribute.KeyValue {
-	return NetworkCarrierIccKey.String(val)
-}
-
-// NetworkCarrierMcc returns an attribute KeyValue conforming to the
-// "network.carrier.mcc" semantic conventions. It represents the mobile carrier
-// country code.
-func NetworkCarrierMcc(val string) attribute.KeyValue {
-	return NetworkCarrierMccKey.String(val)
-}
-
-// NetworkCarrierMnc returns an attribute KeyValue conforming to the
-// "network.carrier.mnc" semantic conventions. It represents the mobile carrier
-// network code.
-func NetworkCarrierMnc(val string) attribute.KeyValue {
-	return NetworkCarrierMncKey.String(val)
-}
-
-// NetworkCarrierName returns an attribute KeyValue conforming to the
-// "network.carrier.name" semantic conventions. It represents the name of the
-// mobile carrier.
-func NetworkCarrierName(val string) attribute.KeyValue {
-	return NetworkCarrierNameKey.String(val)
-}
-
-// NetworkLocalAddress returns an attribute KeyValue conforming to the
-// "network.local.address" semantic conventions. It represents the local
-// address of the network connection - IP address or Unix domain socket name.
-func NetworkLocalAddress(val string) attribute.KeyValue {
-	return NetworkLocalAddressKey.String(val)
-}
-
-// NetworkLocalPort returns an attribute KeyValue conforming to the
-// "network.local.port" semantic conventions. It represents the local port
-// number of the network connection.
-func NetworkLocalPort(val int) attribute.KeyValue {
-	return NetworkLocalPortKey.Int(val)
-}
-
-// NetworkPeerAddress returns an attribute KeyValue conforming to the
-// "network.peer.address" semantic conventions. It represents the peer address
-// of the network connection - IP address or Unix domain socket name.
-func NetworkPeerAddress(val string) attribute.KeyValue {
-	return NetworkPeerAddressKey.String(val)
-}
-
-// NetworkPeerPort returns an attribute KeyValue conforming to the
-// "network.peer.port" semantic conventions. It represents the peer port number
-// of the network connection.
-func NetworkPeerPort(val int) attribute.KeyValue {
-	return NetworkPeerPortKey.Int(val)
-}
-
-// NetworkProtocolName returns an attribute KeyValue conforming to the
-// "network.protocol.name" semantic conventions. It represents the [OSI
-// application layer](https://osi-model.com/application-layer/) or non-OSI
-// equivalent.
-func NetworkProtocolName(val string) attribute.KeyValue {
-	return NetworkProtocolNameKey.String(val)
-}
-
-// NetworkProtocolVersion returns an attribute KeyValue conforming to the
-// "network.protocol.version" semantic conventions. It represents the actual
-// version of the protocol used for network communication.
-func NetworkProtocolVersion(val string) attribute.KeyValue {
-	return NetworkProtocolVersionKey.String(val)
-}
-
-// An OCI image manifest.
-const (
-	// OciManifestDigestKey is the attribute Key conforming to the
-	// "oci.manifest.digest" semantic conventions. It represents the digest of
-	// the OCI image manifest. For container images specifically is the digest
-	// by which the container image is known.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples:
-	// 'sha256:e4ca62c0d62f3e886e684806dfe9d4e0cda60d54986898173c1083856cfda0f4'
-	// Note: Follows [OCI Image Manifest
-	// Specification](https://github.com/opencontainers/image-spec/blob/main/manifest.md),
-	// and specifically the [Digest
-	// property](https://github.com/opencontainers/image-spec/blob/main/descriptor.md#digests).
-	// An example can be found in [Example Image
-	// Manifest](https://docs.docker.com/registry/spec/manifest-v2-2/#example-image-manifest).
-	OciManifestDigestKey = attribute.Key("oci.manifest.digest")
-)
-
-// OciManifestDigest returns an attribute KeyValue conforming to the
-// "oci.manifest.digest" semantic conventions. It represents the digest of the
-// OCI image manifest. For container images specifically is the digest by which
-// the container image is known.
-func OciManifestDigest(val string) attribute.KeyValue {
-	return OciManifestDigestKey.String(val)
-}
-
-// Attributes used by the OpenTracing Shim layer.
-const (
-	// OpentracingRefTypeKey is the attribute Key conforming to the
-	// "opentracing.ref_type" semantic conventions. It represents the
-	// parent-child Reference type
-	//
-	// Type: Enum
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Note: The causal relationship between a child Span and a parent Span.
-	OpentracingRefTypeKey = attribute.Key("opentracing.ref_type")
-)
-
-var (
-	// The parent Span depends on the child Span in some capacity
-	OpentracingRefTypeChildOf = OpentracingRefTypeKey.String("child_of")
-	// The parent Span doesn't depend in any way on the result of the child Span
-	OpentracingRefTypeFollowsFrom = OpentracingRefTypeKey.String("follows_from")
-)
-
-// The operating system (OS) on which the process represented by this resource
-// is running.
-const (
-	// OSBuildIDKey is the attribute Key conforming to the "os.build_id"
-	// semantic conventions. It represents the unique identifier for a
-	// particular build or compilation of the operating system.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'TQ3C.230805.001.B2', '20E247', '22621'
-	OSBuildIDKey = attribute.Key("os.build_id")
-
-	// OSDescriptionKey is the attribute Key conforming to the "os.description"
-	// semantic conventions. It represents the human readable (not intended to
-	// be parsed) OS version information, like e.g. reported by `ver` or
-	// `lsb_release -a` commands.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'Microsoft Windows [Version 10.0.18363.778]', 'Ubuntu 18.04.1
-	// LTS'
-	OSDescriptionKey = attribute.Key("os.description")
-
-	// OSNameKey is the attribute Key conforming to the "os.name" semantic
-	// conventions. It represents the human readable operating system name.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'iOS', 'Android', 'Ubuntu'
-	OSNameKey = attribute.Key("os.name")
-
-	// OSTypeKey is the attribute Key conforming to the "os.type" semantic
-	// conventions. It represents the operating system type.
-	//
-	// Type: Enum
-	// RequirementLevel: Optional
-	// Stability: experimental
-	OSTypeKey = attribute.Key("os.type")
-
-	// OSVersionKey is the attribute Key conforming to the "os.version"
-	// semantic conventions. It represents the version string of the operating
-	// system as defined in [Version
-	// Attributes](/docs/resource/README.md#version-attributes).
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: '14.2.1', '18.04.1'
-	OSVersionKey = attribute.Key("os.version")
-)
-
-var (
-	// Microsoft Windows
-	OSTypeWindows = OSTypeKey.String("windows")
-	// Linux
-	OSTypeLinux = OSTypeKey.String("linux")
-	// Apple Darwin
-	OSTypeDarwin = OSTypeKey.String("darwin")
-	// FreeBSD
-	OSTypeFreeBSD = OSTypeKey.String("freebsd")
-	// NetBSD
-	OSTypeNetBSD = OSTypeKey.String("netbsd")
-	// OpenBSD
-	OSTypeOpenBSD = OSTypeKey.String("openbsd")
-	// DragonFly BSD
-	OSTypeDragonflyBSD = OSTypeKey.String("dragonflybsd")
-	// HP-UX (Hewlett Packard Unix)
-	OSTypeHPUX = OSTypeKey.String("hpux")
-	// AIX (Advanced Interactive eXecutive)
-	OSTypeAIX = OSTypeKey.String("aix")
-	// SunOS, Oracle Solaris
-	OSTypeSolaris = OSTypeKey.String("solaris")
-	// IBM z/OS
-	OSTypeZOS = OSTypeKey.String("z_os")
-)
-
-// OSBuildID returns an attribute KeyValue conforming to the "os.build_id"
-// semantic conventions. It represents the unique identifier for a particular
-// build or compilation of the operating system.
-func OSBuildID(val string) attribute.KeyValue {
-	return OSBuildIDKey.String(val)
-}
-
-// OSDescription returns an attribute KeyValue conforming to the
-// "os.description" semantic conventions. It represents the human readable (not
-// intended to be parsed) OS version information, like e.g. reported by `ver`
-// or `lsb_release -a` commands.
-func OSDescription(val string) attribute.KeyValue {
-	return OSDescriptionKey.String(val)
-}
-
-// OSName returns an attribute KeyValue conforming to the "os.name" semantic
-// conventions. It represents the human readable operating system name.
-func OSName(val string) attribute.KeyValue {
-	return OSNameKey.String(val)
-}
-
-// OSVersion returns an attribute KeyValue conforming to the "os.version"
-// semantic conventions. It represents the version string of the operating
-// system as defined in [Version
-// Attributes](/docs/resource/README.md#version-attributes).
-func OSVersion(val string) attribute.KeyValue {
-	return OSVersionKey.String(val)
-}
-
-// Attributes reserved for OpenTelemetry
-const (
-	// OTelStatusCodeKey is the attribute Key conforming to the
-	// "otel.status_code" semantic conventions. It represents the name of the
-	// code, either "OK" or "ERROR". MUST NOT be set if the status code is
-	// UNSET.
-	//
-	// Type: Enum
-	// RequirementLevel: Optional
-	// Stability: stable
-	OTelStatusCodeKey = attribute.Key("otel.status_code")
-
-	// OTelStatusDescriptionKey is the attribute Key conforming to the
-	// "otel.status_description" semantic conventions. It represents the
-	// description of the Status if it has a value, otherwise not set.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: stable
-	// Examples: 'resource not found'
-	OTelStatusDescriptionKey = attribute.Key("otel.status_description")
-)
-
-var (
-	// The operation has been validated by an Application developer or Operator to have completed successfully
-	OTelStatusCodeOk = OTelStatusCodeKey.String("OK")
-	// The operation contains an error
-	OTelStatusCodeError = OTelStatusCodeKey.String("ERROR")
-)
-
-// OTelStatusDescription returns an attribute KeyValue conforming to the
-// "otel.status_description" semantic conventions. It represents the
-// description of the Status if it has a value, otherwise not set.
-func OTelStatusDescription(val string) attribute.KeyValue {
-	return OTelStatusDescriptionKey.String(val)
-}
-
-// Attributes used by non-OTLP exporters to represent OpenTelemetry Scope's
-// concepts.
-const (
-	// OTelScopeNameKey is the attribute Key conforming to the
-	// "otel.scope.name" semantic conventions. It represents the name of the
-	// instrumentation scope - (`InstrumentationScope.Name` in OTLP).
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: stable
-	// Examples: 'io.opentelemetry.contrib.mongodb'
-	OTelScopeNameKey = attribute.Key("otel.scope.name")
-
-	// OTelScopeVersionKey is the attribute Key conforming to the
-	// "otel.scope.version" semantic conventions. It represents the version of
-	// the instrumentation scope - (`InstrumentationScope.Version` in OTLP).
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: stable
-	// Examples: '1.0.0'
-	OTelScopeVersionKey = attribute.Key("otel.scope.version")
-)
-
-// OTelScopeName returns an attribute KeyValue conforming to the
-// "otel.scope.name" semantic conventions. It represents the name of the
-// instrumentation scope - (`InstrumentationScope.Name` in OTLP).
-func OTelScopeName(val string) attribute.KeyValue {
-	return OTelScopeNameKey.String(val)
-}
-
-// OTelScopeVersion returns an attribute KeyValue conforming to the
-// "otel.scope.version" semantic conventions. It represents the version of the
-// instrumentation scope - (`InstrumentationScope.Version` in OTLP).
-func OTelScopeVersion(val string) attribute.KeyValue {
-	return OTelScopeVersionKey.String(val)
-}
-
-// Operations that access some remote service.
-const (
-	// PeerServiceKey is the attribute Key conforming to the "peer.service"
-	// semantic conventions. It represents the
-	// [`service.name`](/docs/resource/README.md#service) of the remote
-	// service. SHOULD be equal to the actual `service.name` resource attribute
-	// of the remote service if any.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'AuthTokenCache'
-	PeerServiceKey = attribute.Key("peer.service")
-)
-
-// PeerService returns an attribute KeyValue conforming to the
-// "peer.service" semantic conventions. It represents the
-// [`service.name`](/docs/resource/README.md#service) of the remote service.
-// SHOULD be equal to the actual `service.name` resource attribute of the
-// remote service if any.
-func PeerService(val string) attribute.KeyValue {
-	return PeerServiceKey.String(val)
-}
-
-// An operating system process.
-const (
-	// ProcessCommandKey is the attribute Key conforming to the
-	// "process.command" semantic conventions. It represents the command used
-	// to launch the process (i.e. the command name). On Linux based systems,
-	// can be set to the zeroth string in `proc/[pid]/cmdline`. On Windows, can
-	// be set to the first parameter extracted from `GetCommandLineW`.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'cmd/otelcol'
-	ProcessCommandKey = attribute.Key("process.command")
-
-	// ProcessCommandArgsKey is the attribute Key conforming to the
-	// "process.command_args" semantic conventions. It represents the all the
-	// command arguments (including the command/executable itself) as received
-	// by the process. On Linux-based systems (and some other Unixoid systems
-	// supporting procfs), can be set according to the list of null-delimited
-	// strings extracted from `proc/[pid]/cmdline`. For libc-based executables,
-	// this would be the full argv vector passed to `main`.
-	//
-	// Type: string[]
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'cmd/otecol', '--config=config.yaml'
-	ProcessCommandArgsKey = attribute.Key("process.command_args")
-
-	// ProcessCommandLineKey is the attribute Key conforming to the
-	// "process.command_line" semantic conventions. It represents the full
-	// command used to launch the process as a single string representing the
-	// full command. On Windows, can be set to the result of `GetCommandLineW`.
-	// Do not set this if you have to assemble it just for monitoring; use
-	// `process.command_args` instead.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'C:\\cmd\\otecol --config="my directory\\config.yaml"'
-	ProcessCommandLineKey = attribute.Key("process.command_line")
-
-	// ProcessContextSwitchTypeKey is the attribute Key conforming to the
-	// "process.context_switch_type" semantic conventions. It represents the
-	// specifies whether the context switches for this data point were
-	// voluntary or involuntary.
-	//
-	// Type: Enum
-	// RequirementLevel: Optional
-	// Stability: experimental
-	ProcessContextSwitchTypeKey = attribute.Key("process.context_switch_type")
-
-	// ProcessCreationTimeKey is the attribute Key conforming to the
-	// "process.creation.time" semantic conventions. It represents the date and
-	// time the process was created, in ISO 8601 format.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: '2023-11-21T09:25:34.853Z'
-	ProcessCreationTimeKey = attribute.Key("process.creation.time")
-
-	// ProcessExecutableNameKey is the attribute Key conforming to the
-	// "process.executable.name" semantic conventions. It represents the name
-	// of the process executable. On Linux based systems, can be set to the
-	// `Name` in `proc/[pid]/status`. On Windows, can be set to the base name
-	// of `GetProcessImageFileNameW`.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'otelcol'
-	ProcessExecutableNameKey = attribute.Key("process.executable.name")
-
-	// ProcessExecutablePathKey is the attribute Key conforming to the
-	// "process.executable.path" semantic conventions. It represents the full
-	// path to the process executable. On Linux based systems, can be set to
-	// the target of `proc/[pid]/exe`. On Windows, can be set to the result of
-	// `GetProcessImageFileNameW`.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: '/usr/bin/cmd/otelcol'
-	ProcessExecutablePathKey = attribute.Key("process.executable.path")
-
-	// ProcessExitCodeKey is the attribute Key conforming to the
-	// "process.exit.code" semantic conventions. It represents the exit code of
-	// the process.
-	//
-	// Type: int
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 127
-	ProcessExitCodeKey = attribute.Key("process.exit.code")
-
-	// ProcessExitTimeKey is the attribute Key conforming to the
-	// "process.exit.time" semantic conventions. It represents the date and
-	// time the process exited, in ISO 8601 format.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: '2023-11-21T09:26:12.315Z'
-	ProcessExitTimeKey = attribute.Key("process.exit.time")
-
-	// ProcessGroupLeaderPIDKey is the attribute Key conforming to the
-	// "process.group_leader.pid" semantic conventions. It represents the PID
-	// of the process's group leader. This is also the process group ID (PGID)
-	// of the process.
-	//
-	// Type: int
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 23
-	ProcessGroupLeaderPIDKey = attribute.Key("process.group_leader.pid")
-
-	// ProcessInteractiveKey is the attribute Key conforming to the
-	// "process.interactive" semantic conventions. It represents the whether
-	// the process is connected to an interactive shell.
-	//
-	// Type: boolean
-	// RequirementLevel: Optional
-	// Stability: experimental
-	ProcessInteractiveKey = attribute.Key("process.interactive")
-
-	// ProcessOwnerKey is the attribute Key conforming to the "process.owner"
-	// semantic conventions. It represents the username of the user that owns
-	// the process.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'root'
-	ProcessOwnerKey = attribute.Key("process.owner")
-
-	// ProcessPagingFaultTypeKey is the attribute Key conforming to the
-	// "process.paging.fault_type" semantic conventions. It represents the type
-	// of page fault for this data point. Type `major` is for major/hard page
-	// faults, and `minor` is for minor/soft page faults.
-	//
-	// Type: Enum
-	// RequirementLevel: Optional
-	// Stability: experimental
-	ProcessPagingFaultTypeKey = attribute.Key("process.paging.fault_type")
-
-	// ProcessParentPIDKey is the attribute Key conforming to the
-	// "process.parent_pid" semantic conventions. It represents the parent
-	// Process identifier (PPID).
-	//
-	// Type: int
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 111
-	ProcessParentPIDKey = attribute.Key("process.parent_pid")
-
-	// ProcessPIDKey is the attribute Key conforming to the "process.pid"
-	// semantic conventions. It represents the process identifier (PID).
-	//
-	// Type: int
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 1234
-	ProcessPIDKey = attribute.Key("process.pid")
-
-	// ProcessRealUserIDKey is the attribute Key conforming to the
-	// "process.real_user.id" semantic conventions. It represents the real user
-	// ID (RUID) of the process.
-	//
-	// Type: int
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 1000
-	ProcessRealUserIDKey = attribute.Key("process.real_user.id")
-
-	// ProcessRealUserNameKey is the attribute Key conforming to the
-	// "process.real_user.name" semantic conventions. It represents the
-	// username of the real user of the process.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'operator'
-	ProcessRealUserNameKey = attribute.Key("process.real_user.name")
-
-	// ProcessRuntimeDescriptionKey is the attribute Key conforming to the
-	// "process.runtime.description" semantic conventions. It represents an
-	// additional description about the runtime of the process, for example a
-	// specific vendor customization of the runtime environment.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'Eclipse OpenJ9 Eclipse OpenJ9 VM openj9-0.21.0'
-	ProcessRuntimeDescriptionKey = attribute.Key("process.runtime.description")
-
-	// ProcessRuntimeNameKey is the attribute Key conforming to the
-	// "process.runtime.name" semantic conventions. It represents the name of
-	// the runtime of this process. For compiled native binaries, this SHOULD
-	// be the name of the compiler.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'OpenJDK Runtime Environment'
-	ProcessRuntimeNameKey = attribute.Key("process.runtime.name")
-
-	// ProcessRuntimeVersionKey is the attribute Key conforming to the
-	// "process.runtime.version" semantic conventions. It represents the
-	// version of the runtime of this process, as returned by the runtime
-	// without modification.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: '14.0.2'
-	ProcessRuntimeVersionKey = attribute.Key("process.runtime.version")
-
-	// ProcessSavedUserIDKey is the attribute Key conforming to the
-	// "process.saved_user.id" semantic conventions. It represents the saved
-	// user ID (SUID) of the process.
-	//
-	// Type: int
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 1002
-	ProcessSavedUserIDKey = attribute.Key("process.saved_user.id")
-
-	// ProcessSavedUserNameKey is the attribute Key conforming to the
-	// "process.saved_user.name" semantic conventions. It represents the
-	// username of the saved user.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'operator'
-	ProcessSavedUserNameKey = attribute.Key("process.saved_user.name")
-
-	// ProcessSessionLeaderPIDKey is the attribute Key conforming to the
-	// "process.session_leader.pid" semantic conventions. It represents the PID
-	// of the process's session leader. This is also the session ID (SID) of
-	// the process.
-	//
-	// Type: int
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 14
-	ProcessSessionLeaderPIDKey = attribute.Key("process.session_leader.pid")
-
-	// ProcessUserIDKey is the attribute Key conforming to the
-	// "process.user.id" semantic conventions. It represents the effective user
-	// ID (EUID) of the process.
-	//
-	// Type: int
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 1001
-	ProcessUserIDKey = attribute.Key("process.user.id")
-
-	// ProcessUserNameKey is the attribute Key conforming to the
-	// "process.user.name" semantic conventions. It represents the username of
-	// the effective user of the process.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'root'
-	ProcessUserNameKey = attribute.Key("process.user.name")
-
-	// ProcessVpidKey is the attribute Key conforming to the "process.vpid"
-	// semantic conventions. It represents the virtual process identifier.
-	//
-	// Type: int
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 12
-	// Note: The process ID within a PID namespace. This is not necessarily
-	// unique across all processes on the host but it is unique within the
-	// process namespace that the process exists within.
-	ProcessVpidKey = attribute.Key("process.vpid")
-)
-
-var (
-	// voluntary
-	ProcessContextSwitchTypeVoluntary = ProcessContextSwitchTypeKey.String("voluntary")
-	// involuntary
-	ProcessContextSwitchTypeInvoluntary = ProcessContextSwitchTypeKey.String("involuntary")
-)
-
-var (
-	// major
-	ProcessPagingFaultTypeMajor = ProcessPagingFaultTypeKey.String("major")
-	// minor
-	ProcessPagingFaultTypeMinor = ProcessPagingFaultTypeKey.String("minor")
-)
-
-// ProcessCommand returns an attribute KeyValue conforming to the
-// "process.command" semantic conventions. It represents the command used to
-// launch the process (i.e. the command name). On Linux based systems, can be
-// set to the zeroth string in `proc/[pid]/cmdline`. On Windows, can be set to
-// the first parameter extracted from `GetCommandLineW`.
-func ProcessCommand(val string) attribute.KeyValue {
-	return ProcessCommandKey.String(val)
-}
-
-// ProcessCommandArgs returns an attribute KeyValue conforming to the
-// "process.command_args" semantic conventions. It represents the all the
-// command arguments (including the command/executable itself) as received by
-// the process. On Linux-based systems (and some other Unixoid systems
-// supporting procfs), can be set according to the list of null-delimited
-// strings extracted from `proc/[pid]/cmdline`. For libc-based executables,
-// this would be the full argv vector passed to `main`.
-func ProcessCommandArgs(val ...string) attribute.KeyValue {
-	return ProcessCommandArgsKey.StringSlice(val)
-}
-
-// ProcessCommandLine returns an attribute KeyValue conforming to the
-// "process.command_line" semantic conventions. It represents the full command
-// used to launch the process as a single string representing the full command.
-// On Windows, can be set to the result of `GetCommandLineW`. Do not set this
-// if you have to assemble it just for monitoring; use `process.command_args`
-// instead.
-func ProcessCommandLine(val string) attribute.KeyValue {
-	return ProcessCommandLineKey.String(val)
-}
-
-// ProcessCreationTime returns an attribute KeyValue conforming to the
-// "process.creation.time" semantic conventions. It represents the date and
-// time the process was created, in ISO 8601 format.
-func ProcessCreationTime(val string) attribute.KeyValue {
-	return ProcessCreationTimeKey.String(val)
-}
-
-// ProcessExecutableName returns an attribute KeyValue conforming to the
-// "process.executable.name" semantic conventions. It represents the name of
-// the process executable. On Linux based systems, can be set to the `Name` in
-// `proc/[pid]/status`. On Windows, can be set to the base name of
-// `GetProcessImageFileNameW`.
-func ProcessExecutableName(val string) attribute.KeyValue {
-	return ProcessExecutableNameKey.String(val)
-}
-
-// ProcessExecutablePath returns an attribute KeyValue conforming to the
-// "process.executable.path" semantic conventions. It represents the full path
-// to the process executable. On Linux based systems, can be set to the target
-// of `proc/[pid]/exe`. On Windows, can be set to the result of
-// `GetProcessImageFileNameW`.
-func ProcessExecutablePath(val string) attribute.KeyValue {
-	return ProcessExecutablePathKey.String(val)
-}
-
-// ProcessExitCode returns an attribute KeyValue conforming to the
-// "process.exit.code" semantic conventions. It represents the exit code of the
-// process.
-func ProcessExitCode(val int) attribute.KeyValue {
-	return ProcessExitCodeKey.Int(val)
-}
-
-// ProcessExitTime returns an attribute KeyValue conforming to the
-// "process.exit.time" semantic conventions. It represents the date and time
-// the process exited, in ISO 8601 format.
-func ProcessExitTime(val string) attribute.KeyValue {
-	return ProcessExitTimeKey.String(val)
-}
-
-// ProcessGroupLeaderPID returns an attribute KeyValue conforming to the
-// "process.group_leader.pid" semantic conventions. It represents the PID of
-// the process's group leader. This is also the process group ID (PGID) of the
-// process.
-func ProcessGroupLeaderPID(val int) attribute.KeyValue {
-	return ProcessGroupLeaderPIDKey.Int(val)
-}
-
-// ProcessInteractive returns an attribute KeyValue conforming to the
-// "process.interactive" semantic conventions. It represents the whether the
-// process is connected to an interactive shell.
-func ProcessInteractive(val bool) attribute.KeyValue {
-	return ProcessInteractiveKey.Bool(val)
-}
-
-// ProcessOwner returns an attribute KeyValue conforming to the
-// "process.owner" semantic conventions. It represents the username of the user
-// that owns the process.
-func ProcessOwner(val string) attribute.KeyValue {
-	return ProcessOwnerKey.String(val)
-}
-
-// ProcessParentPID returns an attribute KeyValue conforming to the
-// "process.parent_pid" semantic conventions. It represents the parent Process
-// identifier (PPID).
-func ProcessParentPID(val int) attribute.KeyValue {
-	return ProcessParentPIDKey.Int(val)
-}
-
-// ProcessPID returns an attribute KeyValue conforming to the "process.pid"
-// semantic conventions. It represents the process identifier (PID).
-func ProcessPID(val int) attribute.KeyValue {
-	return ProcessPIDKey.Int(val)
-}
-
-// ProcessRealUserID returns an attribute KeyValue conforming to the
-// "process.real_user.id" semantic conventions. It represents the real user ID
-// (RUID) of the process.
-func ProcessRealUserID(val int) attribute.KeyValue {
-	return ProcessRealUserIDKey.Int(val)
-}
-
-// ProcessRealUserName returns an attribute KeyValue conforming to the
-// "process.real_user.name" semantic conventions. It represents the username of
-// the real user of the process.
-func ProcessRealUserName(val string) attribute.KeyValue {
-	return ProcessRealUserNameKey.String(val)
-}
-
-// ProcessRuntimeDescription returns an attribute KeyValue conforming to the
-// "process.runtime.description" semantic conventions. It represents an
-// additional description about the runtime of the process, for example a
-// specific vendor customization of the runtime environment.
-func ProcessRuntimeDescription(val string) attribute.KeyValue {
-	return ProcessRuntimeDescriptionKey.String(val)
-}
-
-// ProcessRuntimeName returns an attribute KeyValue conforming to the
-// "process.runtime.name" semantic conventions. It represents the name of the
-// runtime of this process. For compiled native binaries, this SHOULD be the
-// name of the compiler.
-func ProcessRuntimeName(val string) attribute.KeyValue {
-	return ProcessRuntimeNameKey.String(val)
-}
-
-// ProcessRuntimeVersion returns an attribute KeyValue conforming to the
-// "process.runtime.version" semantic conventions. It represents the version of
-// the runtime of this process, as returned by the runtime without
-// modification.
-func ProcessRuntimeVersion(val string) attribute.KeyValue {
-	return ProcessRuntimeVersionKey.String(val)
-}
-
-// ProcessSavedUserID returns an attribute KeyValue conforming to the
-// "process.saved_user.id" semantic conventions. It represents the saved user
-// ID (SUID) of the process.
-func ProcessSavedUserID(val int) attribute.KeyValue {
-	return ProcessSavedUserIDKey.Int(val)
-}
-
-// ProcessSavedUserName returns an attribute KeyValue conforming to the
-// "process.saved_user.name" semantic conventions. It represents the username
-// of the saved user.
-func ProcessSavedUserName(val string) attribute.KeyValue {
-	return ProcessSavedUserNameKey.String(val)
-}
-
-// ProcessSessionLeaderPID returns an attribute KeyValue conforming to the
-// "process.session_leader.pid" semantic conventions. It represents the PID of
-// the process's session leader. This is also the session ID (SID) of the
-// process.
-func ProcessSessionLeaderPID(val int) attribute.KeyValue {
-	return ProcessSessionLeaderPIDKey.Int(val)
-}
-
-// ProcessUserID returns an attribute KeyValue conforming to the
-// "process.user.id" semantic conventions. It represents the effective user ID
-// (EUID) of the process.
-func ProcessUserID(val int) attribute.KeyValue {
-	return ProcessUserIDKey.Int(val)
-}
-
-// ProcessUserName returns an attribute KeyValue conforming to the
-// "process.user.name" semantic conventions. It represents the username of the
-// effective user of the process.
-func ProcessUserName(val string) attribute.KeyValue {
-	return ProcessUserNameKey.String(val)
-}
-
-// ProcessVpid returns an attribute KeyValue conforming to the
-// "process.vpid" semantic conventions. It represents the virtual process
-// identifier.
-func ProcessVpid(val int) attribute.KeyValue {
-	return ProcessVpidKey.Int(val)
-}
-
-// Attributes for process CPU
-const (
-	// ProcessCPUStateKey is the attribute Key conforming to the
-	// "process.cpu.state" semantic conventions. It represents the CPU state of
-	// the process.
-	//
-	// Type: Enum
-	// RequirementLevel: Optional
-	// Stability: experimental
-	ProcessCPUStateKey = attribute.Key("process.cpu.state")
-)
-
-var (
-	// system
-	ProcessCPUStateSystem = ProcessCPUStateKey.String("system")
-	// user
-	ProcessCPUStateUser = ProcessCPUStateKey.String("user")
-	// wait
-	ProcessCPUStateWait = ProcessCPUStateKey.String("wait")
-)
-
-// Attributes for remote procedure calls.
-const (
-	// RPCConnectRPCErrorCodeKey is the attribute Key conforming to the
-	// "rpc.connect_rpc.error_code" semantic conventions. It represents the
-	// [error codes](https://connect.build/docs/protocol/#error-codes) of the
-	// Connect request. Error codes are always string values.
-	//
-	// Type: Enum
-	// RequirementLevel: Optional
-	// Stability: experimental
-	RPCConnectRPCErrorCodeKey = attribute.Key("rpc.connect_rpc.error_code")
-
-	// RPCGRPCStatusCodeKey is the attribute Key conforming to the
-	// "rpc.grpc.status_code" semantic conventions. It represents the [numeric
-	// status
-	// code](https://github.com/grpc/grpc/blob/v1.33.2/doc/statuscodes.md) of
-	// the gRPC request.
-	//
-	// Type: Enum
-	// RequirementLevel: Optional
-	// Stability: experimental
-	RPCGRPCStatusCodeKey = attribute.Key("rpc.grpc.status_code")
-
-	// RPCJsonrpcErrorCodeKey is the attribute Key conforming to the
-	// "rpc.jsonrpc.error_code" semantic conventions. It represents the
-	// `error.code` property of response if it is an error response.
-	//
-	// Type: int
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: -32700, 100
-	RPCJsonrpcErrorCodeKey = attribute.Key("rpc.jsonrpc.error_code")
-
-	// RPCJsonrpcErrorMessageKey is the attribute Key conforming to the
-	// "rpc.jsonrpc.error_message" semantic conventions. It represents the
-	// `error.message` property of response if it is an error response.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'Parse error', 'User already exists'
-	RPCJsonrpcErrorMessageKey = attribute.Key("rpc.jsonrpc.error_message")
-
-	// RPCJsonrpcRequestIDKey is the attribute Key conforming to the
-	// "rpc.jsonrpc.request_id" semantic conventions. It represents the `id`
-	// property of request or response. Since protocol allows id to be int,
-	// string, `null` or missing (for notifications), value is expected to be
-	// cast to string for simplicity. Use empty string in case of `null` value.
-	// Omit entirely if this is a notification.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: '10', 'request-7', ''
-	RPCJsonrpcRequestIDKey = attribute.Key("rpc.jsonrpc.request_id")
-
-	// RPCJsonrpcVersionKey is the attribute Key conforming to the
-	// "rpc.jsonrpc.version" semantic conventions. It represents the protocol
-	// version as in `jsonrpc` property of request/response. Since JSON-RPC 1.0
-	// doesn't specify this, the value can be omitted.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: '2.0', '1.0'
-	RPCJsonrpcVersionKey = attribute.Key("rpc.jsonrpc.version")
-
-	// RPCMessageCompressedSizeKey is the attribute Key conforming to the
-	// "rpc.message.compressed_size" semantic conventions. It represents the
-	// compressed size of the message in bytes.
-	//
-	// Type: int
-	// RequirementLevel: Optional
-	// Stability: experimental
-	RPCMessageCompressedSizeKey = attribute.Key("rpc.message.compressed_size")
-
-	// RPCMessageIDKey is the attribute Key conforming to the "rpc.message.id"
-	// semantic conventions. It represents the mUST be calculated as two
-	// different counters starting from `1` one for sent messages and one for
-	// received message.
-	//
-	// Type: int
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Note: This way we guarantee that the values will be consistent between
-	// different implementations.
-	RPCMessageIDKey = attribute.Key("rpc.message.id")
-
-	// RPCMessageTypeKey is the attribute Key conforming to the
-	// "rpc.message.type" semantic conventions. It represents the whether this
-	// is a received or sent message.
-	//
-	// Type: Enum
-	// RequirementLevel: Optional
-	// Stability: experimental
-	RPCMessageTypeKey = attribute.Key("rpc.message.type")
-
-	// RPCMessageUncompressedSizeKey is the attribute Key conforming to the
-	// "rpc.message.uncompressed_size" semantic conventions. It represents the
-	// uncompressed size of the message in bytes.
-	//
-	// Type: int
-	// RequirementLevel: Optional
-	// Stability: experimental
-	RPCMessageUncompressedSizeKey = attribute.Key("rpc.message.uncompressed_size")
-
-	// RPCMethodKey is the attribute Key conforming to the "rpc.method"
-	// semantic conventions. It represents the name of the (logical) method
-	// being called, must be equal to the $method part in the span name.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'exampleMethod'
-	// Note: This is the logical name of the method from the RPC interface
-	// perspective, which can be different from the name of any implementing
-	// method/function. The `code.function` attribute may be used to store the
-	// latter (e.g., method actually executing the call on the server side, RPC
-	// client stub method on the client side).
-	RPCMethodKey = attribute.Key("rpc.method")
-
-	// RPCServiceKey is the attribute Key conforming to the "rpc.service"
-	// semantic conventions. It represents the full (logical) name of the
-	// service being called, including its package name, if applicable.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'myservice.EchoService'
-	// Note: This is the logical name of the service from the RPC interface
-	// perspective, which can be different from the name of any implementing
-	// class. The `code.namespace` attribute may be used to store the latter
-	// (despite the attribute name, it may include a class name; e.g., class
-	// with method actually executing the call on the server side, RPC client
-	// stub class on the client side).
-	RPCServiceKey = attribute.Key("rpc.service")
-
-	// RPCSystemKey is the attribute Key conforming to the "rpc.system"
-	// semantic conventions. It represents a string identifying the remoting
-	// system. See below for a list of well-known identifiers.
-	//
-	// Type: Enum
-	// RequirementLevel: Optional
-	// Stability: experimental
-	RPCSystemKey = attribute.Key("rpc.system")
-)
-
-var (
-	// cancelled
-	RPCConnectRPCErrorCodeCancelled = RPCConnectRPCErrorCodeKey.String("cancelled")
-	// unknown
-	RPCConnectRPCErrorCodeUnknown = RPCConnectRPCErrorCodeKey.String("unknown")
-	// invalid_argument
-	RPCConnectRPCErrorCodeInvalidArgument = RPCConnectRPCErrorCodeKey.String("invalid_argument")
-	// deadline_exceeded
-	RPCConnectRPCErrorCodeDeadlineExceeded = RPCConnectRPCErrorCodeKey.String("deadline_exceeded")
-	// not_found
-	RPCConnectRPCErrorCodeNotFound = RPCConnectRPCErrorCodeKey.String("not_found")
-	// already_exists
-	RPCConnectRPCErrorCodeAlreadyExists = RPCConnectRPCErrorCodeKey.String("already_exists")
-	// permission_denied
-	RPCConnectRPCErrorCodePermissionDenied = RPCConnectRPCErrorCodeKey.String("permission_denied")
-	// resource_exhausted
-	RPCConnectRPCErrorCodeResourceExhausted = RPCConnectRPCErrorCodeKey.String("resource_exhausted")
-	// failed_precondition
-	RPCConnectRPCErrorCodeFailedPrecondition = RPCConnectRPCErrorCodeKey.String("failed_precondition")
-	// aborted
-	RPCConnectRPCErrorCodeAborted = RPCConnectRPCErrorCodeKey.String("aborted")
-	// out_of_range
-	RPCConnectRPCErrorCodeOutOfRange = RPCConnectRPCErrorCodeKey.String("out_of_range")
-	// unimplemented
-	RPCConnectRPCErrorCodeUnimplemented = RPCConnectRPCErrorCodeKey.String("unimplemented")
-	// internal
-	RPCConnectRPCErrorCodeInternal = RPCConnectRPCErrorCodeKey.String("internal")
-	// unavailable
-	RPCConnectRPCErrorCodeUnavailable = RPCConnectRPCErrorCodeKey.String("unavailable")
-	// data_loss
-	RPCConnectRPCErrorCodeDataLoss = RPCConnectRPCErrorCodeKey.String("data_loss")
-	// unauthenticated
-	RPCConnectRPCErrorCodeUnauthenticated = RPCConnectRPCErrorCodeKey.String("unauthenticated")
-)
-
-var (
-	// OK
-	RPCGRPCStatusCodeOk = RPCGRPCStatusCodeKey.Int(0)
-	// CANCELLED
-	RPCGRPCStatusCodeCancelled = RPCGRPCStatusCodeKey.Int(1)
-	// UNKNOWN
-	RPCGRPCStatusCodeUnknown = RPCGRPCStatusCodeKey.Int(2)
-	// INVALID_ARGUMENT
-	RPCGRPCStatusCodeInvalidArgument = RPCGRPCStatusCodeKey.Int(3)
-	// DEADLINE_EXCEEDED
-	RPCGRPCStatusCodeDeadlineExceeded = RPCGRPCStatusCodeKey.Int(4)
-	// NOT_FOUND
-	RPCGRPCStatusCodeNotFound = RPCGRPCStatusCodeKey.Int(5)
-	// ALREADY_EXISTS
-	RPCGRPCStatusCodeAlreadyExists = RPCGRPCStatusCodeKey.Int(6)
-	// PERMISSION_DENIED
-	RPCGRPCStatusCodePermissionDenied = RPCGRPCStatusCodeKey.Int(7)
-	// RESOURCE_EXHAUSTED
-	RPCGRPCStatusCodeResourceExhausted = RPCGRPCStatusCodeKey.Int(8)
-	// FAILED_PRECONDITION
-	RPCGRPCStatusCodeFailedPrecondition = RPCGRPCStatusCodeKey.Int(9)
-	// ABORTED
-	RPCGRPCStatusCodeAborted = RPCGRPCStatusCodeKey.Int(10)
-	// OUT_OF_RANGE
-	RPCGRPCStatusCodeOutOfRange = RPCGRPCStatusCodeKey.Int(11)
-	// UNIMPLEMENTED
-	RPCGRPCStatusCodeUnimplemented = RPCGRPCStatusCodeKey.Int(12)
-	// INTERNAL
-	RPCGRPCStatusCodeInternal = RPCGRPCStatusCodeKey.Int(13)
-	// UNAVAILABLE
-	RPCGRPCStatusCodeUnavailable = RPCGRPCStatusCodeKey.Int(14)
-	// DATA_LOSS
-	RPCGRPCStatusCodeDataLoss = RPCGRPCStatusCodeKey.Int(15)
-	// UNAUTHENTICATED
-	RPCGRPCStatusCodeUnauthenticated = RPCGRPCStatusCodeKey.Int(16)
-)
-
-var (
-	// sent
-	RPCMessageTypeSent = RPCMessageTypeKey.String("SENT")
-	// received
-	RPCMessageTypeReceived = RPCMessageTypeKey.String("RECEIVED")
-)
-
-var (
-	// gRPC
-	RPCSystemGRPC = RPCSystemKey.String("grpc")
-	// Java RMI
-	RPCSystemJavaRmi = RPCSystemKey.String("java_rmi")
-	// .NET WCF
-	RPCSystemDotnetWcf = RPCSystemKey.String("dotnet_wcf")
-	// Apache Dubbo
-	RPCSystemApacheDubbo = RPCSystemKey.String("apache_dubbo")
-	// Connect RPC
-	RPCSystemConnectRPC = RPCSystemKey.String("connect_rpc")
-)
-
-// RPCJsonrpcErrorCode returns an attribute KeyValue conforming to the
-// "rpc.jsonrpc.error_code" semantic conventions. It represents the
-// `error.code` property of response if it is an error response.
-func RPCJsonrpcErrorCode(val int) attribute.KeyValue {
-	return RPCJsonrpcErrorCodeKey.Int(val)
-}
-
-// RPCJsonrpcErrorMessage returns an attribute KeyValue conforming to the
-// "rpc.jsonrpc.error_message" semantic conventions. It represents the
-// `error.message` property of response if it is an error response.
-func RPCJsonrpcErrorMessage(val string) attribute.KeyValue {
-	return RPCJsonrpcErrorMessageKey.String(val)
-}
-
-// RPCJsonrpcRequestID returns an attribute KeyValue conforming to the
-// "rpc.jsonrpc.request_id" semantic conventions. It represents the `id`
-// property of request or response. Since protocol allows id to be int, string,
-// `null` or missing (for notifications), value is expected to be cast to
-// string for simplicity. Use empty string in case of `null` value. Omit
-// entirely if this is a notification.
-func RPCJsonrpcRequestID(val string) attribute.KeyValue {
-	return RPCJsonrpcRequestIDKey.String(val)
-}
-
-// RPCJsonrpcVersion returns an attribute KeyValue conforming to the
-// "rpc.jsonrpc.version" semantic conventions. It represents the protocol
-// version as in `jsonrpc` property of request/response. Since JSON-RPC 1.0
-// doesn't specify this, the value can be omitted.
-func RPCJsonrpcVersion(val string) attribute.KeyValue {
-	return RPCJsonrpcVersionKey.String(val)
-}
-
-// RPCMessageCompressedSize returns an attribute KeyValue conforming to the
-// "rpc.message.compressed_size" semantic conventions. It represents the
-// compressed size of the message in bytes.
-func RPCMessageCompressedSize(val int) attribute.KeyValue {
-	return RPCMessageCompressedSizeKey.Int(val)
-}
-
-// RPCMessageID returns an attribute KeyValue conforming to the
-// "rpc.message.id" semantic conventions. It represents the mUST be calculated
-// as two different counters starting from `1` one for sent messages and one
-// for received message.
-func RPCMessageID(val int) attribute.KeyValue {
-	return RPCMessageIDKey.Int(val)
-}
-
-// RPCMessageUncompressedSize returns an attribute KeyValue conforming to
-// the "rpc.message.uncompressed_size" semantic conventions. It represents the
-// uncompressed size of the message in bytes.
-func RPCMessageUncompressedSize(val int) attribute.KeyValue {
-	return RPCMessageUncompressedSizeKey.Int(val)
-}
-
-// RPCMethod returns an attribute KeyValue conforming to the "rpc.method"
-// semantic conventions. It represents the name of the (logical) method being
-// called, must be equal to the $method part in the span name.
-func RPCMethod(val string) attribute.KeyValue {
-	return RPCMethodKey.String(val)
-}
-
-// RPCService returns an attribute KeyValue conforming to the "rpc.service"
-// semantic conventions. It represents the full (logical) name of the service
-// being called, including its package name, if applicable.
-func RPCService(val string) attribute.KeyValue {
-	return RPCServiceKey.String(val)
-}
-
-// These attributes may be used to describe the server in a connection-based
-// network interaction where there is one side that initiates the connection
-// (the client is the side that initiates the connection). This covers all TCP
-// network interactions since TCP is connection-based and one side initiates
-// the connection (an exception is made for peer-to-peer communication over TCP
-// where the "user-facing" surface of the protocol / API doesn't expose a clear
-// notion of client and server). This also covers UDP network interactions
-// where one side initiates the interaction, e.g. QUIC (HTTP/3) and DNS.
-const (
-	// ServerAddressKey is the attribute Key conforming to the "server.address"
-	// semantic conventions. It represents the server domain name if available
-	// without reverse DNS lookup; otherwise, IP address or Unix domain socket
-	// name.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: stable
-	// Examples: 'example.com', '10.1.2.80', '/tmp/my.sock'
-	// Note: When observed from the client side, and when communicating through
-	// an intermediary, `server.address` SHOULD represent the server address
-	// behind any intermediaries, for example proxies, if it's available.
-	ServerAddressKey = attribute.Key("server.address")
-
-	// ServerPortKey is the attribute Key conforming to the "server.port"
-	// semantic conventions. It represents the server port number.
-	//
-	// Type: int
-	// RequirementLevel: Optional
-	// Stability: stable
-	// Examples: 80, 8080, 443
-	// Note: When observed from the client side, and when communicating through
-	// an intermediary, `server.port` SHOULD represent the server port behind
-	// any intermediaries, for example proxies, if it's available.
-	ServerPortKey = attribute.Key("server.port")
-)
-
-// ServerAddress returns an attribute KeyValue conforming to the
-// "server.address" semantic conventions. It represents the server domain name
-// if available without reverse DNS lookup; otherwise, IP address or Unix
-// domain socket name.
-func ServerAddress(val string) attribute.KeyValue {
-	return ServerAddressKey.String(val)
-}
-
-// ServerPort returns an attribute KeyValue conforming to the "server.port"
-// semantic conventions. It represents the server port number.
-func ServerPort(val int) attribute.KeyValue {
-	return ServerPortKey.Int(val)
-}
-
-// A service instance.
-const (
-	// ServiceInstanceIDKey is the attribute Key conforming to the
-	// "service.instance.id" semantic conventions. It represents the string ID
-	// of the service instance.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: '627cc493-f310-47de-96bd-71410b7dec09'
-	// Note: MUST be unique for each instance of the same
-	// `service.namespace,service.name` pair (in other words
-	// `service.namespace,service.name,service.instance.id` triplet MUST be
-	// globally unique). The ID helps to
-	// distinguish instances of the same service that exist at the same time
-	// (e.g. instances of a horizontally scaled
-	// service).
-	//
-	// Implementations, such as SDKs, are recommended to generate a random
-	// Version 1 or Version 4 [RFC
-	// 4122](https://www.ietf.org/rfc/rfc4122.txt) UUID, but are free to use an
-	// inherent unique ID as the source of
-	// this value if stability is desirable. In that case, the ID SHOULD be
-	// used as source of a UUID Version 5 and
-	// SHOULD use the following UUID as the namespace:
-	// `4d63009a-8d0f-11ee-aad7-4c796ed8e320`.
-	//
-	// UUIDs are typically recommended, as only an opaque value for the
-	// purposes of identifying a service instance is
-	// needed. Similar to what can be seen in the man page for the
-	// [`/etc/machine-id`](https://www.freedesktop.org/software/systemd/man/machine-id.html)
-	// file, the underlying
-	// data, such as pod name and namespace should be treated as confidential,
-	// being the user's choice to expose it
-	// or not via another resource attribute.
-	//
-	// For applications running behind an application server (like unicorn), we
-	// do not recommend using one identifier
-	// for all processes participating in the application. Instead, it's
-	// recommended each division (e.g. a worker
-	// thread in unicorn) to have its own instance.id.
-	//
-	// It's not recommended for a Collector to set `service.instance.id` if it
-	// can't unambiguously determine the
-	// service instance that is generating that telemetry. For instance,
-	// creating an UUID based on `pod.name` will
-	// likely be wrong, as the Collector might not know from which container
-	// within that pod the telemetry originated.
-	// However, Collectors can set the `service.instance.id` if they can
-	// unambiguously determine the service instance
-	// for that telemetry. This is typically the case for scraping receivers,
-	// as they know the target address and
-	// port.
-	ServiceInstanceIDKey = attribute.Key("service.instance.id")
-
-	// ServiceNameKey is the attribute Key conforming to the "service.name"
-	// semantic conventions. It represents the logical name of the service.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: stable
-	// Examples: 'shoppingcart'
-	// Note: MUST be the same for all instances of horizontally scaled
-	// services. If the value was not specified, SDKs MUST fallback to
-	// `unknown_service:` concatenated with
-	// [`process.executable.name`](process.md), e.g. `unknown_service:bash`. If
-	// `process.executable.name` is not available, the value MUST be set to
-	// `unknown_service`.
-	ServiceNameKey = attribute.Key("service.name")
-
-	// ServiceNamespaceKey is the attribute Key conforming to the
-	// "service.namespace" semantic conventions. It represents a namespace for
-	// `service.name`.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'Shop'
-	// Note: A string value having a meaning that helps to distinguish a group
-	// of services, for example the team name that owns a group of services.
-	// `service.name` is expected to be unique within the same namespace. If
-	// `service.namespace` is not specified in the Resource then `service.name`
-	// is expected to be unique for all services that have no explicit
-	// namespace defined (so the empty/unspecified namespace is simply one more
-	// valid namespace). Zero-length namespace string is assumed equal to
-	// unspecified namespace.
-	ServiceNamespaceKey = attribute.Key("service.namespace")
-
-	// ServiceVersionKey is the attribute Key conforming to the
-	// "service.version" semantic conventions. It represents the version string
-	// of the service API or implementation. The format is not defined by these
-	// conventions.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: stable
-	// Examples: '2.0.0', 'a01dbef8a'
-	ServiceVersionKey = attribute.Key("service.version")
-)
-
-// ServiceInstanceID returns an attribute KeyValue conforming to the
-// "service.instance.id" semantic conventions. It represents the string ID of
-// the service instance.
-func ServiceInstanceID(val string) attribute.KeyValue {
-	return ServiceInstanceIDKey.String(val)
-}
-
-// ServiceName returns an attribute KeyValue conforming to the
-// "service.name" semantic conventions. It represents the logical name of the
-// service.
-func ServiceName(val string) attribute.KeyValue {
-	return ServiceNameKey.String(val)
-}
-
-// ServiceNamespace returns an attribute KeyValue conforming to the
-// "service.namespace" semantic conventions. It represents a namespace for
-// `service.name`.
-func ServiceNamespace(val string) attribute.KeyValue {
-	return ServiceNamespaceKey.String(val)
-}
-
-// ServiceVersion returns an attribute KeyValue conforming to the
-// "service.version" semantic conventions. It represents the version string of
-// the service API or implementation. The format is not defined by these
-// conventions.
-func ServiceVersion(val string) attribute.KeyValue {
-	return ServiceVersionKey.String(val)
-}
-
-// Session is defined as the period of time encompassing all activities
-// performed by the application and the actions executed by the end user.
-// Consequently, a Session is represented as a collection of Logs, Events, and
-// Spans emitted by the Client Application throughout the Session's duration.
-// Each Session is assigned a unique identifier, which is included as an
-// attribute in the Logs, Events, and Spans generated during the Session's
-// lifecycle.
-// When a session reaches end of life, typically due to user inactivity or
-// session timeout, a new session identifier will be assigned. The previous
-// session identifier may be provided by the instrumentation so that telemetry
-// backends can link the two sessions.
-const (
-	// SessionIDKey is the attribute Key conforming to the "session.id"
-	// semantic conventions. It represents a unique id to identify a session.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: '00112233-4455-6677-8899-aabbccddeeff'
-	SessionIDKey = attribute.Key("session.id")
-
-	// SessionPreviousIDKey is the attribute Key conforming to the
-	// "session.previous_id" semantic conventions. It represents the previous
-	// `session.id` for this user, when known.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: '00112233-4455-6677-8899-aabbccddeeff'
-	SessionPreviousIDKey = attribute.Key("session.previous_id")
-)
-
-// SessionID returns an attribute KeyValue conforming to the "session.id"
-// semantic conventions. It represents a unique id to identify a session.
-func SessionID(val string) attribute.KeyValue {
-	return SessionIDKey.String(val)
-}
-
-// SessionPreviousID returns an attribute KeyValue conforming to the
-// "session.previous_id" semantic conventions. It represents the previous
-// `session.id` for this user, when known.
-func SessionPreviousID(val string) attribute.KeyValue {
-	return SessionPreviousIDKey.String(val)
-}
-
-// SignalR attributes
-const (
-	// SignalrConnectionStatusKey is the attribute Key conforming to the
-	// "signalr.connection.status" semantic conventions. It represents the
-	// signalR HTTP connection closure status.
-	//
-	// Type: Enum
-	// RequirementLevel: Optional
-	// Stability: stable
-	// Examples: 'app_shutdown', 'timeout'
-	SignalrConnectionStatusKey = attribute.Key("signalr.connection.status")
-
-	// SignalrTransportKey is the attribute Key conforming to the
-	// "signalr.transport" semantic conventions. It represents the [SignalR
-	// transport
-	// type](https://github.com/dotnet/aspnetcore/blob/main/src/SignalR/docs/specs/TransportProtocols.md)
-	//
-	// Type: Enum
-	// RequirementLevel: Optional
-	// Stability: stable
-	// Examples: 'web_sockets', 'long_polling'
-	SignalrTransportKey = attribute.Key("signalr.transport")
-)
-
-var (
-	// The connection was closed normally
-	SignalrConnectionStatusNormalClosure = SignalrConnectionStatusKey.String("normal_closure")
-	// The connection was closed due to a timeout
-	SignalrConnectionStatusTimeout = SignalrConnectionStatusKey.String("timeout")
-	// The connection was closed because the app is shutting down
-	SignalrConnectionStatusAppShutdown = SignalrConnectionStatusKey.String("app_shutdown")
-)
-
-var (
-	// ServerSentEvents protocol
-	SignalrTransportServerSentEvents = SignalrTransportKey.String("server_sent_events")
-	// LongPolling protocol
-	SignalrTransportLongPolling = SignalrTransportKey.String("long_polling")
-	// WebSockets protocol
-	SignalrTransportWebSockets = SignalrTransportKey.String("web_sockets")
-)
-
-// These attributes may be used to describe the sender of a network
-// exchange/packet. These should be used when there is no client/server
-// relationship between the two sides, or when that relationship is unknown.
-// This covers low-level network interactions (e.g. packet tracing) where you
-// don't know if there was a connection or which side initiated it. This also
-// covers unidirectional UDP flows and peer-to-peer communication where the
-// "user-facing" surface of the protocol / API doesn't expose a clear notion of
-// client and server.
-const (
-	// SourceAddressKey is the attribute Key conforming to the "source.address"
-	// semantic conventions. It represents the source address - domain name if
-	// available without reverse DNS lookup; otherwise, IP address or Unix
-	// domain socket name.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'source.example.com', '10.1.2.80', '/tmp/my.sock'
-	// Note: When observed from the destination side, and when communicating
-	// through an intermediary, `source.address` SHOULD represent the source
-	// address behind any intermediaries, for example proxies, if it's
-	// available.
-	SourceAddressKey = attribute.Key("source.address")
-
-	// SourcePortKey is the attribute Key conforming to the "source.port"
-	// semantic conventions. It represents the source port number
-	//
-	// Type: int
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 3389, 2888
-	SourcePortKey = attribute.Key("source.port")
-)
-
-// SourceAddress returns an attribute KeyValue conforming to the
-// "source.address" semantic conventions. It represents the source address -
-// domain name if available without reverse DNS lookup; otherwise, IP address
-// or Unix domain socket name.
-func SourceAddress(val string) attribute.KeyValue {
-	return SourceAddressKey.String(val)
-}
-
-// SourcePort returns an attribute KeyValue conforming to the "source.port"
-// semantic conventions. It represents the source port number
-func SourcePort(val int) attribute.KeyValue {
-	return SourcePortKey.Int(val)
-}
-
-// Describes System attributes
-const (
-	// SystemDeviceKey is the attribute Key conforming to the "system.device"
-	// semantic conventions. It represents the device identifier
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: '(identifier)'
-	SystemDeviceKey = attribute.Key("system.device")
-)
-
-// SystemDevice returns an attribute KeyValue conforming to the
-// "system.device" semantic conventions. It represents the device identifier
-func SystemDevice(val string) attribute.KeyValue {
-	return SystemDeviceKey.String(val)
-}
-
-// Describes System CPU attributes
-const (
-	// SystemCPULogicalNumberKey is the attribute Key conforming to the
-	// "system.cpu.logical_number" semantic conventions. It represents the
-	// logical CPU number [0..n-1]
-	//
-	// Type: int
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 1
-	SystemCPULogicalNumberKey = attribute.Key("system.cpu.logical_number")
-
-	// SystemCPUStateKey is the attribute Key conforming to the
-	// "system.cpu.state" semantic conventions. It represents the state of the
-	// CPU
-	//
-	// Type: Enum
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'idle', 'interrupt'
-	SystemCPUStateKey = attribute.Key("system.cpu.state")
-)
-
-var (
-	// user
-	SystemCPUStateUser = SystemCPUStateKey.String("user")
-	// system
-	SystemCPUStateSystem = SystemCPUStateKey.String("system")
-	// nice
-	SystemCPUStateNice = SystemCPUStateKey.String("nice")
-	// idle
-	SystemCPUStateIdle = SystemCPUStateKey.String("idle")
-	// iowait
-	SystemCPUStateIowait = SystemCPUStateKey.String("iowait")
-	// interrupt
-	SystemCPUStateInterrupt = SystemCPUStateKey.String("interrupt")
-	// steal
-	SystemCPUStateSteal = SystemCPUStateKey.String("steal")
-)
-
-// SystemCPULogicalNumber returns an attribute KeyValue conforming to the
-// "system.cpu.logical_number" semantic conventions. It represents the logical
-// CPU number [0..n-1]
-func SystemCPULogicalNumber(val int) attribute.KeyValue {
-	return SystemCPULogicalNumberKey.Int(val)
-}
-
-// Describes System Memory attributes
-const (
-	// SystemMemoryStateKey is the attribute Key conforming to the
-	// "system.memory.state" semantic conventions. It represents the memory
-	// state
-	//
-	// Type: Enum
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'free', 'cached'
-	SystemMemoryStateKey = attribute.Key("system.memory.state")
-)
-
-var (
-	// used
-	SystemMemoryStateUsed = SystemMemoryStateKey.String("used")
-	// free
-	SystemMemoryStateFree = SystemMemoryStateKey.String("free")
-	// shared
-	SystemMemoryStateShared = SystemMemoryStateKey.String("shared")
-	// buffers
-	SystemMemoryStateBuffers = SystemMemoryStateKey.String("buffers")
-	// cached
-	SystemMemoryStateCached = SystemMemoryStateKey.String("cached")
-)
-
-// Describes System Memory Paging attributes
-const (
-	// SystemPagingDirectionKey is the attribute Key conforming to the
-	// "system.paging.direction" semantic conventions. It represents the paging
-	// access direction
-	//
-	// Type: Enum
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'in'
-	SystemPagingDirectionKey = attribute.Key("system.paging.direction")
-
-	// SystemPagingStateKey is the attribute Key conforming to the
-	// "system.paging.state" semantic conventions. It represents the memory
-	// paging state
-	//
-	// Type: Enum
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'free'
-	SystemPagingStateKey = attribute.Key("system.paging.state")
-
-	// SystemPagingTypeKey is the attribute Key conforming to the
-	// "system.paging.type" semantic conventions. It represents the memory
-	// paging type
-	//
-	// Type: Enum
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'minor'
-	SystemPagingTypeKey = attribute.Key("system.paging.type")
-)
-
-var (
-	// in
-	SystemPagingDirectionIn = SystemPagingDirectionKey.String("in")
-	// out
-	SystemPagingDirectionOut = SystemPagingDirectionKey.String("out")
-)
-
-var (
-	// used
-	SystemPagingStateUsed = SystemPagingStateKey.String("used")
-	// free
-	SystemPagingStateFree = SystemPagingStateKey.String("free")
-)
-
-var (
-	// major
-	SystemPagingTypeMajor = SystemPagingTypeKey.String("major")
-	// minor
-	SystemPagingTypeMinor = SystemPagingTypeKey.String("minor")
-)
-
-// Describes Filesystem attributes
-const (
-	// SystemFilesystemModeKey is the attribute Key conforming to the
-	// "system.filesystem.mode" semantic conventions. It represents the
-	// filesystem mode
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'rw, ro'
-	SystemFilesystemModeKey = attribute.Key("system.filesystem.mode")
-
-	// SystemFilesystemMountpointKey is the attribute Key conforming to the
-	// "system.filesystem.mountpoint" semantic conventions. It represents the
-	// filesystem mount path
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: '/mnt/data'
-	SystemFilesystemMountpointKey = attribute.Key("system.filesystem.mountpoint")
-
-	// SystemFilesystemStateKey is the attribute Key conforming to the
-	// "system.filesystem.state" semantic conventions. It represents the
-	// filesystem state
-	//
-	// Type: Enum
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'used'
-	SystemFilesystemStateKey = attribute.Key("system.filesystem.state")
-
-	// SystemFilesystemTypeKey is the attribute Key conforming to the
-	// "system.filesystem.type" semantic conventions. It represents the
-	// filesystem type
-	//
-	// Type: Enum
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'ext4'
-	SystemFilesystemTypeKey = attribute.Key("system.filesystem.type")
-)
-
-var (
-	// used
-	SystemFilesystemStateUsed = SystemFilesystemStateKey.String("used")
-	// free
-	SystemFilesystemStateFree = SystemFilesystemStateKey.String("free")
-	// reserved
-	SystemFilesystemStateReserved = SystemFilesystemStateKey.String("reserved")
-)
-
-var (
-	// fat32
-	SystemFilesystemTypeFat32 = SystemFilesystemTypeKey.String("fat32")
-	// exfat
-	SystemFilesystemTypeExfat = SystemFilesystemTypeKey.String("exfat")
-	// ntfs
-	SystemFilesystemTypeNtfs = SystemFilesystemTypeKey.String("ntfs")
-	// refs
-	SystemFilesystemTypeRefs = SystemFilesystemTypeKey.String("refs")
-	// hfsplus
-	SystemFilesystemTypeHfsplus = SystemFilesystemTypeKey.String("hfsplus")
-	// ext4
-	SystemFilesystemTypeExt4 = SystemFilesystemTypeKey.String("ext4")
-)
-
-// SystemFilesystemMode returns an attribute KeyValue conforming to the
-// "system.filesystem.mode" semantic conventions. It represents the filesystem
-// mode
-func SystemFilesystemMode(val string) attribute.KeyValue {
-	return SystemFilesystemModeKey.String(val)
-}
-
-// SystemFilesystemMountpoint returns an attribute KeyValue conforming to
-// the "system.filesystem.mountpoint" semantic conventions. It represents the
-// filesystem mount path
-func SystemFilesystemMountpoint(val string) attribute.KeyValue {
-	return SystemFilesystemMountpointKey.String(val)
-}
-
-// Describes Network attributes
-const (
-	// SystemNetworkStateKey is the attribute Key conforming to the
-	// "system.network.state" semantic conventions. It represents a stateless
-	// protocol MUST NOT set this attribute
-	//
-	// Type: Enum
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'close_wait'
-	SystemNetworkStateKey = attribute.Key("system.network.state")
-)
-
-var (
-	// close
-	SystemNetworkStateClose = SystemNetworkStateKey.String("close")
-	// close_wait
-	SystemNetworkStateCloseWait = SystemNetworkStateKey.String("close_wait")
-	// closing
-	SystemNetworkStateClosing = SystemNetworkStateKey.String("closing")
-	// delete
-	SystemNetworkStateDelete = SystemNetworkStateKey.String("delete")
-	// established
-	SystemNetworkStateEstablished = SystemNetworkStateKey.String("established")
-	// fin_wait_1
-	SystemNetworkStateFinWait1 = SystemNetworkStateKey.String("fin_wait_1")
-	// fin_wait_2
-	SystemNetworkStateFinWait2 = SystemNetworkStateKey.String("fin_wait_2")
-	// last_ack
-	SystemNetworkStateLastAck = SystemNetworkStateKey.String("last_ack")
-	// listen
-	SystemNetworkStateListen = SystemNetworkStateKey.String("listen")
-	// syn_recv
-	SystemNetworkStateSynRecv = SystemNetworkStateKey.String("syn_recv")
-	// syn_sent
-	SystemNetworkStateSynSent = SystemNetworkStateKey.String("syn_sent")
-	// time_wait
-	SystemNetworkStateTimeWait = SystemNetworkStateKey.String("time_wait")
-)
-
-// Describes System Process attributes
-const (
-	// SystemProcessStatusKey is the attribute Key conforming to the
-	// "system.process.status" semantic conventions. It represents the process
-	// state, e.g., [Linux Process State
-	// Codes](https://man7.org/linux/man-pages/man1/ps.1.html#PROCESS_STATE_CODES)
-	//
-	// Type: Enum
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'running'
-	SystemProcessStatusKey = attribute.Key("system.process.status")
-)
-
-var (
-	// running
-	SystemProcessStatusRunning = SystemProcessStatusKey.String("running")
-	// sleeping
-	SystemProcessStatusSleeping = SystemProcessStatusKey.String("sleeping")
-	// stopped
-	SystemProcessStatusStopped = SystemProcessStatusKey.String("stopped")
-	// defunct
-	SystemProcessStatusDefunct = SystemProcessStatusKey.String("defunct")
-)
-
-// Attributes for telemetry SDK.
-const (
-	// TelemetrySDKLanguageKey is the attribute Key conforming to the
-	// "telemetry.sdk.language" semantic conventions. It represents the
-	// language of the telemetry SDK.
-	//
-	// Type: Enum
-	// RequirementLevel: Required
-	// Stability: stable
-	TelemetrySDKLanguageKey = attribute.Key("telemetry.sdk.language")
-
-	// TelemetrySDKNameKey is the attribute Key conforming to the
-	// "telemetry.sdk.name" semantic conventions. It represents the name of the
-	// telemetry SDK as defined above.
-	//
-	// Type: string
-	// RequirementLevel: Required
-	// Stability: stable
-	// Examples: 'opentelemetry'
-	// Note: The OpenTelemetry SDK MUST set the `telemetry.sdk.name` attribute
-	// to `opentelemetry`.
-	// If another SDK, like a fork or a vendor-provided implementation, is
-	// used, this SDK MUST set the
-	// `telemetry.sdk.name` attribute to the fully-qualified class or module
-	// name of this SDK's main entry point
-	// or another suitable identifier depending on the language.
-	// The identifier `opentelemetry` is reserved and MUST NOT be used in this
-	// case.
-	// All custom identifiers SHOULD be stable across different versions of an
-	// implementation.
-	TelemetrySDKNameKey = attribute.Key("telemetry.sdk.name")
-
-	// TelemetrySDKVersionKey is the attribute Key conforming to the
-	// "telemetry.sdk.version" semantic conventions. It represents the version
-	// string of the telemetry SDK.
-	//
-	// Type: string
-	// RequirementLevel: Required
-	// Stability: stable
-	// Examples: '1.2.3'
-	TelemetrySDKVersionKey = attribute.Key("telemetry.sdk.version")
-
-	// TelemetryDistroNameKey is the attribute Key conforming to the
-	// "telemetry.distro.name" semantic conventions. It represents the name of
-	// the auto instrumentation agent or distribution, if used.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'parts-unlimited-java'
-	// Note: Official auto instrumentation agents and distributions SHOULD set
-	// the `telemetry.distro.name` attribute to
-	// a string starting with `opentelemetry-`, e.g.
-	// `opentelemetry-java-instrumentation`.
-	TelemetryDistroNameKey = attribute.Key("telemetry.distro.name")
-
-	// TelemetryDistroVersionKey is the attribute Key conforming to the
-	// "telemetry.distro.version" semantic conventions. It represents the
-	// version string of the auto instrumentation agent or distribution, if
-	// used.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: '1.2.3'
-	TelemetryDistroVersionKey = attribute.Key("telemetry.distro.version")
-)
-
-var (
-	// cpp
-	TelemetrySDKLanguageCPP = TelemetrySDKLanguageKey.String("cpp")
-	// dotnet
-	TelemetrySDKLanguageDotnet = TelemetrySDKLanguageKey.String("dotnet")
-	// erlang
-	TelemetrySDKLanguageErlang = TelemetrySDKLanguageKey.String("erlang")
-	// go
-	TelemetrySDKLanguageGo = TelemetrySDKLanguageKey.String("go")
-	// java
-	TelemetrySDKLanguageJava = TelemetrySDKLanguageKey.String("java")
-	// nodejs
-	TelemetrySDKLanguageNodejs = TelemetrySDKLanguageKey.String("nodejs")
-	// php
-	TelemetrySDKLanguagePHP = TelemetrySDKLanguageKey.String("php")
-	// python
-	TelemetrySDKLanguagePython = TelemetrySDKLanguageKey.String("python")
-	// ruby
-	TelemetrySDKLanguageRuby = TelemetrySDKLanguageKey.String("ruby")
-	// rust
-	TelemetrySDKLanguageRust = TelemetrySDKLanguageKey.String("rust")
-	// swift
-	TelemetrySDKLanguageSwift = TelemetrySDKLanguageKey.String("swift")
-	// webjs
-	TelemetrySDKLanguageWebjs = TelemetrySDKLanguageKey.String("webjs")
-)
-
-// TelemetrySDKName returns an attribute KeyValue conforming to the
-// "telemetry.sdk.name" semantic conventions. It represents the name of the
-// telemetry SDK as defined above.
-func TelemetrySDKName(val string) attribute.KeyValue {
-	return TelemetrySDKNameKey.String(val)
-}
-
-// TelemetrySDKVersion returns an attribute KeyValue conforming to the
-// "telemetry.sdk.version" semantic conventions. It represents the version
-// string of the telemetry SDK.
-func TelemetrySDKVersion(val string) attribute.KeyValue {
-	return TelemetrySDKVersionKey.String(val)
-}
-
-// TelemetryDistroName returns an attribute KeyValue conforming to the
-// "telemetry.distro.name" semantic conventions. It represents the name of the
-// auto instrumentation agent or distribution, if used.
-func TelemetryDistroName(val string) attribute.KeyValue {
-	return TelemetryDistroNameKey.String(val)
-}
-
-// TelemetryDistroVersion returns an attribute KeyValue conforming to the
-// "telemetry.distro.version" semantic conventions. It represents the version
-// string of the auto instrumentation agent or distribution, if used.
-func TelemetryDistroVersion(val string) attribute.KeyValue {
-	return TelemetryDistroVersionKey.String(val)
-}
-
-// These attributes may be used for any operation to store information about a
-// thread that started a span.
-const (
-	// ThreadIDKey is the attribute Key conforming to the "thread.id" semantic
-	// conventions. It represents the current "managed" thread ID (as opposed
-	// to OS thread ID).
-	//
-	// Type: int
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 42
-	ThreadIDKey = attribute.Key("thread.id")
-
-	// ThreadNameKey is the attribute Key conforming to the "thread.name"
-	// semantic conventions. It represents the current thread name.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'main'
-	ThreadNameKey = attribute.Key("thread.name")
-)
-
-// ThreadID returns an attribute KeyValue conforming to the "thread.id"
-// semantic conventions. It represents the current "managed" thread ID (as
-// opposed to OS thread ID).
-func ThreadID(val int) attribute.KeyValue {
-	return ThreadIDKey.Int(val)
-}
-
-// ThreadName returns an attribute KeyValue conforming to the "thread.name"
-// semantic conventions. It represents the current thread name.
-func ThreadName(val string) attribute.KeyValue {
-	return ThreadNameKey.String(val)
-}
-
-// Semantic convention attributes in the TLS namespace.
-const (
-	// TLSCipherKey is the attribute Key conforming to the "tls.cipher"
-	// semantic conventions. It represents the string indicating the
-	// [cipher](https://datatracker.ietf.org/doc/html/rfc5246#appendix-A.5)
-	// used during the current connection.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'TLS_RSA_WITH_3DES_EDE_CBC_SHA',
-	// 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256'
-	// Note: The values allowed for `tls.cipher` MUST be one of the
-	// `Descriptions` of the [registered TLS Cipher
-	// Suits](https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#table-tls-parameters-4).
-	TLSCipherKey = attribute.Key("tls.cipher")
-
-	// TLSClientCertificateKey is the attribute Key conforming to the
-	// "tls.client.certificate" semantic conventions. It represents the
-	// pEM-encoded stand-alone certificate offered by the client. This is
-	// usually mutually-exclusive of `client.certificate_chain` since this
-	// value also exists in that list.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'MII...'
-	TLSClientCertificateKey = attribute.Key("tls.client.certificate")
-
-	// TLSClientCertificateChainKey is the attribute Key conforming to the
-	// "tls.client.certificate_chain" semantic conventions. It represents the
-	// array of PEM-encoded certificates that make up the certificate chain
-	// offered by the client. This is usually mutually-exclusive of
-	// `client.certificate` since that value should be the first certificate in
-	// the chain.
-	//
-	// Type: string[]
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'MII...', 'MI...'
-	TLSClientCertificateChainKey = attribute.Key("tls.client.certificate_chain")
-
-	// TLSClientHashMd5Key is the attribute Key conforming to the
-	// "tls.client.hash.md5" semantic conventions. It represents the
-	// certificate fingerprint using the MD5 digest of DER-encoded version of
-	// certificate offered by the client. For consistency with other hash
-	// values, this value should be formatted as an uppercase hash.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: '0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC'
-	TLSClientHashMd5Key = attribute.Key("tls.client.hash.md5")
-
-	// TLSClientHashSha1Key is the attribute Key conforming to the
-	// "tls.client.hash.sha1" semantic conventions. It represents the
-	// certificate fingerprint using the SHA1 digest of DER-encoded version of
-	// certificate offered by the client. For consistency with other hash
-	// values, this value should be formatted as an uppercase hash.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: '9E393D93138888D288266C2D915214D1D1CCEB2A'
-	TLSClientHashSha1Key = attribute.Key("tls.client.hash.sha1")
-
-	// TLSClientHashSha256Key is the attribute Key conforming to the
-	// "tls.client.hash.sha256" semantic conventions. It represents the
-	// certificate fingerprint using the SHA256 digest of DER-encoded version
-	// of certificate offered by the client. For consistency with other hash
-	// values, this value should be formatted as an uppercase hash.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples:
-	// '0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0'
-	TLSClientHashSha256Key = attribute.Key("tls.client.hash.sha256")
-
-	// TLSClientIssuerKey is the attribute Key conforming to the
-	// "tls.client.issuer" semantic conventions. It represents the
-	// distinguished name of
-	// [subject](https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6)
-	// of the issuer of the x.509 certificate presented by the client.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'CN=Example Root CA, OU=Infrastructure Team, DC=example,
-	// DC=com'
-	TLSClientIssuerKey = attribute.Key("tls.client.issuer")
-
-	// TLSClientJa3Key is the attribute Key conforming to the "tls.client.ja3"
-	// semantic conventions. It represents a hash that identifies clients based
-	// on how they perform an SSL/TLS handshake.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'd4e5b18d6b55c71272893221c96ba240'
-	TLSClientJa3Key = attribute.Key("tls.client.ja3")
-
-	// TLSClientNotAfterKey is the attribute Key conforming to the
-	// "tls.client.not_after" semantic conventions. It represents the date/Time
-	// indicating when client certificate is no longer considered valid.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: '2021-01-01T00:00:00.000Z'
-	TLSClientNotAfterKey = attribute.Key("tls.client.not_after")
-
-	// TLSClientNotBeforeKey is the attribute Key conforming to the
-	// "tls.client.not_before" semantic conventions. It represents the
-	// date/Time indicating when client certificate is first considered valid.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: '1970-01-01T00:00:00.000Z'
-	TLSClientNotBeforeKey = attribute.Key("tls.client.not_before")
-
-	// TLSClientServerNameKey is the attribute Key conforming to the
-	// "tls.client.server_name" semantic conventions. It represents the also
-	// called an SNI, this tells the server which hostname to which the client
-	// is attempting to connect to.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'opentelemetry.io'
-	TLSClientServerNameKey = attribute.Key("tls.client.server_name")
-
-	// TLSClientSubjectKey is the attribute Key conforming to the
-	// "tls.client.subject" semantic conventions. It represents the
-	// distinguished name of subject of the x.509 certificate presented by the
-	// client.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'CN=myclient, OU=Documentation Team, DC=example, DC=com'
-	TLSClientSubjectKey = attribute.Key("tls.client.subject")
-
-	// TLSClientSupportedCiphersKey is the attribute Key conforming to the
-	// "tls.client.supported_ciphers" semantic conventions. It represents the
-	// array of ciphers offered by the client during the client hello.
-	//
-	// Type: string[]
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: '"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
-	// "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "..."'
-	TLSClientSupportedCiphersKey = attribute.Key("tls.client.supported_ciphers")
-
-	// TLSCurveKey is the attribute Key conforming to the "tls.curve" semantic
-	// conventions. It represents the string indicating the curve used for the
-	// given cipher, when applicable
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'secp256r1'
-	TLSCurveKey = attribute.Key("tls.curve")
-
-	// TLSEstablishedKey is the attribute Key conforming to the
-	// "tls.established" semantic conventions. It represents the boolean flag
-	// indicating if the TLS negotiation was successful and transitioned to an
-	// encrypted tunnel.
-	//
-	// Type: boolean
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: True
-	TLSEstablishedKey = attribute.Key("tls.established")
-
-	// TLSNextProtocolKey is the attribute Key conforming to the
-	// "tls.next_protocol" semantic conventions. It represents the string
-	// indicating the protocol being tunneled. Per the values in the [IANA
-	// registry](https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids),
-	// this string should be lower case.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'http/1.1'
-	TLSNextProtocolKey = attribute.Key("tls.next_protocol")
-
-	// TLSProtocolNameKey is the attribute Key conforming to the
-	// "tls.protocol.name" semantic conventions. It represents the normalized
-	// lowercase protocol name parsed from original string of the negotiated
-	// [SSL/TLS protocol
-	// version](https://www.openssl.org/docs/man1.1.1/man3/SSL_get_version.html#RETURN-VALUES)
-	//
-	// Type: Enum
-	// RequirementLevel: Optional
-	// Stability: experimental
-	TLSProtocolNameKey = attribute.Key("tls.protocol.name")
-
-	// TLSProtocolVersionKey is the attribute Key conforming to the
-	// "tls.protocol.version" semantic conventions. It represents the numeric
-	// part of the version parsed from the original string of the negotiated
-	// [SSL/TLS protocol
-	// version](https://www.openssl.org/docs/man1.1.1/man3/SSL_get_version.html#RETURN-VALUES)
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: '1.2', '3'
-	TLSProtocolVersionKey = attribute.Key("tls.protocol.version")
-
-	// TLSResumedKey is the attribute Key conforming to the "tls.resumed"
-	// semantic conventions. It represents the boolean flag indicating if this
-	// TLS connection was resumed from an existing TLS negotiation.
-	//
-	// Type: boolean
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: True
-	TLSResumedKey = attribute.Key("tls.resumed")
-
-	// TLSServerCertificateKey is the attribute Key conforming to the
-	// "tls.server.certificate" semantic conventions. It represents the
-	// pEM-encoded stand-alone certificate offered by the server. This is
-	// usually mutually-exclusive of `server.certificate_chain` since this
-	// value also exists in that list.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'MII...'
-	TLSServerCertificateKey = attribute.Key("tls.server.certificate")
-
-	// TLSServerCertificateChainKey is the attribute Key conforming to the
-	// "tls.server.certificate_chain" semantic conventions. It represents the
-	// array of PEM-encoded certificates that make up the certificate chain
-	// offered by the server. This is usually mutually-exclusive of
-	// `server.certificate` since that value should be the first certificate in
-	// the chain.
-	//
-	// Type: string[]
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'MII...', 'MI...'
-	TLSServerCertificateChainKey = attribute.Key("tls.server.certificate_chain")
-
-	// TLSServerHashMd5Key is the attribute Key conforming to the
-	// "tls.server.hash.md5" semantic conventions. It represents the
-	// certificate fingerprint using the MD5 digest of DER-encoded version of
-	// certificate offered by the server. For consistency with other hash
-	// values, this value should be formatted as an uppercase hash.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: '0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC'
-	TLSServerHashMd5Key = attribute.Key("tls.server.hash.md5")
-
-	// TLSServerHashSha1Key is the attribute Key conforming to the
-	// "tls.server.hash.sha1" semantic conventions. It represents the
-	// certificate fingerprint using the SHA1 digest of DER-encoded version of
-	// certificate offered by the server. For consistency with other hash
-	// values, this value should be formatted as an uppercase hash.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: '9E393D93138888D288266C2D915214D1D1CCEB2A'
-	TLSServerHashSha1Key = attribute.Key("tls.server.hash.sha1")
-
-	// TLSServerHashSha256Key is the attribute Key conforming to the
-	// "tls.server.hash.sha256" semantic conventions. It represents the
-	// certificate fingerprint using the SHA256 digest of DER-encoded version
-	// of certificate offered by the server. For consistency with other hash
-	// values, this value should be formatted as an uppercase hash.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples:
-	// '0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0'
-	TLSServerHashSha256Key = attribute.Key("tls.server.hash.sha256")
-
-	// TLSServerIssuerKey is the attribute Key conforming to the
-	// "tls.server.issuer" semantic conventions. It represents the
-	// distinguished name of
-	// [subject](https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6)
-	// of the issuer of the x.509 certificate presented by the client.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'CN=Example Root CA, OU=Infrastructure Team, DC=example,
-	// DC=com'
-	TLSServerIssuerKey = attribute.Key("tls.server.issuer")
-
-	// TLSServerJa3sKey is the attribute Key conforming to the
-	// "tls.server.ja3s" semantic conventions. It represents a hash that
-	// identifies servers based on how they perform an SSL/TLS handshake.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'd4e5b18d6b55c71272893221c96ba240'
-	TLSServerJa3sKey = attribute.Key("tls.server.ja3s")
-
-	// TLSServerNotAfterKey is the attribute Key conforming to the
-	// "tls.server.not_after" semantic conventions. It represents the date/Time
-	// indicating when server certificate is no longer considered valid.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: '2021-01-01T00:00:00.000Z'
-	TLSServerNotAfterKey = attribute.Key("tls.server.not_after")
-
-	// TLSServerNotBeforeKey is the attribute Key conforming to the
-	// "tls.server.not_before" semantic conventions. It represents the
-	// date/Time indicating when server certificate is first considered valid.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: '1970-01-01T00:00:00.000Z'
-	TLSServerNotBeforeKey = attribute.Key("tls.server.not_before")
-
-	// TLSServerSubjectKey is the attribute Key conforming to the
-	// "tls.server.subject" semantic conventions. It represents the
-	// distinguished name of subject of the x.509 certificate presented by the
-	// server.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'CN=myserver, OU=Documentation Team, DC=example, DC=com'
-	TLSServerSubjectKey = attribute.Key("tls.server.subject")
-)
-
-var (
-	// ssl
-	TLSProtocolNameSsl = TLSProtocolNameKey.String("ssl")
-	// tls
-	TLSProtocolNameTLS = TLSProtocolNameKey.String("tls")
-)
-
-// TLSCipher returns an attribute KeyValue conforming to the "tls.cipher"
-// semantic conventions. It represents the string indicating the
-// [cipher](https://datatracker.ietf.org/doc/html/rfc5246#appendix-A.5) used
-// during the current connection.
-func TLSCipher(val string) attribute.KeyValue {
-	return TLSCipherKey.String(val)
-}
-
-// TLSClientCertificate returns an attribute KeyValue conforming to the
-// "tls.client.certificate" semantic conventions. It represents the pEM-encoded
-// stand-alone certificate offered by the client. This is usually
-// mutually-exclusive of `client.certificate_chain` since this value also
-// exists in that list.
-func TLSClientCertificate(val string) attribute.KeyValue {
-	return TLSClientCertificateKey.String(val)
-}
-
-// TLSClientCertificateChain returns an attribute KeyValue conforming to the
-// "tls.client.certificate_chain" semantic conventions. It represents the array
-// of PEM-encoded certificates that make up the certificate chain offered by
-// the client. This is usually mutually-exclusive of `client.certificate` since
-// that value should be the first certificate in the chain.
-func TLSClientCertificateChain(val ...string) attribute.KeyValue {
-	return TLSClientCertificateChainKey.StringSlice(val)
-}
-
-// TLSClientHashMd5 returns an attribute KeyValue conforming to the
-// "tls.client.hash.md5" semantic conventions. It represents the certificate
-// fingerprint using the MD5 digest of DER-encoded version of certificate
-// offered by the client. For consistency with other hash values, this value
-// should be formatted as an uppercase hash.
-func TLSClientHashMd5(val string) attribute.KeyValue {
-	return TLSClientHashMd5Key.String(val)
-}
-
-// TLSClientHashSha1 returns an attribute KeyValue conforming to the
-// "tls.client.hash.sha1" semantic conventions. It represents the certificate
-// fingerprint using the SHA1 digest of DER-encoded version of certificate
-// offered by the client. For consistency with other hash values, this value
-// should be formatted as an uppercase hash.
-func TLSClientHashSha1(val string) attribute.KeyValue {
-	return TLSClientHashSha1Key.String(val)
-}
-
-// TLSClientHashSha256 returns an attribute KeyValue conforming to the
-// "tls.client.hash.sha256" semantic conventions. It represents the certificate
-// fingerprint using the SHA256 digest of DER-encoded version of certificate
-// offered by the client. For consistency with other hash values, this value
-// should be formatted as an uppercase hash.
-func TLSClientHashSha256(val string) attribute.KeyValue {
-	return TLSClientHashSha256Key.String(val)
-}
-
-// TLSClientIssuer returns an attribute KeyValue conforming to the
-// "tls.client.issuer" semantic conventions. It represents the distinguished
-// name of
-// [subject](https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6) of
-// the issuer of the x.509 certificate presented by the client.
-func TLSClientIssuer(val string) attribute.KeyValue {
-	return TLSClientIssuerKey.String(val)
-}
-
-// TLSClientJa3 returns an attribute KeyValue conforming to the
-// "tls.client.ja3" semantic conventions. It represents a hash that identifies
-// clients based on how they perform an SSL/TLS handshake.
-func TLSClientJa3(val string) attribute.KeyValue {
-	return TLSClientJa3Key.String(val)
-}
-
-// TLSClientNotAfter returns an attribute KeyValue conforming to the
-// "tls.client.not_after" semantic conventions. It represents the date/Time
-// indicating when client certificate is no longer considered valid.
-func TLSClientNotAfter(val string) attribute.KeyValue {
-	return TLSClientNotAfterKey.String(val)
-}
-
-// TLSClientNotBefore returns an attribute KeyValue conforming to the
-// "tls.client.not_before" semantic conventions. It represents the date/Time
-// indicating when client certificate is first considered valid.
-func TLSClientNotBefore(val string) attribute.KeyValue {
-	return TLSClientNotBeforeKey.String(val)
-}
-
-// TLSClientServerName returns an attribute KeyValue conforming to the
-// "tls.client.server_name" semantic conventions. It represents the also called
-// an SNI, this tells the server which hostname to which the client is
-// attempting to connect to.
-func TLSClientServerName(val string) attribute.KeyValue {
-	return TLSClientServerNameKey.String(val)
-}
-
-// TLSClientSubject returns an attribute KeyValue conforming to the
-// "tls.client.subject" semantic conventions. It represents the distinguished
-// name of subject of the x.509 certificate presented by the client.
-func TLSClientSubject(val string) attribute.KeyValue {
-	return TLSClientSubjectKey.String(val)
-}
-
-// TLSClientSupportedCiphers returns an attribute KeyValue conforming to the
-// "tls.client.supported_ciphers" semantic conventions. It represents the array
-// of ciphers offered by the client during the client hello.
-func TLSClientSupportedCiphers(val ...string) attribute.KeyValue {
-	return TLSClientSupportedCiphersKey.StringSlice(val)
-}
-
-// TLSCurve returns an attribute KeyValue conforming to the "tls.curve"
-// semantic conventions. It represents the string indicating the curve used for
-// the given cipher, when applicable
-func TLSCurve(val string) attribute.KeyValue {
-	return TLSCurveKey.String(val)
-}
-
-// TLSEstablished returns an attribute KeyValue conforming to the
-// "tls.established" semantic conventions. It represents the boolean flag
-// indicating if the TLS negotiation was successful and transitioned to an
-// encrypted tunnel.
-func TLSEstablished(val bool) attribute.KeyValue {
-	return TLSEstablishedKey.Bool(val)
-}
-
-// TLSNextProtocol returns an attribute KeyValue conforming to the
-// "tls.next_protocol" semantic conventions. It represents the string
-// indicating the protocol being tunneled. Per the values in the [IANA
-// registry](https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids),
-// this string should be lower case.
-func TLSNextProtocol(val string) attribute.KeyValue {
-	return TLSNextProtocolKey.String(val)
-}
-
-// TLSProtocolVersion returns an attribute KeyValue conforming to the
-// "tls.protocol.version" semantic conventions. It represents the numeric part
-// of the version parsed from the original string of the negotiated [SSL/TLS
-// protocol
-// version](https://www.openssl.org/docs/man1.1.1/man3/SSL_get_version.html#RETURN-VALUES)
-func TLSProtocolVersion(val string) attribute.KeyValue {
-	return TLSProtocolVersionKey.String(val)
-}
-
-// TLSResumed returns an attribute KeyValue conforming to the "tls.resumed"
-// semantic conventions. It represents the boolean flag indicating if this TLS
-// connection was resumed from an existing TLS negotiation.
-func TLSResumed(val bool) attribute.KeyValue {
-	return TLSResumedKey.Bool(val)
-}
-
-// TLSServerCertificate returns an attribute KeyValue conforming to the
-// "tls.server.certificate" semantic conventions. It represents the pEM-encoded
-// stand-alone certificate offered by the server. This is usually
-// mutually-exclusive of `server.certificate_chain` since this value also
-// exists in that list.
-func TLSServerCertificate(val string) attribute.KeyValue {
-	return TLSServerCertificateKey.String(val)
-}
-
-// TLSServerCertificateChain returns an attribute KeyValue conforming to the
-// "tls.server.certificate_chain" semantic conventions. It represents the array
-// of PEM-encoded certificates that make up the certificate chain offered by
-// the server. This is usually mutually-exclusive of `server.certificate` since
-// that value should be the first certificate in the chain.
-func TLSServerCertificateChain(val ...string) attribute.KeyValue {
-	return TLSServerCertificateChainKey.StringSlice(val)
-}
-
-// TLSServerHashMd5 returns an attribute KeyValue conforming to the
-// "tls.server.hash.md5" semantic conventions. It represents the certificate
-// fingerprint using the MD5 digest of DER-encoded version of certificate
-// offered by the server. For consistency with other hash values, this value
-// should be formatted as an uppercase hash.
-func TLSServerHashMd5(val string) attribute.KeyValue {
-	return TLSServerHashMd5Key.String(val)
-}
-
-// TLSServerHashSha1 returns an attribute KeyValue conforming to the
-// "tls.server.hash.sha1" semantic conventions. It represents the certificate
-// fingerprint using the SHA1 digest of DER-encoded version of certificate
-// offered by the server. For consistency with other hash values, this value
-// should be formatted as an uppercase hash.
-func TLSServerHashSha1(val string) attribute.KeyValue {
-	return TLSServerHashSha1Key.String(val)
-}
-
-// TLSServerHashSha256 returns an attribute KeyValue conforming to the
-// "tls.server.hash.sha256" semantic conventions. It represents the certificate
-// fingerprint using the SHA256 digest of DER-encoded version of certificate
-// offered by the server. For consistency with other hash values, this value
-// should be formatted as an uppercase hash.
-func TLSServerHashSha256(val string) attribute.KeyValue {
-	return TLSServerHashSha256Key.String(val)
-}
-
-// TLSServerIssuer returns an attribute KeyValue conforming to the
-// "tls.server.issuer" semantic conventions. It represents the distinguished
-// name of
-// [subject](https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6) of
-// the issuer of the x.509 certificate presented by the client.
-func TLSServerIssuer(val string) attribute.KeyValue {
-	return TLSServerIssuerKey.String(val)
-}
-
-// TLSServerJa3s returns an attribute KeyValue conforming to the
-// "tls.server.ja3s" semantic conventions. It represents a hash that identifies
-// servers based on how they perform an SSL/TLS handshake.
-func TLSServerJa3s(val string) attribute.KeyValue {
-	return TLSServerJa3sKey.String(val)
-}
-
-// TLSServerNotAfter returns an attribute KeyValue conforming to the
-// "tls.server.not_after" semantic conventions. It represents the date/Time
-// indicating when server certificate is no longer considered valid.
-func TLSServerNotAfter(val string) attribute.KeyValue {
-	return TLSServerNotAfterKey.String(val)
-}
-
-// TLSServerNotBefore returns an attribute KeyValue conforming to the
-// "tls.server.not_before" semantic conventions. It represents the date/Time
-// indicating when server certificate is first considered valid.
-func TLSServerNotBefore(val string) attribute.KeyValue {
-	return TLSServerNotBeforeKey.String(val)
-}
-
-// TLSServerSubject returns an attribute KeyValue conforming to the
-// "tls.server.subject" semantic conventions. It represents the distinguished
-// name of subject of the x.509 certificate presented by the server.
-func TLSServerSubject(val string) attribute.KeyValue {
-	return TLSServerSubjectKey.String(val)
-}
-
-// Attributes describing URL.
-const (
-	// URLDomainKey is the attribute Key conforming to the "url.domain"
-	// semantic conventions. It represents the domain extracted from the
-	// `url.full`, such as "opentelemetry.io".
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'www.foo.bar', 'opentelemetry.io', '3.12.167.2',
-	// '[1080:0:0:0:8:800:200C:417A]'
-	// Note: In some cases a URL may refer to an IP and/or port directly,
-	// without a domain name. In this case, the IP address would go to the
-	// domain field. If the URL contains a [literal IPv6
-	// address](https://www.rfc-editor.org/rfc/rfc2732#section-2) enclosed by
-	// `[` and `]`, the `[` and `]` characters should also be captured in the
-	// domain field.
-	URLDomainKey = attribute.Key("url.domain")
-
-	// URLExtensionKey is the attribute Key conforming to the "url.extension"
-	// semantic conventions. It represents the file extension extracted from
-	// the `url.full`, excluding the leading dot.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'png', 'gz'
-	// Note: The file extension is only set if it exists, as not every url has
-	// a file extension. When the file name has multiple extensions
-	// `example.tar.gz`, only the last one should be captured `gz`, not
-	// `tar.gz`.
-	URLExtensionKey = attribute.Key("url.extension")
-
-	// URLFragmentKey is the attribute Key conforming to the "url.fragment"
-	// semantic conventions. It represents the [URI
-	// fragment](https://www.rfc-editor.org/rfc/rfc3986#section-3.5) component
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: stable
-	// Examples: 'SemConv'
-	URLFragmentKey = attribute.Key("url.fragment")
-
-	// URLFullKey is the attribute Key conforming to the "url.full" semantic
-	// conventions. It represents the absolute URL describing a network
-	// resource according to [RFC3986](https://www.rfc-editor.org/rfc/rfc3986)
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: stable
-	// Examples: 'https://www.foo.bar/search?q=OpenTelemetry#SemConv',
-	// '//localhost'
-	// Note: For network calls, URL usually has
-	// `scheme://host[:port][path][?query][#fragment]` format, where the
-	// fragment is not transmitted over HTTP, but if it is known, it SHOULD be
-	// included nevertheless.
-	// `url.full` MUST NOT contain credentials passed via URL in form of
-	// `https://username:password@www.example.com/`. In such case username and
-	// password SHOULD be redacted and attribute's value SHOULD be
-	// `https://REDACTED:REDACTED@www.example.com/`.
-	// `url.full` SHOULD capture the absolute URL when it is available (or can
-	// be reconstructed). Sensitive content provided in `url.full` SHOULD be
-	// scrubbed when instrumentations can identify it.
-	URLFullKey = attribute.Key("url.full")
-
-	// URLOriginalKey is the attribute Key conforming to the "url.original"
-	// semantic conventions. It represents the unmodified original URL as seen
-	// in the event source.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'https://www.foo.bar/search?q=OpenTelemetry#SemConv',
-	// 'search?q=OpenTelemetry'
-	// Note: In network monitoring, the observed URL may be a full URL, whereas
-	// in access logs, the URL is often just represented as a path. This field
-	// is meant to represent the URL as it was observed, complete or not.
-	// `url.original` might contain credentials passed via URL in form of
-	// `https://username:password@www.example.com/`. In such case password and
-	// username SHOULD NOT be redacted and attribute's value SHOULD remain the
-	// same.
-	URLOriginalKey = attribute.Key("url.original")
-
-	// URLPathKey is the attribute Key conforming to the "url.path" semantic
-	// conventions. It represents the [URI
-	// path](https://www.rfc-editor.org/rfc/rfc3986#section-3.3) component
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: stable
-	// Examples: '/search'
-	// Note: Sensitive content provided in `url.path` SHOULD be scrubbed when
-	// instrumentations can identify it.
-	URLPathKey = attribute.Key("url.path")
-
-	// URLPortKey is the attribute Key conforming to the "url.port" semantic
-	// conventions. It represents the port extracted from the `url.full`
-	//
-	// Type: int
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 443
-	URLPortKey = attribute.Key("url.port")
-
-	// URLQueryKey is the attribute Key conforming to the "url.query" semantic
-	// conventions. It represents the [URI
-	// query](https://www.rfc-editor.org/rfc/rfc3986#section-3.4) component
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: stable
-	// Examples: 'q=OpenTelemetry'
-	// Note: Sensitive content provided in `url.query` SHOULD be scrubbed when
-	// instrumentations can identify it.
-	URLQueryKey = attribute.Key("url.query")
-
-	// URLRegisteredDomainKey is the attribute Key conforming to the
-	// "url.registered_domain" semantic conventions. It represents the highest
-	// registered url domain, stripped of the subdomain.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'example.com', 'foo.co.uk'
-	// Note: This value can be determined precisely with the [public suffix
-	// list](http://publicsuffix.org). For example, the registered domain for
-	// `foo.example.com` is `example.com`. Trying to approximate this by simply
-	// taking the last two labels will not work well for TLDs such as `co.uk`.
-	URLRegisteredDomainKey = attribute.Key("url.registered_domain")
-
-	// URLSchemeKey is the attribute Key conforming to the "url.scheme"
-	// semantic conventions. It represents the [URI
-	// scheme](https://www.rfc-editor.org/rfc/rfc3986#section-3.1) component
-	// identifying the used protocol.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: stable
-	// Examples: 'https', 'ftp', 'telnet'
-	URLSchemeKey = attribute.Key("url.scheme")
-
-	// URLSubdomainKey is the attribute Key conforming to the "url.subdomain"
-	// semantic conventions. It represents the subdomain portion of a fully
-	// qualified domain name includes all of the names except the host name
-	// under the registered_domain. In a partially qualified domain, or if the
-	// qualification level of the full name cannot be determined, subdomain
-	// contains all of the names below the registered domain.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'east', 'sub2.sub1'
-	// Note: The subdomain portion of `www.east.mydomain.co.uk` is `east`. If
-	// the domain has multiple levels of subdomain, such as
-	// `sub2.sub1.example.com`, the subdomain field should contain `sub2.sub1`,
-	// with no trailing period.
-	URLSubdomainKey = attribute.Key("url.subdomain")
-
-	// URLTemplateKey is the attribute Key conforming to the "url.template"
-	// semantic conventions. It represents the low-cardinality template of an
-	// [absolute path
-	// reference](https://www.rfc-editor.org/rfc/rfc3986#section-4.2).
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: '/users/{id}', '/users/:id', '/users?id={id}'
-	URLTemplateKey = attribute.Key("url.template")
-
-	// URLTopLevelDomainKey is the attribute Key conforming to the
-	// "url.top_level_domain" semantic conventions. It represents the effective
-	// top level domain (eTLD), also known as the domain suffix, is the last
-	// part of the domain name. For example, the top level domain for
-	// example.com is `com`.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'com', 'co.uk'
-	// Note: This value can be determined precisely with the [public suffix
-	// list](http://publicsuffix.org).
-	URLTopLevelDomainKey = attribute.Key("url.top_level_domain")
-)
-
-// URLDomain returns an attribute KeyValue conforming to the "url.domain"
-// semantic conventions. It represents the domain extracted from the
-// `url.full`, such as "opentelemetry.io".
-func URLDomain(val string) attribute.KeyValue {
-	return URLDomainKey.String(val)
-}
-
-// URLExtension returns an attribute KeyValue conforming to the
-// "url.extension" semantic conventions. It represents the file extension
-// extracted from the `url.full`, excluding the leading dot.
-func URLExtension(val string) attribute.KeyValue {
-	return URLExtensionKey.String(val)
-}
-
-// URLFragment returns an attribute KeyValue conforming to the
-// "url.fragment" semantic conventions. It represents the [URI
-// fragment](https://www.rfc-editor.org/rfc/rfc3986#section-3.5) component
-func URLFragment(val string) attribute.KeyValue {
-	return URLFragmentKey.String(val)
-}
-
-// URLFull returns an attribute KeyValue conforming to the "url.full"
-// semantic conventions. It represents the absolute URL describing a network
-// resource according to [RFC3986](https://www.rfc-editor.org/rfc/rfc3986)
-func URLFull(val string) attribute.KeyValue {
-	return URLFullKey.String(val)
-}
-
-// URLOriginal returns an attribute KeyValue conforming to the
-// "url.original" semantic conventions. It represents the unmodified original
-// URL as seen in the event source.
-func URLOriginal(val string) attribute.KeyValue {
-	return URLOriginalKey.String(val)
-}
-
-// URLPath returns an attribute KeyValue conforming to the "url.path"
-// semantic conventions. It represents the [URI
-// path](https://www.rfc-editor.org/rfc/rfc3986#section-3.3) component
-func URLPath(val string) attribute.KeyValue {
-	return URLPathKey.String(val)
-}
-
-// URLPort returns an attribute KeyValue conforming to the "url.port"
-// semantic conventions. It represents the port extracted from the `url.full`
-func URLPort(val int) attribute.KeyValue {
-	return URLPortKey.Int(val)
-}
-
-// URLQuery returns an attribute KeyValue conforming to the "url.query"
-// semantic conventions. It represents the [URI
-// query](https://www.rfc-editor.org/rfc/rfc3986#section-3.4) component
-func URLQuery(val string) attribute.KeyValue {
-	return URLQueryKey.String(val)
-}
-
-// URLRegisteredDomain returns an attribute KeyValue conforming to the
-// "url.registered_domain" semantic conventions. It represents the highest
-// registered url domain, stripped of the subdomain.
-func URLRegisteredDomain(val string) attribute.KeyValue {
-	return URLRegisteredDomainKey.String(val)
-}
-
-// URLScheme returns an attribute KeyValue conforming to the "url.scheme"
-// semantic conventions. It represents the [URI
-// scheme](https://www.rfc-editor.org/rfc/rfc3986#section-3.1) component
-// identifying the used protocol.
-func URLScheme(val string) attribute.KeyValue {
-	return URLSchemeKey.String(val)
-}
-
-// URLSubdomain returns an attribute KeyValue conforming to the
-// "url.subdomain" semantic conventions. It represents the subdomain portion of
-// a fully qualified domain name includes all of the names except the host name
-// under the registered_domain. In a partially qualified domain, or if the
-// qualification level of the full name cannot be determined, subdomain
-// contains all of the names below the registered domain.
-func URLSubdomain(val string) attribute.KeyValue {
-	return URLSubdomainKey.String(val)
-}
-
-// URLTemplate returns an attribute KeyValue conforming to the
-// "url.template" semantic conventions. It represents the low-cardinality
-// template of an [absolute path
-// reference](https://www.rfc-editor.org/rfc/rfc3986#section-4.2).
-func URLTemplate(val string) attribute.KeyValue {
-	return URLTemplateKey.String(val)
-}
-
-// URLTopLevelDomain returns an attribute KeyValue conforming to the
-// "url.top_level_domain" semantic conventions. It represents the effective top
-// level domain (eTLD), also known as the domain suffix, is the last part of
-// the domain name. For example, the top level domain for example.com is `com`.
-func URLTopLevelDomain(val string) attribute.KeyValue {
-	return URLTopLevelDomainKey.String(val)
-}
-
-// Describes user-agent attributes.
-const (
-	// UserAgentNameKey is the attribute Key conforming to the
-	// "user_agent.name" semantic conventions. It represents the name of the
-	// user-agent extracted from original. Usually refers to the browser's
-	// name.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'Safari', 'YourApp'
-	// Note: [Example](https://www.whatsmyua.info) of extracting browser's name
-	// from original string. In the case of using a user-agent for non-browser
-	// products, such as microservices with multiple names/versions inside the
-	// `user_agent.original`, the most significant name SHOULD be selected. In
-	// such a scenario it should align with `user_agent.version`
-	UserAgentNameKey = attribute.Key("user_agent.name")
-
-	// UserAgentOriginalKey is the attribute Key conforming to the
-	// "user_agent.original" semantic conventions. It represents the value of
-	// the [HTTP
-	// User-Agent](https://www.rfc-editor.org/rfc/rfc9110.html#field.user-agent)
-	// header sent by the client.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: stable
-	// Examples: 'CERN-LineMode/2.15 libwww/2.17b3', 'Mozilla/5.0 (iPhone; CPU
-	// iPhone OS 14_7_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko)
-	// Version/14.1.2 Mobile/15E148 Safari/604.1', 'YourApp/1.0.0
-	// grpc-java-okhttp/1.27.2'
-	UserAgentOriginalKey = attribute.Key("user_agent.original")
-
-	// UserAgentVersionKey is the attribute Key conforming to the
-	// "user_agent.version" semantic conventions. It represents the version of
-	// the user-agent extracted from original. Usually refers to the browser's
-	// version
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: '14.1.2', '1.0.0'
-	// Note: [Example](https://www.whatsmyua.info) of extracting browser's
-	// version from original string. In the case of using a user-agent for
-	// non-browser products, such as microservices with multiple names/versions
-	// inside the `user_agent.original`, the most significant version SHOULD be
-	// selected. In such a scenario it should align with `user_agent.name`
-	UserAgentVersionKey = attribute.Key("user_agent.version")
-)
-
-// UserAgentName returns an attribute KeyValue conforming to the
-// "user_agent.name" semantic conventions. It represents the name of the
-// user-agent extracted from original. Usually refers to the browser's name.
-func UserAgentName(val string) attribute.KeyValue {
-	return UserAgentNameKey.String(val)
-}
-
-// UserAgentOriginal returns an attribute KeyValue conforming to the
-// "user_agent.original" semantic conventions. It represents the value of the
-// [HTTP
-// User-Agent](https://www.rfc-editor.org/rfc/rfc9110.html#field.user-agent)
-// header sent by the client.
-func UserAgentOriginal(val string) attribute.KeyValue {
-	return UserAgentOriginalKey.String(val)
-}
-
-// UserAgentVersion returns an attribute KeyValue conforming to the
-// "user_agent.version" semantic conventions. It represents the version of the
-// user-agent extracted from original. Usually refers to the browser's version
-func UserAgentVersion(val string) attribute.KeyValue {
-	return UserAgentVersionKey.String(val)
-}
-
-// The attributes used to describe the packaged software running the
-// application code.
-const (
-	// WebEngineDescriptionKey is the attribute Key conforming to the
-	// "webengine.description" semantic conventions. It represents the
-	// additional description of the web engine (e.g. detailed version and
-	// edition information).
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'WildFly Full 21.0.0.Final (WildFly Core 13.0.1.Final) -
-	// 2.2.2.Final'
-	WebEngineDescriptionKey = attribute.Key("webengine.description")
-
-	// WebEngineNameKey is the attribute Key conforming to the "webengine.name"
-	// semantic conventions. It represents the name of the web engine.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: 'WildFly'
-	WebEngineNameKey = attribute.Key("webengine.name")
-
-	// WebEngineVersionKey is the attribute Key conforming to the
-	// "webengine.version" semantic conventions. It represents the version of
-	// the web engine.
-	//
-	// Type: string
-	// RequirementLevel: Optional
-	// Stability: experimental
-	// Examples: '21.0.0'
-	WebEngineVersionKey = attribute.Key("webengine.version")
-)
-
-// WebEngineDescription returns an attribute KeyValue conforming to the
-// "webengine.description" semantic conventions. It represents the additional
-// description of the web engine (e.g. detailed version and edition
-// information).
-func WebEngineDescription(val string) attribute.KeyValue {
-	return WebEngineDescriptionKey.String(val)
-}
-
-// WebEngineName returns an attribute KeyValue conforming to the
-// "webengine.name" semantic conventions. It represents the name of the web
-// engine.
-func WebEngineName(val string) attribute.KeyValue {
-	return WebEngineNameKey.String(val)
-}
-
-// WebEngineVersion returns an attribute KeyValue conforming to the
-// "webengine.version" semantic conventions. It represents the version of the
-// web engine.
-func WebEngineVersion(val string) attribute.KeyValue {
-	return WebEngineVersionKey.String(val)
-}
diff --git a/vendor/go.opentelemetry.io/otel/semconv/v1.26.0/doc.go b/vendor/go.opentelemetry.io/otel/semconv/v1.26.0/doc.go
deleted file mode 100644
index d031bbea78..0000000000
--- a/vendor/go.opentelemetry.io/otel/semconv/v1.26.0/doc.go
+++ /dev/null
@@ -1,9 +0,0 @@
-// Copyright The OpenTelemetry Authors
-// SPDX-License-Identifier: Apache-2.0
-
-// Package semconv implements OpenTelemetry semantic conventions.
-//
-// OpenTelemetry semantic conventions are agreed standardized naming
-// patterns for OpenTelemetry things. This package represents the v1.26.0
-// version of the OpenTelemetry semantic conventions.
-package semconv // import "go.opentelemetry.io/otel/semconv/v1.26.0"
diff --git a/vendor/go.opentelemetry.io/otel/semconv/v1.26.0/exception.go b/vendor/go.opentelemetry.io/otel/semconv/v1.26.0/exception.go
deleted file mode 100644
index bfaee0d56e..0000000000
--- a/vendor/go.opentelemetry.io/otel/semconv/v1.26.0/exception.go
+++ /dev/null
@@ -1,9 +0,0 @@
-// Copyright The OpenTelemetry Authors
-// SPDX-License-Identifier: Apache-2.0
-
-package semconv // import "go.opentelemetry.io/otel/semconv/v1.26.0"
-
-const (
-	// ExceptionEventName is the name of the Span event representing an exception.
-	ExceptionEventName = "exception"
-)
diff --git a/vendor/go.opentelemetry.io/otel/semconv/v1.26.0/metric.go b/vendor/go.opentelemetry.io/otel/semconv/v1.26.0/metric.go
deleted file mode 100644
index fcdb9f4859..0000000000
--- a/vendor/go.opentelemetry.io/otel/semconv/v1.26.0/metric.go
+++ /dev/null
@@ -1,1307 +0,0 @@
-// Copyright The OpenTelemetry Authors
-// SPDX-License-Identifier: Apache-2.0
-
-// Code generated from semantic convention specification. DO NOT EDIT.
-
-package semconv // import "go.opentelemetry.io/otel/semconv/v1.26.0"
-
-const (
-
-	// ContainerCPUTime is the metric conforming to the "container.cpu.time"
-	// semantic conventions. It represents the total CPU time consumed.
-	// Instrument: counter
-	// Unit: s
-	// Stability: Experimental
-	ContainerCPUTimeName        = "container.cpu.time"
-	ContainerCPUTimeUnit        = "s"
-	ContainerCPUTimeDescription = "Total CPU time consumed"
-
-	// ContainerMemoryUsage is the metric conforming to the
-	// "container.memory.usage" semantic conventions. It represents the memory
-	// usage of the container.
-	// Instrument: counter
-	// Unit: By
-	// Stability: Experimental
-	ContainerMemoryUsageName        = "container.memory.usage"
-	ContainerMemoryUsageUnit        = "By"
-	ContainerMemoryUsageDescription = "Memory usage of the container."
-
-	// ContainerDiskIo is the metric conforming to the "container.disk.io" semantic
-	// conventions. It represents the disk bytes for the container.
-	// Instrument: counter
-	// Unit: By
-	// Stability: Experimental
-	ContainerDiskIoName        = "container.disk.io"
-	ContainerDiskIoUnit        = "By"
-	ContainerDiskIoDescription = "Disk bytes for the container."
-
-	// ContainerNetworkIo is the metric conforming to the "container.network.io"
-	// semantic conventions. It represents the network bytes for the container.
-	// Instrument: counter
-	// Unit: By
-	// Stability: Experimental
-	ContainerNetworkIoName        = "container.network.io"
-	ContainerNetworkIoUnit        = "By"
-	ContainerNetworkIoDescription = "Network bytes for the container."
-
-	// DBClientOperationDuration is the metric conforming to the
-	// "db.client.operation.duration" semantic conventions. It represents the
-	// duration of database client operations.
-	// Instrument: histogram
-	// Unit: s
-	// Stability: Experimental
-	DBClientOperationDurationName        = "db.client.operation.duration"
-	DBClientOperationDurationUnit        = "s"
-	DBClientOperationDurationDescription = "Duration of database client operations."
-
-	// DBClientConnectionCount is the metric conforming to the
-	// "db.client.connection.count" semantic conventions. It represents the number
-	// of connections that are currently in state described by the `state`
-	// attribute.
-	// Instrument: updowncounter
-	// Unit: {connection}
-	// Stability: Experimental
-	DBClientConnectionCountName        = "db.client.connection.count"
-	DBClientConnectionCountUnit        = "{connection}"
-	DBClientConnectionCountDescription = "The number of connections that are currently in state described by the `state` attribute"
-
-	// DBClientConnectionIdleMax is the metric conforming to the
-	// "db.client.connection.idle.max" semantic conventions. It represents the
-	// maximum number of idle open connections allowed.
-	// Instrument: updowncounter
-	// Unit: {connection}
-	// Stability: Experimental
-	DBClientConnectionIdleMaxName        = "db.client.connection.idle.max"
-	DBClientConnectionIdleMaxUnit        = "{connection}"
-	DBClientConnectionIdleMaxDescription = "The maximum number of idle open connections allowed"
-
-	// DBClientConnectionIdleMin is the metric conforming to the
-	// "db.client.connection.idle.min" semantic conventions. It represents the
-	// minimum number of idle open connections allowed.
-	// Instrument: updowncounter
-	// Unit: {connection}
-	// Stability: Experimental
-	DBClientConnectionIdleMinName        = "db.client.connection.idle.min"
-	DBClientConnectionIdleMinUnit        = "{connection}"
-	DBClientConnectionIdleMinDescription = "The minimum number of idle open connections allowed"
-
-	// DBClientConnectionMax is the metric conforming to the
-	// "db.client.connection.max" semantic conventions. It represents the maximum
-	// number of open connections allowed.
-	// Instrument: updowncounter
-	// Unit: {connection}
-	// Stability: Experimental
-	DBClientConnectionMaxName        = "db.client.connection.max"
-	DBClientConnectionMaxUnit        = "{connection}"
-	DBClientConnectionMaxDescription = "The maximum number of open connections allowed"
-
-	// DBClientConnectionPendingRequests is the metric conforming to the
-	// "db.client.connection.pending_requests" semantic conventions. It represents
-	// the number of pending requests for an open connection, cumulative for the
-	// entire pool.
-	// Instrument: updowncounter
-	// Unit: {request}
-	// Stability: Experimental
-	DBClientConnectionPendingRequestsName        = "db.client.connection.pending_requests"
-	DBClientConnectionPendingRequestsUnit        = "{request}"
-	DBClientConnectionPendingRequestsDescription = "The number of pending requests for an open connection, cumulative for the entire pool"
-
-	// DBClientConnectionTimeouts is the metric conforming to the
-	// "db.client.connection.timeouts" semantic conventions. It represents the
-	// number of connection timeouts that have occurred trying to obtain a
-	// connection from the pool.
-	// Instrument: counter
-	// Unit: {timeout}
-	// Stability: Experimental
-	DBClientConnectionTimeoutsName        = "db.client.connection.timeouts"
-	DBClientConnectionTimeoutsUnit        = "{timeout}"
-	DBClientConnectionTimeoutsDescription = "The number of connection timeouts that have occurred trying to obtain a connection from the pool"
-
-	// DBClientConnectionCreateTime is the metric conforming to the
-	// "db.client.connection.create_time" semantic conventions. It represents the
-	// time it took to create a new connection.
-	// Instrument: histogram
-	// Unit: s
-	// Stability: Experimental
-	DBClientConnectionCreateTimeName        = "db.client.connection.create_time"
-	DBClientConnectionCreateTimeUnit        = "s"
-	DBClientConnectionCreateTimeDescription = "The time it took to create a new connection"
-
-	// DBClientConnectionWaitTime is the metric conforming to the
-	// "db.client.connection.wait_time" semantic conventions. It represents the
-	// time it took to obtain an open connection from the pool.
-	// Instrument: histogram
-	// Unit: s
-	// Stability: Experimental
-	DBClientConnectionWaitTimeName        = "db.client.connection.wait_time"
-	DBClientConnectionWaitTimeUnit        = "s"
-	DBClientConnectionWaitTimeDescription = "The time it took to obtain an open connection from the pool"
-
-	// DBClientConnectionUseTime is the metric conforming to the
-	// "db.client.connection.use_time" semantic conventions. It represents the time
-	// between borrowing a connection and returning it to the pool.
-	// Instrument: histogram
-	// Unit: s
-	// Stability: Experimental
-	DBClientConnectionUseTimeName        = "db.client.connection.use_time"
-	DBClientConnectionUseTimeUnit        = "s"
-	DBClientConnectionUseTimeDescription = "The time between borrowing a connection and returning it to the pool"
-
-	// DBClientConnectionsUsage is the metric conforming to the
-	// "db.client.connections.usage" semantic conventions. It represents the
-	// deprecated, use `db.client.connection.count` instead.
-	// Instrument: updowncounter
-	// Unit: {connection}
-	// Stability: Experimental
-	DBClientConnectionsUsageName        = "db.client.connections.usage"
-	DBClientConnectionsUsageUnit        = "{connection}"
-	DBClientConnectionsUsageDescription = "Deprecated, use `db.client.connection.count` instead."
-
-	// DBClientConnectionsIdleMax is the metric conforming to the
-	// "db.client.connections.idle.max" semantic conventions. It represents the
-	// deprecated, use `db.client.connection.idle.max` instead.
-	// Instrument: updowncounter
-	// Unit: {connection}
-	// Stability: Experimental
-	DBClientConnectionsIdleMaxName        = "db.client.connections.idle.max"
-	DBClientConnectionsIdleMaxUnit        = "{connection}"
-	DBClientConnectionsIdleMaxDescription = "Deprecated, use `db.client.connection.idle.max` instead."
-
-	// DBClientConnectionsIdleMin is the metric conforming to the
-	// "db.client.connections.idle.min" semantic conventions. It represents the
-	// deprecated, use `db.client.connection.idle.min` instead.
-	// Instrument: updowncounter
-	// Unit: {connection}
-	// Stability: Experimental
-	DBClientConnectionsIdleMinName        = "db.client.connections.idle.min"
-	DBClientConnectionsIdleMinUnit        = "{connection}"
-	DBClientConnectionsIdleMinDescription = "Deprecated, use `db.client.connection.idle.min` instead."
-
-	// DBClientConnectionsMax is the metric conforming to the
-	// "db.client.connections.max" semantic conventions. It represents the
-	// deprecated, use `db.client.connection.max` instead.
-	// Instrument: updowncounter
-	// Unit: {connection}
-	// Stability: Experimental
-	DBClientConnectionsMaxName        = "db.client.connections.max"
-	DBClientConnectionsMaxUnit        = "{connection}"
-	DBClientConnectionsMaxDescription = "Deprecated, use `db.client.connection.max` instead."
-
-	// DBClientConnectionsPendingRequests is the metric conforming to the
-	// "db.client.connections.pending_requests" semantic conventions. It represents
-	// the deprecated, use `db.client.connection.pending_requests` instead.
-	// Instrument: updowncounter
-	// Unit: {request}
-	// Stability: Experimental
-	DBClientConnectionsPendingRequestsName        = "db.client.connections.pending_requests"
-	DBClientConnectionsPendingRequestsUnit        = "{request}"
-	DBClientConnectionsPendingRequestsDescription = "Deprecated, use `db.client.connection.pending_requests` instead."
-
-	// DBClientConnectionsTimeouts is the metric conforming to the
-	// "db.client.connections.timeouts" semantic conventions. It represents the
-	// deprecated, use `db.client.connection.timeouts` instead.
-	// Instrument: counter
-	// Unit: {timeout}
-	// Stability: Experimental
-	DBClientConnectionsTimeoutsName        = "db.client.connections.timeouts"
-	DBClientConnectionsTimeoutsUnit        = "{timeout}"
-	DBClientConnectionsTimeoutsDescription = "Deprecated, use `db.client.connection.timeouts` instead."
-
-	// DBClientConnectionsCreateTime is the metric conforming to the
-	// "db.client.connections.create_time" semantic conventions. It represents the
-	// deprecated, use `db.client.connection.create_time` instead. Note: the unit
-	// also changed from `ms` to `s`.
-	// Instrument: histogram
-	// Unit: ms
-	// Stability: Experimental
-	DBClientConnectionsCreateTimeName        = "db.client.connections.create_time"
-	DBClientConnectionsCreateTimeUnit        = "ms"
-	DBClientConnectionsCreateTimeDescription = "Deprecated, use `db.client.connection.create_time` instead. Note: the unit also changed from `ms` to `s`."
-
-	// DBClientConnectionsWaitTime is the metric conforming to the
-	// "db.client.connections.wait_time" semantic conventions. It represents the
-	// deprecated, use `db.client.connection.wait_time` instead. Note: the unit
-	// also changed from `ms` to `s`.
-	// Instrument: histogram
-	// Unit: ms
-	// Stability: Experimental
-	DBClientConnectionsWaitTimeName        = "db.client.connections.wait_time"
-	DBClientConnectionsWaitTimeUnit        = "ms"
-	DBClientConnectionsWaitTimeDescription = "Deprecated, use `db.client.connection.wait_time` instead. Note: the unit also changed from `ms` to `s`."
-
-	// DBClientConnectionsUseTime is the metric conforming to the
-	// "db.client.connections.use_time" semantic conventions. It represents the
-	// deprecated, use `db.client.connection.use_time` instead. Note: the unit also
-	// changed from `ms` to `s`.
-	// Instrument: histogram
-	// Unit: ms
-	// Stability: Experimental
-	DBClientConnectionsUseTimeName        = "db.client.connections.use_time"
-	DBClientConnectionsUseTimeUnit        = "ms"
-	DBClientConnectionsUseTimeDescription = "Deprecated, use `db.client.connection.use_time` instead. Note: the unit also changed from `ms` to `s`."
-
-	// DNSLookupDuration is the metric conforming to the "dns.lookup.duration"
-	// semantic conventions. It represents the measures the time taken to perform a
-	// DNS lookup.
-	// Instrument: histogram
-	// Unit: s
-	// Stability: Experimental
-	DNSLookupDurationName        = "dns.lookup.duration"
-	DNSLookupDurationUnit        = "s"
-	DNSLookupDurationDescription = "Measures the time taken to perform a DNS lookup."
-
-	// AspnetcoreRoutingMatchAttempts is the metric conforming to the
-	// "aspnetcore.routing.match_attempts" semantic conventions. It represents the
-	// number of requests that were attempted to be matched to an endpoint.
-	// Instrument: counter
-	// Unit: {match_attempt}
-	// Stability: Stable
-	AspnetcoreRoutingMatchAttemptsName        = "aspnetcore.routing.match_attempts"
-	AspnetcoreRoutingMatchAttemptsUnit        = "{match_attempt}"
-	AspnetcoreRoutingMatchAttemptsDescription = "Number of requests that were attempted to be matched to an endpoint."
-
-	// AspnetcoreDiagnosticsExceptions is the metric conforming to the
-	// "aspnetcore.diagnostics.exceptions" semantic conventions. It represents the
-	// number of exceptions caught by exception handling middleware.
-	// Instrument: counter
-	// Unit: {exception}
-	// Stability: Stable
-	AspnetcoreDiagnosticsExceptionsName        = "aspnetcore.diagnostics.exceptions"
-	AspnetcoreDiagnosticsExceptionsUnit        = "{exception}"
-	AspnetcoreDiagnosticsExceptionsDescription = "Number of exceptions caught by exception handling middleware."
-
-	// AspnetcoreRateLimitingActiveRequestLeases is the metric conforming to the
-	// "aspnetcore.rate_limiting.active_request_leases" semantic conventions. It
-	// represents the number of requests that are currently active on the server
-	// that hold a rate limiting lease.
-	// Instrument: updowncounter
-	// Unit: {request}
-	// Stability: Stable
-	AspnetcoreRateLimitingActiveRequestLeasesName        = "aspnetcore.rate_limiting.active_request_leases"
-	AspnetcoreRateLimitingActiveRequestLeasesUnit        = "{request}"
-	AspnetcoreRateLimitingActiveRequestLeasesDescription = "Number of requests that are currently active on the server that hold a rate limiting lease."
-
-	// AspnetcoreRateLimitingRequestLeaseDuration is the metric conforming to the
-	// "aspnetcore.rate_limiting.request_lease.duration" semantic conventions. It
-	// represents the duration of rate limiting lease held by requests on the
-	// server.
-	// Instrument: histogram
-	// Unit: s
-	// Stability: Stable
-	AspnetcoreRateLimitingRequestLeaseDurationName        = "aspnetcore.rate_limiting.request_lease.duration"
-	AspnetcoreRateLimitingRequestLeaseDurationUnit        = "s"
-	AspnetcoreRateLimitingRequestLeaseDurationDescription = "The duration of rate limiting lease held by requests on the server."
-
-	// AspnetcoreRateLimitingRequestTimeInQueue is the metric conforming to the
-	// "aspnetcore.rate_limiting.request.time_in_queue" semantic conventions. It
-	// represents the time the request spent in a queue waiting to acquire a rate
-	// limiting lease.
-	// Instrument: histogram
-	// Unit: s
-	// Stability: Stable
-	AspnetcoreRateLimitingRequestTimeInQueueName        = "aspnetcore.rate_limiting.request.time_in_queue"
-	AspnetcoreRateLimitingRequestTimeInQueueUnit        = "s"
-	AspnetcoreRateLimitingRequestTimeInQueueDescription = "The time the request spent in a queue waiting to acquire a rate limiting lease."
-
-	// AspnetcoreRateLimitingQueuedRequests is the metric conforming to the
-	// "aspnetcore.rate_limiting.queued_requests" semantic conventions. It
-	// represents the number of requests that are currently queued, waiting to
-	// acquire a rate limiting lease.
-	// Instrument: updowncounter
-	// Unit: {request}
-	// Stability: Stable
-	AspnetcoreRateLimitingQueuedRequestsName        = "aspnetcore.rate_limiting.queued_requests"
-	AspnetcoreRateLimitingQueuedRequestsUnit        = "{request}"
-	AspnetcoreRateLimitingQueuedRequestsDescription = "Number of requests that are currently queued, waiting to acquire a rate limiting lease."
-
-	// AspnetcoreRateLimitingRequests is the metric conforming to the
-	// "aspnetcore.rate_limiting.requests" semantic conventions. It represents the
-	// number of requests that tried to acquire a rate limiting lease.
-	// Instrument: counter
-	// Unit: {request}
-	// Stability: Stable
-	AspnetcoreRateLimitingRequestsName        = "aspnetcore.rate_limiting.requests"
-	AspnetcoreRateLimitingRequestsUnit        = "{request}"
-	AspnetcoreRateLimitingRequestsDescription = "Number of requests that tried to acquire a rate limiting lease."
-
-	// KestrelActiveConnections is the metric conforming to the
-	// "kestrel.active_connections" semantic conventions. It represents the number
-	// of connections that are currently active on the server.
-	// Instrument: updowncounter
-	// Unit: {connection}
-	// Stability: Stable
-	KestrelActiveConnectionsName        = "kestrel.active_connections"
-	KestrelActiveConnectionsUnit        = "{connection}"
-	KestrelActiveConnectionsDescription = "Number of connections that are currently active on the server."
-
-	// KestrelConnectionDuration is the metric conforming to the
-	// "kestrel.connection.duration" semantic conventions. It represents the
-	// duration of connections on the server.
-	// Instrument: histogram
-	// Unit: s
-	// Stability: Stable
-	KestrelConnectionDurationName        = "kestrel.connection.duration"
-	KestrelConnectionDurationUnit        = "s"
-	KestrelConnectionDurationDescription = "The duration of connections on the server."
-
-	// KestrelRejectedConnections is the metric conforming to the
-	// "kestrel.rejected_connections" semantic conventions. It represents the
-	// number of connections rejected by the server.
-	// Instrument: counter
-	// Unit: {connection}
-	// Stability: Stable
-	KestrelRejectedConnectionsName        = "kestrel.rejected_connections"
-	KestrelRejectedConnectionsUnit        = "{connection}"
-	KestrelRejectedConnectionsDescription = "Number of connections rejected by the server."
-
-	// KestrelQueuedConnections is the metric conforming to the
-	// "kestrel.queued_connections" semantic conventions. It represents the number
-	// of connections that are currently queued and are waiting to start.
-	// Instrument: updowncounter
-	// Unit: {connection}
-	// Stability: Stable
-	KestrelQueuedConnectionsName        = "kestrel.queued_connections"
-	KestrelQueuedConnectionsUnit        = "{connection}"
-	KestrelQueuedConnectionsDescription = "Number of connections that are currently queued and are waiting to start."
-
-	// KestrelQueuedRequests is the metric conforming to the
-	// "kestrel.queued_requests" semantic conventions. It represents the number of
-	// HTTP requests on multiplexed connections (HTTP/2 and HTTP/3) that are
-	// currently queued and are waiting to start.
-	// Instrument: updowncounter
-	// Unit: {request}
-	// Stability: Stable
-	KestrelQueuedRequestsName        = "kestrel.queued_requests"
-	KestrelQueuedRequestsUnit        = "{request}"
-	KestrelQueuedRequestsDescription = "Number of HTTP requests on multiplexed connections (HTTP/2 and HTTP/3) that are currently queued and are waiting to start."
-
-	// KestrelUpgradedConnections is the metric conforming to the
-	// "kestrel.upgraded_connections" semantic conventions. It represents the
-	// number of connections that are currently upgraded (WebSockets). .
-	// Instrument: updowncounter
-	// Unit: {connection}
-	// Stability: Stable
-	KestrelUpgradedConnectionsName        = "kestrel.upgraded_connections"
-	KestrelUpgradedConnectionsUnit        = "{connection}"
-	KestrelUpgradedConnectionsDescription = "Number of connections that are currently upgraded (WebSockets). ."
-
-	// KestrelTLSHandshakeDuration is the metric conforming to the
-	// "kestrel.tls_handshake.duration" semantic conventions. It represents the
-	// duration of TLS handshakes on the server.
-	// Instrument: histogram
-	// Unit: s
-	// Stability: Stable
-	KestrelTLSHandshakeDurationName        = "kestrel.tls_handshake.duration"
-	KestrelTLSHandshakeDurationUnit        = "s"
-	KestrelTLSHandshakeDurationDescription = "The duration of TLS handshakes on the server."
-
-	// KestrelActiveTLSHandshakes is the metric conforming to the
-	// "kestrel.active_tls_handshakes" semantic conventions. It represents the
-	// number of TLS handshakes that are currently in progress on the server.
-	// Instrument: updowncounter
-	// Unit: {handshake}
-	// Stability: Stable
-	KestrelActiveTLSHandshakesName        = "kestrel.active_tls_handshakes"
-	KestrelActiveTLSHandshakesUnit        = "{handshake}"
-	KestrelActiveTLSHandshakesDescription = "Number of TLS handshakes that are currently in progress on the server."
-
-	// SignalrServerConnectionDuration is the metric conforming to the
-	// "signalr.server.connection.duration" semantic conventions. It represents the
-	// duration of connections on the server.
-	// Instrument: histogram
-	// Unit: s
-	// Stability: Stable
-	SignalrServerConnectionDurationName        = "signalr.server.connection.duration"
-	SignalrServerConnectionDurationUnit        = "s"
-	SignalrServerConnectionDurationDescription = "The duration of connections on the server."
-
-	// SignalrServerActiveConnections is the metric conforming to the
-	// "signalr.server.active_connections" semantic conventions. It represents the
-	// number of connections that are currently active on the server.
-	// Instrument: updowncounter
-	// Unit: {connection}
-	// Stability: Stable
-	SignalrServerActiveConnectionsName        = "signalr.server.active_connections"
-	SignalrServerActiveConnectionsUnit        = "{connection}"
-	SignalrServerActiveConnectionsDescription = "Number of connections that are currently active on the server."
-
-	// FaaSInvokeDuration is the metric conforming to the "faas.invoke_duration"
-	// semantic conventions. It represents the measures the duration of the
-	// function's logic execution.
-	// Instrument: histogram
-	// Unit: s
-	// Stability: Experimental
-	FaaSInvokeDurationName        = "faas.invoke_duration"
-	FaaSInvokeDurationUnit        = "s"
-	FaaSInvokeDurationDescription = "Measures the duration of the function's logic execution"
-
-	// FaaSInitDuration is the metric conforming to the "faas.init_duration"
-	// semantic conventions. It represents the measures the duration of the
-	// function's initialization, such as a cold start.
-	// Instrument: histogram
-	// Unit: s
-	// Stability: Experimental
-	FaaSInitDurationName        = "faas.init_duration"
-	FaaSInitDurationUnit        = "s"
-	FaaSInitDurationDescription = "Measures the duration of the function's initialization, such as a cold start"
-
-	// FaaSColdstarts is the metric conforming to the "faas.coldstarts" semantic
-	// conventions. It represents the number of invocation cold starts.
-	// Instrument: counter
-	// Unit: {coldstart}
-	// Stability: Experimental
-	FaaSColdstartsName        = "faas.coldstarts"
-	FaaSColdstartsUnit        = "{coldstart}"
-	FaaSColdstartsDescription = "Number of invocation cold starts"
-
-	// FaaSErrors is the metric conforming to the "faas.errors" semantic
-	// conventions. It represents the number of invocation errors.
-	// Instrument: counter
-	// Unit: {error}
-	// Stability: Experimental
-	FaaSErrorsName        = "faas.errors"
-	FaaSErrorsUnit        = "{error}"
-	FaaSErrorsDescription = "Number of invocation errors"
-
-	// FaaSInvocations is the metric conforming to the "faas.invocations" semantic
-	// conventions. It represents the number of successful invocations.
-	// Instrument: counter
-	// Unit: {invocation}
-	// Stability: Experimental
-	FaaSInvocationsName        = "faas.invocations"
-	FaaSInvocationsUnit        = "{invocation}"
-	FaaSInvocationsDescription = "Number of successful invocations"
-
-	// FaaSTimeouts is the metric conforming to the "faas.timeouts" semantic
-	// conventions. It represents the number of invocation timeouts.
-	// Instrument: counter
-	// Unit: {timeout}
-	// Stability: Experimental
-	FaaSTimeoutsName        = "faas.timeouts"
-	FaaSTimeoutsUnit        = "{timeout}"
-	FaaSTimeoutsDescription = "Number of invocation timeouts"
-
-	// FaaSMemUsage is the metric conforming to the "faas.mem_usage" semantic
-	// conventions. It represents the distribution of max memory usage per
-	// invocation.
-	// Instrument: histogram
-	// Unit: By
-	// Stability: Experimental
-	FaaSMemUsageName        = "faas.mem_usage"
-	FaaSMemUsageUnit        = "By"
-	FaaSMemUsageDescription = "Distribution of max memory usage per invocation"
-
-	// FaaSCPUUsage is the metric conforming to the "faas.cpu_usage" semantic
-	// conventions. It represents the distribution of CPU usage per invocation.
-	// Instrument: histogram
-	// Unit: s
-	// Stability: Experimental
-	FaaSCPUUsageName        = "faas.cpu_usage"
-	FaaSCPUUsageUnit        = "s"
-	FaaSCPUUsageDescription = "Distribution of CPU usage per invocation"
-
-	// FaaSNetIo is the metric conforming to the "faas.net_io" semantic
-	// conventions. It represents the distribution of net I/O usage per invocation.
-	// Instrument: histogram
-	// Unit: By
-	// Stability: Experimental
-	FaaSNetIoName        = "faas.net_io"
-	FaaSNetIoUnit        = "By"
-	FaaSNetIoDescription = "Distribution of net I/O usage per invocation"
-
-	// HTTPServerRequestDuration is the metric conforming to the
-	// "http.server.request.duration" semantic conventions. It represents the
-	// duration of HTTP server requests.
-	// Instrument: histogram
-	// Unit: s
-	// Stability: Stable
-	HTTPServerRequestDurationName        = "http.server.request.duration"
-	HTTPServerRequestDurationUnit        = "s"
-	HTTPServerRequestDurationDescription = "Duration of HTTP server requests."
-
-	// HTTPServerActiveRequests is the metric conforming to the
-	// "http.server.active_requests" semantic conventions. It represents the number
-	// of active HTTP server requests.
-	// Instrument: updowncounter
-	// Unit: {request}
-	// Stability: Experimental
-	HTTPServerActiveRequestsName        = "http.server.active_requests"
-	HTTPServerActiveRequestsUnit        = "{request}"
-	HTTPServerActiveRequestsDescription = "Number of active HTTP server requests."
-
-	// HTTPServerRequestBodySize is the metric conforming to the
-	// "http.server.request.body.size" semantic conventions. It represents the size
-	// of HTTP server request bodies.
-	// Instrument: histogram
-	// Unit: By
-	// Stability: Experimental
-	HTTPServerRequestBodySizeName        = "http.server.request.body.size"
-	HTTPServerRequestBodySizeUnit        = "By"
-	HTTPServerRequestBodySizeDescription = "Size of HTTP server request bodies."
-
-	// HTTPServerResponseBodySize is the metric conforming to the
-	// "http.server.response.body.size" semantic conventions. It represents the
-	// size of HTTP server response bodies.
-	// Instrument: histogram
-	// Unit: By
-	// Stability: Experimental
-	HTTPServerResponseBodySizeName        = "http.server.response.body.size"
-	HTTPServerResponseBodySizeUnit        = "By"
-	HTTPServerResponseBodySizeDescription = "Size of HTTP server response bodies."
-
-	// HTTPClientRequestDuration is the metric conforming to the
-	// "http.client.request.duration" semantic conventions. It represents the
-	// duration of HTTP client requests.
-	// Instrument: histogram
-	// Unit: s
-	// Stability: Stable
-	HTTPClientRequestDurationName        = "http.client.request.duration"
-	HTTPClientRequestDurationUnit        = "s"
-	HTTPClientRequestDurationDescription = "Duration of HTTP client requests."
-
-	// HTTPClientRequestBodySize is the metric conforming to the
-	// "http.client.request.body.size" semantic conventions. It represents the size
-	// of HTTP client request bodies.
-	// Instrument: histogram
-	// Unit: By
-	// Stability: Experimental
-	HTTPClientRequestBodySizeName        = "http.client.request.body.size"
-	HTTPClientRequestBodySizeUnit        = "By"
-	HTTPClientRequestBodySizeDescription = "Size of HTTP client request bodies."
-
-	// HTTPClientResponseBodySize is the metric conforming to the
-	// "http.client.response.body.size" semantic conventions. It represents the
-	// size of HTTP client response bodies.
-	// Instrument: histogram
-	// Unit: By
-	// Stability: Experimental
-	HTTPClientResponseBodySizeName        = "http.client.response.body.size"
-	HTTPClientResponseBodySizeUnit        = "By"
-	HTTPClientResponseBodySizeDescription = "Size of HTTP client response bodies."
-
-	// HTTPClientOpenConnections is the metric conforming to the
-	// "http.client.open_connections" semantic conventions. It represents the
-	// number of outbound HTTP connections that are currently active or idle on the
-	// client.
-	// Instrument: updowncounter
-	// Unit: {connection}
-	// Stability: Experimental
-	HTTPClientOpenConnectionsName        = "http.client.open_connections"
-	HTTPClientOpenConnectionsUnit        = "{connection}"
-	HTTPClientOpenConnectionsDescription = "Number of outbound HTTP connections that are currently active or idle on the client."
-
-	// HTTPClientConnectionDuration is the metric conforming to the
-	// "http.client.connection.duration" semantic conventions. It represents the
-	// duration of the successfully established outbound HTTP connections.
-	// Instrument: histogram
-	// Unit: s
-	// Stability: Experimental
-	HTTPClientConnectionDurationName        = "http.client.connection.duration"
-	HTTPClientConnectionDurationUnit        = "s"
-	HTTPClientConnectionDurationDescription = "The duration of the successfully established outbound HTTP connections."
-
-	// HTTPClientActiveRequests is the metric conforming to the
-	// "http.client.active_requests" semantic conventions. It represents the number
-	// of active HTTP requests.
-	// Instrument: updowncounter
-	// Unit: {request}
-	// Stability: Experimental
-	HTTPClientActiveRequestsName        = "http.client.active_requests"
-	HTTPClientActiveRequestsUnit        = "{request}"
-	HTTPClientActiveRequestsDescription = "Number of active HTTP requests."
-
-	// JvmMemoryInit is the metric conforming to the "jvm.memory.init" semantic
-	// conventions. It represents the measure of initial memory requested.
-	// Instrument: updowncounter
-	// Unit: By
-	// Stability: Experimental
-	JvmMemoryInitName        = "jvm.memory.init"
-	JvmMemoryInitUnit        = "By"
-	JvmMemoryInitDescription = "Measure of initial memory requested."
-
-	// JvmSystemCPUUtilization is the metric conforming to the
-	// "jvm.system.cpu.utilization" semantic conventions. It represents the recent
-	// CPU utilization for the whole system as reported by the JVM.
-	// Instrument: gauge
-	// Unit: 1
-	// Stability: Experimental
-	JvmSystemCPUUtilizationName        = "jvm.system.cpu.utilization"
-	JvmSystemCPUUtilizationUnit        = "1"
-	JvmSystemCPUUtilizationDescription = "Recent CPU utilization for the whole system as reported by the JVM."
-
-	// JvmSystemCPULoad1m is the metric conforming to the "jvm.system.cpu.load_1m"
-	// semantic conventions. It represents the average CPU load of the whole system
-	// for the last minute as reported by the JVM.
-	// Instrument: gauge
-	// Unit: {run_queue_item}
-	// Stability: Experimental
-	JvmSystemCPULoad1mName        = "jvm.system.cpu.load_1m"
-	JvmSystemCPULoad1mUnit        = "{run_queue_item}"
-	JvmSystemCPULoad1mDescription = "Average CPU load of the whole system for the last minute as reported by the JVM."
-
-	// JvmBufferMemoryUsage is the metric conforming to the
-	// "jvm.buffer.memory.usage" semantic conventions. It represents the measure of
-	// memory used by buffers.
-	// Instrument: updowncounter
-	// Unit: By
-	// Stability: Experimental
-	JvmBufferMemoryUsageName        = "jvm.buffer.memory.usage"
-	JvmBufferMemoryUsageUnit        = "By"
-	JvmBufferMemoryUsageDescription = "Measure of memory used by buffers."
-
-	// JvmBufferMemoryLimit is the metric conforming to the
-	// "jvm.buffer.memory.limit" semantic conventions. It represents the measure of
-	// total memory capacity of buffers.
-	// Instrument: updowncounter
-	// Unit: By
-	// Stability: Experimental
-	JvmBufferMemoryLimitName        = "jvm.buffer.memory.limit"
-	JvmBufferMemoryLimitUnit        = "By"
-	JvmBufferMemoryLimitDescription = "Measure of total memory capacity of buffers."
-
-	// JvmBufferCount is the metric conforming to the "jvm.buffer.count" semantic
-	// conventions. It represents the number of buffers in the pool.
-	// Instrument: updowncounter
-	// Unit: {buffer}
-	// Stability: Experimental
-	JvmBufferCountName        = "jvm.buffer.count"
-	JvmBufferCountUnit        = "{buffer}"
-	JvmBufferCountDescription = "Number of buffers in the pool."
-
-	// JvmMemoryUsed is the metric conforming to the "jvm.memory.used" semantic
-	// conventions. It represents the measure of memory used.
-	// Instrument: updowncounter
-	// Unit: By
-	// Stability: Stable
-	JvmMemoryUsedName        = "jvm.memory.used"
-	JvmMemoryUsedUnit        = "By"
-	JvmMemoryUsedDescription = "Measure of memory used."
-
-	// JvmMemoryCommitted is the metric conforming to the "jvm.memory.committed"
-	// semantic conventions. It represents the measure of memory committed.
-	// Instrument: updowncounter
-	// Unit: By
-	// Stability: Stable
-	JvmMemoryCommittedName        = "jvm.memory.committed"
-	JvmMemoryCommittedUnit        = "By"
-	JvmMemoryCommittedDescription = "Measure of memory committed."
-
-	// JvmMemoryLimit is the metric conforming to the "jvm.memory.limit" semantic
-	// conventions. It represents the measure of max obtainable memory.
-	// Instrument: updowncounter
-	// Unit: By
-	// Stability: Stable
-	JvmMemoryLimitName        = "jvm.memory.limit"
-	JvmMemoryLimitUnit        = "By"
-	JvmMemoryLimitDescription = "Measure of max obtainable memory."
-
-	// JvmMemoryUsedAfterLastGc is the metric conforming to the
-	// "jvm.memory.used_after_last_gc" semantic conventions. It represents the
-	// measure of memory used, as measured after the most recent garbage collection
-	// event on this pool.
-	// Instrument: updowncounter
-	// Unit: By
-	// Stability: Stable
-	JvmMemoryUsedAfterLastGcName        = "jvm.memory.used_after_last_gc"
-	JvmMemoryUsedAfterLastGcUnit        = "By"
-	JvmMemoryUsedAfterLastGcDescription = "Measure of memory used, as measured after the most recent garbage collection event on this pool."
-
-	// JvmGcDuration is the metric conforming to the "jvm.gc.duration" semantic
-	// conventions. It represents the duration of JVM garbage collection actions.
-	// Instrument: histogram
-	// Unit: s
-	// Stability: Stable
-	JvmGcDurationName        = "jvm.gc.duration"
-	JvmGcDurationUnit        = "s"
-	JvmGcDurationDescription = "Duration of JVM garbage collection actions."
-
-	// JvmThreadCount is the metric conforming to the "jvm.thread.count" semantic
-	// conventions. It represents the number of executing platform threads.
-	// Instrument: updowncounter
-	// Unit: {thread}
-	// Stability: Stable
-	JvmThreadCountName        = "jvm.thread.count"
-	JvmThreadCountUnit        = "{thread}"
-	JvmThreadCountDescription = "Number of executing platform threads."
-
-	// JvmClassLoaded is the metric conforming to the "jvm.class.loaded" semantic
-	// conventions. It represents the number of classes loaded since JVM start.
-	// Instrument: counter
-	// Unit: {class}
-	// Stability: Stable
-	JvmClassLoadedName        = "jvm.class.loaded"
-	JvmClassLoadedUnit        = "{class}"
-	JvmClassLoadedDescription = "Number of classes loaded since JVM start."
-
-	// JvmClassUnloaded is the metric conforming to the "jvm.class.unloaded"
-	// semantic conventions. It represents the number of classes unloaded since JVM
-	// start.
-	// Instrument: counter
-	// Unit: {class}
-	// Stability: Stable
-	JvmClassUnloadedName        = "jvm.class.unloaded"
-	JvmClassUnloadedUnit        = "{class}"
-	JvmClassUnloadedDescription = "Number of classes unloaded since JVM start."
-
-	// JvmClassCount is the metric conforming to the "jvm.class.count" semantic
-	// conventions. It represents the number of classes currently loaded.
-	// Instrument: updowncounter
-	// Unit: {class}
-	// Stability: Stable
-	JvmClassCountName        = "jvm.class.count"
-	JvmClassCountUnit        = "{class}"
-	JvmClassCountDescription = "Number of classes currently loaded."
-
-	// JvmCPUCount is the metric conforming to the "jvm.cpu.count" semantic
-	// conventions. It represents the number of processors available to the Java
-	// virtual machine.
-	// Instrument: updowncounter
-	// Unit: {cpu}
-	// Stability: Stable
-	JvmCPUCountName        = "jvm.cpu.count"
-	JvmCPUCountUnit        = "{cpu}"
-	JvmCPUCountDescription = "Number of processors available to the Java virtual machine."
-
-	// JvmCPUTime is the metric conforming to the "jvm.cpu.time" semantic
-	// conventions. It represents the cPU time used by the process as reported by
-	// the JVM.
-	// Instrument: counter
-	// Unit: s
-	// Stability: Stable
-	JvmCPUTimeName        = "jvm.cpu.time"
-	JvmCPUTimeUnit        = "s"
-	JvmCPUTimeDescription = "CPU time used by the process as reported by the JVM."
-
-	// JvmCPURecentUtilization is the metric conforming to the
-	// "jvm.cpu.recent_utilization" semantic conventions. It represents the recent
-	// CPU utilization for the process as reported by the JVM.
-	// Instrument: gauge
-	// Unit: 1
-	// Stability: Stable
-	JvmCPURecentUtilizationName        = "jvm.cpu.recent_utilization"
-	JvmCPURecentUtilizationUnit        = "1"
-	JvmCPURecentUtilizationDescription = "Recent CPU utilization for the process as reported by the JVM."
-
-	// MessagingPublishDuration is the metric conforming to the
-	// "messaging.publish.duration" semantic conventions. It represents the
-	// measures the duration of publish operation.
-	// Instrument: histogram
-	// Unit: s
-	// Stability: Experimental
-	MessagingPublishDurationName        = "messaging.publish.duration"
-	MessagingPublishDurationUnit        = "s"
-	MessagingPublishDurationDescription = "Measures the duration of publish operation."
-
-	// MessagingReceiveDuration is the metric conforming to the
-	// "messaging.receive.duration" semantic conventions. It represents the
-	// measures the duration of receive operation.
-	// Instrument: histogram
-	// Unit: s
-	// Stability: Experimental
-	MessagingReceiveDurationName        = "messaging.receive.duration"
-	MessagingReceiveDurationUnit        = "s"
-	MessagingReceiveDurationDescription = "Measures the duration of receive operation."
-
-	// MessagingProcessDuration is the metric conforming to the
-	// "messaging.process.duration" semantic conventions. It represents the
-	// measures the duration of process operation.
-	// Instrument: histogram
-	// Unit: s
-	// Stability: Experimental
-	MessagingProcessDurationName        = "messaging.process.duration"
-	MessagingProcessDurationUnit        = "s"
-	MessagingProcessDurationDescription = "Measures the duration of process operation."
-
-	// MessagingPublishMessages is the metric conforming to the
-	// "messaging.publish.messages" semantic conventions. It represents the
-	// measures the number of published messages.
-	// Instrument: counter
-	// Unit: {message}
-	// Stability: Experimental
-	MessagingPublishMessagesName        = "messaging.publish.messages"
-	MessagingPublishMessagesUnit        = "{message}"
-	MessagingPublishMessagesDescription = "Measures the number of published messages."
-
-	// MessagingReceiveMessages is the metric conforming to the
-	// "messaging.receive.messages" semantic conventions. It represents the
-	// measures the number of received messages.
-	// Instrument: counter
-	// Unit: {message}
-	// Stability: Experimental
-	MessagingReceiveMessagesName        = "messaging.receive.messages"
-	MessagingReceiveMessagesUnit        = "{message}"
-	MessagingReceiveMessagesDescription = "Measures the number of received messages."
-
-	// MessagingProcessMessages is the metric conforming to the
-	// "messaging.process.messages" semantic conventions. It represents the
-	// measures the number of processed messages.
-	// Instrument: counter
-	// Unit: {message}
-	// Stability: Experimental
-	MessagingProcessMessagesName        = "messaging.process.messages"
-	MessagingProcessMessagesUnit        = "{message}"
-	MessagingProcessMessagesDescription = "Measures the number of processed messages."
-
-	// ProcessCPUTime is the metric conforming to the "process.cpu.time" semantic
-	// conventions. It represents the total CPU seconds broken down by different
-	// states.
-	// Instrument: counter
-	// Unit: s
-	// Stability: Experimental
-	ProcessCPUTimeName        = "process.cpu.time"
-	ProcessCPUTimeUnit        = "s"
-	ProcessCPUTimeDescription = "Total CPU seconds broken down by different states."
-
-	// ProcessCPUUtilization is the metric conforming to the
-	// "process.cpu.utilization" semantic conventions. It represents the difference
-	// in process.cpu.time since the last measurement, divided by the elapsed time
-	// and number of CPUs available to the process.
-	// Instrument: gauge
-	// Unit: 1
-	// Stability: Experimental
-	ProcessCPUUtilizationName        = "process.cpu.utilization"
-	ProcessCPUUtilizationUnit        = "1"
-	ProcessCPUUtilizationDescription = "Difference in process.cpu.time since the last measurement, divided by the elapsed time and number of CPUs available to the process."
-
-	// ProcessMemoryUsage is the metric conforming to the "process.memory.usage"
-	// semantic conventions. It represents the amount of physical memory in use.
-	// Instrument: updowncounter
-	// Unit: By
-	// Stability: Experimental
-	ProcessMemoryUsageName        = "process.memory.usage"
-	ProcessMemoryUsageUnit        = "By"
-	ProcessMemoryUsageDescription = "The amount of physical memory in use."
-
-	// ProcessMemoryVirtual is the metric conforming to the
-	// "process.memory.virtual" semantic conventions. It represents the amount of
-	// committed virtual memory.
-	// Instrument: updowncounter
-	// Unit: By
-	// Stability: Experimental
-	ProcessMemoryVirtualName        = "process.memory.virtual"
-	ProcessMemoryVirtualUnit        = "By"
-	ProcessMemoryVirtualDescription = "The amount of committed virtual memory."
-
-	// ProcessDiskIo is the metric conforming to the "process.disk.io" semantic
-	// conventions. It represents the disk bytes transferred.
-	// Instrument: counter
-	// Unit: By
-	// Stability: Experimental
-	ProcessDiskIoName        = "process.disk.io"
-	ProcessDiskIoUnit        = "By"
-	ProcessDiskIoDescription = "Disk bytes transferred."
-
-	// ProcessNetworkIo is the metric conforming to the "process.network.io"
-	// semantic conventions. It represents the network bytes transferred.
-	// Instrument: counter
-	// Unit: By
-	// Stability: Experimental
-	ProcessNetworkIoName        = "process.network.io"
-	ProcessNetworkIoUnit        = "By"
-	ProcessNetworkIoDescription = "Network bytes transferred."
-
-	// ProcessThreadCount is the metric conforming to the "process.thread.count"
-	// semantic conventions. It represents the process threads count.
-	// Instrument: updowncounter
-	// Unit: {thread}
-	// Stability: Experimental
-	ProcessThreadCountName        = "process.thread.count"
-	ProcessThreadCountUnit        = "{thread}"
-	ProcessThreadCountDescription = "Process threads count."
-
-	// ProcessOpenFileDescriptorCount is the metric conforming to the
-	// "process.open_file_descriptor.count" semantic conventions. It represents the
-	// number of file descriptors in use by the process.
-	// Instrument: updowncounter
-	// Unit: {count}
-	// Stability: Experimental
-	ProcessOpenFileDescriptorCountName        = "process.open_file_descriptor.count"
-	ProcessOpenFileDescriptorCountUnit        = "{count}"
-	ProcessOpenFileDescriptorCountDescription = "Number of file descriptors in use by the process."
-
-	// ProcessContextSwitches is the metric conforming to the
-	// "process.context_switches" semantic conventions. It represents the number of
-	// times the process has been context switched.
-	// Instrument: counter
-	// Unit: {count}
-	// Stability: Experimental
-	ProcessContextSwitchesName        = "process.context_switches"
-	ProcessContextSwitchesUnit        = "{count}"
-	ProcessContextSwitchesDescription = "Number of times the process has been context switched."
-
-	// ProcessPagingFaults is the metric conforming to the "process.paging.faults"
-	// semantic conventions. It represents the number of page faults the process
-	// has made.
-	// Instrument: counter
-	// Unit: {fault}
-	// Stability: Experimental
-	ProcessPagingFaultsName        = "process.paging.faults"
-	ProcessPagingFaultsUnit        = "{fault}"
-	ProcessPagingFaultsDescription = "Number of page faults the process has made."
-
-	// RPCServerDuration is the metric conforming to the "rpc.server.duration"
-	// semantic conventions. It represents the measures the duration of inbound
-	// RPC.
-	// Instrument: histogram
-	// Unit: ms
-	// Stability: Experimental
-	RPCServerDurationName        = "rpc.server.duration"
-	RPCServerDurationUnit        = "ms"
-	RPCServerDurationDescription = "Measures the duration of inbound RPC."
-
-	// RPCServerRequestSize is the metric conforming to the
-	// "rpc.server.request.size" semantic conventions. It represents the measures
-	// the size of RPC request messages (uncompressed).
-	// Instrument: histogram
-	// Unit: By
-	// Stability: Experimental
-	RPCServerRequestSizeName        = "rpc.server.request.size"
-	RPCServerRequestSizeUnit        = "By"
-	RPCServerRequestSizeDescription = "Measures the size of RPC request messages (uncompressed)."
-
-	// RPCServerResponseSize is the metric conforming to the
-	// "rpc.server.response.size" semantic conventions. It represents the measures
-	// the size of RPC response messages (uncompressed).
-	// Instrument: histogram
-	// Unit: By
-	// Stability: Experimental
-	RPCServerResponseSizeName        = "rpc.server.response.size"
-	RPCServerResponseSizeUnit        = "By"
-	RPCServerResponseSizeDescription = "Measures the size of RPC response messages (uncompressed)."
-
-	// RPCServerRequestsPerRPC is the metric conforming to the
-	// "rpc.server.requests_per_rpc" semantic conventions. It represents the
-	// measures the number of messages received per RPC.
-	// Instrument: histogram
-	// Unit: {count}
-	// Stability: Experimental
-	RPCServerRequestsPerRPCName        = "rpc.server.requests_per_rpc"
-	RPCServerRequestsPerRPCUnit        = "{count}"
-	RPCServerRequestsPerRPCDescription = "Measures the number of messages received per RPC."
-
-	// RPCServerResponsesPerRPC is the metric conforming to the
-	// "rpc.server.responses_per_rpc" semantic conventions. It represents the
-	// measures the number of messages sent per RPC.
-	// Instrument: histogram
-	// Unit: {count}
-	// Stability: Experimental
-	RPCServerResponsesPerRPCName        = "rpc.server.responses_per_rpc"
-	RPCServerResponsesPerRPCUnit        = "{count}"
-	RPCServerResponsesPerRPCDescription = "Measures the number of messages sent per RPC."
-
-	// RPCClientDuration is the metric conforming to the "rpc.client.duration"
-	// semantic conventions. It represents the measures the duration of outbound
-	// RPC.
-	// Instrument: histogram
-	// Unit: ms
-	// Stability: Experimental
-	RPCClientDurationName        = "rpc.client.duration"
-	RPCClientDurationUnit        = "ms"
-	RPCClientDurationDescription = "Measures the duration of outbound RPC."
-
-	// RPCClientRequestSize is the metric conforming to the
-	// "rpc.client.request.size" semantic conventions. It represents the measures
-	// the size of RPC request messages (uncompressed).
-	// Instrument: histogram
-	// Unit: By
-	// Stability: Experimental
-	RPCClientRequestSizeName        = "rpc.client.request.size"
-	RPCClientRequestSizeUnit        = "By"
-	RPCClientRequestSizeDescription = "Measures the size of RPC request messages (uncompressed)."
-
-	// RPCClientResponseSize is the metric conforming to the
-	// "rpc.client.response.size" semantic conventions. It represents the measures
-	// the size of RPC response messages (uncompressed).
-	// Instrument: histogram
-	// Unit: By
-	// Stability: Experimental
-	RPCClientResponseSizeName        = "rpc.client.response.size"
-	RPCClientResponseSizeUnit        = "By"
-	RPCClientResponseSizeDescription = "Measures the size of RPC response messages (uncompressed)."
-
-	// RPCClientRequestsPerRPC is the metric conforming to the
-	// "rpc.client.requests_per_rpc" semantic conventions. It represents the
-	// measures the number of messages received per RPC.
-	// Instrument: histogram
-	// Unit: {count}
-	// Stability: Experimental
-	RPCClientRequestsPerRPCName        = "rpc.client.requests_per_rpc"
-	RPCClientRequestsPerRPCUnit        = "{count}"
-	RPCClientRequestsPerRPCDescription = "Measures the number of messages received per RPC."
-
-	// RPCClientResponsesPerRPC is the metric conforming to the
-	// "rpc.client.responses_per_rpc" semantic conventions. It represents the
-	// measures the number of messages sent per RPC.
-	// Instrument: histogram
-	// Unit: {count}
-	// Stability: Experimental
-	RPCClientResponsesPerRPCName        = "rpc.client.responses_per_rpc"
-	RPCClientResponsesPerRPCUnit        = "{count}"
-	RPCClientResponsesPerRPCDescription = "Measures the number of messages sent per RPC."
-
-	// SystemCPUTime is the metric conforming to the "system.cpu.time" semantic
-	// conventions. It represents the seconds each logical CPU spent on each mode.
-	// Instrument: counter
-	// Unit: s
-	// Stability: Experimental
-	SystemCPUTimeName        = "system.cpu.time"
-	SystemCPUTimeUnit        = "s"
-	SystemCPUTimeDescription = "Seconds each logical CPU spent on each mode"
-
-	// SystemCPUUtilization is the metric conforming to the
-	// "system.cpu.utilization" semantic conventions. It represents the difference
-	// in system.cpu.time since the last measurement, divided by the elapsed time
-	// and number of logical CPUs.
-	// Instrument: gauge
-	// Unit: 1
-	// Stability: Experimental
-	SystemCPUUtilizationName        = "system.cpu.utilization"
-	SystemCPUUtilizationUnit        = "1"
-	SystemCPUUtilizationDescription = "Difference in system.cpu.time since the last measurement, divided by the elapsed time and number of logical CPUs"
-
-	// SystemCPUFrequency is the metric conforming to the "system.cpu.frequency"
-	// semantic conventions. It represents the reports the current frequency of the
-	// CPU in Hz.
-	// Instrument: gauge
-	// Unit: {Hz}
-	// Stability: Experimental
-	SystemCPUFrequencyName        = "system.cpu.frequency"
-	SystemCPUFrequencyUnit        = "{Hz}"
-	SystemCPUFrequencyDescription = "Reports the current frequency of the CPU in Hz"
-
-	// SystemCPUPhysicalCount is the metric conforming to the
-	// "system.cpu.physical.count" semantic conventions. It represents the reports
-	// the number of actual physical processor cores on the hardware.
-	// Instrument: updowncounter
-	// Unit: {cpu}
-	// Stability: Experimental
-	SystemCPUPhysicalCountName        = "system.cpu.physical.count"
-	SystemCPUPhysicalCountUnit        = "{cpu}"
-	SystemCPUPhysicalCountDescription = "Reports the number of actual physical processor cores on the hardware"
-
-	// SystemCPULogicalCount is the metric conforming to the
-	// "system.cpu.logical.count" semantic conventions. It represents the reports
-	// the number of logical (virtual) processor cores created by the operating
-	// system to manage multitasking.
-	// Instrument: updowncounter
-	// Unit: {cpu}
-	// Stability: Experimental
-	SystemCPULogicalCountName        = "system.cpu.logical.count"
-	SystemCPULogicalCountUnit        = "{cpu}"
-	SystemCPULogicalCountDescription = "Reports the number of logical (virtual) processor cores created by the operating system to manage multitasking"
-
-	// SystemMemoryUsage is the metric conforming to the "system.memory.usage"
-	// semantic conventions. It represents the reports memory in use by state.
-	// Instrument: updowncounter
-	// Unit: By
-	// Stability: Experimental
-	SystemMemoryUsageName        = "system.memory.usage"
-	SystemMemoryUsageUnit        = "By"
-	SystemMemoryUsageDescription = "Reports memory in use by state."
-
-	// SystemMemoryLimit is the metric conforming to the "system.memory.limit"
-	// semantic conventions. It represents the total memory available in the
-	// system.
-	// Instrument: updowncounter
-	// Unit: By
-	// Stability: Experimental
-	SystemMemoryLimitName        = "system.memory.limit"
-	SystemMemoryLimitUnit        = "By"
-	SystemMemoryLimitDescription = "Total memory available in the system."
-
-	// SystemMemoryShared is the metric conforming to the "system.memory.shared"
-	// semantic conventions. It represents the shared memory used (mostly by
-	// tmpfs).
-	// Instrument: updowncounter
-	// Unit: By
-	// Stability: Experimental
-	SystemMemorySharedName        = "system.memory.shared"
-	SystemMemorySharedUnit        = "By"
-	SystemMemorySharedDescription = "Shared memory used (mostly by tmpfs)."
-
-	// SystemMemoryUtilization is the metric conforming to the
-	// "system.memory.utilization" semantic conventions.
-	// Instrument: gauge
-	// Unit: 1
-	// Stability: Experimental
-	// NOTE: The description (brief) for this metric is not defined in the semantic-conventions repository.
-	SystemMemoryUtilizationName = "system.memory.utilization"
-	SystemMemoryUtilizationUnit = "1"
-
-	// SystemPagingUsage is the metric conforming to the "system.paging.usage"
-	// semantic conventions. It represents the unix swap or windows pagefile usage.
-	// Instrument: updowncounter
-	// Unit: By
-	// Stability: Experimental
-	SystemPagingUsageName        = "system.paging.usage"
-	SystemPagingUsageUnit        = "By"
-	SystemPagingUsageDescription = "Unix swap or windows pagefile usage"
-
-	// SystemPagingUtilization is the metric conforming to the
-	// "system.paging.utilization" semantic conventions.
-	// Instrument: gauge
-	// Unit: 1
-	// Stability: Experimental
-	// NOTE: The description (brief) for this metric is not defined in the semantic-conventions repository.
-	SystemPagingUtilizationName = "system.paging.utilization"
-	SystemPagingUtilizationUnit = "1"
-
-	// SystemPagingFaults is the metric conforming to the "system.paging.faults"
-	// semantic conventions.
-	// Instrument: counter
-	// Unit: {fault}
-	// Stability: Experimental
-	// NOTE: The description (brief) for this metric is not defined in the semantic-conventions repository.
-	SystemPagingFaultsName = "system.paging.faults"
-	SystemPagingFaultsUnit = "{fault}"
-
-	// SystemPagingOperations is the metric conforming to the
-	// "system.paging.operations" semantic conventions.
-	// Instrument: counter
-	// Unit: {operation}
-	// Stability: Experimental
-	// NOTE: The description (brief) for this metric is not defined in the semantic-conventions repository.
-	SystemPagingOperationsName = "system.paging.operations"
-	SystemPagingOperationsUnit = "{operation}"
-
-	// SystemDiskIo is the metric conforming to the "system.disk.io" semantic
-	// conventions.
-	// Instrument: counter
-	// Unit: By
-	// Stability: Experimental
-	// NOTE: The description (brief) for this metric is not defined in the semantic-conventions repository.
-	SystemDiskIoName = "system.disk.io"
-	SystemDiskIoUnit = "By"
-
-	// SystemDiskOperations is the metric conforming to the
-	// "system.disk.operations" semantic conventions.
-	// Instrument: counter
-	// Unit: {operation}
-	// Stability: Experimental
-	// NOTE: The description (brief) for this metric is not defined in the semantic-conventions repository.
-	SystemDiskOperationsName = "system.disk.operations"
-	SystemDiskOperationsUnit = "{operation}"
-
-	// SystemDiskIoTime is the metric conforming to the "system.disk.io_time"
-	// semantic conventions. It represents the time disk spent activated.
-	// Instrument: counter
-	// Unit: s
-	// Stability: Experimental
-	SystemDiskIoTimeName        = "system.disk.io_time"
-	SystemDiskIoTimeUnit        = "s"
-	SystemDiskIoTimeDescription = "Time disk spent activated"
-
-	// SystemDiskOperationTime is the metric conforming to the
-	// "system.disk.operation_time" semantic conventions. It represents the sum of
-	// the time each operation took to complete.
-	// Instrument: counter
-	// Unit: s
-	// Stability: Experimental
-	SystemDiskOperationTimeName        = "system.disk.operation_time"
-	SystemDiskOperationTimeUnit        = "s"
-	SystemDiskOperationTimeDescription = "Sum of the time each operation took to complete"
-
-	// SystemDiskMerged is the metric conforming to the "system.disk.merged"
-	// semantic conventions.
-	// Instrument: counter
-	// Unit: {operation}
-	// Stability: Experimental
-	// NOTE: The description (brief) for this metric is not defined in the semantic-conventions repository.
-	SystemDiskMergedName = "system.disk.merged"
-	SystemDiskMergedUnit = "{operation}"
-
-	// SystemFilesystemUsage is the metric conforming to the
-	// "system.filesystem.usage" semantic conventions.
-	// Instrument: updowncounter
-	// Unit: By
-	// Stability: Experimental
-	// NOTE: The description (brief) for this metric is not defined in the semantic-conventions repository.
-	SystemFilesystemUsageName = "system.filesystem.usage"
-	SystemFilesystemUsageUnit = "By"
-
-	// SystemFilesystemUtilization is the metric conforming to the
-	// "system.filesystem.utilization" semantic conventions.
-	// Instrument: gauge
-	// Unit: 1
-	// Stability: Experimental
-	// NOTE: The description (brief) for this metric is not defined in the semantic-conventions repository.
-	SystemFilesystemUtilizationName = "system.filesystem.utilization"
-	SystemFilesystemUtilizationUnit = "1"
-
-	// SystemNetworkDropped is the metric conforming to the
-	// "system.network.dropped" semantic conventions. It represents the count of
-	// packets that are dropped or discarded even though there was no error.
-	// Instrument: counter
-	// Unit: {packet}
-	// Stability: Experimental
-	SystemNetworkDroppedName        = "system.network.dropped"
-	SystemNetworkDroppedUnit        = "{packet}"
-	SystemNetworkDroppedDescription = "Count of packets that are dropped or discarded even though there was no error"
-
-	// SystemNetworkPackets is the metric conforming to the
-	// "system.network.packets" semantic conventions.
-	// Instrument: counter
-	// Unit: {packet}
-	// Stability: Experimental
-	// NOTE: The description (brief) for this metric is not defined in the semantic-conventions repository.
-	SystemNetworkPacketsName = "system.network.packets"
-	SystemNetworkPacketsUnit = "{packet}"
-
-	// SystemNetworkErrors is the metric conforming to the "system.network.errors"
-	// semantic conventions. It represents the count of network errors detected.
-	// Instrument: counter
-	// Unit: {error}
-	// Stability: Experimental
-	SystemNetworkErrorsName        = "system.network.errors"
-	SystemNetworkErrorsUnit        = "{error}"
-	SystemNetworkErrorsDescription = "Count of network errors detected"
-
-	// SystemNetworkIo is the metric conforming to the "system.network.io" semantic
-	// conventions.
-	// Instrument: counter
-	// Unit: By
-	// Stability: Experimental
-	// NOTE: The description (brief) for this metric is not defined in the semantic-conventions repository.
-	SystemNetworkIoName = "system.network.io"
-	SystemNetworkIoUnit = "By"
-
-	// SystemNetworkConnections is the metric conforming to the
-	// "system.network.connections" semantic conventions.
-	// Instrument: updowncounter
-	// Unit: {connection}
-	// Stability: Experimental
-	// NOTE: The description (brief) for this metric is not defined in the semantic-conventions repository.
-	SystemNetworkConnectionsName = "system.network.connections"
-	SystemNetworkConnectionsUnit = "{connection}"
-
-	// SystemProcessCount is the metric conforming to the "system.process.count"
-	// semantic conventions. It represents the total number of processes in each
-	// state.
-	// Instrument: updowncounter
-	// Unit: {process}
-	// Stability: Experimental
-	SystemProcessCountName        = "system.process.count"
-	SystemProcessCountUnit        = "{process}"
-	SystemProcessCountDescription = "Total number of processes in each state"
-
-	// SystemProcessCreated is the metric conforming to the
-	// "system.process.created" semantic conventions. It represents the total
-	// number of processes created over uptime of the host.
-	// Instrument: counter
-	// Unit: {process}
-	// Stability: Experimental
-	SystemProcessCreatedName        = "system.process.created"
-	SystemProcessCreatedUnit        = "{process}"
-	SystemProcessCreatedDescription = "Total number of processes created over uptime of the host"
-
-	// SystemLinuxMemoryAvailable is the metric conforming to the
-	// "system.linux.memory.available" semantic conventions. It represents an
-	// estimate of how much memory is available for starting new applications,
-	// without causing swapping.
-	// Instrument: updowncounter
-	// Unit: By
-	// Stability: Experimental
-	SystemLinuxMemoryAvailableName        = "system.linux.memory.available"
-	SystemLinuxMemoryAvailableUnit        = "By"
-	SystemLinuxMemoryAvailableDescription = "An estimate of how much memory is available for starting new applications, without causing swapping"
-)
diff --git a/vendor/go.opentelemetry.io/otel/semconv/v1.26.0/schema.go b/vendor/go.opentelemetry.io/otel/semconv/v1.26.0/schema.go
deleted file mode 100644
index 4c87c7adcc..0000000000
--- a/vendor/go.opentelemetry.io/otel/semconv/v1.26.0/schema.go
+++ /dev/null
@@ -1,9 +0,0 @@
-// Copyright The OpenTelemetry Authors
-// SPDX-License-Identifier: Apache-2.0
-
-package semconv // import "go.opentelemetry.io/otel/semconv/v1.26.0"
-
-// SchemaURL is the schema URL that matches the version of the semantic conventions
-// that this package defines. Semconv packages starting from v1.4.0 must declare
-// non-empty schema URL in the form https://opentelemetry.io/schemas/
-const SchemaURL = "https://opentelemetry.io/schemas/1.26.0"
diff --git a/vendor/go.uber.org/automaxprocs/.codecov.yml b/vendor/go.uber.org/automaxprocs/.codecov.yml
deleted file mode 100644
index 9a2ed4a996..0000000000
--- a/vendor/go.uber.org/automaxprocs/.codecov.yml
+++ /dev/null
@@ -1,14 +0,0 @@
-coverage:
-  range: 80..100
-  round: down
-  precision: 2
-
-  status:
-    project:                   # measuring the overall project coverage
-      default:                 # context, you can create multiple ones with custom titles
-        enabled: yes           # must be yes|true to enable this status
-        target: 90%            # specify the target coverage for each commit status
-                               #   option: "auto" (must increase from parent commit or pull request base)
-                               #   option: "X%" a static target percentage to hit
-        if_not_found: success  # if parent is not found report status as success, error, or failure
-        if_ci_failed: error    # if ci fails report status as success, error, or failure
diff --git a/vendor/go.uber.org/automaxprocs/.gitignore b/vendor/go.uber.org/automaxprocs/.gitignore
deleted file mode 100644
index dd7bcf5130..0000000000
--- a/vendor/go.uber.org/automaxprocs/.gitignore
+++ /dev/null
@@ -1,33 +0,0 @@
-# Compiled Object files, Static and Dynamic libs (Shared Objects)
-*.o
-*.a
-*.so
-
-# Folders
-_obj
-_test
-vendor
-
-# Architecture specific extensions/prefixes
-*.[568vq]
-[568vq].out
-
-*.cgo1.go
-*.cgo2.c
-_cgo_defun.c
-_cgo_gotypes.go
-_cgo_export.*
-
-_testmain.go
-
-*.exe
-*.test
-*.prof
-*.pprof
-*.out
-*.log
-coverage.txt
-
-/bin
-cover.out
-cover.html
diff --git a/vendor/go.uber.org/automaxprocs/CHANGELOG.md b/vendor/go.uber.org/automaxprocs/CHANGELOG.md
deleted file mode 100644
index f421056ae8..0000000000
--- a/vendor/go.uber.org/automaxprocs/CHANGELOG.md
+++ /dev/null
@@ -1,52 +0,0 @@
-# Changelog
-
-## v1.6.0 (2024-07-24)
-
-- Add RoundQuotaFunc option that allows configuration of rounding
-  behavior for floating point CPU quota.
-
-## v1.5.3 (2023-07-19)
-
-- Fix mountinfo parsing when super options have fields with spaces.
-- Fix division by zero while parsing cgroups.
-
-## v1.5.2 (2023-03-16)
-
-- Support child control cgroups
-- Fix file descriptor leak
-- Update dependencies
-
-## v1.5.1 (2022-04-06)
-
-- Fix cgroups v2 mountpoint detection.
-
-## v1.5.0 (2022-04-05)
-
-- Add support for cgroups v2.
-
-Thanks to @emadolsky for their contribution to this release.
-
-## v1.4.0 (2021-02-01)
-
-- Support colons in cgroup names.
-- Remove linters from runtime dependencies.
-
-## v1.3.0 (2020-01-23)
-
-- Migrate to Go modules.
-
-## v1.2.0 (2018-02-22)
-
-- Fixed quota clamping to always round down rather than up; Rather than
-  guaranteeing constant throttling at saturation, instead assume that the
-  fractional CPU was added as a hedge for factors outside of Go's scheduler.
-
-## v1.1.0 (2017-11-10)
-
-- Log the new value of `GOMAXPROCS` rather than the current value.
-- Make logs more explicit about whether `GOMAXPROCS` was modified or not.
-- Allow customization of the minimum `GOMAXPROCS`, and modify default from 2 to 1.
-
-## v1.0.0 (2017-08-09)
-
-- Initial release.
diff --git a/vendor/go.uber.org/automaxprocs/CODE_OF_CONDUCT.md b/vendor/go.uber.org/automaxprocs/CODE_OF_CONDUCT.md
deleted file mode 100644
index e327d9aa5c..0000000000
--- a/vendor/go.uber.org/automaxprocs/CODE_OF_CONDUCT.md
+++ /dev/null
@@ -1,75 +0,0 @@
-# Contributor Covenant Code of Conduct
-
-## Our Pledge
-
-In the interest of fostering an open and welcoming environment, we as
-contributors and maintainers pledge to making participation in our project and
-our community a harassment-free experience for everyone, regardless of age,
-body size, disability, ethnicity, gender identity and expression, level of
-experience, nationality, personal appearance, race, religion, or sexual
-identity and orientation.
-
-## Our Standards
-
-Examples of behavior that contributes to creating a positive environment
-include:
-
-* Using welcoming and inclusive language
-* Being respectful of differing viewpoints and experiences
-* Gracefully accepting constructive criticism
-* Focusing on what is best for the community
-* Showing empathy towards other community members
-
-Examples of unacceptable behavior by participants include:
-
-* The use of sexualized language or imagery and unwelcome sexual attention or
-  advances
-* Trolling, insulting/derogatory comments, and personal or political attacks
-* Public or private harassment
-* Publishing others' private information, such as a physical or electronic
-  address, without explicit permission
-* Other conduct which could reasonably be considered inappropriate in a
-  professional setting
-
-## Our Responsibilities
-
-Project maintainers are responsible for clarifying the standards of acceptable
-behavior and are expected to take appropriate and fair corrective action in
-response to any instances of unacceptable behavior.
-
-Project maintainers have the right and responsibility to remove, edit, or
-reject comments, commits, code, wiki edits, issues, and other contributions
-that are not aligned to this Code of Conduct, or to ban temporarily or
-permanently any contributor for other behaviors that they deem inappropriate,
-threatening, offensive, or harmful.
-
-## Scope
-
-This Code of Conduct applies both within project spaces and in public spaces
-when an individual is representing the project or its community. Examples of
-representing a project or community include using an official project e-mail
-address, posting via an official social media account, or acting as an
-appointed representative at an online or offline event. Representation of a
-project may be further defined and clarified by project maintainers.
-
-## Enforcement
-
-Instances of abusive, harassing, or otherwise unacceptable behavior may be
-reported by contacting the project team at oss-conduct@uber.com. The project
-team will review and investigate all complaints, and will respond in a way
-that it deems appropriate to the circumstances. The project team is obligated
-to maintain confidentiality with regard to the reporter of an incident.
-Further details of specific enforcement policies may be posted separately.
-
-Project maintainers who do not follow or enforce the Code of Conduct in good
-faith may face temporary or permanent repercussions as determined by other
-members of the project's leadership.
-
-## Attribution
-
-This Code of Conduct is adapted from the [Contributor Covenant][homepage],
-version 1.4, available at
-[http://contributor-covenant.org/version/1/4][version].
-
-[homepage]: http://contributor-covenant.org
-[version]: http://contributor-covenant.org/version/1/4/
diff --git a/vendor/go.uber.org/automaxprocs/CONTRIBUTING.md b/vendor/go.uber.org/automaxprocs/CONTRIBUTING.md
deleted file mode 100644
index 2b6a6040d7..0000000000
--- a/vendor/go.uber.org/automaxprocs/CONTRIBUTING.md
+++ /dev/null
@@ -1,81 +0,0 @@
-# Contributing
-
-We'd love your help improving this package!
-
-If you'd like to add new exported APIs, please [open an issue][open-issue]
-describing your proposal — discussing API changes ahead of time makes
-pull request review much smoother. In your issue, pull request, and any other
-communications, please remember to treat your fellow contributors with
-respect! We take our [code of conduct](CODE_OF_CONDUCT.md) seriously.
-
-Note that you'll need to sign [Uber's Contributor License Agreement][cla]
-before we can accept any of your contributions. If necessary, a bot will remind
-you to accept the CLA when you open your pull request.
-
-## Setup
-
-[Fork][fork], then clone the repository:
-
-```
-mkdir -p $GOPATH/src/go.uber.org
-cd $GOPATH/src/go.uber.org
-git clone git@github.com:your_github_username/automaxprocs.git
-cd automaxprocs
-git remote add upstream https://github.com/uber-go/automaxprocs.git
-git fetch upstream
-```
-
-Install the test dependencies:
-
-```
-make dependencies
-```
-
-Make sure that the tests and the linters pass:
-
-```
-make test
-make lint
-```
-
-If you're not using the minor version of Go specified in the Makefile's
-`LINTABLE_MINOR_VERSIONS` variable, `make lint` doesn't do anything. This is
-fine, but it means that you'll only discover lint failures after you open your
-pull request.
-
-## Making Changes
-
-Start by creating a new branch for your changes:
-
-```
-cd $GOPATH/src/go.uber.org/automaxprocs
-git checkout master
-git fetch upstream
-git rebase upstream/master
-git checkout -b cool_new_feature
-```
-
-Make your changes, then ensure that `make lint` and `make test` still pass. If
-you're satisfied with your changes, push them to your fork.
-
-```
-git push origin cool_new_feature
-```
-
-Then use the GitHub UI to open a pull request.
-
-At this point, you're waiting on us to review your changes. We *try* to respond
-to issues and pull requests within a few business days, and we may suggest some
-improvements or alternatives. Once your changes are approved, one of the
-project maintainers will merge them.
-
-We're much more likely to approve your changes if you:
-
-* Add tests for new functionality.
-* Write a [good commit message][commit-message].
-* Maintain backward compatibility.
-
-[fork]: https://github.com/uber-go/automaxprocs/fork
-[open-issue]: https://github.com/uber-go/automaxprocs/issues/new
-[cla]: https://cla-assistant.io/uber-go/automaxprocs
-[commit-message]: http://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html
diff --git a/vendor/go.uber.org/automaxprocs/LICENSE b/vendor/go.uber.org/automaxprocs/LICENSE
deleted file mode 100644
index 20dcf51d96..0000000000
--- a/vendor/go.uber.org/automaxprocs/LICENSE
+++ /dev/null
@@ -1,19 +0,0 @@
-Copyright (c) 2017 Uber Technologies, Inc.
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-THE SOFTWARE.
\ No newline at end of file
diff --git a/vendor/go.uber.org/automaxprocs/Makefile b/vendor/go.uber.org/automaxprocs/Makefile
deleted file mode 100644
index 1642b71480..0000000000
--- a/vendor/go.uber.org/automaxprocs/Makefile
+++ /dev/null
@@ -1,46 +0,0 @@
-export GOBIN ?= $(shell pwd)/bin
-
-GO_FILES := $(shell \
-	find . '(' -path '*/.*' -o -path './vendor' ')' -prune \
-	-o -name '*.go' -print | cut -b3-)
-
-GOLINT = $(GOBIN)/golint
-STATICCHECK = $(GOBIN)/staticcheck
-
-.PHONY: build
-build:
-	go build ./...
-
-.PHONY: install
-install:
-	go mod download
-
-.PHONY: test
-test:
-	go test -race ./...
-
-.PHONY: cover
-cover:
-	go test -coverprofile=cover.out -covermode=atomic -coverpkg=./... ./...
-	go tool cover -html=cover.out -o cover.html
-
-$(GOLINT): tools/go.mod
-	cd tools && go install golang.org/x/lint/golint
-
-$(STATICCHECK): tools/go.mod
-	cd tools && go install honnef.co/go/tools/cmd/staticcheck@2023.1.2
-
-.PHONY: lint
-lint: $(GOLINT) $(STATICCHECK)
-	@rm -rf lint.log
-	@echo "Checking gofmt"
-	@gofmt -d -s $(GO_FILES) 2>&1 | tee lint.log
-	@echo "Checking go vet"
-	@go vet ./... 2>&1 | tee -a lint.log
-	@echo "Checking golint"
-	@$(GOLINT) ./... | tee -a lint.log
-	@echo "Checking staticcheck"
-	@$(STATICCHECK) ./... 2>&1 |  tee -a lint.log
-	@echo "Checking for license headers..."
-	@./.build/check_license.sh | tee -a lint.log
-	@[ ! -s lint.log ]
diff --git a/vendor/go.uber.org/automaxprocs/README.md b/vendor/go.uber.org/automaxprocs/README.md
deleted file mode 100644
index bfed32adae..0000000000
--- a/vendor/go.uber.org/automaxprocs/README.md
+++ /dev/null
@@ -1,71 +0,0 @@
-# automaxprocs [![GoDoc][doc-img]][doc] [![Build Status][ci-img]][ci] [![Coverage Status][cov-img]][cov]
-
-Automatically set `GOMAXPROCS` to match Linux container CPU quota.
-
-## Installation
-
-`go get -u go.uber.org/automaxprocs`
-
-## Quick Start
-
-```go
-import _ "go.uber.org/automaxprocs"
-
-func main() {
-  // Your application logic here.
-}
-```
-
-# Performance
-Data measured from Uber's internal load balancer. We ran the load balancer with 200% CPU quota (i.e., 2 cores):
-
-| GOMAXPROCS         |  RPS      | P50 (ms) | P99.9 (ms) |
-| ------------------ | --------- | -------- | ---------- |
-| 1                  | 28,893.18 | 1.46     | 19.70      |
-| 2 (equal to quota) | 44,715.07 | 0.84     | 26.38      |
-| 3                  | 44,212.93 | 0.66     | 30.07      |
-| 4                  | 41,071.15 | 0.57     | 42.94      |
-| 8                  | 33,111.69 | 0.43     | 64.32      |
-| Default (24)       | 22,191.40 | 0.45     | 76.19      |
-
-When `GOMAXPROCS` is increased above the CPU quota, we see P50 decrease slightly, but see significant increases to P99. We also see that the total RPS handled also decreases.
-
-When `GOMAXPROCS` is higher than the CPU quota allocated, we also saw significant throttling:
-
-```
-$ cat /sys/fs/cgroup/cpu,cpuacct/system.slice/[...]/cpu.stat
-nr_periods 42227334
-nr_throttled 131923
-throttled_time 88613212216618
-```
-
-Once `GOMAXPROCS` was reduced to match the CPU quota, we saw no CPU throttling.
-
-## Development Status: Stable
-
-All APIs are finalized, and no breaking changes will be made in the 1.x series
-of releases. Users of semver-aware dependency management systems should pin
-automaxprocs to `^1`.
-
-## Contributing
-
-We encourage and support an active, healthy community of contributors —
-including you! Details are in the [contribution guide](CONTRIBUTING.md) and
-the [code of conduct](CODE_OF_CONDUCT.md). The automaxprocs maintainers keep
-an eye on issues and pull requests, but you can also report any negative
-conduct to oss-conduct@uber.com. That email list is a private, safe space;
-even the automaxprocs maintainers don't have access, so don't hesitate to hold
-us to a high standard.
-
-

-
-Released under the [MIT License](LICENSE).
-
-[doc-img]: https://godoc.org/go.uber.org/automaxprocs?status.svg
-[doc]: https://godoc.org/go.uber.org/automaxprocs
-[ci-img]: https://github.com/uber-go/automaxprocs/actions/workflows/go.yml/badge.svg
-[ci]: https://github.com/uber-go/automaxprocs/actions/workflows/go.yml
-[cov-img]: https://codecov.io/gh/uber-go/automaxprocs/branch/master/graph/badge.svg
-[cov]: https://codecov.io/gh/uber-go/automaxprocs
-
-
diff --git a/vendor/go.uber.org/automaxprocs/automaxprocs.go b/vendor/go.uber.org/automaxprocs/automaxprocs.go
deleted file mode 100644
index 69946a3e1f..0000000000
--- a/vendor/go.uber.org/automaxprocs/automaxprocs.go
+++ /dev/null
@@ -1,33 +0,0 @@
-// Copyright (c) 2017 Uber Technologies, Inc.
-//
-// Permission is hereby granted, free of charge, to any person obtaining a copy
-// of this software and associated documentation files (the "Software"), to deal
-// in the Software without restriction, including without limitation the rights
-// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-// copies of the Software, and to permit persons to whom the Software is
-// furnished to do so, subject to the following conditions:
-//
-// The above copyright notice and this permission notice shall be included in
-// all copies or substantial portions of the Software.
-//
-// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-// THE SOFTWARE.
-
-// Package automaxprocs automatically sets GOMAXPROCS to match the Linux
-// container CPU quota, if any.
-package automaxprocs // import "go.uber.org/automaxprocs"
-
-import (
-	"log"
-
-	"go.uber.org/automaxprocs/maxprocs"
-)
-
-func init() {
-	maxprocs.Set(maxprocs.Logger(log.Printf))
-}
diff --git a/vendor/go.uber.org/automaxprocs/internal/cgroups/doc.go b/vendor/go.uber.org/automaxprocs/internal/cgroups/doc.go
deleted file mode 100644
index 113555f63d..0000000000
--- a/vendor/go.uber.org/automaxprocs/internal/cgroups/doc.go
+++ /dev/null
@@ -1,23 +0,0 @@
-// Copyright (c) 2017 Uber Technologies, Inc.
-//
-// Permission is hereby granted, free of charge, to any person obtaining a copy
-// of this software and associated documentation files (the "Software"), to deal
-// in the Software without restriction, including without limitation the rights
-// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-// copies of the Software, and to permit persons to whom the Software is
-// furnished to do so, subject to the following conditions:
-//
-// The above copyright notice and this permission notice shall be included in
-// all copies or substantial portions of the Software.
-//
-// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-// THE SOFTWARE.
-
-// Package cgroups provides utilities to access Linux control group (CGroups)
-// parameters (CPU quota, for example) for a given process.
-package cgroups
diff --git a/vendor/go.uber.org/automaxprocs/maxprocs/maxprocs.go b/vendor/go.uber.org/automaxprocs/maxprocs/maxprocs.go
deleted file mode 100644
index e561fe60b2..0000000000
--- a/vendor/go.uber.org/automaxprocs/maxprocs/maxprocs.go
+++ /dev/null
@@ -1,139 +0,0 @@
-// Copyright (c) 2017 Uber Technologies, Inc.
-//
-// Permission is hereby granted, free of charge, to any person obtaining a copy
-// of this software and associated documentation files (the "Software"), to deal
-// in the Software without restriction, including without limitation the rights
-// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-// copies of the Software, and to permit persons to whom the Software is
-// furnished to do so, subject to the following conditions:
-//
-// The above copyright notice and this permission notice shall be included in
-// all copies or substantial portions of the Software.
-//
-// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-// THE SOFTWARE.
-
-// Package maxprocs lets Go programs easily configure runtime.GOMAXPROCS to
-// match the configured Linux CPU quota. Unlike the top-level automaxprocs
-// package, it lets the caller configure logging and handle errors.
-package maxprocs // import "go.uber.org/automaxprocs/maxprocs"
-
-import (
-	"os"
-	"runtime"
-
-	iruntime "go.uber.org/automaxprocs/internal/runtime"
-)
-
-const _maxProcsKey = "GOMAXPROCS"
-
-func currentMaxProcs() int {
-	return runtime.GOMAXPROCS(0)
-}
-
-type config struct {
-	printf         func(string, ...interface{})
-	procs          func(int, func(v float64) int) (int, iruntime.CPUQuotaStatus, error)
-	minGOMAXPROCS  int
-	roundQuotaFunc func(v float64) int
-}
-
-func (c *config) log(fmt string, args ...interface{}) {
-	if c.printf != nil {
-		c.printf(fmt, args...)
-	}
-}
-
-// An Option alters the behavior of Set.
-type Option interface {
-	apply(*config)
-}
-
-// Logger uses the supplied printf implementation for log output. By default,
-// Set doesn't log anything.
-func Logger(printf func(string, ...interface{})) Option {
-	return optionFunc(func(cfg *config) {
-		cfg.printf = printf
-	})
-}
-
-// Min sets the minimum GOMAXPROCS value that will be used.
-// Any value below 1 is ignored.
-func Min(n int) Option {
-	return optionFunc(func(cfg *config) {
-		if n >= 1 {
-			cfg.minGOMAXPROCS = n
-		}
-	})
-}
-
-// RoundQuotaFunc sets the function that will be used to covert the CPU quota from float to int.
-func RoundQuotaFunc(rf func(v float64) int) Option {
-	return optionFunc(func(cfg *config) {
-		cfg.roundQuotaFunc = rf
-	})
-}
-
-type optionFunc func(*config)
-
-func (of optionFunc) apply(cfg *config) { of(cfg) }
-
-// Set GOMAXPROCS to match the Linux container CPU quota (if any), returning
-// any error encountered and an undo function.
-//
-// Set is a no-op on non-Linux systems and in Linux environments without a
-// configured CPU quota.
-func Set(opts ...Option) (func(), error) {
-	cfg := &config{
-		procs:          iruntime.CPUQuotaToGOMAXPROCS,
-		roundQuotaFunc: iruntime.DefaultRoundFunc,
-		minGOMAXPROCS:  1,
-	}
-	for _, o := range opts {
-		o.apply(cfg)
-	}
-
-	undoNoop := func() {
-		cfg.log("maxprocs: No GOMAXPROCS change to reset")
-	}
-
-	// Honor the GOMAXPROCS environment variable if present. Otherwise, amend
-	// `runtime.GOMAXPROCS()` with the current process' CPU quota if the OS is
-	// Linux, and guarantee a minimum value of 1. The minimum guaranteed value
-	// can be overridden using `maxprocs.Min()`.
-	if max, exists := os.LookupEnv(_maxProcsKey); exists {
-		cfg.log("maxprocs: Honoring GOMAXPROCS=%q as set in environment", max)
-		return undoNoop, nil
-	}
-
-	maxProcs, status, err := cfg.procs(cfg.minGOMAXPROCS, cfg.roundQuotaFunc)
-	if err != nil {
-		return undoNoop, err
-	}
-
-	if status == iruntime.CPUQuotaUndefined {
-		cfg.log("maxprocs: Leaving GOMAXPROCS=%v: CPU quota undefined", currentMaxProcs())
-		return undoNoop, nil
-	}
-
-	prev := currentMaxProcs()
-	undo := func() {
-		cfg.log("maxprocs: Resetting GOMAXPROCS to %v", prev)
-		runtime.GOMAXPROCS(prev)
-	}
-
-	switch status {
-	case iruntime.CPUQuotaMinUsed:
-		cfg.log("maxprocs: Updating GOMAXPROCS=%v: using minimum allowed GOMAXPROCS", maxProcs)
-	case iruntime.CPUQuotaUsed:
-		cfg.log("maxprocs: Updating GOMAXPROCS=%v: determined from CPU quota", maxProcs)
-	}
-
-	runtime.GOMAXPROCS(maxProcs)
-	return undo, nil
-}
diff --git a/vendor/go.uber.org/automaxprocs/maxprocs/version.go b/vendor/go.uber.org/automaxprocs/maxprocs/version.go
deleted file mode 100644
index cc7fc5aee1..0000000000
--- a/vendor/go.uber.org/automaxprocs/maxprocs/version.go
+++ /dev/null
@@ -1,24 +0,0 @@
-// Copyright (c) 2017 Uber Technologies, Inc.
-//
-// Permission is hereby granted, free of charge, to any person obtaining a copy
-// of this software and associated documentation files (the "Software"), to deal
-// in the Software without restriction, including without limitation the rights
-// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-// copies of the Software, and to permit persons to whom the Software is
-// furnished to do so, subject to the following conditions:
-//
-// The above copyright notice and this permission notice shall be included in
-// all copies or substantial portions of the Software.
-//
-// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-// THE SOFTWARE.
-
-package maxprocs
-
-// Version is the current package version.
-const Version = "1.6.0"
diff --git a/vendor/golang.org/x/crypto/chacha20/chacha_arm64.s b/vendor/golang.org/x/crypto/chacha20/chacha_arm64.s
index 7dd2638e88..769af387e2 100644
--- a/vendor/golang.org/x/crypto/chacha20/chacha_arm64.s
+++ b/vendor/golang.org/x/crypto/chacha20/chacha_arm64.s
@@ -29,7 +29,7 @@ loop:
 	MOVD	$NUM_ROUNDS, R21
 	VLD1	(R11), [V30.S4, V31.S4]
 
-	// load contants
+	// load constants
 	// VLD4R (R10), [V0.S4, V1.S4, V2.S4, V3.S4]
 	WORD	$0x4D60E940
 
diff --git a/vendor/golang.org/x/crypto/curve25519/curve25519.go b/vendor/golang.org/x/crypto/curve25519/curve25519.go
index 8ff087df4c..048faef3a5 100644
--- a/vendor/golang.org/x/crypto/curve25519/curve25519.go
+++ b/vendor/golang.org/x/crypto/curve25519/curve25519.go
@@ -3,11 +3,14 @@
 // license that can be found in the LICENSE file.
 
 // Package curve25519 provides an implementation of the X25519 function, which
-// performs scalar multiplication on the elliptic curve known as Curve25519.
-// See RFC 7748.
+// performs scalar multiplication on the elliptic curve known as Curve25519
+// according to [RFC 7748].
 //
-// This package is a wrapper for the X25519 implementation
-// in the crypto/ecdh package.
+// The curve25519 package is a wrapper for the X25519 implementation in the
+// crypto/ecdh package. It is [frozen] and is not accepting new features.
+//
+// [RFC 7748]: https://datatracker.ietf.org/doc/html/rfc7748
+// [frozen]: https://go.dev/wiki/Frozen
 package curve25519
 
 import "crypto/ecdh"
diff --git a/vendor/golang.org/x/crypto/pkcs12/pkcs12.go b/vendor/golang.org/x/crypto/pkcs12/pkcs12.go
index 3a89bdb3e3..374d9facf8 100644
--- a/vendor/golang.org/x/crypto/pkcs12/pkcs12.go
+++ b/vendor/golang.org/x/crypto/pkcs12/pkcs12.go
@@ -4,12 +4,16 @@
 
 // Package pkcs12 implements some of PKCS#12.
 //
-// This implementation is distilled from https://tools.ietf.org/html/rfc7292
-// and referenced documents. It is intended for decoding P12/PFX-stored
-// certificates and keys for use with the crypto/tls package.
+// This implementation is distilled from [RFC 7292] and referenced documents.
+// It is intended for decoding P12/PFX-stored certificates and keys for use
+// with the crypto/tls package.
 //
-// This package is frozen. If it's missing functionality you need, consider
-// an alternative like software.sslmate.com/src/go-pkcs12.
+// The pkcs12 package is [frozen] and is not accepting new features.
+// If it's missing functionality you need, consider an alternative like
+// software.sslmate.com/src/go-pkcs12.
+//
+// [RFC 7292]: https://datatracker.ietf.org/doc/html/rfc7292
+// [frozen]: https://go.dev/wiki/Frozen
 package pkcs12
 
 import (
diff --git a/vendor/golang.org/x/crypto/ssh/cipher.go b/vendor/golang.org/x/crypto/ssh/cipher.go
index 6a5b582aa9..7554ed57a9 100644
--- a/vendor/golang.org/x/crypto/ssh/cipher.go
+++ b/vendor/golang.org/x/crypto/ssh/cipher.go
@@ -8,6 +8,7 @@ import (
 	"crypto/aes"
 	"crypto/cipher"
 	"crypto/des"
+	"crypto/fips140"
 	"crypto/rc4"
 	"crypto/subtle"
 	"encoding/binary"
@@ -15,6 +16,7 @@ import (
 	"fmt"
 	"hash"
 	"io"
+	"slices"
 
 	"golang.org/x/crypto/chacha20"
 	"golang.org/x/crypto/internal/poly1305"
@@ -93,41 +95,41 @@ func streamCipherMode(skip int, createFunc func(key, iv []byte) (cipher.Stream,
 }
 
 // cipherModes documents properties of supported ciphers. Ciphers not included
-// are not supported and will not be negotiated, even if explicitly requested in
-// ClientConfig.Crypto.Ciphers.
-var cipherModes = map[string]*cipherMode{
-	// Ciphers from RFC 4344, which introduced many CTR-based ciphers. Algorithms
-	// are defined in the order specified in the RFC.
-	CipherAES128CTR: {16, aes.BlockSize, streamCipherMode(0, newAESCTR)},
-	CipherAES192CTR: {24, aes.BlockSize, streamCipherMode(0, newAESCTR)},
-	CipherAES256CTR: {32, aes.BlockSize, streamCipherMode(0, newAESCTR)},
-
-	// Ciphers from RFC 4345, which introduces security-improved arcfour ciphers.
-	// They are defined in the order specified in the RFC.
-	InsecureCipherRC4128: {16, 0, streamCipherMode(1536, newRC4)},
-	InsecureCipherRC4256: {32, 0, streamCipherMode(1536, newRC4)},
-
-	// Cipher defined in RFC 4253, which describes SSH Transport Layer Protocol.
-	// Note that this cipher is not safe, as stated in RFC 4253: "Arcfour (and
-	// RC4) has problems with weak keys, and should be used with caution."
-	// RFC 4345 introduces improved versions of Arcfour.
-	InsecureCipherRC4: {16, 0, streamCipherMode(0, newRC4)},
-
-	// AEAD ciphers
-	CipherAES128GCM:        {16, 12, newGCMCipher},
-	CipherAES256GCM:        {32, 12, newGCMCipher},
-	CipherChaCha20Poly1305: {64, 0, newChaCha20Cipher},
-
+// are not supported and will not be negotiated, even if explicitly configured.
+// When FIPS mode is enabled, only FIPS-approved algorithms are included.
+var cipherModes = map[string]*cipherMode{}
+
+func init() {
+	cipherModes[CipherAES128CTR] = &cipherMode{16, aes.BlockSize, streamCipherMode(0, newAESCTR)}
+	cipherModes[CipherAES192CTR] = &cipherMode{24, aes.BlockSize, streamCipherMode(0, newAESCTR)}
+	cipherModes[CipherAES256CTR] = &cipherMode{32, aes.BlockSize, streamCipherMode(0, newAESCTR)}
+	//  Use of GCM with arbitrary IVs is not allowed in FIPS 140-only mode,
+	// we'll wire it up to NewGCMForSSH in Go 1.26.
+	//
+	// For now it means we'll work with fips140=on but not fips140=only.
+	cipherModes[CipherAES128GCM] = &cipherMode{16, 12, newGCMCipher}
+	cipherModes[CipherAES256GCM] = &cipherMode{32, 12, newGCMCipher}
+
+	if fips140.Enabled() {
+		defaultCiphers = slices.DeleteFunc(defaultCiphers, func(algo string) bool {
+			_, ok := cipherModes[algo]
+			return !ok
+		})
+		return
+	}
+
+	cipherModes[CipherChaCha20Poly1305] = &cipherMode{64, 0, newChaCha20Cipher}
+	// Insecure ciphers not included in the default configuration.
+	cipherModes[InsecureCipherRC4128] = &cipherMode{16, 0, streamCipherMode(1536, newRC4)}
+	cipherModes[InsecureCipherRC4256] = &cipherMode{32, 0, streamCipherMode(1536, newRC4)}
+	cipherModes[InsecureCipherRC4] = &cipherMode{16, 0, streamCipherMode(0, newRC4)}
 	// CBC mode is insecure and so is not included in the default config.
 	// (See https://www.ieee-security.org/TC/SP2013/papers/4977a526.pdf). If absolutely
 	// needed, it's possible to specify a custom Config to enable it.
 	// You should expect that an active attacker can recover plaintext if
 	// you do.
-	InsecureCipherAES128CBC: {16, aes.BlockSize, newAESCBCCipher},
-
-	// 3des-cbc is insecure and is not included in the default
-	// config.
-	InsecureCipherTripleDESCBC: {24, des.BlockSize, newTripleDESCBCCipher},
+	cipherModes[InsecureCipherAES128CBC] = &cipherMode{16, aes.BlockSize, newAESCBCCipher}
+	cipherModes[InsecureCipherTripleDESCBC] = &cipherMode{24, des.BlockSize, newTripleDESCBCCipher}
 }
 
 // prefixLen is the length of the packet prefix that contains the packet length
diff --git a/vendor/golang.org/x/crypto/ssh/client_auth.go b/vendor/golang.org/x/crypto/ssh/client_auth.go
index c12818fdc5..3127e49903 100644
--- a/vendor/golang.org/x/crypto/ssh/client_auth.go
+++ b/vendor/golang.org/x/crypto/ssh/client_auth.go
@@ -9,6 +9,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"slices"
 	"strings"
 )
 
@@ -83,7 +84,7 @@ func (c *connection) clientAuthenticate(config *ClientConfig) error {
 			// success
 			return nil
 		} else if ok == authFailure {
-			if m := auth.method(); !contains(tried, m) {
+			if m := auth.method(); !slices.Contains(tried, m) {
 				tried = append(tried, m)
 			}
 		}
@@ -97,7 +98,7 @@ func (c *connection) clientAuthenticate(config *ClientConfig) error {
 	findNext:
 		for _, a := range config.Auth {
 			candidateMethod := a.method()
-			if contains(tried, candidateMethod) {
+			if slices.Contains(tried, candidateMethod) {
 				continue
 			}
 			for _, meth := range methods {
@@ -117,15 +118,6 @@ func (c *connection) clientAuthenticate(config *ClientConfig) error {
 	return fmt.Errorf("ssh: unable to authenticate, attempted methods %v, no supported methods remain", tried)
 }
 
-func contains(list []string, e string) bool {
-	for _, s := range list {
-		if s == e {
-			return true
-		}
-	}
-	return false
-}
-
 // An AuthMethod represents an instance of an RFC 4252 authentication method.
 type AuthMethod interface {
 	// auth authenticates user over transport t.
@@ -255,7 +247,7 @@ func pickSignatureAlgorithm(signer Signer, extensions map[string][]byte) (MultiA
 		// Fallback to use if there is no "server-sig-algs" extension or a
 		// common algorithm cannot be found. We use the public key format if the
 		// MultiAlgorithmSigner supports it, otherwise we return an error.
-		if !contains(as.Algorithms(), underlyingAlgo(keyFormat)) {
+		if !slices.Contains(as.Algorithms(), underlyingAlgo(keyFormat)) {
 			return "", fmt.Errorf("ssh: no common public key signature algorithm, server only supports %q for key type %q, signer only supports %v",
 				underlyingAlgo(keyFormat), keyFormat, as.Algorithms())
 		}
@@ -284,7 +276,7 @@ func pickSignatureAlgorithm(signer Signer, extensions map[string][]byte) (MultiA
 	// Filter algorithms based on those supported by MultiAlgorithmSigner.
 	var keyAlgos []string
 	for _, algo := range algorithmsForKeyFormat(keyFormat) {
-		if contains(as.Algorithms(), underlyingAlgo(algo)) {
+		if slices.Contains(as.Algorithms(), underlyingAlgo(algo)) {
 			keyAlgos = append(keyAlgos, algo)
 		}
 	}
@@ -334,7 +326,7 @@ func (cb publicKeyCallback) auth(session []byte, user string, c packetConn, rand
 		// the key try to use the obtained algorithm as if "server-sig-algs" had
 		// not been implemented if supported from the algorithm signer.
 		if !ok && idx < origSignersLen && isRSACert(algo) && algo != CertAlgoRSAv01 {
-			if contains(as.Algorithms(), KeyAlgoRSA) {
+			if slices.Contains(as.Algorithms(), KeyAlgoRSA) {
 				// We retry using the compat algorithm after all signers have
 				// been tried normally.
 				signers = append(signers, &multiAlgorithmSigner{
@@ -385,7 +377,7 @@ func (cb publicKeyCallback) auth(session []byte, user string, c packetConn, rand
 		// contain the "publickey" method, do not attempt to authenticate with any
 		// other keys.  According to RFC 4252 Section 7, the latter can occur when
 		// additional authentication methods are required.
-		if success == authSuccess || !contains(methods, cb.method()) {
+		if success == authSuccess || !slices.Contains(methods, cb.method()) {
 			return success, methods, err
 		}
 	}
@@ -434,7 +426,7 @@ func confirmKeyAck(key PublicKey, c packetConn) (bool, error) {
 			// servers send the key type instead. OpenSSH allows any algorithm
 			// that matches the public key, so we do the same.
 			// https://github.com/openssh/openssh-portable/blob/86bdd385/sshconnect2.c#L709
-			if !contains(algorithmsForKeyFormat(key.Type()), msg.Algo) {
+			if !slices.Contains(algorithmsForKeyFormat(key.Type()), msg.Algo) {
 				return false, nil
 			}
 			if !bytes.Equal(msg.PubKey, pubKey) {
diff --git a/vendor/golang.org/x/crypto/ssh/common.go b/vendor/golang.org/x/crypto/ssh/common.go
index 8bfad16c41..2e44e9c9ec 100644
--- a/vendor/golang.org/x/crypto/ssh/common.go
+++ b/vendor/golang.org/x/crypto/ssh/common.go
@@ -6,6 +6,7 @@ package ssh
 
 import (
 	"crypto"
+	"crypto/fips140"
 	"crypto/rand"
 	"fmt"
 	"io"
@@ -256,6 +257,40 @@ type Algorithms struct {
 	PublicKeyAuths []string
 }
 
+func init() {
+	if fips140.Enabled() {
+		defaultHostKeyAlgos = slices.DeleteFunc(defaultHostKeyAlgos, func(algo string) bool {
+			_, err := hashFunc(underlyingAlgo(algo))
+			return err != nil
+		})
+		defaultPubKeyAuthAlgos = slices.DeleteFunc(defaultPubKeyAuthAlgos, func(algo string) bool {
+			_, err := hashFunc(underlyingAlgo(algo))
+			return err != nil
+		})
+	}
+}
+
+func hashFunc(format string) (crypto.Hash, error) {
+	switch format {
+	case KeyAlgoRSASHA256, KeyAlgoECDSA256, KeyAlgoSKED25519, KeyAlgoSKECDSA256:
+		return crypto.SHA256, nil
+	case KeyAlgoECDSA384:
+		return crypto.SHA384, nil
+	case KeyAlgoRSASHA512, KeyAlgoECDSA521:
+		return crypto.SHA512, nil
+	case KeyAlgoED25519:
+		// KeyAlgoED25519 doesn't pre-hash.
+		return 0, nil
+	case KeyAlgoRSA, InsecureKeyAlgoDSA:
+		if fips140.Enabled() {
+			return 0, fmt.Errorf("ssh: hash algorithm for format %q not allowed in FIPS 140 mode", format)
+		}
+		return crypto.SHA1, nil
+	default:
+		return 0, fmt.Errorf("ssh: hash algorithm for format %q not mapped", format)
+	}
+}
+
 // SupportedAlgorithms returns algorithms currently implemented by this package,
 // excluding those with security issues, which are returned by
 // InsecureAlgorithms. The algorithms listed here are in preference order.
@@ -283,21 +318,6 @@ func InsecureAlgorithms() Algorithms {
 
 var supportedCompressions = []string{compressionNone}
 
-// hashFuncs keeps the mapping of supported signature algorithms to their
-// respective hashes needed for signing and verification.
-var hashFuncs = map[string]crypto.Hash{
-	KeyAlgoRSA:         crypto.SHA1,
-	KeyAlgoRSASHA256:   crypto.SHA256,
-	KeyAlgoRSASHA512:   crypto.SHA512,
-	InsecureKeyAlgoDSA: crypto.SHA1,
-	KeyAlgoECDSA256:    crypto.SHA256,
-	KeyAlgoECDSA384:    crypto.SHA384,
-	KeyAlgoECDSA521:    crypto.SHA512,
-	// KeyAlgoED25519 doesn't pre-hash.
-	KeyAlgoSKECDSA256: crypto.SHA256,
-	KeyAlgoSKED25519:  crypto.SHA256,
-}
-
 // algorithmsForKeyFormat returns the supported signature algorithms for a given
 // public key format (PublicKey.Type), in order of preference. See RFC 8332,
 // Section 2. See also the note in sendKexInit on backwards compatibility.
@@ -312,11 +332,40 @@ func algorithmsForKeyFormat(keyFormat string) []string {
 	}
 }
 
+// keyFormatForAlgorithm returns the key format corresponding to the given
+// signature algorithm. It returns an empty string if the signature algorithm is
+// invalid or unsupported.
+func keyFormatForAlgorithm(sigAlgo string) string {
+	switch sigAlgo {
+	case KeyAlgoRSA, KeyAlgoRSASHA256, KeyAlgoRSASHA512:
+		return KeyAlgoRSA
+	case CertAlgoRSAv01, CertAlgoRSASHA256v01, CertAlgoRSASHA512v01:
+		return CertAlgoRSAv01
+	case KeyAlgoED25519,
+		KeyAlgoSKED25519,
+		KeyAlgoSKECDSA256,
+		KeyAlgoECDSA256,
+		KeyAlgoECDSA384,
+		KeyAlgoECDSA521,
+		InsecureKeyAlgoDSA,
+		InsecureCertAlgoDSAv01,
+		CertAlgoECDSA256v01,
+		CertAlgoECDSA384v01,
+		CertAlgoECDSA521v01,
+		CertAlgoSKECDSA256v01,
+		CertAlgoED25519v01,
+		CertAlgoSKED25519v01:
+		return sigAlgo
+	default:
+		return ""
+	}
+}
+
 // isRSA returns whether algo is a supported RSA algorithm, including certificate
 // algorithms.
 func isRSA(algo string) bool {
 	algos := algorithmsForKeyFormat(KeyAlgoRSA)
-	return contains(algos, underlyingAlgo(algo))
+	return slices.Contains(algos, underlyingAlgo(algo))
 }
 
 func isRSACert(algo string) bool {
@@ -515,7 +564,7 @@ func (c *Config) SetDefaults() {
 		if kexAlgoMap[k] != nil {
 			// Ignore the KEX if we have no kexAlgoMap definition.
 			kexs = append(kexs, k)
-			if k == KeyExchangeCurve25519 && !contains(c.KeyExchanges, keyExchangeCurve25519LibSSH) {
+			if k == KeyExchangeCurve25519 && !slices.Contains(c.KeyExchanges, keyExchangeCurve25519LibSSH) {
 				kexs = append(kexs, keyExchangeCurve25519LibSSH)
 			}
 		}
diff --git a/vendor/golang.org/x/crypto/ssh/doc.go b/vendor/golang.org/x/crypto/ssh/doc.go
index 04ccce3461..5b4de9effc 100644
--- a/vendor/golang.org/x/crypto/ssh/doc.go
+++ b/vendor/golang.org/x/crypto/ssh/doc.go
@@ -17,8 +17,18 @@ References:
 	[PROTOCOL.certkeys]: http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/PROTOCOL.certkeys?rev=HEAD
 	[SSH-PARAMETERS]:    http://www.iana.org/assignments/ssh-parameters/ssh-parameters.xml#ssh-parameters-1
 	[SSH-CERTS]:	https://datatracker.ietf.org/doc/html/draft-miller-ssh-cert-01
+	[FIPS 140-3 mode]: https://go.dev/doc/security/fips140
 
 This package does not fall under the stability promise of the Go language itself,
 so its API may be changed when pressing needs arise.
+
+# FIPS 140-3 mode
+
+When the program is in [FIPS 140-3 mode], this package behaves as if only SP
+800-140C and SP 800-140D approved cipher suites, signature algorithms,
+certificate public key types and sizes, and key exchange and derivation
+algorithms were implemented. Others are silently ignored and not negotiated, or
+rejected. This set may depend on the algorithms supported by the FIPS 140-3 Go
+Cryptographic Module selected with GOFIPS140, and may change across Go versions.
 */
 package ssh
diff --git a/vendor/golang.org/x/crypto/ssh/handshake.go b/vendor/golang.org/x/crypto/ssh/handshake.go
index a90bfe331c..4be3cbb6de 100644
--- a/vendor/golang.org/x/crypto/ssh/handshake.go
+++ b/vendor/golang.org/x/crypto/ssh/handshake.go
@@ -10,6 +10,7 @@ import (
 	"io"
 	"log"
 	"net"
+	"slices"
 	"strings"
 	"sync"
 )
@@ -527,7 +528,7 @@ func (t *handshakeTransport) sendKexInit() error {
 			switch s := k.(type) {
 			case MultiAlgorithmSigner:
 				for _, algo := range algorithmsForKeyFormat(keyFormat) {
-					if contains(s.Algorithms(), underlyingAlgo(algo)) {
+					if slices.Contains(s.Algorithms(), underlyingAlgo(algo)) {
 						msg.ServerHostKeyAlgos = append(msg.ServerHostKeyAlgos, algo)
 					}
 				}
@@ -679,7 +680,7 @@ func (t *handshakeTransport) enterKeyExchange(otherInitPacket []byte) error {
 		return err
 	}
 
-	if t.sessionID == nil && ((isClient && contains(serverInit.KexAlgos, kexStrictServer)) || (!isClient && contains(clientInit.KexAlgos, kexStrictClient))) {
+	if t.sessionID == nil && ((isClient && slices.Contains(serverInit.KexAlgos, kexStrictServer)) || (!isClient && slices.Contains(clientInit.KexAlgos, kexStrictClient))) {
 		t.strictMode = true
 		if err := t.conn.setStrictMode(); err != nil {
 			return err
@@ -736,7 +737,7 @@ func (t *handshakeTransport) enterKeyExchange(otherInitPacket []byte) error {
 	// On the server side, after the first SSH_MSG_NEWKEYS, send a SSH_MSG_EXT_INFO
 	// message with the server-sig-algs extension if the client supports it. See
 	// RFC 8308, Sections 2.4 and 3.1, and [PROTOCOL], Section 1.9.
-	if !isClient && firstKeyExchange && contains(clientInit.KexAlgos, "ext-info-c") {
+	if !isClient && firstKeyExchange && slices.Contains(clientInit.KexAlgos, "ext-info-c") {
 		supportedPubKeyAuthAlgosList := strings.Join(t.publicKeyAuthAlgorithms, ",")
 		extInfo := &extInfoMsg{
 			NumExtensions: 2,
@@ -790,7 +791,7 @@ func (a algorithmSignerWrapper) SignWithAlgorithm(rand io.Reader, data []byte, a
 func pickHostKey(hostKeys []Signer, algo string) AlgorithmSigner {
 	for _, k := range hostKeys {
 		if s, ok := k.(MultiAlgorithmSigner); ok {
-			if !contains(s.Algorithms(), underlyingAlgo(algo)) {
+			if !slices.Contains(s.Algorithms(), underlyingAlgo(algo)) {
 				continue
 			}
 		}
diff --git a/vendor/golang.org/x/crypto/ssh/kex.go b/vendor/golang.org/x/crypto/ssh/kex.go
index 78aaf03103..5f7fdd8514 100644
--- a/vendor/golang.org/x/crypto/ssh/kex.go
+++ b/vendor/golang.org/x/crypto/ssh/kex.go
@@ -8,12 +8,14 @@ import (
 	"crypto"
 	"crypto/ecdsa"
 	"crypto/elliptic"
+	"crypto/fips140"
 	"crypto/rand"
 	"encoding/binary"
 	"errors"
 	"fmt"
 	"io"
 	"math/big"
+	"slices"
 
 	"golang.org/x/crypto/curve25519"
 )
@@ -395,9 +397,27 @@ func ecHash(curve elliptic.Curve) crypto.Hash {
 	return crypto.SHA512
 }
 
+// kexAlgoMap defines the supported KEXs. KEXs not included are not supported
+// and will not be negotiated, even if explicitly configured. When FIPS mode is
+// enabled, only FIPS-approved algorithms are included.
 var kexAlgoMap = map[string]kexAlgorithm{}
 
 func init() {
+	// mlkem768x25519-sha256 we'll work with fips140=on but not fips140=only
+	// until Go 1.26.
+	kexAlgoMap[KeyExchangeMLKEM768X25519] = &mlkem768WithCurve25519sha256{}
+	kexAlgoMap[KeyExchangeECDHP521] = &ecdh{elliptic.P521()}
+	kexAlgoMap[KeyExchangeECDHP384] = &ecdh{elliptic.P384()}
+	kexAlgoMap[KeyExchangeECDHP256] = &ecdh{elliptic.P256()}
+
+	if fips140.Enabled() {
+		defaultKexAlgos = slices.DeleteFunc(defaultKexAlgos, func(algo string) bool {
+			_, ok := kexAlgoMap[algo]
+			return !ok
+		})
+		return
+	}
+
 	p, _ := new(big.Int).SetString(oakleyGroup2, 16)
 	kexAlgoMap[InsecureKeyExchangeDH1SHA1] = &dhGroup{
 		g:        new(big.Int).SetInt64(2),
@@ -431,14 +451,10 @@ func init() {
 		hashFunc: crypto.SHA512,
 	}
 
-	kexAlgoMap[KeyExchangeECDHP521] = &ecdh{elliptic.P521()}
-	kexAlgoMap[KeyExchangeECDHP384] = &ecdh{elliptic.P384()}
-	kexAlgoMap[KeyExchangeECDHP256] = &ecdh{elliptic.P256()}
 	kexAlgoMap[KeyExchangeCurve25519] = &curve25519sha256{}
 	kexAlgoMap[keyExchangeCurve25519LibSSH] = &curve25519sha256{}
 	kexAlgoMap[InsecureKeyExchangeDHGEXSHA1] = &dhGEXSHA{hashFunc: crypto.SHA1}
 	kexAlgoMap[KeyExchangeDHGEXSHA256] = &dhGEXSHA{hashFunc: crypto.SHA256}
-	kexAlgoMap[KeyExchangeMLKEM768X25519] = &mlkem768WithCurve25519sha256{}
 }
 
 // curve25519sha256 implements the curve25519-sha256 (formerly known as
diff --git a/vendor/golang.org/x/crypto/ssh/keys.go b/vendor/golang.org/x/crypto/ssh/keys.go
index a28c0de503..47a07539d9 100644
--- a/vendor/golang.org/x/crypto/ssh/keys.go
+++ b/vendor/golang.org/x/crypto/ssh/keys.go
@@ -27,6 +27,7 @@ import (
 	"fmt"
 	"io"
 	"math/big"
+	"slices"
 	"strings"
 
 	"golang.org/x/crypto/ssh/internal/bcrypt_pbkdf"
@@ -89,6 +90,11 @@ func parsePubKey(in []byte, algo string) (pubKey PublicKey, rest []byte, err err
 		}
 		return cert, nil, nil
 	}
+	if keyFormat := keyFormatForAlgorithm(algo); keyFormat != "" {
+		return nil, nil, fmt.Errorf("ssh: signature algorithm %q isn't a key format; key is malformed and should be re-encoded with type %q",
+			algo, keyFormat)
+	}
+
 	return nil, nil, fmt.Errorf("ssh: unknown key algorithm: %v", algo)
 }
 
@@ -191,9 +197,10 @@ func ParseKnownHosts(in []byte) (marker string, hosts []string, pubKey PublicKey
 	return "", nil, nil, "", nil, io.EOF
 }
 
-// ParseAuthorizedKey parses a public key from an authorized_keys
-// file used in OpenSSH according to the sshd(8) manual page.
+// ParseAuthorizedKey parses a public key from an authorized_keys file used in
+// OpenSSH according to the sshd(8) manual page. Invalid lines are ignored.
 func ParseAuthorizedKey(in []byte) (out PublicKey, comment string, options []string, rest []byte, err error) {
+	var lastErr error
 	for len(in) > 0 {
 		end := bytes.IndexByte(in, '\n')
 		if end != -1 {
@@ -222,6 +229,8 @@ func ParseAuthorizedKey(in []byte) (out PublicKey, comment string, options []str
 
 		if out, comment, err = parseAuthorizedKey(in[i:]); err == nil {
 			return out, comment, options, rest, nil
+		} else {
+			lastErr = err
 		}
 
 		// No key type recognised. Maybe there's an options field at
@@ -264,12 +273,18 @@ func ParseAuthorizedKey(in []byte) (out PublicKey, comment string, options []str
 		if out, comment, err = parseAuthorizedKey(in[i:]); err == nil {
 			options = candidateOptions
 			return out, comment, options, rest, nil
+		} else {
+			lastErr = err
 		}
 
 		in = rest
 		continue
 	}
 
+	if lastErr != nil {
+		return nil, "", nil, nil, fmt.Errorf("ssh: no key found; last parsing error for ignored line: %w", lastErr)
+	}
+
 	return nil, "", nil, nil, errors.New("ssh: no key found")
 }
 
@@ -395,11 +410,11 @@ func NewSignerWithAlgorithms(signer AlgorithmSigner, algorithms []string) (Multi
 	}
 
 	for _, algo := range algorithms {
-		if !contains(supportedAlgos, algo) {
+		if !slices.Contains(supportedAlgos, algo) {
 			return nil, fmt.Errorf("ssh: algorithm %q is not supported for key type %q",
 				algo, signer.PublicKey().Type())
 		}
-		if !contains(signerAlgos, algo) {
+		if !slices.Contains(signerAlgos, algo) {
 			return nil, fmt.Errorf("ssh: algorithm %q is restricted for the provided signer", algo)
 		}
 	}
@@ -486,10 +501,13 @@ func (r *rsaPublicKey) Marshal() []byte {
 
 func (r *rsaPublicKey) Verify(data []byte, sig *Signature) error {
 	supportedAlgos := algorithmsForKeyFormat(r.Type())
-	if !contains(supportedAlgos, sig.Format) {
+	if !slices.Contains(supportedAlgos, sig.Format) {
 		return fmt.Errorf("ssh: signature type %s for key type %s", sig.Format, r.Type())
 	}
-	hash := hashFuncs[sig.Format]
+	hash, err := hashFunc(sig.Format)
+	if err != nil {
+		return err
+	}
 	h := hash.New()
 	h.Write(data)
 	digest := h.Sum(nil)
@@ -606,7 +624,11 @@ func (k *dsaPublicKey) Verify(data []byte, sig *Signature) error {
 	if sig.Format != k.Type() {
 		return fmt.Errorf("ssh: signature type %s for key type %s", sig.Format, k.Type())
 	}
-	h := hashFuncs[sig.Format].New()
+	hash, err := hashFunc(sig.Format)
+	if err != nil {
+		return err
+	}
+	h := hash.New()
 	h.Write(data)
 	digest := h.Sum(nil)
 
@@ -651,7 +673,11 @@ func (k *dsaPrivateKey) SignWithAlgorithm(rand io.Reader, data []byte, algorithm
 		return nil, fmt.Errorf("ssh: unsupported signature algorithm %s", algorithm)
 	}
 
-	h := hashFuncs[k.PublicKey().Type()].New()
+	hash, err := hashFunc(k.PublicKey().Type())
+	if err != nil {
+		return nil, err
+	}
+	h := hash.New()
 	h.Write(data)
 	digest := h.Sum(nil)
 	r, s, err := dsa.Sign(rand, k.PrivateKey, digest)
@@ -801,8 +827,11 @@ func (k *ecdsaPublicKey) Verify(data []byte, sig *Signature) error {
 	if sig.Format != k.Type() {
 		return fmt.Errorf("ssh: signature type %s for key type %s", sig.Format, k.Type())
 	}
-
-	h := hashFuncs[sig.Format].New()
+	hash, err := hashFunc(sig.Format)
+	if err != nil {
+		return err
+	}
+	h := hash.New()
 	h.Write(data)
 	digest := h.Sum(nil)
 
@@ -905,8 +934,11 @@ func (k *skECDSAPublicKey) Verify(data []byte, sig *Signature) error {
 	if sig.Format != k.Type() {
 		return fmt.Errorf("ssh: signature type %s for key type %s", sig.Format, k.Type())
 	}
-
-	h := hashFuncs[sig.Format].New()
+	hash, err := hashFunc(sig.Format)
+	if err != nil {
+		return err
+	}
+	h := hash.New()
 	h.Write([]byte(k.application))
 	appDigest := h.Sum(nil)
 
@@ -1009,7 +1041,11 @@ func (k *skEd25519PublicKey) Verify(data []byte, sig *Signature) error {
 		return fmt.Errorf("invalid size %d for Ed25519 public key", l)
 	}
 
-	h := hashFuncs[sig.Format].New()
+	hash, err := hashFunc(sig.Format)
+	if err != nil {
+		return err
+	}
+	h := hash.New()
 	h.Write([]byte(k.application))
 	appDigest := h.Sum(nil)
 
@@ -1112,11 +1148,14 @@ func (s *wrappedSigner) SignWithAlgorithm(rand io.Reader, data []byte, algorithm
 		algorithm = s.pubKey.Type()
 	}
 
-	if !contains(s.Algorithms(), algorithm) {
+	if !slices.Contains(s.Algorithms(), algorithm) {
 		return nil, fmt.Errorf("ssh: unsupported signature algorithm %q for key format %q", algorithm, s.pubKey.Type())
 	}
 
-	hashFunc := hashFuncs[algorithm]
+	hashFunc, err := hashFunc(algorithm)
+	if err != nil {
+		return nil, err
+	}
 	var digest []byte
 	if hashFunc != 0 {
 		h := hashFunc.New()
@@ -1451,6 +1490,7 @@ type openSSHEncryptedPrivateKey struct {
 	NumKeys      uint32
 	PubKey       []byte
 	PrivKeyBlock []byte
+	Rest         []byte `ssh:"rest"`
 }
 
 type openSSHPrivateKey struct {
diff --git a/vendor/golang.org/x/crypto/ssh/mac.go b/vendor/golang.org/x/crypto/ssh/mac.go
index de2639d57f..87d626fbbf 100644
--- a/vendor/golang.org/x/crypto/ssh/mac.go
+++ b/vendor/golang.org/x/crypto/ssh/mac.go
@@ -7,11 +7,13 @@ package ssh
 // Message authentication support
 
 import (
+	"crypto/fips140"
 	"crypto/hmac"
 	"crypto/sha1"
 	"crypto/sha256"
 	"crypto/sha512"
 	"hash"
+	"slices"
 )
 
 type macMode struct {
@@ -46,23 +48,37 @@ func (t truncatingMAC) Size() int {
 
 func (t truncatingMAC) BlockSize() int { return t.hmac.BlockSize() }
 
-var macModes = map[string]*macMode{
-	HMACSHA512ETM: {64, true, func(key []byte) hash.Hash {
+// macModes defines the supported MACs. MACs not included are not supported
+// and will not be negotiated, even if explicitly configured. When FIPS mode is
+// enabled, only FIPS-approved algorithms are included.
+var macModes = map[string]*macMode{}
+
+func init() {
+	macModes[HMACSHA512ETM] = &macMode{64, true, func(key []byte) hash.Hash {
 		return hmac.New(sha512.New, key)
-	}},
-	HMACSHA256ETM: {32, true, func(key []byte) hash.Hash {
+	}}
+	macModes[HMACSHA256ETM] = &macMode{32, true, func(key []byte) hash.Hash {
 		return hmac.New(sha256.New, key)
-	}},
-	HMACSHA512: {64, false, func(key []byte) hash.Hash {
+	}}
+	macModes[HMACSHA512] = &macMode{64, false, func(key []byte) hash.Hash {
 		return hmac.New(sha512.New, key)
-	}},
-	HMACSHA256: {32, false, func(key []byte) hash.Hash {
+	}}
+	macModes[HMACSHA256] = &macMode{32, false, func(key []byte) hash.Hash {
 		return hmac.New(sha256.New, key)
-	}},
-	HMACSHA1: {20, false, func(key []byte) hash.Hash {
+	}}
+
+	if fips140.Enabled() {
+		defaultMACs = slices.DeleteFunc(defaultMACs, func(algo string) bool {
+			_, ok := macModes[algo]
+			return !ok
+		})
+		return
+	}
+
+	macModes[HMACSHA1] = &macMode{20, false, func(key []byte) hash.Hash {
 		return hmac.New(sha1.New, key)
-	}},
-	InsecureHMACSHA196: {20, false, func(key []byte) hash.Hash {
+	}}
+	macModes[InsecureHMACSHA196] = &macMode{20, false, func(key []byte) hash.Hash {
 		return truncatingMAC{12, hmac.New(sha1.New, key)}
-	}},
+	}}
 }
diff --git a/vendor/golang.org/x/crypto/ssh/messages.go b/vendor/golang.org/x/crypto/ssh/messages.go
index 251b9d06a3..ab22c3d38d 100644
--- a/vendor/golang.org/x/crypto/ssh/messages.go
+++ b/vendor/golang.org/x/crypto/ssh/messages.go
@@ -792,7 +792,7 @@ func marshalString(to []byte, s []byte) []byte {
 	return to[len(s):]
 }
 
-var bigIntType = reflect.TypeOf((*big.Int)(nil))
+var bigIntType = reflect.TypeFor[*big.Int]()
 
 // Decode a packet into its corresponding message.
 func decode(packet []byte) (interface{}, error) {
diff --git a/vendor/golang.org/x/crypto/ssh/server.go b/vendor/golang.org/x/crypto/ssh/server.go
index 98679ba5b6..064dcbaf5a 100644
--- a/vendor/golang.org/x/crypto/ssh/server.go
+++ b/vendor/golang.org/x/crypto/ssh/server.go
@@ -10,6 +10,7 @@ import (
 	"fmt"
 	"io"
 	"net"
+	"slices"
 	"strings"
 )
 
@@ -43,6 +44,9 @@ type Permissions struct {
 	// pass data from the authentication callbacks to the server
 	// application layer.
 	Extensions map[string]string
+
+	// ExtraData allows to store user defined data.
+	ExtraData map[any]any
 }
 
 type GSSAPIWithMICConfig struct {
@@ -126,6 +130,21 @@ type ServerConfig struct {
 	// Permissions.Extensions entry.
 	PublicKeyCallback func(conn ConnMetadata, key PublicKey) (*Permissions, error)
 
+	// VerifiedPublicKeyCallback, if non-nil, is called after a client
+	// successfully confirms having control over a key that was previously
+	// approved by PublicKeyCallback. The permissions object passed to the
+	// callback is the one returned by PublicKeyCallback for the given public
+	// key and its ownership is transferred to the callback. The returned
+	// Permissions object can be the same object, optionally modified, or a
+	// completely new object. If VerifiedPublicKeyCallback is non-nil,
+	// PublicKeyCallback is not allowed to return a PartialSuccessError, which
+	// can instead be returned by VerifiedPublicKeyCallback.
+	//
+	// VerifiedPublicKeyCallback does not affect which authentication methods
+	// are included in the list of methods that can be attempted by the client.
+	VerifiedPublicKeyCallback func(conn ConnMetadata, key PublicKey, permissions *Permissions,
+		signatureAlgorithm string) (*Permissions, error)
+
 	// KeyboardInteractiveCallback, if non-nil, is called when
 	// keyboard-interactive authentication is selected (RFC
 	// 4256). The client object's Challenge function should be
@@ -246,7 +265,7 @@ func NewServerConn(c net.Conn, config *ServerConfig) (*ServerConn, <-chan NewCha
 		fullConf.PublicKeyAuthAlgorithms = defaultPubKeyAuthAlgos
 	} else {
 		for _, algo := range fullConf.PublicKeyAuthAlgorithms {
-			if !contains(SupportedAlgorithms().PublicKeyAuths, algo) && !contains(InsecureAlgorithms().PublicKeyAuths, algo) {
+			if !slices.Contains(SupportedAlgorithms().PublicKeyAuths, algo) && !slices.Contains(InsecureAlgorithms().PublicKeyAuths, algo) {
 				c.Close()
 				return nil, nil, nil, fmt.Errorf("ssh: unsupported public key authentication algorithm %s", algo)
 			}
@@ -631,7 +650,7 @@ userAuthLoop:
 				return nil, parseError(msgUserAuthRequest)
 			}
 			algo := string(algoBytes)
-			if !contains(config.PublicKeyAuthAlgorithms, underlyingAlgo(algo)) {
+			if !slices.Contains(config.PublicKeyAuthAlgorithms, underlyingAlgo(algo)) {
 				authErr = fmt.Errorf("ssh: algorithm %q not accepted", algo)
 				break
 			}
@@ -652,6 +671,9 @@ userAuthLoop:
 				candidate.pubKeyData = pubKeyData
 				candidate.perms, candidate.result = authConfig.PublicKeyCallback(s, pubKey)
 				_, isPartialSuccessError := candidate.result.(*PartialSuccessError)
+				if isPartialSuccessError && config.VerifiedPublicKeyCallback != nil {
+					return nil, errors.New("ssh: invalid library usage: PublicKeyCallback must not return partial success when VerifiedPublicKeyCallback is defined")
+				}
 
 				if (candidate.result == nil || isPartialSuccessError) &&
 					candidate.perms != nil &&
@@ -695,7 +717,7 @@ userAuthLoop:
 				// ssh-rsa-cert-v01@openssh.com algorithm with ssh-rsa public
 				// key type. The algorithm and public key type must be
 				// consistent: both must be certificate algorithms, or neither.
-				if !contains(algorithmsForKeyFormat(pubKey.Type()), algo) {
+				if !slices.Contains(algorithmsForKeyFormat(pubKey.Type()), algo) {
 					authErr = fmt.Errorf("ssh: public key type %q not compatible with selected algorithm %q",
 						pubKey.Type(), algo)
 					break
@@ -705,7 +727,7 @@ userAuthLoop:
 				// algorithm name that corresponds to algo with
 				// sig.Format.  This is usually the same, but
 				// for certs, the names differ.
-				if !contains(config.PublicKeyAuthAlgorithms, sig.Format) {
+				if !slices.Contains(config.PublicKeyAuthAlgorithms, sig.Format) {
 					authErr = fmt.Errorf("ssh: algorithm %q not accepted", sig.Format)
 					break
 				}
@@ -722,6 +744,12 @@ userAuthLoop:
 
 				authErr = candidate.result
 				perms = candidate.perms
+				if authErr == nil && config.VerifiedPublicKeyCallback != nil {
+					// Only call VerifiedPublicKeyCallback after the key has been accepted
+					// and successfully verified. If authErr is non-nil, the key is not
+					// considered verified and the callback must not run.
+					perms, authErr = config.VerifiedPublicKeyCallback(s, pubKey, perms, algo)
+				}
 			}
 		case "gssapi-with-mic":
 			if authConfig.GSSAPIWithMICConfig == nil {
diff --git a/vendor/golang.org/x/crypto/ssh/ssh_gss.go b/vendor/golang.org/x/crypto/ssh/ssh_gss.go
index 24bd7c8e83..a6249a1227 100644
--- a/vendor/golang.org/x/crypto/ssh/ssh_gss.go
+++ b/vendor/golang.org/x/crypto/ssh/ssh_gss.go
@@ -106,6 +106,13 @@ func parseGSSAPIPayload(payload []byte) (*userAuthRequestGSSAPI, error) {
 	if !ok {
 		return nil, errors.New("parse uint32 failed")
 	}
+	// Each ASN.1 encoded OID must have a minimum
+	// of 2 bytes; 64 maximum mechanisms is an
+	// arbitrary, but reasonable ceiling.
+	const maxMechs = 64
+	if n > maxMechs || int(n)*2 > len(rest) {
+		return nil, errors.New("invalid mechanism count")
+	}
 	s := &userAuthRequestGSSAPI{
 		N:    n,
 		OIDS: make([]asn1.ObjectIdentifier, n),
@@ -122,7 +129,6 @@ func parseGSSAPIPayload(payload []byte) (*userAuthRequestGSSAPI, error) {
 		if rest, err = asn1.Unmarshal(desiredMech, &s.OIDS[i]); err != nil {
 			return nil, err
 		}
-
 	}
 	return s, nil
 }
diff --git a/vendor/golang.org/x/crypto/ssh/streamlocal.go b/vendor/golang.org/x/crypto/ssh/streamlocal.go
index b171b330bc..152470fcb7 100644
--- a/vendor/golang.org/x/crypto/ssh/streamlocal.go
+++ b/vendor/golang.org/x/crypto/ssh/streamlocal.go
@@ -44,7 +44,7 @@ func (c *Client) ListenUnix(socketPath string) (net.Listener, error) {
 	if !ok {
 		return nil, errors.New("ssh: streamlocal-forward@openssh.com request denied by peer")
 	}
-	ch := c.forwards.add(&net.UnixAddr{Name: socketPath, Net: "unix"})
+	ch := c.forwards.add("unix", socketPath)
 
 	return &unixListener{socketPath, c, ch}, nil
 }
@@ -96,7 +96,7 @@ func (l *unixListener) Accept() (net.Conn, error) {
 // Close closes the listener.
 func (l *unixListener) Close() error {
 	// this also closes the listener.
-	l.conn.forwards.remove(&net.UnixAddr{Name: l.socketPath, Net: "unix"})
+	l.conn.forwards.remove("unix", l.socketPath)
 	m := streamLocalChannelForwardMsg{
 		l.socketPath,
 	}
diff --git a/vendor/golang.org/x/crypto/ssh/tcpip.go b/vendor/golang.org/x/crypto/ssh/tcpip.go
index 93d844f035..78c41fe5a1 100644
--- a/vendor/golang.org/x/crypto/ssh/tcpip.go
+++ b/vendor/golang.org/x/crypto/ssh/tcpip.go
@@ -11,6 +11,7 @@ import (
 	"io"
 	"math/rand"
 	"net"
+	"net/netip"
 	"strconv"
 	"strings"
 	"sync"
@@ -22,14 +23,21 @@ import (
 // the returned net.Listener. The listener must be serviced, or the
 // SSH connection may hang.
 // N must be "tcp", "tcp4", "tcp6", or "unix".
+//
+// If the address is a hostname, it is sent to the remote peer as-is, without
+// being resolved locally, and the Listener Addr method will return a zero IP.
 func (c *Client) Listen(n, addr string) (net.Listener, error) {
 	switch n {
 	case "tcp", "tcp4", "tcp6":
-		laddr, err := net.ResolveTCPAddr(n, addr)
+		host, portStr, err := net.SplitHostPort(addr)
+		if err != nil {
+			return nil, err
+		}
+		port, err := strconv.ParseInt(portStr, 10, 32)
 		if err != nil {
 			return nil, err
 		}
-		return c.ListenTCP(laddr)
+		return c.listenTCPInternal(host, int(port))
 	case "unix":
 		return c.ListenUnix(addr)
 	default:
@@ -102,15 +110,24 @@ func (c *Client) handleForwards() {
 // ListenTCP requests the remote peer open a listening socket
 // on laddr. Incoming connections will be available by calling
 // Accept on the returned net.Listener.
+//
+// ListenTCP accepts an IP address, to provide a hostname use [Client.Listen]
+// with "tcp", "tcp4", or "tcp6" network instead.
 func (c *Client) ListenTCP(laddr *net.TCPAddr) (net.Listener, error) {
 	c.handleForwardsOnce.Do(c.handleForwards)
 	if laddr.Port == 0 && isBrokenOpenSSHVersion(string(c.ServerVersion())) {
 		return c.autoPortListenWorkaround(laddr)
 	}
 
+	return c.listenTCPInternal(laddr.IP.String(), laddr.Port)
+}
+
+func (c *Client) listenTCPInternal(host string, port int) (net.Listener, error) {
+	c.handleForwardsOnce.Do(c.handleForwards)
+
 	m := channelForwardMsg{
-		laddr.IP.String(),
-		uint32(laddr.Port),
+		host,
+		uint32(port),
 	}
 	// send message
 	ok, resp, err := c.SendRequest("tcpip-forward", true, Marshal(&m))
@@ -123,20 +140,33 @@ func (c *Client) ListenTCP(laddr *net.TCPAddr) (net.Listener, error) {
 
 	// If the original port was 0, then the remote side will
 	// supply a real port number in the response.
-	if laddr.Port == 0 {
+	if port == 0 {
 		var p struct {
 			Port uint32
 		}
 		if err := Unmarshal(resp, &p); err != nil {
 			return nil, err
 		}
-		laddr.Port = int(p.Port)
+		port = int(p.Port)
 	}
+	// Construct a local address placeholder for the remote listener. If the
+	// original host is an IP address, preserve it so that Listener.Addr()
+	// reports the same IP. If the host is a hostname or cannot be parsed as an
+	// IP, fall back to IPv4zero. The port field is always set, even if the
+	// original port was 0, because in that case the remote server will assign
+	// one, allowing callers to determine which port was selected.
+	ip := net.IPv4zero
+	if parsed, err := netip.ParseAddr(host); err == nil {
+		ip = net.IP(parsed.AsSlice())
+	}
+	laddr := &net.TCPAddr{
+		IP:   ip,
+		Port: port,
+	}
+	addr := net.JoinHostPort(host, strconv.FormatInt(int64(port), 10))
+	ch := c.forwards.add("tcp", addr)
 
-	// Register this forward, using the port number we obtained.
-	ch := c.forwards.add(laddr)
-
-	return &tcpListener{laddr, c, ch}, nil
+	return &tcpListener{laddr, addr, c, ch}, nil
 }
 
 // forwardList stores a mapping between remote
@@ -149,8 +179,9 @@ type forwardList struct {
 // forwardEntry represents an established mapping of a laddr on a
 // remote ssh server to a channel connected to a tcpListener.
 type forwardEntry struct {
-	laddr net.Addr
-	c     chan forward
+	addr    string // host:port or socket path
+	network string // tcp or unix
+	c       chan forward
 }
 
 // forward represents an incoming forwarded tcpip connection. The
@@ -161,12 +192,13 @@ type forward struct {
 	raddr net.Addr   // the raddr of the incoming connection
 }
 
-func (l *forwardList) add(addr net.Addr) chan forward {
+func (l *forwardList) add(n, addr string) chan forward {
 	l.Lock()
 	defer l.Unlock()
 	f := forwardEntry{
-		laddr: addr,
-		c:     make(chan forward, 1),
+		addr:    addr,
+		network: n,
+		c:       make(chan forward, 1),
 	}
 	l.entries = append(l.entries, f)
 	return f.c
@@ -185,19 +217,20 @@ func parseTCPAddr(addr string, port uint32) (*net.TCPAddr, error) {
 	if port == 0 || port > 65535 {
 		return nil, fmt.Errorf("ssh: port number out of range: %d", port)
 	}
-	ip := net.ParseIP(string(addr))
-	if ip == nil {
+	ip, err := netip.ParseAddr(addr)
+	if err != nil {
 		return nil, fmt.Errorf("ssh: cannot parse IP address %q", addr)
 	}
-	return &net.TCPAddr{IP: ip, Port: int(port)}, nil
+	return &net.TCPAddr{IP: net.IP(ip.AsSlice()), Port: int(port)}, nil
 }
 
 func (l *forwardList) handleChannels(in <-chan NewChannel) {
 	for ch := range in {
 		var (
-			laddr net.Addr
-			raddr net.Addr
-			err   error
+			addr    string
+			network string
+			raddr   net.Addr
+			err     error
 		)
 		switch channelType := ch.ChannelType(); channelType {
 		case "forwarded-tcpip":
@@ -207,40 +240,34 @@ func (l *forwardList) handleChannels(in <-chan NewChannel) {
 				continue
 			}
 
-			// RFC 4254 section 7.2 specifies that incoming
-			// addresses should list the address, in string
-			// format. It is implied that this should be an IP
-			// address, as it would be impossible to connect to it
-			// otherwise.
-			laddr, err = parseTCPAddr(payload.Addr, payload.Port)
-			if err != nil {
-				ch.Reject(ConnectionFailed, err.Error())
-				continue
-			}
+			// RFC 4254 section 7.2 specifies that incoming addresses should
+			// list the address that was connected, in string format. It is the
+			// same address used in the tcpip-forward request. The originator
+			// address is an IP address instead.
+			addr = net.JoinHostPort(payload.Addr, strconv.FormatUint(uint64(payload.Port), 10))
+
 			raddr, err = parseTCPAddr(payload.OriginAddr, payload.OriginPort)
 			if err != nil {
 				ch.Reject(ConnectionFailed, err.Error())
 				continue
 			}
-
+			network = "tcp"
 		case "forwarded-streamlocal@openssh.com":
 			var payload forwardedStreamLocalPayload
 			if err = Unmarshal(ch.ExtraData(), &payload); err != nil {
 				ch.Reject(ConnectionFailed, "could not parse forwarded-streamlocal@openssh.com payload: "+err.Error())
 				continue
 			}
-			laddr = &net.UnixAddr{
-				Name: payload.SocketPath,
-				Net:  "unix",
-			}
+			addr = payload.SocketPath
 			raddr = &net.UnixAddr{
 				Name: "@",
 				Net:  "unix",
 			}
+			network = "unix"
 		default:
 			panic(fmt.Errorf("ssh: unknown channel type %s", channelType))
 		}
-		if ok := l.forward(laddr, raddr, ch); !ok {
+		if ok := l.forward(network, addr, raddr, ch); !ok {
 			// Section 7.2, implementations MUST reject spurious incoming
 			// connections.
 			ch.Reject(Prohibited, "no forward for address")
@@ -252,11 +279,11 @@ func (l *forwardList) handleChannels(in <-chan NewChannel) {
 
 // remove removes the forward entry, and the channel feeding its
 // listener.
-func (l *forwardList) remove(addr net.Addr) {
+func (l *forwardList) remove(n, addr string) {
 	l.Lock()
 	defer l.Unlock()
 	for i, f := range l.entries {
-		if addr.Network() == f.laddr.Network() && addr.String() == f.laddr.String() {
+		if n == f.network && addr == f.addr {
 			l.entries = append(l.entries[:i], l.entries[i+1:]...)
 			close(f.c)
 			return
@@ -274,11 +301,11 @@ func (l *forwardList) closeAll() {
 	l.entries = nil
 }
 
-func (l *forwardList) forward(laddr, raddr net.Addr, ch NewChannel) bool {
+func (l *forwardList) forward(n, addr string, raddr net.Addr, ch NewChannel) bool {
 	l.Lock()
 	defer l.Unlock()
 	for _, f := range l.entries {
-		if laddr.Network() == f.laddr.Network() && laddr.String() == f.laddr.String() {
+		if n == f.network && addr == f.addr {
 			f.c <- forward{newCh: ch, raddr: raddr}
 			return true
 		}
@@ -288,6 +315,7 @@ func (l *forwardList) forward(laddr, raddr net.Addr, ch NewChannel) bool {
 
 type tcpListener struct {
 	laddr *net.TCPAddr
+	addr  string
 
 	conn *Client
 	in   <-chan forward
@@ -314,13 +342,21 @@ func (l *tcpListener) Accept() (net.Conn, error) {
 
 // Close closes the listener.
 func (l *tcpListener) Close() error {
+	host, port, err := net.SplitHostPort(l.addr)
+	if err != nil {
+		return err
+	}
+	rport, err := strconv.ParseUint(port, 10, 32)
+	if err != nil {
+		return err
+	}
 	m := channelForwardMsg{
-		l.laddr.IP.String(),
-		uint32(l.laddr.Port),
+		host,
+		uint32(rport),
 	}
 
 	// this also closes the listener.
-	l.conn.forwards.remove(l.laddr)
+	l.conn.forwards.remove("tcp", l.addr)
 	ok, _, err := l.conn.SendRequest("cancel-tcpip-forward", true, Marshal(&m))
 	if err == nil && !ok {
 		err = errors.New("ssh: cancel-tcpip-forward failed")
diff --git a/vendor/golang.org/x/crypto/ssh/transport.go b/vendor/golang.org/x/crypto/ssh/transport.go
index 663619845c..fa3dd6a429 100644
--- a/vendor/golang.org/x/crypto/ssh/transport.go
+++ b/vendor/golang.org/x/crypto/ssh/transport.go
@@ -8,6 +8,7 @@ import (
 	"bufio"
 	"bytes"
 	"errors"
+	"fmt"
 	"io"
 	"log"
 )
@@ -254,6 +255,9 @@ var (
 // (to setup server->client keys) or clientKeys (for client->server keys).
 func newPacketCipher(d direction, algs DirectionAlgorithms, kex *kexResult) (packetCipher, error) {
 	cipherMode := cipherModes[algs.Cipher]
+	if cipherMode == nil {
+		return nil, fmt.Errorf("ssh: unsupported cipher %v", algs.Cipher)
+	}
 
 	iv := make([]byte, cipherMode.ivSize)
 	key := make([]byte, cipherMode.keySize)
diff --git a/vendor/golang.org/x/mod/LICENSE b/vendor/golang.org/x/mod/LICENSE
new file mode 100644
index 0000000000..2a7cf70da6
--- /dev/null
+++ b/vendor/golang.org/x/mod/LICENSE
@@ -0,0 +1,27 @@
+Copyright 2009 The Go Authors.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+   * Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+   * Redistributions in binary form must reproduce the above
+copyright notice, this list of conditions and the following disclaimer
+in the documentation and/or other materials provided with the
+distribution.
+   * Neither the name of Google LLC nor the names of its
+contributors may be used to endorse or promote products derived from
+this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/vendor/golang.org/x/mod/PATENTS b/vendor/golang.org/x/mod/PATENTS
new file mode 100644
index 0000000000..733099041f
--- /dev/null
+++ b/vendor/golang.org/x/mod/PATENTS
@@ -0,0 +1,22 @@
+Additional IP Rights Grant (Patents)
+
+"This implementation" means the copyrightable works distributed by
+Google as part of the Go project.
+
+Google hereby grants to You a perpetual, worldwide, non-exclusive,
+no-charge, royalty-free, irrevocable (except as stated in this section)
+patent license to make, have made, use, offer to sell, sell, import,
+transfer and otherwise run, modify and propagate the contents of this
+implementation of Go, where such license applies only to those patent
+claims, both currently owned or controlled by Google and acquired in
+the future, licensable by Google that are necessarily infringed by this
+implementation of Go.  This grant does not include claims that would be
+infringed only as a consequence of further modification of this
+implementation.  If you or your agent or exclusive licensee institute or
+order or agree to the institution of patent litigation against any
+entity (including a cross-claim or counterclaim in a lawsuit) alleging
+that this implementation of Go or any code incorporated within this
+implementation of Go constitutes direct or contributory patent
+infringement, or inducement of patent infringement, then any patent
+rights granted to you under this License for this implementation of Go
+shall terminate as of the date such litigation is filed.
diff --git a/vendor/golang.org/x/mod/semver/semver.go b/vendor/golang.org/x/mod/semver/semver.go
new file mode 100644
index 0000000000..824b282c83
--- /dev/null
+++ b/vendor/golang.org/x/mod/semver/semver.go
@@ -0,0 +1,407 @@
+// Copyright 2018 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package semver implements comparison of semantic version strings.
+// In this package, semantic version strings must begin with a leading "v",
+// as in "v1.0.0".
+//
+// The general form of a semantic version string accepted by this package is
+//
+//	vMAJOR[.MINOR[.PATCH[-PRERELEASE][+BUILD]]]
+//
+// where square brackets indicate optional parts of the syntax;
+// MAJOR, MINOR, and PATCH are decimal integers without extra leading zeros;
+// PRERELEASE and BUILD are each a series of non-empty dot-separated identifiers
+// using only alphanumeric characters and hyphens; and
+// all-numeric PRERELEASE identifiers must not have leading zeros.
+//
+// This package follows Semantic Versioning 2.0.0 (see semver.org)
+// with two exceptions. First, it requires the "v" prefix. Second, it recognizes
+// vMAJOR and vMAJOR.MINOR (with no prerelease or build suffixes)
+// as shorthands for vMAJOR.0.0 and vMAJOR.MINOR.0.
+package semver
+
+import (
+	"slices"
+	"strings"
+)
+
+// parsed returns the parsed form of a semantic version string.
+type parsed struct {
+	major      string
+	minor      string
+	patch      string
+	short      string
+	prerelease string
+	build      string
+}
+
+// IsValid reports whether v is a valid semantic version string.
+func IsValid(v string) bool {
+	_, ok := parse(v)
+	return ok
+}
+
+// Canonical returns the canonical formatting of the semantic version v.
+// It fills in any missing .MINOR or .PATCH and discards build metadata.
+// Two semantic versions compare equal only if their canonical formatting
+// is an identical string.
+// The canonical invalid semantic version is the empty string.
+func Canonical(v string) string {
+	p, ok := parse(v)
+	if !ok {
+		return ""
+	}
+	if p.build != "" {
+		return v[:len(v)-len(p.build)]
+	}
+	if p.short != "" {
+		return v + p.short
+	}
+	return v
+}
+
+// Major returns the major version prefix of the semantic version v.
+// For example, Major("v2.1.0") == "v2".
+// If v is an invalid semantic version string, Major returns the empty string.
+func Major(v string) string {
+	pv, ok := parse(v)
+	if !ok {
+		return ""
+	}
+	return v[:1+len(pv.major)]
+}
+
+// MajorMinor returns the major.minor version prefix of the semantic version v.
+// For example, MajorMinor("v2.1.0") == "v2.1".
+// If v is an invalid semantic version string, MajorMinor returns the empty string.
+func MajorMinor(v string) string {
+	pv, ok := parse(v)
+	if !ok {
+		return ""
+	}
+	i := 1 + len(pv.major)
+	if j := i + 1 + len(pv.minor); j <= len(v) && v[i] == '.' && v[i+1:j] == pv.minor {
+		return v[:j]
+	}
+	return v[:i] + "." + pv.minor
+}
+
+// Prerelease returns the prerelease suffix of the semantic version v.
+// For example, Prerelease("v2.1.0-pre+meta") == "-pre".
+// If v is an invalid semantic version string, Prerelease returns the empty string.
+func Prerelease(v string) string {
+	pv, ok := parse(v)
+	if !ok {
+		return ""
+	}
+	return pv.prerelease
+}
+
+// Build returns the build suffix of the semantic version v.
+// For example, Build("v2.1.0+meta") == "+meta".
+// If v is an invalid semantic version string, Build returns the empty string.
+func Build(v string) string {
+	pv, ok := parse(v)
+	if !ok {
+		return ""
+	}
+	return pv.build
+}
+
+// Compare returns an integer comparing two versions according to
+// semantic version precedence.
+// The result will be 0 if v == w, -1 if v < w, or +1 if v > w.
+//
+// An invalid semantic version string is considered less than a valid one.
+// All invalid semantic version strings compare equal to each other.
+func Compare(v, w string) int {
+	pv, ok1 := parse(v)
+	pw, ok2 := parse(w)
+	if !ok1 && !ok2 {
+		return 0
+	}
+	if !ok1 {
+		return -1
+	}
+	if !ok2 {
+		return +1
+	}
+	if c := compareInt(pv.major, pw.major); c != 0 {
+		return c
+	}
+	if c := compareInt(pv.minor, pw.minor); c != 0 {
+		return c
+	}
+	if c := compareInt(pv.patch, pw.patch); c != 0 {
+		return c
+	}
+	return comparePrerelease(pv.prerelease, pw.prerelease)
+}
+
+// Max canonicalizes its arguments and then returns the version string
+// that compares greater.
+//
+// Deprecated: use [Compare] instead. In most cases, returning a canonicalized
+// version is not expected or desired.
+func Max(v, w string) string {
+	v = Canonical(v)
+	w = Canonical(w)
+	if Compare(v, w) > 0 {
+		return v
+	}
+	return w
+}
+
+// ByVersion implements [sort.Interface] for sorting semantic version strings.
+type ByVersion []string
+
+func (vs ByVersion) Len() int           { return len(vs) }
+func (vs ByVersion) Swap(i, j int)      { vs[i], vs[j] = vs[j], vs[i] }
+func (vs ByVersion) Less(i, j int) bool { return compareVersion(vs[i], vs[j]) < 0 }
+
+// Sort sorts a list of semantic version strings using [Compare] and falls back
+// to use [strings.Compare] if both versions are considered equal.
+func Sort(list []string) {
+	slices.SortFunc(list, compareVersion)
+}
+
+func compareVersion(a, b string) int {
+	cmp := Compare(a, b)
+	if cmp != 0 {
+		return cmp
+	}
+	return strings.Compare(a, b)
+}
+
+func parse(v string) (p parsed, ok bool) {
+	if v == "" || v[0] != 'v' {
+		return
+	}
+	p.major, v, ok = parseInt(v[1:])
+	if !ok {
+		return
+	}
+	if v == "" {
+		p.minor = "0"
+		p.patch = "0"
+		p.short = ".0.0"
+		return
+	}
+	if v[0] != '.' {
+		ok = false
+		return
+	}
+	p.minor, v, ok = parseInt(v[1:])
+	if !ok {
+		return
+	}
+	if v == "" {
+		p.patch = "0"
+		p.short = ".0"
+		return
+	}
+	if v[0] != '.' {
+		ok = false
+		return
+	}
+	p.patch, v, ok = parseInt(v[1:])
+	if !ok {
+		return
+	}
+	if len(v) > 0 && v[0] == '-' {
+		p.prerelease, v, ok = parsePrerelease(v)
+		if !ok {
+			return
+		}
+	}
+	if len(v) > 0 && v[0] == '+' {
+		p.build, v, ok = parseBuild(v)
+		if !ok {
+			return
+		}
+	}
+	if v != "" {
+		ok = false
+		return
+	}
+	ok = true
+	return
+}
+
+func parseInt(v string) (t, rest string, ok bool) {
+	if v == "" {
+		return
+	}
+	if v[0] < '0' || '9' < v[0] {
+		return
+	}
+	i := 1
+	for i < len(v) && '0' <= v[i] && v[i] <= '9' {
+		i++
+	}
+	if v[0] == '0' && i != 1 {
+		return
+	}
+	return v[:i], v[i:], true
+}
+
+func parsePrerelease(v string) (t, rest string, ok bool) {
+	// "A pre-release version MAY be denoted by appending a hyphen and
+	// a series of dot separated identifiers immediately following the patch version.
+	// Identifiers MUST comprise only ASCII alphanumerics and hyphen [0-9A-Za-z-].
+	// Identifiers MUST NOT be empty. Numeric identifiers MUST NOT include leading zeroes."
+	if v == "" || v[0] != '-' {
+		return
+	}
+	i := 1
+	start := 1
+	for i < len(v) && v[i] != '+' {
+		if !isIdentChar(v[i]) && v[i] != '.' {
+			return
+		}
+		if v[i] == '.' {
+			if start == i || isBadNum(v[start:i]) {
+				return
+			}
+			start = i + 1
+		}
+		i++
+	}
+	if start == i || isBadNum(v[start:i]) {
+		return
+	}
+	return v[:i], v[i:], true
+}
+
+func parseBuild(v string) (t, rest string, ok bool) {
+	if v == "" || v[0] != '+' {
+		return
+	}
+	i := 1
+	start := 1
+	for i < len(v) {
+		if !isIdentChar(v[i]) && v[i] != '.' {
+			return
+		}
+		if v[i] == '.' {
+			if start == i {
+				return
+			}
+			start = i + 1
+		}
+		i++
+	}
+	if start == i {
+		return
+	}
+	return v[:i], v[i:], true
+}
+
+func isIdentChar(c byte) bool {
+	return 'A' <= c && c <= 'Z' || 'a' <= c && c <= 'z' || '0' <= c && c <= '9' || c == '-'
+}
+
+func isBadNum(v string) bool {
+	i := 0
+	for i < len(v) && '0' <= v[i] && v[i] <= '9' {
+		i++
+	}
+	return i == len(v) && i > 1 && v[0] == '0'
+}
+
+func isNum(v string) bool {
+	i := 0
+	for i < len(v) && '0' <= v[i] && v[i] <= '9' {
+		i++
+	}
+	return i == len(v)
+}
+
+func compareInt(x, y string) int {
+	if x == y {
+		return 0
+	}
+	if len(x) < len(y) {
+		return -1
+	}
+	if len(x) > len(y) {
+		return +1
+	}
+	if x < y {
+		return -1
+	} else {
+		return +1
+	}
+}
+
+func comparePrerelease(x, y string) int {
+	// "When major, minor, and patch are equal, a pre-release version has
+	// lower precedence than a normal version.
+	// Example: 1.0.0-alpha < 1.0.0.
+	// Precedence for two pre-release versions with the same major, minor,
+	// and patch version MUST be determined by comparing each dot separated
+	// identifier from left to right until a difference is found as follows:
+	// identifiers consisting of only digits are compared numerically and
+	// identifiers with letters or hyphens are compared lexically in ASCII
+	// sort order. Numeric identifiers always have lower precedence than
+	// non-numeric identifiers. A larger set of pre-release fields has a
+	// higher precedence than a smaller set, if all of the preceding
+	// identifiers are equal.
+	// Example: 1.0.0-alpha < 1.0.0-alpha.1 < 1.0.0-alpha.beta <
+	// 1.0.0-beta < 1.0.0-beta.2 < 1.0.0-beta.11 < 1.0.0-rc.1 < 1.0.0."
+	if x == y {
+		return 0
+	}
+	if x == "" {
+		return +1
+	}
+	if y == "" {
+		return -1
+	}
+	for x != "" && y != "" {
+		x = x[1:] // skip - or .
+		y = y[1:] // skip - or .
+		var dx, dy string
+		dx, x = nextIdent(x)
+		dy, y = nextIdent(y)
+		if dx != dy {
+			ix := isNum(dx)
+			iy := isNum(dy)
+			if ix != iy {
+				if ix {
+					return -1
+				} else {
+					return +1
+				}
+			}
+			if ix {
+				if len(dx) < len(dy) {
+					return -1
+				}
+				if len(dx) > len(dy) {
+					return +1
+				}
+			}
+			if dx < dy {
+				return -1
+			} else {
+				return +1
+			}
+		}
+	}
+	if x == "" {
+		return -1
+	} else {
+		return +1
+	}
+}
+
+func nextIdent(x string) (dx, rest string) {
+	i := 0
+	for i < len(x) && x[i] != '.' {
+		i++
+	}
+	return x[:i], x[i:]
+}
diff --git a/vendor/golang.org/x/net/context/context.go b/vendor/golang.org/x/net/context/context.go
index d3cb951752..24cea68820 100644
--- a/vendor/golang.org/x/net/context/context.go
+++ b/vendor/golang.org/x/net/context/context.go
@@ -2,42 +2,9 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-// Package context defines the Context type, which carries deadlines,
-// cancellation signals, and other request-scoped values across API boundaries
-// and between processes.
-// As of Go 1.7 this package is available in the standard library under the
-// name [context].
-//
-// Incoming requests to a server should create a [Context], and outgoing
-// calls to servers should accept a Context. The chain of function
-// calls between them must propagate the Context, optionally replacing
-// it with a derived Context created using [WithCancel], [WithDeadline],
-// [WithTimeout], or [WithValue].
-//
-// Programs that use Contexts should follow these rules to keep interfaces
-// consistent across packages and enable static analysis tools to check context
-// propagation:
-//
-// Do not store Contexts inside a struct type; instead, pass a Context
-// explicitly to each function that needs it. This is discussed further in
-// https://go.dev/blog/context-and-structs. The Context should be the first
-// parameter, typically named ctx:
-//
-//	func DoSomething(ctx context.Context, arg Arg) error {
-//		// ... use ctx ...
-//	}
-//
-// Do not pass a nil [Context], even if a function permits it. Pass [context.TODO]
-// if you are unsure about which Context to use.
-//
-// Use context Values only for request-scoped data that transits processes and
-// APIs, not for passing optional parameters to functions.
-//
-// The same Context may be passed to functions running in different goroutines;
-// Contexts are safe for simultaneous use by multiple goroutines.
+// Package context has been superseded by the standard library [context] package.
 //
-// See https://go.dev/blog/context for example code for a server that uses
-// Contexts.
+// Deprecated: Use the standard library context package instead.
 package context
 
 import (
diff --git a/vendor/golang.org/x/net/html/escape.go b/vendor/golang.org/x/net/html/escape.go
index 04c6bec210..12f2273706 100644
--- a/vendor/golang.org/x/net/html/escape.go
+++ b/vendor/golang.org/x/net/html/escape.go
@@ -299,7 +299,7 @@ func escape(w writer, s string) error {
 		case '\r':
 			esc = "
"
 		default:
-			panic("unrecognized escape character")
+			panic("html: unrecognized escape character")
 		}
 		s = s[i+1:]
 		if _, err := w.WriteString(esc); err != nil {
diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go
index 518ee4c94e..88fc0056a3 100644
--- a/vendor/golang.org/x/net/html/parse.go
+++ b/vendor/golang.org/x/net/html/parse.go
@@ -136,7 +136,7 @@ func (p *parser) indexOfElementInScope(s scope, matchTags ...a.Atom) int {
 					return -1
 				}
 			default:
-				panic("unreachable")
+				panic(fmt.Sprintf("html: internal error: indexOfElementInScope unknown scope: %d", s))
 			}
 		}
 		switch s {
@@ -179,7 +179,7 @@ func (p *parser) clearStackToContext(s scope) {
 				return
 			}
 		default:
-			panic("unreachable")
+			panic(fmt.Sprintf("html: internal error: clearStackToContext unknown scope: %d", s))
 		}
 	}
 }
@@ -231,7 +231,14 @@ func (p *parser) addChild(n *Node) {
 	}
 
 	if n.Type == ElementNode {
-		p.oe = append(p.oe, n)
+		p.insertOpenElement(n)
+	}
+}
+
+func (p *parser) insertOpenElement(n *Node) {
+	p.oe = append(p.oe, n)
+	if len(p.oe) > 512 {
+		panic("html: open stack of elements exceeds 512 nodes")
 	}
 }
 
@@ -810,7 +817,7 @@ func afterHeadIM(p *parser) bool {
 			p.im = inFramesetIM
 			return true
 		case a.Base, a.Basefont, a.Bgsound, a.Link, a.Meta, a.Noframes, a.Script, a.Style, a.Template, a.Title:
-			p.oe = append(p.oe, p.head)
+			p.insertOpenElement(p.head)
 			defer p.oe.remove(p.head)
 			return inHeadIM(p)
 		case a.Head:
@@ -1678,7 +1685,7 @@ func inTableBodyIM(p *parser) bool {
 	return inTableIM(p)
 }
 
-// Section 12.2.6.4.14.
+// Section 13.2.6.4.14.
 func inRowIM(p *parser) bool {
 	switch p.tok.Type {
 	case StartTagToken:
@@ -1690,7 +1697,9 @@ func inRowIM(p *parser) bool {
 			p.im = inCellIM
 			return true
 		case a.Caption, a.Col, a.Colgroup, a.Tbody, a.Tfoot, a.Thead, a.Tr:
-			if p.popUntil(tableScope, a.Tr) {
+			if p.elementInScope(tableScope, a.Tr) {
+				p.clearStackToContext(tableRowScope)
+				p.oe.pop()
 				p.im = inTableBodyIM
 				return false
 			}
@@ -1700,22 +1709,28 @@ func inRowIM(p *parser) bool {
 	case EndTagToken:
 		switch p.tok.DataAtom {
 		case a.Tr:
-			if p.popUntil(tableScope, a.Tr) {
+			if p.elementInScope(tableScope, a.Tr) {
+				p.clearStackToContext(tableRowScope)
+				p.oe.pop()
 				p.im = inTableBodyIM
 				return true
 			}
 			// Ignore the token.
 			return true
 		case a.Table:
-			if p.popUntil(tableScope, a.Tr) {
+			if p.elementInScope(tableScope, a.Tr) {
+				p.clearStackToContext(tableRowScope)
+				p.oe.pop()
 				p.im = inTableBodyIM
 				return false
 			}
 			// Ignore the token.
 			return true
 		case a.Tbody, a.Tfoot, a.Thead:
-			if p.elementInScope(tableScope, p.tok.DataAtom) {
-				p.parseImpliedToken(EndTagToken, a.Tr, a.Tr.String())
+			if p.elementInScope(tableScope, p.tok.DataAtom) && p.elementInScope(tableScope, a.Tr) {
+				p.clearStackToContext(tableRowScope)
+				p.oe.pop()
+				p.im = inTableBodyIM
 				return false
 			}
 			// Ignore the token.
@@ -2222,16 +2237,20 @@ func parseForeignContent(p *parser) bool {
 			p.acknowledgeSelfClosingTag()
 		}
 	case EndTagToken:
+		if strings.EqualFold(p.oe[len(p.oe)-1].Data, p.tok.Data) {
+			p.oe = p.oe[:len(p.oe)-1]
+			return true
+		}
 		for i := len(p.oe) - 1; i >= 0; i-- {
-			if p.oe[i].Namespace == "" {
-				return p.im(p)
-			}
 			if strings.EqualFold(p.oe[i].Data, p.tok.Data) {
 				p.oe = p.oe[:i]
+				return true
+			}
+			if i > 0 && p.oe[i-1].Namespace == "" {
 				break
 			}
 		}
-		return true
+		return p.im(p)
 	default:
 		// Ignore the token.
 	}
@@ -2312,9 +2331,13 @@ func (p *parser) parseCurrentToken() {
 	}
 }
 
-func (p *parser) parse() error {
+func (p *parser) parse() (err error) {
+	defer func() {
+		if panicErr := recover(); panicErr != nil {
+			err = fmt.Errorf("%s", panicErr)
+		}
+	}()
 	// Iterate until EOF. Any other error will cause an early return.
-	var err error
 	for err != io.EOF {
 		// CDATA sections are allowed only in foreign content.
 		n := p.oe.top()
@@ -2343,6 +2366,8 @@ func (p *parser) parse() error {
 // s. Conversely, explicit s in r's data can be silently dropped,
 // with no corresponding node in the resulting tree.
 //
+// Parse will reject HTML that is nested deeper than 512 elements.
+//
 // The input is assumed to be UTF-8 encoded.
 func Parse(r io.Reader) (*Node, error) {
 	return ParseWithOptions(r)
diff --git a/vendor/golang.org/x/net/html/render.go b/vendor/golang.org/x/net/html/render.go
index e8c1233455..0157d89e1f 100644
--- a/vendor/golang.org/x/net/html/render.go
+++ b/vendor/golang.org/x/net/html/render.go
@@ -184,7 +184,7 @@ func render1(w writer, n *Node) error {
 		return err
 	}
 
-	// Add initial newline where there is danger of a newline beging ignored.
+	// Add initial newline where there is danger of a newline being ignored.
 	if c := n.FirstChild; c != nil && c.Type == TextNode && strings.HasPrefix(c.Data, "\n") {
 		switch n.Data {
 		case "pre", "listing", "textarea":
diff --git a/vendor/golang.org/x/net/http2/config.go b/vendor/golang.org/x/net/http2/config.go
index 02fe0c2d48..8a7a89d016 100644
--- a/vendor/golang.org/x/net/http2/config.go
+++ b/vendor/golang.org/x/net/http2/config.go
@@ -27,6 +27,7 @@ import (
 //   - If the resulting value is zero or out of range, use a default.
 type http2Config struct {
 	MaxConcurrentStreams         uint32
+	StrictMaxConcurrentRequests  bool
 	MaxDecoderHeaderTableSize    uint32
 	MaxEncoderHeaderTableSize    uint32
 	MaxReadFrameSize             uint32
@@ -64,12 +65,13 @@ func configFromServer(h1 *http.Server, h2 *Server) http2Config {
 // (the net/http Transport).
 func configFromTransport(h2 *Transport) http2Config {
 	conf := http2Config{
-		MaxEncoderHeaderTableSize: h2.MaxEncoderHeaderTableSize,
-		MaxDecoderHeaderTableSize: h2.MaxDecoderHeaderTableSize,
-		MaxReadFrameSize:          h2.MaxReadFrameSize,
-		SendPingTimeout:           h2.ReadIdleTimeout,
-		PingTimeout:               h2.PingTimeout,
-		WriteByteTimeout:          h2.WriteByteTimeout,
+		StrictMaxConcurrentRequests: h2.StrictMaxConcurrentStreams,
+		MaxEncoderHeaderTableSize:   h2.MaxEncoderHeaderTableSize,
+		MaxDecoderHeaderTableSize:   h2.MaxDecoderHeaderTableSize,
+		MaxReadFrameSize:            h2.MaxReadFrameSize,
+		SendPingTimeout:             h2.ReadIdleTimeout,
+		PingTimeout:                 h2.PingTimeout,
+		WriteByteTimeout:            h2.WriteByteTimeout,
 	}
 
 	// Unlike most config fields, where out-of-range values revert to the default,
@@ -128,6 +130,9 @@ func fillNetHTTPConfig(conf *http2Config, h2 *http.HTTP2Config) {
 	if h2.MaxConcurrentStreams != 0 {
 		conf.MaxConcurrentStreams = uint32(h2.MaxConcurrentStreams)
 	}
+	if http2ConfigStrictMaxConcurrentRequests(h2) {
+		conf.StrictMaxConcurrentRequests = true
+	}
 	if h2.MaxEncoderHeaderTableSize != 0 {
 		conf.MaxEncoderHeaderTableSize = uint32(h2.MaxEncoderHeaderTableSize)
 	}
diff --git a/vendor/golang.org/x/net/http2/config_go125.go b/vendor/golang.org/x/net/http2/config_go125.go
new file mode 100644
index 0000000000..b4373fe33c
--- /dev/null
+++ b/vendor/golang.org/x/net/http2/config_go125.go
@@ -0,0 +1,15 @@
+// Copyright 2025 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build !go1.26
+
+package http2
+
+import (
+	"net/http"
+)
+
+func http2ConfigStrictMaxConcurrentRequests(h2 *http.HTTP2Config) bool {
+	return false
+}
diff --git a/vendor/golang.org/x/net/http2/config_go126.go b/vendor/golang.org/x/net/http2/config_go126.go
new file mode 100644
index 0000000000..6b071c149d
--- /dev/null
+++ b/vendor/golang.org/x/net/http2/config_go126.go
@@ -0,0 +1,15 @@
+// Copyright 2025 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build go1.26
+
+package http2
+
+import (
+	"net/http"
+)
+
+func http2ConfigStrictMaxConcurrentRequests(h2 *http.HTTP2Config) bool {
+	return h2.StrictMaxConcurrentRequests
+}
diff --git a/vendor/golang.org/x/net/http2/frame.go b/vendor/golang.org/x/net/http2/frame.go
index db3264da8c..9a4bd123c9 100644
--- a/vendor/golang.org/x/net/http2/frame.go
+++ b/vendor/golang.org/x/net/http2/frame.go
@@ -280,6 +280,8 @@ type Framer struct {
 	// lastHeaderStream is non-zero if the last frame was an
 	// unfinished HEADERS/CONTINUATION.
 	lastHeaderStream uint32
+	// lastFrameType holds the type of the last frame for verifying frame order.
+	lastFrameType FrameType
 
 	maxReadSize uint32
 	headerBuf   [frameHeaderLen]byte
@@ -347,7 +349,7 @@ func (fr *Framer) maxHeaderListSize() uint32 {
 func (f *Framer) startWrite(ftype FrameType, flags Flags, streamID uint32) {
 	// Write the FrameHeader.
 	f.wbuf = append(f.wbuf[:0],
-		0, // 3 bytes of length, filled in in endWrite
+		0, // 3 bytes of length, filled in endWrite
 		0,
 		0,
 		byte(ftype),
@@ -488,30 +490,41 @@ func terminalReadFrameError(err error) bool {
 	return err != nil
 }
 
-// ReadFrame reads a single frame. The returned Frame is only valid
-// until the next call to ReadFrame.
+// ReadFrameHeader reads the header of the next frame.
+// It reads the 9-byte fixed frame header, and does not read any portion of the
+// frame payload. The caller is responsible for consuming the payload, either
+// with ReadFrameForHeader or directly from the Framer's io.Reader.
 //
-// If the frame is larger than previously set with SetMaxReadFrameSize, the
-// returned error is ErrFrameTooLarge. Other errors may be of type
-// ConnectionError, StreamError, or anything else from the underlying
-// reader.
+// If the frame is larger than previously set with SetMaxReadFrameSize, it
+// returns the frame header and ErrFrameTooLarge.
 //
-// If ReadFrame returns an error and a non-nil Frame, the Frame's StreamID
-// indicates the stream responsible for the error.
-func (fr *Framer) ReadFrame() (Frame, error) {
+// If the returned FrameHeader.StreamID is non-zero, it indicates the stream
+// responsible for the error.
+func (fr *Framer) ReadFrameHeader() (FrameHeader, error) {
 	fr.errDetail = nil
-	if fr.lastFrame != nil {
-		fr.lastFrame.invalidate()
-	}
 	fh, err := readFrameHeader(fr.headerBuf[:], fr.r)
 	if err != nil {
-		return nil, err
+		return fh, err
 	}
 	if fh.Length > fr.maxReadSize {
 		if fh == invalidHTTP1LookingFrameHeader() {
-			return nil, fmt.Errorf("http2: failed reading the frame payload: %w, note that the frame header looked like an HTTP/1.1 header", ErrFrameTooLarge)
+			return fh, fmt.Errorf("http2: failed reading the frame payload: %w, note that the frame header looked like an HTTP/1.1 header", ErrFrameTooLarge)
 		}
-		return nil, ErrFrameTooLarge
+		return fh, ErrFrameTooLarge
+	}
+	if err := fr.checkFrameOrder(fh); err != nil {
+		return fh, err
+	}
+	return fh, nil
+}
+
+// ReadFrameForHeader reads the payload for the frame with the given FrameHeader.
+//
+// It behaves identically to ReadFrame, other than not checking the maximum
+// frame size.
+func (fr *Framer) ReadFrameForHeader(fh FrameHeader) (Frame, error) {
+	if fr.lastFrame != nil {
+		fr.lastFrame.invalidate()
 	}
 	payload := fr.getReadBuf(fh.Length)
 	if _, err := io.ReadFull(fr.r, payload); err != nil {
@@ -527,9 +540,7 @@ func (fr *Framer) ReadFrame() (Frame, error) {
 		}
 		return nil, err
 	}
-	if err := fr.checkFrameOrder(f); err != nil {
-		return nil, err
-	}
+	fr.lastFrame = f
 	if fr.logReads {
 		fr.debugReadLoggerf("http2: Framer %p: read %v", fr, summarizeFrame(f))
 	}
@@ -539,6 +550,24 @@ func (fr *Framer) ReadFrame() (Frame, error) {
 	return f, nil
 }
 
+// ReadFrame reads a single frame. The returned Frame is only valid
+// until the next call to ReadFrame or ReadFrameBodyForHeader.
+//
+// If the frame is larger than previously set with SetMaxReadFrameSize, the
+// returned error is ErrFrameTooLarge. Other errors may be of type
+// ConnectionError, StreamError, or anything else from the underlying
+// reader.
+//
+// If ReadFrame returns an error and a non-nil Frame, the Frame's StreamID
+// indicates the stream responsible for the error.
+func (fr *Framer) ReadFrame() (Frame, error) {
+	fh, err := fr.ReadFrameHeader()
+	if err != nil {
+		return nil, err
+	}
+	return fr.ReadFrameForHeader(fh)
+}
+
 // connError returns ConnectionError(code) but first
 // stashes away a public reason to the caller can optionally relay it
 // to the peer before hanging up on them. This might help others debug
@@ -551,20 +580,19 @@ func (fr *Framer) connError(code ErrCode, reason string) error {
 // checkFrameOrder reports an error if f is an invalid frame to return
 // next from ReadFrame. Mostly it checks whether HEADERS and
 // CONTINUATION frames are contiguous.
-func (fr *Framer) checkFrameOrder(f Frame) error {
-	last := fr.lastFrame
-	fr.lastFrame = f
+func (fr *Framer) checkFrameOrder(fh FrameHeader) error {
+	lastType := fr.lastFrameType
+	fr.lastFrameType = fh.Type
 	if fr.AllowIllegalReads {
 		return nil
 	}
 
-	fh := f.Header()
 	if fr.lastHeaderStream != 0 {
 		if fh.Type != FrameContinuation {
 			return fr.connError(ErrCodeProtocol,
 				fmt.Sprintf("got %s for stream %d; expected CONTINUATION following %s for stream %d",
 					fh.Type, fh.StreamID,
-					last.Header().Type, fr.lastHeaderStream))
+					lastType, fr.lastHeaderStream))
 		}
 		if fh.StreamID != fr.lastHeaderStream {
 			return fr.connError(ErrCodeProtocol,
@@ -1152,7 +1180,16 @@ type PriorityFrame struct {
 	PriorityParam
 }
 
-// PriorityParam are the stream prioritzation parameters.
+var defaultRFC9218Priority = PriorityParam{
+	incremental: 0,
+	urgency:     3,
+}
+
+// Note that HTTP/2 has had two different prioritization schemes, and
+// PriorityParam struct below is a superset of both schemes. The exported
+// symbols are from RFC 7540 and the non-exported ones are from RFC 9218.
+
+// PriorityParam are the stream prioritization parameters.
 type PriorityParam struct {
 	// StreamDep is a 31-bit stream identifier for the
 	// stream that this stream depends on. Zero means no
@@ -1167,6 +1204,20 @@ type PriorityParam struct {
 	// the spec, "Add one to the value to obtain a weight between
 	// 1 and 256."
 	Weight uint8
+
+	// "The urgency (u) parameter value is Integer (see Section 3.3.1 of
+	// [STRUCTURED-FIELDS]), between 0 and 7 inclusive, in descending order of
+	// priority. The default is 3."
+	urgency uint8
+
+	// "The incremental (i) parameter value is Boolean (see Section 3.3.6 of
+	// [STRUCTURED-FIELDS]). It indicates if an HTTP response can be processed
+	// incrementally, i.e., provide some meaningful output as chunks of the
+	// response arrive."
+	//
+	// We use uint8 (i.e. 0 is false, 1 is true) instead of bool so we can
+	// avoid unnecessary type conversions and because either type takes 1 byte.
+	incremental uint8
 }
 
 func (p PriorityParam) IsZero() bool {
diff --git a/vendor/golang.org/x/net/http2/http2.go b/vendor/golang.org/x/net/http2/http2.go
index 6878f8ecc9..105fe12fef 100644
--- a/vendor/golang.org/x/net/http2/http2.go
+++ b/vendor/golang.org/x/net/http2/http2.go
@@ -34,7 +34,6 @@ var (
 	VerboseLogs    bool
 	logFrameWrites bool
 	logFrameReads  bool
-	inTests        bool
 
 	// Enabling extended CONNECT by causes browsers to attempt to use
 	// WebSockets-over-HTTP/2. This results in problems when the server's websocket
diff --git a/vendor/golang.org/x/net/http2/server.go b/vendor/golang.org/x/net/http2/server.go
index 64085f6e16..bdc5520ebd 100644
--- a/vendor/golang.org/x/net/http2/server.go
+++ b/vendor/golang.org/x/net/http2/server.go
@@ -181,6 +181,10 @@ type Server struct {
 type serverInternalState struct {
 	mu          sync.Mutex
 	activeConns map[*serverConn]struct{}
+
+	// Pool of error channels. This is per-Server rather than global
+	// because channels can't be reused across synctest bubbles.
+	errChanPool sync.Pool
 }
 
 func (s *serverInternalState) registerConn(sc *serverConn) {
@@ -212,6 +216,27 @@ func (s *serverInternalState) startGracefulShutdown() {
 	s.mu.Unlock()
 }
 
+// Global error channel pool used for uninitialized Servers.
+// We use a per-Server pool when possible to avoid using channels across synctest bubbles.
+var errChanPool = sync.Pool{
+	New: func() any { return make(chan error, 1) },
+}
+
+func (s *serverInternalState) getErrChan() chan error {
+	if s == nil {
+		return errChanPool.Get().(chan error) // Server used without calling ConfigureServer
+	}
+	return s.errChanPool.Get().(chan error)
+}
+
+func (s *serverInternalState) putErrChan(ch chan error) {
+	if s == nil {
+		errChanPool.Put(ch) // Server used without calling ConfigureServer
+		return
+	}
+	s.errChanPool.Put(ch)
+}
+
 // ConfigureServer adds HTTP/2 support to a net/http Server.
 //
 // The configuration conf may be nil.
@@ -224,7 +249,10 @@ func ConfigureServer(s *http.Server, conf *Server) error {
 	if conf == nil {
 		conf = new(Server)
 	}
-	conf.state = &serverInternalState{activeConns: make(map[*serverConn]struct{})}
+	conf.state = &serverInternalState{
+		activeConns: make(map[*serverConn]struct{}),
+		errChanPool: sync.Pool{New: func() any { return make(chan error, 1) }},
+	}
 	if h1, h2 := s, conf; h2.IdleTimeout == 0 {
 		if h1.IdleTimeout != 0 {
 			h2.IdleTimeout = h1.IdleTimeout
@@ -1124,25 +1152,6 @@ func (sc *serverConn) readPreface() error {
 	}
 }
 
-var errChanPool = sync.Pool{
-	New: func() interface{} { return make(chan error, 1) },
-}
-
-func getErrChan() chan error {
-	if inTests {
-		// Channels cannot be reused across synctest tests.
-		return make(chan error, 1)
-	} else {
-		return errChanPool.Get().(chan error)
-	}
-}
-
-func putErrChan(ch chan error) {
-	if !inTests {
-		errChanPool.Put(ch)
-	}
-}
-
 var writeDataPool = sync.Pool{
 	New: func() interface{} { return new(writeData) },
 }
@@ -1150,7 +1159,7 @@ var writeDataPool = sync.Pool{
 // writeDataFromHandler writes DATA response frames from a handler on
 // the given stream.
 func (sc *serverConn) writeDataFromHandler(stream *stream, data []byte, endStream bool) error {
-	ch := getErrChan()
+	ch := sc.srv.state.getErrChan()
 	writeArg := writeDataPool.Get().(*writeData)
 	*writeArg = writeData{stream.id, data, endStream}
 	err := sc.writeFrameFromHandler(FrameWriteRequest{
@@ -1182,7 +1191,7 @@ func (sc *serverConn) writeDataFromHandler(stream *stream, data []byte, endStrea
 			return errStreamClosed
 		}
 	}
-	putErrChan(ch)
+	sc.srv.state.putErrChan(ch)
 	if frameWriteDone {
 		writeDataPool.Put(writeArg)
 	}
@@ -2436,7 +2445,7 @@ func (sc *serverConn) writeHeaders(st *stream, headerData *writeResHeaders) erro
 		// waiting for this frame to be written, so an http.Flush mid-handler
 		// writes out the correct value of keys, before a handler later potentially
 		// mutates it.
-		errc = getErrChan()
+		errc = sc.srv.state.getErrChan()
 	}
 	if err := sc.writeFrameFromHandler(FrameWriteRequest{
 		write:  headerData,
@@ -2448,7 +2457,7 @@ func (sc *serverConn) writeHeaders(st *stream, headerData *writeResHeaders) erro
 	if errc != nil {
 		select {
 		case err := <-errc:
-			putErrChan(errc)
+			sc.srv.state.putErrChan(errc)
 			return err
 		case <-sc.doneServing:
 			return errClientDisconnected
@@ -3129,7 +3138,7 @@ func (w *responseWriter) Push(target string, opts *http.PushOptions) error {
 		method: opts.Method,
 		url:    u,
 		header: cloneHeader(opts.Header),
-		done:   getErrChan(),
+		done:   sc.srv.state.getErrChan(),
 	}
 
 	select {
@@ -3146,7 +3155,7 @@ func (w *responseWriter) Push(target string, opts *http.PushOptions) error {
 	case <-st.cw:
 		return errStreamClosed
 	case err := <-msg.done:
-		putErrChan(msg.done)
+		sc.srv.state.putErrChan(msg.done)
 		return err
 	}
 }
diff --git a/vendor/golang.org/x/net/http2/transport.go b/vendor/golang.org/x/net/http2/transport.go
index 35e3902519..ccb87e6da3 100644
--- a/vendor/golang.org/x/net/http2/transport.go
+++ b/vendor/golang.org/x/net/http2/transport.go
@@ -9,6 +9,7 @@ package http2
 import (
 	"bufio"
 	"bytes"
+	"compress/flate"
 	"compress/gzip"
 	"context"
 	"crypto/rand"
@@ -355,6 +356,7 @@ type ClientConn struct {
 	readIdleTimeout             time.Duration
 	pingTimeout                 time.Duration
 	extendedConnectAllowed      bool
+	strictMaxConcurrentStreams  bool
 
 	// rstStreamPingsBlocked works around an unfortunate gRPC behavior.
 	// gRPC strictly limits the number of PING frames that it will receive.
@@ -374,11 +376,24 @@ type ClientConn struct {
 	// completely unresponsive connection.
 	pendingResets int
 
+	// readBeforeStreamID is the smallest stream ID that has not been followed by
+	// a frame read from the peer. We use this to determine when a request may
+	// have been sent to a completely unresponsive connection:
+	// If the request ID is less than readBeforeStreamID, then we have had some
+	// indication of life on the connection since sending the request.
+	readBeforeStreamID uint32
+
 	// reqHeaderMu is a 1-element semaphore channel controlling access to sending new requests.
 	// Write to reqHeaderMu to lock it, read from it to unlock.
 	// Lock reqmu BEFORE mu or wmu.
 	reqHeaderMu chan struct{}
 
+	// internalStateHook reports state changes back to the net/http.ClientConn.
+	// Note that this is different from the user state hook registered by
+	// net/http.ClientConn.SetStateHook: The internal hook calls ClientConn,
+	// which calls the user hook.
+	internalStateHook func()
+
 	// wmu is held while writing.
 	// Acquire BEFORE mu when holding both, to avoid blocking mu on network writes.
 	// Only acquire both at the same time when changing peer settings.
@@ -708,7 +723,7 @@ func canRetryError(err error) bool {
 
 func (t *Transport) dialClientConn(ctx context.Context, addr string, singleUse bool) (*ClientConn, error) {
 	if t.transportTestHooks != nil {
-		return t.newClientConn(nil, singleUse)
+		return t.newClientConn(nil, singleUse, nil)
 	}
 	host, _, err := net.SplitHostPort(addr)
 	if err != nil {
@@ -718,7 +733,7 @@ func (t *Transport) dialClientConn(ctx context.Context, addr string, singleUse b
 	if err != nil {
 		return nil, err
 	}
-	return t.newClientConn(tconn, singleUse)
+	return t.newClientConn(tconn, singleUse, nil)
 }
 
 func (t *Transport) newTLSConfig(host string) *tls.Config {
@@ -770,10 +785,10 @@ func (t *Transport) expectContinueTimeout() time.Duration {
 }
 
 func (t *Transport) NewClientConn(c net.Conn) (*ClientConn, error) {
-	return t.newClientConn(c, t.disableKeepAlives())
+	return t.newClientConn(c, t.disableKeepAlives(), nil)
 }
 
-func (t *Transport) newClientConn(c net.Conn, singleUse bool) (*ClientConn, error) {
+func (t *Transport) newClientConn(c net.Conn, singleUse bool, internalStateHook func()) (*ClientConn, error) {
 	conf := configFromTransport(t)
 	cc := &ClientConn{
 		t:                           t,
@@ -784,7 +799,8 @@ func (t *Transport) newClientConn(c net.Conn, singleUse bool) (*ClientConn, erro
 		initialWindowSize:           65535,    // spec default
 		initialStreamRecvWindowSize: conf.MaxUploadBufferPerStream,
 		maxConcurrentStreams:        initialMaxConcurrentStreams, // "infinite", per spec. Use a smaller value until we have received server settings.
-		peerMaxHeaderListSize:       0xffffffffffffffff,          // "infinite", per spec. Use 2^64-1 instead.
+		strictMaxConcurrentStreams:  conf.StrictMaxConcurrentRequests,
+		peerMaxHeaderListSize:       0xffffffffffffffff, // "infinite", per spec. Use 2^64-1 instead.
 		streams:                     make(map[uint32]*clientStream),
 		singleUse:                   singleUse,
 		seenSettingsChan:            make(chan struct{}),
@@ -794,6 +810,7 @@ func (t *Transport) newClientConn(c net.Conn, singleUse bool) (*ClientConn, erro
 		pings:                       make(map[[8]byte]chan struct{}),
 		reqHeaderMu:                 make(chan struct{}, 1),
 		lastActive:                  time.Now(),
+		internalStateHook:           internalStateHook,
 	}
 	if t.transportTestHooks != nil {
 		t.transportTestHooks.newclientconn(cc)
@@ -1018,7 +1035,7 @@ func (cc *ClientConn) idleStateLocked() (st clientConnIdleState) {
 		return
 	}
 	var maxConcurrentOkay bool
-	if cc.t.StrictMaxConcurrentStreams {
+	if cc.strictMaxConcurrentStreams {
 		// We'll tell the caller we can take a new request to
 		// prevent the caller from dialing a new TCP
 		// connection, but then we'll block later before
@@ -1034,10 +1051,7 @@ func (cc *ClientConn) idleStateLocked() (st clientConnIdleState) {
 		maxConcurrentOkay = cc.currentRequestCountLocked() < int(cc.maxConcurrentStreams)
 	}
 
-	st.canTakeNewRequest = cc.goAway == nil && !cc.closed && !cc.closing && maxConcurrentOkay &&
-		!cc.doNotReuse &&
-		int64(cc.nextStreamID)+2*int64(cc.pendingRequests) < math.MaxInt32 &&
-		!cc.tooIdleLocked()
+	st.canTakeNewRequest = maxConcurrentOkay && cc.isUsableLocked()
 
 	// If this connection has never been used for a request and is closed,
 	// then let it take a request (which will fail).
@@ -1053,6 +1067,31 @@ func (cc *ClientConn) idleStateLocked() (st clientConnIdleState) {
 	return
 }
 
+func (cc *ClientConn) isUsableLocked() bool {
+	return cc.goAway == nil &&
+		!cc.closed &&
+		!cc.closing &&
+		!cc.doNotReuse &&
+		int64(cc.nextStreamID)+2*int64(cc.pendingRequests) < math.MaxInt32 &&
+		!cc.tooIdleLocked()
+}
+
+// canReserveLocked reports whether a net/http.ClientConn can reserve a slot on this conn.
+//
+// This follows slightly different rules than clientConnIdleState.canTakeNewRequest.
+// We only permit reservations up to the conn's concurrency limit.
+// This differs from ClientConn.ReserveNewRequest, which permits reservations
+// past the limit when StrictMaxConcurrentStreams is set.
+func (cc *ClientConn) canReserveLocked() bool {
+	if cc.currentRequestCountLocked() >= int(cc.maxConcurrentStreams) {
+		return false
+	}
+	if !cc.isUsableLocked() {
+		return false
+	}
+	return true
+}
+
 // currentRequestCountLocked reports the number of concurrency slots currently in use,
 // including active streams, reserved slots, and reset streams waiting for acknowledgement.
 func (cc *ClientConn) currentRequestCountLocked() int {
@@ -1064,6 +1103,14 @@ func (cc *ClientConn) canTakeNewRequestLocked() bool {
 	return st.canTakeNewRequest
 }
 
+// availableLocked reports the number of concurrency slots available.
+func (cc *ClientConn) availableLocked() int {
+	if !cc.canTakeNewRequestLocked() {
+		return 0
+	}
+	return max(0, int(cc.maxConcurrentStreams)-cc.currentRequestCountLocked())
+}
+
 // tooIdleLocked reports whether this connection has been been sitting idle
 // for too much wall time.
 func (cc *ClientConn) tooIdleLocked() bool {
@@ -1088,6 +1135,7 @@ func (cc *ClientConn) closeConn() {
 	t := time.AfterFunc(250*time.Millisecond, cc.forceCloseConn)
 	defer t.Stop()
 	cc.tconn.Close()
+	cc.maybeCallStateHook()
 }
 
 // A tls.Conn.Close can hang for a long time if the peer is unresponsive.
@@ -1613,6 +1661,8 @@ func (cs *clientStream) cleanupWriteRequest(err error) {
 	}
 	bodyClosed := cs.reqBodyClosed
 	closeOnIdle := cc.singleUse || cc.doNotReuse || cc.t.disableKeepAlives() || cc.goAway != nil
+	// Have we read any frames from the connection since sending this request?
+	readSinceStream := cc.readBeforeStreamID > cs.ID
 	cc.mu.Unlock()
 	if mustCloseBody {
 		cs.reqBody.Close()
@@ -1644,8 +1694,10 @@ func (cs *clientStream) cleanupWriteRequest(err error) {
 				//
 				// This could be due to the server becoming unresponsive.
 				// To avoid sending too many requests on a dead connection,
-				// we let the request continue to consume a concurrency slot
-				// until we can confirm the server is still responding.
+				// if we haven't read any frames from the connection since
+				// sending this request, we let it continue to consume
+				// a concurrency slot until we can confirm the server is
+				// still responding.
 				// We do this by sending a PING frame along with the RST_STREAM
 				// (unless a ping is already in flight).
 				//
@@ -1656,7 +1708,7 @@ func (cs *clientStream) cleanupWriteRequest(err error) {
 				// because it's short lived and will probably be closed before
 				// we get the ping response.
 				ping := false
-				if !closeOnIdle {
+				if !closeOnIdle && !readSinceStream {
 					cc.mu.Lock()
 					// rstStreamPingsBlocked works around a gRPC behavior:
 					// see comment on the field for details.
@@ -1690,6 +1742,7 @@ func (cs *clientStream) cleanupWriteRequest(err error) {
 	}
 
 	close(cs.donec)
+	cc.maybeCallStateHook()
 }
 
 // awaitOpenSlotForStreamLocked waits until len(streams) < maxConcurrentStreams.
@@ -2742,6 +2795,7 @@ func (rl *clientConnReadLoop) streamByID(id uint32, headerOrData bool) *clientSt
 		// See comment on ClientConn.rstStreamPingsBlocked for details.
 		rl.cc.rstStreamPingsBlocked = false
 	}
+	rl.cc.readBeforeStreamID = rl.cc.nextStreamID
 	cs := rl.cc.streams[id]
 	if cs != nil && !cs.readAborted {
 		return cs
@@ -2792,6 +2846,7 @@ func (rl *clientConnReadLoop) processSettings(f *SettingsFrame) error {
 
 func (rl *clientConnReadLoop) processSettingsNoWrite(f *SettingsFrame) error {
 	cc := rl.cc
+	defer cc.maybeCallStateHook()
 	cc.mu.Lock()
 	defer cc.mu.Unlock()
 
@@ -2972,6 +3027,7 @@ func (cc *ClientConn) Ping(ctx context.Context) error {
 func (rl *clientConnReadLoop) processPing(f *PingFrame) error {
 	if f.IsAck() {
 		cc := rl.cc
+		defer cc.maybeCallStateHook()
 		cc.mu.Lock()
 		defer cc.mu.Unlock()
 		// If ack, notify listener if any
@@ -3074,35 +3130,102 @@ type erringRoundTripper struct{ err error }
 func (rt erringRoundTripper) RoundTripErr() error                             { return rt.err }
 func (rt erringRoundTripper) RoundTrip(*http.Request) (*http.Response, error) { return nil, rt.err }
 
+var errConcurrentReadOnResBody = errors.New("http2: concurrent read on response body")
+
 // gzipReader wraps a response body so it can lazily
-// call gzip.NewReader on the first call to Read
+// get gzip.Reader from the pool on the first call to Read.
+// After Close is called it puts gzip.Reader to the pool immediately
+// if there is no Read in progress or later when Read completes.
 type gzipReader struct {
 	_    incomparable
 	body io.ReadCloser // underlying Response.Body
-	zr   *gzip.Reader  // lazily-initialized gzip reader
-	zerr error         // sticky error
+	mu   sync.Mutex    // guards zr and zerr
+	zr   *gzip.Reader  // stores gzip reader from the pool between reads
+	zerr error         // sticky gzip reader init error or sentinel value to detect concurrent read and read after close
 }
 
-func (gz *gzipReader) Read(p []byte) (n int, err error) {
+type eofReader struct{}
+
+func (eofReader) Read([]byte) (int, error) { return 0, io.EOF }
+func (eofReader) ReadByte() (byte, error)  { return 0, io.EOF }
+
+var gzipPool = sync.Pool{New: func() any { return new(gzip.Reader) }}
+
+// gzipPoolGet gets a gzip.Reader from the pool and resets it to read from r.
+func gzipPoolGet(r io.Reader) (*gzip.Reader, error) {
+	zr := gzipPool.Get().(*gzip.Reader)
+	if err := zr.Reset(r); err != nil {
+		gzipPoolPut(zr)
+		return nil, err
+	}
+	return zr, nil
+}
+
+// gzipPoolPut puts a gzip.Reader back into the pool.
+func gzipPoolPut(zr *gzip.Reader) {
+	// Reset will allocate bufio.Reader if we pass it anything
+	// other than a flate.Reader, so ensure that it's getting one.
+	var r flate.Reader = eofReader{}
+	zr.Reset(r)
+	gzipPool.Put(zr)
+}
+
+// acquire returns a gzip.Reader for reading response body.
+// The reader must be released after use.
+func (gz *gzipReader) acquire() (*gzip.Reader, error) {
+	gz.mu.Lock()
+	defer gz.mu.Unlock()
 	if gz.zerr != nil {
-		return 0, gz.zerr
+		return nil, gz.zerr
 	}
 	if gz.zr == nil {
-		gz.zr, err = gzip.NewReader(gz.body)
-		if err != nil {
-			gz.zerr = err
-			return 0, err
+		gz.zr, gz.zerr = gzipPoolGet(gz.body)
+		if gz.zerr != nil {
+			return nil, gz.zerr
 		}
 	}
-	return gz.zr.Read(p)
+	ret := gz.zr
+	gz.zr, gz.zerr = nil, errConcurrentReadOnResBody
+	return ret, nil
 }
 
-func (gz *gzipReader) Close() error {
-	if err := gz.body.Close(); err != nil {
-		return err
+// release returns the gzip.Reader to the pool if Close was called during Read.
+func (gz *gzipReader) release(zr *gzip.Reader) {
+	gz.mu.Lock()
+	defer gz.mu.Unlock()
+	if gz.zerr == errConcurrentReadOnResBody {
+		gz.zr, gz.zerr = zr, nil
+	} else { // fs.ErrClosed
+		gzipPoolPut(zr)
+	}
+}
+
+// close returns the gzip.Reader to the pool immediately or
+// signals release to do so after Read completes.
+func (gz *gzipReader) close() {
+	gz.mu.Lock()
+	defer gz.mu.Unlock()
+	if gz.zerr == nil && gz.zr != nil {
+		gzipPoolPut(gz.zr)
+		gz.zr = nil
 	}
 	gz.zerr = fs.ErrClosed
-	return nil
+}
+
+func (gz *gzipReader) Read(p []byte) (n int, err error) {
+	zr, err := gz.acquire()
+	if err != nil {
+		return 0, err
+	}
+	defer gz.release(zr)
+
+	return zr.Read(p)
+}
+
+func (gz *gzipReader) Close() error {
+	gz.close()
+
+	return gz.body.Close()
 }
 
 type errorReader struct{ err error }
@@ -3128,9 +3251,13 @@ func registerHTTPSProtocol(t *http.Transport, rt noDialH2RoundTripper) (err erro
 }
 
 // noDialH2RoundTripper is a RoundTripper which only tries to complete the request
-// if there's already has a cached connection to the host.
+// if there's already a cached connection to the host.
 // (The field is exported so it can be accessed via reflect from net/http; tested
 // by TestNoDialH2RoundTripperType)
+//
+// A noDialH2RoundTripper is registered with http1.Transport.RegisterProtocol,
+// and the http1.Transport can use type assertions to call non-RoundTrip methods on it.
+// This lets us expose, for example, NewClientConn to net/http.
 type noDialH2RoundTripper struct{ *Transport }
 
 func (rt noDialH2RoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
@@ -3141,6 +3268,85 @@ func (rt noDialH2RoundTripper) RoundTrip(req *http.Request) (*http.Response, err
 	return res, err
 }
 
+func (rt noDialH2RoundTripper) NewClientConn(conn net.Conn, internalStateHook func()) (http.RoundTripper, error) {
+	tr := rt.Transport
+	cc, err := tr.newClientConn(conn, tr.disableKeepAlives(), internalStateHook)
+	if err != nil {
+		return nil, err
+	}
+
+	// RoundTrip should block when the conn is at its concurrency limit,
+	// not return an error. Setting strictMaxConcurrentStreams enables this.
+	cc.strictMaxConcurrentStreams = true
+
+	return netHTTPClientConn{cc}, nil
+}
+
+// netHTTPClientConn wraps ClientConn and implements the interface net/http expects from
+// the RoundTripper returned by NewClientConn.
+type netHTTPClientConn struct {
+	cc *ClientConn
+}
+
+func (cc netHTTPClientConn) RoundTrip(req *http.Request) (*http.Response, error) {
+	return cc.cc.RoundTrip(req)
+}
+
+func (cc netHTTPClientConn) Close() error {
+	return cc.cc.Close()
+}
+
+func (cc netHTTPClientConn) Err() error {
+	cc.cc.mu.Lock()
+	defer cc.cc.mu.Unlock()
+	if cc.cc.closed {
+		return errors.New("connection closed")
+	}
+	return nil
+}
+
+func (cc netHTTPClientConn) Reserve() error {
+	defer cc.cc.maybeCallStateHook()
+	cc.cc.mu.Lock()
+	defer cc.cc.mu.Unlock()
+	if !cc.cc.canReserveLocked() {
+		return errors.New("connection is unavailable")
+	}
+	cc.cc.streamsReserved++
+	return nil
+}
+
+func (cc netHTTPClientConn) Release() {
+	defer cc.cc.maybeCallStateHook()
+	cc.cc.mu.Lock()
+	defer cc.cc.mu.Unlock()
+	// We don't complain if streamsReserved is 0.
+	//
+	// This is consistent with RoundTrip: both Release and RoundTrip will
+	// consume a reservation iff one exists.
+	if cc.cc.streamsReserved > 0 {
+		cc.cc.streamsReserved--
+	}
+}
+
+func (cc netHTTPClientConn) Available() int {
+	cc.cc.mu.Lock()
+	defer cc.cc.mu.Unlock()
+	return cc.cc.availableLocked()
+}
+
+func (cc netHTTPClientConn) InFlight() int {
+	cc.cc.mu.Lock()
+	defer cc.cc.mu.Unlock()
+	return cc.cc.currentRequestCountLocked()
+}
+
+func (cc *ClientConn) maybeCallStateHook() {
+	if cc.internalStateHook != nil {
+		cc.internalStateHook()
+	}
+}
+
 func (t *Transport) idleConnTimeout() time.Duration {
 	// to keep things backwards compatible, we use non-zero values of
 	// IdleConnTimeout, followed by using the IdleConnTimeout on the underlying
diff --git a/vendor/golang.org/x/net/http2/writesched.go b/vendor/golang.org/x/net/http2/writesched.go
index cc893adc29..7de27be525 100644
--- a/vendor/golang.org/x/net/http2/writesched.go
+++ b/vendor/golang.org/x/net/http2/writesched.go
@@ -42,6 +42,8 @@ type OpenStreamOptions struct {
 	// PusherID is zero if the stream was initiated by the client. Otherwise,
 	// PusherID names the stream that pushed the newly opened stream.
 	PusherID uint32
+	// priority is used to set the priority of the newly opened stream.
+	priority PriorityParam
 }
 
 // FrameWriteRequest is a request to write a frame.
@@ -183,45 +185,75 @@ func (wr *FrameWriteRequest) replyToWriter(err error) {
 }
 
 // writeQueue is used by implementations of WriteScheduler.
+//
+// Each writeQueue contains a queue of FrameWriteRequests, meant to store all
+// FrameWriteRequests associated with a given stream. This is implemented as a
+// two-stage queue: currQueue[currPos:] and nextQueue. Removing an item is done
+// by incrementing currPos of currQueue. Adding an item is done by appending it
+// to the nextQueue. If currQueue is empty when trying to remove an item, we
+// can swap currQueue and nextQueue to remedy the situation.
+// This two-stage queue is analogous to the use of two lists in Okasaki's
+// purely functional queue but without the overhead of reversing the list when
+// swapping stages.
+//
+// writeQueue also contains prev and next, this can be used by implementations
+// of WriteScheduler to construct data structures that represent the order of
+// writing between different streams (e.g. circular linked list).
 type writeQueue struct {
-	s          []FrameWriteRequest
+	currQueue []FrameWriteRequest
+	nextQueue []FrameWriteRequest
+	currPos   int
+
 	prev, next *writeQueue
 }
 
-func (q *writeQueue) empty() bool { return len(q.s) == 0 }
+func (q *writeQueue) empty() bool {
+	return (len(q.currQueue) - q.currPos + len(q.nextQueue)) == 0
+}
 
 func (q *writeQueue) push(wr FrameWriteRequest) {
-	q.s = append(q.s, wr)
+	q.nextQueue = append(q.nextQueue, wr)
 }
 
 func (q *writeQueue) shift() FrameWriteRequest {
-	if len(q.s) == 0 {
+	if q.empty() {
 		panic("invalid use of queue")
 	}
-	wr := q.s[0]
-	// TODO: less copy-happy queue.
-	copy(q.s, q.s[1:])
-	q.s[len(q.s)-1] = FrameWriteRequest{}
-	q.s = q.s[:len(q.s)-1]
+	if q.currPos >= len(q.currQueue) {
+		q.currQueue, q.currPos, q.nextQueue = q.nextQueue, 0, q.currQueue[:0]
+	}
+	wr := q.currQueue[q.currPos]
+	q.currQueue[q.currPos] = FrameWriteRequest{}
+	q.currPos++
 	return wr
 }
 
+func (q *writeQueue) peek() *FrameWriteRequest {
+	if q.currPos < len(q.currQueue) {
+		return &q.currQueue[q.currPos]
+	}
+	if len(q.nextQueue) > 0 {
+		return &q.nextQueue[0]
+	}
+	return nil
+}
+
 // consume consumes up to n bytes from q.s[0]. If the frame is
 // entirely consumed, it is removed from the queue. If the frame
 // is partially consumed, the frame is kept with the consumed
 // bytes removed. Returns true iff any bytes were consumed.
 func (q *writeQueue) consume(n int32) (FrameWriteRequest, bool) {
-	if len(q.s) == 0 {
+	if q.empty() {
 		return FrameWriteRequest{}, false
 	}
-	consumed, rest, numresult := q.s[0].Consume(n)
+	consumed, rest, numresult := q.peek().Consume(n)
 	switch numresult {
 	case 0:
 		return FrameWriteRequest{}, false
 	case 1:
 		q.shift()
 	case 2:
-		q.s[0] = rest
+		*q.peek() = rest
 	}
 	return consumed, true
 }
@@ -230,10 +262,15 @@ type writeQueuePool []*writeQueue
 
 // put inserts an unused writeQueue into the pool.
 func (p *writeQueuePool) put(q *writeQueue) {
-	for i := range q.s {
-		q.s[i] = FrameWriteRequest{}
+	for i := range q.currQueue {
+		q.currQueue[i] = FrameWriteRequest{}
+	}
+	for i := range q.nextQueue {
+		q.nextQueue[i] = FrameWriteRequest{}
 	}
-	q.s = q.s[:0]
+	q.currQueue = q.currQueue[:0]
+	q.nextQueue = q.nextQueue[:0]
+	q.currPos = 0
 	*p = append(*p, q)
 }
 
diff --git a/vendor/golang.org/x/net/http2/writesched_priority.go b/vendor/golang.org/x/net/http2/writesched_priority_rfc7540.go
similarity index 77%
rename from vendor/golang.org/x/net/http2/writesched_priority.go
rename to vendor/golang.org/x/net/http2/writesched_priority_rfc7540.go
index f6783339d1..4e33c29a24 100644
--- a/vendor/golang.org/x/net/http2/writesched_priority.go
+++ b/vendor/golang.org/x/net/http2/writesched_priority_rfc7540.go
@@ -11,7 +11,7 @@ import (
 )
 
 // RFC 7540, Section 5.3.5: the default weight is 16.
-const priorityDefaultWeight = 15 // 16 = 15 + 1
+const priorityDefaultWeightRFC7540 = 15 // 16 = 15 + 1
 
 // PriorityWriteSchedulerConfig configures a priorityWriteScheduler.
 type PriorityWriteSchedulerConfig struct {
@@ -66,8 +66,8 @@ func NewPriorityWriteScheduler(cfg *PriorityWriteSchedulerConfig) WriteScheduler
 		}
 	}
 
-	ws := &priorityWriteScheduler{
-		nodes:                make(map[uint32]*priorityNode),
+	ws := &priorityWriteSchedulerRFC7540{
+		nodes:                make(map[uint32]*priorityNodeRFC7540),
 		maxClosedNodesInTree: cfg.MaxClosedNodesInTree,
 		maxIdleNodesInTree:   cfg.MaxIdleNodesInTree,
 		enableWriteThrottle:  cfg.ThrottleOutOfOrderWrites,
@@ -81,32 +81,32 @@ func NewPriorityWriteScheduler(cfg *PriorityWriteSchedulerConfig) WriteScheduler
 	return ws
 }
 
-type priorityNodeState int
+type priorityNodeStateRFC7540 int
 
 const (
-	priorityNodeOpen priorityNodeState = iota
-	priorityNodeClosed
-	priorityNodeIdle
+	priorityNodeOpenRFC7540 priorityNodeStateRFC7540 = iota
+	priorityNodeClosedRFC7540
+	priorityNodeIdleRFC7540
 )
 
-// priorityNode is a node in an HTTP/2 priority tree.
+// priorityNodeRFC7540 is a node in an HTTP/2 priority tree.
 // Each node is associated with a single stream ID.
 // See RFC 7540, Section 5.3.
-type priorityNode struct {
-	q            writeQueue        // queue of pending frames to write
-	id           uint32            // id of the stream, or 0 for the root of the tree
-	weight       uint8             // the actual weight is weight+1, so the value is in [1,256]
-	state        priorityNodeState // open | closed | idle
-	bytes        int64             // number of bytes written by this node, or 0 if closed
-	subtreeBytes int64             // sum(node.bytes) of all nodes in this subtree
+type priorityNodeRFC7540 struct {
+	q            writeQueue               // queue of pending frames to write
+	id           uint32                   // id of the stream, or 0 for the root of the tree
+	weight       uint8                    // the actual weight is weight+1, so the value is in [1,256]
+	state        priorityNodeStateRFC7540 // open | closed | idle
+	bytes        int64                    // number of bytes written by this node, or 0 if closed
+	subtreeBytes int64                    // sum(node.bytes) of all nodes in this subtree
 
 	// These links form the priority tree.
-	parent     *priorityNode
-	kids       *priorityNode // start of the kids list
-	prev, next *priorityNode // doubly-linked list of siblings
+	parent     *priorityNodeRFC7540
+	kids       *priorityNodeRFC7540 // start of the kids list
+	prev, next *priorityNodeRFC7540 // doubly-linked list of siblings
 }
 
-func (n *priorityNode) setParent(parent *priorityNode) {
+func (n *priorityNodeRFC7540) setParent(parent *priorityNodeRFC7540) {
 	if n == parent {
 		panic("setParent to self")
 	}
@@ -141,7 +141,7 @@ func (n *priorityNode) setParent(parent *priorityNode) {
 	}
 }
 
-func (n *priorityNode) addBytes(b int64) {
+func (n *priorityNodeRFC7540) addBytes(b int64) {
 	n.bytes += b
 	for ; n != nil; n = n.parent {
 		n.subtreeBytes += b
@@ -154,7 +154,7 @@ func (n *priorityNode) addBytes(b int64) {
 //
 // f(n, openParent) takes two arguments: the node to visit, n, and a bool that is true
 // if any ancestor p of n is still open (ignoring the root node).
-func (n *priorityNode) walkReadyInOrder(openParent bool, tmp *[]*priorityNode, f func(*priorityNode, bool) bool) bool {
+func (n *priorityNodeRFC7540) walkReadyInOrder(openParent bool, tmp *[]*priorityNodeRFC7540, f func(*priorityNodeRFC7540, bool) bool) bool {
 	if !n.q.empty() && f(n, openParent) {
 		return true
 	}
@@ -165,7 +165,7 @@ func (n *priorityNode) walkReadyInOrder(openParent bool, tmp *[]*priorityNode, f
 	// Don't consider the root "open" when updating openParent since
 	// we can't send data frames on the root stream (only control frames).
 	if n.id != 0 {
-		openParent = openParent || (n.state == priorityNodeOpen)
+		openParent = openParent || (n.state == priorityNodeOpenRFC7540)
 	}
 
 	// Common case: only one kid or all kids have the same weight.
@@ -195,7 +195,7 @@ func (n *priorityNode) walkReadyInOrder(openParent bool, tmp *[]*priorityNode, f
 		*tmp = append(*tmp, n.kids)
 		n.kids.setParent(nil)
 	}
-	sort.Sort(sortPriorityNodeSiblings(*tmp))
+	sort.Sort(sortPriorityNodeSiblingsRFC7540(*tmp))
 	for i := len(*tmp) - 1; i >= 0; i-- {
 		(*tmp)[i].setParent(n) // setParent inserts at the head of n.kids
 	}
@@ -207,15 +207,15 @@ func (n *priorityNode) walkReadyInOrder(openParent bool, tmp *[]*priorityNode, f
 	return false
 }
 
-type sortPriorityNodeSiblings []*priorityNode
+type sortPriorityNodeSiblingsRFC7540 []*priorityNodeRFC7540
 
-func (z sortPriorityNodeSiblings) Len() int      { return len(z) }
-func (z sortPriorityNodeSiblings) Swap(i, k int) { z[i], z[k] = z[k], z[i] }
-func (z sortPriorityNodeSiblings) Less(i, k int) bool {
+func (z sortPriorityNodeSiblingsRFC7540) Len() int      { return len(z) }
+func (z sortPriorityNodeSiblingsRFC7540) Swap(i, k int) { z[i], z[k] = z[k], z[i] }
+func (z sortPriorityNodeSiblingsRFC7540) Less(i, k int) bool {
 	// Prefer the subtree that has sent fewer bytes relative to its weight.
 	// See sections 5.3.2 and 5.3.4.
-	wi, bi := float64(z[i].weight+1), float64(z[i].subtreeBytes)
-	wk, bk := float64(z[k].weight+1), float64(z[k].subtreeBytes)
+	wi, bi := float64(z[i].weight)+1, float64(z[i].subtreeBytes)
+	wk, bk := float64(z[k].weight)+1, float64(z[k].subtreeBytes)
 	if bi == 0 && bk == 0 {
 		return wi >= wk
 	}
@@ -225,13 +225,13 @@ func (z sortPriorityNodeSiblings) Less(i, k int) bool {
 	return bi/bk <= wi/wk
 }
 
-type priorityWriteScheduler struct {
+type priorityWriteSchedulerRFC7540 struct {
 	// root is the root of the priority tree, where root.id = 0.
 	// The root queues control frames that are not associated with any stream.
-	root priorityNode
+	root priorityNodeRFC7540
 
 	// nodes maps stream ids to priority tree nodes.
-	nodes map[uint32]*priorityNode
+	nodes map[uint32]*priorityNodeRFC7540
 
 	// maxID is the maximum stream id in nodes.
 	maxID uint32
@@ -239,7 +239,7 @@ type priorityWriteScheduler struct {
 	// lists of nodes that have been closed or are idle, but are kept in
 	// the tree for improved prioritization. When the lengths exceed either
 	// maxClosedNodesInTree or maxIdleNodesInTree, old nodes are discarded.
-	closedNodes, idleNodes []*priorityNode
+	closedNodes, idleNodes []*priorityNodeRFC7540
 
 	// From the config.
 	maxClosedNodesInTree int
@@ -248,19 +248,19 @@ type priorityWriteScheduler struct {
 	enableWriteThrottle  bool
 
 	// tmp is scratch space for priorityNode.walkReadyInOrder to reduce allocations.
-	tmp []*priorityNode
+	tmp []*priorityNodeRFC7540
 
 	// pool of empty queues for reuse.
 	queuePool writeQueuePool
 }
 
-func (ws *priorityWriteScheduler) OpenStream(streamID uint32, options OpenStreamOptions) {
+func (ws *priorityWriteSchedulerRFC7540) OpenStream(streamID uint32, options OpenStreamOptions) {
 	// The stream may be currently idle but cannot be opened or closed.
 	if curr := ws.nodes[streamID]; curr != nil {
-		if curr.state != priorityNodeIdle {
+		if curr.state != priorityNodeIdleRFC7540 {
 			panic(fmt.Sprintf("stream %d already opened", streamID))
 		}
-		curr.state = priorityNodeOpen
+		curr.state = priorityNodeOpenRFC7540
 		return
 	}
 
@@ -272,11 +272,11 @@ func (ws *priorityWriteScheduler) OpenStream(streamID uint32, options OpenStream
 	if parent == nil {
 		parent = &ws.root
 	}
-	n := &priorityNode{
+	n := &priorityNodeRFC7540{
 		q:      *ws.queuePool.get(),
 		id:     streamID,
-		weight: priorityDefaultWeight,
-		state:  priorityNodeOpen,
+		weight: priorityDefaultWeightRFC7540,
+		state:  priorityNodeOpenRFC7540,
 	}
 	n.setParent(parent)
 	ws.nodes[streamID] = n
@@ -285,24 +285,23 @@ func (ws *priorityWriteScheduler) OpenStream(streamID uint32, options OpenStream
 	}
 }
 
-func (ws *priorityWriteScheduler) CloseStream(streamID uint32) {
+func (ws *priorityWriteSchedulerRFC7540) CloseStream(streamID uint32) {
 	if streamID == 0 {
 		panic("violation of WriteScheduler interface: cannot close stream 0")
 	}
 	if ws.nodes[streamID] == nil {
 		panic(fmt.Sprintf("violation of WriteScheduler interface: unknown stream %d", streamID))
 	}
-	if ws.nodes[streamID].state != priorityNodeOpen {
+	if ws.nodes[streamID].state != priorityNodeOpenRFC7540 {
 		panic(fmt.Sprintf("violation of WriteScheduler interface: stream %d already closed", streamID))
 	}
 
 	n := ws.nodes[streamID]
-	n.state = priorityNodeClosed
+	n.state = priorityNodeClosedRFC7540
 	n.addBytes(-n.bytes)
 
 	q := n.q
 	ws.queuePool.put(&q)
-	n.q.s = nil
 	if ws.maxClosedNodesInTree > 0 {
 		ws.addClosedOrIdleNode(&ws.closedNodes, ws.maxClosedNodesInTree, n)
 	} else {
@@ -310,7 +309,7 @@ func (ws *priorityWriteScheduler) CloseStream(streamID uint32) {
 	}
 }
 
-func (ws *priorityWriteScheduler) AdjustStream(streamID uint32, priority PriorityParam) {
+func (ws *priorityWriteSchedulerRFC7540) AdjustStream(streamID uint32, priority PriorityParam) {
 	if streamID == 0 {
 		panic("adjustPriority on root")
 	}
@@ -324,11 +323,11 @@ func (ws *priorityWriteScheduler) AdjustStream(streamID uint32, priority Priorit
 			return
 		}
 		ws.maxID = streamID
-		n = &priorityNode{
+		n = &priorityNodeRFC7540{
 			q:      *ws.queuePool.get(),
 			id:     streamID,
-			weight: priorityDefaultWeight,
-			state:  priorityNodeIdle,
+			weight: priorityDefaultWeightRFC7540,
+			state:  priorityNodeIdleRFC7540,
 		}
 		n.setParent(&ws.root)
 		ws.nodes[streamID] = n
@@ -340,7 +339,7 @@ func (ws *priorityWriteScheduler) AdjustStream(streamID uint32, priority Priorit
 	parent := ws.nodes[priority.StreamDep]
 	if parent == nil {
 		n.setParent(&ws.root)
-		n.weight = priorityDefaultWeight
+		n.weight = priorityDefaultWeightRFC7540
 		return
 	}
 
@@ -381,8 +380,8 @@ func (ws *priorityWriteScheduler) AdjustStream(streamID uint32, priority Priorit
 	n.weight = priority.Weight
 }
 
-func (ws *priorityWriteScheduler) Push(wr FrameWriteRequest) {
-	var n *priorityNode
+func (ws *priorityWriteSchedulerRFC7540) Push(wr FrameWriteRequest) {
+	var n *priorityNodeRFC7540
 	if wr.isControl() {
 		n = &ws.root
 	} else {
@@ -401,8 +400,8 @@ func (ws *priorityWriteScheduler) Push(wr FrameWriteRequest) {
 	n.q.push(wr)
 }
 
-func (ws *priorityWriteScheduler) Pop() (wr FrameWriteRequest, ok bool) {
-	ws.root.walkReadyInOrder(false, &ws.tmp, func(n *priorityNode, openParent bool) bool {
+func (ws *priorityWriteSchedulerRFC7540) Pop() (wr FrameWriteRequest, ok bool) {
+	ws.root.walkReadyInOrder(false, &ws.tmp, func(n *priorityNodeRFC7540, openParent bool) bool {
 		limit := int32(math.MaxInt32)
 		if openParent {
 			limit = ws.writeThrottleLimit
@@ -428,7 +427,7 @@ func (ws *priorityWriteScheduler) Pop() (wr FrameWriteRequest, ok bool) {
 	return wr, ok
 }
 
-func (ws *priorityWriteScheduler) addClosedOrIdleNode(list *[]*priorityNode, maxSize int, n *priorityNode) {
+func (ws *priorityWriteSchedulerRFC7540) addClosedOrIdleNode(list *[]*priorityNodeRFC7540, maxSize int, n *priorityNodeRFC7540) {
 	if maxSize == 0 {
 		return
 	}
@@ -442,7 +441,7 @@ func (ws *priorityWriteScheduler) addClosedOrIdleNode(list *[]*priorityNode, max
 	*list = append(*list, n)
 }
 
-func (ws *priorityWriteScheduler) removeNode(n *priorityNode) {
+func (ws *priorityWriteSchedulerRFC7540) removeNode(n *priorityNodeRFC7540) {
 	for n.kids != nil {
 		n.kids.setParent(n.parent)
 	}
diff --git a/vendor/golang.org/x/net/http2/writesched_priority_rfc9218.go b/vendor/golang.org/x/net/http2/writesched_priority_rfc9218.go
new file mode 100644
index 0000000000..dfbfc1eb34
--- /dev/null
+++ b/vendor/golang.org/x/net/http2/writesched_priority_rfc9218.go
@@ -0,0 +1,224 @@
+// Copyright 2025 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package http2
+
+import (
+	"fmt"
+	"math"
+)
+
+type streamMetadata struct {
+	location *writeQueue
+	priority PriorityParam
+}
+
+type priorityWriteSchedulerRFC9218 struct {
+	// control contains control frames (SETTINGS, PING, etc.).
+	control writeQueue
+
+	// heads contain the head of a circular list of streams.
+	// We put these heads within a nested array that represents urgency and
+	// incremental, as defined in
+	// https://www.rfc-editor.org/rfc/rfc9218.html#name-priority-parameters.
+	// 8 represents u=0 up to u=7, and 2 represents i=false and i=true.
+	heads [8][2]*writeQueue
+
+	// streams contains a mapping between each stream ID and their metadata, so
+	// we can quickly locate them when needing to, for example, adjust their
+	// priority.
+	streams map[uint32]streamMetadata
+
+	// queuePool are empty queues for reuse.
+	queuePool writeQueuePool
+
+	// prioritizeIncremental is used to determine whether we should prioritize
+	// incremental streams or not, when urgency is the same in a given Pop()
+	// call.
+	prioritizeIncremental bool
+
+	// priorityUpdateBuf is used to buffer the most recent PRIORITY_UPDATE we
+	// receive per https://www.rfc-editor.org/rfc/rfc9218.html#name-the-priority_update-frame.
+	priorityUpdateBuf struct {
+		// streamID being 0 means that the buffer is empty. This is a safe
+		// assumption as PRIORITY_UPDATE for stream 0 is a PROTOCOL_ERROR.
+		streamID uint32
+		priority PriorityParam
+	}
+}
+
+func newPriorityWriteSchedulerRFC9218() WriteScheduler {
+	ws := &priorityWriteSchedulerRFC9218{
+		streams: make(map[uint32]streamMetadata),
+	}
+	return ws
+}
+
+func (ws *priorityWriteSchedulerRFC9218) OpenStream(streamID uint32, opt OpenStreamOptions) {
+	if ws.streams[streamID].location != nil {
+		panic(fmt.Errorf("stream %d already opened", streamID))
+	}
+	if streamID == ws.priorityUpdateBuf.streamID {
+		ws.priorityUpdateBuf.streamID = 0
+		opt.priority = ws.priorityUpdateBuf.priority
+	}
+	q := ws.queuePool.get()
+	ws.streams[streamID] = streamMetadata{
+		location: q,
+		priority: opt.priority,
+	}
+
+	u, i := opt.priority.urgency, opt.priority.incremental
+	if ws.heads[u][i] == nil {
+		ws.heads[u][i] = q
+		q.next = q
+		q.prev = q
+	} else {
+		// Queues are stored in a ring.
+		// Insert the new stream before ws.head, putting it at the end of the list.
+		q.prev = ws.heads[u][i].prev
+		q.next = ws.heads[u][i]
+		q.prev.next = q
+		q.next.prev = q
+	}
+}
+
+func (ws *priorityWriteSchedulerRFC9218) CloseStream(streamID uint32) {
+	metadata := ws.streams[streamID]
+	q, u, i := metadata.location, metadata.priority.urgency, metadata.priority.incremental
+	if q == nil {
+		return
+	}
+	if q.next == q {
+		// This was the only open stream.
+		ws.heads[u][i] = nil
+	} else {
+		q.prev.next = q.next
+		q.next.prev = q.prev
+		if ws.heads[u][i] == q {
+			ws.heads[u][i] = q.next
+		}
+	}
+	delete(ws.streams, streamID)
+	ws.queuePool.put(q)
+}
+
+func (ws *priorityWriteSchedulerRFC9218) AdjustStream(streamID uint32, priority PriorityParam) {
+	metadata := ws.streams[streamID]
+	q, u, i := metadata.location, metadata.priority.urgency, metadata.priority.incremental
+	if q == nil {
+		ws.priorityUpdateBuf.streamID = streamID
+		ws.priorityUpdateBuf.priority = priority
+		return
+	}
+
+	// Remove stream from current location.
+	if q.next == q {
+		// This was the only open stream.
+		ws.heads[u][i] = nil
+	} else {
+		q.prev.next = q.next
+		q.next.prev = q.prev
+		if ws.heads[u][i] == q {
+			ws.heads[u][i] = q.next
+		}
+	}
+
+	// Insert stream to the new queue.
+	u, i = priority.urgency, priority.incremental
+	if ws.heads[u][i] == nil {
+		ws.heads[u][i] = q
+		q.next = q
+		q.prev = q
+	} else {
+		// Queues are stored in a ring.
+		// Insert the new stream before ws.head, putting it at the end of the list.
+		q.prev = ws.heads[u][i].prev
+		q.next = ws.heads[u][i]
+		q.prev.next = q
+		q.next.prev = q
+	}
+
+	// Update the metadata.
+	ws.streams[streamID] = streamMetadata{
+		location: q,
+		priority: priority,
+	}
+}
+
+func (ws *priorityWriteSchedulerRFC9218) Push(wr FrameWriteRequest) {
+	if wr.isControl() {
+		ws.control.push(wr)
+		return
+	}
+	q := ws.streams[wr.StreamID()].location
+	if q == nil {
+		// This is a closed stream.
+		// wr should not be a HEADERS or DATA frame.
+		// We push the request onto the control queue.
+		if wr.DataSize() > 0 {
+			panic("add DATA on non-open stream")
+		}
+		ws.control.push(wr)
+		return
+	}
+	q.push(wr)
+}
+
+func (ws *priorityWriteSchedulerRFC9218) Pop() (FrameWriteRequest, bool) {
+	// Control and RST_STREAM frames first.
+	if !ws.control.empty() {
+		return ws.control.shift(), true
+	}
+
+	// On the next Pop(), we want to prioritize incremental if we prioritized
+	// non-incremental request of the same urgency this time. Vice-versa.
+	// i.e. when there are incremental and non-incremental requests at the same
+	// priority, we give 50% of our bandwidth to the incremental ones in
+	// aggregate and 50% to the first non-incremental one (since
+	// non-incremental streams do not use round-robin writes).
+	ws.prioritizeIncremental = !ws.prioritizeIncremental
+
+	// Always prioritize lowest u (i.e. highest urgency level).
+	for u := range ws.heads {
+		for i := range ws.heads[u] {
+			// When we want to prioritize incremental, we try to pop i=true
+			// first before i=false when u is the same.
+			if ws.prioritizeIncremental {
+				i = (i + 1) % 2
+			}
+			q := ws.heads[u][i]
+			if q == nil {
+				continue
+			}
+			for {
+				if wr, ok := q.consume(math.MaxInt32); ok {
+					if i == 1 {
+						// For incremental streams, we update head to q.next so
+						// we can round-robin between multiple streams that can
+						// immediately benefit from partial writes.
+						ws.heads[u][i] = q.next
+					} else {
+						// For non-incremental streams, we try to finish one to
+						// completion rather than doing round-robin. However,
+						// we update head here so that if q.consume() is !ok
+						// (e.g. the stream has no more frame to consume), head
+						// is updated to the next q that has frames to consume
+						// on future iterations. This way, we do not prioritize
+						// writing to unavailable stream on next Pop() calls,
+						// preventing head-of-line blocking.
+						ws.heads[u][i] = q
+					}
+					return wr, true
+				}
+				q = q.next
+				if q == ws.heads[u][i] {
+					break
+				}
+			}
+
+		}
+	}
+	return FrameWriteRequest{}, false
+}
diff --git a/vendor/golang.org/x/net/http2/writesched_roundrobin.go b/vendor/golang.org/x/net/http2/writesched_roundrobin.go
index 54fe86322d..737cff9ecb 100644
--- a/vendor/golang.org/x/net/http2/writesched_roundrobin.go
+++ b/vendor/golang.org/x/net/http2/writesched_roundrobin.go
@@ -25,7 +25,7 @@ type roundRobinWriteScheduler struct {
 }
 
 // newRoundRobinWriteScheduler constructs a new write scheduler.
-// The round robin scheduler priorizes control frames
+// The round robin scheduler prioritizes control frames
 // like SETTINGS and PING over DATA frames.
 // When there are no control frames to send, it performs a round-robin
 // selection from the ready streams.
diff --git a/vendor/golang.org/x/net/internal/httpcommon/request.go b/vendor/golang.org/x/net/internal/httpcommon/request.go
index 4b70553179..1e10f89ebf 100644
--- a/vendor/golang.org/x/net/internal/httpcommon/request.go
+++ b/vendor/golang.org/x/net/internal/httpcommon/request.go
@@ -51,7 +51,7 @@ type EncodeHeadersParam struct {
 	DefaultUserAgent string
 }
 
-// EncodeHeadersParam is the result of EncodeHeaders.
+// EncodeHeadersResult is the result of EncodeHeaders.
 type EncodeHeadersResult struct {
 	HasBody     bool
 	HasTrailers bool
@@ -399,7 +399,7 @@ type ServerRequestResult struct {
 
 	// If the request should be rejected, this is a short string suitable for passing
 	// to the http2 package's CountError function.
-	// It might be a bit odd to return errors this way rather than returing an error,
+	// It might be a bit odd to return errors this way rather than returning an error,
 	// but this ensures we don't forget to include a CountError reason.
 	InvalidReason string
 }
diff --git a/vendor/golang.org/x/net/internal/socks/socks.go b/vendor/golang.org/x/net/internal/socks/socks.go
index 84fcc32b63..8eedb84cec 100644
--- a/vendor/golang.org/x/net/internal/socks/socks.go
+++ b/vendor/golang.org/x/net/internal/socks/socks.go
@@ -297,7 +297,7 @@ func (up *UsernamePassword) Authenticate(ctx context.Context, rw io.ReadWriter,
 		b = append(b, up.Username...)
 		b = append(b, byte(len(up.Password)))
 		b = append(b, up.Password...)
-		// TODO(mikio): handle IO deadlines and cancelation if
+		// TODO(mikio): handle IO deadlines and cancellation if
 		// necessary
 		if _, err := rw.Write(b); err != nil {
 			return err
diff --git a/vendor/golang.org/x/net/trace/events.go b/vendor/golang.org/x/net/trace/events.go
index 3aaffdd1f7..c2b3c00980 100644
--- a/vendor/golang.org/x/net/trace/events.go
+++ b/vendor/golang.org/x/net/trace/events.go
@@ -58,8 +58,8 @@ func RenderEvents(w http.ResponseWriter, req *http.Request, sensitive bool) {
 		Buckets: buckets,
 	}
 
-	data.Families = make([]string, 0, len(families))
 	famMu.RLock()
+	data.Families = make([]string, 0, len(families))
 	for name := range families {
 		data.Families = append(data.Families, name)
 	}
diff --git a/vendor/golang.org/x/net/websocket/hybi.go b/vendor/golang.org/x/net/websocket/hybi.go
index dda7434666..c7e76cd91b 100644
--- a/vendor/golang.org/x/net/websocket/hybi.go
+++ b/vendor/golang.org/x/net/websocket/hybi.go
@@ -440,6 +440,7 @@ func hybiClientHandshake(config *Config, br *bufio.Reader, bw *bufio.Writer) (er
 	if err != nil {
 		return err
 	}
+	defer resp.Body.Close()
 	if resp.StatusCode != 101 {
 		return ErrBadStatus
 	}
diff --git a/vendor/golang.org/x/oauth2/oauth2.go b/vendor/golang.org/x/oauth2/oauth2.go
index de34feb844..3e3b630695 100644
--- a/vendor/golang.org/x/oauth2/oauth2.go
+++ b/vendor/golang.org/x/oauth2/oauth2.go
@@ -9,7 +9,6 @@
 package oauth2 // import "golang.org/x/oauth2"
 
 import (
-	"bytes"
 	"context"
 	"errors"
 	"net/http"
@@ -158,7 +157,7 @@ func SetAuthURLParam(key, value string) AuthCodeOption {
 // PKCE), https://www.oauth.com/oauth2-servers/pkce/ and
 // https://www.ietf.org/archive/id/draft-ietf-oauth-v2-1-09.html#name-cross-site-request-forgery (describing both approaches)
 func (c *Config) AuthCodeURL(state string, opts ...AuthCodeOption) string {
-	var buf bytes.Buffer
+	var buf strings.Builder
 	buf.WriteString(c.Endpoint.AuthURL)
 	v := url.Values{
 		"response_type": {"code"},
diff --git a/vendor/golang.org/x/sync/errgroup/errgroup.go b/vendor/golang.org/x/sync/errgroup/errgroup.go
index 1d8cffae8c..f69fd75468 100644
--- a/vendor/golang.org/x/sync/errgroup/errgroup.go
+++ b/vendor/golang.org/x/sync/errgroup/errgroup.go
@@ -3,7 +3,7 @@
 // license that can be found in the LICENSE file.
 
 // Package errgroup provides synchronization, error propagation, and Context
-// cancelation for groups of goroutines working on subtasks of a common task.
+// cancellation for groups of goroutines working on subtasks of a common task.
 //
 // [errgroup.Group] is related to [sync.WaitGroup] but adds handling of tasks
 // returning errors.
@@ -144,8 +144,8 @@ func (g *Group) SetLimit(n int) {
 		g.sem = nil
 		return
 	}
-	if len(g.sem) != 0 {
-		panic(fmt.Errorf("errgroup: modify limit while %v goroutines in the group are still active", len(g.sem)))
+	if active := len(g.sem); active != 0 {
+		panic(fmt.Errorf("errgroup: modify limit while %v goroutines in the group are still active", active))
 	}
 	g.sem = make(chan token, n)
 }
diff --git a/vendor/golang.org/x/sys/cpu/cpu_arm64.s b/vendor/golang.org/x/sys/cpu/cpu_arm64.s
index 22cc99844a..3b0450a06a 100644
--- a/vendor/golang.org/x/sys/cpu/cpu_arm64.s
+++ b/vendor/golang.org/x/sys/cpu/cpu_arm64.s
@@ -9,31 +9,27 @@
 // func getisar0() uint64
 TEXT ·getisar0(SB),NOSPLIT,$0-8
 	// get Instruction Set Attributes 0 into x0
-	// mrs x0, ID_AA64ISAR0_EL1 = d5380600
-	WORD	$0xd5380600
+	MRS	ID_AA64ISAR0_EL1, R0
 	MOVD	R0, ret+0(FP)
 	RET
 
 // func getisar1() uint64
 TEXT ·getisar1(SB),NOSPLIT,$0-8
 	// get Instruction Set Attributes 1 into x0
-	// mrs x0, ID_AA64ISAR1_EL1 = d5380620
-	WORD	$0xd5380620
+	MRS	ID_AA64ISAR1_EL1, R0
 	MOVD	R0, ret+0(FP)
 	RET
 
 // func getpfr0() uint64
 TEXT ·getpfr0(SB),NOSPLIT,$0-8
 	// get Processor Feature Register 0 into x0
-	// mrs x0, ID_AA64PFR0_EL1 = d5380400
-	WORD	$0xd5380400
+	MRS	ID_AA64PFR0_EL1, R0
 	MOVD	R0, ret+0(FP)
 	RET
 
 // func getzfr0() uint64
 TEXT ·getzfr0(SB),NOSPLIT,$0-8
 	// get SVE Feature Register 0 into x0
-	// mrs	x0, ID_AA64ZFR0_EL1 = d5380480
-	WORD $0xd5380480
+	MRS	ID_AA64ZFR0_EL1, R0
 	MOVD	R0, ret+0(FP)
 	RET
diff --git a/vendor/golang.org/x/sys/cpu/cpu_x86.go b/vendor/golang.org/x/sys/cpu/cpu_x86.go
index 1e642f3304..f5723d4f7e 100644
--- a/vendor/golang.org/x/sys/cpu/cpu_x86.go
+++ b/vendor/golang.org/x/sys/cpu/cpu_x86.go
@@ -64,6 +64,80 @@ func initOptions() {
 
 func archInit() {
 
+	// From internal/cpu
+	const (
+		// eax bits
+		cpuid_AVXVNNI = 1 << 4
+
+		// ecx bits
+		cpuid_SSE3            = 1 << 0
+		cpuid_PCLMULQDQ       = 1 << 1
+		cpuid_AVX512VBMI      = 1 << 1
+		cpuid_AVX512VBMI2     = 1 << 6
+		cpuid_SSSE3           = 1 << 9
+		cpuid_AVX512GFNI      = 1 << 8
+		cpuid_AVX512VAES      = 1 << 9
+		cpuid_AVX512VNNI      = 1 << 11
+		cpuid_AVX512BITALG    = 1 << 12
+		cpuid_FMA             = 1 << 12
+		cpuid_AVX512VPOPCNTDQ = 1 << 14
+		cpuid_SSE41           = 1 << 19
+		cpuid_SSE42           = 1 << 20
+		cpuid_POPCNT          = 1 << 23
+		cpuid_AES             = 1 << 25
+		cpuid_OSXSAVE         = 1 << 27
+		cpuid_AVX             = 1 << 28
+
+		// "Extended Feature Flag" bits returned in EBX for CPUID EAX=0x7 ECX=0x0
+		cpuid_BMI1     = 1 << 3
+		cpuid_AVX2     = 1 << 5
+		cpuid_BMI2     = 1 << 8
+		cpuid_ERMS     = 1 << 9
+		cpuid_AVX512F  = 1 << 16
+		cpuid_AVX512DQ = 1 << 17
+		cpuid_ADX      = 1 << 19
+		cpuid_AVX512CD = 1 << 28
+		cpuid_SHA      = 1 << 29
+		cpuid_AVX512BW = 1 << 30
+		cpuid_AVX512VL = 1 << 31
+
+		// "Extended Feature Flag" bits returned in ECX for CPUID EAX=0x7 ECX=0x0
+		cpuid_AVX512_VBMI      = 1 << 1
+		cpuid_AVX512_VBMI2     = 1 << 6
+		cpuid_GFNI             = 1 << 8
+		cpuid_AVX512VPCLMULQDQ = 1 << 10
+		cpuid_AVX512_BITALG    = 1 << 12
+
+		// edx bits
+		cpuid_FSRM = 1 << 4
+		// edx bits for CPUID 0x80000001
+		cpuid_RDTSCP = 1 << 27
+	)
+	// Additional constants not in internal/cpu
+	const (
+		// eax=1: edx
+		cpuid_SSE2 = 1 << 26
+		// eax=1: ecx
+		cpuid_CX16   = 1 << 13
+		cpuid_RDRAND = 1 << 30
+		// eax=7,ecx=0: ebx
+		cpuid_RDSEED     = 1 << 18
+		cpuid_AVX512IFMA = 1 << 21
+		cpuid_AVX512PF   = 1 << 26
+		cpuid_AVX512ER   = 1 << 27
+		// eax=7,ecx=0: edx
+		cpuid_AVX5124VNNIW = 1 << 2
+		cpuid_AVX5124FMAPS = 1 << 3
+		cpuid_AMXBF16      = 1 << 22
+		cpuid_AMXTile      = 1 << 24
+		cpuid_AMXInt8      = 1 << 25
+		// eax=7,ecx=1: eax
+		cpuid_AVX512BF16 = 1 << 5
+		cpuid_AVXIFMA    = 1 << 23
+		// eax=7,ecx=1: edx
+		cpuid_AVXVNNIInt8 = 1 << 4
+	)
+
 	Initialized = true
 
 	maxID, _, _, _ := cpuid(0, 0)
@@ -73,90 +147,90 @@ func archInit() {
 	}
 
 	_, _, ecx1, edx1 := cpuid(1, 0)
-	X86.HasSSE2 = isSet(26, edx1)
-
-	X86.HasSSE3 = isSet(0, ecx1)
-	X86.HasPCLMULQDQ = isSet(1, ecx1)
-	X86.HasSSSE3 = isSet(9, ecx1)
-	X86.HasFMA = isSet(12, ecx1)
-	X86.HasCX16 = isSet(13, ecx1)
-	X86.HasSSE41 = isSet(19, ecx1)
-	X86.HasSSE42 = isSet(20, ecx1)
-	X86.HasPOPCNT = isSet(23, ecx1)
-	X86.HasAES = isSet(25, ecx1)
-	X86.HasOSXSAVE = isSet(27, ecx1)
-	X86.HasRDRAND = isSet(30, ecx1)
+	X86.HasSSE2 = isSet(edx1, cpuid_SSE2)
+
+	X86.HasSSE3 = isSet(ecx1, cpuid_SSE3)
+	X86.HasPCLMULQDQ = isSet(ecx1, cpuid_PCLMULQDQ)
+	X86.HasSSSE3 = isSet(ecx1, cpuid_SSSE3)
+	X86.HasFMA = isSet(ecx1, cpuid_FMA)
+	X86.HasCX16 = isSet(ecx1, cpuid_CX16)
+	X86.HasSSE41 = isSet(ecx1, cpuid_SSE41)
+	X86.HasSSE42 = isSet(ecx1, cpuid_SSE42)
+	X86.HasPOPCNT = isSet(ecx1, cpuid_POPCNT)
+	X86.HasAES = isSet(ecx1, cpuid_AES)
+	X86.HasOSXSAVE = isSet(ecx1, cpuid_OSXSAVE)
+	X86.HasRDRAND = isSet(ecx1, cpuid_RDRAND)
 
 	var osSupportsAVX, osSupportsAVX512 bool
 	// For XGETBV, OSXSAVE bit is required and sufficient.
 	if X86.HasOSXSAVE {
 		eax, _ := xgetbv()
 		// Check if XMM and YMM registers have OS support.
-		osSupportsAVX = isSet(1, eax) && isSet(2, eax)
+		osSupportsAVX = isSet(eax, 1<<1) && isSet(eax, 1<<2)
 
 		if runtime.GOOS == "darwin" {
 			// Darwin requires special AVX512 checks, see cpu_darwin_x86.go
 			osSupportsAVX512 = osSupportsAVX && darwinSupportsAVX512()
 		} else {
 			// Check if OPMASK and ZMM registers have OS support.
-			osSupportsAVX512 = osSupportsAVX && isSet(5, eax) && isSet(6, eax) && isSet(7, eax)
+			osSupportsAVX512 = osSupportsAVX && isSet(eax, 1<<5) && isSet(eax, 1<<6) && isSet(eax, 1<<7)
 		}
 	}
 
-	X86.HasAVX = isSet(28, ecx1) && osSupportsAVX
+	X86.HasAVX = isSet(ecx1, cpuid_AVX) && osSupportsAVX
 
 	if maxID < 7 {
 		return
 	}
 
 	eax7, ebx7, ecx7, edx7 := cpuid(7, 0)
-	X86.HasBMI1 = isSet(3, ebx7)
-	X86.HasAVX2 = isSet(5, ebx7) && osSupportsAVX
-	X86.HasBMI2 = isSet(8, ebx7)
-	X86.HasERMS = isSet(9, ebx7)
-	X86.HasRDSEED = isSet(18, ebx7)
-	X86.HasADX = isSet(19, ebx7)
-
-	X86.HasAVX512 = isSet(16, ebx7) && osSupportsAVX512 // Because avx-512 foundation is the core required extension
+	X86.HasBMI1 = isSet(ebx7, cpuid_BMI1)
+	X86.HasAVX2 = isSet(ebx7, cpuid_AVX2) && osSupportsAVX
+	X86.HasBMI2 = isSet(ebx7, cpuid_BMI2)
+	X86.HasERMS = isSet(ebx7, cpuid_ERMS)
+	X86.HasRDSEED = isSet(ebx7, cpuid_RDSEED)
+	X86.HasADX = isSet(ebx7, cpuid_ADX)
+
+	X86.HasAVX512 = isSet(ebx7, cpuid_AVX512F) && osSupportsAVX512 // Because avx-512 foundation is the core required extension
 	if X86.HasAVX512 {
 		X86.HasAVX512F = true
-		X86.HasAVX512CD = isSet(28, ebx7)
-		X86.HasAVX512ER = isSet(27, ebx7)
-		X86.HasAVX512PF = isSet(26, ebx7)
-		X86.HasAVX512VL = isSet(31, ebx7)
-		X86.HasAVX512BW = isSet(30, ebx7)
-		X86.HasAVX512DQ = isSet(17, ebx7)
-		X86.HasAVX512IFMA = isSet(21, ebx7)
-		X86.HasAVX512VBMI = isSet(1, ecx7)
-		X86.HasAVX5124VNNIW = isSet(2, edx7)
-		X86.HasAVX5124FMAPS = isSet(3, edx7)
-		X86.HasAVX512VPOPCNTDQ = isSet(14, ecx7)
-		X86.HasAVX512VPCLMULQDQ = isSet(10, ecx7)
-		X86.HasAVX512VNNI = isSet(11, ecx7)
-		X86.HasAVX512GFNI = isSet(8, ecx7)
-		X86.HasAVX512VAES = isSet(9, ecx7)
-		X86.HasAVX512VBMI2 = isSet(6, ecx7)
-		X86.HasAVX512BITALG = isSet(12, ecx7)
+		X86.HasAVX512CD = isSet(ebx7, cpuid_AVX512CD)
+		X86.HasAVX512ER = isSet(ebx7, cpuid_AVX512ER)
+		X86.HasAVX512PF = isSet(ebx7, cpuid_AVX512PF)
+		X86.HasAVX512VL = isSet(ebx7, cpuid_AVX512VL)
+		X86.HasAVX512BW = isSet(ebx7, cpuid_AVX512BW)
+		X86.HasAVX512DQ = isSet(ebx7, cpuid_AVX512DQ)
+		X86.HasAVX512IFMA = isSet(ebx7, cpuid_AVX512IFMA)
+		X86.HasAVX512VBMI = isSet(ecx7, cpuid_AVX512_VBMI)
+		X86.HasAVX5124VNNIW = isSet(edx7, cpuid_AVX5124VNNIW)
+		X86.HasAVX5124FMAPS = isSet(edx7, cpuid_AVX5124FMAPS)
+		X86.HasAVX512VPOPCNTDQ = isSet(ecx7, cpuid_AVX512VPOPCNTDQ)
+		X86.HasAVX512VPCLMULQDQ = isSet(ecx7, cpuid_AVX512VPCLMULQDQ)
+		X86.HasAVX512VNNI = isSet(ecx7, cpuid_AVX512VNNI)
+		X86.HasAVX512GFNI = isSet(ecx7, cpuid_AVX512GFNI)
+		X86.HasAVX512VAES = isSet(ecx7, cpuid_AVX512VAES)
+		X86.HasAVX512VBMI2 = isSet(ecx7, cpuid_AVX512VBMI2)
+		X86.HasAVX512BITALG = isSet(ecx7, cpuid_AVX512BITALG)
 	}
 
-	X86.HasAMXTile = isSet(24, edx7)
-	X86.HasAMXInt8 = isSet(25, edx7)
-	X86.HasAMXBF16 = isSet(22, edx7)
+	X86.HasAMXTile = isSet(edx7, cpuid_AMXTile)
+	X86.HasAMXInt8 = isSet(edx7, cpuid_AMXInt8)
+	X86.HasAMXBF16 = isSet(edx7, cpuid_AMXBF16)
 
 	// These features depend on the second level of extended features.
 	if eax7 >= 1 {
 		eax71, _, _, edx71 := cpuid(7, 1)
 		if X86.HasAVX512 {
-			X86.HasAVX512BF16 = isSet(5, eax71)
+			X86.HasAVX512BF16 = isSet(eax71, cpuid_AVX512BF16)
 		}
 		if X86.HasAVX {
-			X86.HasAVXIFMA = isSet(23, eax71)
-			X86.HasAVXVNNI = isSet(4, eax71)
-			X86.HasAVXVNNIInt8 = isSet(4, edx71)
+			X86.HasAVXIFMA = isSet(eax71, cpuid_AVXIFMA)
+			X86.HasAVXVNNI = isSet(eax71, cpuid_AVXVNNI)
+			X86.HasAVXVNNIInt8 = isSet(edx71, cpuid_AVXVNNIInt8)
 		}
 	}
 }
 
-func isSet(bitpos uint, value uint32) bool {
-	return value&(1<
 #include 
 #include 
+#include 
 #include 
 #include 
 #include 
@@ -255,6 +256,7 @@ struct ltchars {
 #include 
 #include 
 #include 
+#include 
 #include 
 #include 
 #include 
@@ -529,6 +531,7 @@ ccflags="$@"
 		$2 ~ /^O[CNPFPL][A-Z]+[^_][A-Z]+$/ ||
 		$2 ~ /^(NL|CR|TAB|BS|VT|FF)DLY$/ ||
 		$2 ~ /^(NL|CR|TAB|BS|VT|FF)[0-9]$/ ||
+		$2 ~ /^(DT|EI|ELF|EV|NN|NT|PF|SHF|SHN|SHT|STB|STT|VER)_/ ||
 		$2 ~ /^O?XTABS$/ ||
 		$2 ~ /^TC[IO](ON|OFF)$/ ||
 		$2 ~ /^IN_/ ||
@@ -611,7 +614,7 @@ ccflags="$@"
 		$2 !~ /IOC_MAGIC/ &&
 		$2 ~ /^[A-Z][A-Z0-9_]+_MAGIC2?$/ ||
 		$2 ~ /^(VM|VMADDR)_/ ||
-		$2 ~ /^IOCTL_VM_SOCKETS_/ ||
+		$2 ~ /^(IOCTL_VM_SOCKETS_|IOCTL_MEI_)/ ||
 		$2 ~ /^(TASKSTATS|TS)_/ ||
 		$2 ~ /^CGROUPSTATS_/ ||
 		$2 ~ /^GENL_/ ||
diff --git a/vendor/golang.org/x/sys/unix/syscall_linux.go b/vendor/golang.org/x/sys/unix/syscall_linux.go
index 4958a65708..06c0eea6fb 100644
--- a/vendor/golang.org/x/sys/unix/syscall_linux.go
+++ b/vendor/golang.org/x/sys/unix/syscall_linux.go
@@ -801,9 +801,7 @@ func (sa *SockaddrPPPoE) sockaddr() (unsafe.Pointer, _Socklen, error) {
 	// one. The kernel expects SID to be in network byte order.
 	binary.BigEndian.PutUint16(sa.raw[6:8], sa.SID)
 	copy(sa.raw[8:14], sa.Remote)
-	for i := 14; i < 14+IFNAMSIZ; i++ {
-		sa.raw[i] = 0
-	}
+	clear(sa.raw[14 : 14+IFNAMSIZ])
 	copy(sa.raw[14:], sa.Dev)
 	return unsafe.Pointer(&sa.raw), SizeofSockaddrPPPoX, nil
 }
@@ -2645,3 +2643,9 @@ func SchedGetAttr(pid int, flags uint) (*SchedAttr, error) {
 
 //sys	Cachestat(fd uint, crange *CachestatRange, cstat *Cachestat_t, flags uint) (err error)
 //sys	Mseal(b []byte, flags uint) (err error)
+
+//sys	setMemPolicy(mode int, mask *CPUSet, size int) (err error) = SYS_SET_MEMPOLICY
+
+func SetMemPolicy(mode int, mask *CPUSet) error {
+	return setMemPolicy(mode, mask, _CPU_SETSIZE)
+}
diff --git a/vendor/golang.org/x/sys/unix/syscall_netbsd.go b/vendor/golang.org/x/sys/unix/syscall_netbsd.go
index 88162099af..34a4676973 100644
--- a/vendor/golang.org/x/sys/unix/syscall_netbsd.go
+++ b/vendor/golang.org/x/sys/unix/syscall_netbsd.go
@@ -248,6 +248,23 @@ func Statvfs(path string, buf *Statvfs_t) (err error) {
 	return Statvfs1(path, buf, ST_WAIT)
 }
 
+func Getvfsstat(buf []Statvfs_t, flags int) (n int, err error) {
+	var (
+		_p0     unsafe.Pointer
+		bufsize uintptr
+	)
+	if len(buf) > 0 {
+		_p0 = unsafe.Pointer(&buf[0])
+		bufsize = unsafe.Sizeof(Statvfs_t{}) * uintptr(len(buf))
+	}
+	r0, _, e1 := Syscall(SYS_GETVFSSTAT, uintptr(_p0), bufsize, uintptr(flags))
+	n = int(r0)
+	if e1 != 0 {
+		err = e1
+	}
+	return
+}
+
 /*
  * Exposed directly
  */
diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux.go b/vendor/golang.org/x/sys/unix/zerrors_linux.go
index b6db27d937..120a7b35d1 100644
--- a/vendor/golang.org/x/sys/unix/zerrors_linux.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_linux.go
@@ -853,20 +853,86 @@ const (
 	DM_VERSION_MAJOR                            = 0x4
 	DM_VERSION_MINOR                            = 0x32
 	DM_VERSION_PATCHLEVEL                       = 0x0
+	DT_ADDRRNGHI                                = 0x6ffffeff
+	DT_ADDRRNGLO                                = 0x6ffffe00
 	DT_BLK                                      = 0x6
 	DT_CHR                                      = 0x2
+	DT_DEBUG                                    = 0x15
 	DT_DIR                                      = 0x4
+	DT_ENCODING                                 = 0x20
 	DT_FIFO                                     = 0x1
+	DT_FINI                                     = 0xd
+	DT_FLAGS_1                                  = 0x6ffffffb
+	DT_GNU_HASH                                 = 0x6ffffef5
+	DT_HASH                                     = 0x4
+	DT_HIOS                                     = 0x6ffff000
+	DT_HIPROC                                   = 0x7fffffff
+	DT_INIT                                     = 0xc
+	DT_JMPREL                                   = 0x17
 	DT_LNK                                      = 0xa
+	DT_LOOS                                     = 0x6000000d
+	DT_LOPROC                                   = 0x70000000
+	DT_NEEDED                                   = 0x1
+	DT_NULL                                     = 0x0
+	DT_PLTGOT                                   = 0x3
+	DT_PLTREL                                   = 0x14
+	DT_PLTRELSZ                                 = 0x2
 	DT_REG                                      = 0x8
+	DT_REL                                      = 0x11
+	DT_RELA                                     = 0x7
+	DT_RELACOUNT                                = 0x6ffffff9
+	DT_RELAENT                                  = 0x9
+	DT_RELASZ                                   = 0x8
+	DT_RELCOUNT                                 = 0x6ffffffa
+	DT_RELENT                                   = 0x13
+	DT_RELSZ                                    = 0x12
+	DT_RPATH                                    = 0xf
 	DT_SOCK                                     = 0xc
+	DT_SONAME                                   = 0xe
+	DT_STRSZ                                    = 0xa
+	DT_STRTAB                                   = 0x5
+	DT_SYMBOLIC                                 = 0x10
+	DT_SYMENT                                   = 0xb
+	DT_SYMTAB                                   = 0x6
+	DT_TEXTREL                                  = 0x16
 	DT_UNKNOWN                                  = 0x0
+	DT_VALRNGHI                                 = 0x6ffffdff
+	DT_VALRNGLO                                 = 0x6ffffd00
+	DT_VERDEF                                   = 0x6ffffffc
+	DT_VERDEFNUM                                = 0x6ffffffd
+	DT_VERNEED                                  = 0x6ffffffe
+	DT_VERNEEDNUM                               = 0x6fffffff
+	DT_VERSYM                                   = 0x6ffffff0
 	DT_WHT                                      = 0xe
 	ECHO                                        = 0x8
 	ECRYPTFS_SUPER_MAGIC                        = 0xf15f
 	EFD_SEMAPHORE                               = 0x1
 	EFIVARFS_MAGIC                              = 0xde5e81e4
 	EFS_SUPER_MAGIC                             = 0x414a53
+	EI_CLASS                                    = 0x4
+	EI_DATA                                     = 0x5
+	EI_MAG0                                     = 0x0
+	EI_MAG1                                     = 0x1
+	EI_MAG2                                     = 0x2
+	EI_MAG3                                     = 0x3
+	EI_NIDENT                                   = 0x10
+	EI_OSABI                                    = 0x7
+	EI_PAD                                      = 0x8
+	EI_VERSION                                  = 0x6
+	ELFCLASS32                                  = 0x1
+	ELFCLASS64                                  = 0x2
+	ELFCLASSNONE                                = 0x0
+	ELFCLASSNUM                                 = 0x3
+	ELFDATA2LSB                                 = 0x1
+	ELFDATA2MSB                                 = 0x2
+	ELFDATANONE                                 = 0x0
+	ELFMAG                                      = "\177ELF"
+	ELFMAG0                                     = 0x7f
+	ELFMAG1                                     = 'E'
+	ELFMAG2                                     = 'L'
+	ELFMAG3                                     = 'F'
+	ELFOSABI_LINUX                              = 0x3
+	ELFOSABI_NONE                               = 0x0
 	EM_386                                      = 0x3
 	EM_486                                      = 0x6
 	EM_68K                                      = 0x4
@@ -1152,14 +1218,24 @@ const (
 	ETH_P_WCCP                                  = 0x883e
 	ETH_P_X25                                   = 0x805
 	ETH_P_XDSA                                  = 0xf8
+	ET_CORE                                     = 0x4
+	ET_DYN                                      = 0x3
+	ET_EXEC                                     = 0x2
+	ET_HIPROC                                   = 0xffff
+	ET_LOPROC                                   = 0xff00
+	ET_NONE                                     = 0x0
+	ET_REL                                      = 0x1
 	EV_ABS                                      = 0x3
 	EV_CNT                                      = 0x20
+	EV_CURRENT                                  = 0x1
 	EV_FF                                       = 0x15
 	EV_FF_STATUS                                = 0x17
 	EV_KEY                                      = 0x1
 	EV_LED                                      = 0x11
 	EV_MAX                                      = 0x1f
 	EV_MSC                                      = 0x4
+	EV_NONE                                     = 0x0
+	EV_NUM                                      = 0x2
 	EV_PWR                                      = 0x16
 	EV_REL                                      = 0x2
 	EV_REP                                      = 0x14
@@ -1539,6 +1615,8 @@ const (
 	IN_OPEN                                     = 0x20
 	IN_Q_OVERFLOW                               = 0x4000
 	IN_UNMOUNT                                  = 0x2000
+	IOCTL_MEI_CONNECT_CLIENT                    = 0xc0104801
+	IOCTL_MEI_CONNECT_CLIENT_VTAG               = 0xc0144804
 	IPPROTO_AH                                  = 0x33
 	IPPROTO_BEETPH                              = 0x5e
 	IPPROTO_COMP                                = 0x6c
@@ -2276,7 +2354,167 @@ const (
 	NLM_F_REPLACE                               = 0x100
 	NLM_F_REQUEST                               = 0x1
 	NLM_F_ROOT                                  = 0x100
+	NN_386_IOPERM                               = "LINUX"
+	NN_386_TLS                                  = "LINUX"
+	NN_ARC_V2                                   = "LINUX"
+	NN_ARM_FPMR                                 = "LINUX"
+	NN_ARM_GCS                                  = "LINUX"
+	NN_ARM_HW_BREAK                             = "LINUX"
+	NN_ARM_HW_WATCH                             = "LINUX"
+	NN_ARM_PACA_KEYS                            = "LINUX"
+	NN_ARM_PACG_KEYS                            = "LINUX"
+	NN_ARM_PAC_ENABLED_KEYS                     = "LINUX"
+	NN_ARM_PAC_MASK                             = "LINUX"
+	NN_ARM_POE                                  = "LINUX"
+	NN_ARM_SSVE                                 = "LINUX"
+	NN_ARM_SVE                                  = "LINUX"
+	NN_ARM_SYSTEM_CALL                          = "LINUX"
+	NN_ARM_TAGGED_ADDR_CTRL                     = "LINUX"
+	NN_ARM_TLS                                  = "LINUX"
+	NN_ARM_VFP                                  = "LINUX"
+	NN_ARM_ZA                                   = "LINUX"
+	NN_ARM_ZT                                   = "LINUX"
+	NN_AUXV                                     = "CORE"
+	NN_FILE                                     = "CORE"
+	NN_GNU_PROPERTY_TYPE_0                      = "GNU"
+	NN_LOONGARCH_CPUCFG                         = "LINUX"
+	NN_LOONGARCH_CSR                            = "LINUX"
+	NN_LOONGARCH_HW_BREAK                       = "LINUX"
+	NN_LOONGARCH_HW_WATCH                       = "LINUX"
+	NN_LOONGARCH_LASX                           = "LINUX"
+	NN_LOONGARCH_LBT                            = "LINUX"
+	NN_LOONGARCH_LSX                            = "LINUX"
+	NN_MIPS_DSP                                 = "LINUX"
+	NN_MIPS_FP_MODE                             = "LINUX"
+	NN_MIPS_MSA                                 = "LINUX"
+	NN_PPC_DEXCR                                = "LINUX"
+	NN_PPC_DSCR                                 = "LINUX"
+	NN_PPC_EBB                                  = "LINUX"
+	NN_PPC_HASHKEYR                             = "LINUX"
+	NN_PPC_PKEY                                 = "LINUX"
+	NN_PPC_PMU                                  = "LINUX"
+	NN_PPC_PPR                                  = "LINUX"
+	NN_PPC_SPE                                  = "LINUX"
+	NN_PPC_TAR                                  = "LINUX"
+	NN_PPC_TM_CDSCR                             = "LINUX"
+	NN_PPC_TM_CFPR                              = "LINUX"
+	NN_PPC_TM_CGPR                              = "LINUX"
+	NN_PPC_TM_CPPR                              = "LINUX"
+	NN_PPC_TM_CTAR                              = "LINUX"
+	NN_PPC_TM_CVMX                              = "LINUX"
+	NN_PPC_TM_CVSX                              = "LINUX"
+	NN_PPC_TM_SPR                               = "LINUX"
+	NN_PPC_VMX                                  = "LINUX"
+	NN_PPC_VSX                                  = "LINUX"
+	NN_PRFPREG                                  = "CORE"
+	NN_PRPSINFO                                 = "CORE"
+	NN_PRSTATUS                                 = "CORE"
+	NN_PRXFPREG                                 = "LINUX"
+	NN_RISCV_CSR                                = "LINUX"
+	NN_RISCV_TAGGED_ADDR_CTRL                   = "LINUX"
+	NN_RISCV_VECTOR                             = "LINUX"
+	NN_S390_CTRS                                = "LINUX"
+	NN_S390_GS_BC                               = "LINUX"
+	NN_S390_GS_CB                               = "LINUX"
+	NN_S390_HIGH_GPRS                           = "LINUX"
+	NN_S390_LAST_BREAK                          = "LINUX"
+	NN_S390_PREFIX                              = "LINUX"
+	NN_S390_PV_CPU_DATA                         = "LINUX"
+	NN_S390_RI_CB                               = "LINUX"
+	NN_S390_SYSTEM_CALL                         = "LINUX"
+	NN_S390_TDB                                 = "LINUX"
+	NN_S390_TIMER                               = "LINUX"
+	NN_S390_TODCMP                              = "LINUX"
+	NN_S390_TODPREG                             = "LINUX"
+	NN_S390_VXRS_HIGH                           = "LINUX"
+	NN_S390_VXRS_LOW                            = "LINUX"
+	NN_SIGINFO                                  = "CORE"
+	NN_TASKSTRUCT                               = "CORE"
+	NN_VMCOREDD                                 = "LINUX"
+	NN_X86_SHSTK                                = "LINUX"
+	NN_X86_XSAVE_LAYOUT                         = "LINUX"
+	NN_X86_XSTATE                               = "LINUX"
 	NSFS_MAGIC                                  = 0x6e736673
+	NT_386_IOPERM                               = 0x201
+	NT_386_TLS                                  = 0x200
+	NT_ARC_V2                                   = 0x600
+	NT_ARM_FPMR                                 = 0x40e
+	NT_ARM_GCS                                  = 0x410
+	NT_ARM_HW_BREAK                             = 0x402
+	NT_ARM_HW_WATCH                             = 0x403
+	NT_ARM_PACA_KEYS                            = 0x407
+	NT_ARM_PACG_KEYS                            = 0x408
+	NT_ARM_PAC_ENABLED_KEYS                     = 0x40a
+	NT_ARM_PAC_MASK                             = 0x406
+	NT_ARM_POE                                  = 0x40f
+	NT_ARM_SSVE                                 = 0x40b
+	NT_ARM_SVE                                  = 0x405
+	NT_ARM_SYSTEM_CALL                          = 0x404
+	NT_ARM_TAGGED_ADDR_CTRL                     = 0x409
+	NT_ARM_TLS                                  = 0x401
+	NT_ARM_VFP                                  = 0x400
+	NT_ARM_ZA                                   = 0x40c
+	NT_ARM_ZT                                   = 0x40d
+	NT_AUXV                                     = 0x6
+	NT_FILE                                     = 0x46494c45
+	NT_GNU_PROPERTY_TYPE_0                      = 0x5
+	NT_LOONGARCH_CPUCFG                         = 0xa00
+	NT_LOONGARCH_CSR                            = 0xa01
+	NT_LOONGARCH_HW_BREAK                       = 0xa05
+	NT_LOONGARCH_HW_WATCH                       = 0xa06
+	NT_LOONGARCH_LASX                           = 0xa03
+	NT_LOONGARCH_LBT                            = 0xa04
+	NT_LOONGARCH_LSX                            = 0xa02
+	NT_MIPS_DSP                                 = 0x800
+	NT_MIPS_FP_MODE                             = 0x801
+	NT_MIPS_MSA                                 = 0x802
+	NT_PPC_DEXCR                                = 0x111
+	NT_PPC_DSCR                                 = 0x105
+	NT_PPC_EBB                                  = 0x106
+	NT_PPC_HASHKEYR                             = 0x112
+	NT_PPC_PKEY                                 = 0x110
+	NT_PPC_PMU                                  = 0x107
+	NT_PPC_PPR                                  = 0x104
+	NT_PPC_SPE                                  = 0x101
+	NT_PPC_TAR                                  = 0x103
+	NT_PPC_TM_CDSCR                             = 0x10f
+	NT_PPC_TM_CFPR                              = 0x109
+	NT_PPC_TM_CGPR                              = 0x108
+	NT_PPC_TM_CPPR                              = 0x10e
+	NT_PPC_TM_CTAR                              = 0x10d
+	NT_PPC_TM_CVMX                              = 0x10a
+	NT_PPC_TM_CVSX                              = 0x10b
+	NT_PPC_TM_SPR                               = 0x10c
+	NT_PPC_VMX                                  = 0x100
+	NT_PPC_VSX                                  = 0x102
+	NT_PRFPREG                                  = 0x2
+	NT_PRPSINFO                                 = 0x3
+	NT_PRSTATUS                                 = 0x1
+	NT_PRXFPREG                                 = 0x46e62b7f
+	NT_RISCV_CSR                                = 0x900
+	NT_RISCV_TAGGED_ADDR_CTRL                   = 0x902
+	NT_RISCV_VECTOR                             = 0x901
+	NT_S390_CTRS                                = 0x304
+	NT_S390_GS_BC                               = 0x30c
+	NT_S390_GS_CB                               = 0x30b
+	NT_S390_HIGH_GPRS                           = 0x300
+	NT_S390_LAST_BREAK                          = 0x306
+	NT_S390_PREFIX                              = 0x305
+	NT_S390_PV_CPU_DATA                         = 0x30e
+	NT_S390_RI_CB                               = 0x30d
+	NT_S390_SYSTEM_CALL                         = 0x307
+	NT_S390_TDB                                 = 0x308
+	NT_S390_TIMER                               = 0x301
+	NT_S390_TODCMP                              = 0x302
+	NT_S390_TODPREG                             = 0x303
+	NT_S390_VXRS_HIGH                           = 0x30a
+	NT_S390_VXRS_LOW                            = 0x309
+	NT_SIGINFO                                  = 0x53494749
+	NT_TASKSTRUCT                               = 0x4
+	NT_VMCOREDD                                 = 0x700
+	NT_X86_SHSTK                                = 0x204
+	NT_X86_XSAVE_LAYOUT                         = 0x205
+	NT_X86_XSTATE                               = 0x202
 	OCFS2_SUPER_MAGIC                           = 0x7461636f
 	OCRNL                                       = 0x8
 	OFDEL                                       = 0x80
@@ -2463,6 +2701,59 @@ const (
 	PERF_RECORD_MISC_USER                       = 0x2
 	PERF_SAMPLE_BRANCH_PLM_ALL                  = 0x7
 	PERF_SAMPLE_WEIGHT_TYPE                     = 0x1004000
+	PF_ALG                                      = 0x26
+	PF_APPLETALK                                = 0x5
+	PF_ASH                                      = 0x12
+	PF_ATMPVC                                   = 0x8
+	PF_ATMSVC                                   = 0x14
+	PF_AX25                                     = 0x3
+	PF_BLUETOOTH                                = 0x1f
+	PF_BRIDGE                                   = 0x7
+	PF_CAIF                                     = 0x25
+	PF_CAN                                      = 0x1d
+	PF_DECnet                                   = 0xc
+	PF_ECONET                                   = 0x13
+	PF_FILE                                     = 0x1
+	PF_IB                                       = 0x1b
+	PF_IEEE802154                               = 0x24
+	PF_INET                                     = 0x2
+	PF_INET6                                    = 0xa
+	PF_IPX                                      = 0x4
+	PF_IRDA                                     = 0x17
+	PF_ISDN                                     = 0x22
+	PF_IUCV                                     = 0x20
+	PF_KCM                                      = 0x29
+	PF_KEY                                      = 0xf
+	PF_LLC                                      = 0x1a
+	PF_LOCAL                                    = 0x1
+	PF_MAX                                      = 0x2e
+	PF_MCTP                                     = 0x2d
+	PF_MPLS                                     = 0x1c
+	PF_NETBEUI                                  = 0xd
+	PF_NETLINK                                  = 0x10
+	PF_NETROM                                   = 0x6
+	PF_NFC                                      = 0x27
+	PF_PACKET                                   = 0x11
+	PF_PHONET                                   = 0x23
+	PF_PPPOX                                    = 0x18
+	PF_QIPCRTR                                  = 0x2a
+	PF_R                                        = 0x4
+	PF_RDS                                      = 0x15
+	PF_ROSE                                     = 0xb
+	PF_ROUTE                                    = 0x10
+	PF_RXRPC                                    = 0x21
+	PF_SECURITY                                 = 0xe
+	PF_SMC                                      = 0x2b
+	PF_SNA                                      = 0x16
+	PF_TIPC                                     = 0x1e
+	PF_UNIX                                     = 0x1
+	PF_UNSPEC                                   = 0x0
+	PF_VSOCK                                    = 0x28
+	PF_W                                        = 0x2
+	PF_WANPIPE                                  = 0x19
+	PF_X                                        = 0x1
+	PF_X25                                      = 0x9
+	PF_XDP                                      = 0x2c
 	PID_FS_MAGIC                                = 0x50494446
 	PIPEFS_MAGIC                                = 0x50495045
 	PPPIOCGNPMODE                               = 0xc008744c
@@ -2758,6 +3049,23 @@ const (
 	PTRACE_SYSCALL_INFO_NONE                    = 0x0
 	PTRACE_SYSCALL_INFO_SECCOMP                 = 0x3
 	PTRACE_TRACEME                              = 0x0
+	PT_AARCH64_MEMTAG_MTE                       = 0x70000002
+	PT_DYNAMIC                                  = 0x2
+	PT_GNU_EH_FRAME                             = 0x6474e550
+	PT_GNU_PROPERTY                             = 0x6474e553
+	PT_GNU_RELRO                                = 0x6474e552
+	PT_GNU_STACK                                = 0x6474e551
+	PT_HIOS                                     = 0x6fffffff
+	PT_HIPROC                                   = 0x7fffffff
+	PT_INTERP                                   = 0x3
+	PT_LOAD                                     = 0x1
+	PT_LOOS                                     = 0x60000000
+	PT_LOPROC                                   = 0x70000000
+	PT_NOTE                                     = 0x4
+	PT_NULL                                     = 0x0
+	PT_PHDR                                     = 0x6
+	PT_SHLIB                                    = 0x5
+	PT_TLS                                      = 0x7
 	P_ALL                                       = 0x0
 	P_PGID                                      = 0x2
 	P_PID                                       = 0x1
@@ -3091,6 +3399,47 @@ const (
 	SEEK_MAX                                    = 0x4
 	SEEK_SET                                    = 0x0
 	SELINUX_MAGIC                               = 0xf97cff8c
+	SHF_ALLOC                                   = 0x2
+	SHF_EXCLUDE                                 = 0x8000000
+	SHF_EXECINSTR                               = 0x4
+	SHF_GROUP                                   = 0x200
+	SHF_INFO_LINK                               = 0x40
+	SHF_LINK_ORDER                              = 0x80
+	SHF_MASKOS                                  = 0xff00000
+	SHF_MASKPROC                                = 0xf0000000
+	SHF_MERGE                                   = 0x10
+	SHF_ORDERED                                 = 0x4000000
+	SHF_OS_NONCONFORMING                        = 0x100
+	SHF_RELA_LIVEPATCH                          = 0x100000
+	SHF_RO_AFTER_INIT                           = 0x200000
+	SHF_STRINGS                                 = 0x20
+	SHF_TLS                                     = 0x400
+	SHF_WRITE                                   = 0x1
+	SHN_ABS                                     = 0xfff1
+	SHN_COMMON                                  = 0xfff2
+	SHN_HIPROC                                  = 0xff1f
+	SHN_HIRESERVE                               = 0xffff
+	SHN_LIVEPATCH                               = 0xff20
+	SHN_LOPROC                                  = 0xff00
+	SHN_LORESERVE                               = 0xff00
+	SHN_UNDEF                                   = 0x0
+	SHT_DYNAMIC                                 = 0x6
+	SHT_DYNSYM                                  = 0xb
+	SHT_HASH                                    = 0x5
+	SHT_HIPROC                                  = 0x7fffffff
+	SHT_HIUSER                                  = 0xffffffff
+	SHT_LOPROC                                  = 0x70000000
+	SHT_LOUSER                                  = 0x80000000
+	SHT_NOBITS                                  = 0x8
+	SHT_NOTE                                    = 0x7
+	SHT_NULL                                    = 0x0
+	SHT_NUM                                     = 0xc
+	SHT_PROGBITS                                = 0x1
+	SHT_REL                                     = 0x9
+	SHT_RELA                                    = 0x4
+	SHT_SHLIB                                   = 0xa
+	SHT_STRTAB                                  = 0x3
+	SHT_SYMTAB                                  = 0x2
 	SHUT_RD                                     = 0x0
 	SHUT_RDWR                                   = 0x2
 	SHUT_WR                                     = 0x1
@@ -3317,6 +3666,16 @@ const (
 	STATX_UID                                   = 0x8
 	STATX_WRITE_ATOMIC                          = 0x10000
 	STATX__RESERVED                             = 0x80000000
+	STB_GLOBAL                                  = 0x1
+	STB_LOCAL                                   = 0x0
+	STB_WEAK                                    = 0x2
+	STT_COMMON                                  = 0x5
+	STT_FILE                                    = 0x4
+	STT_FUNC                                    = 0x2
+	STT_NOTYPE                                  = 0x0
+	STT_OBJECT                                  = 0x1
+	STT_SECTION                                 = 0x3
+	STT_TLS                                     = 0x6
 	SYNC_FILE_RANGE_WAIT_AFTER                  = 0x4
 	SYNC_FILE_RANGE_WAIT_BEFORE                 = 0x1
 	SYNC_FILE_RANGE_WRITE                       = 0x2
@@ -3553,6 +3912,8 @@ const (
 	UTIME_OMIT                                  = 0x3ffffffe
 	V9FS_MAGIC                                  = 0x1021997
 	VERASE                                      = 0x2
+	VER_FLG_BASE                                = 0x1
+	VER_FLG_WEAK                                = 0x2
 	VINTR                                       = 0x0
 	VKILL                                       = 0x3
 	VLNEXT                                      = 0xf
diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_386.go b/vendor/golang.org/x/sys/unix/zerrors_linux_386.go
index 1c37f9fbc4..97a61fc5b8 100644
--- a/vendor/golang.org/x/sys/unix/zerrors_linux_386.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_linux_386.go
@@ -116,6 +116,8 @@ const (
 	IEXTEN                           = 0x8000
 	IN_CLOEXEC                       = 0x80000
 	IN_NONBLOCK                      = 0x800
+	IOCTL_MEI_NOTIFY_GET             = 0x80044803
+	IOCTL_MEI_NOTIFY_SET             = 0x40044802
 	IOCTL_VM_SOCKETS_GET_LOCAL_CID   = 0x7b9
 	IPV6_FLOWINFO_MASK               = 0xffffff0f
 	IPV6_FLOWLABEL_MASK              = 0xffff0f00
diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_amd64.go b/vendor/golang.org/x/sys/unix/zerrors_linux_amd64.go
index 6f54d34aef..a0d6d498c4 100644
--- a/vendor/golang.org/x/sys/unix/zerrors_linux_amd64.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_linux_amd64.go
@@ -116,6 +116,8 @@ const (
 	IEXTEN                           = 0x8000
 	IN_CLOEXEC                       = 0x80000
 	IN_NONBLOCK                      = 0x800
+	IOCTL_MEI_NOTIFY_GET             = 0x80044803
+	IOCTL_MEI_NOTIFY_SET             = 0x40044802
 	IOCTL_VM_SOCKETS_GET_LOCAL_CID   = 0x7b9
 	IPV6_FLOWINFO_MASK               = 0xffffff0f
 	IPV6_FLOWLABEL_MASK              = 0xffff0f00
diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_arm.go b/vendor/golang.org/x/sys/unix/zerrors_linux_arm.go
index 783ec5c126..dd9c903f9a 100644
--- a/vendor/golang.org/x/sys/unix/zerrors_linux_arm.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_linux_arm.go
@@ -115,6 +115,8 @@ const (
 	IEXTEN                           = 0x8000
 	IN_CLOEXEC                       = 0x80000
 	IN_NONBLOCK                      = 0x800
+	IOCTL_MEI_NOTIFY_GET             = 0x80044803
+	IOCTL_MEI_NOTIFY_SET             = 0x40044802
 	IOCTL_VM_SOCKETS_GET_LOCAL_CID   = 0x7b9
 	IPV6_FLOWINFO_MASK               = 0xffffff0f
 	IPV6_FLOWLABEL_MASK              = 0xffff0f00
diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_arm64.go b/vendor/golang.org/x/sys/unix/zerrors_linux_arm64.go
index ca83d3ba16..384c61ca3a 100644
--- a/vendor/golang.org/x/sys/unix/zerrors_linux_arm64.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_linux_arm64.go
@@ -120,6 +120,8 @@ const (
 	IEXTEN                           = 0x8000
 	IN_CLOEXEC                       = 0x80000
 	IN_NONBLOCK                      = 0x800
+	IOCTL_MEI_NOTIFY_GET             = 0x80044803
+	IOCTL_MEI_NOTIFY_SET             = 0x40044802
 	IOCTL_VM_SOCKETS_GET_LOCAL_CID   = 0x7b9
 	IPV6_FLOWINFO_MASK               = 0xffffff0f
 	IPV6_FLOWLABEL_MASK              = 0xffff0f00
diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_loong64.go b/vendor/golang.org/x/sys/unix/zerrors_linux_loong64.go
index 607e611c0c..6384c9831f 100644
--- a/vendor/golang.org/x/sys/unix/zerrors_linux_loong64.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_linux_loong64.go
@@ -116,6 +116,8 @@ const (
 	IEXTEN                           = 0x8000
 	IN_CLOEXEC                       = 0x80000
 	IN_NONBLOCK                      = 0x800
+	IOCTL_MEI_NOTIFY_GET             = 0x80044803
+	IOCTL_MEI_NOTIFY_SET             = 0x40044802
 	IOCTL_VM_SOCKETS_GET_LOCAL_CID   = 0x7b9
 	IPV6_FLOWINFO_MASK               = 0xffffff0f
 	IPV6_FLOWLABEL_MASK              = 0xffff0f00
diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_mips.go b/vendor/golang.org/x/sys/unix/zerrors_linux_mips.go
index b9cb5bd3c0..553c1c6f15 100644
--- a/vendor/golang.org/x/sys/unix/zerrors_linux_mips.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_linux_mips.go
@@ -115,6 +115,8 @@ const (
 	IEXTEN                           = 0x100
 	IN_CLOEXEC                       = 0x80000
 	IN_NONBLOCK                      = 0x80
+	IOCTL_MEI_NOTIFY_GET             = 0x40044803
+	IOCTL_MEI_NOTIFY_SET             = 0x80044802
 	IOCTL_VM_SOCKETS_GET_LOCAL_CID   = 0x200007b9
 	IPV6_FLOWINFO_MASK               = 0xfffffff
 	IPV6_FLOWLABEL_MASK              = 0xfffff
diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_mips64.go b/vendor/golang.org/x/sys/unix/zerrors_linux_mips64.go
index 65b078a638..b3339f2099 100644
--- a/vendor/golang.org/x/sys/unix/zerrors_linux_mips64.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_linux_mips64.go
@@ -115,6 +115,8 @@ const (
 	IEXTEN                           = 0x100
 	IN_CLOEXEC                       = 0x80000
 	IN_NONBLOCK                      = 0x80
+	IOCTL_MEI_NOTIFY_GET             = 0x40044803
+	IOCTL_MEI_NOTIFY_SET             = 0x80044802
 	IOCTL_VM_SOCKETS_GET_LOCAL_CID   = 0x200007b9
 	IPV6_FLOWINFO_MASK               = 0xfffffff
 	IPV6_FLOWLABEL_MASK              = 0xfffff
diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_mips64le.go b/vendor/golang.org/x/sys/unix/zerrors_linux_mips64le.go
index 5298a3033d..177091d2bc 100644
--- a/vendor/golang.org/x/sys/unix/zerrors_linux_mips64le.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_linux_mips64le.go
@@ -115,6 +115,8 @@ const (
 	IEXTEN                           = 0x100
 	IN_CLOEXEC                       = 0x80000
 	IN_NONBLOCK                      = 0x80
+	IOCTL_MEI_NOTIFY_GET             = 0x40044803
+	IOCTL_MEI_NOTIFY_SET             = 0x80044802
 	IOCTL_VM_SOCKETS_GET_LOCAL_CID   = 0x200007b9
 	IPV6_FLOWINFO_MASK               = 0xffffff0f
 	IPV6_FLOWLABEL_MASK              = 0xffff0f00
diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_mipsle.go b/vendor/golang.org/x/sys/unix/zerrors_linux_mipsle.go
index 7bc557c876..c5abf156d0 100644
--- a/vendor/golang.org/x/sys/unix/zerrors_linux_mipsle.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_linux_mipsle.go
@@ -115,6 +115,8 @@ const (
 	IEXTEN                           = 0x100
 	IN_CLOEXEC                       = 0x80000
 	IN_NONBLOCK                      = 0x80
+	IOCTL_MEI_NOTIFY_GET             = 0x40044803
+	IOCTL_MEI_NOTIFY_SET             = 0x80044802
 	IOCTL_VM_SOCKETS_GET_LOCAL_CID   = 0x200007b9
 	IPV6_FLOWINFO_MASK               = 0xffffff0f
 	IPV6_FLOWLABEL_MASK              = 0xffff0f00
diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_ppc.go b/vendor/golang.org/x/sys/unix/zerrors_linux_ppc.go
index 152399bb04..f1f3fadf57 100644
--- a/vendor/golang.org/x/sys/unix/zerrors_linux_ppc.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_linux_ppc.go
@@ -115,6 +115,8 @@ const (
 	IEXTEN                           = 0x400
 	IN_CLOEXEC                       = 0x80000
 	IN_NONBLOCK                      = 0x800
+	IOCTL_MEI_NOTIFY_GET             = 0x40044803
+	IOCTL_MEI_NOTIFY_SET             = 0x80044802
 	IOCTL_VM_SOCKETS_GET_LOCAL_CID   = 0x200007b9
 	IPV6_FLOWINFO_MASK               = 0xfffffff
 	IPV6_FLOWLABEL_MASK              = 0xfffff
diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_ppc64.go b/vendor/golang.org/x/sys/unix/zerrors_linux_ppc64.go
index 1a1ce2409c..203ad9c54a 100644
--- a/vendor/golang.org/x/sys/unix/zerrors_linux_ppc64.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_linux_ppc64.go
@@ -115,6 +115,8 @@ const (
 	IEXTEN                           = 0x400
 	IN_CLOEXEC                       = 0x80000
 	IN_NONBLOCK                      = 0x800
+	IOCTL_MEI_NOTIFY_GET             = 0x40044803
+	IOCTL_MEI_NOTIFY_SET             = 0x80044802
 	IOCTL_VM_SOCKETS_GET_LOCAL_CID   = 0x200007b9
 	IPV6_FLOWINFO_MASK               = 0xfffffff
 	IPV6_FLOWLABEL_MASK              = 0xfffff
diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_ppc64le.go b/vendor/golang.org/x/sys/unix/zerrors_linux_ppc64le.go
index 4231a1fb57..4b9abcb21a 100644
--- a/vendor/golang.org/x/sys/unix/zerrors_linux_ppc64le.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_linux_ppc64le.go
@@ -115,6 +115,8 @@ const (
 	IEXTEN                           = 0x400
 	IN_CLOEXEC                       = 0x80000
 	IN_NONBLOCK                      = 0x800
+	IOCTL_MEI_NOTIFY_GET             = 0x40044803
+	IOCTL_MEI_NOTIFY_SET             = 0x80044802
 	IOCTL_VM_SOCKETS_GET_LOCAL_CID   = 0x200007b9
 	IPV6_FLOWINFO_MASK               = 0xffffff0f
 	IPV6_FLOWLABEL_MASK              = 0xffff0f00
diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_riscv64.go b/vendor/golang.org/x/sys/unix/zerrors_linux_riscv64.go
index 21c0e95266..f87983037d 100644
--- a/vendor/golang.org/x/sys/unix/zerrors_linux_riscv64.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_linux_riscv64.go
@@ -115,6 +115,8 @@ const (
 	IEXTEN                           = 0x8000
 	IN_CLOEXEC                       = 0x80000
 	IN_NONBLOCK                      = 0x800
+	IOCTL_MEI_NOTIFY_GET             = 0x80044803
+	IOCTL_MEI_NOTIFY_SET             = 0x40044802
 	IOCTL_VM_SOCKETS_GET_LOCAL_CID   = 0x7b9
 	IPV6_FLOWINFO_MASK               = 0xffffff0f
 	IPV6_FLOWLABEL_MASK              = 0xffff0f00
diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_s390x.go b/vendor/golang.org/x/sys/unix/zerrors_linux_s390x.go
index f00d1cd7cf..64347eb354 100644
--- a/vendor/golang.org/x/sys/unix/zerrors_linux_s390x.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_linux_s390x.go
@@ -115,6 +115,8 @@ const (
 	IEXTEN                           = 0x8000
 	IN_CLOEXEC                       = 0x80000
 	IN_NONBLOCK                      = 0x800
+	IOCTL_MEI_NOTIFY_GET             = 0x80044803
+	IOCTL_MEI_NOTIFY_SET             = 0x40044802
 	IOCTL_VM_SOCKETS_GET_LOCAL_CID   = 0x7b9
 	IPV6_FLOWINFO_MASK               = 0xfffffff
 	IPV6_FLOWLABEL_MASK              = 0xfffff
diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_sparc64.go b/vendor/golang.org/x/sys/unix/zerrors_linux_sparc64.go
index bc8d539e6a..7d71911718 100644
--- a/vendor/golang.org/x/sys/unix/zerrors_linux_sparc64.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_linux_sparc64.go
@@ -119,6 +119,8 @@ const (
 	IEXTEN                           = 0x8000
 	IN_CLOEXEC                       = 0x400000
 	IN_NONBLOCK                      = 0x4000
+	IOCTL_MEI_NOTIFY_GET             = 0x40044803
+	IOCTL_MEI_NOTIFY_SET             = 0x80044802
 	IOCTL_VM_SOCKETS_GET_LOCAL_CID   = 0x200007b9
 	IPV6_FLOWINFO_MASK               = 0xfffffff
 	IPV6_FLOWLABEL_MASK              = 0xfffff
diff --git a/vendor/golang.org/x/sys/unix/zsyscall_linux.go b/vendor/golang.org/x/sys/unix/zsyscall_linux.go
index 5cc1e8eb2f..8935d10a31 100644
--- a/vendor/golang.org/x/sys/unix/zsyscall_linux.go
+++ b/vendor/golang.org/x/sys/unix/zsyscall_linux.go
@@ -2238,3 +2238,13 @@ func Mseal(b []byte, flags uint) (err error) {
 	}
 	return
 }
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
+func setMemPolicy(mode int, mask *CPUSet, size int) (err error) {
+	_, _, e1 := Syscall(SYS_SET_MEMPOLICY, uintptr(mode), uintptr(unsafe.Pointer(mask)), uintptr(size))
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
diff --git a/vendor/golang.org/x/sys/unix/ztypes_linux.go b/vendor/golang.org/x/sys/unix/ztypes_linux.go
index 944e75a11c..c1a4670171 100644
--- a/vendor/golang.org/x/sys/unix/ztypes_linux.go
+++ b/vendor/golang.org/x/sys/unix/ztypes_linux.go
@@ -3590,6 +3590,8 @@ type Nhmsg struct {
 	Flags    uint32
 }
 
+const SizeofNhmsg = 0x8
+
 type NexthopGrp struct {
 	Id     uint32
 	Weight uint8
@@ -3597,6 +3599,8 @@ type NexthopGrp struct {
 	Resvd2 uint16
 }
 
+const SizeofNexthopGrp = 0x8
+
 const (
 	NHA_UNSPEC     = 0x0
 	NHA_ID         = 0x1
@@ -6332,3 +6336,30 @@ type SockDiagReq struct {
 }
 
 const RTM_NEWNVLAN = 0x70
+
+const (
+	MPOL_BIND                = 0x2
+	MPOL_DEFAULT             = 0x0
+	MPOL_F_ADDR              = 0x2
+	MPOL_F_MEMS_ALLOWED      = 0x4
+	MPOL_F_MOF               = 0x8
+	MPOL_F_MORON             = 0x10
+	MPOL_F_NODE              = 0x1
+	MPOL_F_NUMA_BALANCING    = 0x2000
+	MPOL_F_RELATIVE_NODES    = 0x4000
+	MPOL_F_SHARED            = 0x1
+	MPOL_F_STATIC_NODES      = 0x8000
+	MPOL_INTERLEAVE          = 0x3
+	MPOL_LOCAL               = 0x4
+	MPOL_MAX                 = 0x7
+	MPOL_MF_INTERNAL         = 0x10
+	MPOL_MF_LAZY             = 0x8
+	MPOL_MF_MOVE_ALL         = 0x4
+	MPOL_MF_MOVE             = 0x2
+	MPOL_MF_STRICT           = 0x1
+	MPOL_MF_VALID            = 0x7
+	MPOL_MODE_FLAGS          = 0xe000
+	MPOL_PREFERRED           = 0x1
+	MPOL_PREFERRED_MANY      = 0x5
+	MPOL_WEIGHTED_INTERLEAVE = 0x6
+)
diff --git a/vendor/golang.org/x/sys/unix/ztypes_netbsd_arm.go b/vendor/golang.org/x/sys/unix/ztypes_netbsd_arm.go
index 439548ec9a..50e8e64497 100644
--- a/vendor/golang.org/x/sys/unix/ztypes_netbsd_arm.go
+++ b/vendor/golang.org/x/sys/unix/ztypes_netbsd_arm.go
@@ -104,7 +104,7 @@ type Statvfs_t struct {
 	Fsid        uint32
 	Namemax     uint32
 	Owner       uint32
-	Spare       [4]uint32
+	Spare       [4]uint64
 	Fstypename  [32]byte
 	Mntonname   [1024]byte
 	Mntfromname [1024]byte
diff --git a/vendor/golang.org/x/sys/windows/syscall_windows.go b/vendor/golang.org/x/sys/windows/syscall_windows.go
index 640f6b153f..69439df2a4 100644
--- a/vendor/golang.org/x/sys/windows/syscall_windows.go
+++ b/vendor/golang.org/x/sys/windows/syscall_windows.go
@@ -321,6 +321,8 @@ func NewCallbackCDecl(fn interface{}) uintptr {
 //sys	SetConsoleOutputCP(cp uint32) (err error) = kernel32.SetConsoleOutputCP
 //sys	WriteConsole(console Handle, buf *uint16, towrite uint32, written *uint32, reserved *byte) (err error) = kernel32.WriteConsoleW
 //sys	ReadConsole(console Handle, buf *uint16, toread uint32, read *uint32, inputControl *byte) (err error) = kernel32.ReadConsoleW
+//sys	GetNumberOfConsoleInputEvents(console Handle, numevents *uint32) (err error) = kernel32.GetNumberOfConsoleInputEvents
+//sys	FlushConsoleInputBuffer(console Handle) (err error) = kernel32.FlushConsoleInputBuffer
 //sys	resizePseudoConsole(pconsole Handle, size uint32) (hr error) = kernel32.ResizePseudoConsole
 //sys	CreateToolhelp32Snapshot(flags uint32, processId uint32) (handle Handle, err error) [failretval==InvalidHandle] = kernel32.CreateToolhelp32Snapshot
 //sys	Module32First(snapshot Handle, moduleEntry *ModuleEntry32) (err error) = kernel32.Module32FirstW
@@ -890,8 +892,12 @@ const socket_error = uintptr(^uint32(0))
 //sys	MultiByteToWideChar(codePage uint32, dwFlags uint32, str *byte, nstr int32, wchar *uint16, nwchar int32) (nwrite int32, err error) = kernel32.MultiByteToWideChar
 //sys	getBestInterfaceEx(sockaddr unsafe.Pointer, pdwBestIfIndex *uint32) (errcode error) = iphlpapi.GetBestInterfaceEx
 //sys   GetIfEntry2Ex(level uint32, row *MibIfRow2) (errcode error) = iphlpapi.GetIfEntry2Ex
+//sys   GetIpForwardEntry2(row *MibIpForwardRow2) (errcode error) = iphlpapi.GetIpForwardEntry2
+//sys   GetIpForwardTable2(family uint16, table **MibIpForwardTable2) (errcode error) = iphlpapi.GetIpForwardTable2
 //sys   GetUnicastIpAddressEntry(row *MibUnicastIpAddressRow) (errcode error) = iphlpapi.GetUnicastIpAddressEntry
+//sys   FreeMibTable(memory unsafe.Pointer) = iphlpapi.FreeMibTable
 //sys   NotifyIpInterfaceChange(family uint16, callback uintptr, callerContext unsafe.Pointer, initialNotification bool, notificationHandle *Handle) (errcode error) = iphlpapi.NotifyIpInterfaceChange
+//sys   NotifyRouteChange2(family uint16, callback uintptr, callerContext unsafe.Pointer, initialNotification bool, notificationHandle *Handle) (errcode error) = iphlpapi.NotifyRouteChange2
 //sys   NotifyUnicastIpAddressChange(family uint16, callback uintptr, callerContext unsafe.Pointer, initialNotification bool, notificationHandle *Handle) (errcode error) = iphlpapi.NotifyUnicastIpAddressChange
 //sys   CancelMibChangeNotify2(notificationHandle Handle) (errcode error) = iphlpapi.CancelMibChangeNotify2
 
@@ -914,6 +920,17 @@ type RawSockaddrInet6 struct {
 	Scope_id uint32
 }
 
+// RawSockaddrInet is a union that contains an IPv4, an IPv6 address, or an address family. See
+// https://learn.microsoft.com/en-us/windows/win32/api/ws2ipdef/ns-ws2ipdef-sockaddr_inet.
+//
+// A [*RawSockaddrInet] may be converted to a [*RawSockaddrInet4] or [*RawSockaddrInet6] using
+// unsafe, depending on the address family.
+type RawSockaddrInet struct {
+	Family uint16
+	Port   uint16
+	Data   [6]uint32
+}
+
 type RawSockaddr struct {
 	Family uint16
 	Data   [14]int8
diff --git a/vendor/golang.org/x/sys/windows/types_windows.go b/vendor/golang.org/x/sys/windows/types_windows.go
index 993a2297db..6e4f50eb48 100644
--- a/vendor/golang.org/x/sys/windows/types_windows.go
+++ b/vendor/golang.org/x/sys/windows/types_windows.go
@@ -65,6 +65,22 @@ var signals = [...]string{
 	15: "terminated",
 }
 
+// File flags for [os.OpenFile]. The O_ prefix is used to indicate
+// that these flags are specific to the OpenFile function.
+const (
+	O_FILE_FLAG_OPEN_NO_RECALL     = FILE_FLAG_OPEN_NO_RECALL
+	O_FILE_FLAG_OPEN_REPARSE_POINT = FILE_FLAG_OPEN_REPARSE_POINT
+	O_FILE_FLAG_SESSION_AWARE      = FILE_FLAG_SESSION_AWARE
+	O_FILE_FLAG_POSIX_SEMANTICS    = FILE_FLAG_POSIX_SEMANTICS
+	O_FILE_FLAG_BACKUP_SEMANTICS   = FILE_FLAG_BACKUP_SEMANTICS
+	O_FILE_FLAG_DELETE_ON_CLOSE    = FILE_FLAG_DELETE_ON_CLOSE
+	O_FILE_FLAG_SEQUENTIAL_SCAN    = FILE_FLAG_SEQUENTIAL_SCAN
+	O_FILE_FLAG_RANDOM_ACCESS      = FILE_FLAG_RANDOM_ACCESS
+	O_FILE_FLAG_NO_BUFFERING       = FILE_FLAG_NO_BUFFERING
+	O_FILE_FLAG_OVERLAPPED         = FILE_FLAG_OVERLAPPED
+	O_FILE_FLAG_WRITE_THROUGH      = FILE_FLAG_WRITE_THROUGH
+)
+
 const (
 	FILE_READ_DATA        = 0x00000001
 	FILE_READ_ATTRIBUTES  = 0x00000080
@@ -2304,6 +2320,82 @@ type MibIfRow2 struct {
 	OutQLen                     uint64
 }
 
+// IP_ADDRESS_PREFIX stores an IP address prefix. See
+// https://learn.microsoft.com/en-us/windows/win32/api/netioapi/ns-netioapi-ip_address_prefix.
+type IpAddressPrefix struct {
+	Prefix       RawSockaddrInet
+	PrefixLength uint8
+}
+
+// NL_ROUTE_ORIGIN enumeration from nldef.h or
+// https://learn.microsoft.com/en-us/windows/win32/api/nldef/ne-nldef-nl_route_origin.
+const (
+	NlroManual              = 0
+	NlroWellKnown           = 1
+	NlroDHCP                = 2
+	NlroRouterAdvertisement = 3
+	Nlro6to4                = 4
+)
+
+// NL_ROUTE_ORIGIN enumeration from nldef.h or
+// https://learn.microsoft.com/en-us/windows/win32/api/nldef/ne-nldef-nl_route_protocol.
+const (
+	MIB_IPPROTO_OTHER             = 1
+	MIB_IPPROTO_LOCAL             = 2
+	MIB_IPPROTO_NETMGMT           = 3
+	MIB_IPPROTO_ICMP              = 4
+	MIB_IPPROTO_EGP               = 5
+	MIB_IPPROTO_GGP               = 6
+	MIB_IPPROTO_HELLO             = 7
+	MIB_IPPROTO_RIP               = 8
+	MIB_IPPROTO_IS_IS             = 9
+	MIB_IPPROTO_ES_IS             = 10
+	MIB_IPPROTO_CISCO             = 11
+	MIB_IPPROTO_BBN               = 12
+	MIB_IPPROTO_OSPF              = 13
+	MIB_IPPROTO_BGP               = 14
+	MIB_IPPROTO_IDPR              = 15
+	MIB_IPPROTO_EIGRP             = 16
+	MIB_IPPROTO_DVMRP             = 17
+	MIB_IPPROTO_RPL               = 18
+	MIB_IPPROTO_DHCP              = 19
+	MIB_IPPROTO_NT_AUTOSTATIC     = 10002
+	MIB_IPPROTO_NT_STATIC         = 10006
+	MIB_IPPROTO_NT_STATIC_NON_DOD = 10007
+)
+
+// MIB_IPFORWARD_ROW2 stores information about an IP route entry. See
+// https://learn.microsoft.com/en-us/windows/win32/api/netioapi/ns-netioapi-mib_ipforward_row2.
+type MibIpForwardRow2 struct {
+	InterfaceLuid        uint64
+	InterfaceIndex       uint32
+	DestinationPrefix    IpAddressPrefix
+	NextHop              RawSockaddrInet
+	SitePrefixLength     uint8
+	ValidLifetime        uint32
+	PreferredLifetime    uint32
+	Metric               uint32
+	Protocol             uint32
+	Loopback             uint8
+	AutoconfigureAddress uint8
+	Publish              uint8
+	Immortal             uint8
+	Age                  uint32
+	Origin               uint32
+}
+
+// MIB_IPFORWARD_TABLE2 contains a table of IP route entries. See
+// https://learn.microsoft.com/en-us/windows/win32/api/netioapi/ns-netioapi-mib_ipforward_table2.
+type MibIpForwardTable2 struct {
+	NumEntries uint32
+	Table      [1]MibIpForwardRow2
+}
+
+// Rows returns the IP route entries in the table.
+func (t *MibIpForwardTable2) Rows() []MibIpForwardRow2 {
+	return unsafe.Slice(&t.Table[0], t.NumEntries)
+}
+
 // MIB_UNICASTIPADDRESS_ROW stores information about a unicast IP address. See
 // https://learn.microsoft.com/en-us/windows/win32/api/netioapi/ns-netioapi-mib_unicastipaddress_row.
 type MibUnicastIpAddressRow struct {
diff --git a/vendor/golang.org/x/sys/windows/zsyscall_windows.go b/vendor/golang.org/x/sys/windows/zsyscall_windows.go
index 641a5f4b77..f25b7308a1 100644
--- a/vendor/golang.org/x/sys/windows/zsyscall_windows.go
+++ b/vendor/golang.org/x/sys/windows/zsyscall_windows.go
@@ -182,13 +182,17 @@ var (
 	procDwmGetWindowAttribute                                = moddwmapi.NewProc("DwmGetWindowAttribute")
 	procDwmSetWindowAttribute                                = moddwmapi.NewProc("DwmSetWindowAttribute")
 	procCancelMibChangeNotify2                               = modiphlpapi.NewProc("CancelMibChangeNotify2")
+	procFreeMibTable                                         = modiphlpapi.NewProc("FreeMibTable")
 	procGetAdaptersAddresses                                 = modiphlpapi.NewProc("GetAdaptersAddresses")
 	procGetAdaptersInfo                                      = modiphlpapi.NewProc("GetAdaptersInfo")
 	procGetBestInterfaceEx                                   = modiphlpapi.NewProc("GetBestInterfaceEx")
 	procGetIfEntry                                           = modiphlpapi.NewProc("GetIfEntry")
 	procGetIfEntry2Ex                                        = modiphlpapi.NewProc("GetIfEntry2Ex")
+	procGetIpForwardEntry2                                   = modiphlpapi.NewProc("GetIpForwardEntry2")
+	procGetIpForwardTable2                                   = modiphlpapi.NewProc("GetIpForwardTable2")
 	procGetUnicastIpAddressEntry                             = modiphlpapi.NewProc("GetUnicastIpAddressEntry")
 	procNotifyIpInterfaceChange                              = modiphlpapi.NewProc("NotifyIpInterfaceChange")
+	procNotifyRouteChange2                                   = modiphlpapi.NewProc("NotifyRouteChange2")
 	procNotifyUnicastIpAddressChange                         = modiphlpapi.NewProc("NotifyUnicastIpAddressChange")
 	procAddDllDirectory                                      = modkernel32.NewProc("AddDllDirectory")
 	procAssignProcessToJobObject                             = modkernel32.NewProc("AssignProcessToJobObject")
@@ -238,6 +242,7 @@ var (
 	procFindResourceW                                        = modkernel32.NewProc("FindResourceW")
 	procFindVolumeClose                                      = modkernel32.NewProc("FindVolumeClose")
 	procFindVolumeMountPointClose                            = modkernel32.NewProc("FindVolumeMountPointClose")
+	procFlushConsoleInputBuffer                              = modkernel32.NewProc("FlushConsoleInputBuffer")
 	procFlushFileBuffers                                     = modkernel32.NewProc("FlushFileBuffers")
 	procFlushViewOfFile                                      = modkernel32.NewProc("FlushViewOfFile")
 	procFormatMessageW                                       = modkernel32.NewProc("FormatMessageW")
@@ -284,6 +289,7 @@ var (
 	procGetNamedPipeHandleStateW                             = modkernel32.NewProc("GetNamedPipeHandleStateW")
 	procGetNamedPipeInfo                                     = modkernel32.NewProc("GetNamedPipeInfo")
 	procGetNamedPipeServerProcessId                          = modkernel32.NewProc("GetNamedPipeServerProcessId")
+	procGetNumberOfConsoleInputEvents                        = modkernel32.NewProc("GetNumberOfConsoleInputEvents")
 	procGetOverlappedResult                                  = modkernel32.NewProc("GetOverlappedResult")
 	procGetPriorityClass                                     = modkernel32.NewProc("GetPriorityClass")
 	procGetProcAddress                                       = modkernel32.NewProc("GetProcAddress")
@@ -1622,6 +1628,11 @@ func CancelMibChangeNotify2(notificationHandle Handle) (errcode error) {
 	return
 }
 
+func FreeMibTable(memory unsafe.Pointer) {
+	syscall.SyscallN(procFreeMibTable.Addr(), uintptr(memory))
+	return
+}
+
 func GetAdaptersAddresses(family uint32, flags uint32, reserved uintptr, adapterAddresses *IpAdapterAddresses, sizePointer *uint32) (errcode error) {
 	r0, _, _ := syscall.SyscallN(procGetAdaptersAddresses.Addr(), uintptr(family), uintptr(flags), uintptr(reserved), uintptr(unsafe.Pointer(adapterAddresses)), uintptr(unsafe.Pointer(sizePointer)))
 	if r0 != 0 {
@@ -1662,6 +1673,22 @@ func GetIfEntry2Ex(level uint32, row *MibIfRow2) (errcode error) {
 	return
 }
 
+func GetIpForwardEntry2(row *MibIpForwardRow2) (errcode error) {
+	r0, _, _ := syscall.SyscallN(procGetIpForwardEntry2.Addr(), uintptr(unsafe.Pointer(row)))
+	if r0 != 0 {
+		errcode = syscall.Errno(r0)
+	}
+	return
+}
+
+func GetIpForwardTable2(family uint16, table **MibIpForwardTable2) (errcode error) {
+	r0, _, _ := syscall.SyscallN(procGetIpForwardTable2.Addr(), uintptr(family), uintptr(unsafe.Pointer(table)))
+	if r0 != 0 {
+		errcode = syscall.Errno(r0)
+	}
+	return
+}
+
 func GetUnicastIpAddressEntry(row *MibUnicastIpAddressRow) (errcode error) {
 	r0, _, _ := syscall.SyscallN(procGetUnicastIpAddressEntry.Addr(), uintptr(unsafe.Pointer(row)))
 	if r0 != 0 {
@@ -1682,6 +1709,18 @@ func NotifyIpInterfaceChange(family uint16, callback uintptr, callerContext unsa
 	return
 }
 
+func NotifyRouteChange2(family uint16, callback uintptr, callerContext unsafe.Pointer, initialNotification bool, notificationHandle *Handle) (errcode error) {
+	var _p0 uint32
+	if initialNotification {
+		_p0 = 1
+	}
+	r0, _, _ := syscall.SyscallN(procNotifyRouteChange2.Addr(), uintptr(family), uintptr(callback), uintptr(callerContext), uintptr(_p0), uintptr(unsafe.Pointer(notificationHandle)))
+	if r0 != 0 {
+		errcode = syscall.Errno(r0)
+	}
+	return
+}
+
 func NotifyUnicastIpAddressChange(family uint16, callback uintptr, callerContext unsafe.Pointer, initialNotification bool, notificationHandle *Handle) (errcode error) {
 	var _p0 uint32
 	if initialNotification {
@@ -2111,6 +2150,14 @@ func FindVolumeMountPointClose(findVolumeMountPoint Handle) (err error) {
 	return
 }
 
+func FlushConsoleInputBuffer(console Handle) (err error) {
+	r1, _, e1 := syscall.SyscallN(procFlushConsoleInputBuffer.Addr(), uintptr(console))
+	if r1 == 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
 func FlushFileBuffers(handle Handle) (err error) {
 	r1, _, e1 := syscall.SyscallN(procFlushFileBuffers.Addr(), uintptr(handle))
 	if r1 == 0 {
@@ -2481,6 +2528,14 @@ func GetNamedPipeServerProcessId(pipe Handle, serverProcessID *uint32) (err erro
 	return
 }
 
+func GetNumberOfConsoleInputEvents(console Handle, numevents *uint32) (err error) {
+	r1, _, e1 := syscall.SyscallN(procGetNumberOfConsoleInputEvents.Addr(), uintptr(console), uintptr(unsafe.Pointer(numevents)))
+	if r1 == 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
 func GetOverlappedResult(handle Handle, overlapped *Overlapped, done *uint32, wait bool) (err error) {
 	var _p0 uint32
 	if wait {
diff --git a/vendor/golang.org/x/term/terminal.go b/vendor/golang.org/x/term/terminal.go
index bddb2e2aeb..6ec537cdc1 100644
--- a/vendor/golang.org/x/term/terminal.go
+++ b/vendor/golang.org/x/term/terminal.go
@@ -160,7 +160,9 @@ const (
 	keyEnd
 	keyDeleteWord
 	keyDeleteLine
+	keyDelete
 	keyClearScreen
+	keyTranspose
 	keyPasteStart
 	keyPasteEnd
 )
@@ -194,6 +196,8 @@ func bytesToKey(b []byte, pasteActive bool) (rune, []byte) {
 			return keyDeleteLine, b[1:]
 		case 12: // ^L
 			return keyClearScreen, b[1:]
+		case 20: // ^T
+			return keyTranspose, b[1:]
 		case 23: // ^W
 			return keyDeleteWord, b[1:]
 		case 14: // ^N
@@ -228,6 +232,10 @@ func bytesToKey(b []byte, pasteActive bool) (rune, []byte) {
 		}
 	}
 
+	if !pasteActive && len(b) >= 4 && b[0] == keyEscape && b[1] == '[' && b[2] == '3' && b[3] == '~' {
+		return keyDelete, b[4:]
+	}
+
 	if !pasteActive && len(b) >= 6 && b[0] == keyEscape && b[1] == '[' && b[2] == '1' && b[3] == ';' && b[4] == '3' {
 		switch b[5] {
 		case 'C':
@@ -413,7 +421,7 @@ func (t *Terminal) eraseNPreviousChars(n int) {
 	}
 }
 
-// countToLeftWord returns then number of characters from the cursor to the
+// countToLeftWord returns the number of characters from the cursor to the
 // start of the previous word.
 func (t *Terminal) countToLeftWord() int {
 	if t.pos == 0 {
@@ -438,7 +446,7 @@ func (t *Terminal) countToLeftWord() int {
 	return t.pos - pos
 }
 
-// countToRightWord returns then number of characters from the cursor to the
+// countToRightWord returns the number of characters from the cursor to the
 // start of the next word.
 func (t *Terminal) countToRightWord() int {
 	pos := t.pos
@@ -478,7 +486,7 @@ func visualLength(runes []rune) int {
 	return length
 }
 
-// histroryAt unlocks the terminal and relocks it while calling History.At.
+// historyAt unlocks the terminal and relocks it while calling History.At.
 func (t *Terminal) historyAt(idx int) (string, bool) {
 	t.lock.Unlock()     // Unlock to avoid deadlock if History methods use the output writer.
 	defer t.lock.Lock() // panic in At (or Len) protection.
@@ -590,7 +598,7 @@ func (t *Terminal) handleKey(key rune) (line string, ok bool) {
 		}
 		t.line = t.line[:t.pos]
 		t.moveCursorToPos(t.pos)
-	case keyCtrlD:
+	case keyCtrlD, keyDelete:
 		// Erase the character under the current position.
 		// The EOF case when the line is empty is handled in
 		// readLine().
@@ -600,6 +608,24 @@ func (t *Terminal) handleKey(key rune) (line string, ok bool) {
 		}
 	case keyCtrlU:
 		t.eraseNPreviousChars(t.pos)
+	case keyTranspose:
+		// This transposes the two characters around the cursor and advances the cursor. Best-effort.
+		if len(t.line) < 2 || t.pos < 1 {
+			return
+		}
+		swap := t.pos
+		if swap == len(t.line) {
+			swap-- // special: at end of line, swap previous two chars
+		}
+		t.line[swap-1], t.line[swap] = t.line[swap], t.line[swap-1]
+		if t.pos < len(t.line) {
+			t.pos++
+		}
+		if t.echo {
+			t.moveCursorToPos(swap - 1)
+			t.writeLine(t.line[swap-1:])
+			t.moveCursorToPos(t.pos)
+		}
 	case keyClearScreen:
 		// Erases the screen and moves the cursor to the home position.
 		t.queue([]rune("\x1b[2J\x1b[H"))
diff --git a/vendor/golang.org/x/text/encoding/japanese/eucjp.go b/vendor/golang.org/x/text/encoding/japanese/eucjp.go
index 79313fa589..6fce8c5f52 100644
--- a/vendor/golang.org/x/text/encoding/japanese/eucjp.go
+++ b/vendor/golang.org/x/text/encoding/japanese/eucjp.go
@@ -17,9 +17,9 @@ import (
 var EUCJP encoding.Encoding = &eucJP
 
 var eucJP = internal.Encoding{
-	&internal.SimpleEncoding{eucJPDecoder{}, eucJPEncoder{}},
-	"EUC-JP",
-	identifier.EUCPkdFmtJapanese,
+	Encoding: &internal.SimpleEncoding{Decoder: eucJPDecoder{}, Encoder: eucJPEncoder{}},
+	Name:     "EUC-JP",
+	MIB:      identifier.EUCPkdFmtJapanese,
 }
 
 type eucJPDecoder struct{ transform.NopResetter }
diff --git a/vendor/golang.org/x/text/encoding/japanese/iso2022jp.go b/vendor/golang.org/x/text/encoding/japanese/iso2022jp.go
index 613226df5e..6f7bd460a6 100644
--- a/vendor/golang.org/x/text/encoding/japanese/iso2022jp.go
+++ b/vendor/golang.org/x/text/encoding/japanese/iso2022jp.go
@@ -17,9 +17,9 @@ import (
 var ISO2022JP encoding.Encoding = &iso2022JP
 
 var iso2022JP = internal.Encoding{
-	internal.FuncEncoding{iso2022JPNewDecoder, iso2022JPNewEncoder},
-	"ISO-2022-JP",
-	identifier.ISO2022JP,
+	Encoding: internal.FuncEncoding{Decoder: iso2022JPNewDecoder, Encoder: iso2022JPNewEncoder},
+	Name:     "ISO-2022-JP",
+	MIB:      identifier.ISO2022JP,
 }
 
 func iso2022JPNewDecoder() transform.Transformer {
diff --git a/vendor/golang.org/x/text/encoding/japanese/shiftjis.go b/vendor/golang.org/x/text/encoding/japanese/shiftjis.go
index 16fd8a6e3e..af65d43d95 100644
--- a/vendor/golang.org/x/text/encoding/japanese/shiftjis.go
+++ b/vendor/golang.org/x/text/encoding/japanese/shiftjis.go
@@ -18,9 +18,9 @@ import (
 var ShiftJIS encoding.Encoding = &shiftJIS
 
 var shiftJIS = internal.Encoding{
-	&internal.SimpleEncoding{shiftJISDecoder{}, shiftJISEncoder{}},
-	"Shift JIS",
-	identifier.ShiftJIS,
+	Encoding: &internal.SimpleEncoding{Decoder: shiftJISDecoder{}, Encoder: shiftJISEncoder{}},
+	Name:     "Shift JIS",
+	MIB:      identifier.ShiftJIS,
 }
 
 type shiftJISDecoder struct{ transform.NopResetter }
diff --git a/vendor/golang.org/x/text/encoding/korean/euckr.go b/vendor/golang.org/x/text/encoding/korean/euckr.go
index 034337f5df..81c834730c 100644
--- a/vendor/golang.org/x/text/encoding/korean/euckr.go
+++ b/vendor/golang.org/x/text/encoding/korean/euckr.go
@@ -20,9 +20,9 @@ var All = []encoding.Encoding{EUCKR}
 var EUCKR encoding.Encoding = &eucKR
 
 var eucKR = internal.Encoding{
-	&internal.SimpleEncoding{eucKRDecoder{}, eucKREncoder{}},
-	"EUC-KR",
-	identifier.EUCKR,
+	Encoding: &internal.SimpleEncoding{Decoder: eucKRDecoder{}, Encoder: eucKREncoder{}},
+	Name:     "EUC-KR",
+	MIB:      identifier.EUCKR,
 }
 
 type eucKRDecoder struct{ transform.NopResetter }
diff --git a/vendor/golang.org/x/text/encoding/simplifiedchinese/gbk.go b/vendor/golang.org/x/text/encoding/simplifiedchinese/gbk.go
index 0e0fabfd6b..2f2fd5d449 100644
--- a/vendor/golang.org/x/text/encoding/simplifiedchinese/gbk.go
+++ b/vendor/golang.org/x/text/encoding/simplifiedchinese/gbk.go
@@ -22,21 +22,21 @@ var (
 )
 
 var gbk = internal.Encoding{
-	&internal.SimpleEncoding{
-		gbkDecoder{gb18030: false},
-		gbkEncoder{gb18030: false},
+	Encoding: &internal.SimpleEncoding{
+		Decoder: gbkDecoder{gb18030: false},
+		Encoder: gbkEncoder{gb18030: false},
 	},
-	"GBK",
-	identifier.GBK,
+	Name: "GBK",
+	MIB:  identifier.GBK,
 }
 
 var gbk18030 = internal.Encoding{
-	&internal.SimpleEncoding{
-		gbkDecoder{gb18030: true},
-		gbkEncoder{gb18030: true},
+	Encoding: &internal.SimpleEncoding{
+		Decoder: gbkDecoder{gb18030: true},
+		Encoder: gbkEncoder{gb18030: true},
 	},
-	"GB18030",
-	identifier.GB18030,
+	Name: "GB18030",
+	MIB:  identifier.GB18030,
 }
 
 type gbkDecoder struct {
diff --git a/vendor/golang.org/x/text/encoding/simplifiedchinese/hzgb2312.go b/vendor/golang.org/x/text/encoding/simplifiedchinese/hzgb2312.go
index e15b7bf6a7..351750e60e 100644
--- a/vendor/golang.org/x/text/encoding/simplifiedchinese/hzgb2312.go
+++ b/vendor/golang.org/x/text/encoding/simplifiedchinese/hzgb2312.go
@@ -17,9 +17,9 @@ import (
 var HZGB2312 encoding.Encoding = &hzGB2312
 
 var hzGB2312 = internal.Encoding{
-	internal.FuncEncoding{hzGB2312NewDecoder, hzGB2312NewEncoder},
-	"HZ-GB2312",
-	identifier.HZGB2312,
+	Encoding: internal.FuncEncoding{Decoder: hzGB2312NewDecoder, Encoder: hzGB2312NewEncoder},
+	Name:     "HZ-GB2312",
+	MIB:      identifier.HZGB2312,
 }
 
 func hzGB2312NewDecoder() transform.Transformer {
diff --git a/vendor/golang.org/x/text/encoding/traditionalchinese/big5.go b/vendor/golang.org/x/text/encoding/traditionalchinese/big5.go
index 1fcddde082..5046920ee0 100644
--- a/vendor/golang.org/x/text/encoding/traditionalchinese/big5.go
+++ b/vendor/golang.org/x/text/encoding/traditionalchinese/big5.go
@@ -20,9 +20,9 @@ var All = []encoding.Encoding{Big5}
 var Big5 encoding.Encoding = &big5
 
 var big5 = internal.Encoding{
-	&internal.SimpleEncoding{big5Decoder{}, big5Encoder{}},
-	"Big5",
-	identifier.Big5,
+	Encoding: &internal.SimpleEncoding{Decoder: big5Decoder{}, Encoder: big5Encoder{}},
+	Name:     "Big5",
+	MIB:      identifier.Big5,
 }
 
 type big5Decoder struct{ transform.NopResetter }
diff --git a/vendor/golang.org/x/text/encoding/unicode/unicode.go b/vendor/golang.org/x/text/encoding/unicode/unicode.go
index dd99ad14d3..ce28c90628 100644
--- a/vendor/golang.org/x/text/encoding/unicode/unicode.go
+++ b/vendor/golang.org/x/text/encoding/unicode/unicode.go
@@ -60,9 +60,9 @@ func (utf8bomEncoding) NewDecoder() *encoding.Decoder {
 }
 
 var utf8enc = &internal.Encoding{
-	&internal.SimpleEncoding{utf8Decoder{}, runes.ReplaceIllFormed()},
-	"UTF-8",
-	identifier.UTF8,
+	Encoding: &internal.SimpleEncoding{Decoder: utf8Decoder{}, Encoder: runes.ReplaceIllFormed()},
+	Name:     "UTF-8",
+	MIB:      identifier.UTF8,
 }
 
 type utf8bomDecoder struct {
diff --git a/vendor/golang.org/x/text/unicode/bidi/core.go b/vendor/golang.org/x/text/unicode/bidi/core.go
index 9d2ae547b5..fb8273236d 100644
--- a/vendor/golang.org/x/text/unicode/bidi/core.go
+++ b/vendor/golang.org/x/text/unicode/bidi/core.go
@@ -427,13 +427,6 @@ type isolatingRunSequence struct {
 
 func (i *isolatingRunSequence) Len() int { return len(i.indexes) }
 
-func maxLevel(a, b level) level {
-	if a > b {
-		return a
-	}
-	return b
-}
-
 // Rule X10, second bullet: Determine the start-of-sequence (sos) and end-of-sequence (eos) types,
 // either L or R, for each isolating run sequence.
 func (p *paragraph) isolatingRunSequence(indexes []int) *isolatingRunSequence {
@@ -474,8 +467,8 @@ func (p *paragraph) isolatingRunSequence(indexes []int) *isolatingRunSequence {
 		indexes: indexes,
 		types:   types,
 		level:   level,
-		sos:     typeForLevel(maxLevel(prevLevel, level)),
-		eos:     typeForLevel(maxLevel(succLevel, level)),
+		sos:     typeForLevel(max(prevLevel, level)),
+		eos:     typeForLevel(max(succLevel, level)),
 	}
 }
 
diff --git a/vendor/golang.org/x/tools/go/ast/inspector/cursor.go b/vendor/golang.org/x/tools/go/ast/inspector/cursor.go
index 7e72d3c284..60ad425f34 100644
--- a/vendor/golang.org/x/tools/go/ast/inspector/cursor.go
+++ b/vendor/golang.org/x/tools/go/ast/inspector/cursor.go
@@ -453,6 +453,9 @@ func (c Cursor) FindNode(n ast.Node) (Cursor, bool) {
 // rooted at c such that n.Pos() <= start && end <= n.End().
 // (For an *ast.File, it uses the bounds n.FileStart-n.FileEnd.)
 //
+// An empty range (start == end) between two adjacent nodes is
+// considered to belong to the first node.
+//
 // It returns zero if none is found.
 // Precondition: start <= end.
 //
@@ -467,7 +470,9 @@ func (c Cursor) FindByPos(start, end token.Pos) (Cursor, bool) {
 	// This algorithm could be implemented using c.Inspect,
 	// but it is about 2.5x slower.
 
-	best := int32(-1) // push index of latest (=innermost) node containing range
+	// best is the push-index of the latest (=innermost) node containing range.
+	// (Beware: latest is not always innermost because FuncDecl.{Name,Type} overlap.)
+	best := int32(-1)
 	for i, limit := c.indices(); i < limit; i++ {
 		ev := events[i]
 		if ev.index > i { // push?
@@ -481,15 +486,35 @@ func (c Cursor) FindByPos(start, end token.Pos) (Cursor, bool) {
 					continue
 				}
 			} else {
+				// Edge case: FuncDecl.Name and .Type overlap:
+				// Don't update best from Name to FuncDecl.Type.
+				//
+				// The condition can be read as:
+				// - n is FuncType
+				// - n.parent is FuncDecl
+				// - best is strictly beneath the FuncDecl
+				if ev.typ == 1< ev.parent {
+					continue
+				}
+
 				nodeEnd = n.End()
 				if n.Pos() > start {
 					break // disjoint, after; stop
 				}
 			}
+
 			// Inv: node.{Pos,FileStart} <= start
 			if end <= nodeEnd {
 				// node fully contains target range
 				best = i
+
+				// Don't search beyond end of the first match.
+				// This is important only for an empty range (start=end)
+				// between two adjoining nodes, which would otherwise
+				// match both nodes; we want to match only the first.
+				limit = ev.index
 			} else if nodeEnd < start {
 				i = ev.index // disjoint, before; skip forward
 			}
diff --git a/vendor/golang.org/x/tools/go/gcexportdata/gcexportdata.go b/vendor/golang.org/x/tools/go/gcexportdata/gcexportdata.go
new file mode 100644
index 0000000000..7b90bc9235
--- /dev/null
+++ b/vendor/golang.org/x/tools/go/gcexportdata/gcexportdata.go
@@ -0,0 +1,236 @@
+// Copyright 2016 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package gcexportdata provides functions for reading and writing
+// export data, which is a serialized description of the API of a Go
+// package including the names, kinds, types, and locations of all
+// exported declarations.
+//
+// The standard Go compiler (cmd/compile) writes an export data file
+// for each package it compiles, which it later reads when compiling
+// packages that import the earlier one. The compiler must thus
+// contain logic to both write and read export data.
+// (See the "Export" section in the cmd/compile/README file.)
+//
+// The [Read] function in this package can read files produced by the
+// compiler, producing [go/types] data structures. As a matter of
+// policy, Read supports export data files produced by only the last
+// two Go releases plus tip; see https://go.dev/issue/68898. The
+// export data files produced by the compiler contain additional
+// details related to generics, inlining, and other optimizations that
+// cannot be decoded by the [Read] function.
+//
+// In files written by the compiler, the export data is not at the
+// start of the file. Before calling Read, use [NewReader] to locate
+// the desired portion of the file.
+//
+// The [Write] function in this package encodes the exported API of a
+// Go package ([types.Package]) as a file. Such files can be later
+// decoded by Read, but cannot be consumed by the compiler.
+//
+// # Future changes
+//
+// Although Read supports the formats written by both Write and the
+// compiler, the two are quite different, and there is an open
+// proposal (https://go.dev/issue/69491) to separate these APIs.
+//
+// Under that proposal, this package would ultimately provide only the
+// Read operation for compiler export data, which must be defined in
+// this module (golang.org/x/tools), not in the standard library, to
+// avoid version skew for developer tools that need to read compiler
+// export data both before and after a Go release, such as from Go
+// 1.23 to Go 1.24. Because this package lives in the tools module,
+// clients can update their version of the module some time before the
+// Go 1.24 release and rebuild and redeploy their tools, which will
+// then be able to consume both Go 1.23 and Go 1.24 export data files,
+// so they will work before and after the Go update. (See discussion
+// at https://go.dev/issue/15651.)
+//
+// The operations to import and export [go/types] data structures
+// would be defined in the go/types package as Import and Export.
+// [Write] would (eventually) delegate to Export,
+// and [Read], when it detects a file produced by Export,
+// would delegate to Import.
+//
+// # Deprecations
+//
+// The [NewImporter] and [Find] functions are deprecated and should
+// not be used in new code. The [WriteBundle] and [ReadBundle]
+// functions are experimental, and there is an open proposal to
+// deprecate them (https://go.dev/issue/69573).
+package gcexportdata
+
+import (
+	"bufio"
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"go/token"
+	"go/types"
+	"io"
+	"os/exec"
+
+	"golang.org/x/tools/internal/gcimporter"
+)
+
+// Find returns the name of an object (.o) or archive (.a) file
+// containing type information for the specified import path,
+// using the go command.
+// If no file was found, an empty filename is returned.
+//
+// A relative srcDir is interpreted relative to the current working directory.
+//
+// Find also returns the package's resolved (canonical) import path,
+// reflecting the effects of srcDir and vendoring on importPath.
+//
+// Deprecated: Use the higher-level API in golang.org/x/tools/go/packages,
+// which is more efficient.
+func Find(importPath, srcDir string) (filename, path string) {
+	cmd := exec.Command("go", "list", "-json", "-export", "--", importPath)
+	cmd.Dir = srcDir
+	out, err := cmd.Output()
+	if err != nil {
+		return "", ""
+	}
+	var data struct {
+		ImportPath string
+		Export     string
+	}
+	json.Unmarshal(out, &data)
+	return data.Export, data.ImportPath
+}
+
+// NewReader returns a reader for the export data section of an object
+// (.o) or archive (.a) file read from r.  The new reader may provide
+// additional trailing data beyond the end of the export data.
+func NewReader(r io.Reader) (io.Reader, error) {
+	buf := bufio.NewReader(r)
+	size, err := gcimporter.FindExportData(buf)
+	if err != nil {
+		return nil, err
+	}
+
+	// We were given an archive and found the __.PKGDEF in it.
+	// This tells us the size of the export data, and we don't
+	// need to return the entire file.
+	return &io.LimitedReader{
+		R: buf,
+		N: size,
+	}, nil
+}
+
+// readAll works the same way as io.ReadAll, but avoids allocations and copies
+// by preallocating a byte slice of the necessary size if the size is known up
+// front. This is always possible when the input is an archive. In that case,
+// NewReader will return the known size using an io.LimitedReader.
+func readAll(r io.Reader) ([]byte, error) {
+	if lr, ok := r.(*io.LimitedReader); ok {
+		data := make([]byte, lr.N)
+		_, err := io.ReadFull(lr, data)
+		return data, err
+	}
+	return io.ReadAll(r)
+}
+
+// Read reads export data from in, decodes it, and returns type
+// information for the package.
+//
+// Read is capable of reading export data produced by [Write] at the
+// same source code version, or by the last two Go releases (plus tip)
+// of the standard Go compiler. Reading files from older compilers may
+// produce an error.
+//
+// The package path (effectively its linker symbol prefix) is
+// specified by path, since unlike the package name, this information
+// may not be recorded in the export data.
+//
+// File position information is added to fset.
+//
+// Read may inspect and add to the imports map to ensure that references
+// within the export data to other packages are consistent.  The caller
+// must ensure that imports[path] does not exist, or exists but is
+// incomplete (see types.Package.Complete), and Read inserts the
+// resulting package into this map entry.
+//
+// On return, the state of the reader is undefined.
+func Read(in io.Reader, fset *token.FileSet, imports map[string]*types.Package, path string) (*types.Package, error) {
+	data, err := readAll(in)
+	if err != nil {
+		return nil, fmt.Errorf("reading export data for %q: %v", path, err)
+	}
+
+	if bytes.HasPrefix(data, []byte("!")) {
+		return nil, fmt.Errorf("can't read export data for %q directly from an archive file (call gcexportdata.NewReader first to extract export data)", path)
+	}
+
+	// The indexed export format starts with an 'i'; the older
+	// binary export format starts with a 'c', 'd', or 'v'
+	// (from "version"). Select appropriate importer.
+	if len(data) > 0 {
+		switch data[0] {
+		case 'v', 'c', 'd':
+			// binary, produced by cmd/compile till go1.10
+			return nil, fmt.Errorf("binary (%c) import format is no longer supported", data[0])
+
+		case 'i':
+			// indexed, produced by cmd/compile till go1.19,
+			// and also by [Write].
+			//
+			// If proposal #69491 is accepted, go/types
+			// serialization will be implemented by
+			// types.Export, to which Write would eventually
+			// delegate (explicitly dropping any pretence at
+			// inter-version Write-Read compatibility).
+			// This [Read] function would delegate to types.Import
+			// when it detects that the file was produced by Export.
+			_, pkg, err := gcimporter.IImportData(fset, imports, data[1:], path)
+			return pkg, err
+
+		case 'u':
+			// unified, produced by cmd/compile since go1.20
+			_, pkg, err := gcimporter.UImportData(fset, imports, data[1:], path)
+			return pkg, err
+
+		default:
+			l := min(len(data), 10)
+			return nil, fmt.Errorf("unexpected export data with prefix %q for path %s", string(data[:l]), path)
+		}
+	}
+	return nil, fmt.Errorf("empty export data for %s", path)
+}
+
+// Write writes encoded type information for the specified package to out.
+// The FileSet provides file position information for named objects.
+func Write(out io.Writer, fset *token.FileSet, pkg *types.Package) error {
+	if _, err := io.WriteString(out, "i"); err != nil {
+		return err
+	}
+	return gcimporter.IExportData(out, fset, pkg)
+}
+
+// ReadBundle reads an export bundle from in, decodes it, and returns type
+// information for the packages.
+// File position information is added to fset.
+//
+// ReadBundle may inspect and add to the imports map to ensure that references
+// within the export bundle to other packages are consistent.
+//
+// On return, the state of the reader is undefined.
+//
+// Experimental: This API is experimental and may change in the future.
+func ReadBundle(in io.Reader, fset *token.FileSet, imports map[string]*types.Package) ([]*types.Package, error) {
+	data, err := readAll(in)
+	if err != nil {
+		return nil, fmt.Errorf("reading export bundle: %v", err)
+	}
+	return gcimporter.IImportBundle(fset, imports, data)
+}
+
+// WriteBundle writes encoded type information for the specified packages to out.
+// The FileSet provides file position information for named objects.
+//
+// Experimental: This API is experimental and may change in the future.
+func WriteBundle(out io.Writer, fset *token.FileSet, pkgs []*types.Package) error {
+	return gcimporter.IExportBundle(out, fset, pkgs)
+}
diff --git a/vendor/golang.org/x/tools/go/gcexportdata/importer.go b/vendor/golang.org/x/tools/go/gcexportdata/importer.go
new file mode 100644
index 0000000000..37a7247e26
--- /dev/null
+++ b/vendor/golang.org/x/tools/go/gcexportdata/importer.go
@@ -0,0 +1,75 @@
+// Copyright 2016 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package gcexportdata
+
+import (
+	"fmt"
+	"go/token"
+	"go/types"
+	"os"
+)
+
+// NewImporter returns a new instance of the types.Importer interface
+// that reads type information from export data files written by gc.
+// The Importer also satisfies types.ImporterFrom.
+//
+// Export data files are located using "go build" workspace conventions
+// and the build.Default context.
+//
+// Use this importer instead of go/importer.For("gc", ...) to avoid the
+// version-skew problems described in the documentation of this package,
+// or to control the FileSet or access the imports map populated during
+// package loading.
+//
+// Deprecated: Use the higher-level API in golang.org/x/tools/go/packages,
+// which is more efficient.
+func NewImporter(fset *token.FileSet, imports map[string]*types.Package) types.ImporterFrom {
+	return importer{fset, imports}
+}
+
+type importer struct {
+	fset    *token.FileSet
+	imports map[string]*types.Package
+}
+
+func (imp importer) Import(importPath string) (*types.Package, error) {
+	return imp.ImportFrom(importPath, "", 0)
+}
+
+func (imp importer) ImportFrom(importPath, srcDir string, mode types.ImportMode) (_ *types.Package, err error) {
+	filename, path := Find(importPath, srcDir)
+	if filename == "" {
+		if importPath == "unsafe" {
+			// Even for unsafe, call Find first in case
+			// the package was vendored.
+			return types.Unsafe, nil
+		}
+		return nil, fmt.Errorf("can't find import: %s", importPath)
+	}
+
+	if pkg, ok := imp.imports[path]; ok && pkg.Complete() {
+		return pkg, nil // cache hit
+	}
+
+	// open file
+	f, err := os.Open(filename)
+	if err != nil {
+		return nil, err
+	}
+	defer func() {
+		f.Close()
+		if err != nil {
+			// add file name to error
+			err = fmt.Errorf("reading export data: %s: %v", filename, err)
+		}
+	}()
+
+	r, err := NewReader(f)
+	if err != nil {
+		return nil, err
+	}
+
+	return Read(r, imp.fset, imp.imports, path)
+}
diff --git a/vendor/golang.org/x/tools/go/packages/doc.go b/vendor/golang.org/x/tools/go/packages/doc.go
new file mode 100644
index 0000000000..366aab6b2c
--- /dev/null
+++ b/vendor/golang.org/x/tools/go/packages/doc.go
@@ -0,0 +1,253 @@
+// Copyright 2018 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+/*
+Package packages loads Go packages for inspection and analysis.
+
+The [Load] function takes as input a list of patterns and returns a
+list of [Package] values describing individual packages matched by those
+patterns.
+A [Config] specifies configuration options, the most important of which is
+the [LoadMode], which controls the amount of detail in the loaded packages.
+
+Load passes most patterns directly to the underlying build tool.
+The default build tool is the go command.
+Its supported patterns are described at
+https://pkg.go.dev/cmd/go#hdr-Package_lists_and_patterns.
+Other build systems may be supported by providing a "driver";
+see [The driver protocol].
+
+All patterns with the prefix "query=", where query is a
+non-empty string of letters from [a-z], are reserved and may be
+interpreted as query operators.
+
+Two query operators are currently supported: "file" and "pattern".
+
+The query "file=path/to/file.go" matches the package or packages enclosing
+the Go source file path/to/file.go.  For example "file=~/go/src/fmt/print.go"
+might return the packages "fmt" and "fmt [fmt.test]".
+
+The query "pattern=string" causes "string" to be passed directly to
+the underlying build tool. In most cases this is unnecessary,
+but an application can use Load("pattern=" + x) as an escaping mechanism
+to ensure that x is not interpreted as a query operator if it contains '='.
+
+All other query operators are reserved for future use and currently
+cause Load to report an error.
+
+The Package struct provides basic information about the package, including
+
+  - ID, a unique identifier for the package in the returned set;
+  - GoFiles, the names of the package's Go source files;
+  - Imports, a map from source import strings to the Packages they name;
+  - Types, the type information for the package's exported symbols;
+  - Syntax, the parsed syntax trees for the package's source code; and
+  - TypesInfo, the result of a complete type-check of the package syntax trees.
+
+(See the documentation for type Package for the complete list of fields
+and more detailed descriptions.)
+
+For example,
+
+	Load(nil, "bytes", "unicode...")
+
+returns four Package structs describing the standard library packages
+bytes, unicode, unicode/utf16, and unicode/utf8. Note that one pattern
+can match multiple packages and that a package might be matched by
+multiple patterns: in general it is not possible to determine which
+packages correspond to which patterns.
+
+Note that the list returned by Load contains only the packages matched
+by the patterns. Their dependencies can be found by walking the import
+graph using the Imports fields.
+
+The Load function can be configured by passing a pointer to a Config as
+the first argument. A nil Config is equivalent to the zero Config, which
+causes Load to run in [LoadFiles] mode, collecting minimal information.
+See the documentation for type Config for details.
+
+As noted earlier, the Config.Mode controls the amount of detail
+reported about the loaded packages. See the documentation for type LoadMode
+for details.
+
+Most tools should pass their command-line arguments (after any flags)
+uninterpreted to Load, so that it can interpret them
+according to the conventions of the underlying build system.
+
+See the Example function for typical usage.
+See also [golang.org/x/tools/go/packages/internal/linecount]
+for an example application.
+
+# The driver protocol
+
+Load may be used to load Go packages even in Go projects that use
+alternative build systems, by installing an appropriate "driver"
+program for the build system and specifying its location in the
+GOPACKAGESDRIVER environment variable.
+For example,
+https://github.com/bazelbuild/rules_go/wiki/Editor-and-tool-integration
+explains how to use the driver for Bazel.
+
+The driver program is responsible for interpreting patterns in its
+preferred notation and reporting information about the packages that
+those patterns identify. Drivers must also support the special "file="
+and "pattern=" patterns described above.
+
+The patterns are provided as positional command-line arguments. A
+JSON-encoded [DriverRequest] message providing additional information
+is written to the driver's standard input. The driver must write a
+JSON-encoded [DriverResponse] message to its standard output. (This
+message differs from the JSON schema produced by 'go list'.)
+
+The value of the PWD environment variable seen by the driver process
+is the preferred name of its working directory. (The working directory
+may have other aliases due to symbolic links; see the comment on the
+Dir field of [exec.Cmd] for related information.)
+When the driver process emits in its response the name of a file
+that is a descendant of this directory, it must use an absolute path
+that has the value of PWD as a prefix, to ensure that the returned
+filenames satisfy the original query.
+*/
+package packages // import "golang.org/x/tools/go/packages"
+
+/*
+
+Motivation and design considerations
+
+The new package's design solves problems addressed by two existing
+packages: go/build, which locates and describes packages, and
+golang.org/x/tools/go/loader, which loads, parses and type-checks them.
+The go/build.Package structure encodes too much of the 'go build' way
+of organizing projects, leaving us in need of a data type that describes a
+package of Go source code independent of the underlying build system.
+We wanted something that works equally well with go build and vgo, and
+also other build systems such as Bazel and Blaze, making it possible to
+construct analysis tools that work in all these environments.
+Tools such as errcheck and staticcheck were essentially unavailable to
+the Go community at Google, and some of Google's internal tools for Go
+are unavailable externally.
+This new package provides a uniform way to obtain package metadata by
+querying each of these build systems, optionally supporting their
+preferred command-line notations for packages, so that tools integrate
+neatly with users' build environments. The Metadata query function
+executes an external query tool appropriate to the current workspace.
+
+Loading packages always returns the complete import graph "all the way down",
+even if all you want is information about a single package, because the query
+mechanisms of all the build systems we currently support ({go,vgo} list, and
+blaze/bazel aspect-based query) cannot provide detailed information
+about one package without visiting all its dependencies too, so there is
+no additional asymptotic cost to providing transitive information.
+(This property might not be true of a hypothetical 5th build system.)
+
+In calls to TypeCheck, all initial packages, and any package that
+transitively depends on one of them, must be loaded from source.
+Consider A->B->C->D->E: if A,C are initial, A,B,C must be loaded from
+source; D may be loaded from export data, and E may not be loaded at all
+(though it's possible that D's export data mentions it, so a
+types.Package may be created for it and exposed.)
+
+The old loader had a feature to suppress type-checking of function
+bodies on a per-package basis, primarily intended to reduce the work of
+obtaining type information for imported packages. Now that imports are
+satisfied by export data, the optimization no longer seems necessary.
+
+Despite some early attempts, the old loader did not exploit export data,
+instead always using the equivalent of WholeProgram mode. This was due
+to the complexity of mixing source and export data packages (now
+resolved by the upward traversal mentioned above), and because export data
+files were nearly always missing or stale. Now that 'go build' supports
+caching, all the underlying build systems can guarantee to produce
+export data in a reasonable (amortized) time.
+
+Test "main" packages synthesized by the build system are now reported as
+first-class packages, avoiding the need for clients (such as go/ssa) to
+reinvent this generation logic.
+
+One way in which go/packages is simpler than the old loader is in its
+treatment of in-package tests. In-package tests are packages that
+consist of all the files of the library under test, plus the test files.
+The old loader constructed in-package tests by a two-phase process of
+mutation called "augmentation": first it would construct and type check
+all the ordinary library packages and type-check the packages that
+depend on them; then it would add more (test) files to the package and
+type-check again. This two-phase approach had four major problems:
+1) in processing the tests, the loader modified the library package,
+   leaving no way for a client application to see both the test
+   package and the library package; one would mutate into the other.
+2) because test files can declare additional methods on types defined in
+   the library portion of the package, the dispatch of method calls in
+   the library portion was affected by the presence of the test files.
+   This should have been a clue that the packages were logically
+   different.
+3) this model of "augmentation" assumed at most one in-package test
+   per library package, which is true of projects using 'go build',
+   but not other build systems.
+4) because of the two-phase nature of test processing, all packages that
+   import the library package had to be processed before augmentation,
+   forcing a "one-shot" API and preventing the client from calling Load
+   in several times in sequence as is now possible in WholeProgram mode.
+   (TypeCheck mode has a similar one-shot restriction for a different reason.)
+
+Early drafts of this package supported "multi-shot" operation.
+Although it allowed clients to make a sequence of calls (or concurrent
+calls) to Load, building up the graph of Packages incrementally,
+it was of marginal value: it complicated the API
+(since it allowed some options to vary across calls but not others),
+it complicated the implementation,
+it cannot be made to work in Types mode, as explained above,
+and it was less efficient than making one combined call (when this is possible).
+Among the clients we have inspected, none made multiple calls to load
+but could not be easily and satisfactorily modified to make only a single call.
+However, applications changes may be required.
+For example, the ssadump command loads the user-specified packages
+and in addition the runtime package.  It is tempting to simply append
+"runtime" to the user-provided list, but that does not work if the user
+specified an ad-hoc package such as [a.go b.go].
+Instead, ssadump no longer requests the runtime package,
+but seeks it among the dependencies of the user-specified packages,
+and emits an error if it is not found.
+
+Questions & Tasks
+
+- Add GOARCH/GOOS?
+  They are not portable concepts, but could be made portable.
+  Our goal has been to allow users to express themselves using the conventions
+  of the underlying build system: if the build system honors GOARCH
+  during a build and during a metadata query, then so should
+  applications built atop that query mechanism.
+  Conversely, if the target architecture of the build is determined by
+  command-line flags, the application can pass the relevant
+  flags through to the build system using a command such as:
+    myapp -query_flag="--cpu=amd64" -query_flag="--os=darwin"
+  However, this approach is low-level, unwieldy, and non-portable.
+  GOOS and GOARCH seem important enough to warrant a dedicated option.
+
+- How should we handle partial failures such as a mixture of good and
+  malformed patterns, existing and non-existent packages, successful and
+  failed builds, import failures, import cycles, and so on, in a call to
+  Load?
+
+- Support bazel, blaze, and go1.10 list, not just go1.11 list.
+
+- Handle (and test) various partial success cases, e.g.
+  a mixture of good packages and:
+  invalid patterns
+  nonexistent packages
+  empty packages
+  packages with malformed package or import declarations
+  unreadable files
+  import cycles
+  other parse errors
+  type errors
+  Make sure we record errors at the correct place in the graph.
+
+- Missing packages among initial arguments are not reported.
+  Return bogus packages for them, like golist does.
+
+- "undeclared name" errors (for example) are reported out of source file
+  order. I suspect this is due to the breadth-first resolution now used
+  by go/types. Is that a bug? Discuss with gri.
+
+*/
diff --git a/vendor/golang.org/x/tools/go/packages/external.go b/vendor/golang.org/x/tools/go/packages/external.go
new file mode 100644
index 0000000000..f37bc65100
--- /dev/null
+++ b/vendor/golang.org/x/tools/go/packages/external.go
@@ -0,0 +1,153 @@
+// Copyright 2018 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package packages
+
+// This file defines the protocol that enables an external "driver"
+// tool to supply package metadata in place of 'go list'.
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"os"
+	"os/exec"
+	"slices"
+	"strings"
+)
+
+// DriverRequest defines the schema of a request for package metadata
+// from an external driver program. The JSON-encoded DriverRequest
+// message is provided to the driver program's standard input. The
+// query patterns are provided as command-line arguments.
+//
+// See the package documentation for an overview.
+type DriverRequest struct {
+	Mode LoadMode `json:"mode"`
+
+	// Env specifies the environment the underlying build system should be run in.
+	Env []string `json:"env"`
+
+	// BuildFlags are flags that should be passed to the underlying build system.
+	BuildFlags []string `json:"build_flags"`
+
+	// Tests specifies whether the patterns should also return test packages.
+	Tests bool `json:"tests"`
+
+	// Overlay maps file paths (relative to the driver's working directory)
+	// to the contents of overlay files (see Config.Overlay).
+	Overlay map[string][]byte `json:"overlay"`
+}
+
+// DriverResponse defines the schema of a response from an external
+// driver program, providing the results of a query for package
+// metadata. The driver program must write a JSON-encoded
+// DriverResponse message to its standard output.
+//
+// See the package documentation for an overview.
+type DriverResponse struct {
+	// NotHandled is returned if the request can't be handled by the current
+	// driver. If an external driver returns a response with NotHandled, the
+	// rest of the DriverResponse is ignored, and go/packages will fallback
+	// to the next driver. If go/packages is extended in the future to support
+	// lists of multiple drivers, go/packages will fall back to the next driver.
+	NotHandled bool
+
+	// Compiler and Arch are the arguments pass of types.SizesFor
+	// to get a types.Sizes to use when type checking.
+	Compiler string
+	Arch     string
+
+	// Roots is the set of package IDs that make up the root packages.
+	// We have to encode this separately because when we encode a single package
+	// we cannot know if it is one of the roots as that requires knowledge of the
+	// graph it is part of.
+	Roots []string `json:",omitempty"`
+
+	// Packages is the full set of packages in the graph.
+	// The packages are not connected into a graph.
+	// The Imports if populated will be stubs that only have their ID set.
+	// Imports will be connected and then type and syntax information added in a
+	// later pass (see refine).
+	Packages []*Package
+
+	// GoVersion is the minor version number used by the driver
+	// (e.g. the go command on the PATH) when selecting .go files.
+	// Zero means unknown.
+	GoVersion int
+}
+
+// driver is the type for functions that query the build system for the
+// packages named by the patterns.
+type driver func(cfg *Config, patterns []string) (*DriverResponse, error)
+
+// findExternalDriver returns the file path of a tool that supplies
+// the build system package structure, or "" if not found.
+// If GOPACKAGESDRIVER is set in the environment findExternalTool returns its
+// value, otherwise it searches for a binary named gopackagesdriver on the PATH.
+func findExternalDriver(cfg *Config) driver {
+	const toolPrefix = "GOPACKAGESDRIVER="
+	tool := ""
+	for _, env := range cfg.Env {
+		if val, ok := strings.CutPrefix(env, toolPrefix); ok {
+			tool = val
+		}
+	}
+	if tool != "" && tool == "off" {
+		return nil
+	}
+	if tool == "" {
+		var err error
+		tool, err = exec.LookPath("gopackagesdriver")
+		if err != nil {
+			return nil
+		}
+	}
+	return func(cfg *Config, patterns []string) (*DriverResponse, error) {
+		req, err := json.Marshal(DriverRequest{
+			Mode:       cfg.Mode,
+			Env:        cfg.Env,
+			BuildFlags: cfg.BuildFlags,
+			Tests:      cfg.Tests,
+			Overlay:    cfg.Overlay,
+		})
+		if err != nil {
+			return nil, fmt.Errorf("failed to encode message to driver tool: %v", err)
+		}
+
+		buf := new(bytes.Buffer)
+		stderr := new(bytes.Buffer)
+		cmd := exec.CommandContext(cfg.Context, tool, patterns...)
+		cmd.Dir = cfg.Dir
+		// The cwd gets resolved to the real path. On Darwin, where
+		// /tmp is a symlink, this breaks anything that expects the
+		// working directory to keep the original path, including the
+		// go command when dealing with modules.
+		//
+		// os.Getwd stdlib has a special feature where if the
+		// cwd and the PWD are the same node then it trusts
+		// the PWD, so by setting it in the env for the child
+		// process we fix up all the paths returned by the go
+		// command.
+		//
+		// (See similar trick in Invocation.run in ../../internal/gocommand/invoke.go)
+		cmd.Env = append(slices.Clip(cfg.Env), "PWD="+cfg.Dir)
+		cmd.Stdin = bytes.NewReader(req)
+		cmd.Stdout = buf
+		cmd.Stderr = stderr
+
+		if err := cmd.Run(); err != nil {
+			return nil, fmt.Errorf("%v: %v: %s", tool, err, cmd.Stderr)
+		}
+		if len(stderr.Bytes()) != 0 && os.Getenv("GOPACKAGESPRINTDRIVERERRORS") != "" {
+			fmt.Fprintf(os.Stderr, "%s stderr: <<%s>>\n", cmdDebugStr(cmd), stderr)
+		}
+
+		var response DriverResponse
+		if err := json.Unmarshal(buf.Bytes(), &response); err != nil {
+			return nil, err
+		}
+		return &response, nil
+	}
+}
diff --git a/vendor/golang.org/x/tools/go/packages/golist.go b/vendor/golang.org/x/tools/go/packages/golist.go
new file mode 100644
index 0000000000..680a70ca8f
--- /dev/null
+++ b/vendor/golang.org/x/tools/go/packages/golist.go
@@ -0,0 +1,1086 @@
+// Copyright 2018 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package packages
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"log"
+	"os"
+	"os/exec"
+	"path"
+	"path/filepath"
+	"reflect"
+	"sort"
+	"strconv"
+	"strings"
+	"sync"
+	"unicode"
+
+	"golang.org/x/tools/internal/gocommand"
+	"golang.org/x/tools/internal/packagesinternal"
+)
+
+// debug controls verbose logging.
+var debug, _ = strconv.ParseBool(os.Getenv("GOPACKAGESDEBUG"))
+
+// A goTooOldError reports that the go command
+// found by exec.LookPath is too old to use the new go list behavior.
+type goTooOldError struct {
+	error
+}
+
+// responseDeduper wraps a DriverResponse, deduplicating its contents.
+type responseDeduper struct {
+	seenRoots    map[string]bool
+	seenPackages map[string]*Package
+	dr           *DriverResponse
+}
+
+func newDeduper() *responseDeduper {
+	return &responseDeduper{
+		dr:           &DriverResponse{},
+		seenRoots:    map[string]bool{},
+		seenPackages: map[string]*Package{},
+	}
+}
+
+// addAll fills in r with a DriverResponse.
+func (r *responseDeduper) addAll(dr *DriverResponse) {
+	for _, pkg := range dr.Packages {
+		r.addPackage(pkg)
+	}
+	for _, root := range dr.Roots {
+		r.addRoot(root)
+	}
+	r.dr.GoVersion = dr.GoVersion
+}
+
+func (r *responseDeduper) addPackage(p *Package) {
+	if r.seenPackages[p.ID] != nil {
+		return
+	}
+	r.seenPackages[p.ID] = p
+	r.dr.Packages = append(r.dr.Packages, p)
+}
+
+func (r *responseDeduper) addRoot(id string) {
+	if r.seenRoots[id] {
+		return
+	}
+	r.seenRoots[id] = true
+	r.dr.Roots = append(r.dr.Roots, id)
+}
+
+type golistState struct {
+	cfg *Config
+	ctx context.Context
+
+	runner *gocommand.Runner
+
+	// overlay is the JSON file that encodes the Config.Overlay
+	// mapping, used by 'go list -overlay=...'.
+	overlay string
+
+	envOnce    sync.Once
+	goEnvError error
+	goEnv      map[string]string
+
+	rootsOnce     sync.Once
+	rootDirsError error
+	rootDirs      map[string]string
+
+	goVersionOnce  sync.Once
+	goVersionError error
+	goVersion      int // The X in Go 1.X.
+
+	// vendorDirs caches the (non)existence of vendor directories.
+	vendorDirs map[string]bool
+}
+
+// getEnv returns Go environment variables. Only specific variables are
+// populated -- computing all of them is slow.
+func (state *golistState) getEnv() (map[string]string, error) {
+	state.envOnce.Do(func() {
+		var b *bytes.Buffer
+		b, state.goEnvError = state.invokeGo("env", "-json", "GOMOD", "GOPATH")
+		if state.goEnvError != nil {
+			return
+		}
+
+		state.goEnv = make(map[string]string)
+		decoder := json.NewDecoder(b)
+		if state.goEnvError = decoder.Decode(&state.goEnv); state.goEnvError != nil {
+			return
+		}
+	})
+	return state.goEnv, state.goEnvError
+}
+
+// mustGetEnv is a convenience function that can be used if getEnv has already succeeded.
+func (state *golistState) mustGetEnv() map[string]string {
+	env, err := state.getEnv()
+	if err != nil {
+		panic(fmt.Sprintf("mustGetEnv: %v", err))
+	}
+	return env
+}
+
+// goListDriver uses the go list command to interpret the patterns and produce
+// the build system package structure.
+// See driver for more details.
+//
+// overlay is the JSON file that encodes the cfg.Overlay
+// mapping, used by 'go list -overlay=...'
+func goListDriver(cfg *Config, runner *gocommand.Runner, overlay string, patterns []string) (_ *DriverResponse, err error) {
+	// Make sure that any asynchronous go commands are killed when we return.
+	parentCtx := cfg.Context
+	if parentCtx == nil {
+		parentCtx = context.Background()
+	}
+	ctx, cancel := context.WithCancel(parentCtx)
+	defer cancel()
+
+	response := newDeduper()
+
+	state := &golistState{
+		cfg:        cfg,
+		ctx:        ctx,
+		vendorDirs: map[string]bool{},
+		overlay:    overlay,
+		runner:     runner,
+	}
+
+	// Fill in response.Sizes asynchronously if necessary.
+	if cfg.Mode&NeedTypesSizes != 0 || cfg.Mode&(NeedTypes|NeedTypesInfo) != 0 {
+		errCh := make(chan error)
+		go func() {
+			compiler, arch, err := getSizesForArgs(ctx, state.cfgInvocation(), runner)
+			response.dr.Compiler = compiler
+			response.dr.Arch = arch
+			errCh <- err
+		}()
+		defer func() {
+			if sizesErr := <-errCh; sizesErr != nil {
+				err = sizesErr
+			}
+		}()
+	}
+
+	// Determine files requested in contains patterns
+	var containFiles []string
+	restPatterns := make([]string, 0, len(patterns))
+	// Extract file= and other [querytype]= patterns. Report an error if querytype
+	// doesn't exist.
+extractQueries:
+	for _, pattern := range patterns {
+		eqidx := strings.Index(pattern, "=")
+		if eqidx < 0 {
+			restPatterns = append(restPatterns, pattern)
+		} else {
+			query, value := pattern[:eqidx], pattern[eqidx+len("="):]
+			switch query {
+			case "file":
+				containFiles = append(containFiles, value)
+			case "pattern":
+				restPatterns = append(restPatterns, value)
+			case "": // not a reserved query
+				restPatterns = append(restPatterns, pattern)
+			default:
+				for _, rune := range query {
+					if rune < 'a' || rune > 'z' { // not a reserved query
+						restPatterns = append(restPatterns, pattern)
+						continue extractQueries
+					}
+				}
+				// Reject all other patterns containing "="
+				return nil, fmt.Errorf("invalid query type %q in query pattern %q", query, pattern)
+			}
+		}
+	}
+
+	// See if we have any patterns to pass through to go list. Zero initial
+	// patterns also requires a go list call, since it's the equivalent of
+	// ".".
+	if len(restPatterns) > 0 || len(patterns) == 0 {
+		dr, err := state.createDriverResponse(restPatterns...)
+		if err != nil {
+			return nil, err
+		}
+		response.addAll(dr)
+	}
+
+	if len(containFiles) != 0 {
+		if err := state.runContainsQueries(response, containFiles); err != nil {
+			return nil, err
+		}
+	}
+
+	// (We may yet return an error due to defer.)
+	return response.dr, nil
+}
+
+// abs returns an absolute representation of path, based on cfg.Dir.
+func (cfg *Config) abs(path string) (string, error) {
+	if filepath.IsAbs(path) {
+		return path, nil
+	}
+	// In case cfg.Dir is relative, pass it to filepath.Abs.
+	return filepath.Abs(filepath.Join(cfg.Dir, path))
+}
+
+func (state *golistState) runContainsQueries(response *responseDeduper, queries []string) error {
+	for _, query := range queries {
+		// TODO(matloob): Do only one query per directory.
+		fdir := filepath.Dir(query)
+		// Pass absolute path of directory to go list so that it knows to treat it as a directory,
+		// not a package path.
+		pattern, err := state.cfg.abs(fdir)
+		if err != nil {
+			return fmt.Errorf("could not determine absolute path of file= query path %q: %v", query, err)
+		}
+		dirResponse, err := state.createDriverResponse(pattern)
+
+		// If there was an error loading the package, or no packages are returned,
+		// or the package is returned with errors, try to load the file as an
+		// ad-hoc package.
+		// Usually the error will appear in a returned package, but may not if we're
+		// in module mode and the ad-hoc is located outside a module.
+		if err != nil || len(dirResponse.Packages) == 0 || len(dirResponse.Packages) == 1 && len(dirResponse.Packages[0].GoFiles) == 0 &&
+			len(dirResponse.Packages[0].Errors) == 1 {
+			var queryErr error
+			if dirResponse, queryErr = state.adhocPackage(pattern, query); queryErr != nil {
+				return err // return the original error
+			}
+		}
+		isRoot := make(map[string]bool, len(dirResponse.Roots))
+		for _, root := range dirResponse.Roots {
+			isRoot[root] = true
+		}
+		for _, pkg := range dirResponse.Packages {
+			// Add any new packages to the main set
+			// We don't bother to filter packages that will be dropped by the changes of roots,
+			// that will happen anyway during graph construction outside this function.
+			// Over-reporting packages is not a problem.
+			response.addPackage(pkg)
+			// if the package was not a root one, it cannot have the file
+			if !isRoot[pkg.ID] {
+				continue
+			}
+			for _, pkgFile := range pkg.GoFiles {
+				if filepath.Base(query) == filepath.Base(pkgFile) {
+					response.addRoot(pkg.ID)
+					break
+				}
+			}
+		}
+	}
+	return nil
+}
+
+// adhocPackage attempts to load or construct an ad-hoc package for a given
+// query, if the original call to the driver produced inadequate results.
+func (state *golistState) adhocPackage(pattern, query string) (*DriverResponse, error) {
+	response, err := state.createDriverResponse(query)
+	if err != nil {
+		return nil, err
+	}
+	// If we get nothing back from `go list`,
+	// try to make this file into its own ad-hoc package.
+	// TODO(rstambler): Should this check against the original response?
+	if len(response.Packages) == 0 {
+		response.Packages = append(response.Packages, &Package{
+			ID:              "command-line-arguments",
+			PkgPath:         query,
+			GoFiles:         []string{query},
+			CompiledGoFiles: []string{query},
+			Imports:         make(map[string]*Package),
+		})
+		response.Roots = append(response.Roots, "command-line-arguments")
+	}
+	// Handle special cases.
+	if len(response.Packages) == 1 {
+		// golang/go#33482: If this is a file= query for ad-hoc packages where
+		// the file only exists on an overlay, and exists outside of a module,
+		// add the file to the package and remove the errors.
+		if response.Packages[0].ID == "command-line-arguments" ||
+			filepath.ToSlash(response.Packages[0].PkgPath) == filepath.ToSlash(query) {
+			if len(response.Packages[0].GoFiles) == 0 {
+				filename := filepath.Join(pattern, filepath.Base(query)) // avoid recomputing abspath
+				// TODO(matloob): check if the file is outside of a root dir?
+				for path := range state.cfg.Overlay {
+					if path == filename {
+						response.Packages[0].Errors = nil
+						response.Packages[0].GoFiles = []string{path}
+						response.Packages[0].CompiledGoFiles = []string{path}
+					}
+				}
+			}
+		}
+	}
+	return response, nil
+}
+
+// Fields must match go list;
+// see $GOROOT/src/cmd/go/internal/load/pkg.go.
+type jsonPackage struct {
+	ImportPath        string
+	Dir               string
+	Name              string
+	Target            string
+	Export            string
+	GoFiles           []string
+	CompiledGoFiles   []string
+	IgnoredGoFiles    []string
+	IgnoredOtherFiles []string
+	EmbedPatterns     []string
+	EmbedFiles        []string
+	CFiles            []string
+	CgoFiles          []string
+	CXXFiles          []string
+	MFiles            []string
+	HFiles            []string
+	FFiles            []string
+	SFiles            []string
+	SwigFiles         []string
+	SwigCXXFiles      []string
+	SysoFiles         []string
+	Imports           []string
+	ImportMap         map[string]string
+	Deps              []string
+	Module            *Module
+	TestGoFiles       []string
+	TestImports       []string
+	XTestGoFiles      []string
+	XTestImports      []string
+	ForTest           string // q in a "p [q.test]" package, else ""
+	DepOnly           bool
+
+	Error      *packagesinternal.PackageError
+	DepsErrors []*packagesinternal.PackageError
+}
+
+func otherFiles(p *jsonPackage) [][]string {
+	return [][]string{p.CFiles, p.CXXFiles, p.MFiles, p.HFiles, p.FFiles, p.SFiles, p.SwigFiles, p.SwigCXXFiles, p.SysoFiles}
+}
+
+// createDriverResponse uses the "go list" command to expand the pattern
+// words and return a response for the specified packages.
+func (state *golistState) createDriverResponse(words ...string) (*DriverResponse, error) {
+	// go list uses the following identifiers in ImportPath and Imports:
+	//
+	// 	"p"			-- importable package or main (command)
+	// 	"q.test"		-- q's test executable
+	// 	"p [q.test]"		-- variant of p as built for q's test executable
+	// 	"q_test [q.test]"	-- q's external test package
+	//
+	// The packages p that are built differently for a test q.test
+	// are q itself, plus any helpers used by the external test q_test,
+	// typically including "testing" and all its dependencies.
+
+	// Run "go list" for complete
+	// information on the specified packages.
+	goVersion, err := state.getGoVersion()
+	if err != nil {
+		return nil, err
+	}
+	buf, err := state.invokeGo("list", golistargs(state.cfg, words, goVersion)...)
+	if err != nil {
+		return nil, err
+	}
+
+	seen := make(map[string]*jsonPackage)
+	pkgs := make(map[string]*Package)
+	additionalErrors := make(map[string][]Error)
+	// Decode the JSON and convert it to Package form.
+	response := &DriverResponse{
+		GoVersion: goVersion,
+	}
+	for dec := json.NewDecoder(buf); dec.More(); {
+		p := new(jsonPackage)
+		if err := dec.Decode(p); err != nil {
+			return nil, fmt.Errorf("JSON decoding failed: %v", err)
+		}
+
+		if p.ImportPath == "" {
+			// The documentation for go list says that “[e]rroneous packages will have
+			// a non-empty ImportPath”. If for some reason it comes back empty, we
+			// prefer to error out rather than silently discarding data or handing
+			// back a package without any way to refer to it.
+			if p.Error != nil {
+				return nil, Error{
+					Pos: p.Error.Pos,
+					Msg: p.Error.Err,
+				}
+			}
+			return nil, fmt.Errorf("package missing import path: %+v", p)
+		}
+
+		// Work around https://golang.org/issue/33157:
+		// go list -e, when given an absolute path, will find the package contained at
+		// that directory. But when no package exists there, it will return a fake package
+		// with an error and the ImportPath set to the absolute path provided to go list.
+		// Try to convert that absolute path to what its package path would be if it's
+		// contained in a known module or GOPATH entry. This will allow the package to be
+		// properly "reclaimed" when overlays are processed.
+		if filepath.IsAbs(p.ImportPath) && p.Error != nil {
+			pkgPath, ok, err := state.getPkgPath(p.ImportPath)
+			if err != nil {
+				return nil, err
+			}
+			if ok {
+				p.ImportPath = pkgPath
+			}
+		}
+
+		if old, found := seen[p.ImportPath]; found {
+			// If one version of the package has an error, and the other doesn't, assume
+			// that this is a case where go list is reporting a fake dependency variant
+			// of the imported package: When a package tries to invalidly import another
+			// package, go list emits a variant of the imported package (with the same
+			// import path, but with an error on it, and the package will have a
+			// DepError set on it). An example of when this can happen is for imports of
+			// main packages: main packages can not be imported, but they may be
+			// separately matched and listed by another pattern.
+			// See golang.org/issue/36188 for more details.
+
+			// The plan is that eventually, hopefully in Go 1.15, the error will be
+			// reported on the importing package rather than the duplicate "fake"
+			// version of the imported package. Once all supported versions of Go
+			// have the new behavior this logic can be deleted.
+			// TODO(matloob): delete the workaround logic once all supported versions of
+			// Go return the errors on the proper package.
+
+			// There should be exactly one version of a package that doesn't have an
+			// error.
+			if old.Error == nil && p.Error == nil {
+				if !reflect.DeepEqual(p, old) {
+					return nil, fmt.Errorf("internal error: go list gives conflicting information for package %v", p.ImportPath)
+				}
+				continue
+			}
+
+			// Determine if this package's error needs to be bubbled up.
+			// This is a hack, and we expect for go list to eventually set the error
+			// on the package.
+			if old.Error != nil {
+				var errkind string
+				if strings.Contains(old.Error.Err, "not an importable package") {
+					errkind = "not an importable package"
+				} else if strings.Contains(old.Error.Err, "use of internal package") && strings.Contains(old.Error.Err, "not allowed") {
+					errkind = "use of internal package not allowed"
+				}
+				if errkind != "" {
+					if len(old.Error.ImportStack) < 1 {
+						return nil, fmt.Errorf(`internal error: go list gave a %q error with empty import stack`, errkind)
+					}
+					importingPkg := old.Error.ImportStack[len(old.Error.ImportStack)-1]
+					if importingPkg == old.ImportPath {
+						// Using an older version of Go which put this package itself on top of import
+						// stack, instead of the importer. Look for importer in second from top
+						// position.
+						if len(old.Error.ImportStack) < 2 {
+							return nil, fmt.Errorf(`internal error: go list gave a %q error with an import stack without importing package`, errkind)
+						}
+						importingPkg = old.Error.ImportStack[len(old.Error.ImportStack)-2]
+					}
+					additionalErrors[importingPkg] = append(additionalErrors[importingPkg], Error{
+						Pos:  old.Error.Pos,
+						Msg:  old.Error.Err,
+						Kind: ListError,
+					})
+				}
+			}
+
+			// Make sure that if there's a version of the package without an error,
+			// that's the one reported to the user.
+			if old.Error == nil {
+				continue
+			}
+
+			// This package will replace the old one at the end of the loop.
+		}
+		seen[p.ImportPath] = p
+
+		pkg := &Package{
+			Name:            p.Name,
+			ID:              p.ImportPath,
+			Dir:             p.Dir,
+			Target:          p.Target,
+			GoFiles:         absJoin(p.Dir, p.GoFiles, p.CgoFiles),
+			CompiledGoFiles: absJoin(p.Dir, p.CompiledGoFiles),
+			OtherFiles:      absJoin(p.Dir, otherFiles(p)...),
+			EmbedFiles:      absJoin(p.Dir, p.EmbedFiles),
+			EmbedPatterns:   absJoin(p.Dir, p.EmbedPatterns),
+			IgnoredFiles:    absJoin(p.Dir, p.IgnoredGoFiles, p.IgnoredOtherFiles),
+			ForTest:         p.ForTest,
+			depsErrors:      p.DepsErrors,
+			Module:          p.Module,
+		}
+
+		if (state.cfg.Mode&typecheckCgo) != 0 && len(p.CgoFiles) != 0 {
+			if len(p.CompiledGoFiles) > len(p.GoFiles) {
+				// We need the cgo definitions, which are in the first
+				// CompiledGoFile after the non-cgo ones. This is a hack but there
+				// isn't currently a better way to find it. We also need the pure
+				// Go files and unprocessed cgo files, all of which are already
+				// in pkg.GoFiles.
+				cgoTypes := p.CompiledGoFiles[len(p.GoFiles)]
+				pkg.CompiledGoFiles = append([]string{cgoTypes}, pkg.GoFiles...)
+			} else {
+				// golang/go#38990: go list silently fails to do cgo processing
+				pkg.CompiledGoFiles = nil
+				pkg.Errors = append(pkg.Errors, Error{
+					Msg:  "go list failed to return CompiledGoFiles. This may indicate failure to perform cgo processing; try building at the command line. See https://golang.org/issue/38990.",
+					Kind: ListError,
+				})
+			}
+		}
+
+		// Work around https://golang.org/issue/28749:
+		// cmd/go puts assembly, C, and C++ files in CompiledGoFiles.
+		// Remove files from CompiledGoFiles that are non-go files
+		// (or are not files that look like they are from the cache).
+		if len(pkg.CompiledGoFiles) > 0 {
+			out := pkg.CompiledGoFiles[:0]
+			for _, f := range pkg.CompiledGoFiles {
+				if ext := filepath.Ext(f); ext != ".go" && ext != "" { // ext == "" means the file is from the cache, so probably cgo-processed file
+					continue
+				}
+				out = append(out, f)
+			}
+			pkg.CompiledGoFiles = out
+		}
+
+		// Extract the PkgPath from the package's ID.
+		if i := strings.IndexByte(pkg.ID, ' '); i >= 0 {
+			pkg.PkgPath = pkg.ID[:i]
+		} else {
+			pkg.PkgPath = pkg.ID
+		}
+
+		if pkg.PkgPath == "unsafe" {
+			pkg.CompiledGoFiles = nil // ignore fake unsafe.go file (#59929)
+		} else if len(pkg.CompiledGoFiles) == 0 {
+			// Work around for pre-go.1.11 versions of go list.
+			// TODO(matloob): they should be handled by the fallback.
+			// Can we delete this?
+			pkg.CompiledGoFiles = pkg.GoFiles
+		}
+
+		// Assume go list emits only absolute paths for Dir.
+		if p.Dir != "" && !filepath.IsAbs(p.Dir) {
+			log.Fatalf("internal error: go list returned non-absolute Package.Dir: %s", p.Dir)
+		}
+
+		if p.Export != "" && !filepath.IsAbs(p.Export) {
+			pkg.ExportFile = filepath.Join(p.Dir, p.Export)
+		} else {
+			pkg.ExportFile = p.Export
+		}
+
+		// imports
+		//
+		// Imports contains the IDs of all imported packages.
+		// ImportsMap records (path, ID) only where they differ.
+		ids := make(map[string]bool)
+		for _, id := range p.Imports {
+			ids[id] = true
+		}
+		pkg.Imports = make(map[string]*Package)
+		for path, id := range p.ImportMap {
+			pkg.Imports[path] = &Package{ID: id} // non-identity import
+			delete(ids, id)
+		}
+		for id := range ids {
+			if id == "C" {
+				continue
+			}
+
+			pkg.Imports[id] = &Package{ID: id} // identity import
+		}
+		if !p.DepOnly {
+			response.Roots = append(response.Roots, pkg.ID)
+		}
+
+		// Temporary work-around for golang/go#39986. Parse filenames out of
+		// error messages. This happens if there are unrecoverable syntax
+		// errors in the source, so we can't match on a specific error message.
+		//
+		// TODO(rfindley): remove this heuristic, in favor of considering
+		// InvalidGoFiles from the list driver.
+		if err := p.Error; err != nil && state.shouldAddFilenameFromError(p) {
+			addFilenameFromPos := func(pos string) bool {
+				split := strings.Split(pos, ":")
+				if len(split) < 1 {
+					return false
+				}
+				filename := strings.TrimSpace(split[0])
+				if filename == "" {
+					return false
+				}
+				if !filepath.IsAbs(filename) {
+					filename = filepath.Join(state.cfg.Dir, filename)
+				}
+				info, _ := os.Stat(filename)
+				if info == nil {
+					return false
+				}
+				pkg.CompiledGoFiles = append(pkg.CompiledGoFiles, filename)
+				pkg.GoFiles = append(pkg.GoFiles, filename)
+				return true
+			}
+			found := addFilenameFromPos(err.Pos)
+			// In some cases, go list only reports the error position in the
+			// error text, not the error position. One such case is when the
+			// file's package name is a keyword (see golang.org/issue/39763).
+			if !found {
+				addFilenameFromPos(err.Err)
+			}
+		}
+
+		if p.Error != nil {
+			msg := strings.TrimSpace(p.Error.Err) // Trim to work around golang.org/issue/32363.
+			// Address golang.org/issue/35964 by appending import stack to error message.
+			if msg == "import cycle not allowed" && len(p.Error.ImportStack) != 0 {
+				msg += fmt.Sprintf(": import stack: %v", p.Error.ImportStack)
+			}
+			pkg.Errors = append(pkg.Errors, Error{
+				Pos:  p.Error.Pos,
+				Msg:  msg,
+				Kind: ListError,
+			})
+		}
+
+		pkgs[pkg.ID] = pkg
+	}
+
+	for id, errs := range additionalErrors {
+		if p, ok := pkgs[id]; ok {
+			p.Errors = append(p.Errors, errs...)
+		}
+	}
+	for _, pkg := range pkgs {
+		response.Packages = append(response.Packages, pkg)
+	}
+	sort.Slice(response.Packages, func(i, j int) bool { return response.Packages[i].ID < response.Packages[j].ID })
+
+	return response, nil
+}
+
+func (state *golistState) shouldAddFilenameFromError(p *jsonPackage) bool {
+	if len(p.GoFiles) > 0 || len(p.CompiledGoFiles) > 0 {
+		return false
+	}
+
+	goV, err := state.getGoVersion()
+	if err != nil {
+		return false
+	}
+
+	// On Go 1.14 and earlier, only add filenames from errors if the import stack is empty.
+	// The import stack behaves differently for these versions than newer Go versions.
+	if goV < 15 {
+		return len(p.Error.ImportStack) == 0
+	}
+
+	// On Go 1.15 and later, only parse filenames out of error if there's no import stack,
+	// or the current package is at the top of the import stack. This is not guaranteed
+	// to work perfectly, but should avoid some cases where files in errors don't belong to this
+	// package.
+	return len(p.Error.ImportStack) == 0 || p.Error.ImportStack[len(p.Error.ImportStack)-1] == p.ImportPath
+}
+
+// getGoVersion returns the effective minor version of the go command.
+func (state *golistState) getGoVersion() (int, error) {
+	state.goVersionOnce.Do(func() {
+		state.goVersion, state.goVersionError = gocommand.GoVersion(state.ctx, state.cfgInvocation(), state.runner)
+	})
+	return state.goVersion, state.goVersionError
+}
+
+// getPkgPath finds the package path of a directory if it's relative to a root
+// directory.
+func (state *golistState) getPkgPath(dir string) (string, bool, error) {
+	if !filepath.IsAbs(dir) {
+		panic("non-absolute dir passed to getPkgPath")
+	}
+	roots, err := state.determineRootDirs()
+	if err != nil {
+		return "", false, err
+	}
+
+	for rdir, rpath := range roots {
+		// Make sure that the directory is in the module,
+		// to avoid creating a path relative to another module.
+		if !strings.HasPrefix(dir, rdir) {
+			continue
+		}
+		// TODO(matloob): This doesn't properly handle symlinks.
+		r, err := filepath.Rel(rdir, dir)
+		if err != nil {
+			continue
+		}
+		if rpath != "" {
+			// We choose only one root even though the directory even it can belong in multiple modules
+			// or GOPATH entries. This is okay because we only need to work with absolute dirs when a
+			// file is missing from disk, for instance when gopls calls go/packages in an overlay.
+			// Once the file is saved, gopls, or the next invocation of the tool will get the correct
+			// result straight from golist.
+			// TODO(matloob): Implement module tiebreaking?
+			return path.Join(rpath, filepath.ToSlash(r)), true, nil
+		}
+		return filepath.ToSlash(r), true, nil
+	}
+	return "", false, nil
+}
+
+// absJoin absolutizes and flattens the lists of files.
+func absJoin(dir string, fileses ...[]string) (res []string) {
+	for _, files := range fileses {
+		for _, file := range files {
+			if !filepath.IsAbs(file) {
+				file = filepath.Join(dir, file)
+			}
+			res = append(res, file)
+		}
+	}
+	return res
+}
+
+func jsonFlag(cfg *Config, goVersion int) string {
+	if goVersion < 19 {
+		return "-json"
+	}
+	var fields []string
+	added := make(map[string]bool)
+	addFields := func(fs ...string) {
+		for _, f := range fs {
+			if !added[f] {
+				added[f] = true
+				fields = append(fields, f)
+			}
+		}
+	}
+	addFields("Name", "ImportPath", "Error") // These fields are always needed
+	if cfg.Mode&NeedFiles != 0 || cfg.Mode&(NeedTypes|NeedTypesInfo) != 0 {
+		addFields("Dir", "GoFiles", "IgnoredGoFiles", "IgnoredOtherFiles", "CFiles",
+			"CgoFiles", "CXXFiles", "MFiles", "HFiles", "FFiles", "SFiles",
+			"SwigFiles", "SwigCXXFiles", "SysoFiles")
+		if cfg.Tests {
+			addFields("TestGoFiles", "XTestGoFiles")
+		}
+	}
+	if cfg.Mode&(NeedTypes|NeedTypesInfo) != 0 {
+		// CompiledGoFiles seems to be required for the test case TestCgoNoSyntax,
+		// even when -compiled isn't passed in.
+		// TODO(#52435): Should we make the test ask for -compiled, or automatically
+		// request CompiledGoFiles in certain circumstances?
+		addFields("Dir", "CompiledGoFiles")
+	}
+	if cfg.Mode&NeedCompiledGoFiles != 0 {
+		addFields("Dir", "CompiledGoFiles", "Export")
+	}
+	if cfg.Mode&NeedImports != 0 {
+		// When imports are requested, DepOnly is used to distinguish between packages
+		// explicitly requested and transitive imports of those packages.
+		addFields("DepOnly", "Imports", "ImportMap")
+		if cfg.Tests {
+			addFields("TestImports", "XTestImports")
+		}
+	}
+	if cfg.Mode&NeedDeps != 0 {
+		addFields("DepOnly")
+	}
+	if usesExportData(cfg) {
+		// Request Dir in the unlikely case Export is not absolute.
+		addFields("Dir", "Export")
+	}
+	if cfg.Mode&NeedForTest != 0 {
+		addFields("ForTest")
+	}
+	if cfg.Mode&needInternalDepsErrors != 0 {
+		addFields("DepsErrors")
+	}
+	if cfg.Mode&NeedModule != 0 {
+		addFields("Module")
+	}
+	if cfg.Mode&NeedEmbedFiles != 0 {
+		addFields("EmbedFiles")
+	}
+	if cfg.Mode&NeedEmbedPatterns != 0 {
+		addFields("EmbedPatterns")
+	}
+	if cfg.Mode&NeedTarget != 0 {
+		addFields("Target")
+	}
+	return "-json=" + strings.Join(fields, ",")
+}
+
+func golistargs(cfg *Config, words []string, goVersion int) []string {
+	const findFlags = NeedImports | NeedTypes | NeedSyntax | NeedTypesInfo
+	fullargs := []string{
+		"-e", jsonFlag(cfg, goVersion),
+		fmt.Sprintf("-compiled=%t", cfg.Mode&(NeedCompiledGoFiles|NeedSyntax|NeedTypes|NeedTypesInfo|NeedTypesSizes) != 0),
+		fmt.Sprintf("-test=%t", cfg.Tests),
+		fmt.Sprintf("-export=%t", usesExportData(cfg)),
+		fmt.Sprintf("-deps=%t", cfg.Mode&NeedImports != 0),
+		// go list doesn't let you pass -test and -find together,
+		// probably because you'd just get the TestMain.
+		fmt.Sprintf("-find=%t", !cfg.Tests && cfg.Mode&findFlags == 0 && !usesExportData(cfg)),
+	}
+
+	// golang/go#60456: with go1.21 and later, go list serves pgo variants, which
+	// can be costly to compute and may result in redundant processing for the
+	// caller. Disable these variants. If someone wants to add e.g. a NeedPGO
+	// mode flag, that should be a separate proposal.
+	if goVersion >= 21 {
+		fullargs = append(fullargs, "-pgo=off")
+	}
+
+	fullargs = append(fullargs, cfg.BuildFlags...)
+	fullargs = append(fullargs, "--")
+	fullargs = append(fullargs, words...)
+	return fullargs
+}
+
+// cfgInvocation returns an Invocation that reflects cfg's settings.
+func (state *golistState) cfgInvocation() gocommand.Invocation {
+	cfg := state.cfg
+	return gocommand.Invocation{
+		BuildFlags: cfg.BuildFlags,
+		CleanEnv:   cfg.Env != nil,
+		Env:        cfg.Env,
+		Logf:       cfg.Logf,
+		WorkingDir: cfg.Dir,
+		Overlay:    state.overlay,
+	}
+}
+
+// invokeGo returns the stdout of a go command invocation.
+func (state *golistState) invokeGo(verb string, args ...string) (*bytes.Buffer, error) {
+	cfg := state.cfg
+
+	inv := state.cfgInvocation()
+	inv.Verb = verb
+	inv.Args = args
+
+	stdout, stderr, friendlyErr, err := state.runner.RunRaw(cfg.Context, inv)
+	if err != nil {
+		// Check for 'go' executable not being found.
+		if ee, ok := err.(*exec.Error); ok && ee.Err == exec.ErrNotFound {
+			return nil, fmt.Errorf("'go list' driver requires 'go', but %s", exec.ErrNotFound)
+		}
+
+		exitErr, ok := err.(*exec.ExitError)
+		if !ok {
+			// Catastrophic error:
+			// - context cancellation
+			return nil, fmt.Errorf("couldn't run 'go': %w", err)
+		}
+
+		// Old go version?
+		if strings.Contains(stderr.String(), "flag provided but not defined") {
+			return nil, goTooOldError{fmt.Errorf("unsupported version of go: %s: %s", exitErr, stderr)}
+		}
+
+		// Related to #24854
+		if len(stderr.String()) > 0 && strings.Contains(stderr.String(), "unexpected directory layout") {
+			return nil, friendlyErr
+		}
+
+		// Return an error if 'go list' failed due to missing tools in
+		// $GOROOT/pkg/tool/$GOOS_$GOARCH (#69606).
+		if len(stderr.String()) > 0 && strings.Contains(stderr.String(), `go: no such tool`) {
+			return nil, friendlyErr
+		}
+
+		// Is there an error running the C compiler in cgo? This will be reported in the "Error" field
+		// and should be suppressed by go list -e.
+		//
+		// This condition is not perfect yet because the error message can include other error messages than runtime/cgo.
+		isPkgPathRune := func(r rune) bool {
+			// From https://golang.org/ref/spec#Import_declarations:
+			//    Implementation restriction: A compiler may restrict ImportPaths to non-empty strings
+			//    using only characters belonging to Unicode's L, M, N, P, and S general categories
+			//    (the Graphic characters without spaces) and may also exclude the
+			//    characters !"#$%&'()*,:;<=>?[\]^`{|} and the Unicode replacement character U+FFFD.
+			return unicode.IsOneOf([]*unicode.RangeTable{unicode.L, unicode.M, unicode.N, unicode.P, unicode.S}, r) &&
+				!strings.ContainsRune("!\"#$%&'()*,:;<=>?[\\]^`{|}\uFFFD", r)
+		}
+		// golang/go#36770: Handle case where cmd/go prints module download messages before the error.
+		msg := stderr.String()
+		for strings.HasPrefix(msg, "go: downloading") {
+			msg = msg[strings.IndexRune(msg, '\n')+1:]
+		}
+		if len(stderr.String()) > 0 && strings.HasPrefix(stderr.String(), "# ") {
+			msg := msg[len("# "):]
+			if strings.HasPrefix(strings.TrimLeftFunc(msg, isPkgPathRune), "\n") {
+				return stdout, nil
+			}
+			// Treat pkg-config errors as a special case (golang.org/issue/36770).
+			if strings.HasPrefix(msg, "pkg-config") {
+				return stdout, nil
+			}
+		}
+
+		// This error only appears in stderr. See golang.org/cl/166398 for a fix in go list to show
+		// the error in the Err section of stdout in case -e option is provided.
+		// This fix is provided for backwards compatibility.
+		if len(stderr.String()) > 0 && strings.Contains(stderr.String(), "named files must be .go files") {
+			output := fmt.Sprintf(`{"ImportPath": "command-line-arguments","Incomplete": true,"Error": {"Pos": "","Err": %q}}`,
+				strings.Trim(stderr.String(), "\n"))
+			return bytes.NewBufferString(output), nil
+		}
+
+		// Similar to the previous error, but currently lacks a fix in Go.
+		if len(stderr.String()) > 0 && strings.Contains(stderr.String(), "named files must all be in one directory") {
+			output := fmt.Sprintf(`{"ImportPath": "command-line-arguments","Incomplete": true,"Error": {"Pos": "","Err": %q}}`,
+				strings.Trim(stderr.String(), "\n"))
+			return bytes.NewBufferString(output), nil
+		}
+
+		// Backwards compatibility for Go 1.11 because 1.12 and 1.13 put the directory in the ImportPath.
+		// If the package doesn't exist, put the absolute path of the directory into the error message,
+		// as Go 1.13 list does.
+		const noSuchDirectory = "no such directory"
+		if len(stderr.String()) > 0 && strings.Contains(stderr.String(), noSuchDirectory) {
+			errstr := stderr.String()
+			abspath := strings.TrimSpace(errstr[strings.Index(errstr, noSuchDirectory)+len(noSuchDirectory):])
+			output := fmt.Sprintf(`{"ImportPath": %q,"Incomplete": true,"Error": {"Pos": "","Err": %q}}`,
+				abspath, strings.Trim(stderr.String(), "\n"))
+			return bytes.NewBufferString(output), nil
+		}
+
+		// Workaround for #29280: go list -e has incorrect behavior when an ad-hoc package doesn't exist.
+		// Note that the error message we look for in this case is different that the one looked for above.
+		if len(stderr.String()) > 0 && strings.Contains(stderr.String(), "no such file or directory") {
+			output := fmt.Sprintf(`{"ImportPath": "command-line-arguments","Incomplete": true,"Error": {"Pos": "","Err": %q}}`,
+				strings.Trim(stderr.String(), "\n"))
+			return bytes.NewBufferString(output), nil
+		}
+
+		// Workaround for #34273. go list -e with GO111MODULE=on has incorrect behavior when listing a
+		// directory outside any module.
+		if len(stderr.String()) > 0 && strings.Contains(stderr.String(), "outside available modules") {
+			output := fmt.Sprintf(`{"ImportPath": %q,"Incomplete": true,"Error": {"Pos": "","Err": %q}}`,
+				// TODO(matloob): command-line-arguments isn't correct here.
+				"command-line-arguments", strings.Trim(stderr.String(), "\n"))
+			return bytes.NewBufferString(output), nil
+		}
+
+		// Another variation of the previous error
+		if len(stderr.String()) > 0 && strings.Contains(stderr.String(), "outside module root") {
+			output := fmt.Sprintf(`{"ImportPath": %q,"Incomplete": true,"Error": {"Pos": "","Err": %q}}`,
+				// TODO(matloob): command-line-arguments isn't correct here.
+				"command-line-arguments", strings.Trim(stderr.String(), "\n"))
+			return bytes.NewBufferString(output), nil
+		}
+
+		// Workaround for an instance of golang.org/issue/26755: go list -e  will return a non-zero exit
+		// status if there's a dependency on a package that doesn't exist. But it should return
+		// a zero exit status and set an error on that package.
+		if len(stderr.String()) > 0 && strings.Contains(stderr.String(), "no Go files in") {
+			// Don't clobber stdout if `go list` actually returned something.
+			if len(stdout.String()) > 0 {
+				return stdout, nil
+			}
+			// try to extract package name from string
+			stderrStr := stderr.String()
+			var importPath string
+			colon := strings.Index(stderrStr, ":")
+			if colon > 0 && strings.HasPrefix(stderrStr, "go build ") {
+				importPath = stderrStr[len("go build "):colon]
+			}
+			output := fmt.Sprintf(`{"ImportPath": %q,"Incomplete": true,"Error": {"Pos": "","Err": %q}}`,
+				importPath, strings.Trim(stderrStr, "\n"))
+			return bytes.NewBufferString(output), nil
+		}
+
+		// Export mode entails a build.
+		// If that build fails, errors appear on stderr
+		// (despite the -e flag) and the Export field is blank.
+		// Do not fail in that case.
+		// The same is true if an ad-hoc package given to go list doesn't exist.
+		// TODO(matloob): Remove these once we can depend on go list to exit with a zero status with -e even when
+		// packages don't exist or a build fails.
+		if !usesExportData(cfg) && !containsGoFile(args) {
+			return nil, friendlyErr
+		}
+	}
+	return stdout, nil
+}
+
+func containsGoFile(s []string) bool {
+	for _, f := range s {
+		if strings.HasSuffix(f, ".go") {
+			return true
+		}
+	}
+	return false
+}
+
+func cmdDebugStr(cmd *exec.Cmd) string {
+	env := make(map[string]string)
+	for _, kv := range cmd.Env {
+		split := strings.SplitN(kv, "=", 2)
+		k, v := split[0], split[1]
+		env[k] = v
+	}
+
+	var args []string
+	for _, arg := range cmd.Args {
+		quoted := strconv.Quote(arg)
+		if quoted[1:len(quoted)-1] != arg || strings.Contains(arg, " ") {
+			args = append(args, quoted)
+		} else {
+			args = append(args, arg)
+		}
+	}
+	return fmt.Sprintf("GOROOT=%v GOPATH=%v GO111MODULE=%v GOPROXY=%v PWD=%v %v", env["GOROOT"], env["GOPATH"], env["GO111MODULE"], env["GOPROXY"], env["PWD"], strings.Join(args, " "))
+}
+
+// getSizesForArgs queries 'go list' for the appropriate
+// Compiler and GOARCH arguments to pass to [types.SizesFor].
+func getSizesForArgs(ctx context.Context, inv gocommand.Invocation, gocmdRunner *gocommand.Runner) (string, string, error) {
+	inv.Verb = "list"
+	inv.Args = []string{"-f", "{{context.GOARCH}} {{context.Compiler}}", "--", "unsafe"}
+	stdout, stderr, friendlyErr, rawErr := gocmdRunner.RunRaw(ctx, inv)
+	var goarch, compiler string
+	if rawErr != nil {
+		rawErrMsg := rawErr.Error()
+		if strings.Contains(rawErrMsg, "cannot find main module") ||
+			strings.Contains(rawErrMsg, "go.mod file not found") {
+			// User's running outside of a module.
+			// All bets are off. Get GOARCH and guess compiler is gc.
+			// TODO(matloob): Is this a problem in practice?
+			inv.Verb = "env"
+			inv.Args = []string{"GOARCH"}
+			envout, enverr := gocmdRunner.Run(ctx, inv)
+			if enverr != nil {
+				return "", "", enverr
+			}
+			goarch = strings.TrimSpace(envout.String())
+			compiler = "gc"
+		} else if friendlyErr != nil {
+			return "", "", friendlyErr
+		} else {
+			// This should be unreachable, but be defensive
+			// in case RunRaw's error results are inconsistent.
+			return "", "", rawErr
+		}
+	} else {
+		fields := strings.Fields(stdout.String())
+		if len(fields) < 2 {
+			return "", "", fmt.Errorf("could not parse GOARCH and Go compiler in format \" \":\nstdout: <<%s>>\nstderr: <<%s>>",
+				stdout.String(), stderr.String())
+		}
+		goarch = fields[0]
+		compiler = fields[1]
+	}
+	return compiler, goarch, nil
+}
diff --git a/vendor/golang.org/x/tools/go/packages/golist_overlay.go b/vendor/golang.org/x/tools/go/packages/golist_overlay.go
new file mode 100644
index 0000000000..d9d5a45cd4
--- /dev/null
+++ b/vendor/golang.org/x/tools/go/packages/golist_overlay.go
@@ -0,0 +1,83 @@
+// Copyright 2018 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package packages
+
+import (
+	"encoding/json"
+	"path/filepath"
+
+	"golang.org/x/tools/internal/gocommand"
+)
+
+// determineRootDirs returns a mapping from absolute directories that could
+// contain code to their corresponding import path prefixes.
+func (state *golistState) determineRootDirs() (map[string]string, error) {
+	env, err := state.getEnv()
+	if err != nil {
+		return nil, err
+	}
+	if env["GOMOD"] != "" {
+		state.rootsOnce.Do(func() {
+			state.rootDirs, state.rootDirsError = state.determineRootDirsModules()
+		})
+	} else {
+		state.rootsOnce.Do(func() {
+			state.rootDirs, state.rootDirsError = state.determineRootDirsGOPATH()
+		})
+	}
+	return state.rootDirs, state.rootDirsError
+}
+
+func (state *golistState) determineRootDirsModules() (map[string]string, error) {
+	// List all of the modules--the first will be the directory for the main
+	// module. Any replaced modules will also need to be treated as roots.
+	// Editing files in the module cache isn't a great idea, so we don't
+	// plan to ever support that.
+	out, err := state.invokeGo("list", "-m", "-json", "all")
+	if err != nil {
+		// 'go list all' will fail if we're outside of a module and
+		// GO111MODULE=on. Try falling back without 'all'.
+		var innerErr error
+		out, innerErr = state.invokeGo("list", "-m", "-json")
+		if innerErr != nil {
+			return nil, err
+		}
+	}
+	roots := map[string]string{}
+	modules := map[string]string{}
+	var i int
+	for dec := json.NewDecoder(out); dec.More(); {
+		mod := new(gocommand.ModuleJSON)
+		if err := dec.Decode(mod); err != nil {
+			return nil, err
+		}
+		if mod.Dir != "" && mod.Path != "" {
+			// This is a valid module; add it to the map.
+			absDir, err := state.cfg.abs(mod.Dir)
+			if err != nil {
+				return nil, err
+			}
+			modules[absDir] = mod.Path
+			// The first result is the main module.
+			if i == 0 || mod.Replace != nil && mod.Replace.Path != "" {
+				roots[absDir] = mod.Path
+			}
+		}
+		i++
+	}
+	return roots, nil
+}
+
+func (state *golistState) determineRootDirsGOPATH() (map[string]string, error) {
+	m := map[string]string{}
+	for _, dir := range filepath.SplitList(state.mustGetEnv()["GOPATH"]) {
+		absDir, err := filepath.Abs(dir)
+		if err != nil {
+			return nil, err
+		}
+		m[filepath.Join(absDir, "src")] = ""
+	}
+	return m, nil
+}
diff --git a/vendor/golang.org/x/tools/go/packages/loadmode_string.go b/vendor/golang.org/x/tools/go/packages/loadmode_string.go
new file mode 100644
index 0000000000..69eec9f44d
--- /dev/null
+++ b/vendor/golang.org/x/tools/go/packages/loadmode_string.go
@@ -0,0 +1,56 @@
+// Copyright 2019 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package packages
+
+import (
+	"fmt"
+	"strings"
+)
+
+var modes = [...]struct {
+	mode LoadMode
+	name string
+}{
+	{NeedName, "NeedName"},
+	{NeedFiles, "NeedFiles"},
+	{NeedCompiledGoFiles, "NeedCompiledGoFiles"},
+	{NeedImports, "NeedImports"},
+	{NeedDeps, "NeedDeps"},
+	{NeedExportFile, "NeedExportFile"},
+	{NeedTypes, "NeedTypes"},
+	{NeedSyntax, "NeedSyntax"},
+	{NeedTypesInfo, "NeedTypesInfo"},
+	{NeedTypesSizes, "NeedTypesSizes"},
+	{NeedForTest, "NeedForTest"},
+	{NeedModule, "NeedModule"},
+	{NeedEmbedFiles, "NeedEmbedFiles"},
+	{NeedEmbedPatterns, "NeedEmbedPatterns"},
+	{NeedTarget, "NeedTarget"},
+}
+
+func (mode LoadMode) String() string {
+	if mode == 0 {
+		return "LoadMode(0)"
+	}
+	var out []string
+	// named bits
+	for _, item := range modes {
+		if (mode & item.mode) != 0 {
+			mode ^= item.mode
+			out = append(out, item.name)
+		}
+	}
+	// unnamed residue
+	if mode != 0 {
+		if out == nil {
+			return fmt.Sprintf("LoadMode(%#x)", int(mode))
+		}
+		out = append(out, fmt.Sprintf("%#x", int(mode)))
+	}
+	if len(out) == 1 {
+		return out[0]
+	}
+	return "(" + strings.Join(out, "|") + ")"
+}
diff --git a/vendor/golang.org/x/tools/go/packages/packages.go b/vendor/golang.org/x/tools/go/packages/packages.go
new file mode 100644
index 0000000000..ff607389da
--- /dev/null
+++ b/vendor/golang.org/x/tools/go/packages/packages.go
@@ -0,0 +1,1568 @@
+// Copyright 2018 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package packages
+
+// See doc.go for package documentation and implementation notes.
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"go/ast"
+	"go/parser"
+	"go/scanner"
+	"go/token"
+	"go/types"
+	"log"
+	"os"
+	"path/filepath"
+	"runtime"
+	"strings"
+	"sync"
+	"sync/atomic"
+	"time"
+
+	"golang.org/x/sync/errgroup"
+
+	"golang.org/x/tools/go/gcexportdata"
+	"golang.org/x/tools/internal/gocommand"
+	"golang.org/x/tools/internal/packagesinternal"
+	"golang.org/x/tools/internal/typesinternal"
+)
+
+// A LoadMode controls the amount of detail to return when loading.
+// The bits below can be combined to specify which fields should be
+// filled in the result packages.
+//
+// The zero value is a special case, equivalent to combining
+// the NeedName, NeedFiles, and NeedCompiledGoFiles bits.
+//
+// ID and Errors (if present) will always be filled.
+// [Load] may return more information than requested.
+//
+// The Mode flag is a union of several bits named NeedName,
+// NeedFiles, and so on, each of which determines whether
+// a given field of Package (Name, Files, etc) should be
+// populated.
+//
+// For convenience, we provide named constants for the most
+// common combinations of Need flags:
+//
+//	[LoadFiles]     lists of files in each package
+//	[LoadImports]   ... plus imports
+//	[LoadTypes]     ... plus type information
+//	[LoadSyntax]    ... plus type-annotated syntax
+//	[LoadAllSyntax] ... for all dependencies
+//
+// Unfortunately there are a number of open bugs related to
+// interactions among the LoadMode bits:
+//   - https://go.dev/issue/56633
+//   - https://go.dev/issue/56677
+//   - https://go.dev/issue/58726
+//   - https://go.dev/issue/63517
+type LoadMode int
+
+const (
+	// NeedName adds Name and PkgPath.
+	NeedName LoadMode = 1 << iota
+
+	// NeedFiles adds Dir, GoFiles, OtherFiles, and IgnoredFiles
+	NeedFiles
+
+	// NeedCompiledGoFiles adds CompiledGoFiles.
+	NeedCompiledGoFiles
+
+	// NeedImports adds Imports. If NeedDeps is not set, the Imports field will contain
+	// "placeholder" Packages with only the ID set.
+	NeedImports
+
+	// NeedDeps adds the fields requested by the LoadMode in the packages in Imports.
+	NeedDeps
+
+	// NeedExportFile adds ExportFile.
+	NeedExportFile
+
+	// NeedTypes adds Types, Fset, and IllTyped.
+	NeedTypes
+
+	// NeedSyntax adds Syntax and Fset.
+	NeedSyntax
+
+	// NeedTypesInfo adds TypesInfo and Fset.
+	NeedTypesInfo
+
+	// NeedTypesSizes adds TypesSizes.
+	NeedTypesSizes
+
+	// needInternalDepsErrors adds the internal deps errors field for use by gopls.
+	needInternalDepsErrors
+
+	// NeedForTest adds ForTest.
+	//
+	// Tests must also be set on the context for this field to be populated.
+	NeedForTest
+
+	// typecheckCgo enables full support for type checking cgo. Requires Go 1.15+.
+	// Modifies CompiledGoFiles and Types, and has no effect on its own.
+	typecheckCgo
+
+	// NeedModule adds Module.
+	NeedModule
+
+	// NeedEmbedFiles adds EmbedFiles.
+	NeedEmbedFiles
+
+	// NeedEmbedPatterns adds EmbedPatterns.
+	NeedEmbedPatterns
+
+	// NeedTarget adds Target.
+	NeedTarget
+
+	// Be sure to update loadmode_string.go when adding new items!
+)
+
+const (
+	// LoadFiles loads the name and file names for the initial packages.
+	LoadFiles = NeedName | NeedFiles | NeedCompiledGoFiles
+
+	// LoadImports loads the name, file names, and import mapping for the initial packages.
+	LoadImports = LoadFiles | NeedImports
+
+	// LoadTypes loads exported type information for the initial packages.
+	LoadTypes = LoadImports | NeedTypes | NeedTypesSizes
+
+	// LoadSyntax loads typed syntax for the initial packages.
+	LoadSyntax = LoadTypes | NeedSyntax | NeedTypesInfo
+
+	// LoadAllSyntax loads typed syntax for the initial packages and all dependencies.
+	LoadAllSyntax = LoadSyntax | NeedDeps
+
+	// Deprecated: NeedExportsFile is a historical misspelling of NeedExportFile.
+	//
+	//go:fix inline
+	NeedExportsFile = NeedExportFile
+)
+
+// A Config specifies details about how packages should be loaded.
+// The zero value is a valid configuration.
+//
+// Calls to [Load] do not modify this struct.
+type Config struct {
+	// Mode controls the level of information returned for each package.
+	Mode LoadMode
+
+	// Context specifies the context for the load operation.
+	// Cancelling the context may cause [Load] to abort and
+	// return an error.
+	Context context.Context
+
+	// Logf is the logger for the config.
+	// If the user provides a logger, debug logging is enabled.
+	// If the GOPACKAGESDEBUG environment variable is set to true,
+	// but the logger is nil, default to log.Printf.
+	Logf func(format string, args ...any)
+
+	// Dir is the directory in which to run the build system's query tool
+	// that provides information about the packages.
+	// If Dir is empty, the tool is run in the current directory.
+	Dir string
+
+	// Env is the environment to use when invoking the build system's query tool.
+	// If Env is nil, the current environment is used.
+	// As in os/exec's Cmd, only the last value in the slice for
+	// each environment key is used. To specify the setting of only
+	// a few variables, append to the current environment, as in:
+	//
+	//	opt.Env = append(os.Environ(), "GOOS=plan9", "GOARCH=386")
+	//
+	Env []string
+
+	// BuildFlags is a list of command-line flags to be passed through to
+	// the build system's query tool.
+	BuildFlags []string
+
+	// Fset provides source position information for syntax trees and types.
+	// If Fset is nil, Load will use a new fileset, but preserve Fset's value.
+	Fset *token.FileSet
+
+	// ParseFile is called to read and parse each file
+	// when preparing a package's type-checked syntax tree.
+	// It must be safe to call ParseFile simultaneously from multiple goroutines.
+	// If ParseFile is nil, the loader will uses parser.ParseFile.
+	//
+	// ParseFile should parse the source from src and use filename only for
+	// recording position information.
+	//
+	// An application may supply a custom implementation of ParseFile
+	// to change the effective file contents or the behavior of the parser,
+	// or to modify the syntax tree. For example, selectively eliminating
+	// unwanted function bodies can significantly accelerate type checking.
+	ParseFile func(fset *token.FileSet, filename string, src []byte) (*ast.File, error)
+
+	// If Tests is set, the loader includes not just the packages
+	// matching a particular pattern but also any related test packages,
+	// including test-only variants of the package and the test executable.
+	//
+	// For example, when using the go command, loading "fmt" with Tests=true
+	// returns four packages, with IDs "fmt" (the standard package),
+	// "fmt [fmt.test]" (the package as compiled for the test),
+	// "fmt_test" (the test functions from source files in package fmt_test),
+	// and "fmt.test" (the test binary).
+	//
+	// In build systems with explicit names for tests,
+	// setting Tests may have no effect.
+	Tests bool
+
+	// Overlay is a mapping from absolute file paths to file contents.
+	//
+	// For each map entry, [Load] uses the alternative file
+	// contents provided by the overlay mapping instead of reading
+	// from the file system. This mechanism can be used to enable
+	// editor-integrated tools to correctly analyze the contents
+	// of modified but unsaved buffers, for example.
+	//
+	// The overlay mapping is passed to the build system's driver
+	// (see "The driver protocol") so that it too can report
+	// consistent package metadata about unsaved files. However,
+	// drivers may vary in their level of support for overlays.
+	Overlay map[string][]byte
+}
+
+// Load loads and returns the Go packages named by the given patterns.
+//
+// The cfg parameter specifies loading options; nil behaves the same as an empty [Config].
+//
+// The [Config.Mode] field is a set of bits that determine what kinds
+// of information should be computed and returned. Modes that require
+// more information tend to be slower. See [LoadMode] for details
+// and important caveats. Its zero value is equivalent to
+// [NeedName] | [NeedFiles] | [NeedCompiledGoFiles].
+//
+// Each call to Load returns a new set of [Package] instances.
+// The Packages and their Imports form a directed acyclic graph.
+//
+// If the [NeedTypes] mode flag was set, each call to Load uses a new
+// [types.Importer], so [types.Object] and [types.Type] values from
+// different calls to Load must not be mixed as they will have
+// inconsistent notions of type identity.
+//
+// If any of the patterns was invalid as defined by the
+// underlying build system, Load returns an error.
+// It may return an empty list of packages without an error,
+// for instance for an empty expansion of a valid wildcard.
+// Errors associated with a particular package are recorded in the
+// corresponding Package's Errors list, and do not cause Load to
+// return an error. Clients may need to handle such errors before
+// proceeding with further analysis. The [PrintErrors] function is
+// provided for convenient display of all errors.
+func Load(cfg *Config, patterns ...string) ([]*Package, error) {
+	ld := newLoader(cfg)
+	response, external, err := defaultDriver(&ld.Config, patterns...)
+	if err != nil {
+		return nil, err
+	}
+
+	ld.sizes = types.SizesFor(response.Compiler, response.Arch)
+	if ld.sizes == nil && ld.Config.Mode&(NeedTypes|NeedTypesSizes|NeedTypesInfo) != 0 {
+		// Type size information is needed but unavailable.
+		if external {
+			// An external driver may fail to populate the Compiler/GOARCH fields,
+			// especially since they are relatively new (see #63700).
+			// Provide a sensible fallback in this case.
+			ld.sizes = types.SizesFor("gc", runtime.GOARCH)
+			if ld.sizes == nil { // gccgo-only arch
+				ld.sizes = types.SizesFor("gc", "amd64")
+			}
+		} else {
+			// Go list should never fail to deliver accurate size information.
+			// Reject the whole Load since the error is the same for every package.
+			return nil, fmt.Errorf("can't determine type sizes for compiler %q on GOARCH %q",
+				response.Compiler, response.Arch)
+		}
+	}
+
+	return ld.refine(response)
+}
+
+// defaultDriver is a driver that implements go/packages' fallback behavior.
+// It will try to request to an external driver, if one exists. If there's
+// no external driver, or the driver returns a response with NotHandled set,
+// defaultDriver will fall back to the go list driver.
+// The boolean result indicates that an external driver handled the request.
+func defaultDriver(cfg *Config, patterns ...string) (*DriverResponse, bool, error) {
+	const (
+		// windowsArgMax specifies the maximum command line length for
+		// the Windows' CreateProcess function.
+		windowsArgMax = 32767
+		// maxEnvSize is a very rough estimation of the maximum environment
+		// size of a user.
+		maxEnvSize = 16384
+		// safeArgMax specifies the maximum safe command line length to use
+		// by the underlying driver excl. the environment. We choose the Windows'
+		// ARG_MAX as the starting point because it's one of the lowest ARG_MAX
+		// constants out of the different supported platforms,
+		// e.g., https://www.in-ulm.de/~mascheck/various/argmax/#results.
+		safeArgMax = windowsArgMax - maxEnvSize
+	)
+	chunks, err := splitIntoChunks(patterns, safeArgMax)
+	if err != nil {
+		return nil, false, err
+	}
+
+	if driver := findExternalDriver(cfg); driver != nil {
+		response, err := callDriverOnChunks(driver, cfg, chunks)
+		if err != nil {
+			return nil, false, err
+		} else if !response.NotHandled {
+			return response, true, nil
+		}
+		// not handled: fall through
+	}
+
+	// go list fallback
+
+	// Write overlays once, as there are many calls
+	// to 'go list' (one per chunk plus others too).
+	overlayFile, cleanupOverlay, err := gocommand.WriteOverlays(cfg.Overlay)
+	if err != nil {
+		return nil, false, err
+	}
+	defer cleanupOverlay()
+
+	var runner gocommand.Runner // (shared across many 'go list' calls)
+	driver := func(cfg *Config, patterns []string) (*DriverResponse, error) {
+		return goListDriver(cfg, &runner, overlayFile, patterns)
+	}
+	response, err := callDriverOnChunks(driver, cfg, chunks)
+	if err != nil {
+		return nil, false, err
+	}
+	return response, false, err
+}
+
+// splitIntoChunks chunks the slice so that the total number of characters
+// in a chunk is no longer than argMax.
+func splitIntoChunks(patterns []string, argMax int) ([][]string, error) {
+	if argMax <= 0 {
+		return nil, errors.New("failed to split patterns into chunks, negative safe argMax value")
+	}
+	var chunks [][]string
+	charsInChunk := 0
+	nextChunkStart := 0
+	for i, v := range patterns {
+		vChars := len(v)
+		if vChars > argMax {
+			// a single pattern is longer than the maximum safe ARG_MAX, hardly should happen
+			return nil, errors.New("failed to split patterns into chunks, a pattern is too long")
+		}
+		charsInChunk += vChars + 1 // +1 is for a whitespace between patterns that has to be counted too
+		if charsInChunk > argMax {
+			chunks = append(chunks, patterns[nextChunkStart:i])
+			nextChunkStart = i
+			charsInChunk = vChars
+		}
+	}
+	// add the last chunk
+	if nextChunkStart < len(patterns) {
+		chunks = append(chunks, patterns[nextChunkStart:])
+	}
+	return chunks, nil
+}
+
+func callDriverOnChunks(driver driver, cfg *Config, chunks [][]string) (*DriverResponse, error) {
+	if len(chunks) == 0 {
+		return driver(cfg, nil)
+	}
+	responses := make([]*DriverResponse, len(chunks))
+	errNotHandled := errors.New("driver returned NotHandled")
+	var g errgroup.Group
+	for i, chunk := range chunks {
+		g.Go(func() (err error) {
+			responses[i], err = driver(cfg, chunk)
+			if responses[i] != nil && responses[i].NotHandled {
+				err = errNotHandled
+			}
+			return err
+		})
+	}
+	if err := g.Wait(); err != nil {
+		if errors.Is(err, errNotHandled) {
+			return &DriverResponse{NotHandled: true}, nil
+		}
+		return nil, err
+	}
+	return mergeResponses(responses...), nil
+}
+
+func mergeResponses(responses ...*DriverResponse) *DriverResponse {
+	if len(responses) == 0 {
+		return nil
+	}
+	response := newDeduper()
+	response.dr.NotHandled = false
+	response.dr.Compiler = responses[0].Compiler
+	response.dr.Arch = responses[0].Arch
+	response.dr.GoVersion = responses[0].GoVersion
+	for _, v := range responses {
+		response.addAll(v)
+	}
+	return response.dr
+}
+
+// A Package describes a loaded Go package.
+//
+// It also defines part of the JSON schema of [DriverResponse].
+// See the package documentation for an overview.
+type Package struct {
+	// ID is a unique identifier for a package,
+	// in a syntax provided by the underlying build system.
+	//
+	// Because the syntax varies based on the build system,
+	// clients should treat IDs as opaque and not attempt to
+	// interpret them.
+	ID string
+
+	// Name is the package name as it appears in the package source code.
+	Name string
+
+	// PkgPath is the package path as used by the go/types package.
+	PkgPath string
+
+	// Dir is the directory associated with the package, if it exists.
+	//
+	// For packages listed by the go command, this is the directory containing
+	// the package files.
+	Dir string
+
+	// Errors contains any errors encountered querying the metadata
+	// of the package, or while parsing or type-checking its files.
+	Errors []Error
+
+	// TypeErrors contains the subset of errors produced during type checking.
+	TypeErrors []types.Error
+
+	// GoFiles lists the absolute file paths of the package's Go source files.
+	// It may include files that should not be compiled, for example because
+	// they contain non-matching build tags, are documentary pseudo-files such as
+	// unsafe/unsafe.go or builtin/builtin.go, or are subject to cgo preprocessing.
+	GoFiles []string
+
+	// CompiledGoFiles lists the absolute file paths of the package's source
+	// files that are suitable for type checking.
+	// This may differ from GoFiles if files are processed before compilation.
+	CompiledGoFiles []string
+
+	// OtherFiles lists the absolute file paths of the package's non-Go source files,
+	// including assembly, C, C++, Fortran, Objective-C, SWIG, and so on.
+	OtherFiles []string
+
+	// EmbedFiles lists the absolute file paths of the package's files
+	// embedded with go:embed.
+	EmbedFiles []string
+
+	// EmbedPatterns lists the absolute file patterns of the package's
+	// files embedded with go:embed.
+	EmbedPatterns []string
+
+	// IgnoredFiles lists source files that are not part of the package
+	// using the current build configuration but that might be part of
+	// the package using other build configurations.
+	IgnoredFiles []string
+
+	// ExportFile is the absolute path to a file containing type
+	// information for the package as provided by the build system.
+	ExportFile string
+
+	// Target is the absolute install path of the .a file, for libraries,
+	// and of the executable file, for binaries.
+	Target string
+
+	// Imports maps import paths appearing in the package's Go source files
+	// to corresponding loaded Packages.
+	Imports map[string]*Package
+
+	// Module is the module information for the package if it exists.
+	//
+	// Note: it may be missing for std and cmd; see Go issue #65816.
+	Module *Module
+
+	// -- The following fields are not part of the driver JSON schema. --
+
+	// Types provides type information for the package.
+	// The NeedTypes LoadMode bit sets this field for packages matching the
+	// patterns; type information for dependencies may be missing or incomplete,
+	// unless NeedDeps and NeedImports are also set.
+	//
+	// Each call to [Load] returns a consistent set of type
+	// symbols, as defined by the comment at [types.Identical].
+	// Avoid mixing type information from two or more calls to [Load].
+	Types *types.Package `json:"-"`
+
+	// Fset provides position information for Types, TypesInfo, and Syntax.
+	// It is set only when Types is set.
+	Fset *token.FileSet `json:"-"`
+
+	// IllTyped indicates whether the package or any dependency contains errors.
+	// It is set only when Types is set.
+	IllTyped bool `json:"-"`
+
+	// Syntax is the package's syntax trees, for the files listed in CompiledGoFiles.
+	//
+	// The NeedSyntax LoadMode bit populates this field for packages matching the patterns.
+	// If NeedDeps and NeedImports are also set, this field will also be populated
+	// for dependencies.
+	//
+	// Syntax is kept in the same order as CompiledGoFiles, with the caveat that nils are
+	// removed.  If parsing returned nil, Syntax may be shorter than CompiledGoFiles.
+	Syntax []*ast.File `json:"-"`
+
+	// TypesInfo provides type information about the package's syntax trees.
+	// It is set only when Syntax is set.
+	TypesInfo *types.Info `json:"-"`
+
+	// TypesSizes provides the effective size function for types in TypesInfo.
+	TypesSizes types.Sizes `json:"-"`
+
+	// -- internal --
+
+	// ForTest is the package under test, if any.
+	ForTest string
+
+	// depsErrors is the DepsErrors field from the go list response, if any.
+	depsErrors []*packagesinternal.PackageError
+}
+
+// Module provides module information for a package.
+//
+// It also defines part of the JSON schema of [DriverResponse].
+// See the package documentation for an overview.
+type Module struct {
+	Path      string       // module path
+	Version   string       // module version
+	Replace   *Module      // replaced by this module
+	Time      *time.Time   // time version was created
+	Main      bool         // is this the main module?
+	Indirect  bool         // is this module only an indirect dependency of main module?
+	Dir       string       // directory holding files for this module, if any
+	GoMod     string       // path to go.mod file used when loading this module, if any
+	GoVersion string       // go version used in module
+	Error     *ModuleError // error loading module
+}
+
+// ModuleError holds errors loading a module.
+type ModuleError struct {
+	Err string // the error itself
+}
+
+func init() {
+	packagesinternal.GetDepsErrors = func(p any) []*packagesinternal.PackageError {
+		return p.(*Package).depsErrors
+	}
+	packagesinternal.TypecheckCgo = int(typecheckCgo)
+	packagesinternal.DepsErrors = int(needInternalDepsErrors)
+}
+
+// An Error describes a problem with a package's metadata, syntax, or types.
+type Error struct {
+	Pos  string // "file:line:col" or "file:line" or "" or "-"
+	Msg  string
+	Kind ErrorKind
+}
+
+// ErrorKind describes the source of the error, allowing the user to
+// differentiate between errors generated by the driver, the parser, or the
+// type-checker.
+type ErrorKind int
+
+const (
+	UnknownError ErrorKind = iota
+	ListError
+	ParseError
+	TypeError
+)
+
+func (err Error) Error() string {
+	pos := err.Pos
+	if pos == "" {
+		pos = "-" // like token.Position{}.String()
+	}
+	return pos + ": " + err.Msg
+}
+
+// flatPackage is the JSON form of Package
+// It drops all the type and syntax fields, and transforms the Imports
+//
+// TODO(adonovan): identify this struct with Package, effectively
+// publishing the JSON protocol.
+type flatPackage struct {
+	ID              string
+	Name            string            `json:",omitempty"`
+	PkgPath         string            `json:",omitempty"`
+	Errors          []Error           `json:",omitempty"`
+	GoFiles         []string          `json:",omitempty"`
+	CompiledGoFiles []string          `json:",omitempty"`
+	OtherFiles      []string          `json:",omitempty"`
+	EmbedFiles      []string          `json:",omitempty"`
+	EmbedPatterns   []string          `json:",omitempty"`
+	IgnoredFiles    []string          `json:",omitempty"`
+	ExportFile      string            `json:",omitempty"`
+	Imports         map[string]string `json:",omitempty"`
+}
+
+// MarshalJSON returns the Package in its JSON form.
+// For the most part, the structure fields are written out unmodified, and
+// the type and syntax fields are skipped.
+// The imports are written out as just a map of path to package id.
+// The errors are written using a custom type that tries to preserve the
+// structure of error types we know about.
+//
+// This method exists to enable support for additional build systems.  It is
+// not intended for use by clients of the API and we may change the format.
+func (p *Package) MarshalJSON() ([]byte, error) {
+	flat := &flatPackage{
+		ID:              p.ID,
+		Name:            p.Name,
+		PkgPath:         p.PkgPath,
+		Errors:          p.Errors,
+		GoFiles:         p.GoFiles,
+		CompiledGoFiles: p.CompiledGoFiles,
+		OtherFiles:      p.OtherFiles,
+		EmbedFiles:      p.EmbedFiles,
+		EmbedPatterns:   p.EmbedPatterns,
+		IgnoredFiles:    p.IgnoredFiles,
+		ExportFile:      p.ExportFile,
+	}
+	if len(p.Imports) > 0 {
+		flat.Imports = make(map[string]string, len(p.Imports))
+		for path, ipkg := range p.Imports {
+			flat.Imports[path] = ipkg.ID
+		}
+	}
+	return json.Marshal(flat)
+}
+
+// UnmarshalJSON reads in a Package from its JSON format.
+// See MarshalJSON for details about the format accepted.
+func (p *Package) UnmarshalJSON(b []byte) error {
+	flat := &flatPackage{}
+	if err := json.Unmarshal(b, &flat); err != nil {
+		return err
+	}
+	*p = Package{
+		ID:              flat.ID,
+		Name:            flat.Name,
+		PkgPath:         flat.PkgPath,
+		Errors:          flat.Errors,
+		GoFiles:         flat.GoFiles,
+		CompiledGoFiles: flat.CompiledGoFiles,
+		OtherFiles:      flat.OtherFiles,
+		EmbedFiles:      flat.EmbedFiles,
+		EmbedPatterns:   flat.EmbedPatterns,
+		IgnoredFiles:    flat.IgnoredFiles,
+		ExportFile:      flat.ExportFile,
+	}
+	if len(flat.Imports) > 0 {
+		p.Imports = make(map[string]*Package, len(flat.Imports))
+		for path, id := range flat.Imports {
+			p.Imports[path] = &Package{ID: id}
+		}
+	}
+	return nil
+}
+
+func (p *Package) String() string { return p.ID }
+
+// loaderPackage augments Package with state used during the loading phase
+type loaderPackage struct {
+	*Package
+	importErrors    map[string]error // maps each bad import to its error
+	preds           []*loaderPackage // packages that import this one
+	unfinishedSuccs atomic.Int32     // number of direct imports not yet loaded
+	color           uint8            // for cycle detection
+	needsrc         bool             // load from source (Mode >= LoadTypes)
+	needtypes       bool             // type information is either requested or depended on
+	initial         bool             // package was matched by a pattern
+	goVersion       int              // minor version number of go command on PATH
+}
+
+// loader holds the working state of a single call to load.
+type loader struct {
+	pkgs map[string]*loaderPackage // keyed by Package.ID
+	Config
+	sizes        types.Sizes // non-nil if needed by mode
+	parseCache   map[string]*parseValue
+	parseCacheMu sync.Mutex
+	exportMu     sync.Mutex // enforces mutual exclusion of exportdata operations
+
+	// Config.Mode contains the implied mode (see impliedLoadMode).
+	// Implied mode contains all the fields we need the data for.
+	// In requestedMode there are the actually requested fields.
+	// We'll zero them out before returning packages to the user.
+	// This makes it easier for us to get the conditions where
+	// we need certain modes right.
+	requestedMode LoadMode
+}
+
+type parseValue struct {
+	f     *ast.File
+	err   error
+	ready chan struct{}
+}
+
+func newLoader(cfg *Config) *loader {
+	ld := &loader{
+		parseCache: map[string]*parseValue{},
+	}
+	if cfg != nil {
+		ld.Config = *cfg
+		// If the user has provided a logger, use it.
+		ld.Config.Logf = cfg.Logf
+	}
+	if ld.Config.Logf == nil {
+		// If the GOPACKAGESDEBUG environment variable is set to true,
+		// but the user has not provided a logger, default to log.Printf.
+		if debug {
+			ld.Config.Logf = log.Printf
+		} else {
+			ld.Config.Logf = func(format string, args ...any) {}
+		}
+	}
+	if ld.Config.Mode == 0 {
+		ld.Config.Mode = NeedName | NeedFiles | NeedCompiledGoFiles // Preserve zero behavior of Mode for backwards compatibility.
+	}
+	if ld.Config.Env == nil {
+		ld.Config.Env = os.Environ()
+	}
+	if ld.Context == nil {
+		ld.Context = context.Background()
+	}
+	if ld.Dir == "" {
+		if dir, err := os.Getwd(); err == nil {
+			ld.Dir = dir
+		}
+	}
+
+	// Save the actually requested fields. We'll zero them out before returning packages to the user.
+	ld.requestedMode = ld.Mode
+	ld.Mode = impliedLoadMode(ld.Mode)
+
+	if ld.Mode&(NeedSyntax|NeedTypes|NeedTypesInfo) != 0 {
+		if ld.Fset == nil {
+			ld.Fset = token.NewFileSet()
+		}
+
+		// ParseFile is required even in LoadTypes mode
+		// because we load source if export data is missing.
+		if ld.ParseFile == nil {
+			ld.ParseFile = func(fset *token.FileSet, filename string, src []byte) (*ast.File, error) {
+				// We implicitly promise to keep doing ast.Object resolution. :(
+				const mode = parser.AllErrors | parser.ParseComments
+				return parser.ParseFile(fset, filename, src, mode)
+			}
+		}
+	}
+
+	return ld
+}
+
+// refine connects the supplied packages into a graph and then adds type
+// and syntax information as requested by the LoadMode.
+func (ld *loader) refine(response *DriverResponse) ([]*Package, error) {
+	roots := response.Roots
+	rootMap := make(map[string]int, len(roots))
+	for i, root := range roots {
+		rootMap[root] = i
+	}
+	ld.pkgs = make(map[string]*loaderPackage)
+	// first pass, fixup and build the map and roots
+	var initial = make([]*loaderPackage, len(roots))
+	for _, pkg := range response.Packages {
+		rootIndex := -1
+		if i, found := rootMap[pkg.ID]; found {
+			rootIndex = i
+		}
+
+		// Overlays can invalidate export data.
+		// TODO(matloob): make this check fine-grained based on dependencies on overlaid files
+		exportDataInvalid := len(ld.Overlay) > 0 || pkg.ExportFile == "" && pkg.PkgPath != "unsafe"
+		// This package needs type information if the caller requested types and the package is
+		// either a root, or it's a non-root and the user requested dependencies ...
+		needtypes := (ld.Mode&(NeedTypes|NeedTypesInfo) != 0 && (rootIndex >= 0 || ld.Mode&NeedDeps != 0))
+		// This package needs source if the call requested source (or types info, which implies source)
+		// and the package is either a root, or itas a non- root and the user requested dependencies...
+		needsrc := ((ld.Mode&(NeedSyntax|NeedTypesInfo) != 0 && (rootIndex >= 0 || ld.Mode&NeedDeps != 0)) ||
+			// ... or if we need types and the exportData is invalid. We fall back to (incompletely)
+			// typechecking packages from source if they fail to compile.
+			(ld.Mode&(NeedTypes|NeedTypesInfo) != 0 && exportDataInvalid)) && pkg.PkgPath != "unsafe"
+		lpkg := &loaderPackage{
+			Package:   pkg,
+			needtypes: needtypes,
+			needsrc:   needsrc,
+			goVersion: response.GoVersion,
+		}
+		ld.pkgs[lpkg.ID] = lpkg
+		if rootIndex >= 0 {
+			initial[rootIndex] = lpkg
+			lpkg.initial = true
+		}
+	}
+	for i, root := range roots {
+		if initial[i] == nil {
+			return nil, fmt.Errorf("root package %v is missing", root)
+		}
+	}
+
+	// Materialize the import graph if it is needed (NeedImports),
+	// or if we'll be using loadPackages (Need{Syntax|Types|TypesInfo}).
+	var leaves []*loaderPackage // packages with no unfinished successors
+	if ld.Mode&(NeedImports|NeedSyntax|NeedTypes|NeedTypesInfo) != 0 {
+		const (
+			white = 0 // new
+			grey  = 1 // in progress
+			black = 2 // complete
+		)
+
+		// visit traverses the import graph, depth-first,
+		// and materializes the graph as Packages.Imports.
+		//
+		// Valid imports are saved in the Packages.Import map.
+		// Invalid imports (cycles and missing nodes) are saved in the importErrors map.
+		// Thus, even in the presence of both kinds of errors,
+		// the Import graph remains a DAG.
+		//
+		// visit returns whether the package needs src or has a transitive
+		// dependency on a package that does. These are the only packages
+		// for which we load source code.
+		var stack []*loaderPackage
+		var visit func(from, lpkg *loaderPackage) bool
+		visit = func(from, lpkg *loaderPackage) bool {
+			if lpkg.color == grey {
+				panic("internal error: grey node")
+			}
+			if lpkg.color == white {
+				lpkg.color = grey
+				stack = append(stack, lpkg) // push
+				stubs := lpkg.Imports       // the structure form has only stubs with the ID in the Imports
+				lpkg.Imports = make(map[string]*Package, len(stubs))
+				for importPath, ipkg := range stubs {
+					var importErr error
+					imp := ld.pkgs[ipkg.ID]
+					if imp == nil {
+						// (includes package "C" when DisableCgo)
+						importErr = fmt.Errorf("missing package: %q", ipkg.ID)
+					} else if imp.color == grey {
+						importErr = fmt.Errorf("import cycle: %s", stack)
+					}
+					if importErr != nil {
+						if lpkg.importErrors == nil {
+							lpkg.importErrors = make(map[string]error)
+						}
+						lpkg.importErrors[importPath] = importErr
+						continue
+					}
+
+					if visit(lpkg, imp) {
+						lpkg.needsrc = true
+					}
+					lpkg.Imports[importPath] = imp.Package
+				}
+
+				// -- postorder --
+
+				// Complete type information is required for the
+				// immediate dependencies of each source package.
+				if lpkg.needsrc && ld.Mode&NeedTypes != 0 {
+					for _, ipkg := range lpkg.Imports {
+						ld.pkgs[ipkg.ID].needtypes = true
+					}
+				}
+
+				// NeedTypeSizes causes TypeSizes to be set even
+				// on packages for which types aren't needed.
+				if ld.Mode&NeedTypesSizes != 0 {
+					lpkg.TypesSizes = ld.sizes
+				}
+
+				// Add packages with no imports directly to the queue of leaves.
+				if len(lpkg.Imports) == 0 {
+					leaves = append(leaves, lpkg)
+				}
+
+				stack = stack[:len(stack)-1] // pop
+				lpkg.color = black
+			}
+
+			// Add edge from predecessor.
+			if from != nil {
+				from.unfinishedSuccs.Add(+1) // incref
+				lpkg.preds = append(lpkg.preds, from)
+			}
+
+			return lpkg.needsrc
+		}
+
+		// For each initial package, create its import DAG.
+		for _, lpkg := range initial {
+			visit(nil, lpkg)
+		}
+
+	} else {
+		// !NeedImports: drop the stub (ID-only) import packages
+		// that we are not even going to try to resolve.
+		for _, lpkg := range initial {
+			lpkg.Imports = nil
+		}
+	}
+
+	// Load type data and syntax if needed, starting at
+	// the initial packages (roots of the import DAG).
+	if ld.Mode&(NeedSyntax|NeedTypes|NeedTypesInfo) != 0 {
+
+		// We avoid using g.SetLimit to limit concurrency as
+		// it makes g.Go stop accepting work, which prevents
+		// workers from enqeuing, and thus finishing, and thus
+		// allowing the group to make progress: deadlock.
+		//
+		// Instead we use the ioLimit and cpuLimit semaphores.
+		g, _ := errgroup.WithContext(ld.Context)
+
+		// enqueues adds a package to the type-checking queue.
+		// It must have no unfinished successors.
+		var enqueue func(*loaderPackage)
+		enqueue = func(lpkg *loaderPackage) {
+			g.Go(func() error {
+				// Parse and type-check.
+				ld.loadPackage(lpkg)
+
+				// Notify each waiting predecessor,
+				// and enqueue it when it becomes a leaf.
+				for _, pred := range lpkg.preds {
+					if pred.unfinishedSuccs.Add(-1) == 0 { // decref
+						enqueue(pred)
+					}
+				}
+
+				return nil
+			})
+		}
+
+		// Load leaves first, adding new packages
+		// to the queue as they become leaves.
+		for _, leaf := range leaves {
+			enqueue(leaf)
+		}
+
+		if err := g.Wait(); err != nil {
+			return nil, err // cancelled
+		}
+	}
+
+	// If the context is done, return its error and
+	// throw out [likely] incomplete packages.
+	if err := ld.Context.Err(); err != nil {
+		return nil, err
+	}
+
+	result := make([]*Package, len(initial))
+	for i, lpkg := range initial {
+		result[i] = lpkg.Package
+	}
+	for i := range ld.pkgs {
+		// Clear all unrequested fields,
+		// to catch programs that use more than they request.
+		if ld.requestedMode&NeedName == 0 {
+			ld.pkgs[i].Name = ""
+			ld.pkgs[i].PkgPath = ""
+		}
+		if ld.requestedMode&NeedFiles == 0 {
+			ld.pkgs[i].GoFiles = nil
+			ld.pkgs[i].OtherFiles = nil
+			ld.pkgs[i].IgnoredFiles = nil
+		}
+		if ld.requestedMode&NeedEmbedFiles == 0 {
+			ld.pkgs[i].EmbedFiles = nil
+		}
+		if ld.requestedMode&NeedEmbedPatterns == 0 {
+			ld.pkgs[i].EmbedPatterns = nil
+		}
+		if ld.requestedMode&NeedCompiledGoFiles == 0 {
+			ld.pkgs[i].CompiledGoFiles = nil
+		}
+		if ld.requestedMode&NeedImports == 0 {
+			ld.pkgs[i].Imports = nil
+		}
+		if ld.requestedMode&NeedExportFile == 0 {
+			ld.pkgs[i].ExportFile = ""
+		}
+		if ld.requestedMode&NeedTypes == 0 {
+			ld.pkgs[i].Types = nil
+			ld.pkgs[i].IllTyped = false
+		}
+		if ld.requestedMode&NeedSyntax == 0 {
+			ld.pkgs[i].Syntax = nil
+		}
+		if ld.requestedMode&(NeedSyntax|NeedTypes|NeedTypesInfo) == 0 {
+			ld.pkgs[i].Fset = nil
+		}
+		if ld.requestedMode&NeedTypesInfo == 0 {
+			ld.pkgs[i].TypesInfo = nil
+		}
+		if ld.requestedMode&NeedTypesSizes == 0 {
+			ld.pkgs[i].TypesSizes = nil
+		}
+		if ld.requestedMode&NeedModule == 0 {
+			ld.pkgs[i].Module = nil
+		}
+	}
+
+	return result, nil
+}
+
+// loadPackage loads/parses/typechecks the specified package.
+// It must be called only once per Package,
+// after immediate dependencies are loaded.
+// Precondition: ld.Mode&(NeedSyntax|NeedTypes|NeedTypesInfo) != 0.
+func (ld *loader) loadPackage(lpkg *loaderPackage) {
+	if lpkg.PkgPath == "unsafe" {
+		// To avoid surprises, fill in the blanks consistent
+		// with other packages. (For example, some analyzers
+		// assert that each needed types.Info map is non-nil
+		// even when there is no syntax that would cause them
+		// to consult the map.)
+		lpkg.Types = types.Unsafe
+		lpkg.Fset = ld.Fset
+		lpkg.Syntax = []*ast.File{}
+		lpkg.TypesInfo = ld.newTypesInfo()
+		lpkg.TypesSizes = ld.sizes
+		return
+	}
+
+	// Call NewPackage directly with explicit name.
+	// This avoids skew between golist and go/types when the files'
+	// package declarations are inconsistent.
+	lpkg.Types = types.NewPackage(lpkg.PkgPath, lpkg.Name)
+	lpkg.Fset = ld.Fset
+
+	// Start shutting down if the context is done and do not load
+	// source or export data files.
+	// Packages that import this one will have ld.Context.Err() != nil.
+	// ld.Context.Err() will be returned later by refine.
+	if ld.Context.Err() != nil {
+		return
+	}
+
+	// Subtle: we populate all Types fields with an empty Package
+	// before loading export data so that export data processing
+	// never has to create a types.Package for an indirect dependency,
+	// which would then require that such created packages be explicitly
+	// inserted back into the Import graph as a final step after export data loading.
+	// (Hence this return is after the Types assignment.)
+	// The Diamond test exercises this case.
+	if !lpkg.needtypes && !lpkg.needsrc {
+		return
+	}
+
+	// TODO(adonovan): this condition looks wrong:
+	// I think it should be lpkg.needtypes && !lpg.needsrc,
+	// so that NeedSyntax without NeedTypes can be satisfied by export data.
+	if !lpkg.needsrc {
+		if err := ld.loadFromExportData(lpkg); err != nil {
+			lpkg.Errors = append(lpkg.Errors, Error{
+				Pos:  "-",
+				Msg:  err.Error(),
+				Kind: UnknownError, // e.g. can't find/open/parse export data
+			})
+		}
+		return // not a source package, don't get syntax trees
+	}
+
+	appendError := func(err error) {
+		// Convert various error types into the one true Error.
+		var errs []Error
+		switch err := err.(type) {
+		case Error:
+			// from driver
+			errs = append(errs, err)
+
+		case *os.PathError:
+			// from parser
+			errs = append(errs, Error{
+				Pos:  err.Path + ":1",
+				Msg:  err.Err.Error(),
+				Kind: ParseError,
+			})
+
+		case scanner.ErrorList:
+			// from parser
+			for _, err := range err {
+				errs = append(errs, Error{
+					Pos:  err.Pos.String(),
+					Msg:  err.Msg,
+					Kind: ParseError,
+				})
+			}
+
+		case types.Error:
+			// from type checker
+			lpkg.TypeErrors = append(lpkg.TypeErrors, err)
+			errs = append(errs, Error{
+				Pos:  err.Fset.Position(err.Pos).String(),
+				Msg:  err.Msg,
+				Kind: TypeError,
+			})
+
+		default:
+			// unexpected impoverished error from parser?
+			errs = append(errs, Error{
+				Pos:  "-",
+				Msg:  err.Error(),
+				Kind: UnknownError,
+			})
+
+			// If you see this error message, please file a bug.
+			log.Printf("internal error: error %q (%T) without position", err, err)
+		}
+
+		lpkg.Errors = append(lpkg.Errors, errs...)
+	}
+
+	// If the go command on the PATH is newer than the runtime,
+	// then the go/{scanner,ast,parser,types} packages from the
+	// standard library may be unable to process the files
+	// selected by go list.
+	//
+	// There is currently no way to downgrade the effective
+	// version of the go command (see issue 52078), so we proceed
+	// with the newer go command but, in case of parse or type
+	// errors, we emit an additional diagnostic.
+	//
+	// See:
+	// - golang.org/issue/52078 (flag to set release tags)
+	// - golang.org/issue/50825 (gopls legacy version support)
+	// - golang.org/issue/55883 (go/packages confusing error)
+	//
+	// Should we assert a hard minimum of (currently) go1.16 here?
+	var runtimeVersion int
+	if _, err := fmt.Sscanf(runtime.Version(), "go1.%d", &runtimeVersion); err == nil && runtimeVersion < lpkg.goVersion {
+		defer func() {
+			if len(lpkg.Errors) > 0 {
+				appendError(Error{
+					Pos:  "-",
+					Msg:  fmt.Sprintf("This application uses version go1.%d of the source-processing packages but runs version go1.%d of 'go list'. It may fail to process source files that rely on newer language features. If so, rebuild the application using a newer version of Go.", runtimeVersion, lpkg.goVersion),
+					Kind: UnknownError,
+				})
+			}
+		}()
+	}
+
+	if ld.Config.Mode&NeedTypes != 0 && len(lpkg.CompiledGoFiles) == 0 && lpkg.ExportFile != "" {
+		// The config requested loading sources and types, but sources are missing.
+		// Add an error to the package and fall back to loading from export data.
+		appendError(Error{"-", fmt.Sprintf("sources missing for package %s", lpkg.ID), ParseError})
+		_ = ld.loadFromExportData(lpkg) // ignore any secondary errors
+
+		return // can't get syntax trees for this package
+	}
+
+	files, errs := ld.parseFiles(lpkg.CompiledGoFiles)
+	for _, err := range errs {
+		appendError(err)
+	}
+
+	lpkg.Syntax = files
+	if ld.Config.Mode&(NeedTypes|NeedTypesInfo) == 0 {
+		return
+	}
+
+	// Start shutting down if the context is done and do not type check.
+	// Packages that import this one will have ld.Context.Err() != nil.
+	// ld.Context.Err() will be returned later by refine.
+	if ld.Context.Err() != nil {
+		return
+	}
+
+	lpkg.TypesInfo = ld.newTypesInfo()
+	lpkg.TypesSizes = ld.sizes
+
+	importer := importerFunc(func(path string) (*types.Package, error) {
+		if path == "unsafe" {
+			return types.Unsafe, nil
+		}
+
+		// The imports map is keyed by import path.
+		ipkg := lpkg.Imports[path]
+		if ipkg == nil {
+			if err := lpkg.importErrors[path]; err != nil {
+				return nil, err
+			}
+			// There was skew between the metadata and the
+			// import declarations, likely due to an edit
+			// race, or because the ParseFile feature was
+			// used to supply alternative file contents.
+			return nil, fmt.Errorf("no metadata for %s", path)
+		}
+
+		if ipkg.Types != nil && ipkg.Types.Complete() {
+			return ipkg.Types, nil
+		}
+		log.Fatalf("internal error: package %q without types was imported from %q", path, lpkg)
+		panic("unreachable")
+	})
+
+	// type-check
+	tc := &types.Config{
+		Importer: importer,
+
+		// Type-check bodies of functions only in initial packages.
+		// Example: for import graph A->B->C and initial packages {A,C},
+		// we can ignore function bodies in B.
+		IgnoreFuncBodies: ld.Mode&NeedDeps == 0 && !lpkg.initial,
+
+		Error: appendError,
+		Sizes: ld.sizes, // may be nil
+	}
+	if lpkg.Module != nil && lpkg.Module.GoVersion != "" {
+		tc.GoVersion = "go" + lpkg.Module.GoVersion
+	}
+	if (ld.Mode & typecheckCgo) != 0 {
+		if !typesinternal.SetUsesCgo(tc) {
+			appendError(Error{
+				Msg:  "typecheckCgo requires Go 1.15+",
+				Kind: ListError,
+			})
+			return
+		}
+	}
+
+	// Type-checking is CPU intensive.
+	cpuLimit <- unit{}            // acquire a token
+	defer func() { <-cpuLimit }() // release a token
+
+	typErr := types.NewChecker(tc, ld.Fset, lpkg.Types, lpkg.TypesInfo).Files(lpkg.Syntax)
+	lpkg.importErrors = nil // no longer needed
+
+	// In go/types go1.21 and go1.22, Checker.Files failed fast with a
+	// a "too new" error, without calling tc.Error and without
+	// proceeding to type-check the package (#66525).
+	// We rely on the runtimeVersion error to give the suggested remedy.
+	if typErr != nil && len(lpkg.Errors) == 0 && len(lpkg.Syntax) > 0 {
+		if msg := typErr.Error(); strings.HasPrefix(msg, "package requires newer Go version") {
+			appendError(types.Error{
+				Fset: ld.Fset,
+				Pos:  lpkg.Syntax[0].Package,
+				Msg:  msg,
+			})
+		}
+	}
+
+	// If !Cgo, the type-checker uses FakeImportC mode, so
+	// it doesn't invoke the importer for import "C",
+	// nor report an error for the import,
+	// or for any undefined C.f reference.
+	// We must detect this explicitly and correctly
+	// mark the package as IllTyped (by reporting an error).
+	// TODO(adonovan): if these errors are annoying,
+	// we could just set IllTyped quietly.
+	if tc.FakeImportC {
+	outer:
+		for _, f := range lpkg.Syntax {
+			for _, imp := range f.Imports {
+				if imp.Path.Value == `"C"` {
+					err := types.Error{Fset: ld.Fset, Pos: imp.Pos(), Msg: `import "C" ignored`}
+					appendError(err)
+					break outer
+				}
+			}
+		}
+	}
+
+	// If types.Checker.Files had an error that was unreported,
+	// make sure to report the unknown error so the package is illTyped.
+	if typErr != nil && len(lpkg.Errors) == 0 {
+		appendError(typErr)
+	}
+
+	// Record accumulated errors.
+	illTyped := len(lpkg.Errors) > 0
+	if !illTyped {
+		for _, imp := range lpkg.Imports {
+			if imp.IllTyped {
+				illTyped = true
+				break
+			}
+		}
+	}
+	lpkg.IllTyped = illTyped
+}
+
+func (ld *loader) newTypesInfo() *types.Info {
+	// Populate TypesInfo only if needed, as it
+	// causes the type checker to work much harder.
+	if ld.Config.Mode&NeedTypesInfo == 0 {
+		return nil
+	}
+	return &types.Info{
+		Types:        make(map[ast.Expr]types.TypeAndValue),
+		Defs:         make(map[*ast.Ident]types.Object),
+		Uses:         make(map[*ast.Ident]types.Object),
+		Implicits:    make(map[ast.Node]types.Object),
+		Instances:    make(map[*ast.Ident]types.Instance),
+		Scopes:       make(map[ast.Node]*types.Scope),
+		Selections:   make(map[*ast.SelectorExpr]*types.Selection),
+		FileVersions: make(map[*ast.File]string),
+	}
+}
+
+// An importFunc is an implementation of the single-method
+// types.Importer interface based on a function value.
+type importerFunc func(path string) (*types.Package, error)
+
+func (f importerFunc) Import(path string) (*types.Package, error) { return f(path) }
+
+// We use a counting semaphore to limit
+// the number of parallel I/O calls or CPU threads per process.
+var (
+	ioLimit  = make(chan unit, 20)
+	cpuLimit = make(chan unit, runtime.GOMAXPROCS(0))
+)
+
+func (ld *loader) parseFile(filename string) (*ast.File, error) {
+	ld.parseCacheMu.Lock()
+	v, ok := ld.parseCache[filename]
+	if ok {
+		// cache hit
+		ld.parseCacheMu.Unlock()
+		<-v.ready
+	} else {
+		// cache miss
+		v = &parseValue{ready: make(chan struct{})}
+		ld.parseCache[filename] = v
+		ld.parseCacheMu.Unlock()
+
+		var src []byte
+		for f, contents := range ld.Config.Overlay {
+			// TODO(adonovan): Inefficient for large overlays.
+			// Do an exact name-based map lookup
+			// (for nonexistent files) followed by a
+			// FileID-based map lookup (for existing ones).
+			if sameFile(f, filename) {
+				src = contents
+				break
+			}
+		}
+		var err error
+		if src == nil {
+			ioLimit <- unit{} // acquire a token
+			src, err = os.ReadFile(filename)
+			<-ioLimit // release a token
+		}
+		if err != nil {
+			v.err = err
+		} else {
+			// Parsing is CPU intensive.
+			cpuLimit <- unit{} // acquire a token
+			v.f, v.err = ld.ParseFile(ld.Fset, filename, src)
+			<-cpuLimit // release a token
+		}
+
+		close(v.ready)
+	}
+	return v.f, v.err
+}
+
+// parseFiles reads and parses the Go source files and returns the ASTs
+// of the ones that could be at least partially parsed, along with a
+// list of I/O and parse errors encountered.
+//
+// Because files are scanned in parallel, the token.Pos
+// positions of the resulting ast.Files are not ordered.
+func (ld *loader) parseFiles(filenames []string) ([]*ast.File, []error) {
+	var (
+		n      = len(filenames)
+		parsed = make([]*ast.File, n)
+		errors = make([]error, n)
+	)
+	var g errgroup.Group
+	for i, filename := range filenames {
+		// This creates goroutines unnecessarily in the
+		// cache-hit case, but that case is uncommon.
+		g.Go(func() error {
+			parsed[i], errors[i] = ld.parseFile(filename)
+			return nil
+		})
+	}
+	g.Wait()
+
+	// Eliminate nils, preserving order.
+	var o int
+	for _, f := range parsed {
+		if f != nil {
+			parsed[o] = f
+			o++
+		}
+	}
+	parsed = parsed[:o]
+
+	o = 0
+	for _, err := range errors {
+		if err != nil {
+			errors[o] = err
+			o++
+		}
+	}
+	errors = errors[:o]
+
+	return parsed, errors
+}
+
+// sameFile returns true if x and y have the same basename and denote
+// the same file.
+func sameFile(x, y string) bool {
+	if x == y {
+		// It could be the case that y doesn't exist.
+		// For instance, it may be an overlay file that
+		// hasn't been written to disk. To handle that case
+		// let x == y through. (We added the exact absolute path
+		// string to the CompiledGoFiles list, so the unwritten
+		// overlay case implies x==y.)
+		return true
+	}
+	if strings.EqualFold(filepath.Base(x), filepath.Base(y)) { // (optimisation)
+		if xi, err := os.Stat(x); err == nil {
+			if yi, err := os.Stat(y); err == nil {
+				return os.SameFile(xi, yi)
+			}
+		}
+	}
+	return false
+}
+
+// loadFromExportData ensures that type information is present for the specified
+// package, loading it from an export data file on the first request.
+// On success it sets lpkg.Types to a new Package.
+func (ld *loader) loadFromExportData(lpkg *loaderPackage) error {
+	if lpkg.PkgPath == "" {
+		log.Fatalf("internal error: Package %s has no PkgPath", lpkg)
+	}
+
+	// Because gcexportdata.Read has the potential to create or
+	// modify the types.Package for each node in the transitive
+	// closure of dependencies of lpkg, all exportdata operations
+	// must be sequential. (Finer-grained locking would require
+	// changes to the gcexportdata API.)
+	//
+	// The exportMu lock guards the lpkg.Types field and the
+	// types.Package it points to, for each loaderPackage in the graph.
+	//
+	// Not all accesses to Package.Pkg need to be protected by exportMu:
+	// graph ordering ensures that direct dependencies of source
+	// packages are fully loaded before the importer reads their Pkg field.
+	ld.exportMu.Lock()
+	defer ld.exportMu.Unlock()
+
+	if tpkg := lpkg.Types; tpkg != nil && tpkg.Complete() {
+		return nil // cache hit
+	}
+
+	lpkg.IllTyped = true // fail safe
+
+	if lpkg.ExportFile == "" {
+		// Errors while building export data will have been printed to stderr.
+		return fmt.Errorf("no export data file")
+	}
+	f, err := os.Open(lpkg.ExportFile)
+	if err != nil {
+		return err
+	}
+	defer f.Close()
+
+	// Read gc export data.
+	//
+	// We don't currently support gccgo export data because all
+	// underlying workspaces use the gc toolchain. (Even build
+	// systems that support gccgo don't use it for workspace
+	// queries.)
+	r, err := gcexportdata.NewReader(f)
+	if err != nil {
+		return fmt.Errorf("reading %s: %v", lpkg.ExportFile, err)
+	}
+
+	// Build the view.
+	//
+	// The gcexportdata machinery has no concept of package ID.
+	// It identifies packages by their PkgPath, which although not
+	// globally unique is unique within the scope of one invocation
+	// of the linker, type-checker, or gcexportdata.
+	//
+	// So, we must build a PkgPath-keyed view of the global
+	// (conceptually ID-keyed) cache of packages and pass it to
+	// gcexportdata. The view must contain every existing
+	// package that might possibly be mentioned by the
+	// current package---its transitive closure.
+	//
+	// In loadPackage, we unconditionally create a types.Package for
+	// each dependency so that export data loading does not
+	// create new ones.
+	//
+	// TODO(adonovan): it would be simpler and more efficient
+	// if the export data machinery invoked a callback to
+	// get-or-create a package instead of a map.
+	//
+	view := make(map[string]*types.Package) // view seen by gcexportdata
+	seen := make(map[*loaderPackage]bool)   // all visited packages
+	var visit func(pkgs map[string]*Package)
+	visit = func(pkgs map[string]*Package) {
+		for _, p := range pkgs {
+			lpkg := ld.pkgs[p.ID]
+			if !seen[lpkg] {
+				seen[lpkg] = true
+				view[lpkg.PkgPath] = lpkg.Types
+				visit(lpkg.Imports)
+			}
+		}
+	}
+	visit(lpkg.Imports)
+
+	viewLen := len(view) + 1 // adding the self package
+	// Parse the export data.
+	// (May modify incomplete packages in view but not create new ones.)
+	tpkg, err := gcexportdata.Read(r, ld.Fset, view, lpkg.PkgPath)
+	if err != nil {
+		return fmt.Errorf("reading %s: %v", lpkg.ExportFile, err)
+	}
+	if _, ok := view["go.shape"]; ok {
+		// Account for the pseudopackage "go.shape" that gets
+		// created by generic code.
+		viewLen++
+	}
+	if viewLen != len(view) {
+		log.Panicf("golang.org/x/tools/go/packages: unexpected new packages during load of %s", lpkg.PkgPath)
+	}
+
+	lpkg.Types = tpkg
+	lpkg.IllTyped = false
+	return nil
+}
+
+// impliedLoadMode returns loadMode with its dependencies.
+func impliedLoadMode(loadMode LoadMode) LoadMode {
+	if loadMode&(NeedDeps|NeedTypes|NeedTypesInfo) != 0 {
+		// All these things require knowing the import graph.
+		loadMode |= NeedImports
+	}
+	if loadMode&NeedTypes != 0 {
+		// Types require the GoVersion from Module.
+		loadMode |= NeedModule
+	}
+
+	return loadMode
+}
+
+func usesExportData(cfg *Config) bool {
+	return cfg.Mode&NeedExportFile != 0 || cfg.Mode&NeedTypes != 0 && cfg.Mode&NeedDeps == 0
+}
+
+type unit struct{}
diff --git a/vendor/golang.org/x/tools/go/packages/visit.go b/vendor/golang.org/x/tools/go/packages/visit.go
new file mode 100644
index 0000000000..c546b1b63e
--- /dev/null
+++ b/vendor/golang.org/x/tools/go/packages/visit.go
@@ -0,0 +1,133 @@
+// Copyright 2018 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package packages
+
+import (
+	"cmp"
+	"fmt"
+	"iter"
+	"os"
+	"slices"
+)
+
+// Visit visits all the packages in the import graph whose roots are
+// pkgs, calling the optional pre function the first time each package
+// is encountered (preorder), and the optional post function after a
+// package's dependencies have been visited (postorder).
+// The boolean result of pre(pkg) determines whether
+// the imports of package pkg are visited.
+//
+// Example:
+//
+//	pkgs, err := Load(...)
+//	if err != nil { ... }
+//	Visit(pkgs, nil, func(pkg *Package) {
+//		log.Println(pkg)
+//	})
+//
+// In most cases, it is more convenient to use [Postorder]:
+//
+//	for pkg := range Postorder(pkgs) {
+//		log.Println(pkg)
+//	}
+func Visit(pkgs []*Package, pre func(*Package) bool, post func(*Package)) {
+	seen := make(map[*Package]bool)
+	var visit func(*Package)
+	visit = func(pkg *Package) {
+		if !seen[pkg] {
+			seen[pkg] = true
+
+			if pre == nil || pre(pkg) {
+				for _, imp := range sorted(pkg.Imports) { // for determinism
+					visit(imp)
+				}
+			}
+
+			if post != nil {
+				post(pkg)
+			}
+		}
+	}
+	for _, pkg := range pkgs {
+		visit(pkg)
+	}
+}
+
+// PrintErrors prints to os.Stderr the accumulated errors of all
+// packages in the import graph rooted at pkgs, dependencies first.
+// PrintErrors returns the number of errors printed.
+func PrintErrors(pkgs []*Package) int {
+	var n int
+	errModules := make(map[*Module]bool)
+	for pkg := range Postorder(pkgs) {
+		for _, err := range pkg.Errors {
+			fmt.Fprintln(os.Stderr, err)
+			n++
+		}
+
+		// Print pkg.Module.Error once if present.
+		mod := pkg.Module
+		if mod != nil && mod.Error != nil && !errModules[mod] {
+			errModules[mod] = true
+			fmt.Fprintln(os.Stderr, mod.Error.Err)
+			n++
+		}
+	}
+	return n
+}
+
+// Postorder returns an iterator over the packages in
+// the import graph whose roots are pkg.
+// Packages are enumerated in dependencies-first order.
+func Postorder(pkgs []*Package) iter.Seq[*Package] {
+	return func(yield func(*Package) bool) {
+		seen := make(map[*Package]bool)
+		var visit func(*Package) bool
+		visit = func(pkg *Package) bool {
+			if !seen[pkg] {
+				seen[pkg] = true
+				for _, imp := range sorted(pkg.Imports) { // for determinism
+					if !visit(imp) {
+						return false
+					}
+				}
+				if !yield(pkg) {
+					return false
+				}
+			}
+			return true
+		}
+		for _, pkg := range pkgs {
+			if !visit(pkg) {
+				break
+			}
+		}
+	}
+}
+
+// -- copied from golang.org.x/tools/gopls/internal/util/moremaps --
+
+// sorted returns an iterator over the entries of m in key order.
+func sorted[M ~map[K]V, K cmp.Ordered, V any](m M) iter.Seq2[K, V] {
+	// TODO(adonovan): use maps.Sorted if proposal #68598 is accepted.
+	return func(yield func(K, V) bool) {
+		keys := keySlice(m)
+		slices.Sort(keys)
+		for _, k := range keys {
+			if !yield(k, m[k]) {
+				break
+			}
+		}
+	}
+}
+
+// KeySlice returns the keys of the map M, like slices.Collect(maps.Keys(m)).
+func keySlice[M ~map[K]V, K comparable, V any](m M) []K {
+	r := make([]K, 0, len(m))
+	for k := range m {
+		r = append(r, k)
+	}
+	return r
+}
diff --git a/vendor/golang.org/x/tools/go/types/objectpath/objectpath.go b/vendor/golang.org/x/tools/go/types/objectpath/objectpath.go
new file mode 100644
index 0000000000..6646bf5508
--- /dev/null
+++ b/vendor/golang.org/x/tools/go/types/objectpath/objectpath.go
@@ -0,0 +1,820 @@
+// Copyright 2018 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package objectpath defines a naming scheme for types.Objects
+// (that is, named entities in Go programs) relative to their enclosing
+// package.
+//
+// Type-checker objects are canonical, so they are usually identified by
+// their address in memory (a pointer), but a pointer has meaning only
+// within one address space. By contrast, objectpath names allow the
+// identity of an object to be sent from one program to another,
+// establishing a correspondence between types.Object variables that are
+// distinct but logically equivalent.
+//
+// A single object may have multiple paths. In this example,
+//
+//	type A struct{ X int }
+//	type B A
+//
+// the field X has two paths due to its membership of both A and B.
+// The For(obj) function always returns one of these paths, arbitrarily
+// but consistently.
+package objectpath
+
+import (
+	"fmt"
+	"go/types"
+	"strconv"
+	"strings"
+
+	"golang.org/x/tools/internal/aliases"
+	"golang.org/x/tools/internal/typesinternal"
+)
+
+// TODO(adonovan): think about generic aliases.
+
+// A Path is an opaque name that identifies a types.Object
+// relative to its package. Conceptually, the name consists of a
+// sequence of destructuring operations applied to the package scope
+// to obtain the original object.
+// The name does not include the package itself.
+type Path string
+
+// Encoding
+//
+// An object path is a textual and (with training) human-readable encoding
+// of a sequence of destructuring operators, starting from a types.Package.
+// The sequences represent a path through the package/object/type graph.
+// We classify these operators by their type:
+//
+//	PO package->object	Package.Scope.Lookup
+//	OT  object->type 	Object.Type
+//	TT    type->type 	Type.{Elem,Key,{,{,Recv}Type}Params,Results,Underlying,Rhs} [EKPRUTrCa]
+//	TO   type->object	Type.{At,Field,Method,Obj} [AFMO]
+//
+// All valid paths start with a package and end at an object
+// and thus may be defined by the regular language:
+//
+//	objectpath = PO (OT TT* TO)*
+//
+// The concrete encoding follows directly:
+//   - The only PO operator is Package.Scope.Lookup, which requires an identifier.
+//   - The only OT operator is Object.Type,
+//     which we encode as '.' because dot cannot appear in an identifier.
+//   - The TT operators are encoded as [EKPRUTrCa];
+//     two of these ({,Recv}TypeParams) require an integer operand,
+//     which is encoded as a string of decimal digits.
+//   - The TO operators are encoded as [AFMO];
+//     three of these (At,Field,Method) require an integer operand,
+//     which is encoded as a string of decimal digits.
+//     These indices are stable across different representations
+//     of the same package, even source and export data.
+//     The indices used are implementation specific and may not correspond to
+//     the argument to the go/types function.
+//
+// In the example below,
+//
+//	package p
+//
+//	type T interface {
+//		f() (a string, b struct{ X int })
+//	}
+//
+// field X has the path "T.UM0.RA1.F0",
+// representing the following sequence of operations:
+//
+//	p.Lookup("T")					T
+//	.Type().Underlying().Method(0).			f
+//	.Type().Results().At(1)				b
+//	.Type().Field(0)					X
+//
+// The encoding is not maximally compact---every R or P is
+// followed by an A, for example---but this simplifies the
+// encoder and decoder.
+const (
+	// object->type operators
+	opType = '.' // .Type()		  (Object)
+
+	// type->type operators
+	opElem          = 'E' // .Elem()		(Pointer, Slice, Array, Chan, Map)
+	opKey           = 'K' // .Key()			(Map)
+	opParams        = 'P' // .Params()		(Signature)
+	opResults       = 'R' // .Results()		(Signature)
+	opUnderlying    = 'U' // .Underlying()		(Named)
+	opTypeParam     = 'T' // .TypeParams.At(i)	(Named, Signature)
+	opRecvTypeParam = 'r' // .RecvTypeParams.At(i)	(Signature)
+	opConstraint    = 'C' // .Constraint()		(TypeParam)
+	opRhs           = 'a' // .Rhs()			(Alias)
+
+	// type->object operators
+	opAt     = 'A' // .At(i)	(Tuple)
+	opField  = 'F' // .Field(i)	(Struct)
+	opMethod = 'M' // .Method(i)	(Named or Interface; not Struct: "promoted" names are ignored)
+	opObj    = 'O' // .Obj()	(Named, TypeParam)
+)
+
+// For is equivalent to new(Encoder).For(obj).
+//
+// It may be more efficient to reuse a single Encoder across several calls.
+func For(obj types.Object) (Path, error) {
+	return new(Encoder).For(obj)
+}
+
+// An Encoder amortizes the cost of encoding the paths of multiple objects.
+// The zero value of an Encoder is ready to use.
+type Encoder struct {
+	scopeMemo map[*types.Scope][]types.Object // memoization of scopeObjects
+}
+
+// For returns the path to an object relative to its package,
+// or an error if the object is not accessible from the package's Scope.
+//
+// The For function guarantees to return a path only for the following objects:
+// - package-level types
+// - exported package-level non-types
+// - methods
+// - parameter and result variables
+// - struct fields
+// These objects are sufficient to define the API of their package.
+// The objects described by a package's export data are drawn from this set.
+//
+// The set of objects accessible from a package's Scope depends on
+// whether the package was produced by type-checking syntax, or
+// reading export data; the latter may have a smaller Scope since
+// export data trims objects that are not reachable from an exported
+// declaration. For example, the For function will return a path for
+// an exported method of an unexported type that is not reachable
+// from any public declaration; this path will cause the Object
+// function to fail if called on a package loaded from export data.
+// TODO(adonovan): is this a bug or feature? Should this package
+// compute accessibility in the same way?
+//
+// For does not return a path for predeclared names, imported package
+// names, local names, and unexported package-level names (except
+// types).
+//
+// Example: given this definition,
+//
+//	package p
+//
+//	type T interface {
+//		f() (a string, b struct{ X int })
+//	}
+//
+// For(X) would return a path that denotes the following sequence of operations:
+//
+//	p.Scope().Lookup("T")				(TypeName T)
+//	.Type().Underlying().Method(0).			(method Func f)
+//	.Type().Results().At(1)				(field Var b)
+//	.Type().Field(0)					(field Var X)
+//
+// where p is the package (*types.Package) to which X belongs.
+func (enc *Encoder) For(obj types.Object) (Path, error) {
+	pkg := obj.Pkg()
+
+	// This table lists the cases of interest.
+	//
+	// Object				Action
+	// ------                               ------
+	// nil					reject
+	// builtin				reject
+	// pkgname				reject
+	// label				reject
+	// var
+	//    package-level			accept
+	//    func param/result			accept
+	//    local				reject
+	//    struct field			accept
+	// const
+	//    package-level			accept
+	//    local				reject
+	// func
+	//    package-level			accept
+	//    init functions			reject
+	//    concrete method			accept
+	//    interface method			accept
+	// type
+	//    package-level			accept
+	//    local				reject
+	//
+	// The only accessible package-level objects are members of pkg itself.
+	//
+	// The cases are handled in four steps:
+	//
+	// 1. reject nil and builtin
+	// 2. accept package-level objects
+	// 3. reject obviously invalid objects
+	// 4. search the API for the path to the param/result/field/method.
+
+	// 1. reference to nil or builtin?
+	if pkg == nil {
+		return "", fmt.Errorf("predeclared %s has no path", obj)
+	}
+	scope := pkg.Scope()
+
+	// 2. package-level object?
+	if scope.Lookup(obj.Name()) == obj {
+		// Only exported objects (and non-exported types) have a path.
+		// Non-exported types may be referenced by other objects.
+		if _, ok := obj.(*types.TypeName); !ok && !obj.Exported() {
+			return "", fmt.Errorf("no path for non-exported %v", obj)
+		}
+		return Path(obj.Name()), nil
+	}
+
+	// 3. Not a package-level object.
+	//    Reject obviously non-viable cases.
+	switch obj := obj.(type) {
+	case *types.TypeName:
+		if _, ok := types.Unalias(obj.Type()).(*types.TypeParam); !ok {
+			// With the exception of type parameters, only package-level type names
+			// have a path.
+			return "", fmt.Errorf("no path for %v", obj)
+		}
+	case *types.Const, // Only package-level constants have a path.
+		*types.Label,   // Labels are function-local.
+		*types.PkgName: // PkgNames are file-local.
+		return "", fmt.Errorf("no path for %v", obj)
+
+	case *types.Var:
+		// Could be:
+		// - a field (obj.IsField())
+		// - a func parameter or result
+		// - a local var.
+		// Sadly there is no way to distinguish
+		// a param/result from a local
+		// so we must proceed to the find.
+
+	case *types.Func:
+		// A func, if not package-level, must be a method.
+		if recv := obj.Signature().Recv(); recv == nil {
+			return "", fmt.Errorf("func is not a method: %v", obj)
+		}
+
+		if path, ok := enc.concreteMethod(obj); ok {
+			// Fast path for concrete methods that avoids looping over scope.
+			return path, nil
+		}
+
+	default:
+		panic(obj)
+	}
+
+	// 4. Search the API for the path to the var (field/param/result) or method.
+
+	// First inspect package-level named types.
+	// In the presence of path aliases, these give
+	// the best paths because non-types may
+	// refer to types, but not the reverse.
+	empty := make([]byte, 0, 48) // initial space
+	objs := enc.scopeObjects(scope)
+	for _, o := range objs {
+		tname, ok := o.(*types.TypeName)
+		if !ok {
+			continue // handle non-types in second pass
+		}
+
+		path := append(empty, o.Name()...)
+		path = append(path, opType)
+
+		T := o.Type()
+		if alias, ok := T.(*types.Alias); ok {
+			if r := findTypeParam(obj, aliases.TypeParams(alias), path, opTypeParam); r != nil {
+				return Path(r), nil
+			}
+			if r := find(obj, aliases.Rhs(alias), append(path, opRhs)); r != nil {
+				return Path(r), nil
+			}
+
+		} else if tname.IsAlias() {
+			// legacy alias
+			if r := find(obj, T, path); r != nil {
+				return Path(r), nil
+			}
+
+		} else if named, ok := T.(*types.Named); ok {
+			// defined (named) type
+			if r := findTypeParam(obj, named.TypeParams(), path, opTypeParam); r != nil {
+				return Path(r), nil
+			}
+			if r := find(obj, named.Underlying(), append(path, opUnderlying)); r != nil {
+				return Path(r), nil
+			}
+		}
+	}
+
+	// Then inspect everything else:
+	// non-types, and declared methods of defined types.
+	for _, o := range objs {
+		path := append(empty, o.Name()...)
+		if _, ok := o.(*types.TypeName); !ok {
+			if o.Exported() {
+				// exported non-type (const, var, func)
+				if r := find(obj, o.Type(), append(path, opType)); r != nil {
+					return Path(r), nil
+				}
+			}
+			continue
+		}
+
+		// Inspect declared methods of defined types.
+		if T, ok := types.Unalias(o.Type()).(*types.Named); ok {
+			path = append(path, opType)
+			// The method index here is always with respect
+			// to the underlying go/types data structures,
+			// which ultimately derives from source order
+			// and must be preserved by export data.
+			for i := 0; i < T.NumMethods(); i++ {
+				m := T.Method(i)
+				path2 := appendOpArg(path, opMethod, i)
+				if m == obj {
+					return Path(path2), nil // found declared method
+				}
+				if r := find(obj, m.Type(), append(path2, opType)); r != nil {
+					return Path(r), nil
+				}
+			}
+		}
+	}
+
+	return "", fmt.Errorf("can't find path for %v in %s", obj, pkg.Path())
+}
+
+func appendOpArg(path []byte, op byte, arg int) []byte {
+	path = append(path, op)
+	path = strconv.AppendInt(path, int64(arg), 10)
+	return path
+}
+
+// concreteMethod returns the path for meth, which must have a non-nil receiver.
+// The second return value indicates success and may be false if the method is
+// an interface method or if it is an instantiated method.
+//
+// This function is just an optimization that avoids the general scope walking
+// approach. You are expected to fall back to the general approach if this
+// function fails.
+func (enc *Encoder) concreteMethod(meth *types.Func) (Path, bool) {
+	// Concrete methods can only be declared on package-scoped named types. For
+	// that reason we can skip the expensive walk over the package scope: the
+	// path will always be package -> named type -> method. We can trivially get
+	// the type name from the receiver, and only have to look over the type's
+	// methods to find the method index.
+	//
+	// Methods on generic types require special consideration, however. Consider
+	// the following package:
+	//
+	// 	L1: type S[T any] struct{}
+	// 	L2: func (recv S[A]) Foo() { recv.Bar() }
+	// 	L3: func (recv S[B]) Bar() { }
+	// 	L4: type Alias = S[int]
+	// 	L5: func _[T any]() { var s S[int]; s.Foo() }
+	//
+	// The receivers of methods on generic types are instantiations. L2 and L3
+	// instantiate S with the type-parameters A and B, which are scoped to the
+	// respective methods. L4 and L5 each instantiate S with int. Each of these
+	// instantiations has its own method set, full of methods (and thus objects)
+	// with receivers whose types are the respective instantiations. In other
+	// words, we have
+	//
+	// S[A].Foo, S[A].Bar
+	// S[B].Foo, S[B].Bar
+	// S[int].Foo, S[int].Bar
+	//
+	// We may thus be trying to produce object paths for any of these objects.
+	//
+	// S[A].Foo and S[B].Bar are the origin methods, and their paths are S.Foo
+	// and S.Bar, which are the paths that this function naturally produces.
+	//
+	// S[A].Bar, S[B].Foo, and both methods on S[int] are instantiations that
+	// don't correspond to the origin methods. For S[int], this is significant.
+	// The most precise object path for S[int].Foo, for example, is Alias.Foo,
+	// not S.Foo. Our function, however, would produce S.Foo, which would
+	// resolve to a different object.
+	//
+	// For S[A].Bar and S[B].Foo it could be argued that S.Bar and S.Foo are
+	// still the correct paths, since only the origin methods have meaningful
+	// paths. But this is likely only true for trivial cases and has edge cases.
+	// Since this function is only an optimization, we err on the side of giving
+	// up, deferring to the slower but definitely correct algorithm. Most users
+	// of objectpath will only be giving us origin methods, anyway, as referring
+	// to instantiated methods is usually not useful.
+
+	if meth.Origin() != meth {
+		return "", false
+	}
+
+	_, named := typesinternal.ReceiverNamed(meth.Signature().Recv())
+	if named == nil {
+		return "", false
+	}
+
+	if types.IsInterface(named) {
+		// Named interfaces don't have to be package-scoped
+		//
+		// TODO(dominikh): opt: if scope.Lookup(name) == named, then we can apply this optimization to interface
+		// methods, too, I think.
+		return "", false
+	}
+
+	// Preallocate space for the name, opType, opMethod, and some digits.
+	name := named.Obj().Name()
+	path := make([]byte, 0, len(name)+8)
+	path = append(path, name...)
+	path = append(path, opType)
+
+	// Method indices are w.r.t. the go/types data structures,
+	// ultimately deriving from source order,
+	// which is preserved by export data.
+	for i := 0; i < named.NumMethods(); i++ {
+		if named.Method(i) == meth {
+			path = appendOpArg(path, opMethod, i)
+			return Path(path), true
+		}
+	}
+
+	// Due to golang/go#59944, go/types fails to associate the receiver with
+	// certain methods on cgo types.
+	//
+	// TODO(rfindley): replace this panic once golang/go#59944 is fixed in all Go
+	// versions gopls supports.
+	return "", false
+	// panic(fmt.Sprintf("couldn't find method %s on type %s; methods: %#v", meth, named, enc.namedMethods(named)))
+}
+
+// find finds obj within type T, returning the path to it, or nil if not found.
+//
+// The seen map is used to short circuit cycles through type parameters. If
+// nil, it will be allocated as necessary.
+//
+// The seenMethods map is used internally to short circuit cycles through
+// interface methods, such as occur in the following example:
+//
+//	type I interface { f() interface{I} }
+//
+// See golang/go#68046 for details.
+func find(obj types.Object, T types.Type, path []byte) []byte {
+	return (&finder{obj: obj}).find(T, path)
+}
+
+// finder closes over search state for a call to find.
+type finder struct {
+	obj             types.Object             // the sought object
+	seenTParamNames map[*types.TypeName]bool // for cycle breaking through type parameters
+	seenMethods     map[*types.Func]bool     // for cycle breaking through recursive interfaces
+}
+
+func (f *finder) find(T types.Type, path []byte) []byte {
+	switch T := T.(type) {
+	case *types.Alias:
+		return f.find(types.Unalias(T), path)
+	case *types.Basic, *types.Named:
+		// Named types belonging to pkg were handled already,
+		// so T must belong to another package. No path.
+		return nil
+	case *types.Pointer:
+		return f.find(T.Elem(), append(path, opElem))
+	case *types.Slice:
+		return f.find(T.Elem(), append(path, opElem))
+	case *types.Array:
+		return f.find(T.Elem(), append(path, opElem))
+	case *types.Chan:
+		return f.find(T.Elem(), append(path, opElem))
+	case *types.Map:
+		if r := f.find(T.Key(), append(path, opKey)); r != nil {
+			return r
+		}
+		return f.find(T.Elem(), append(path, opElem))
+	case *types.Signature:
+		if r := f.findTypeParam(T.RecvTypeParams(), path, opRecvTypeParam); r != nil {
+			return r
+		}
+		if r := f.findTypeParam(T.TypeParams(), path, opTypeParam); r != nil {
+			return r
+		}
+		if r := f.find(T.Params(), append(path, opParams)); r != nil {
+			return r
+		}
+		return f.find(T.Results(), append(path, opResults))
+	case *types.Struct:
+		for i := 0; i < T.NumFields(); i++ {
+			fld := T.Field(i)
+			path2 := appendOpArg(path, opField, i)
+			if fld == f.obj {
+				return path2 // found field var
+			}
+			if r := f.find(fld.Type(), append(path2, opType)); r != nil {
+				return r
+			}
+		}
+		return nil
+	case *types.Tuple:
+		for i := 0; i < T.Len(); i++ {
+			v := T.At(i)
+			path2 := appendOpArg(path, opAt, i)
+			if v == f.obj {
+				return path2 // found param/result var
+			}
+			if r := f.find(v.Type(), append(path2, opType)); r != nil {
+				return r
+			}
+		}
+		return nil
+	case *types.Interface:
+		for i := 0; i < T.NumMethods(); i++ {
+			m := T.Method(i)
+			if f.seenMethods[m] {
+				return nil
+			}
+			path2 := appendOpArg(path, opMethod, i)
+			if m == f.obj {
+				return path2 // found interface method
+			}
+			if f.seenMethods == nil {
+				f.seenMethods = make(map[*types.Func]bool)
+			}
+			f.seenMethods[m] = true
+			if r := f.find(m.Type(), append(path2, opType)); r != nil {
+				return r
+			}
+		}
+		return nil
+	case *types.TypeParam:
+		name := T.Obj()
+		if f.seenTParamNames[name] {
+			return nil
+		}
+		if name == f.obj {
+			return append(path, opObj)
+		}
+		if f.seenTParamNames == nil {
+			f.seenTParamNames = make(map[*types.TypeName]bool)
+		}
+		f.seenTParamNames[name] = true
+		if r := f.find(T.Constraint(), append(path, opConstraint)); r != nil {
+			return r
+		}
+		return nil
+	}
+	panic(T)
+}
+
+func findTypeParam(obj types.Object, list *types.TypeParamList, path []byte, op byte) []byte {
+	return (&finder{obj: obj}).findTypeParam(list, path, op)
+}
+
+func (f *finder) findTypeParam(list *types.TypeParamList, path []byte, op byte) []byte {
+	for i := 0; i < list.Len(); i++ {
+		tparam := list.At(i)
+		path2 := appendOpArg(path, op, i)
+		if r := f.find(tparam, path2); r != nil {
+			return r
+		}
+	}
+	return nil
+}
+
+// Object returns the object denoted by path p within the package pkg.
+func Object(pkg *types.Package, p Path) (types.Object, error) {
+	pathstr := string(p)
+	if pathstr == "" {
+		return nil, fmt.Errorf("empty path")
+	}
+
+	var pkgobj, suffix string
+	if dot := strings.IndexByte(pathstr, opType); dot < 0 {
+		pkgobj = pathstr
+	} else {
+		pkgobj = pathstr[:dot]
+		suffix = pathstr[dot:] // suffix starts with "."
+	}
+
+	obj := pkg.Scope().Lookup(pkgobj)
+	if obj == nil {
+		return nil, fmt.Errorf("package %s does not contain %q", pkg.Path(), pkgobj)
+	}
+
+	// abstraction of *types.{Pointer,Slice,Array,Chan,Map}
+	type hasElem interface {
+		Elem() types.Type
+	}
+	// abstraction of *types.{Named,Signature}
+	type hasTypeParams interface {
+		TypeParams() *types.TypeParamList
+	}
+	// abstraction of *types.{Alias,Named,TypeParam}
+	type hasObj interface {
+		Obj() *types.TypeName
+	}
+
+	// The loop state is the pair (t, obj),
+	// exactly one of which is non-nil, initially obj.
+	// All suffixes start with '.' (the only object->type operation),
+	// followed by optional type->type operations,
+	// then a type->object operation.
+	// The cycle then repeats.
+	var t types.Type
+	for suffix != "" {
+		code := suffix[0]
+		suffix = suffix[1:]
+
+		// Codes [AFMTr] have an integer operand.
+		var index int
+		switch code {
+		case opAt, opField, opMethod, opTypeParam, opRecvTypeParam:
+			rest := strings.TrimLeft(suffix, "0123456789")
+			numerals := suffix[:len(suffix)-len(rest)]
+			suffix = rest
+			i, err := strconv.Atoi(numerals)
+			if err != nil {
+				return nil, fmt.Errorf("invalid path: bad numeric operand %q for code %q", numerals, code)
+			}
+			index = int(i)
+		case opObj:
+			// no operand
+		default:
+			// The suffix must end with a type->object operation.
+			if suffix == "" {
+				return nil, fmt.Errorf("invalid path: ends with %q, want [AFMO]", code)
+			}
+		}
+
+		if code == opType {
+			if t != nil {
+				return nil, fmt.Errorf("invalid path: unexpected %q in type context", opType)
+			}
+			t = obj.Type()
+			obj = nil
+			continue
+		}
+
+		if t == nil {
+			return nil, fmt.Errorf("invalid path: code %q in object context", code)
+		}
+
+		// Inv: t != nil, obj == nil
+
+		t = types.Unalias(t)
+		switch code {
+		case opElem:
+			hasElem, ok := t.(hasElem) // Pointer, Slice, Array, Chan, Map
+			if !ok {
+				return nil, fmt.Errorf("cannot apply %q to %s (got %T, want pointer, slice, array, chan or map)", code, t, t)
+			}
+			t = hasElem.Elem()
+
+		case opKey:
+			mapType, ok := t.(*types.Map)
+			if !ok {
+				return nil, fmt.Errorf("cannot apply %q to %s (got %T, want map)", code, t, t)
+			}
+			t = mapType.Key()
+
+		case opParams:
+			sig, ok := t.(*types.Signature)
+			if !ok {
+				return nil, fmt.Errorf("cannot apply %q to %s (got %T, want signature)", code, t, t)
+			}
+			t = sig.Params()
+
+		case opResults:
+			sig, ok := t.(*types.Signature)
+			if !ok {
+				return nil, fmt.Errorf("cannot apply %q to %s (got %T, want signature)", code, t, t)
+			}
+			t = sig.Results()
+
+		case opUnderlying:
+			named, ok := t.(*types.Named)
+			if !ok {
+				return nil, fmt.Errorf("cannot apply %q to %s (got %T, want named)", code, t, t)
+			}
+			t = named.Underlying()
+
+		case opRhs:
+			if alias, ok := t.(*types.Alias); ok {
+				t = aliases.Rhs(alias)
+			} else if false && aliases.Enabled() {
+				// The Enabled check is too expensive, so for now we
+				// simply assume that aliases are not enabled.
+				//
+				// Now that go1.24 is assured, we should be able to
+				// replace this with "if true {", but it causes tests
+				// to fail. TODO(adonovan): investigate.
+				return nil, fmt.Errorf("cannot apply %q to %s (got %T, want alias)", code, t, t)
+			}
+
+		case opTypeParam:
+			hasTypeParams, ok := t.(hasTypeParams) // Named, Signature
+			if !ok {
+				return nil, fmt.Errorf("cannot apply %q to %s (got %T, want named or signature)", code, t, t)
+			}
+			tparams := hasTypeParams.TypeParams()
+			if n := tparams.Len(); index >= n {
+				return nil, fmt.Errorf("tuple index %d out of range [0-%d)", index, n)
+			}
+			t = tparams.At(index)
+
+		case opRecvTypeParam:
+			sig, ok := t.(*types.Signature) // Signature
+			if !ok {
+				return nil, fmt.Errorf("cannot apply %q to %s (got %T, want signature)", code, t, t)
+			}
+			rtparams := sig.RecvTypeParams()
+			if n := rtparams.Len(); index >= n {
+				return nil, fmt.Errorf("tuple index %d out of range [0-%d)", index, n)
+			}
+			t = rtparams.At(index)
+
+		case opConstraint:
+			tparam, ok := t.(*types.TypeParam)
+			if !ok {
+				return nil, fmt.Errorf("cannot apply %q to %s (got %T, want type parameter)", code, t, t)
+			}
+			t = tparam.Constraint()
+
+		case opAt:
+			tuple, ok := t.(*types.Tuple)
+			if !ok {
+				return nil, fmt.Errorf("cannot apply %q to %s (got %T, want tuple)", code, t, t)
+			}
+			if n := tuple.Len(); index >= n {
+				return nil, fmt.Errorf("tuple index %d out of range [0-%d)", index, n)
+			}
+			obj = tuple.At(index)
+			t = nil
+
+		case opField:
+			structType, ok := t.(*types.Struct)
+			if !ok {
+				return nil, fmt.Errorf("cannot apply %q to %s (got %T, want struct)", code, t, t)
+			}
+			if n := structType.NumFields(); index >= n {
+				return nil, fmt.Errorf("field index %d out of range [0-%d)", index, n)
+			}
+			obj = structType.Field(index)
+			t = nil
+
+		case opMethod:
+			switch t := t.(type) {
+			case *types.Interface:
+				if index >= t.NumMethods() {
+					return nil, fmt.Errorf("method index %d out of range [0-%d)", index, t.NumMethods())
+				}
+				obj = t.Method(index) // Id-ordered
+
+			case *types.Named:
+				if index >= t.NumMethods() {
+					return nil, fmt.Errorf("method index %d out of range [0-%d)", index, t.NumMethods())
+				}
+				obj = t.Method(index)
+
+			default:
+				return nil, fmt.Errorf("cannot apply %q to %s (got %T, want interface or named)", code, t, t)
+			}
+			t = nil
+
+		case opObj:
+			hasObj, ok := t.(hasObj)
+			if !ok {
+				return nil, fmt.Errorf("cannot apply %q to %s (got %T, want named or type param)", code, t, t)
+			}
+			obj = hasObj.Obj()
+			t = nil
+
+		default:
+			return nil, fmt.Errorf("invalid path: unknown code %q", code)
+		}
+	}
+
+	if obj == nil {
+		panic(p) // path does not end in an object-valued operator
+	}
+
+	if obj.Pkg() != pkg {
+		return nil, fmt.Errorf("path denotes %s, which belongs to a different package", obj)
+	}
+
+	return obj, nil // success
+}
+
+// scopeObjects is a memoization of scope objects.
+// Callers must not modify the result.
+func (enc *Encoder) scopeObjects(scope *types.Scope) []types.Object {
+	m := enc.scopeMemo
+	if m == nil {
+		m = make(map[*types.Scope][]types.Object)
+		enc.scopeMemo = m
+	}
+	objs, ok := m[scope]
+	if !ok {
+		names := scope.Names() // allocates and sorts
+		objs = make([]types.Object, len(names))
+		for i, name := range names {
+			objs[i] = scope.Lookup(name)
+		}
+		m[scope] = objs
+	}
+	return objs
+}
diff --git a/vendor/golang.org/x/tools/go/types/typeutil/callee.go b/vendor/golang.org/x/tools/go/types/typeutil/callee.go
new file mode 100644
index 0000000000..3d24a8c637
--- /dev/null
+++ b/vendor/golang.org/x/tools/go/types/typeutil/callee.go
@@ -0,0 +1,86 @@
+// Copyright 2018 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package typeutil
+
+import (
+	"go/ast"
+	"go/types"
+	_ "unsafe" // for linkname
+)
+
+// Callee returns the named target of a function call, if any:
+// a function, method, builtin, or variable.
+// It returns nil for a T(x) conversion.
+//
+// Functions and methods may potentially have type parameters.
+//
+// Note: for calls of instantiated functions and methods, Callee returns
+// the corresponding generic function or method on the generic type.
+func Callee(info *types.Info, call *ast.CallExpr) types.Object {
+	obj := info.Uses[usedIdent(info, call.Fun)]
+	if obj == nil {
+		return nil
+	}
+	if _, ok := obj.(*types.TypeName); ok {
+		return nil
+	}
+	return obj
+}
+
+// StaticCallee returns the target (function or method) of a static function
+// call, if any. It returns nil for calls to builtins.
+//
+// Note: for calls of instantiated functions and methods, StaticCallee returns
+// the corresponding generic function or method on the generic type.
+func StaticCallee(info *types.Info, call *ast.CallExpr) *types.Func {
+	obj := info.Uses[usedIdent(info, call.Fun)]
+	fn, _ := obj.(*types.Func)
+	if fn == nil || interfaceMethod(fn) {
+		return nil
+	}
+	return fn
+}
+
+// usedIdent is the implementation of [internal/typesinternal.UsedIdent].
+// It returns the identifier associated with e.
+// See typesinternal.UsedIdent for a fuller description.
+// This function should live in typesinternal, but cannot because it would
+// create an import cycle.
+//
+//go:linkname usedIdent golang.org/x/tools/go/types/typeutil.usedIdent
+func usedIdent(info *types.Info, e ast.Expr) *ast.Ident {
+	if info.Types == nil || info.Uses == nil {
+		panic("one of info.Types or info.Uses is nil; both must be populated")
+	}
+	// Look through type instantiation if necessary.
+	switch d := ast.Unparen(e).(type) {
+	case *ast.IndexExpr:
+		if info.Types[d.Index].IsType() {
+			e = d.X
+		}
+	case *ast.IndexListExpr:
+		e = d.X
+	}
+
+	switch e := ast.Unparen(e).(type) {
+	// info.Uses always has the object we want, even for selector expressions.
+	// We don't need info.Selections.
+	// See go/types/recording.go:recordSelection.
+	case *ast.Ident:
+		return e
+	case *ast.SelectorExpr:
+		return e.Sel
+	}
+	return nil
+}
+
+// interfaceMethod reports whether its argument is a method of an interface.
+// This function should live in typesinternal, but cannot because it would create an import cycle.
+//
+//go:linkname interfaceMethod golang.org/x/tools/go/types/typeutil.interfaceMethod
+func interfaceMethod(f *types.Func) bool {
+	recv := f.Signature().Recv()
+	return recv != nil && types.IsInterface(recv.Type())
+}
diff --git a/vendor/golang.org/x/tools/go/types/typeutil/imports.go b/vendor/golang.org/x/tools/go/types/typeutil/imports.go
new file mode 100644
index 0000000000..b81ce0c330
--- /dev/null
+++ b/vendor/golang.org/x/tools/go/types/typeutil/imports.go
@@ -0,0 +1,30 @@
+// Copyright 2014 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package typeutil
+
+import "go/types"
+
+// Dependencies returns all dependencies of the specified packages.
+//
+// Dependent packages appear in topological order: if package P imports
+// package Q, Q appears earlier than P in the result.
+// The algorithm follows import statements in the order they
+// appear in the source code, so the result is a total order.
+func Dependencies(pkgs ...*types.Package) []*types.Package {
+	var result []*types.Package
+	seen := make(map[*types.Package]bool)
+	var visit func(pkgs []*types.Package)
+	visit = func(pkgs []*types.Package) {
+		for _, p := range pkgs {
+			if !seen[p] {
+				seen[p] = true
+				visit(p.Imports())
+				result = append(result, p)
+			}
+		}
+	}
+	visit(pkgs)
+	return result
+}
diff --git a/vendor/golang.org/x/tools/go/types/typeutil/map.go b/vendor/golang.org/x/tools/go/types/typeutil/map.go
new file mode 100644
index 0000000000..36624572a6
--- /dev/null
+++ b/vendor/golang.org/x/tools/go/types/typeutil/map.go
@@ -0,0 +1,459 @@
+// Copyright 2014 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package typeutil defines various utilities for types, such as [Map],
+// a hash table that maps [types.Type] to any value.
+package typeutil
+
+import (
+	"bytes"
+	"fmt"
+	"go/types"
+	"hash/maphash"
+
+	"golang.org/x/tools/internal/typeparams"
+)
+
+// Map is a hash-table-based mapping from types (types.Type) to
+// arbitrary values.  The concrete types that implement
+// the Type interface are pointers.  Since they are not canonicalized,
+// == cannot be used to check for equivalence, and thus we cannot
+// simply use a Go map.
+//
+// Just as with map[K]V, a nil *Map is a valid empty map.
+//
+// Read-only map operations ([Map.At], [Map.Len], and so on) may
+// safely be called concurrently.
+//
+// TODO(adonovan): deprecate in favor of https://go.dev/issues/69420
+// and 69559, if the latter proposals for a generic hash-map type and
+// a types.Hash function are accepted.
+type Map struct {
+	table  map[uint32][]entry // maps hash to bucket; entry.key==nil means unused
+	length int                // number of map entries
+}
+
+// entry is an entry (key/value association) in a hash bucket.
+type entry struct {
+	key   types.Type
+	value any
+}
+
+// SetHasher has no effect.
+//
+// It is a relic of an optimization that is no longer profitable. Do
+// not use [Hasher], [MakeHasher], or [SetHasher] in new code.
+func (m *Map) SetHasher(Hasher) {}
+
+// Delete removes the entry with the given key, if any.
+// It returns true if the entry was found.
+func (m *Map) Delete(key types.Type) bool {
+	if m != nil && m.table != nil {
+		hash := hash(key)
+		bucket := m.table[hash]
+		for i, e := range bucket {
+			if e.key != nil && types.Identical(key, e.key) {
+				// We can't compact the bucket as it
+				// would disturb iterators.
+				bucket[i] = entry{}
+				m.length--
+				return true
+			}
+		}
+	}
+	return false
+}
+
+// At returns the map entry for the given key.
+// The result is nil if the entry is not present.
+func (m *Map) At(key types.Type) any {
+	if m != nil && m.table != nil {
+		for _, e := range m.table[hash(key)] {
+			if e.key != nil && types.Identical(key, e.key) {
+				return e.value
+			}
+		}
+	}
+	return nil
+}
+
+// Set sets the map entry for key to val,
+// and returns the previous entry, if any.
+func (m *Map) Set(key types.Type, value any) (prev any) {
+	if m.table != nil {
+		hash := hash(key)
+		bucket := m.table[hash]
+		var hole *entry
+		for i, e := range bucket {
+			if e.key == nil {
+				hole = &bucket[i]
+			} else if types.Identical(key, e.key) {
+				prev = e.value
+				bucket[i].value = value
+				return
+			}
+		}
+
+		if hole != nil {
+			*hole = entry{key, value} // overwrite deleted entry
+		} else {
+			m.table[hash] = append(bucket, entry{key, value})
+		}
+	} else {
+		hash := hash(key)
+		m.table = map[uint32][]entry{hash: {entry{key, value}}}
+	}
+
+	m.length++
+	return
+}
+
+// Len returns the number of map entries.
+func (m *Map) Len() int {
+	if m != nil {
+		return m.length
+	}
+	return 0
+}
+
+// Iterate calls function f on each entry in the map in unspecified order.
+//
+// If f should mutate the map, Iterate provides the same guarantees as
+// Go maps: if f deletes a map entry that Iterate has not yet reached,
+// f will not be invoked for it, but if f inserts a map entry that
+// Iterate has not yet reached, whether or not f will be invoked for
+// it is unspecified.
+func (m *Map) Iterate(f func(key types.Type, value any)) {
+	if m != nil {
+		for _, bucket := range m.table {
+			for _, e := range bucket {
+				if e.key != nil {
+					f(e.key, e.value)
+				}
+			}
+		}
+	}
+}
+
+// Keys returns a new slice containing the set of map keys.
+// The order is unspecified.
+func (m *Map) Keys() []types.Type {
+	keys := make([]types.Type, 0, m.Len())
+	m.Iterate(func(key types.Type, _ any) {
+		keys = append(keys, key)
+	})
+	return keys
+}
+
+func (m *Map) toString(values bool) string {
+	if m == nil {
+		return "{}"
+	}
+	var buf bytes.Buffer
+	fmt.Fprint(&buf, "{")
+	sep := ""
+	m.Iterate(func(key types.Type, value any) {
+		fmt.Fprint(&buf, sep)
+		sep = ", "
+		fmt.Fprint(&buf, key)
+		if values {
+			fmt.Fprintf(&buf, ": %q", value)
+		}
+	})
+	fmt.Fprint(&buf, "}")
+	return buf.String()
+}
+
+// String returns a string representation of the map's entries.
+// Values are printed using fmt.Sprintf("%v", v).
+// Order is unspecified.
+func (m *Map) String() string {
+	return m.toString(true)
+}
+
+// KeysString returns a string representation of the map's key set.
+// Order is unspecified.
+func (m *Map) KeysString() string {
+	return m.toString(false)
+}
+
+// -- Hasher --
+
+// hash returns the hash of type t.
+// TODO(adonovan): replace by types.Hash when Go proposal #69420 is accepted.
+func hash(t types.Type) uint32 {
+	return theHasher.Hash(t)
+}
+
+// A Hasher provides a [Hasher.Hash] method to map a type to its hash value.
+// Hashers are stateless, and all are equivalent.
+type Hasher struct{}
+
+var theHasher Hasher
+
+// MakeHasher returns Hasher{}.
+// Hashers are stateless; all are equivalent.
+func MakeHasher() Hasher { return theHasher }
+
+// Hash computes a hash value for the given type t such that
+// Identical(t, t') => Hash(t) == Hash(t').
+func (h Hasher) Hash(t types.Type) uint32 {
+	return hasher{inGenericSig: false}.hash(t)
+}
+
+// hasher holds the state of a single Hash traversal: whether we are
+// inside the signature of a generic function; this is used to
+// optimize [hasher.hashTypeParam].
+type hasher struct{ inGenericSig bool }
+
+// hashString computes the Fowler–Noll–Vo hash of s.
+func hashString(s string) uint32 {
+	var h uint32
+	for i := 0; i < len(s); i++ {
+		h ^= uint32(s[i])
+		h *= 16777619
+	}
+	return h
+}
+
+// hash computes the hash of t.
+func (h hasher) hash(t types.Type) uint32 {
+	// See Identical for rationale.
+	switch t := t.(type) {
+	case *types.Basic:
+		return uint32(t.Kind())
+
+	case *types.Alias:
+		return h.hash(types.Unalias(t))
+
+	case *types.Array:
+		return 9043 + 2*uint32(t.Len()) + 3*h.hash(t.Elem())
+
+	case *types.Slice:
+		return 9049 + 2*h.hash(t.Elem())
+
+	case *types.Struct:
+		var hash uint32 = 9059
+		for i, n := 0, t.NumFields(); i < n; i++ {
+			f := t.Field(i)
+			if f.Anonymous() {
+				hash += 8861
+			}
+			hash += hashString(t.Tag(i))
+			hash += hashString(f.Name()) // (ignore f.Pkg)
+			hash += h.hash(f.Type())
+		}
+		return hash
+
+	case *types.Pointer:
+		return 9067 + 2*h.hash(t.Elem())
+
+	case *types.Signature:
+		var hash uint32 = 9091
+		if t.Variadic() {
+			hash *= 8863
+		}
+
+		tparams := t.TypeParams()
+		if n := tparams.Len(); n > 0 {
+			h.inGenericSig = true // affects constraints, params, and results
+
+			for i := range n {
+				tparam := tparams.At(i)
+				hash += 7 * h.hash(tparam.Constraint())
+			}
+		}
+
+		return hash + 3*h.hashTuple(t.Params()) + 5*h.hashTuple(t.Results())
+
+	case *types.Union:
+		return h.hashUnion(t)
+
+	case *types.Interface:
+		// Interfaces are identical if they have the same set of methods, with
+		// identical names and types, and they have the same set of type
+		// restrictions. See go/types.identical for more details.
+		var hash uint32 = 9103
+
+		// Hash methods.
+		for i, n := 0, t.NumMethods(); i < n; i++ {
+			// Method order is not significant.
+			// Ignore m.Pkg().
+			m := t.Method(i)
+			// Use shallow hash on method signature to
+			// avoid anonymous interface cycles.
+			hash += 3*hashString(m.Name()) + 5*h.shallowHash(m.Type())
+		}
+
+		// Hash type restrictions.
+		terms, err := typeparams.InterfaceTermSet(t)
+		// if err != nil t has invalid type restrictions.
+		if err == nil {
+			hash += h.hashTermSet(terms)
+		}
+
+		return hash
+
+	case *types.Map:
+		return 9109 + 2*h.hash(t.Key()) + 3*h.hash(t.Elem())
+
+	case *types.Chan:
+		return 9127 + 2*uint32(t.Dir()) + 3*h.hash(t.Elem())
+
+	case *types.Named:
+		hash := h.hashTypeName(t.Obj())
+		targs := t.TypeArgs()
+		for targ := range targs.Types() {
+			hash += 2 * h.hash(targ)
+		}
+		return hash
+
+	case *types.TypeParam:
+		return h.hashTypeParam(t)
+
+	case *types.Tuple:
+		return h.hashTuple(t)
+	}
+
+	panic(fmt.Sprintf("%T: %v", t, t))
+}
+
+func (h hasher) hashTuple(tuple *types.Tuple) uint32 {
+	// See go/types.identicalTypes for rationale.
+	n := tuple.Len()
+	hash := 9137 + 2*uint32(n)
+	for i := range n {
+		hash += 3 * h.hash(tuple.At(i).Type())
+	}
+	return hash
+}
+
+func (h hasher) hashUnion(t *types.Union) uint32 {
+	// Hash type restrictions.
+	terms, err := typeparams.UnionTermSet(t)
+	// if err != nil t has invalid type restrictions. Fall back on a non-zero
+	// hash.
+	if err != nil {
+		return 9151
+	}
+	return h.hashTermSet(terms)
+}
+
+func (h hasher) hashTermSet(terms []*types.Term) uint32 {
+	hash := 9157 + 2*uint32(len(terms))
+	for _, term := range terms {
+		// term order is not significant.
+		termHash := h.hash(term.Type())
+		if term.Tilde() {
+			termHash *= 9161
+		}
+		hash += 3 * termHash
+	}
+	return hash
+}
+
+// hashTypeParam returns the hash of a type parameter.
+func (h hasher) hashTypeParam(t *types.TypeParam) uint32 {
+	// Within the signature of a generic function, TypeParams are
+	// identical if they have the same index and constraint, so we
+	// hash them based on index.
+	//
+	// When we are outside a generic function, free TypeParams are
+	// identical iff they are the same object, so we can use a
+	// more discriminating hash consistent with object identity.
+	// This optimization saves [Map] about 4% when hashing all the
+	// types.Info.Types in the forward closure of net/http.
+	if !h.inGenericSig {
+		// Optimization: outside a generic function signature,
+		// use a more discrimating hash consistent with object identity.
+		return h.hashTypeName(t.Obj())
+	}
+	return 9173 + 3*uint32(t.Index())
+}
+
+var theSeed = maphash.MakeSeed()
+
+// hashTypeName hashes the pointer of tname.
+func (hasher) hashTypeName(tname *types.TypeName) uint32 {
+	// Since types.Identical uses == to compare TypeNames,
+	// the Hash function uses maphash.Comparable.
+	hash := maphash.Comparable(theSeed, tname)
+	return uint32(hash ^ (hash >> 32))
+}
+
+// shallowHash computes a hash of t without looking at any of its
+// element Types, to avoid potential anonymous cycles in the types of
+// interface methods.
+//
+// When an unnamed non-empty interface type appears anywhere among the
+// arguments or results of an interface method, there is a potential
+// for endless recursion. Consider:
+//
+//	type X interface { m() []*interface { X } }
+//
+// The problem is that the Methods of the interface in m's result type
+// include m itself; there is no mention of the named type X that
+// might help us break the cycle.
+// (See comment in go/types.identical, case *Interface, for more.)
+func (h hasher) shallowHash(t types.Type) uint32 {
+	// t is the type of an interface method (Signature),
+	// its params or results (Tuples), or their immediate
+	// elements (mostly Slice, Pointer, Basic, Named),
+	// so there's no need to optimize anything else.
+	switch t := t.(type) {
+	case *types.Alias:
+		return h.shallowHash(types.Unalias(t))
+
+	case *types.Signature:
+		var hash uint32 = 604171
+		if t.Variadic() {
+			hash *= 971767
+		}
+		// The Signature/Tuple recursion is always finite
+		// and invariably shallow.
+		return hash + 1062599*h.shallowHash(t.Params()) + 1282529*h.shallowHash(t.Results())
+
+	case *types.Tuple:
+		n := t.Len()
+		hash := 9137 + 2*uint32(n)
+		for i := range n {
+			hash += 53471161 * h.shallowHash(t.At(i).Type())
+		}
+		return hash
+
+	case *types.Basic:
+		return 45212177 * uint32(t.Kind())
+
+	case *types.Array:
+		return 1524181 + 2*uint32(t.Len())
+
+	case *types.Slice:
+		return 2690201
+
+	case *types.Struct:
+		return 3326489
+
+	case *types.Pointer:
+		return 4393139
+
+	case *types.Union:
+		return 562448657
+
+	case *types.Interface:
+		return 2124679 // no recursion here
+
+	case *types.Map:
+		return 9109
+
+	case *types.Chan:
+		return 9127
+
+	case *types.Named:
+		return h.hashTypeName(t.Obj())
+
+	case *types.TypeParam:
+		return h.hashTypeParam(t)
+	}
+	panic(fmt.Sprintf("shallowHash: %T: %v", t, t))
+}
diff --git a/vendor/golang.org/x/tools/go/types/typeutil/methodsetcache.go b/vendor/golang.org/x/tools/go/types/typeutil/methodsetcache.go
new file mode 100644
index 0000000000..f7666028fe
--- /dev/null
+++ b/vendor/golang.org/x/tools/go/types/typeutil/methodsetcache.go
@@ -0,0 +1,71 @@
+// Copyright 2014 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// This file implements a cache of method sets.
+
+package typeutil
+
+import (
+	"go/types"
+	"sync"
+)
+
+// A MethodSetCache records the method set of each type T for which
+// MethodSet(T) is called so that repeat queries are fast.
+// The zero value is a ready-to-use cache instance.
+type MethodSetCache struct {
+	mu     sync.Mutex
+	named  map[*types.Named]struct{ value, pointer *types.MethodSet } // method sets for named N and *N
+	others map[types.Type]*types.MethodSet                            // all other types
+}
+
+// MethodSet returns the method set of type T.  It is thread-safe.
+//
+// If cache is nil, this function is equivalent to types.NewMethodSet(T).
+// Utility functions can thus expose an optional *MethodSetCache
+// parameter to clients that care about performance.
+func (cache *MethodSetCache) MethodSet(T types.Type) *types.MethodSet {
+	if cache == nil {
+		return types.NewMethodSet(T)
+	}
+	cache.mu.Lock()
+	defer cache.mu.Unlock()
+
+	switch T := types.Unalias(T).(type) {
+	case *types.Named:
+		return cache.lookupNamed(T).value
+
+	case *types.Pointer:
+		if N, ok := types.Unalias(T.Elem()).(*types.Named); ok {
+			return cache.lookupNamed(N).pointer
+		}
+	}
+
+	// all other types
+	// (The map uses pointer equivalence, not type identity.)
+	mset := cache.others[T]
+	if mset == nil {
+		mset = types.NewMethodSet(T)
+		if cache.others == nil {
+			cache.others = make(map[types.Type]*types.MethodSet)
+		}
+		cache.others[T] = mset
+	}
+	return mset
+}
+
+func (cache *MethodSetCache) lookupNamed(named *types.Named) struct{ value, pointer *types.MethodSet } {
+	if cache.named == nil {
+		cache.named = make(map[*types.Named]struct{ value, pointer *types.MethodSet })
+	}
+	// Avoid recomputing mset(*T) for each distinct Pointer
+	// instance whose underlying type is a named type.
+	msets, ok := cache.named[named]
+	if !ok {
+		msets.value = types.NewMethodSet(named)
+		msets.pointer = types.NewMethodSet(types.NewPointer(named))
+		cache.named[named] = msets
+	}
+	return msets
+}
diff --git a/vendor/golang.org/x/tools/go/types/typeutil/ui.go b/vendor/golang.org/x/tools/go/types/typeutil/ui.go
new file mode 100644
index 0000000000..9dda6a25df
--- /dev/null
+++ b/vendor/golang.org/x/tools/go/types/typeutil/ui.go
@@ -0,0 +1,53 @@
+// Copyright 2014 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package typeutil
+
+// This file defines utilities for user interfaces that display types.
+
+import (
+	"go/types"
+)
+
+// IntuitiveMethodSet returns the intuitive method set of a type T,
+// which is the set of methods you can call on an addressable value of
+// that type.
+//
+// The result always contains MethodSet(T), and is exactly MethodSet(T)
+// for interface types and for pointer-to-concrete types.
+// For all other concrete types T, the result additionally
+// contains each method belonging to *T if there is no identically
+// named method on T itself.
+//
+// This corresponds to user intuition about method sets;
+// this function is intended only for user interfaces.
+//
+// The order of the result is as for types.MethodSet(T).
+func IntuitiveMethodSet(T types.Type, msets *MethodSetCache) []*types.Selection {
+	isPointerToConcrete := func(T types.Type) bool {
+		ptr, ok := types.Unalias(T).(*types.Pointer)
+		return ok && !types.IsInterface(ptr.Elem())
+	}
+
+	var result []*types.Selection
+	mset := msets.MethodSet(T)
+	if types.IsInterface(T) || isPointerToConcrete(T) {
+		for i, n := 0, mset.Len(); i < n; i++ {
+			result = append(result, mset.At(i))
+		}
+	} else {
+		// T is some other concrete type.
+		// Report methods of T and *T, preferring those of T.
+		pmset := msets.MethodSet(types.NewPointer(T))
+		for i, n := 0, pmset.Len(); i < n; i++ {
+			meth := pmset.At(i)
+			if m := mset.Lookup(meth.Obj().Pkg(), meth.Obj().Name()); m != nil {
+				meth = m
+			}
+			result = append(result, meth)
+		}
+
+	}
+	return result
+}
diff --git a/vendor/golang.org/x/tools/internal/aliases/aliases.go b/vendor/golang.org/x/tools/internal/aliases/aliases.go
new file mode 100644
index 0000000000..b9425f5a20
--- /dev/null
+++ b/vendor/golang.org/x/tools/internal/aliases/aliases.go
@@ -0,0 +1,38 @@
+// Copyright 2024 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package aliases
+
+import (
+	"go/token"
+	"go/types"
+)
+
+// Package aliases defines backward compatible shims
+// for the types.Alias type representation added in 1.22.
+// This defines placeholders for x/tools until 1.26.
+
+// NewAlias creates a new TypeName in Package pkg that
+// is an alias for the type rhs.
+//
+// The enabled parameter determines whether the resulting [TypeName]'s
+// type is an [types.Alias]. Its value must be the result of a call to
+// [Enabled], which computes the effective value of
+// GODEBUG=gotypesalias=... by invoking the type checker. The Enabled
+// function is expensive and should be called once per task (e.g.
+// package import), not once per call to NewAlias.
+//
+// Precondition: enabled || len(tparams)==0.
+// If materialized aliases are disabled, there must not be any type parameters.
+func NewAlias(enabled bool, pos token.Pos, pkg *types.Package, name string, rhs types.Type, tparams []*types.TypeParam) *types.TypeName {
+	if enabled {
+		tname := types.NewTypeName(pos, pkg, name, nil)
+		SetTypeParams(types.NewAlias(tname, rhs), tparams)
+		return tname
+	}
+	if len(tparams) > 0 {
+		panic("cannot create an alias with type parameters when gotypesalias is not enabled")
+	}
+	return types.NewTypeName(pos, pkg, name, rhs)
+}
diff --git a/vendor/golang.org/x/tools/internal/aliases/aliases_go122.go b/vendor/golang.org/x/tools/internal/aliases/aliases_go122.go
new file mode 100644
index 0000000000..7716a3331d
--- /dev/null
+++ b/vendor/golang.org/x/tools/internal/aliases/aliases_go122.go
@@ -0,0 +1,80 @@
+// Copyright 2024 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package aliases
+
+import (
+	"go/ast"
+	"go/parser"
+	"go/token"
+	"go/types"
+)
+
+// Rhs returns the type on the right-hand side of the alias declaration.
+func Rhs(alias *types.Alias) types.Type {
+	if alias, ok := any(alias).(interface{ Rhs() types.Type }); ok {
+		return alias.Rhs() // go1.23+
+	}
+
+	// go1.22's Alias didn't have the Rhs method,
+	// so Unalias is the best we can do.
+	return types.Unalias(alias)
+}
+
+// TypeParams returns the type parameter list of the alias.
+func TypeParams(alias *types.Alias) *types.TypeParamList {
+	if alias, ok := any(alias).(interface{ TypeParams() *types.TypeParamList }); ok {
+		return alias.TypeParams() // go1.23+
+	}
+	return nil
+}
+
+// SetTypeParams sets the type parameters of the alias type.
+func SetTypeParams(alias *types.Alias, tparams []*types.TypeParam) {
+	if alias, ok := any(alias).(interface {
+		SetTypeParams(tparams []*types.TypeParam)
+	}); ok {
+		alias.SetTypeParams(tparams) // go1.23+
+	} else if len(tparams) > 0 {
+		panic("cannot set type parameters of an Alias type in go1.22")
+	}
+}
+
+// TypeArgs returns the type arguments used to instantiate the Alias type.
+func TypeArgs(alias *types.Alias) *types.TypeList {
+	if alias, ok := any(alias).(interface{ TypeArgs() *types.TypeList }); ok {
+		return alias.TypeArgs() // go1.23+
+	}
+	return nil // empty (go1.22)
+}
+
+// Origin returns the generic Alias type of which alias is an instance.
+// If alias is not an instance of a generic alias, Origin returns alias.
+func Origin(alias *types.Alias) *types.Alias {
+	if alias, ok := any(alias).(interface{ Origin() *types.Alias }); ok {
+		return alias.Origin() // go1.23+
+	}
+	return alias // not an instance of a generic alias (go1.22)
+}
+
+// Enabled reports whether [NewAlias] should create [types.Alias] types.
+//
+// This function is expensive! Call it sparingly.
+func Enabled() bool {
+	// The only reliable way to compute the answer is to invoke go/types.
+	// We don't parse the GODEBUG environment variable, because
+	// (a) it's tricky to do so in a manner that is consistent
+	//     with the godebug package; in particular, a simple
+	//     substring check is not good enough. The value is a
+	//     rightmost-wins list of options. But more importantly:
+	// (b) it is impossible to detect changes to the effective
+	//     setting caused by os.Setenv("GODEBUG"), as happens in
+	//     many tests. Therefore any attempt to cache the result
+	//     is just incorrect.
+	fset := token.NewFileSet()
+	f, _ := parser.ParseFile(fset, "a.go", "package p; type A = int", parser.SkipObjectResolution)
+	pkg, _ := new(types.Config).Check("p", fset, []*ast.File{f}, nil)
+	_, enabled := pkg.Scope().Lookup("A").Type().(*types.Alias)
+	return enabled
+}
diff --git a/vendor/golang.org/x/tools/internal/event/core/event.go b/vendor/golang.org/x/tools/internal/event/core/event.go
new file mode 100644
index 0000000000..ade5d1e799
--- /dev/null
+++ b/vendor/golang.org/x/tools/internal/event/core/event.go
@@ -0,0 +1,80 @@
+// Copyright 2019 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package core provides support for event based telemetry.
+package core
+
+import (
+	"fmt"
+	"time"
+
+	"golang.org/x/tools/internal/event/label"
+)
+
+// Event holds the information about an event of note that occurred.
+type Event struct {
+	at time.Time
+
+	// As events are often on the stack, storing the first few labels directly
+	// in the event can avoid an allocation at all for the very common cases of
+	// simple events.
+	// The length needs to be large enough to cope with the majority of events
+	// but no so large as to cause undue stack pressure.
+	// A log message with two values will use 3 labels (one for each value and
+	// one for the message itself).
+
+	static  [3]label.Label // inline storage for the first few labels
+	dynamic []label.Label  // dynamically sized storage for remaining labels
+}
+
+func (ev Event) At() time.Time { return ev.at }
+
+func (ev Event) Format(f fmt.State, r rune) {
+	if !ev.at.IsZero() {
+		fmt.Fprint(f, ev.at.Format("2006/01/02 15:04:05 "))
+	}
+	for index := 0; ev.Valid(index); index++ {
+		if l := ev.Label(index); l.Valid() {
+			fmt.Fprintf(f, "\n\t%v", l)
+		}
+	}
+}
+
+func (ev Event) Valid(index int) bool {
+	return index >= 0 && index < len(ev.static)+len(ev.dynamic)
+}
+
+func (ev Event) Label(index int) label.Label {
+	if index < len(ev.static) {
+		return ev.static[index]
+	}
+	return ev.dynamic[index-len(ev.static)]
+}
+
+func (ev Event) Find(key label.Key) label.Label {
+	for _, l := range ev.static {
+		if l.Key() == key {
+			return l
+		}
+	}
+	for _, l := range ev.dynamic {
+		if l.Key() == key {
+			return l
+		}
+	}
+	return label.Label{}
+}
+
+func MakeEvent(static [3]label.Label, labels []label.Label) Event {
+	return Event{
+		static:  static,
+		dynamic: labels,
+	}
+}
+
+// CloneEvent event returns a copy of the event with the time adjusted to at.
+func CloneEvent(ev Event, at time.Time) Event {
+	ev.at = at
+	return ev
+}
diff --git a/vendor/golang.org/x/tools/internal/event/core/export.go b/vendor/golang.org/x/tools/internal/event/core/export.go
new file mode 100644
index 0000000000..16ae6bb021
--- /dev/null
+++ b/vendor/golang.org/x/tools/internal/event/core/export.go
@@ -0,0 +1,67 @@
+// Copyright 2019 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package core
+
+import (
+	"context"
+	"sync/atomic"
+	"time"
+
+	"golang.org/x/tools/internal/event/label"
+)
+
+// Exporter is a function that handles events.
+// It may return a modified context and event.
+type Exporter func(context.Context, Event, label.Map) context.Context
+
+var exporter atomic.Pointer[Exporter]
+
+// SetExporter sets the global exporter function that handles all events.
+// The exporter is called synchronously from the event call site, so it should
+// return quickly so as not to hold up user code.
+func SetExporter(e Exporter) {
+	if e == nil {
+		// &e is always valid, and so p is always valid, but for the early abort
+		// of ProcessEvent to be efficient it needs to make the nil check on the
+		// pointer without having to dereference it, so we make the nil function
+		// also a nil pointer
+		exporter.Store(nil)
+	} else {
+		exporter.Store(&e)
+	}
+}
+
+// deliver is called to deliver an event to the supplied exporter.
+// it will fill in the time.
+func deliver(ctx context.Context, exporter Exporter, ev Event) context.Context {
+	// add the current time to the event
+	ev.at = time.Now()
+	// hand the event off to the current exporter
+	return exporter(ctx, ev, ev)
+}
+
+// Export is called to deliver an event to the global exporter if set.
+func Export(ctx context.Context, ev Event) context.Context {
+	// get the global exporter and abort early if there is not one
+	exporterPtr := exporter.Load()
+	if exporterPtr == nil {
+		return ctx
+	}
+	return deliver(ctx, *exporterPtr, ev)
+}
+
+// ExportPair is called to deliver a start event to the supplied exporter.
+// It also returns a function that will deliver the end event to the same
+// exporter.
+// It will fill in the time.
+func ExportPair(ctx context.Context, begin, end Event) (context.Context, func()) {
+	// get the global exporter and abort early if there is not one
+	exporterPtr := exporter.Load()
+	if exporterPtr == nil {
+		return ctx, func() {}
+	}
+	ctx = deliver(ctx, *exporterPtr, begin)
+	return ctx, func() { deliver(ctx, *exporterPtr, end) }
+}
diff --git a/vendor/golang.org/x/tools/internal/event/core/fast.go b/vendor/golang.org/x/tools/internal/event/core/fast.go
new file mode 100644
index 0000000000..06c1d4615e
--- /dev/null
+++ b/vendor/golang.org/x/tools/internal/event/core/fast.go
@@ -0,0 +1,77 @@
+// Copyright 2019 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package core
+
+import (
+	"context"
+
+	"golang.org/x/tools/internal/event/keys"
+	"golang.org/x/tools/internal/event/label"
+)
+
+// Log1 takes a message and one label delivers a log event to the exporter.
+// It is a customized version of Print that is faster and does no allocation.
+func Log1(ctx context.Context, message string, t1 label.Label) {
+	Export(ctx, MakeEvent([3]label.Label{
+		keys.Msg.Of(message),
+		t1,
+	}, nil))
+}
+
+// Log2 takes a message and two labels and delivers a log event to the exporter.
+// It is a customized version of Print that is faster and does no allocation.
+func Log2(ctx context.Context, message string, t1 label.Label, t2 label.Label) {
+	Export(ctx, MakeEvent([3]label.Label{
+		keys.Msg.Of(message),
+		t1,
+		t2,
+	}, nil))
+}
+
+// Metric1 sends a label event to the exporter with the supplied labels.
+func Metric1(ctx context.Context, t1 label.Label) context.Context {
+	return Export(ctx, MakeEvent([3]label.Label{
+		keys.Metric.New(),
+		t1,
+	}, nil))
+}
+
+// Metric2 sends a label event to the exporter with the supplied labels.
+func Metric2(ctx context.Context, t1, t2 label.Label) context.Context {
+	return Export(ctx, MakeEvent([3]label.Label{
+		keys.Metric.New(),
+		t1,
+		t2,
+	}, nil))
+}
+
+// Start1 sends a span start event with the supplied label list to the exporter.
+// It also returns a function that will end the span, which should normally be
+// deferred.
+func Start1(ctx context.Context, name string, t1 label.Label) (context.Context, func()) {
+	return ExportPair(ctx,
+		MakeEvent([3]label.Label{
+			keys.Start.Of(name),
+			t1,
+		}, nil),
+		MakeEvent([3]label.Label{
+			keys.End.New(),
+		}, nil))
+}
+
+// Start2 sends a span start event with the supplied label list to the exporter.
+// It also returns a function that will end the span, which should normally be
+// deferred.
+func Start2(ctx context.Context, name string, t1, t2 label.Label) (context.Context, func()) {
+	return ExportPair(ctx,
+		MakeEvent([3]label.Label{
+			keys.Start.Of(name),
+			t1,
+			t2,
+		}, nil),
+		MakeEvent([3]label.Label{
+			keys.End.New(),
+		}, nil))
+}
diff --git a/vendor/golang.org/x/tools/internal/event/doc.go b/vendor/golang.org/x/tools/internal/event/doc.go
new file mode 100644
index 0000000000..5dc6e6babe
--- /dev/null
+++ b/vendor/golang.org/x/tools/internal/event/doc.go
@@ -0,0 +1,7 @@
+// Copyright 2019 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package event provides a set of packages that cover the main
+// concepts of telemetry in an implementation agnostic way.
+package event
diff --git a/vendor/golang.org/x/tools/internal/event/event.go b/vendor/golang.org/x/tools/internal/event/event.go
new file mode 100644
index 0000000000..4d55e577d1
--- /dev/null
+++ b/vendor/golang.org/x/tools/internal/event/event.go
@@ -0,0 +1,127 @@
+// Copyright 2019 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package event
+
+import (
+	"context"
+
+	"golang.org/x/tools/internal/event/core"
+	"golang.org/x/tools/internal/event/keys"
+	"golang.org/x/tools/internal/event/label"
+)
+
+// Exporter is a function that handles events.
+// It may return a modified context and event.
+type Exporter func(context.Context, core.Event, label.Map) context.Context
+
+// SetExporter sets the global exporter function that handles all events.
+// The exporter is called synchronously from the event call site, so it should
+// return quickly so as not to hold up user code.
+func SetExporter(e Exporter) {
+	core.SetExporter(core.Exporter(e))
+}
+
+// Log takes a message and a label list and combines them into a single event
+// before delivering them to the exporter.
+func Log(ctx context.Context, message string, labels ...label.Label) {
+	core.Export(ctx, core.MakeEvent([3]label.Label{
+		keys.Msg.Of(message),
+	}, labels))
+}
+
+// IsLog returns true if the event was built by the Log function.
+// It is intended to be used in exporters to identify the semantics of the
+// event when deciding what to do with it.
+func IsLog(ev core.Event) bool {
+	return ev.Label(0).Key() == keys.Msg
+}
+
+// Error takes a message and a label list and combines them into a single event
+// before delivering them to the exporter. It captures the error in the
+// delivered event.
+func Error(ctx context.Context, message string, err error, labels ...label.Label) {
+	core.Export(ctx, core.MakeEvent([3]label.Label{
+		keys.Msg.Of(message),
+		keys.Err.Of(err),
+	}, labels))
+}
+
+// IsError returns true if the event was built by the Error function.
+// It is intended to be used in exporters to identify the semantics of the
+// event when deciding what to do with it.
+func IsError(ev core.Event) bool {
+	return ev.Label(0).Key() == keys.Msg &&
+		ev.Label(1).Key() == keys.Err
+}
+
+// Metric sends a label event to the exporter with the supplied labels.
+func Metric(ctx context.Context, labels ...label.Label) {
+	core.Export(ctx, core.MakeEvent([3]label.Label{
+		keys.Metric.New(),
+	}, labels))
+}
+
+// IsMetric returns true if the event was built by the Metric function.
+// It is intended to be used in exporters to identify the semantics of the
+// event when deciding what to do with it.
+func IsMetric(ev core.Event) bool {
+	return ev.Label(0).Key() == keys.Metric
+}
+
+// Label sends a label event to the exporter with the supplied labels.
+func Label(ctx context.Context, labels ...label.Label) context.Context {
+	return core.Export(ctx, core.MakeEvent([3]label.Label{
+		keys.Label.New(),
+	}, labels))
+}
+
+// IsLabel returns true if the event was built by the Label function.
+// It is intended to be used in exporters to identify the semantics of the
+// event when deciding what to do with it.
+func IsLabel(ev core.Event) bool {
+	return ev.Label(0).Key() == keys.Label
+}
+
+// Start sends a span start event with the supplied label list to the exporter.
+// It also returns a function that will end the span, which should normally be
+// deferred.
+func Start(ctx context.Context, name string, labels ...label.Label) (context.Context, func()) {
+	return core.ExportPair(ctx,
+		core.MakeEvent([3]label.Label{
+			keys.Start.Of(name),
+		}, labels),
+		core.MakeEvent([3]label.Label{
+			keys.End.New(),
+		}, nil))
+}
+
+// IsStart returns true if the event was built by the Start function.
+// It is intended to be used in exporters to identify the semantics of the
+// event when deciding what to do with it.
+func IsStart(ev core.Event) bool {
+	return ev.Label(0).Key() == keys.Start
+}
+
+// IsEnd returns true if the event was built by the End function.
+// It is intended to be used in exporters to identify the semantics of the
+// event when deciding what to do with it.
+func IsEnd(ev core.Event) bool {
+	return ev.Label(0).Key() == keys.End
+}
+
+// Detach returns a context without an associated span.
+// This allows the creation of spans that are not children of the current span.
+func Detach(ctx context.Context) context.Context {
+	return core.Export(ctx, core.MakeEvent([3]label.Label{
+		keys.Detach.New(),
+	}, nil))
+}
+
+// IsDetach returns true if the event was built by the Detach function.
+// It is intended to be used in exporters to identify the semantics of the
+// event when deciding what to do with it.
+func IsDetach(ev core.Event) bool {
+	return ev.Label(0).Key() == keys.Detach
+}
diff --git a/vendor/golang.org/x/tools/internal/event/keys/keys.go b/vendor/golang.org/x/tools/internal/event/keys/keys.go
new file mode 100644
index 0000000000..4cfa51b612
--- /dev/null
+++ b/vendor/golang.org/x/tools/internal/event/keys/keys.go
@@ -0,0 +1,564 @@
+// Copyright 2019 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package keys
+
+import (
+	"fmt"
+	"io"
+	"math"
+	"strconv"
+
+	"golang.org/x/tools/internal/event/label"
+)
+
+// Value represents a key for untyped values.
+type Value struct {
+	name        string
+	description string
+}
+
+// New creates a new Key for untyped values.
+func New(name, description string) *Value {
+	return &Value{name: name, description: description}
+}
+
+func (k *Value) Name() string        { return k.name }
+func (k *Value) Description() string { return k.description }
+
+func (k *Value) Format(w io.Writer, buf []byte, l label.Label) {
+	fmt.Fprint(w, k.From(l))
+}
+
+// Get can be used to get a label for the key from a label.Map.
+func (k *Value) Get(lm label.Map) any {
+	if t := lm.Find(k); t.Valid() {
+		return k.From(t)
+	}
+	return nil
+}
+
+// From can be used to get a value from a Label.
+func (k *Value) From(t label.Label) any { return t.UnpackValue() }
+
+// Of creates a new Label with this key and the supplied value.
+func (k *Value) Of(value any) label.Label { return label.OfValue(k, value) }
+
+// Tag represents a key for tagging labels that have no value.
+// These are used when the existence of the label is the entire information it
+// carries, such as marking events to be of a specific kind, or from a specific
+// package.
+type Tag struct {
+	name        string
+	description string
+}
+
+// NewTag creates a new Key for tagging labels.
+func NewTag(name, description string) *Tag {
+	return &Tag{name: name, description: description}
+}
+
+func (k *Tag) Name() string        { return k.name }
+func (k *Tag) Description() string { return k.description }
+
+func (k *Tag) Format(w io.Writer, buf []byte, l label.Label) {}
+
+// New creates a new Label with this key.
+func (k *Tag) New() label.Label { return label.OfValue(k, nil) }
+
+// Int represents a key
+type Int struct {
+	name        string
+	description string
+}
+
+// NewInt creates a new Key for int values.
+func NewInt(name, description string) *Int {
+	return &Int{name: name, description: description}
+}
+
+func (k *Int) Name() string        { return k.name }
+func (k *Int) Description() string { return k.description }
+
+func (k *Int) Format(w io.Writer, buf []byte, l label.Label) {
+	w.Write(strconv.AppendInt(buf, int64(k.From(l)), 10))
+}
+
+// Of creates a new Label with this key and the supplied value.
+func (k *Int) Of(v int) label.Label { return label.Of64(k, uint64(v)) }
+
+// Get can be used to get a label for the key from a label.Map.
+func (k *Int) Get(lm label.Map) int {
+	if t := lm.Find(k); t.Valid() {
+		return k.From(t)
+	}
+	return 0
+}
+
+// From can be used to get a value from a Label.
+func (k *Int) From(t label.Label) int { return int(t.Unpack64()) }
+
+// Int8 represents a key
+type Int8 struct {
+	name        string
+	description string
+}
+
+// NewInt8 creates a new Key for int8 values.
+func NewInt8(name, description string) *Int8 {
+	return &Int8{name: name, description: description}
+}
+
+func (k *Int8) Name() string        { return k.name }
+func (k *Int8) Description() string { return k.description }
+
+func (k *Int8) Format(w io.Writer, buf []byte, l label.Label) {
+	w.Write(strconv.AppendInt(buf, int64(k.From(l)), 10))
+}
+
+// Of creates a new Label with this key and the supplied value.
+func (k *Int8) Of(v int8) label.Label { return label.Of64(k, uint64(v)) }
+
+// Get can be used to get a label for the key from a label.Map.
+func (k *Int8) Get(lm label.Map) int8 {
+	if t := lm.Find(k); t.Valid() {
+		return k.From(t)
+	}
+	return 0
+}
+
+// From can be used to get a value from a Label.
+func (k *Int8) From(t label.Label) int8 { return int8(t.Unpack64()) }
+
+// Int16 represents a key
+type Int16 struct {
+	name        string
+	description string
+}
+
+// NewInt16 creates a new Key for int16 values.
+func NewInt16(name, description string) *Int16 {
+	return &Int16{name: name, description: description}
+}
+
+func (k *Int16) Name() string        { return k.name }
+func (k *Int16) Description() string { return k.description }
+
+func (k *Int16) Format(w io.Writer, buf []byte, l label.Label) {
+	w.Write(strconv.AppendInt(buf, int64(k.From(l)), 10))
+}
+
+// Of creates a new Label with this key and the supplied value.
+func (k *Int16) Of(v int16) label.Label { return label.Of64(k, uint64(v)) }
+
+// Get can be used to get a label for the key from a label.Map.
+func (k *Int16) Get(lm label.Map) int16 {
+	if t := lm.Find(k); t.Valid() {
+		return k.From(t)
+	}
+	return 0
+}
+
+// From can be used to get a value from a Label.
+func (k *Int16) From(t label.Label) int16 { return int16(t.Unpack64()) }
+
+// Int32 represents a key
+type Int32 struct {
+	name        string
+	description string
+}
+
+// NewInt32 creates a new Key for int32 values.
+func NewInt32(name, description string) *Int32 {
+	return &Int32{name: name, description: description}
+}
+
+func (k *Int32) Name() string        { return k.name }
+func (k *Int32) Description() string { return k.description }
+
+func (k *Int32) Format(w io.Writer, buf []byte, l label.Label) {
+	w.Write(strconv.AppendInt(buf, int64(k.From(l)), 10))
+}
+
+// Of creates a new Label with this key and the supplied value.
+func (k *Int32) Of(v int32) label.Label { return label.Of64(k, uint64(v)) }
+
+// Get can be used to get a label for the key from a label.Map.
+func (k *Int32) Get(lm label.Map) int32 {
+	if t := lm.Find(k); t.Valid() {
+		return k.From(t)
+	}
+	return 0
+}
+
+// From can be used to get a value from a Label.
+func (k *Int32) From(t label.Label) int32 { return int32(t.Unpack64()) }
+
+// Int64 represents a key
+type Int64 struct {
+	name        string
+	description string
+}
+
+// NewInt64 creates a new Key for int64 values.
+func NewInt64(name, description string) *Int64 {
+	return &Int64{name: name, description: description}
+}
+
+func (k *Int64) Name() string        { return k.name }
+func (k *Int64) Description() string { return k.description }
+
+func (k *Int64) Format(w io.Writer, buf []byte, l label.Label) {
+	w.Write(strconv.AppendInt(buf, k.From(l), 10))
+}
+
+// Of creates a new Label with this key and the supplied value.
+func (k *Int64) Of(v int64) label.Label { return label.Of64(k, uint64(v)) }
+
+// Get can be used to get a label for the key from a label.Map.
+func (k *Int64) Get(lm label.Map) int64 {
+	if t := lm.Find(k); t.Valid() {
+		return k.From(t)
+	}
+	return 0
+}
+
+// From can be used to get a value from a Label.
+func (k *Int64) From(t label.Label) int64 { return int64(t.Unpack64()) }
+
+// UInt represents a key
+type UInt struct {
+	name        string
+	description string
+}
+
+// NewUInt creates a new Key for uint values.
+func NewUInt(name, description string) *UInt {
+	return &UInt{name: name, description: description}
+}
+
+func (k *UInt) Name() string        { return k.name }
+func (k *UInt) Description() string { return k.description }
+
+func (k *UInt) Format(w io.Writer, buf []byte, l label.Label) {
+	w.Write(strconv.AppendUint(buf, uint64(k.From(l)), 10))
+}
+
+// Of creates a new Label with this key and the supplied value.
+func (k *UInt) Of(v uint) label.Label { return label.Of64(k, uint64(v)) }
+
+// Get can be used to get a label for the key from a label.Map.
+func (k *UInt) Get(lm label.Map) uint {
+	if t := lm.Find(k); t.Valid() {
+		return k.From(t)
+	}
+	return 0
+}
+
+// From can be used to get a value from a Label.
+func (k *UInt) From(t label.Label) uint { return uint(t.Unpack64()) }
+
+// UInt8 represents a key
+type UInt8 struct {
+	name        string
+	description string
+}
+
+// NewUInt8 creates a new Key for uint8 values.
+func NewUInt8(name, description string) *UInt8 {
+	return &UInt8{name: name, description: description}
+}
+
+func (k *UInt8) Name() string        { return k.name }
+func (k *UInt8) Description() string { return k.description }
+
+func (k *UInt8) Format(w io.Writer, buf []byte, l label.Label) {
+	w.Write(strconv.AppendUint(buf, uint64(k.From(l)), 10))
+}
+
+// Of creates a new Label with this key and the supplied value.
+func (k *UInt8) Of(v uint8) label.Label { return label.Of64(k, uint64(v)) }
+
+// Get can be used to get a label for the key from a label.Map.
+func (k *UInt8) Get(lm label.Map) uint8 {
+	if t := lm.Find(k); t.Valid() {
+		return k.From(t)
+	}
+	return 0
+}
+
+// From can be used to get a value from a Label.
+func (k *UInt8) From(t label.Label) uint8 { return uint8(t.Unpack64()) }
+
+// UInt16 represents a key
+type UInt16 struct {
+	name        string
+	description string
+}
+
+// NewUInt16 creates a new Key for uint16 values.
+func NewUInt16(name, description string) *UInt16 {
+	return &UInt16{name: name, description: description}
+}
+
+func (k *UInt16) Name() string        { return k.name }
+func (k *UInt16) Description() string { return k.description }
+
+func (k *UInt16) Format(w io.Writer, buf []byte, l label.Label) {
+	w.Write(strconv.AppendUint(buf, uint64(k.From(l)), 10))
+}
+
+// Of creates a new Label with this key and the supplied value.
+func (k *UInt16) Of(v uint16) label.Label { return label.Of64(k, uint64(v)) }
+
+// Get can be used to get a label for the key from a label.Map.
+func (k *UInt16) Get(lm label.Map) uint16 {
+	if t := lm.Find(k); t.Valid() {
+		return k.From(t)
+	}
+	return 0
+}
+
+// From can be used to get a value from a Label.
+func (k *UInt16) From(t label.Label) uint16 { return uint16(t.Unpack64()) }
+
+// UInt32 represents a key
+type UInt32 struct {
+	name        string
+	description string
+}
+
+// NewUInt32 creates a new Key for uint32 values.
+func NewUInt32(name, description string) *UInt32 {
+	return &UInt32{name: name, description: description}
+}
+
+func (k *UInt32) Name() string        { return k.name }
+func (k *UInt32) Description() string { return k.description }
+
+func (k *UInt32) Format(w io.Writer, buf []byte, l label.Label) {
+	w.Write(strconv.AppendUint(buf, uint64(k.From(l)), 10))
+}
+
+// Of creates a new Label with this key and the supplied value.
+func (k *UInt32) Of(v uint32) label.Label { return label.Of64(k, uint64(v)) }
+
+// Get can be used to get a label for the key from a label.Map.
+func (k *UInt32) Get(lm label.Map) uint32 {
+	if t := lm.Find(k); t.Valid() {
+		return k.From(t)
+	}
+	return 0
+}
+
+// From can be used to get a value from a Label.
+func (k *UInt32) From(t label.Label) uint32 { return uint32(t.Unpack64()) }
+
+// UInt64 represents a key
+type UInt64 struct {
+	name        string
+	description string
+}
+
+// NewUInt64 creates a new Key for uint64 values.
+func NewUInt64(name, description string) *UInt64 {
+	return &UInt64{name: name, description: description}
+}
+
+func (k *UInt64) Name() string        { return k.name }
+func (k *UInt64) Description() string { return k.description }
+
+func (k *UInt64) Format(w io.Writer, buf []byte, l label.Label) {
+	w.Write(strconv.AppendUint(buf, k.From(l), 10))
+}
+
+// Of creates a new Label with this key and the supplied value.
+func (k *UInt64) Of(v uint64) label.Label { return label.Of64(k, v) }
+
+// Get can be used to get a label for the key from a label.Map.
+func (k *UInt64) Get(lm label.Map) uint64 {
+	if t := lm.Find(k); t.Valid() {
+		return k.From(t)
+	}
+	return 0
+}
+
+// From can be used to get a value from a Label.
+func (k *UInt64) From(t label.Label) uint64 { return t.Unpack64() }
+
+// Float32 represents a key
+type Float32 struct {
+	name        string
+	description string
+}
+
+// NewFloat32 creates a new Key for float32 values.
+func NewFloat32(name, description string) *Float32 {
+	return &Float32{name: name, description: description}
+}
+
+func (k *Float32) Name() string        { return k.name }
+func (k *Float32) Description() string { return k.description }
+
+func (k *Float32) Format(w io.Writer, buf []byte, l label.Label) {
+	w.Write(strconv.AppendFloat(buf, float64(k.From(l)), 'E', -1, 32))
+}
+
+// Of creates a new Label with this key and the supplied value.
+func (k *Float32) Of(v float32) label.Label {
+	return label.Of64(k, uint64(math.Float32bits(v)))
+}
+
+// Get can be used to get a label for the key from a label.Map.
+func (k *Float32) Get(lm label.Map) float32 {
+	if t := lm.Find(k); t.Valid() {
+		return k.From(t)
+	}
+	return 0
+}
+
+// From can be used to get a value from a Label.
+func (k *Float32) From(t label.Label) float32 {
+	return math.Float32frombits(uint32(t.Unpack64()))
+}
+
+// Float64 represents a key
+type Float64 struct {
+	name        string
+	description string
+}
+
+// NewFloat64 creates a new Key for int64 values.
+func NewFloat64(name, description string) *Float64 {
+	return &Float64{name: name, description: description}
+}
+
+func (k *Float64) Name() string        { return k.name }
+func (k *Float64) Description() string { return k.description }
+
+func (k *Float64) Format(w io.Writer, buf []byte, l label.Label) {
+	w.Write(strconv.AppendFloat(buf, k.From(l), 'E', -1, 64))
+}
+
+// Of creates a new Label with this key and the supplied value.
+func (k *Float64) Of(v float64) label.Label {
+	return label.Of64(k, math.Float64bits(v))
+}
+
+// Get can be used to get a label for the key from a label.Map.
+func (k *Float64) Get(lm label.Map) float64 {
+	if t := lm.Find(k); t.Valid() {
+		return k.From(t)
+	}
+	return 0
+}
+
+// From can be used to get a value from a Label.
+func (k *Float64) From(t label.Label) float64 {
+	return math.Float64frombits(t.Unpack64())
+}
+
+// String represents a key
+type String struct {
+	name        string
+	description string
+}
+
+// NewString creates a new Key for int64 values.
+func NewString(name, description string) *String {
+	return &String{name: name, description: description}
+}
+
+func (k *String) Name() string        { return k.name }
+func (k *String) Description() string { return k.description }
+
+func (k *String) Format(w io.Writer, buf []byte, l label.Label) {
+	w.Write(strconv.AppendQuote(buf, k.From(l)))
+}
+
+// Of creates a new Label with this key and the supplied value.
+func (k *String) Of(v string) label.Label { return label.OfString(k, v) }
+
+// Get can be used to get a label for the key from a label.Map.
+func (k *String) Get(lm label.Map) string {
+	if t := lm.Find(k); t.Valid() {
+		return k.From(t)
+	}
+	return ""
+}
+
+// From can be used to get a value from a Label.
+func (k *String) From(t label.Label) string { return t.UnpackString() }
+
+// Boolean represents a key
+type Boolean struct {
+	name        string
+	description string
+}
+
+// NewBoolean creates a new Key for bool values.
+func NewBoolean(name, description string) *Boolean {
+	return &Boolean{name: name, description: description}
+}
+
+func (k *Boolean) Name() string        { return k.name }
+func (k *Boolean) Description() string { return k.description }
+
+func (k *Boolean) Format(w io.Writer, buf []byte, l label.Label) {
+	w.Write(strconv.AppendBool(buf, k.From(l)))
+}
+
+// Of creates a new Label with this key and the supplied value.
+func (k *Boolean) Of(v bool) label.Label {
+	if v {
+		return label.Of64(k, 1)
+	}
+	return label.Of64(k, 0)
+}
+
+// Get can be used to get a label for the key from a label.Map.
+func (k *Boolean) Get(lm label.Map) bool {
+	if t := lm.Find(k); t.Valid() {
+		return k.From(t)
+	}
+	return false
+}
+
+// From can be used to get a value from a Label.
+func (k *Boolean) From(t label.Label) bool { return t.Unpack64() > 0 }
+
+// Error represents a key
+type Error struct {
+	name        string
+	description string
+}
+
+// NewError creates a new Key for int64 values.
+func NewError(name, description string) *Error {
+	return &Error{name: name, description: description}
+}
+
+func (k *Error) Name() string        { return k.name }
+func (k *Error) Description() string { return k.description }
+
+func (k *Error) Format(w io.Writer, buf []byte, l label.Label) {
+	io.WriteString(w, k.From(l).Error())
+}
+
+// Of creates a new Label with this key and the supplied value.
+func (k *Error) Of(v error) label.Label { return label.OfValue(k, v) }
+
+// Get can be used to get a label for the key from a label.Map.
+func (k *Error) Get(lm label.Map) error {
+	if t := lm.Find(k); t.Valid() {
+		return k.From(t)
+	}
+	return nil
+}
+
+// From can be used to get a value from a Label.
+func (k *Error) From(t label.Label) error {
+	err, _ := t.UnpackValue().(error)
+	return err
+}
diff --git a/vendor/golang.org/x/tools/internal/event/keys/standard.go b/vendor/golang.org/x/tools/internal/event/keys/standard.go
new file mode 100644
index 0000000000..7e95866592
--- /dev/null
+++ b/vendor/golang.org/x/tools/internal/event/keys/standard.go
@@ -0,0 +1,22 @@
+// Copyright 2020 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package keys
+
+var (
+	// Msg is a key used to add message strings to label lists.
+	Msg = NewString("message", "a readable message")
+	// Label is a key used to indicate an event adds labels to the context.
+	Label = NewTag("label", "a label context marker")
+	// Start is used for things like traces that have a name.
+	Start = NewString("start", "span start")
+	// Metric is a key used to indicate an event records metrics.
+	End = NewTag("end", "a span end marker")
+	// Metric is a key used to indicate an event records metrics.
+	Detach = NewTag("detach", "a span detach marker")
+	// Err is a key used to add error values to label lists.
+	Err = NewError("error", "an error that occurred")
+	// Metric is a key used to indicate an event records metrics.
+	Metric = NewTag("metric", "a metric event marker")
+)
diff --git a/vendor/golang.org/x/tools/internal/event/keys/util.go b/vendor/golang.org/x/tools/internal/event/keys/util.go
new file mode 100644
index 0000000000..c0e8e731c9
--- /dev/null
+++ b/vendor/golang.org/x/tools/internal/event/keys/util.go
@@ -0,0 +1,21 @@
+// Copyright 2023 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package keys
+
+import (
+	"sort"
+	"strings"
+)
+
+// Join returns a canonical join of the keys in S:
+// a sorted comma-separated string list.
+func Join[S ~[]T, T ~string](s S) string {
+	strs := make([]string, 0, len(s))
+	for _, v := range s {
+		strs = append(strs, string(v))
+	}
+	sort.Strings(strs)
+	return strings.Join(strs, ",")
+}
diff --git a/vendor/golang.org/x/tools/internal/event/label/label.go b/vendor/golang.org/x/tools/internal/event/label/label.go
new file mode 100644
index 0000000000..c37584af94
--- /dev/null
+++ b/vendor/golang.org/x/tools/internal/event/label/label.go
@@ -0,0 +1,208 @@
+// Copyright 2019 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package label
+
+import (
+	"fmt"
+	"io"
+	"slices"
+	"unsafe"
+)
+
+// Key is used as the identity of a Label.
+// Keys are intended to be compared by pointer only, the name should be unique
+// for communicating with external systems, but it is not required or enforced.
+type Key interface {
+	// Name returns the key name.
+	Name() string
+	// Description returns a string that can be used to describe the value.
+	Description() string
+
+	// Format is used in formatting to append the value of the label to the
+	// supplied buffer.
+	// The formatter may use the supplied buf as a scratch area to avoid
+	// allocations.
+	Format(w io.Writer, buf []byte, l Label)
+}
+
+// Label holds a key and value pair.
+// It is normally used when passing around lists of labels.
+type Label struct {
+	key     Key
+	packed  uint64
+	untyped any
+}
+
+// Map is the interface to a collection of Labels indexed by key.
+type Map interface {
+	// Find returns the label that matches the supplied key.
+	Find(key Key) Label
+}
+
+// List is the interface to something that provides an iterable
+// list of labels.
+// Iteration should start from 0 and continue until Valid returns false.
+type List interface {
+	// Valid returns true if the index is within range for the list.
+	// It does not imply the label at that index will itself be valid.
+	Valid(index int) bool
+	// Label returns the label at the given index.
+	Label(index int) Label
+}
+
+// list implements LabelList for a list of Labels.
+type list struct {
+	labels []Label
+}
+
+// filter wraps a LabelList filtering out specific labels.
+type filter struct {
+	keys       []Key
+	underlying List
+}
+
+// listMap implements LabelMap for a simple list of labels.
+type listMap struct {
+	labels []Label
+}
+
+// mapChain implements LabelMap for a list of underlying LabelMap.
+type mapChain struct {
+	maps []Map
+}
+
+// OfValue creates a new label from the key and value.
+// This method is for implementing new key types, label creation should
+// normally be done with the Of method of the key.
+func OfValue(k Key, value any) Label { return Label{key: k, untyped: value} }
+
+// UnpackValue assumes the label was built using LabelOfValue and returns the value
+// that was passed to that constructor.
+// This method is for implementing new key types, for type safety normal
+// access should be done with the From method of the key.
+func (t Label) UnpackValue() any { return t.untyped }
+
+// Of64 creates a new label from a key and a uint64. This is often
+// used for non uint64 values that can be packed into a uint64.
+// This method is for implementing new key types, label creation should
+// normally be done with the Of method of the key.
+func Of64(k Key, v uint64) Label { return Label{key: k, packed: v} }
+
+// Unpack64 assumes the label was built using LabelOf64 and returns the value that
+// was passed to that constructor.
+// This method is for implementing new key types, for type safety normal
+// access should be done with the From method of the key.
+func (t Label) Unpack64() uint64 { return t.packed }
+
+type stringptr unsafe.Pointer
+
+// OfString creates a new label from a key and a string.
+// This method is for implementing new key types, label creation should
+// normally be done with the Of method of the key.
+func OfString(k Key, v string) Label {
+	return Label{
+		key:     k,
+		packed:  uint64(len(v)),
+		untyped: stringptr(unsafe.StringData(v)),
+	}
+}
+
+// UnpackString assumes the label was built using LabelOfString and returns the
+// value that was passed to that constructor.
+// This method is for implementing new key types, for type safety normal
+// access should be done with the From method of the key.
+func (t Label) UnpackString() string {
+	return unsafe.String((*byte)(t.untyped.(stringptr)), int(t.packed))
+}
+
+// Valid returns true if the Label is a valid one (it has a key).
+func (t Label) Valid() bool { return t.key != nil }
+
+// Key returns the key of this Label.
+func (t Label) Key() Key { return t.key }
+
+// Format is used for debug printing of labels.
+func (t Label) Format(f fmt.State, r rune) {
+	if !t.Valid() {
+		io.WriteString(f, `nil`)
+		return
+	}
+	io.WriteString(f, t.Key().Name())
+	io.WriteString(f, "=")
+	var buf [128]byte
+	t.Key().Format(f, buf[:0], t)
+}
+
+func (l *list) Valid(index int) bool {
+	return index >= 0 && index < len(l.labels)
+}
+
+func (l *list) Label(index int) Label {
+	return l.labels[index]
+}
+
+func (f *filter) Valid(index int) bool {
+	return f.underlying.Valid(index)
+}
+
+func (f *filter) Label(index int) Label {
+	l := f.underlying.Label(index)
+	if slices.Contains(f.keys, l.Key()) {
+		return Label{}
+	}
+	return l
+}
+
+func (lm listMap) Find(key Key) Label {
+	for _, l := range lm.labels {
+		if l.Key() == key {
+			return l
+		}
+	}
+	return Label{}
+}
+
+func (c mapChain) Find(key Key) Label {
+	for _, src := range c.maps {
+		l := src.Find(key)
+		if l.Valid() {
+			return l
+		}
+	}
+	return Label{}
+}
+
+var emptyList = &list{}
+
+func NewList(labels ...Label) List {
+	if len(labels) == 0 {
+		return emptyList
+	}
+	return &list{labels: labels}
+}
+
+func Filter(l List, keys ...Key) List {
+	if len(keys) == 0 {
+		return l
+	}
+	return &filter{keys: keys, underlying: l}
+}
+
+func NewMap(labels ...Label) Map {
+	return listMap{labels: labels}
+}
+
+func MergeMaps(srcs ...Map) Map {
+	var nonNil []Map
+	for _, src := range srcs {
+		if src != nil {
+			nonNil = append(nonNil, src)
+		}
+	}
+	if len(nonNil) == 1 {
+		return nonNil[0]
+	}
+	return mapChain{maps: nonNil}
+}
diff --git a/vendor/golang.org/x/tools/internal/gcimporter/bimport.go b/vendor/golang.org/x/tools/internal/gcimporter/bimport.go
new file mode 100644
index 0000000000..555ef626c0
--- /dev/null
+++ b/vendor/golang.org/x/tools/internal/gcimporter/bimport.go
@@ -0,0 +1,89 @@
+// Copyright 2015 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// This file contains the remaining vestiges of
+// $GOROOT/src/go/internal/gcimporter/bimport.go.
+
+package gcimporter
+
+import (
+	"fmt"
+	"go/token"
+	"go/types"
+	"sync"
+)
+
+func errorf(format string, args ...any) {
+	panic(fmt.Sprintf(format, args...))
+}
+
+const deltaNewFile = -64 // see cmd/compile/internal/gc/bexport.go
+
+// Synthesize a token.Pos
+type fakeFileSet struct {
+	fset  *token.FileSet
+	files map[string]*fileInfo
+}
+
+type fileInfo struct {
+	file     *token.File
+	lastline int
+}
+
+const maxlines = 64 * 1024
+
+func (s *fakeFileSet) pos(file string, line, column int) token.Pos {
+	_ = column // TODO(mdempsky): Make use of column.
+
+	// Since we don't know the set of needed file positions, we reserve maxlines
+	// positions per file. We delay calling token.File.SetLines until all
+	// positions have been calculated (by way of fakeFileSet.setLines), so that
+	// we can avoid setting unnecessary lines. See also golang/go#46586.
+	f := s.files[file]
+	if f == nil {
+		f = &fileInfo{file: s.fset.AddFile(file, -1, maxlines)}
+		s.files[file] = f
+	}
+	if line > maxlines {
+		line = 1
+	}
+	if line > f.lastline {
+		f.lastline = line
+	}
+
+	// Return a fake position assuming that f.file consists only of newlines.
+	return token.Pos(f.file.Base() + line - 1)
+}
+
+func (s *fakeFileSet) setLines() {
+	fakeLinesOnce.Do(func() {
+		fakeLines = make([]int, maxlines)
+		for i := range fakeLines {
+			fakeLines[i] = i
+		}
+	})
+	for _, f := range s.files {
+		f.file.SetLines(fakeLines[:f.lastline])
+	}
+}
+
+var (
+	fakeLines     []int
+	fakeLinesOnce sync.Once
+)
+
+func chanDir(d int) types.ChanDir {
+	// tag values must match the constants in cmd/compile/internal/gc/go.go
+	switch d {
+	case 1 /* Crecv */ :
+		return types.RecvOnly
+	case 2 /* Csend */ :
+		return types.SendOnly
+	case 3 /* Cboth */ :
+		return types.SendRecv
+	default:
+		errorf("unexpected channel dir %d", d)
+		return 0
+	}
+}
diff --git a/vendor/golang.org/x/tools/internal/gcimporter/exportdata.go b/vendor/golang.org/x/tools/internal/gcimporter/exportdata.go
new file mode 100644
index 0000000000..5662a311da
--- /dev/null
+++ b/vendor/golang.org/x/tools/internal/gcimporter/exportdata.go
@@ -0,0 +1,421 @@
+// Copyright 2011 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// This file should be kept in sync with $GOROOT/src/internal/exportdata/exportdata.go.
+// This file also additionally implements FindExportData for gcexportdata.NewReader.
+
+package gcimporter
+
+import (
+	"bufio"
+	"bytes"
+	"errors"
+	"fmt"
+	"go/build"
+	"io"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"strings"
+	"sync"
+)
+
+// FindExportData positions the reader r at the beginning of the
+// export data section of an underlying cmd/compile created archive
+// file by reading from it. The reader must be positioned at the
+// start of the file before calling this function.
+// This returns the length of the export data in bytes.
+//
+// This function is needed by [gcexportdata.Read], which must
+// accept inputs produced by the last two releases of cmd/compile,
+// plus tip.
+func FindExportData(r *bufio.Reader) (size int64, err error) {
+	arsize, err := FindPackageDefinition(r)
+	if err != nil {
+		return
+	}
+	size = int64(arsize)
+
+	objapi, headers, err := ReadObjectHeaders(r)
+	if err != nil {
+		return
+	}
+	size -= int64(len(objapi))
+	for _, h := range headers {
+		size -= int64(len(h))
+	}
+
+	// Check for the binary export data section header "$$B\n".
+	// TODO(taking): Unify with ReadExportDataHeader so that it stops at the 'u' instead of reading
+	line, err := r.ReadSlice('\n')
+	if err != nil {
+		return
+	}
+	hdr := string(line)
+	if hdr != "$$B\n" {
+		err = fmt.Errorf("unknown export data header: %q", hdr)
+		return
+	}
+	size -= int64(len(hdr))
+
+	// For files with a binary export data header "$$B\n",
+	// these are always terminated by an end-of-section marker "\n$$\n".
+	// So the last bytes must always be this constant.
+	//
+	// The end-of-section marker is not a part of the export data itself.
+	// Do not include these in size.
+	//
+	// It would be nice to have sanity check that the final bytes after
+	// the export data are indeed the end-of-section marker. The split
+	// of gcexportdata.NewReader and gcexportdata.Read make checking this
+	// ugly so gcimporter gives up enforcing this. The compiler and go/types
+	// importer do enforce this, which seems good enough.
+	const endofsection = "\n$$\n"
+	size -= int64(len(endofsection))
+
+	if size < 0 {
+		err = fmt.Errorf("invalid size (%d) in the archive file: %d bytes remain without section headers (recompile package)", arsize, size)
+		return
+	}
+
+	return
+}
+
+// ReadUnified reads the contents of the unified export data from a reader r
+// that contains the contents of a GC-created archive file.
+//
+// On success, the reader will be positioned after the end-of-section marker "\n$$\n".
+//
+// Supported GC-created archive files have 4 layers of nesting:
+//   - An archive file containing a package definition file.
+//   - The package definition file contains headers followed by a data section.
+//     Headers are lines (≤ 4kb) that do not start with "$$".
+//   - The data section starts with "$$B\n" followed by export data followed
+//     by an end of section marker "\n$$\n". (The section start "$$\n" is no
+//     longer supported.)
+//   - The export data starts with a format byte ('u') followed by the  in
+//     the given format. (See ReadExportDataHeader for older formats.)
+//
+// Putting this together, the bytes in a GC-created archive files are expected
+// to look like the following.
+// See cmd/internal/archive for more details on ar file headers.
+//
+// | \n             | ar file signature
+// | __.PKGDEF...size...\n | ar header for __.PKGDEF including size.
+// | go object <...>\n     | objabi header
+// | \n  | other headers such as build id
+// | $$B\n                 | binary format marker
+// | u\n             | unified export 
+// | $$\n                  | end-of-section marker
+// | [optional padding]    | padding byte (0x0A) if size is odd
+// | [ar file header]      | other ar files
+// | [ar file data]        |
+func ReadUnified(r *bufio.Reader) (data []byte, err error) {
+	// We historically guaranteed headers at the default buffer size (4096) work.
+	// This ensures we can use ReadSlice throughout.
+	const minBufferSize = 4096
+	r = bufio.NewReaderSize(r, minBufferSize)
+
+	size, err := FindPackageDefinition(r)
+	if err != nil {
+		return
+	}
+	n := size
+
+	objapi, headers, err := ReadObjectHeaders(r)
+	if err != nil {
+		return
+	}
+	n -= len(objapi)
+	for _, h := range headers {
+		n -= len(h)
+	}
+
+	hdrlen, err := ReadExportDataHeader(r)
+	if err != nil {
+		return
+	}
+	n -= hdrlen
+
+	// size also includes the end of section marker. Remove that many bytes from the end.
+	const marker = "\n$$\n"
+	n -= len(marker)
+
+	if n < 0 {
+		err = fmt.Errorf("invalid size (%d) in the archive file: %d bytes remain without section headers (recompile package)", size, n)
+		return
+	}
+
+	// Read n bytes from buf.
+	data = make([]byte, n)
+	_, err = io.ReadFull(r, data)
+	if err != nil {
+		return
+	}
+
+	// Check for marker at the end.
+	var suffix [len(marker)]byte
+	_, err = io.ReadFull(r, suffix[:])
+	if err != nil {
+		return
+	}
+	if s := string(suffix[:]); s != marker {
+		err = fmt.Errorf("read %q instead of end-of-section marker (%q)", s, marker)
+		return
+	}
+
+	return
+}
+
+// FindPackageDefinition positions the reader r at the beginning of a package
+// definition file ("__.PKGDEF") within a GC-created archive by reading
+// from it, and returns the size of the package definition file in the archive.
+//
+// The reader must be positioned at the start of the archive file before calling
+// this function, and "__.PKGDEF" is assumed to be the first file in the archive.
+//
+// See cmd/internal/archive for details on the archive format.
+func FindPackageDefinition(r *bufio.Reader) (size int, err error) {
+	// Uses ReadSlice to limit risk of malformed inputs.
+
+	// Read first line to make sure this is an object file.
+	line, err := r.ReadSlice('\n')
+	if err != nil {
+		err = fmt.Errorf("can't find export data (%v)", err)
+		return
+	}
+
+	// Is the first line an archive file signature?
+	if string(line) != "!\n" {
+		err = fmt.Errorf("not the start of an archive file (%q)", line)
+		return
+	}
+
+	// package export block should be first
+	size = readArchiveHeader(r, "__.PKGDEF")
+	if size <= 0 {
+		err = fmt.Errorf("not a package file")
+		return
+	}
+
+	return
+}
+
+// ReadObjectHeaders reads object headers from the reader. Object headers are
+// lines that do not start with an end-of-section marker "$$". The first header
+// is the objabi header. On success, the reader will be positioned at the beginning
+// of the end-of-section marker.
+//
+// It returns an error if any header does not fit in r.Size() bytes.
+func ReadObjectHeaders(r *bufio.Reader) (objapi string, headers []string, err error) {
+	// line is a temporary buffer for headers.
+	// Use bounded reads (ReadSlice, Peek) to limit risk of malformed inputs.
+	var line []byte
+
+	// objapi header should be the first line
+	if line, err = r.ReadSlice('\n'); err != nil {
+		err = fmt.Errorf("can't find export data (%v)", err)
+		return
+	}
+	objapi = string(line)
+
+	// objapi header begins with "go object ".
+	if !strings.HasPrefix(objapi, "go object ") {
+		err = fmt.Errorf("not a go object file: %s", objapi)
+		return
+	}
+
+	// process remaining object header lines
+	for {
+		// check for an end of section marker "$$"
+		line, err = r.Peek(2)
+		if err != nil {
+			return
+		}
+		if string(line) == "$$" {
+			return // stop
+		}
+
+		// read next header
+		line, err = r.ReadSlice('\n')
+		if err != nil {
+			return
+		}
+		headers = append(headers, string(line))
+	}
+}
+
+// ReadExportDataHeader reads the export data header and format from r.
+// It returns the number of bytes read, or an error if the format is no longer
+// supported or it failed to read.
+//
+// The only currently supported format is binary export data in the
+// unified export format.
+func ReadExportDataHeader(r *bufio.Reader) (n int, err error) {
+	// Read export data header.
+	line, err := r.ReadSlice('\n')
+	if err != nil {
+		return
+	}
+
+	hdr := string(line)
+	switch hdr {
+	case "$$\n":
+		err = fmt.Errorf("old textual export format no longer supported (recompile package)")
+		return
+
+	case "$$B\n":
+		var format byte
+		format, err = r.ReadByte()
+		if err != nil {
+			return
+		}
+		// The unified export format starts with a 'u'.
+		switch format {
+		case 'u':
+		default:
+			// Older no longer supported export formats include:
+			// indexed export format which started with an 'i'; and
+			// the older binary export format which started with a 'c',
+			// 'd', or 'v' (from "version").
+			err = fmt.Errorf("binary export format %q is no longer supported (recompile package)", format)
+			return
+		}
+
+	default:
+		err = fmt.Errorf("unknown export data header: %q", hdr)
+		return
+	}
+
+	n = len(hdr) + 1 // + 1 is for 'u'
+	return
+}
+
+// FindPkg returns the filename and unique package id for an import
+// path based on package information provided by build.Import (using
+// the build.Default build.Context). A relative srcDir is interpreted
+// relative to the current working directory.
+//
+// FindPkg is only used in tests within x/tools.
+func FindPkg(path, srcDir string) (filename, id string, err error) {
+	// TODO(taking): Move internal/exportdata.FindPkg into its own file,
+	// and then this copy into a _test package.
+	if path == "" {
+		return "", "", errors.New("path is empty")
+	}
+
+	var noext string
+	switch {
+	default:
+		// "x" -> "$GOPATH/pkg/$GOOS_$GOARCH/x.ext", "x"
+		// Don't require the source files to be present.
+		if abs, err := filepath.Abs(srcDir); err == nil { // see issue 14282
+			srcDir = abs
+		}
+		var bp *build.Package
+		bp, err = build.Import(path, srcDir, build.FindOnly|build.AllowBinary)
+		if bp.PkgObj == "" {
+			if bp.Goroot && bp.Dir != "" {
+				filename, err = lookupGorootExport(bp.Dir)
+				if err == nil {
+					_, err = os.Stat(filename)
+				}
+				if err == nil {
+					return filename, bp.ImportPath, nil
+				}
+			}
+			goto notfound
+		} else {
+			noext = strings.TrimSuffix(bp.PkgObj, ".a")
+		}
+		id = bp.ImportPath
+
+	case build.IsLocalImport(path):
+		// "./x" -> "/this/directory/x.ext", "/this/directory/x"
+		noext = filepath.Join(srcDir, path)
+		id = noext
+
+	case filepath.IsAbs(path):
+		// for completeness only - go/build.Import
+		// does not support absolute imports
+		// "/x" -> "/x.ext", "/x"
+		noext = path
+		id = path
+	}
+
+	if false { // for debugging
+		if path != id {
+			fmt.Printf("%s -> %s\n", path, id)
+		}
+	}
+
+	// try extensions
+	for _, ext := range pkgExts {
+		filename = noext + ext
+		f, statErr := os.Stat(filename)
+		if statErr == nil && !f.IsDir() {
+			return filename, id, nil
+		}
+		if err == nil {
+			err = statErr
+		}
+	}
+
+notfound:
+	if err == nil {
+		return "", path, fmt.Errorf("can't find import: %q", path)
+	}
+	return "", path, fmt.Errorf("can't find import: %q: %w", path, err)
+}
+
+var pkgExts = [...]string{".a", ".o"} // a file from the build cache will have no extension
+
+var exportMap sync.Map // package dir → func() (string, error)
+
+// lookupGorootExport returns the location of the export data
+// (normally found in the build cache, but located in GOROOT/pkg
+// in prior Go releases) for the package located in pkgDir.
+//
+// (We use the package's directory instead of its import path
+// mainly to simplify handling of the packages in src/vendor
+// and cmd/vendor.)
+//
+// lookupGorootExport is only used in tests within x/tools.
+func lookupGorootExport(pkgDir string) (string, error) {
+	f, ok := exportMap.Load(pkgDir)
+	if !ok {
+		var (
+			listOnce   sync.Once
+			exportPath string
+			err        error
+		)
+		f, _ = exportMap.LoadOrStore(pkgDir, func() (string, error) {
+			listOnce.Do(func() {
+				cmd := exec.Command(filepath.Join(build.Default.GOROOT, "bin", "go"), "list", "-export", "-f", "{{.Export}}", pkgDir)
+				cmd.Dir = build.Default.GOROOT
+				cmd.Env = append(os.Environ(), "PWD="+cmd.Dir, "GOROOT="+build.Default.GOROOT)
+				var output []byte
+				output, err = cmd.Output()
+				if err != nil {
+					if ee, ok := err.(*exec.ExitError); ok && len(ee.Stderr) > 0 {
+						err = errors.New(string(ee.Stderr))
+					}
+					return
+				}
+
+				exports := strings.Split(string(bytes.TrimSpace(output)), "\n")
+				if len(exports) != 1 {
+					err = fmt.Errorf("go list reported %d exports; expected 1", len(exports))
+					return
+				}
+
+				exportPath = exports[0]
+			})
+
+			return exportPath, err
+		})
+	}
+
+	return f.(func() (string, error))()
+}
diff --git a/vendor/golang.org/x/tools/internal/gcimporter/gcimporter.go b/vendor/golang.org/x/tools/internal/gcimporter/gcimporter.go
new file mode 100644
index 0000000000..3dbd21d1b9
--- /dev/null
+++ b/vendor/golang.org/x/tools/internal/gcimporter/gcimporter.go
@@ -0,0 +1,108 @@
+// Copyright 2011 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// This file is a reduced copy of $GOROOT/src/go/internal/gcimporter/gcimporter.go.
+
+// Package gcimporter provides various functions for reading
+// gc-generated object files that can be used to implement the
+// Importer interface defined by the Go 1.5 standard library package.
+//
+// The encoding is deterministic: if the encoder is applied twice to
+// the same types.Package data structure, both encodings are equal.
+// This property may be important to avoid spurious changes in
+// applications such as build systems.
+//
+// However, the encoder is not necessarily idempotent. Importing an
+// exported package may yield a types.Package that, while it
+// represents the same set of Go types as the original, may differ in
+// the details of its internal representation. Because of these
+// differences, re-encoding the imported package may yield a
+// different, but equally valid, encoding of the package.
+package gcimporter // import "golang.org/x/tools/internal/gcimporter"
+
+import (
+	"bufio"
+	"fmt"
+	"go/token"
+	"go/types"
+	"io"
+	"os"
+)
+
+const (
+	// Enable debug during development: it adds some additional checks, and
+	// prevents errors from being recovered.
+	debug = false
+
+	// If trace is set, debugging output is printed to std out.
+	trace = false
+)
+
+// Import imports a gc-generated package given its import path and srcDir, adds
+// the corresponding package object to the packages map, and returns the object.
+// The packages map must contain all packages already imported.
+//
+// Import is only used in tests.
+func Import(fset *token.FileSet, packages map[string]*types.Package, path, srcDir string, lookup func(path string) (io.ReadCloser, error)) (pkg *types.Package, err error) {
+	var rc io.ReadCloser
+	var id string
+	if lookup != nil {
+		// With custom lookup specified, assume that caller has
+		// converted path to a canonical import path for use in the map.
+		if path == "unsafe" {
+			return types.Unsafe, nil
+		}
+		id = path
+
+		// No need to re-import if the package was imported completely before.
+		if pkg = packages[id]; pkg != nil && pkg.Complete() {
+			return
+		}
+		f, err := lookup(path)
+		if err != nil {
+			return nil, err
+		}
+		rc = f
+	} else {
+		var filename string
+		filename, id, err = FindPkg(path, srcDir)
+		if filename == "" {
+			if path == "unsafe" {
+				return types.Unsafe, nil
+			}
+			return nil, err
+		}
+
+		// no need to re-import if the package was imported completely before
+		if pkg = packages[id]; pkg != nil && pkg.Complete() {
+			return
+		}
+
+		// open file
+		f, err := os.Open(filename)
+		if err != nil {
+			return nil, err
+		}
+		defer func() {
+			if err != nil {
+				// add file name to error
+				err = fmt.Errorf("%s: %v", filename, err)
+			}
+		}()
+		rc = f
+	}
+	defer rc.Close()
+
+	buf := bufio.NewReader(rc)
+	data, err := ReadUnified(buf)
+	if err != nil {
+		err = fmt.Errorf("import %q: %v", path, err)
+		return
+	}
+
+	// unified: emitted by cmd/compile since go1.20.
+	_, pkg, err = UImportData(fset, packages, data, id)
+
+	return
+}
diff --git a/vendor/golang.org/x/tools/internal/gcimporter/iexport.go b/vendor/golang.org/x/tools/internal/gcimporter/iexport.go
new file mode 100644
index 0000000000..2bef2b058b
--- /dev/null
+++ b/vendor/golang.org/x/tools/internal/gcimporter/iexport.go
@@ -0,0 +1,1603 @@
+// Copyright 2019 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Indexed package export.
+//
+// The indexed export data format is an evolution of the previous
+// binary export data format. Its chief contribution is introducing an
+// index table, which allows efficient random access of individual
+// declarations and inline function bodies. In turn, this allows
+// avoiding unnecessary work for compilation units that import large
+// packages.
+//
+//
+// The top-level data format is structured as:
+//
+//     Header struct {
+//         Tag        byte   // 'i'
+//         Version    uvarint
+//         StringSize uvarint
+//         DataSize   uvarint
+//     }
+//
+//     Strings [StringSize]byte
+//     Data    [DataSize]byte
+//
+//     MainIndex []struct{
+//         PkgPath   stringOff
+//         PkgName   stringOff
+//         PkgHeight uvarint
+//
+//         Decls []struct{
+//             Name   stringOff
+//             Offset declOff
+//         }
+//     }
+//
+//     Fingerprint [8]byte
+//
+// uvarint means a uint64 written out using uvarint encoding.
+//
+// []T means a uvarint followed by that many T objects. In other
+// words:
+//
+//     Len   uvarint
+//     Elems [Len]T
+//
+// stringOff means a uvarint that indicates an offset within the
+// Strings section. At that offset is another uvarint, followed by
+// that many bytes, which form the string value.
+//
+// declOff means a uvarint that indicates an offset within the Data
+// section where the associated declaration can be found.
+//
+//
+// There are five kinds of declarations, distinguished by their first
+// byte:
+//
+//     type Var struct {
+//         Tag  byte // 'V'
+//         Pos  Pos
+//         Type typeOff
+//     }
+//
+//     type Func struct {
+//         Tag       byte // 'F' or 'G'
+//         Pos       Pos
+//         TypeParams []typeOff  // only present if Tag == 'G'
+//         Signature Signature
+//     }
+//
+//     type Const struct {
+//         Tag   byte // 'C'
+//         Pos   Pos
+//         Value Value
+//     }
+//
+//     type Type struct {
+//         Tag        byte // 'T' or 'U'
+//         Pos        Pos
+//         TypeParams []typeOff  // only present if Tag == 'U'
+//         Underlying typeOff
+//
+//         Methods []struct{  // omitted if Underlying is an interface type
+//             Pos       Pos
+//             Name      stringOff
+//             Recv      Param
+//             Signature Signature
+//         }
+//     }
+//
+//     type Alias struct {
+//         Tag  byte // 'A' or 'B'
+//         Pos  Pos
+//         TypeParams []typeOff  // only present if Tag == 'B'
+//         Type typeOff
+//     }
+//
+//     // "Automatic" declaration of each typeparam
+//     type TypeParam struct {
+//         Tag        byte // 'P'
+//         Pos        Pos
+//         Implicit   bool
+//         Constraint typeOff
+//     }
+//
+// typeOff means a uvarint that either indicates a predeclared type,
+// or an offset into the Data section. If the uvarint is less than
+// predeclReserved, then it indicates the index into the predeclared
+// types list (see predeclared in bexport.go for order). Otherwise,
+// subtracting predeclReserved yields the offset of a type descriptor.
+//
+// Value means a type, kind, and type-specific value. See
+// (*exportWriter).value for details.
+//
+//
+// There are twelve kinds of type descriptors, distinguished by an itag:
+//
+//     type DefinedType struct {
+//         Tag     itag // definedType
+//         Name    stringOff
+//         PkgPath stringOff
+//     }
+//
+//     type PointerType struct {
+//         Tag  itag // pointerType
+//         Elem typeOff
+//     }
+//
+//     type SliceType struct {
+//         Tag  itag // sliceType
+//         Elem typeOff
+//     }
+//
+//     type ArrayType struct {
+//         Tag  itag // arrayType
+//         Len  uint64
+//         Elem typeOff
+//     }
+//
+//     type ChanType struct {
+//         Tag  itag   // chanType
+//         Dir  uint64 // 1 RecvOnly; 2 SendOnly; 3 SendRecv
+//         Elem typeOff
+//     }
+//
+//     type MapType struct {
+//         Tag  itag // mapType
+//         Key  typeOff
+//         Elem typeOff
+//     }
+//
+//     type FuncType struct {
+//         Tag       itag // signatureType
+//         PkgPath   stringOff
+//         Signature Signature
+//     }
+//
+//     type StructType struct {
+//         Tag     itag // structType
+//         PkgPath stringOff
+//         Fields []struct {
+//             Pos      Pos
+//             Name     stringOff
+//             Type     typeOff
+//             Embedded bool
+//             Note     stringOff
+//         }
+//     }
+//
+//     type InterfaceType struct {
+//         Tag     itag // interfaceType
+//         PkgPath stringOff
+//         Embeddeds []struct {
+//             Pos  Pos
+//             Type typeOff
+//         }
+//         Methods []struct {
+//             Pos       Pos
+//             Name      stringOff
+//             Signature Signature
+//         }
+//     }
+//
+//     // Reference to a type param declaration
+//     type TypeParamType struct {
+//         Tag     itag // typeParamType
+//         Name    stringOff
+//         PkgPath stringOff
+//     }
+//
+//     // Instantiation of a generic type (like List[T2] or List[int])
+//     type InstanceType struct {
+//         Tag     itag // instanceType
+//         Pos     pos
+//         TypeArgs []typeOff
+//         BaseType typeOff
+//     }
+//
+//     type UnionType struct {
+//         Tag     itag // interfaceType
+//         Terms   []struct {
+//             tilde bool
+//             Type  typeOff
+//         }
+//     }
+//
+//
+//
+//     type Signature struct {
+//         Params   []Param
+//         Results  []Param
+//         Variadic bool  // omitted if Results is empty
+//     }
+//
+//     type Param struct {
+//         Pos  Pos
+//         Name stringOff
+//         Type typOff
+//     }
+//
+//
+// Pos encodes a file:line:column triple, incorporating a simple delta
+// encoding scheme within a data object. See exportWriter.pos for
+// details.
+
+package gcimporter
+
+import (
+	"bytes"
+	"encoding/binary"
+	"fmt"
+	"go/constant"
+	"go/token"
+	"go/types"
+	"io"
+	"math/big"
+	"reflect"
+	"slices"
+	"sort"
+	"strconv"
+	"strings"
+
+	"golang.org/x/tools/go/types/objectpath"
+	"golang.org/x/tools/internal/aliases"
+)
+
+// IExportShallow encodes "shallow" export data for the specified package.
+//
+// For types, we use "shallow" export data. Historically, the Go
+// compiler always produced a summary of the types for a given package
+// that included types from other packages that it indirectly
+// referenced: "deep" export data. This had the advantage that the
+// compiler (and analogous tools such as gopls) need only load one
+// file per direct import.  However, it meant that the files tended to
+// get larger based on the level of the package in the import
+// graph. For example, higher-level packages in the kubernetes module
+// have over 1MB of "deep" export data, even when they have almost no
+// content of their own, merely because they mention a major type that
+// references many others. In pathological cases the export data was
+// 300x larger than the source for a package due to this quadratic
+// growth.
+//
+// "Shallow" export data means that the serialized types describe only
+// a single package. If those types mention types from other packages,
+// the type checker may need to request additional packages beyond
+// just the direct imports. Type information for the entire transitive
+// closure of imports is provided (lazily) by the DAG.
+//
+// No promises are made about the encoding other than that it can be decoded by
+// the same version of IIExportShallow. If you plan to save export data in the
+// file system, be sure to include a cryptographic digest of the executable in
+// the key to avoid version skew.
+//
+// If the provided reportf func is non-nil, it is used for reporting
+// bugs (e.g. recovered panics) encountered during export, enabling us
+// to obtain via telemetry the stack that would otherwise be lost by
+// merely returning an error.
+func IExportShallow(fset *token.FileSet, pkg *types.Package, reportf ReportFunc) ([]byte, error) {
+	// In principle this operation can only fail if out.Write fails,
+	// but that's impossible for bytes.Buffer---and as a matter of
+	// fact iexportCommon doesn't even check for I/O errors.
+	// TODO(adonovan): handle I/O errors properly.
+	// TODO(adonovan): use byte slices throughout, avoiding copying.
+	const bundle, shallow = false, true
+	var out bytes.Buffer
+	err := iexportCommon(&out, fset, bundle, shallow, iexportVersion, []*types.Package{pkg}, reportf)
+	return out.Bytes(), err
+}
+
+// IImportShallow decodes "shallow" types.Package data encoded by
+// [IExportShallow] in the same executable. This function cannot import data
+// from cmd/compile or gcexportdata.Write.
+//
+// The importer calls getPackages to obtain package symbols for all
+// packages mentioned in the export data, including the one being
+// decoded.
+//
+// If the provided reportf func is non-nil, it will be used for reporting bugs
+// encountered during import.
+// TODO(rfindley): remove reportf when we are confident enough in the new
+// objectpath encoding.
+func IImportShallow(fset *token.FileSet, getPackages GetPackagesFunc, data []byte, path string, reportf ReportFunc) (*types.Package, error) {
+	const bundle = false
+	const shallow = true
+	pkgs, err := iimportCommon(fset, getPackages, data, bundle, path, shallow, reportf)
+	if err != nil {
+		return nil, err
+	}
+	return pkgs[0], nil
+}
+
+// ReportFunc is the type of a function used to report formatted bugs.
+type ReportFunc = func(string, ...any)
+
+// Current bundled export format version. Increase with each format change.
+// 0: initial implementation
+const bundleVersion = 0
+
+// IExportData writes indexed export data for pkg to out.
+//
+// If no file set is provided, position info will be missing.
+// The package path of the top-level package will not be recorded,
+// so that calls to IImportData can override with a provided package path.
+func IExportData(out io.Writer, fset *token.FileSet, pkg *types.Package) error {
+	const bundle, shallow = false, false
+	return iexportCommon(out, fset, bundle, shallow, iexportVersion, []*types.Package{pkg}, nil)
+}
+
+// IExportBundle writes an indexed export bundle for pkgs to out.
+func IExportBundle(out io.Writer, fset *token.FileSet, pkgs []*types.Package) error {
+	const bundle, shallow = true, false
+	return iexportCommon(out, fset, bundle, shallow, iexportVersion, pkgs, nil)
+}
+
+func iexportCommon(out io.Writer, fset *token.FileSet, bundle, shallow bool, version int, pkgs []*types.Package, reportf ReportFunc) (err error) {
+	if !debug {
+		defer func() {
+			if e := recover(); e != nil {
+				// Report the stack via telemetry (see #71067).
+				if reportf != nil {
+					reportf("panic in exporter")
+				}
+				if ierr, ok := e.(internalError); ok {
+					// internalError usually means we exported a
+					// bad go/types data structure: a violation
+					// of an implicit precondition of Export.
+					err = ierr
+					return
+				}
+				// Not an internal error; panic again.
+				panic(e)
+			}
+		}()
+	}
+
+	p := iexporter{
+		fset:        fset,
+		version:     version,
+		shallow:     shallow,
+		allPkgs:     map[*types.Package]bool{},
+		stringIndex: map[string]uint64{},
+		declIndex:   map[types.Object]uint64{},
+		tparamNames: map[types.Object]string{},
+		typIndex:    map[types.Type]uint64{},
+	}
+	if !bundle {
+		p.localpkg = pkgs[0]
+	}
+
+	for i, pt := range predeclared() {
+		p.typIndex[pt] = uint64(i)
+	}
+	if len(p.typIndex) > predeclReserved {
+		panic(internalErrorf("too many predeclared types: %d > %d", len(p.typIndex), predeclReserved))
+	}
+
+	// Initialize work queue with exported declarations.
+	for _, pkg := range pkgs {
+		scope := pkg.Scope()
+		for _, name := range scope.Names() {
+			if token.IsExported(name) {
+				p.pushDecl(scope.Lookup(name))
+			}
+		}
+
+		if bundle {
+			// Ensure pkg and its imports are included in the index.
+			p.allPkgs[pkg] = true
+			for _, imp := range pkg.Imports() {
+				p.allPkgs[imp] = true
+			}
+		}
+	}
+
+	// Loop until no more work.
+	for !p.declTodo.empty() {
+		p.doDecl(p.declTodo.popHead())
+	}
+
+	// Produce index of offset of each file record in files.
+	var files intWriter
+	var fileOffset []uint64 // fileOffset[i] is offset in files of file encoded as i
+	if p.shallow {
+		fileOffset = make([]uint64, len(p.fileInfos))
+		for i, info := range p.fileInfos {
+			fileOffset[i] = uint64(files.Len())
+			p.encodeFile(&files, info.file, info.needed)
+		}
+	}
+
+	// Append indices to data0 section.
+	dataLen := uint64(p.data0.Len())
+	w := p.newWriter()
+	w.writeIndex(p.declIndex)
+
+	if bundle {
+		w.uint64(uint64(len(pkgs)))
+		for _, pkg := range pkgs {
+			w.pkg(pkg)
+			imps := pkg.Imports()
+			w.uint64(uint64(len(imps)))
+			for _, imp := range imps {
+				w.pkg(imp)
+			}
+		}
+	}
+	w.flush()
+
+	// Assemble header.
+	var hdr intWriter
+	if bundle {
+		hdr.uint64(bundleVersion)
+	}
+	hdr.uint64(uint64(p.version))
+	hdr.uint64(uint64(p.strings.Len()))
+	if p.shallow {
+		hdr.uint64(uint64(files.Len()))
+		hdr.uint64(uint64(len(fileOffset)))
+		for _, offset := range fileOffset {
+			hdr.uint64(offset)
+		}
+	}
+	hdr.uint64(dataLen)
+
+	// Flush output.
+	io.Copy(out, &hdr)
+	io.Copy(out, &p.strings)
+	if p.shallow {
+		io.Copy(out, &files)
+	}
+	io.Copy(out, &p.data0)
+
+	return nil
+}
+
+// encodeFile writes to w a representation of the file sufficient to
+// faithfully restore position information about all needed offsets.
+// Mutates the needed array.
+func (p *iexporter) encodeFile(w *intWriter, file *token.File, needed []uint64) {
+	_ = needed[0] // precondition: needed is non-empty
+
+	w.uint64(p.stringOff(file.Name()))
+
+	size := uint64(file.Size())
+	w.uint64(size)
+
+	// Sort the set of needed offsets. Duplicates are harmless.
+	slices.Sort(needed)
+
+	lines := file.Lines() // byte offset of each line start
+	w.uint64(uint64(len(lines)))
+
+	// Rather than record the entire array of line start offsets,
+	// we save only a sparse list of (index, offset) pairs for
+	// the start of each line that contains a needed position.
+	var sparse [][2]int // (index, offset) pairs
+outer:
+	for i, lineStart := range lines {
+		lineEnd := size
+		if i < len(lines)-1 {
+			lineEnd = uint64(lines[i+1])
+		}
+		// Does this line contains a needed offset?
+		if needed[0] < lineEnd {
+			sparse = append(sparse, [2]int{i, lineStart})
+			for needed[0] < lineEnd {
+				needed = needed[1:]
+				if len(needed) == 0 {
+					break outer
+				}
+			}
+		}
+	}
+
+	// Delta-encode the columns.
+	w.uint64(uint64(len(sparse)))
+	var prev [2]int
+	for _, pair := range sparse {
+		w.uint64(uint64(pair[0] - prev[0]))
+		w.uint64(uint64(pair[1] - prev[1]))
+		prev = pair
+	}
+}
+
+// writeIndex writes out an object index. mainIndex indicates whether
+// we're writing out the main index, which is also read by
+// non-compiler tools and includes a complete package description
+// (i.e., name and height).
+func (w *exportWriter) writeIndex(index map[types.Object]uint64) {
+	type pkgObj struct {
+		obj  types.Object
+		name string // qualified name; differs from obj.Name for type params
+	}
+	// Build a map from packages to objects from that package.
+	pkgObjs := map[*types.Package][]pkgObj{}
+
+	// For the main index, make sure to include every package that
+	// we reference, even if we're not exporting (or reexporting)
+	// any symbols from it.
+	if w.p.localpkg != nil {
+		pkgObjs[w.p.localpkg] = nil
+	}
+	for pkg := range w.p.allPkgs {
+		pkgObjs[pkg] = nil
+	}
+
+	for obj := range index {
+		name := w.p.exportName(obj)
+		pkgObjs[obj.Pkg()] = append(pkgObjs[obj.Pkg()], pkgObj{obj, name})
+	}
+
+	var pkgs []*types.Package
+	for pkg, objs := range pkgObjs {
+		pkgs = append(pkgs, pkg)
+
+		sort.Slice(objs, func(i, j int) bool {
+			return objs[i].name < objs[j].name
+		})
+	}
+
+	sort.Slice(pkgs, func(i, j int) bool {
+		return w.exportPath(pkgs[i]) < w.exportPath(pkgs[j])
+	})
+
+	w.uint64(uint64(len(pkgs)))
+	for _, pkg := range pkgs {
+		w.string(w.exportPath(pkg))
+		w.string(pkg.Name())
+		w.uint64(uint64(0)) // package height is not needed for go/types
+
+		objs := pkgObjs[pkg]
+		w.uint64(uint64(len(objs)))
+		for _, obj := range objs {
+			w.string(obj.name)
+			w.uint64(index[obj.obj])
+		}
+	}
+}
+
+// exportName returns the 'exported' name of an object. It differs from
+// obj.Name() only for type parameters (see tparamExportName for details).
+func (p *iexporter) exportName(obj types.Object) (res string) {
+	if name := p.tparamNames[obj]; name != "" {
+		return name
+	}
+	return obj.Name()
+}
+
+type iexporter struct {
+	fset    *token.FileSet
+	version int
+
+	shallow    bool                // don't put types from other packages in the index
+	objEncoder *objectpath.Encoder // encodes objects from other packages in shallow mode; lazily allocated
+	localpkg   *types.Package      // (nil in bundle mode)
+
+	// allPkgs tracks all packages that have been referenced by
+	// the export data, so we can ensure to include them in the
+	// main index.
+	allPkgs map[*types.Package]bool
+
+	declTodo objQueue
+
+	strings     intWriter
+	stringIndex map[string]uint64
+
+	// In shallow mode, object positions are encoded as (file, offset).
+	// Each file is recorded as a line-number table.
+	// Only the lines of needed positions are saved faithfully.
+	fileInfo  map[*token.File]uint64 // value is index in fileInfos
+	fileInfos []*filePositions
+
+	data0       intWriter
+	declIndex   map[types.Object]uint64
+	tparamNames map[types.Object]string // typeparam->exported name
+	typIndex    map[types.Type]uint64
+
+	indent int // for tracing support
+}
+
+type filePositions struct {
+	file   *token.File
+	needed []uint64 // unordered list of needed file offsets
+}
+
+func (p *iexporter) trace(format string, args ...any) {
+	if !trace {
+		// Call sites should also be guarded, but having this check here allows
+		// easily enabling/disabling debug trace statements.
+		return
+	}
+	fmt.Printf(strings.Repeat("..", p.indent)+format+"\n", args...)
+}
+
+// objectpathEncoder returns the lazily allocated objectpath.Encoder to use
+// when encoding objects in other packages during shallow export.
+//
+// Using a shared Encoder amortizes some of cost of objectpath search.
+func (p *iexporter) objectpathEncoder() *objectpath.Encoder {
+	if p.objEncoder == nil {
+		p.objEncoder = new(objectpath.Encoder)
+	}
+	return p.objEncoder
+}
+
+// stringOff returns the offset of s within the string section.
+// If not already present, it's added to the end.
+func (p *iexporter) stringOff(s string) uint64 {
+	off, ok := p.stringIndex[s]
+	if !ok {
+		off = uint64(p.strings.Len())
+		p.stringIndex[s] = off
+
+		p.strings.uint64(uint64(len(s)))
+		p.strings.WriteString(s)
+	}
+	return off
+}
+
+// fileIndexAndOffset returns the index of the token.File and the byte offset of pos within it.
+func (p *iexporter) fileIndexAndOffset(file *token.File, pos token.Pos) (uint64, uint64) {
+	index, ok := p.fileInfo[file]
+	if !ok {
+		index = uint64(len(p.fileInfo))
+		p.fileInfos = append(p.fileInfos, &filePositions{file: file})
+		if p.fileInfo == nil {
+			p.fileInfo = make(map[*token.File]uint64)
+		}
+		p.fileInfo[file] = index
+	}
+	// Record each needed offset.
+	info := p.fileInfos[index]
+	offset := uint64(file.Offset(pos))
+	info.needed = append(info.needed, offset)
+
+	return index, offset
+}
+
+// pushDecl adds n to the declaration work queue, if not already present.
+func (p *iexporter) pushDecl(obj types.Object) {
+	// Package unsafe is known to the compiler and predeclared.
+	// Caller should not ask us to do export it.
+	if obj.Pkg() == types.Unsafe {
+		panic("cannot export package unsafe")
+	}
+
+	// Shallow export data: don't index decls from other packages.
+	if p.shallow && obj.Pkg() != p.localpkg {
+		return
+	}
+
+	if _, ok := p.declIndex[obj]; ok {
+		return
+	}
+
+	p.declIndex[obj] = ^uint64(0) // mark obj present in work queue
+	p.declTodo.pushTail(obj)
+}
+
+// exportWriter handles writing out individual data section chunks.
+type exportWriter struct {
+	p *iexporter
+
+	data       intWriter
+	prevFile   string
+	prevLine   int64
+	prevColumn int64
+}
+
+func (w *exportWriter) exportPath(pkg *types.Package) string {
+	if pkg == w.p.localpkg {
+		return ""
+	}
+	return pkg.Path()
+}
+
+func (p *iexporter) doDecl(obj types.Object) {
+	if trace {
+		p.trace("exporting decl %v (%T)", obj, obj)
+		p.indent++
+		defer func() {
+			p.indent--
+			p.trace("=> %s", obj)
+		}()
+	}
+	w := p.newWriter()
+
+	switch obj := obj.(type) {
+	case *types.Var:
+		w.tag(varTag)
+		w.pos(obj.Pos())
+		w.typ(obj.Type(), obj.Pkg())
+
+	case *types.Func:
+		sig, _ := obj.Type().(*types.Signature)
+		if sig.Recv() != nil {
+			// We shouldn't see methods in the package scope,
+			// but the type checker may repair "func () F() {}"
+			// to "func (Invalid) F()" and then treat it like "func F()",
+			// so allow that. See golang/go#57729.
+			if sig.Recv().Type() != types.Typ[types.Invalid] {
+				panic(internalErrorf("unexpected method: %v", sig))
+			}
+		}
+
+		// Function.
+		if sig.TypeParams().Len() == 0 {
+			w.tag(funcTag)
+		} else {
+			w.tag(genericFuncTag)
+		}
+		w.pos(obj.Pos())
+		// The tparam list of the function type is the declaration of the type
+		// params. So, write out the type params right now. Then those type params
+		// will be referenced via their type offset (via typOff) in all other
+		// places in the signature and function where they are used.
+		//
+		// While importing the type parameters, tparamList computes and records
+		// their export name, so that it can be later used when writing the index.
+		if tparams := sig.TypeParams(); tparams.Len() > 0 {
+			w.tparamList(obj.Name(), tparams, obj.Pkg())
+		}
+		w.signature(sig)
+
+	case *types.Const:
+		w.tag(constTag)
+		w.pos(obj.Pos())
+		w.value(obj.Type(), obj.Val())
+
+	case *types.TypeName:
+		t := obj.Type()
+
+		if tparam, ok := types.Unalias(t).(*types.TypeParam); ok {
+			w.tag(typeParamTag)
+			w.pos(obj.Pos())
+			constraint := tparam.Constraint()
+			if p.version >= iexportVersionGo1_18 {
+				implicit := false
+				if iface, _ := types.Unalias(constraint).(*types.Interface); iface != nil {
+					implicit = iface.IsImplicit()
+				}
+				w.bool(implicit)
+			}
+			w.typ(constraint, obj.Pkg())
+			break
+		}
+
+		if obj.IsAlias() {
+			alias, materialized := t.(*types.Alias) // may fail when aliases are not enabled
+
+			var tparams *types.TypeParamList
+			if materialized {
+				tparams = aliases.TypeParams(alias)
+			}
+			if tparams.Len() == 0 {
+				w.tag(aliasTag)
+			} else {
+				w.tag(genericAliasTag)
+			}
+			w.pos(obj.Pos())
+			if tparams.Len() > 0 {
+				w.tparamList(obj.Name(), tparams, obj.Pkg())
+			}
+			if materialized {
+				// Preserve materialized aliases,
+				// even of non-exported types.
+				t = aliases.Rhs(alias)
+			}
+			w.typ(t, obj.Pkg())
+			break
+		}
+
+		// Defined type.
+		named, ok := t.(*types.Named)
+		if !ok {
+			panic(internalErrorf("%s is not a defined type", t))
+		}
+
+		if named.TypeParams().Len() == 0 {
+			w.tag(typeTag)
+		} else {
+			w.tag(genericTypeTag)
+		}
+		w.pos(obj.Pos())
+
+		if named.TypeParams().Len() > 0 {
+			// While importing the type parameters, tparamList computes and records
+			// their export name, so that it can be later used when writing the index.
+			w.tparamList(obj.Name(), named.TypeParams(), obj.Pkg())
+		}
+
+		underlying := named.Underlying()
+		w.typ(underlying, obj.Pkg())
+
+		if types.IsInterface(t) {
+			break
+		}
+
+		n := named.NumMethods()
+		w.uint64(uint64(n))
+		for i := range n {
+			m := named.Method(i)
+			w.pos(m.Pos())
+			w.string(m.Name())
+			sig, _ := m.Type().(*types.Signature)
+
+			// Receiver type parameters are type arguments of the receiver type, so
+			// their name must be qualified before exporting recv.
+			if rparams := sig.RecvTypeParams(); rparams.Len() > 0 {
+				prefix := obj.Name() + "." + m.Name()
+				for rparam := range rparams.TypeParams() {
+					name := tparamExportName(prefix, rparam)
+					w.p.tparamNames[rparam.Obj()] = name
+				}
+			}
+			w.param(sig.Recv())
+			w.signature(sig)
+		}
+
+	default:
+		panic(internalErrorf("unexpected object: %v", obj))
+	}
+
+	p.declIndex[obj] = w.flush()
+}
+
+func (w *exportWriter) tag(tag byte) {
+	w.data.WriteByte(tag)
+}
+
+func (w *exportWriter) pos(pos token.Pos) {
+	if w.p.shallow {
+		w.posV2(pos)
+	} else if w.p.version >= iexportVersionPosCol {
+		w.posV1(pos)
+	} else {
+		w.posV0(pos)
+	}
+}
+
+// posV2 encoding (used only in shallow mode) records positions as
+// (file, offset), where file is the index in the token.File table
+// (which records the file name and newline offsets) and offset is a
+// byte offset. It effectively ignores //line directives.
+func (w *exportWriter) posV2(pos token.Pos) {
+	if pos == token.NoPos {
+		w.uint64(0)
+		return
+	}
+	file := w.p.fset.File(pos) // fset must be non-nil
+	index, offset := w.p.fileIndexAndOffset(file, pos)
+	w.uint64(1 + index)
+	w.uint64(offset)
+}
+
+func (w *exportWriter) posV1(pos token.Pos) {
+	if w.p.fset == nil {
+		w.int64(0)
+		return
+	}
+
+	p := w.p.fset.Position(pos)
+	file := p.Filename
+	line := int64(p.Line)
+	column := int64(p.Column)
+
+	deltaColumn := (column - w.prevColumn) << 1
+	deltaLine := (line - w.prevLine) << 1
+
+	if file != w.prevFile {
+		deltaLine |= 1
+	}
+	if deltaLine != 0 {
+		deltaColumn |= 1
+	}
+
+	w.int64(deltaColumn)
+	if deltaColumn&1 != 0 {
+		w.int64(deltaLine)
+		if deltaLine&1 != 0 {
+			w.string(file)
+		}
+	}
+
+	w.prevFile = file
+	w.prevLine = line
+	w.prevColumn = column
+}
+
+func (w *exportWriter) posV0(pos token.Pos) {
+	if w.p.fset == nil {
+		w.int64(0)
+		return
+	}
+
+	p := w.p.fset.Position(pos)
+	file := p.Filename
+	line := int64(p.Line)
+
+	// When file is the same as the last position (common case),
+	// we can save a few bytes by delta encoding just the line
+	// number.
+	//
+	// Note: Because data objects may be read out of order (or not
+	// at all), we can only apply delta encoding within a single
+	// object. This is handled implicitly by tracking prevFile and
+	// prevLine as fields of exportWriter.
+
+	if file == w.prevFile {
+		delta := line - w.prevLine
+		w.int64(delta)
+		if delta == deltaNewFile {
+			w.int64(-1)
+		}
+	} else {
+		w.int64(deltaNewFile)
+		w.int64(line) // line >= 0
+		w.string(file)
+		w.prevFile = file
+	}
+	w.prevLine = line
+}
+
+func (w *exportWriter) pkg(pkg *types.Package) {
+	if pkg == nil {
+		// [exportWriter.typ] accepts a nil pkg only for types
+		// of constants, which cannot contain named objects
+		// such as fields or methods and thus should never
+		// reach this method (#76222).
+		panic("nil package")
+	}
+	// Ensure any referenced packages are declared in the main index.
+	w.p.allPkgs[pkg] = true
+
+	w.string(w.exportPath(pkg))
+}
+
+func (w *exportWriter) qualifiedType(obj *types.TypeName) {
+	name := w.p.exportName(obj)
+
+	// Ensure any referenced declarations are written out too.
+	w.p.pushDecl(obj)
+	w.string(name)
+	w.pkg(obj.Pkg())
+}
+
+// typ emits the specified type.
+//
+// Objects within the type (struct fields and interface methods) are
+// qualified by pkg. It may be nil if the type cannot contain objects,
+// such as the type of a constant.
+func (w *exportWriter) typ(t types.Type, pkg *types.Package) {
+	w.data.uint64(w.p.typOff(t, pkg))
+}
+
+func (p *iexporter) newWriter() *exportWriter {
+	return &exportWriter{p: p}
+}
+
+func (w *exportWriter) flush() uint64 {
+	off := uint64(w.p.data0.Len())
+	io.Copy(&w.p.data0, &w.data)
+	return off
+}
+
+func (p *iexporter) typOff(t types.Type, pkg *types.Package) uint64 {
+	off, ok := p.typIndex[t]
+	if !ok {
+		w := p.newWriter()
+		w.doTyp(t, pkg)
+		off = predeclReserved + w.flush()
+		p.typIndex[t] = off
+	}
+	return off
+}
+
+func (w *exportWriter) startType(k itag) {
+	w.data.uint64(uint64(k))
+}
+
+// doTyp is the implementation of [exportWriter.typ].
+func (w *exportWriter) doTyp(t types.Type, pkg *types.Package) {
+	if trace {
+		w.p.trace("exporting type %s (%T)", t, t)
+		w.p.indent++
+		defer func() {
+			w.p.indent--
+			w.p.trace("=> %s", t)
+		}()
+	}
+	switch t := t.(type) {
+	case *types.Alias:
+		if targs := aliases.TypeArgs(t); targs.Len() > 0 {
+			w.startType(instanceType)
+			w.pos(t.Obj().Pos())
+			w.typeList(targs, pkg)
+			w.typ(aliases.Origin(t), pkg)
+			return
+		}
+		w.startType(aliasType)
+		w.qualifiedType(t.Obj())
+
+	case *types.Named:
+		if targs := t.TypeArgs(); targs.Len() > 0 {
+			w.startType(instanceType)
+			// TODO(rfindley): investigate if this position is correct, and if it
+			// matters.
+			w.pos(t.Obj().Pos())
+			w.typeList(targs, pkg)
+			w.typ(t.Origin(), pkg)
+			return
+		}
+		w.startType(definedType)
+		w.qualifiedType(t.Obj())
+
+	case *types.TypeParam:
+		w.startType(typeParamType)
+		w.qualifiedType(t.Obj())
+
+	case *types.Pointer:
+		w.startType(pointerType)
+		w.typ(t.Elem(), pkg)
+
+	case *types.Slice:
+		w.startType(sliceType)
+		w.typ(t.Elem(), pkg)
+
+	case *types.Array:
+		w.startType(arrayType)
+		w.uint64(uint64(t.Len()))
+		w.typ(t.Elem(), pkg)
+
+	case *types.Chan:
+		w.startType(chanType)
+		// 1 RecvOnly; 2 SendOnly; 3 SendRecv
+		var dir uint64
+		switch t.Dir() {
+		case types.RecvOnly:
+			dir = 1
+		case types.SendOnly:
+			dir = 2
+		case types.SendRecv:
+			dir = 3
+		}
+		w.uint64(dir)
+		w.typ(t.Elem(), pkg)
+
+	case *types.Map:
+		w.startType(mapType)
+		w.typ(t.Key(), pkg)
+		w.typ(t.Elem(), pkg)
+
+	case *types.Signature:
+		w.startType(signatureType)
+		w.pkg(pkg) // qualifies param/result vars
+		w.signature(t)
+
+	case *types.Struct:
+		w.startType(structType)
+		n := t.NumFields()
+		// Even for struct{} we must emit some qualifying package, because that's
+		// what the compiler does, and thus that's what the importer expects.
+		fieldPkg := pkg
+		if n > 0 {
+			fieldPkg = t.Field(0).Pkg()
+		}
+		if fieldPkg == nil {
+			// TODO(rfindley): improve this very hacky logic.
+			//
+			// The importer expects a package to be set for all struct types, even
+			// those with no fields. A better encoding might be to set NumFields
+			// before pkg. setPkg panics with a nil package, which may be possible
+			// to reach with invalid packages (and perhaps valid packages, too?), so
+			// (arbitrarily) set the localpkg if available.
+			//
+			// Alternatively, we may be able to simply guarantee that pkg != nil, by
+			// reconsidering the encoding of constant values.
+			if w.p.shallow {
+				fieldPkg = w.p.localpkg
+			} else {
+				panic(internalErrorf("no package to set for empty struct"))
+			}
+		}
+		w.pkg(fieldPkg)
+		w.uint64(uint64(n))
+
+		for i := range n {
+			f := t.Field(i)
+			if w.p.shallow {
+				w.objectPath(f)
+			}
+			w.pos(f.Pos())
+			w.string(f.Name()) // unexported fields implicitly qualified by prior setPkg
+			w.typ(f.Type(), fieldPkg)
+			w.bool(f.Anonymous())
+			w.string(t.Tag(i)) // note (or tag)
+		}
+
+	case *types.Interface:
+		w.startType(interfaceType)
+		w.pkg(pkg) // qualifies unexported method funcs
+
+		n := t.NumEmbeddeds()
+		w.uint64(uint64(n))
+		for i := 0; i < n; i++ {
+			ft := t.EmbeddedType(i)
+			if named, _ := types.Unalias(ft).(*types.Named); named != nil {
+				w.pos(named.Obj().Pos())
+			} else {
+				// e.g. ~int
+				w.pos(token.NoPos)
+			}
+			w.typ(ft, pkg)
+		}
+
+		// See comment for struct fields. In shallow mode we change the encoding
+		// for interface methods that are promoted from other packages.
+
+		n = t.NumExplicitMethods()
+		w.uint64(uint64(n))
+		for i := 0; i < n; i++ {
+			m := t.ExplicitMethod(i)
+			if w.p.shallow {
+				w.objectPath(m)
+			}
+			w.pos(m.Pos())
+			w.string(m.Name())
+			sig, _ := m.Type().(*types.Signature)
+			w.signature(sig)
+		}
+
+	case *types.Union:
+		w.startType(unionType)
+		nt := t.Len()
+		w.uint64(uint64(nt))
+		for i := range nt {
+			term := t.Term(i)
+			w.bool(term.Tilde())
+			w.typ(term.Type(), pkg)
+		}
+
+	default:
+		panic(internalErrorf("unexpected type: %v, %v", t, reflect.TypeOf(t)))
+	}
+}
+
+// objectPath writes the package and objectPath to use to look up obj in a
+// different package, when encoding in "shallow" mode.
+//
+// When doing a shallow import, the importer creates only the local package,
+// and requests package symbols for dependencies from the client.
+// However, certain types defined in the local package may hold objects defined
+// (perhaps deeply) within another package.
+//
+// For example, consider the following:
+//
+//	package a
+//	func F() chan * map[string] struct { X int }
+//
+//	package b
+//	import "a"
+//	var B = a.F()
+//
+// In this example, the type of b.B holds fields defined in package a.
+// In order to have the correct canonical objects for the field defined in the
+// type of B, they are encoded as objectPaths and later looked up in the
+// importer. The same problem applies to interface methods.
+func (w *exportWriter) objectPath(obj types.Object) {
+	if obj.Pkg() == nil || obj.Pkg() == w.p.localpkg {
+		// obj.Pkg() may be nil for the builtin error.Error.
+		// In this case, or if obj is declared in the local package, no need to
+		// encode.
+		w.string("")
+		return
+	}
+	objectPath, err := w.p.objectpathEncoder().For(obj)
+	if err != nil {
+		// Fall back to the empty string, which will cause the importer to create a
+		// new object, which matches earlier behavior. Creating a new object is
+		// sufficient for many purposes (such as type checking), but causes certain
+		// references algorithms to fail (golang/go#60819). However, we didn't
+		// notice this problem during months of gopls@v0.12.0 testing.
+		//
+		// TODO(golang/go#61674): this workaround is insufficient, as in the case
+		// where the field forwarded from an instantiated type that may not appear
+		// in the export data of the original package:
+		//
+		//  // package a
+		//  type A[P any] struct{ F P }
+		//
+		//  // package b
+		//  type B a.A[int]
+		//
+		// We need to update references algorithms not to depend on this
+		// de-duplication, at which point we may want to simply remove the
+		// workaround here.
+		w.string("")
+		return
+	}
+	w.string(string(objectPath))
+	w.pkg(obj.Pkg())
+}
+
+func (w *exportWriter) signature(sig *types.Signature) {
+	w.paramList(sig.Params())
+	w.paramList(sig.Results())
+	if sig.Params().Len() > 0 {
+		w.bool(sig.Variadic())
+	}
+}
+
+func (w *exportWriter) typeList(ts *types.TypeList, pkg *types.Package) {
+	w.uint64(uint64(ts.Len()))
+	for t := range ts.Types() {
+		w.typ(t, pkg)
+	}
+}
+
+func (w *exportWriter) tparamList(prefix string, list *types.TypeParamList, pkg *types.Package) {
+	ll := uint64(list.Len())
+	w.uint64(ll)
+	for tparam := range list.TypeParams() {
+		// Set the type parameter exportName before exporting its type.
+		exportName := tparamExportName(prefix, tparam)
+		w.p.tparamNames[tparam.Obj()] = exportName
+		w.typ(tparam, pkg)
+	}
+}
+
+const blankMarker = "$"
+
+// tparamExportName returns the 'exported' name of a type parameter, which
+// differs from its actual object name: it is prefixed with a qualifier, and
+// blank type parameter names are disambiguated by their index in the type
+// parameter list.
+func tparamExportName(prefix string, tparam *types.TypeParam) string {
+	assert(prefix != "")
+	name := tparam.Obj().Name()
+	if name == "_" {
+		name = blankMarker + strconv.Itoa(tparam.Index())
+	}
+	return prefix + "." + name
+}
+
+// tparamName returns the real name of a type parameter, after stripping its
+// qualifying prefix and reverting blank-name encoding. See tparamExportName
+// for details.
+func tparamName(exportName string) string {
+	// Remove the "path" from the type param name that makes it unique.
+	ix := strings.LastIndex(exportName, ".")
+	if ix < 0 {
+		errorf("malformed type parameter export name %s: missing prefix", exportName)
+	}
+	name := exportName[ix+1:]
+	if strings.HasPrefix(name, blankMarker) {
+		return "_"
+	}
+	return name
+}
+
+func (w *exportWriter) paramList(tup *types.Tuple) {
+	n := tup.Len()
+	w.uint64(uint64(n))
+	for i := range n {
+		w.param(tup.At(i))
+	}
+}
+
+func (w *exportWriter) param(obj types.Object) {
+	w.pos(obj.Pos())
+	w.localIdent(obj)
+	w.typ(obj.Type(), obj.Pkg())
+}
+
+func (w *exportWriter) value(typ types.Type, v constant.Value) {
+	w.typ(typ, nil)
+	if w.p.version >= iexportVersionGo1_18 {
+		w.int64(int64(v.Kind()))
+	}
+
+	if v.Kind() == constant.Unknown {
+		// golang/go#60605: treat unknown constant values as if they have invalid type
+		//
+		// This loses some fidelity over the package type-checked from source, but that
+		// is acceptable.
+		//
+		// TODO(rfindley): we should switch on the recorded constant kind rather
+		// than the constant type
+		return
+	}
+
+	switch b := typ.Underlying().(*types.Basic); b.Info() & types.IsConstType {
+	case types.IsBoolean:
+		w.bool(constant.BoolVal(v))
+	case types.IsInteger:
+		var i big.Int
+		if i64, exact := constant.Int64Val(v); exact {
+			i.SetInt64(i64)
+		} else if ui64, exact := constant.Uint64Val(v); exact {
+			i.SetUint64(ui64)
+		} else {
+			i.SetString(v.ExactString(), 10)
+		}
+		w.mpint(&i, typ)
+	case types.IsFloat:
+		f := constantToFloat(v)
+		w.mpfloat(f, typ)
+	case types.IsComplex:
+		w.mpfloat(constantToFloat(constant.Real(v)), typ)
+		w.mpfloat(constantToFloat(constant.Imag(v)), typ)
+	case types.IsString:
+		w.string(constant.StringVal(v))
+	default:
+		if b.Kind() == types.Invalid {
+			// package contains type errors
+			break
+		}
+		panic(internalErrorf("unexpected type %v (%v)", typ, typ.Underlying()))
+	}
+}
+
+// constantToFloat converts a constant.Value with kind constant.Float to a
+// big.Float.
+func constantToFloat(x constant.Value) *big.Float {
+	x = constant.ToFloat(x)
+	// Use the same floating-point precision (512) as cmd/compile
+	// (see Mpprec in cmd/compile/internal/gc/mpfloat.go).
+	const mpprec = 512
+	var f big.Float
+	f.SetPrec(mpprec)
+	if v, exact := constant.Float64Val(x); exact {
+		// float64
+		f.SetFloat64(v)
+	} else if num, denom := constant.Num(x), constant.Denom(x); num.Kind() == constant.Int {
+		// TODO(gri): add big.Rat accessor to constant.Value.
+		n := valueToRat(num)
+		d := valueToRat(denom)
+		f.SetRat(n.Quo(n, d))
+	} else {
+		// Value too large to represent as a fraction => inaccessible.
+		// TODO(gri): add big.Float accessor to constant.Value.
+		_, ok := f.SetString(x.ExactString())
+		assert(ok)
+	}
+	return &f
+}
+
+func valueToRat(x constant.Value) *big.Rat {
+	// Convert little-endian to big-endian.
+	// I can't believe this is necessary.
+	bytes := constant.Bytes(x)
+	for i := 0; i < len(bytes)/2; i++ {
+		bytes[i], bytes[len(bytes)-1-i] = bytes[len(bytes)-1-i], bytes[i]
+	}
+	return new(big.Rat).SetInt(new(big.Int).SetBytes(bytes))
+}
+
+// mpint exports a multi-precision integer.
+//
+// For unsigned types, small values are written out as a single
+// byte. Larger values are written out as a length-prefixed big-endian
+// byte string, where the length prefix is encoded as its complement.
+// For example, bytes 0, 1, and 2 directly represent the integer
+// values 0, 1, and 2; while bytes 255, 254, and 253 indicate a 1-,
+// 2-, and 3-byte big-endian string follow.
+//
+// Encoding for signed types use the same general approach as for
+// unsigned types, except small values use zig-zag encoding and the
+// bottom bit of length prefix byte for large values is reserved as a
+// sign bit.
+//
+// The exact boundary between small and large encodings varies
+// according to the maximum number of bytes needed to encode a value
+// of type typ. As a special case, 8-bit types are always encoded as a
+// single byte.
+//
+// TODO(mdempsky): Is this level of complexity really worthwhile?
+func (w *exportWriter) mpint(x *big.Int, typ types.Type) {
+	basic, ok := typ.Underlying().(*types.Basic)
+	if !ok {
+		panic(internalErrorf("unexpected type %v (%T)", typ.Underlying(), typ.Underlying()))
+	}
+
+	signed, maxBytes := intSize(basic)
+
+	negative := x.Sign() < 0
+	if !signed && negative {
+		panic(internalErrorf("negative unsigned integer; type %v, value %v", typ, x))
+	}
+
+	b := x.Bytes()
+	if len(b) > 0 && b[0] == 0 {
+		panic(internalErrorf("leading zeros"))
+	}
+	if uint(len(b)) > maxBytes {
+		panic(internalErrorf("bad mpint length: %d > %d (type %v, value %v)", len(b), maxBytes, typ, x))
+	}
+
+	maxSmall := 256 - maxBytes
+	if signed {
+		maxSmall = 256 - 2*maxBytes
+	}
+	if maxBytes == 1 {
+		maxSmall = 256
+	}
+
+	// Check if x can use small value encoding.
+	if len(b) <= 1 {
+		var ux uint
+		if len(b) == 1 {
+			ux = uint(b[0])
+		}
+		if signed {
+			ux <<= 1
+			if negative {
+				ux--
+			}
+		}
+		if ux < maxSmall {
+			w.data.WriteByte(byte(ux))
+			return
+		}
+	}
+
+	n := 256 - uint(len(b))
+	if signed {
+		n = 256 - 2*uint(len(b))
+		if negative {
+			n |= 1
+		}
+	}
+	if n < maxSmall || n >= 256 {
+		panic(internalErrorf("encoding mistake: %d, %v, %v => %d", len(b), signed, negative, n))
+	}
+
+	w.data.WriteByte(byte(n))
+	w.data.Write(b)
+}
+
+// mpfloat exports a multi-precision floating point number.
+//
+// The number's value is decomposed into mantissa × 2**exponent, where
+// mantissa is an integer. The value is written out as mantissa (as a
+// multi-precision integer) and then the exponent, except exponent is
+// omitted if mantissa is zero.
+func (w *exportWriter) mpfloat(f *big.Float, typ types.Type) {
+	if f.IsInf() {
+		panic("infinite constant")
+	}
+
+	// Break into f = mant × 2**exp, with 0.5 <= mant < 1.
+	var mant big.Float
+	exp := int64(f.MantExp(&mant))
+
+	// Scale so that mant is an integer.
+	prec := mant.MinPrec()
+	mant.SetMantExp(&mant, int(prec))
+	exp -= int64(prec)
+
+	manti, acc := mant.Int(nil)
+	if acc != big.Exact {
+		panic(internalErrorf("mantissa scaling failed for %f (%s)", f, acc))
+	}
+	w.mpint(manti, typ)
+	if manti.Sign() != 0 {
+		w.int64(exp)
+	}
+}
+
+func (w *exportWriter) bool(b bool) bool {
+	var x uint64
+	if b {
+		x = 1
+	}
+	w.uint64(x)
+	return b
+}
+
+func (w *exportWriter) int64(x int64)   { w.data.int64(x) }
+func (w *exportWriter) uint64(x uint64) { w.data.uint64(x) }
+func (w *exportWriter) string(s string) { w.uint64(w.p.stringOff(s)) }
+
+func (w *exportWriter) localIdent(obj types.Object) {
+	// Anonymous parameters.
+	if obj == nil {
+		w.string("")
+		return
+	}
+
+	name := obj.Name()
+	if name == "_" {
+		w.string("_")
+		return
+	}
+
+	w.string(name)
+}
+
+type intWriter struct {
+	bytes.Buffer
+}
+
+func (w *intWriter) int64(x int64) {
+	var buf [binary.MaxVarintLen64]byte
+	n := binary.PutVarint(buf[:], x)
+	w.Write(buf[:n])
+}
+
+func (w *intWriter) uint64(x uint64) {
+	var buf [binary.MaxVarintLen64]byte
+	n := binary.PutUvarint(buf[:], x)
+	w.Write(buf[:n])
+}
+
+func assert(cond bool) {
+	if !cond {
+		panic("internal error: assertion failed")
+	}
+}
+
+// The below is copied from go/src/cmd/compile/internal/gc/syntax.go.
+
+// objQueue is a FIFO queue of types.Object. The zero value of objQueue is
+// a ready-to-use empty queue.
+type objQueue struct {
+	ring       []types.Object
+	head, tail int
+}
+
+// empty returns true if q contains no Nodes.
+func (q *objQueue) empty() bool {
+	return q.head == q.tail
+}
+
+// pushTail appends n to the tail of the queue.
+func (q *objQueue) pushTail(obj types.Object) {
+	if len(q.ring) == 0 {
+		q.ring = make([]types.Object, 16)
+	} else if q.head+len(q.ring) == q.tail {
+		// Grow the ring.
+		nring := make([]types.Object, len(q.ring)*2)
+		// Copy the old elements.
+		part := q.ring[q.head%len(q.ring):]
+		if q.tail-q.head <= len(part) {
+			part = part[:q.tail-q.head]
+			copy(nring, part)
+		} else {
+			pos := copy(nring, part)
+			copy(nring[pos:], q.ring[:q.tail%len(q.ring)])
+		}
+		q.ring, q.head, q.tail = nring, 0, q.tail-q.head
+	}
+
+	q.ring[q.tail%len(q.ring)] = obj
+	q.tail++
+}
+
+// popHead pops a node from the head of the queue. It panics if q is empty.
+func (q *objQueue) popHead() types.Object {
+	if q.empty() {
+		panic("dequeue empty")
+	}
+	obj := q.ring[q.head%len(q.ring)]
+	q.head++
+	return obj
+}
+
+// internalError represents an error generated inside this package.
+type internalError string
+
+func (e internalError) Error() string { return "gcimporter: " + string(e) }
+
+// TODO(adonovan): make this call panic, so that it's symmetric with errorf.
+// Otherwise it's easy to forget to do anything with the error.
+//
+// TODO(adonovan): also, consider switching the names "errorf" and
+// "internalErrorf" as the former is used for bugs, whose cause is
+// internal inconsistency, whereas the latter is used for ordinary
+// situations like bad input, whose cause is external.
+func internalErrorf(format string, args ...any) error {
+	return internalError(fmt.Sprintf(format, args...))
+}
diff --git a/vendor/golang.org/x/tools/internal/gcimporter/iimport.go b/vendor/golang.org/x/tools/internal/gcimporter/iimport.go
new file mode 100644
index 0000000000..4d6d50094a
--- /dev/null
+++ b/vendor/golang.org/x/tools/internal/gcimporter/iimport.go
@@ -0,0 +1,1120 @@
+// Copyright 2018 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Indexed package import.
+// See iexport.go for the export data format.
+
+package gcimporter
+
+import (
+	"bytes"
+	"encoding/binary"
+	"fmt"
+	"go/constant"
+	"go/token"
+	"go/types"
+	"io"
+	"math/big"
+	"slices"
+	"sort"
+	"strings"
+
+	"golang.org/x/tools/go/types/objectpath"
+	"golang.org/x/tools/internal/aliases"
+	"golang.org/x/tools/internal/typesinternal"
+)
+
+type intReader struct {
+	*bytes.Reader
+	path string
+}
+
+func (r *intReader) int64() int64 {
+	i, err := binary.ReadVarint(r.Reader)
+	if err != nil {
+		errorf("import %q: read varint error: %v", r.path, err)
+	}
+	return i
+}
+
+func (r *intReader) uint64() uint64 {
+	i, err := binary.ReadUvarint(r.Reader)
+	if err != nil {
+		errorf("import %q: read varint error: %v", r.path, err)
+	}
+	return i
+}
+
+// Keep this in sync with constants in iexport.go.
+const (
+	iexportVersionGo1_11   = 0
+	iexportVersionPosCol   = 1
+	iexportVersionGo1_18   = 2
+	iexportVersionGenerics = 2
+	iexportVersion         = iexportVersionGenerics
+
+	iexportVersionCurrent = 2
+)
+
+type ident struct {
+	pkg  *types.Package
+	name string
+}
+
+const predeclReserved = 32
+
+type itag uint64
+
+const (
+	// Types
+	definedType itag = iota
+	pointerType
+	sliceType
+	arrayType
+	chanType
+	mapType
+	signatureType
+	structType
+	interfaceType
+	typeParamType
+	instanceType
+	unionType
+	aliasType
+)
+
+// Object tags
+const (
+	varTag          = 'V'
+	funcTag         = 'F'
+	genericFuncTag  = 'G'
+	constTag        = 'C'
+	aliasTag        = 'A'
+	genericAliasTag = 'B'
+	typeParamTag    = 'P'
+	typeTag         = 'T'
+	genericTypeTag  = 'U'
+)
+
+// IImportData imports a package from the serialized package data
+// and returns 0 and a reference to the package.
+// If the export data version is not recognized or the format is otherwise
+// compromised, an error is returned.
+func IImportData(fset *token.FileSet, imports map[string]*types.Package, data []byte, path string) (int, *types.Package, error) {
+	pkgs, err := iimportCommon(fset, GetPackagesFromMap(imports), data, false, path, false, nil)
+	if err != nil {
+		return 0, nil, err
+	}
+	return 0, pkgs[0], nil
+}
+
+// IImportBundle imports a set of packages from the serialized package bundle.
+func IImportBundle(fset *token.FileSet, imports map[string]*types.Package, data []byte) ([]*types.Package, error) {
+	return iimportCommon(fset, GetPackagesFromMap(imports), data, true, "", false, nil)
+}
+
+// A GetPackagesFunc function obtains the non-nil symbols for a set of
+// packages, creating and recursively importing them as needed. An
+// implementation should store each package symbol is in the Pkg
+// field of the items array.
+//
+// Any error causes importing to fail. This can be used to quickly read
+// the import manifest of an export data file without fully decoding it.
+type GetPackagesFunc = func(items []GetPackagesItem) error
+
+// A GetPackagesItem is a request from the importer for the package
+// symbol of the specified name and path.
+type GetPackagesItem struct {
+	Name, Path string
+	Pkg        *types.Package // to be filled in by GetPackagesFunc call
+
+	// private importer state
+	pathOffset uint64
+	nameIndex  map[string]uint64
+}
+
+// GetPackagesFromMap returns a GetPackagesFunc that retrieves
+// packages from the given map of package path to package.
+//
+// The returned function may mutate m: each requested package that is not
+// found is created with types.NewPackage and inserted into m.
+func GetPackagesFromMap(m map[string]*types.Package) GetPackagesFunc {
+	return func(items []GetPackagesItem) error {
+		for i, item := range items {
+			pkg, ok := m[item.Path]
+			if !ok {
+				pkg = types.NewPackage(item.Path, item.Name)
+				m[item.Path] = pkg
+			}
+			items[i].Pkg = pkg
+		}
+		return nil
+	}
+}
+
+func iimportCommon(fset *token.FileSet, getPackages GetPackagesFunc, data []byte, bundle bool, path string, shallow bool, reportf ReportFunc) (pkgs []*types.Package, err error) {
+	const currentVersion = iexportVersionCurrent
+	version := int64(-1)
+	if !debug {
+		defer func() {
+			if e := recover(); e != nil {
+				if bundle {
+					err = fmt.Errorf("%v", e)
+				} else if version > currentVersion {
+					err = fmt.Errorf("cannot import %q (%v), export data is newer version - update tool", path, e)
+				} else {
+					err = fmt.Errorf("internal error while importing %q (%v); please report an issue", path, e)
+				}
+			}
+		}()
+	}
+
+	r := &intReader{bytes.NewReader(data), path}
+
+	if bundle {
+		if v := r.uint64(); v != bundleVersion {
+			errorf("unknown bundle format version %d", v)
+		}
+	}
+
+	version = int64(r.uint64())
+	switch version {
+	case iexportVersionGo1_18, iexportVersionPosCol, iexportVersionGo1_11:
+	default:
+		if version > iexportVersionGo1_18 {
+			errorf("unstable iexport format version %d, just rebuild compiler and std library", version)
+		} else {
+			errorf("unknown iexport format version %d", version)
+		}
+	}
+
+	sLen := int64(r.uint64())
+	var fLen int64
+	var fileOffset []uint64
+	if shallow {
+		// Shallow mode uses a different position encoding.
+		fLen = int64(r.uint64())
+		fileOffset = make([]uint64, r.uint64())
+		for i := range fileOffset {
+			fileOffset[i] = r.uint64()
+		}
+	}
+	dLen := int64(r.uint64())
+
+	whence, _ := r.Seek(0, io.SeekCurrent)
+	stringData := data[whence : whence+sLen]
+	fileData := data[whence+sLen : whence+sLen+fLen]
+	declData := data[whence+sLen+fLen : whence+sLen+fLen+dLen]
+	r.Seek(sLen+fLen+dLen, io.SeekCurrent)
+
+	p := iimporter{
+		version: int(version),
+		ipath:   path,
+		aliases: aliases.Enabled(),
+		shallow: shallow,
+		reportf: reportf,
+
+		stringData:  stringData,
+		stringCache: make(map[uint64]string),
+		fileOffset:  fileOffset,
+		fileData:    fileData,
+		fileCache:   make([]*token.File, len(fileOffset)),
+		pkgCache:    make(map[uint64]*types.Package),
+
+		declData: declData,
+		pkgIndex: make(map[*types.Package]map[string]uint64),
+		typCache: make(map[uint64]types.Type),
+		// Separate map for typeparams, keyed by their package and unique
+		// name.
+		tparamIndex: make(map[ident]types.Type),
+
+		fake: fakeFileSet{
+			fset:  fset,
+			files: make(map[string]*fileInfo),
+		},
+	}
+	defer p.fake.setLines() // set lines for files in fset
+
+	for i, pt := range predeclared() {
+		p.typCache[uint64(i)] = pt
+	}
+
+	// Gather the relevant packages from the manifest.
+	items := make([]GetPackagesItem, r.uint64())
+	uniquePkgPaths := make(map[string]bool)
+	for i := range items {
+		pkgPathOff := r.uint64()
+		pkgPath := p.stringAt(pkgPathOff)
+		pkgName := p.stringAt(r.uint64())
+		_ = r.uint64() // package height; unused by go/types
+
+		if pkgPath == "" {
+			pkgPath = path
+		}
+		items[i].Name = pkgName
+		items[i].Path = pkgPath
+		items[i].pathOffset = pkgPathOff
+
+		// Read index for package.
+		nameIndex := make(map[string]uint64)
+		nSyms := r.uint64()
+		// In shallow mode, only the current package (i=0) has an index.
+		assert(!(shallow && i > 0 && nSyms != 0))
+		for ; nSyms > 0; nSyms-- {
+			name := p.stringAt(r.uint64())
+			nameIndex[name] = r.uint64()
+		}
+
+		items[i].nameIndex = nameIndex
+
+		uniquePkgPaths[pkgPath] = true
+	}
+	// Debugging #63822; hypothesis: there are duplicate PkgPaths.
+	if len(uniquePkgPaths) != len(items) {
+		reportf("found duplicate PkgPaths while reading export data manifest: %v", items)
+	}
+
+	// Request packages all at once from the client,
+	// enabling a parallel implementation.
+	if err := getPackages(items); err != nil {
+		return nil, err // don't wrap this error
+	}
+
+	// Check the results and complete the index.
+	pkgList := make([]*types.Package, len(items))
+	for i, item := range items {
+		pkg := item.Pkg
+		if pkg == nil {
+			errorf("internal error: getPackages returned nil package for %q", item.Path)
+		} else if pkg.Path() != item.Path {
+			errorf("internal error: getPackages returned wrong path %q, want %q", pkg.Path(), item.Path)
+		} else if pkg.Name() != item.Name {
+			errorf("internal error: getPackages returned wrong name %s for package %q, want %s", pkg.Name(), item.Path, item.Name)
+		}
+		p.pkgCache[item.pathOffset] = pkg
+		p.pkgIndex[pkg] = item.nameIndex
+		pkgList[i] = pkg
+	}
+
+	if bundle {
+		pkgs = make([]*types.Package, r.uint64())
+		for i := range pkgs {
+			pkg := p.pkgAt(r.uint64())
+			imps := make([]*types.Package, r.uint64())
+			for j := range imps {
+				imps[j] = p.pkgAt(r.uint64())
+			}
+			pkg.SetImports(imps)
+			pkgs[i] = pkg
+		}
+	} else {
+		if len(pkgList) == 0 {
+			errorf("no packages found for %s", path)
+			panic("unreachable")
+		}
+		pkgs = pkgList[:1]
+
+		// record all referenced packages as imports
+		list := slices.Clone(pkgList[1:])
+		sort.Sort(byPath(list))
+		pkgs[0].SetImports(list)
+	}
+
+	for _, pkg := range pkgs {
+		if pkg.Complete() {
+			continue
+		}
+
+		names := make([]string, 0, len(p.pkgIndex[pkg]))
+		for name := range p.pkgIndex[pkg] {
+			names = append(names, name)
+		}
+		sort.Strings(names)
+		for _, name := range names {
+			p.doDecl(pkg, name)
+		}
+
+		// package was imported completely and without errors
+		pkg.MarkComplete()
+	}
+
+	// SetConstraint can't be called if the constraint type is not yet complete.
+	// When type params are created in the typeParamTag case of (*importReader).obj(),
+	// the associated constraint type may not be complete due to recursion.
+	// Therefore, we defer calling SetConstraint there, and call it here instead
+	// after all types are complete.
+	for _, d := range p.later {
+		d.t.SetConstraint(d.constraint)
+	}
+
+	for _, typ := range p.interfaceList {
+		typ.Complete()
+	}
+
+	// Workaround for golang/go#61561. See the doc for instanceList for details.
+	for _, typ := range p.instanceList {
+		if iface, _ := typ.Underlying().(*types.Interface); iface != nil {
+			iface.Complete()
+		}
+	}
+
+	return pkgs, nil
+}
+
+type setConstraintArgs struct {
+	t          *types.TypeParam
+	constraint types.Type
+}
+
+type iimporter struct {
+	version int
+	ipath   string
+
+	aliases bool
+	shallow bool
+	reportf ReportFunc // if non-nil, used to report bugs
+
+	stringData  []byte
+	stringCache map[uint64]string
+	fileOffset  []uint64 // fileOffset[i] is offset in fileData for info about file encoded as i
+	fileData    []byte
+	fileCache   []*token.File // memoized decoding of file encoded as i
+	pkgCache    map[uint64]*types.Package
+
+	declData    []byte
+	pkgIndex    map[*types.Package]map[string]uint64
+	typCache    map[uint64]types.Type
+	tparamIndex map[ident]types.Type
+
+	fake          fakeFileSet
+	interfaceList []*types.Interface
+
+	// Workaround for the go/types bug golang/go#61561: instances produced during
+	// instantiation may contain incomplete interfaces. Here we only complete the
+	// underlying type of the instance, which is the most common case but doesn't
+	// handle parameterized interface literals defined deeper in the type.
+	instanceList []types.Type // instances for later completion (see golang/go#61561)
+
+	// Arguments for calls to SetConstraint that are deferred due to recursive types
+	later []setConstraintArgs
+
+	indent int // for tracing support
+}
+
+func (p *iimporter) trace(format string, args ...any) {
+	if !trace {
+		// Call sites should also be guarded, but having this check here allows
+		// easily enabling/disabling debug trace statements.
+		return
+	}
+	fmt.Printf(strings.Repeat("..", p.indent)+format+"\n", args...)
+}
+
+func (p *iimporter) doDecl(pkg *types.Package, name string) {
+	if debug {
+		p.trace("import decl %s", name)
+		p.indent++
+		defer func() {
+			p.indent--
+			p.trace("=> %s", name)
+		}()
+	}
+	// See if we've already imported this declaration.
+	if obj := pkg.Scope().Lookup(name); obj != nil {
+		return
+	}
+
+	off, ok := p.pkgIndex[pkg][name]
+	if !ok {
+		// In deep mode, the index should be complete. In shallow
+		// mode, we should have already recursively loaded necessary
+		// dependencies so the above Lookup succeeds.
+		errorf("%v.%v not in index", pkg, name)
+	}
+
+	r := &importReader{p: p}
+	r.declReader.Reset(p.declData[off:])
+
+	r.obj(pkg, name)
+}
+
+func (p *iimporter) stringAt(off uint64) string {
+	if s, ok := p.stringCache[off]; ok {
+		return s
+	}
+
+	slen, n := binary.Uvarint(p.stringData[off:])
+	if n <= 0 {
+		errorf("varint failed")
+	}
+	spos := off + uint64(n)
+	s := string(p.stringData[spos : spos+slen])
+	p.stringCache[off] = s
+	return s
+}
+
+func (p *iimporter) fileAt(index uint64) *token.File {
+	file := p.fileCache[index]
+	if file == nil {
+		off := p.fileOffset[index]
+		file = p.decodeFile(intReader{bytes.NewReader(p.fileData[off:]), p.ipath})
+		p.fileCache[index] = file
+	}
+	return file
+}
+
+func (p *iimporter) decodeFile(rd intReader) *token.File {
+	filename := p.stringAt(rd.uint64())
+	size := int(rd.uint64())
+	file := p.fake.fset.AddFile(filename, -1, size)
+
+	// SetLines requires a nondecreasing sequence.
+	// Because it is common for clients to derive the interval
+	// [start, start+len(name)] from a start position, and we
+	// want to ensure that the end offset is on the same line,
+	// we fill in the gaps of the sparse encoding with values
+	// that strictly increase by the largest possible amount.
+	// This allows us to avoid having to record the actual end
+	// offset of each needed line.
+
+	lines := make([]int, int(rd.uint64()))
+	var index, offset int
+	for i, n := 0, int(rd.uint64()); i < n; i++ {
+		index += int(rd.uint64())
+		offset += int(rd.uint64())
+		lines[index] = offset
+
+		// Ensure monotonicity between points.
+		for j := index - 1; j > 0 && lines[j] == 0; j-- {
+			lines[j] = lines[j+1] - 1
+		}
+	}
+
+	// Ensure monotonicity after last point.
+	for j := len(lines) - 1; j > 0 && lines[j] == 0; j-- {
+		size--
+		lines[j] = size
+	}
+
+	if !file.SetLines(lines) {
+		errorf("SetLines failed: %d", lines) // can't happen
+	}
+	return file
+}
+
+func (p *iimporter) pkgAt(off uint64) *types.Package {
+	if pkg, ok := p.pkgCache[off]; ok {
+		return pkg
+	}
+	path := p.stringAt(off)
+	errorf("missing package %q in %q", path, p.ipath)
+	return nil
+}
+
+func (p *iimporter) typAt(off uint64, base *types.Named) types.Type {
+	if t, ok := p.typCache[off]; ok && canReuse(base, t) {
+		return t
+	}
+
+	if off < predeclReserved {
+		errorf("predeclared type missing from cache: %v", off)
+	}
+
+	r := &importReader{p: p}
+	r.declReader.Reset(p.declData[off-predeclReserved:])
+	t := r.doType(base)
+
+	if canReuse(base, t) {
+		p.typCache[off] = t
+	}
+	return t
+}
+
+// canReuse reports whether the type rhs on the RHS of the declaration for def
+// may be re-used.
+//
+// Specifically, if def is non-nil and rhs is an interface type with methods, it
+// may not be re-used because we have a convention of setting the receiver type
+// for interface methods to def.
+func canReuse(def *types.Named, rhs types.Type) bool {
+	if def == nil {
+		return true
+	}
+	iface, _ := types.Unalias(rhs).(*types.Interface)
+	if iface == nil {
+		return true
+	}
+	// Don't use iface.Empty() here as iface may not be complete.
+	return iface.NumEmbeddeds() == 0 && iface.NumExplicitMethods() == 0
+}
+
+type importReader struct {
+	p          *iimporter
+	declReader bytes.Reader
+	prevFile   string
+	prevLine   int64
+	prevColumn int64
+}
+
+// markBlack is redefined in iimport_go123.go, to work around golang/go#69912.
+//
+// If TypeNames are not marked black (in the sense of go/types cycle
+// detection), they may be mutated when dot-imported. Fix this by punching a
+// hole through the type, when compiling with Go 1.23. (The bug has been fixed
+// for 1.24, but the fix was not worth back-porting).
+var markBlack = func(name *types.TypeName) {}
+
+// obj decodes and declares the package-level object denoted by (pkg, name).
+func (r *importReader) obj(pkg *types.Package, name string) {
+	tag := r.byte()
+	pos := r.pos()
+
+	switch tag {
+	case aliasTag, genericAliasTag:
+		var tparams []*types.TypeParam
+		if tag == genericAliasTag {
+			tparams = r.tparamList()
+		}
+		typ := r.typ()
+		obj := aliases.NewAlias(r.p.aliases, pos, pkg, name, typ, tparams)
+		markBlack(obj) // workaround for golang/go#69912
+		r.declare(obj)
+
+	case constTag:
+		typ, val := r.value()
+
+		r.declare(types.NewConst(pos, pkg, name, typ, val))
+
+	case funcTag, genericFuncTag:
+		var tparams []*types.TypeParam
+		if tag == genericFuncTag {
+			tparams = r.tparamList()
+		}
+		sig := r.signature(pkg, nil, nil, tparams)
+		r.declare(types.NewFunc(pos, pkg, name, sig))
+
+	case typeTag, genericTypeTag:
+		// Types can be recursive. We need to setup a stub
+		// declaration before recursing.
+		obj := types.NewTypeName(pos, pkg, name, nil)
+		named := types.NewNamed(obj, nil, nil)
+
+		markBlack(obj) // workaround for golang/go#69912
+
+		// Declare obj before calling r.tparamList, so the new type name is recognized
+		// if used in the constraint of one of its own typeparams (see #48280).
+		r.declare(obj)
+		if tag == genericTypeTag {
+			tparams := r.tparamList()
+			named.SetTypeParams(tparams)
+		}
+
+		underlying := r.p.typAt(r.uint64(), named).Underlying()
+		named.SetUnderlying(underlying)
+
+		if !isInterface(underlying) {
+			for n := r.uint64(); n > 0; n-- {
+				mpos := r.pos()
+				mname := r.ident()
+				recv := r.param(pkg)
+
+				// If the receiver has any targs, set those as the
+				// rparams of the method (since those are the
+				// typeparams being used in the method sig/body).
+				_, recvNamed := typesinternal.ReceiverNamed(recv)
+				targs := recvNamed.TypeArgs()
+				var rparams []*types.TypeParam
+				if targs.Len() > 0 {
+					rparams = make([]*types.TypeParam, targs.Len())
+					for i := range rparams {
+						rparams[i] = types.Unalias(targs.At(i)).(*types.TypeParam)
+					}
+				}
+				msig := r.signature(pkg, recv, rparams, nil)
+
+				named.AddMethod(types.NewFunc(mpos, pkg, mname, msig))
+			}
+		}
+
+	case typeParamTag:
+		// We need to "declare" a typeparam in order to have a name that
+		// can be referenced recursively (if needed) in the type param's
+		// bound.
+		if r.p.version < iexportVersionGenerics {
+			errorf("unexpected type param type")
+		}
+		name0 := tparamName(name)
+		tn := types.NewTypeName(pos, pkg, name0, nil)
+		t := types.NewTypeParam(tn, nil)
+
+		// To handle recursive references to the typeparam within its
+		// bound, save the partial type in tparamIndex before reading the bounds.
+		id := ident{pkg, name}
+		r.p.tparamIndex[id] = t
+		var implicit bool
+		if r.p.version >= iexportVersionGo1_18 {
+			implicit = r.bool()
+		}
+		constraint := r.typ()
+		if implicit {
+			iface, _ := types.Unalias(constraint).(*types.Interface)
+			if iface == nil {
+				errorf("non-interface constraint marked implicit")
+			}
+			iface.MarkImplicit()
+		}
+		// The constraint type may not be complete, if we
+		// are in the middle of a type recursion involving type
+		// constraints. So, we defer SetConstraint until we have
+		// completely set up all types in ImportData.
+		r.p.later = append(r.p.later, setConstraintArgs{t: t, constraint: constraint})
+
+	case varTag:
+		typ := r.typ()
+
+		v := types.NewVar(pos, pkg, name, typ)
+		typesinternal.SetVarKind(v, typesinternal.PackageVar)
+		r.declare(v)
+
+	default:
+		errorf("unexpected tag: %v", tag)
+	}
+}
+
+func (r *importReader) declare(obj types.Object) {
+	obj.Pkg().Scope().Insert(obj)
+}
+
+func (r *importReader) value() (typ types.Type, val constant.Value) {
+	typ = r.typ()
+	if r.p.version >= iexportVersionGo1_18 {
+		// TODO: add support for using the kind.
+		_ = constant.Kind(r.int64())
+	}
+
+	switch b := typ.Underlying().(*types.Basic); b.Info() & types.IsConstType {
+	case types.IsBoolean:
+		val = constant.MakeBool(r.bool())
+
+	case types.IsString:
+		val = constant.MakeString(r.string())
+
+	case types.IsInteger:
+		var x big.Int
+		r.mpint(&x, b)
+		val = constant.Make(&x)
+
+	case types.IsFloat:
+		val = r.mpfloat(b)
+
+	case types.IsComplex:
+		re := r.mpfloat(b)
+		im := r.mpfloat(b)
+		val = constant.BinaryOp(re, token.ADD, constant.MakeImag(im))
+
+	default:
+		if b.Kind() == types.Invalid {
+			val = constant.MakeUnknown()
+			return
+		}
+		errorf("unexpected type %v", typ) // panics
+		panic("unreachable")
+	}
+
+	return
+}
+
+func intSize(b *types.Basic) (signed bool, maxBytes uint) {
+	if (b.Info() & types.IsUntyped) != 0 {
+		return true, 64
+	}
+
+	switch b.Kind() {
+	case types.Float32, types.Complex64:
+		return true, 3
+	case types.Float64, types.Complex128:
+		return true, 7
+	}
+
+	signed = (b.Info() & types.IsUnsigned) == 0
+	switch b.Kind() {
+	case types.Int8, types.Uint8:
+		maxBytes = 1
+	case types.Int16, types.Uint16:
+		maxBytes = 2
+	case types.Int32, types.Uint32:
+		maxBytes = 4
+	default:
+		maxBytes = 8
+	}
+
+	return
+}
+
+func (r *importReader) mpint(x *big.Int, typ *types.Basic) {
+	signed, maxBytes := intSize(typ)
+
+	maxSmall := 256 - maxBytes
+	if signed {
+		maxSmall = 256 - 2*maxBytes
+	}
+	if maxBytes == 1 {
+		maxSmall = 256
+	}
+
+	n, _ := r.declReader.ReadByte()
+	if uint(n) < maxSmall {
+		v := int64(n)
+		if signed {
+			v >>= 1
+			if n&1 != 0 {
+				v = ^v
+			}
+		}
+		x.SetInt64(v)
+		return
+	}
+
+	v := -n
+	if signed {
+		v = -(n &^ 1) >> 1
+	}
+	if v < 1 || uint(v) > maxBytes {
+		errorf("weird decoding: %v, %v => %v", n, signed, v)
+	}
+	b := make([]byte, v)
+	io.ReadFull(&r.declReader, b)
+	x.SetBytes(b)
+	if signed && n&1 != 0 {
+		x.Neg(x)
+	}
+}
+
+func (r *importReader) mpfloat(typ *types.Basic) constant.Value {
+	var mant big.Int
+	r.mpint(&mant, typ)
+	var f big.Float
+	f.SetInt(&mant)
+	if f.Sign() != 0 {
+		f.SetMantExp(&f, int(r.int64()))
+	}
+	return constant.Make(&f)
+}
+
+func (r *importReader) ident() string {
+	return r.string()
+}
+
+func (r *importReader) qualifiedIdent() (*types.Package, string) {
+	name := r.string()
+	pkg := r.pkg()
+	return pkg, name
+}
+
+func (r *importReader) pos() token.Pos {
+	if r.p.shallow {
+		// precise offsets are encoded only in shallow mode
+		return r.posv2()
+	}
+	if r.p.version >= iexportVersionPosCol {
+		r.posv1()
+	} else {
+		r.posv0()
+	}
+
+	if r.prevFile == "" && r.prevLine == 0 && r.prevColumn == 0 {
+		return token.NoPos
+	}
+	return r.p.fake.pos(r.prevFile, int(r.prevLine), int(r.prevColumn))
+}
+
+func (r *importReader) posv0() {
+	delta := r.int64()
+	if delta != deltaNewFile {
+		r.prevLine += delta
+	} else if l := r.int64(); l == -1 {
+		r.prevLine += deltaNewFile
+	} else {
+		r.prevFile = r.string()
+		r.prevLine = l
+	}
+}
+
+func (r *importReader) posv1() {
+	delta := r.int64()
+	r.prevColumn += delta >> 1
+	if delta&1 != 0 {
+		delta = r.int64()
+		r.prevLine += delta >> 1
+		if delta&1 != 0 {
+			r.prevFile = r.string()
+		}
+	}
+}
+
+func (r *importReader) posv2() token.Pos {
+	file := r.uint64()
+	if file == 0 {
+		return token.NoPos
+	}
+	tf := r.p.fileAt(file - 1)
+	return tf.Pos(int(r.uint64()))
+}
+
+func (r *importReader) typ() types.Type {
+	return r.p.typAt(r.uint64(), nil)
+}
+
+func isInterface(t types.Type) bool {
+	_, ok := types.Unalias(t).(*types.Interface)
+	return ok
+}
+
+func (r *importReader) pkg() *types.Package { return r.p.pkgAt(r.uint64()) }
+func (r *importReader) string() string      { return r.p.stringAt(r.uint64()) }
+
+func (r *importReader) doType(base *types.Named) (res types.Type) {
+	k := r.kind()
+	if debug {
+		r.p.trace("importing type %d (base: %v)", k, base)
+		r.p.indent++
+		defer func() {
+			r.p.indent--
+			r.p.trace("=> %s", res)
+		}()
+	}
+	switch k {
+	default:
+		errorf("unexpected kind tag in %q: %v", r.p.ipath, k)
+		return nil
+
+	case aliasType, definedType:
+		pkg, name := r.qualifiedIdent()
+		r.p.doDecl(pkg, name)
+		return pkg.Scope().Lookup(name).(*types.TypeName).Type()
+	case pointerType:
+		return types.NewPointer(r.typ())
+	case sliceType:
+		return types.NewSlice(r.typ())
+	case arrayType:
+		n := r.uint64()
+		return types.NewArray(r.typ(), int64(n))
+	case chanType:
+		dir := chanDir(int(r.uint64()))
+		return types.NewChan(dir, r.typ())
+	case mapType:
+		return types.NewMap(r.typ(), r.typ())
+	case signatureType:
+		paramPkg := r.pkg()
+		return r.signature(paramPkg, nil, nil, nil)
+
+	case structType:
+		fieldPkg := r.pkg()
+
+		fields := make([]*types.Var, r.uint64())
+		tags := make([]string, len(fields))
+		for i := range fields {
+			var field *types.Var
+			if r.p.shallow {
+				field, _ = r.objectPathObject().(*types.Var)
+			}
+
+			fpos := r.pos()
+			fname := r.ident()
+			ftyp := r.typ()
+			emb := r.bool()
+			tag := r.string()
+
+			// Either this is not a shallow import, the field is local, or the
+			// encoded objectPath failed to produce an object (a bug).
+			//
+			// Even in this last, buggy case, fall back on creating a new field. As
+			// discussed in iexport.go, this is not correct, but mostly works and is
+			// preferable to failing (for now at least).
+			if field == nil {
+				field = types.NewField(fpos, fieldPkg, fname, ftyp, emb)
+			}
+
+			fields[i] = field
+			tags[i] = tag
+		}
+		return types.NewStruct(fields, tags)
+
+	case interfaceType:
+		methodPkg := r.pkg() // qualifies methods and their param/result vars
+
+		embeddeds := make([]types.Type, r.uint64())
+		for i := range embeddeds {
+			_ = r.pos()
+			embeddeds[i] = r.typ()
+		}
+
+		methods := make([]*types.Func, r.uint64())
+		for i := range methods {
+			var method *types.Func
+			if r.p.shallow {
+				method, _ = r.objectPathObject().(*types.Func)
+			}
+
+			mpos := r.pos()
+			mname := r.ident()
+
+			// TODO(mdempsky): Matches bimport.go, but I
+			// don't agree with this.
+			var recv *types.Var
+			if base != nil {
+				recv = types.NewVar(token.NoPos, methodPkg, "", base)
+			}
+			msig := r.signature(methodPkg, recv, nil, nil)
+
+			if method == nil {
+				method = types.NewFunc(mpos, methodPkg, mname, msig)
+			}
+			methods[i] = method
+		}
+
+		typ := types.NewInterfaceType(methods, embeddeds)
+		r.p.interfaceList = append(r.p.interfaceList, typ)
+		return typ
+
+	case typeParamType:
+		if r.p.version < iexportVersionGenerics {
+			errorf("unexpected type param type")
+		}
+		pkg, name := r.qualifiedIdent()
+		id := ident{pkg, name}
+		if t, ok := r.p.tparamIndex[id]; ok {
+			// We're already in the process of importing this typeparam.
+			return t
+		}
+		// Otherwise, import the definition of the typeparam now.
+		r.p.doDecl(pkg, name)
+		return r.p.tparamIndex[id]
+
+	case instanceType:
+		if r.p.version < iexportVersionGenerics {
+			errorf("unexpected instantiation type")
+		}
+		// pos does not matter for instances: they are positioned on the original
+		// type.
+		_ = r.pos()
+		len := r.uint64()
+		targs := make([]types.Type, len)
+		for i := range targs {
+			targs[i] = r.typ()
+		}
+		baseType := r.typ()
+		// The imported instantiated type doesn't include any methods, so
+		// we must always use the methods of the base (orig) type.
+		// TODO provide a non-nil *Environment
+		t, _ := types.Instantiate(nil, baseType, targs, false)
+
+		// Workaround for golang/go#61561. See the doc for instanceList for details.
+		r.p.instanceList = append(r.p.instanceList, t)
+		return t
+
+	case unionType:
+		if r.p.version < iexportVersionGenerics {
+			errorf("unexpected instantiation type")
+		}
+		terms := make([]*types.Term, r.uint64())
+		for i := range terms {
+			terms[i] = types.NewTerm(r.bool(), r.typ())
+		}
+		return types.NewUnion(terms)
+	}
+}
+
+func (r *importReader) kind() itag {
+	return itag(r.uint64())
+}
+
+// objectPathObject is the inverse of exportWriter.objectPath.
+//
+// In shallow mode, certain fields and methods may need to be looked up in an
+// imported package. See the doc for exportWriter.objectPath for a full
+// explanation.
+func (r *importReader) objectPathObject() types.Object {
+	objPath := objectpath.Path(r.string())
+	if objPath == "" {
+		return nil
+	}
+	pkg := r.pkg()
+	obj, err := objectpath.Object(pkg, objPath)
+	if err != nil {
+		if r.p.reportf != nil {
+			r.p.reportf("failed to find object for objectPath %q: %v", objPath, err)
+		}
+	}
+	return obj
+}
+
+func (r *importReader) signature(paramPkg *types.Package, recv *types.Var, rparams []*types.TypeParam, tparams []*types.TypeParam) *types.Signature {
+	params := r.paramList(paramPkg)
+	results := r.paramList(paramPkg)
+	variadic := params.Len() > 0 && r.bool()
+	return types.NewSignatureType(recv, rparams, tparams, params, results, variadic)
+}
+
+func (r *importReader) tparamList() []*types.TypeParam {
+	n := r.uint64()
+	if n == 0 {
+		return nil
+	}
+	xs := make([]*types.TypeParam, n)
+	for i := range xs {
+		// Note: the standard library importer is tolerant of nil types here,
+		// though would panic in SetTypeParams.
+		xs[i] = types.Unalias(r.typ()).(*types.TypeParam)
+	}
+	return xs
+}
+
+func (r *importReader) paramList(pkg *types.Package) *types.Tuple {
+	xs := make([]*types.Var, r.uint64())
+	for i := range xs {
+		xs[i] = r.param(pkg)
+	}
+	return types.NewTuple(xs...)
+}
+
+func (r *importReader) param(pkg *types.Package) *types.Var {
+	pos := r.pos()
+	name := r.ident()
+	typ := r.typ()
+	return types.NewParam(pos, pkg, name, typ)
+}
+
+func (r *importReader) bool() bool {
+	return r.uint64() != 0
+}
+
+func (r *importReader) int64() int64 {
+	n, err := binary.ReadVarint(&r.declReader)
+	if err != nil {
+		errorf("readVarint: %v", err)
+	}
+	return n
+}
+
+func (r *importReader) uint64() uint64 {
+	n, err := binary.ReadUvarint(&r.declReader)
+	if err != nil {
+		errorf("readUvarint: %v", err)
+	}
+	return n
+}
+
+func (r *importReader) byte() byte {
+	x, err := r.declReader.ReadByte()
+	if err != nil {
+		errorf("declReader.ReadByte: %v", err)
+	}
+	return x
+}
+
+type byPath []*types.Package
+
+func (a byPath) Len() int           { return len(a) }
+func (a byPath) Swap(i, j int)      { a[i], a[j] = a[j], a[i] }
+func (a byPath) Less(i, j int) bool { return a[i].Path() < a[j].Path() }
diff --git a/vendor/golang.org/x/tools/internal/gcimporter/predeclared.go b/vendor/golang.org/x/tools/internal/gcimporter/predeclared.go
new file mode 100644
index 0000000000..907c8557a5
--- /dev/null
+++ b/vendor/golang.org/x/tools/internal/gcimporter/predeclared.go
@@ -0,0 +1,91 @@
+// Copyright 2024 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package gcimporter
+
+import (
+	"go/types"
+	"sync"
+)
+
+// predecl is a cache for the predeclared types in types.Universe.
+//
+// Cache a distinct result based on the runtime value of any.
+// The pointer value of the any type varies based on GODEBUG settings.
+var predeclMu sync.Mutex
+var predecl map[types.Type][]types.Type
+
+func predeclared() []types.Type {
+	anyt := types.Universe.Lookup("any").Type()
+
+	predeclMu.Lock()
+	defer predeclMu.Unlock()
+
+	if pre, ok := predecl[anyt]; ok {
+		return pre
+	}
+
+	if predecl == nil {
+		predecl = make(map[types.Type][]types.Type)
+	}
+
+	decls := []types.Type{ // basic types
+		types.Typ[types.Bool],
+		types.Typ[types.Int],
+		types.Typ[types.Int8],
+		types.Typ[types.Int16],
+		types.Typ[types.Int32],
+		types.Typ[types.Int64],
+		types.Typ[types.Uint],
+		types.Typ[types.Uint8],
+		types.Typ[types.Uint16],
+		types.Typ[types.Uint32],
+		types.Typ[types.Uint64],
+		types.Typ[types.Uintptr],
+		types.Typ[types.Float32],
+		types.Typ[types.Float64],
+		types.Typ[types.Complex64],
+		types.Typ[types.Complex128],
+		types.Typ[types.String],
+
+		// basic type aliases
+		types.Universe.Lookup("byte").Type(),
+		types.Universe.Lookup("rune").Type(),
+
+		// error
+		types.Universe.Lookup("error").Type(),
+
+		// untyped types
+		types.Typ[types.UntypedBool],
+		types.Typ[types.UntypedInt],
+		types.Typ[types.UntypedRune],
+		types.Typ[types.UntypedFloat],
+		types.Typ[types.UntypedComplex],
+		types.Typ[types.UntypedString],
+		types.Typ[types.UntypedNil],
+
+		// package unsafe
+		types.Typ[types.UnsafePointer],
+
+		// invalid type
+		types.Typ[types.Invalid], // only appears in packages with errors
+
+		// used internally by gc; never used by this package or in .a files
+		anyType{},
+
+		// comparable
+		types.Universe.Lookup("comparable").Type(),
+
+		// any
+		anyt,
+	}
+
+	predecl[anyt] = decls
+	return decls
+}
+
+type anyType struct{}
+
+func (t anyType) Underlying() types.Type { return t }
+func (t anyType) String() string         { return "any" }
diff --git a/vendor/golang.org/x/tools/internal/gcimporter/support.go b/vendor/golang.org/x/tools/internal/gcimporter/support.go
new file mode 100644
index 0000000000..4af810dc41
--- /dev/null
+++ b/vendor/golang.org/x/tools/internal/gcimporter/support.go
@@ -0,0 +1,30 @@
+// Copyright 2024 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package gcimporter
+
+import (
+	"bufio"
+	"io"
+	"strconv"
+	"strings"
+)
+
+// Copy of $GOROOT/src/cmd/internal/archive.ReadHeader.
+func readArchiveHeader(b *bufio.Reader, name string) int {
+	// architecture-independent object file output
+	const HeaderSize = 60
+
+	var buf [HeaderSize]byte
+	if _, err := io.ReadFull(b, buf[:]); err != nil {
+		return -1
+	}
+	aname := strings.Trim(string(buf[0:16]), " ")
+	if !strings.HasPrefix(aname, name) {
+		return -1
+	}
+	asize := strings.Trim(string(buf[48:58]), " ")
+	i, _ := strconv.Atoi(asize)
+	return i
+}
diff --git a/vendor/golang.org/x/tools/internal/gcimporter/ureader_yes.go b/vendor/golang.org/x/tools/internal/gcimporter/ureader_yes.go
new file mode 100644
index 0000000000..37b4a39e9e
--- /dev/null
+++ b/vendor/golang.org/x/tools/internal/gcimporter/ureader_yes.go
@@ -0,0 +1,761 @@
+// Copyright 2021 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Derived from go/internal/gcimporter/ureader.go
+
+package gcimporter
+
+import (
+	"fmt"
+	"go/token"
+	"go/types"
+	"sort"
+
+	"golang.org/x/tools/internal/aliases"
+	"golang.org/x/tools/internal/pkgbits"
+	"golang.org/x/tools/internal/typesinternal"
+)
+
+// A pkgReader holds the shared state for reading a unified IR package
+// description.
+type pkgReader struct {
+	pkgbits.PkgDecoder
+
+	fake fakeFileSet
+
+	ctxt    *types.Context
+	imports map[string]*types.Package // previously imported packages, indexed by path
+	aliases bool                      // create types.Alias nodes
+
+	// lazily initialized arrays corresponding to the unified IR
+	// PosBase, Pkg, and Type sections, respectively.
+	posBases []string // position bases (i.e., file names)
+	pkgs     []*types.Package
+	typs     []types.Type
+
+	// laterFns holds functions that need to be invoked at the end of
+	// import reading.
+	laterFns []func()
+	// laterFors is used in case of 'type A B' to ensure that B is processed before A.
+	laterFors map[types.Type]int
+
+	// ifaces holds a list of constructed Interfaces, which need to have
+	// Complete called after importing is done.
+	ifaces []*types.Interface
+}
+
+// later adds a function to be invoked at the end of import reading.
+func (pr *pkgReader) later(fn func()) {
+	pr.laterFns = append(pr.laterFns, fn)
+}
+
+// See cmd/compile/internal/noder.derivedInfo.
+type derivedInfo struct {
+	idx pkgbits.Index
+}
+
+// See cmd/compile/internal/noder.typeInfo.
+type typeInfo struct {
+	idx     pkgbits.Index
+	derived bool
+}
+
+func UImportData(fset *token.FileSet, imports map[string]*types.Package, data []byte, path string) (_ int, pkg *types.Package, err error) {
+	if !debug {
+		defer func() {
+			if x := recover(); x != nil {
+				err = fmt.Errorf("internal error in importing %q (%v); please report an issue", path, x)
+			}
+		}()
+	}
+
+	s := string(data)
+	input := pkgbits.NewPkgDecoder(path, s)
+	pkg = readUnifiedPackage(fset, nil, imports, input)
+	return
+}
+
+// laterFor adds a function to be invoked at the end of import reading, and records the type that function is finishing.
+func (pr *pkgReader) laterFor(t types.Type, fn func()) {
+	if pr.laterFors == nil {
+		pr.laterFors = make(map[types.Type]int)
+	}
+	pr.laterFors[t] = len(pr.laterFns)
+	pr.laterFns = append(pr.laterFns, fn)
+}
+
+// readUnifiedPackage reads a package description from the given
+// unified IR export data decoder.
+func readUnifiedPackage(fset *token.FileSet, ctxt *types.Context, imports map[string]*types.Package, input pkgbits.PkgDecoder) *types.Package {
+	pr := pkgReader{
+		PkgDecoder: input,
+
+		fake: fakeFileSet{
+			fset:  fset,
+			files: make(map[string]*fileInfo),
+		},
+
+		ctxt:    ctxt,
+		imports: imports,
+		aliases: aliases.Enabled(),
+
+		posBases: make([]string, input.NumElems(pkgbits.RelocPosBase)),
+		pkgs:     make([]*types.Package, input.NumElems(pkgbits.RelocPkg)),
+		typs:     make([]types.Type, input.NumElems(pkgbits.RelocType)),
+	}
+	defer pr.fake.setLines()
+
+	r := pr.newReader(pkgbits.RelocMeta, pkgbits.PublicRootIdx, pkgbits.SyncPublic)
+	pkg := r.pkg()
+	if r.Version().Has(pkgbits.HasInit) {
+		r.Bool()
+	}
+
+	for i, n := 0, r.Len(); i < n; i++ {
+		// As if r.obj(), but avoiding the Scope.Lookup call,
+		// to avoid eager loading of imports.
+		r.Sync(pkgbits.SyncObject)
+		if r.Version().Has(pkgbits.DerivedFuncInstance) {
+			assert(!r.Bool())
+		}
+		r.p.objIdx(r.Reloc(pkgbits.RelocObj))
+		assert(r.Len() == 0)
+	}
+
+	r.Sync(pkgbits.SyncEOF)
+
+	for _, fn := range pr.laterFns {
+		fn()
+	}
+
+	for _, iface := range pr.ifaces {
+		iface.Complete()
+	}
+
+	// Imports() of pkg are all of the transitive packages that were loaded.
+	var imps []*types.Package
+	for _, imp := range pr.pkgs {
+		if imp != nil && imp != pkg {
+			imps = append(imps, imp)
+		}
+	}
+	sort.Sort(byPath(imps))
+	pkg.SetImports(imps)
+
+	pkg.MarkComplete()
+	return pkg
+}
+
+// A reader holds the state for reading a single unified IR element
+// within a package.
+type reader struct {
+	pkgbits.Decoder
+
+	p *pkgReader
+
+	dict *readerDict
+}
+
+// A readerDict holds the state for type parameters that parameterize
+// the current unified IR element.
+type readerDict struct {
+	// bounds is a slice of typeInfos corresponding to the underlying
+	// bounds of the element's type parameters.
+	bounds []typeInfo
+
+	// tparams is a slice of the constructed TypeParams for the element.
+	tparams []*types.TypeParam
+
+	// derived is a slice of types derived from tparams, which may be
+	// instantiated while reading the current element.
+	derived      []derivedInfo
+	derivedTypes []types.Type // lazily instantiated from derived
+}
+
+func (pr *pkgReader) newReader(k pkgbits.RelocKind, idx pkgbits.Index, marker pkgbits.SyncMarker) *reader {
+	return &reader{
+		Decoder: pr.NewDecoder(k, idx, marker),
+		p:       pr,
+	}
+}
+
+func (pr *pkgReader) tempReader(k pkgbits.RelocKind, idx pkgbits.Index, marker pkgbits.SyncMarker) *reader {
+	return &reader{
+		Decoder: pr.TempDecoder(k, idx, marker),
+		p:       pr,
+	}
+}
+
+func (pr *pkgReader) retireReader(r *reader) {
+	pr.RetireDecoder(&r.Decoder)
+}
+
+// @@@ Positions
+
+func (r *reader) pos() token.Pos {
+	r.Sync(pkgbits.SyncPos)
+	if !r.Bool() {
+		return token.NoPos
+	}
+
+	// TODO(mdempsky): Delta encoding.
+	posBase := r.posBase()
+	line := r.Uint()
+	col := r.Uint()
+	return r.p.fake.pos(posBase, int(line), int(col))
+}
+
+func (r *reader) posBase() string {
+	return r.p.posBaseIdx(r.Reloc(pkgbits.RelocPosBase))
+}
+
+func (pr *pkgReader) posBaseIdx(idx pkgbits.Index) string {
+	if b := pr.posBases[idx]; b != "" {
+		return b
+	}
+
+	var filename string
+	{
+		r := pr.tempReader(pkgbits.RelocPosBase, idx, pkgbits.SyncPosBase)
+
+		// Within types2, position bases have a lot more details (e.g.,
+		// keeping track of where //line directives appeared exactly).
+		//
+		// For go/types, we just track the file name.
+
+		filename = r.String()
+
+		if r.Bool() { // file base
+			// Was: "b = token.NewTrimmedFileBase(filename, true)"
+		} else { // line base
+			pos := r.pos()
+			line := r.Uint()
+			col := r.Uint()
+
+			// Was: "b = token.NewLineBase(pos, filename, true, line, col)"
+			_, _, _ = pos, line, col
+		}
+		pr.retireReader(r)
+	}
+	b := filename
+	pr.posBases[idx] = b
+	return b
+}
+
+// @@@ Packages
+
+func (r *reader) pkg() *types.Package {
+	r.Sync(pkgbits.SyncPkg)
+	return r.p.pkgIdx(r.Reloc(pkgbits.RelocPkg))
+}
+
+func (pr *pkgReader) pkgIdx(idx pkgbits.Index) *types.Package {
+	// TODO(mdempsky): Consider using some non-nil pointer to indicate
+	// the universe scope, so we don't need to keep re-reading it.
+	if pkg := pr.pkgs[idx]; pkg != nil {
+		return pkg
+	}
+
+	pkg := pr.newReader(pkgbits.RelocPkg, idx, pkgbits.SyncPkgDef).doPkg()
+	pr.pkgs[idx] = pkg
+	return pkg
+}
+
+func (r *reader) doPkg() *types.Package {
+	path := r.String()
+	switch path {
+	// cmd/compile emits path="main" for main packages because
+	// that's the linker symbol prefix it used; but we need
+	// the package's path as it would be reported by go list,
+	// hence "main" below.
+	// See test at go/packages.TestMainPackagePathInModeTypes.
+	case "", "main":
+		path = r.p.PkgPath()
+	case "builtin":
+		return nil // universe
+	case "unsafe":
+		return types.Unsafe
+	}
+
+	if pkg := r.p.imports[path]; pkg != nil {
+		return pkg
+	}
+
+	name := r.String()
+
+	pkg := types.NewPackage(path, name)
+	r.p.imports[path] = pkg
+
+	return pkg
+}
+
+// @@@ Types
+
+func (r *reader) typ() types.Type {
+	return r.p.typIdx(r.typInfo(), r.dict)
+}
+
+func (r *reader) typInfo() typeInfo {
+	r.Sync(pkgbits.SyncType)
+	if r.Bool() {
+		return typeInfo{idx: pkgbits.Index(r.Len()), derived: true}
+	}
+	return typeInfo{idx: r.Reloc(pkgbits.RelocType), derived: false}
+}
+
+func (pr *pkgReader) typIdx(info typeInfo, dict *readerDict) types.Type {
+	idx := info.idx
+	var where *types.Type
+	if info.derived {
+		where = &dict.derivedTypes[idx]
+		idx = dict.derived[idx].idx
+	} else {
+		where = &pr.typs[idx]
+	}
+
+	if typ := *where; typ != nil {
+		return typ
+	}
+
+	var typ types.Type
+	{
+		r := pr.tempReader(pkgbits.RelocType, idx, pkgbits.SyncTypeIdx)
+		r.dict = dict
+
+		typ = r.doTyp()
+		assert(typ != nil)
+		pr.retireReader(r)
+	}
+	// See comment in pkgReader.typIdx explaining how this happens.
+	if prev := *where; prev != nil {
+		return prev
+	}
+
+	*where = typ
+	return typ
+}
+
+func (r *reader) doTyp() (res types.Type) {
+	switch tag := pkgbits.CodeType(r.Code(pkgbits.SyncType)); tag {
+	default:
+		errorf("unhandled type tag: %v", tag)
+		panic("unreachable")
+
+	case pkgbits.TypeBasic:
+		return types.Typ[r.Len()]
+
+	case pkgbits.TypeNamed:
+		obj, targs := r.obj()
+		name := obj.(*types.TypeName)
+		if len(targs) != 0 {
+			t, _ := types.Instantiate(r.p.ctxt, name.Type(), targs, false)
+			return t
+		}
+		return name.Type()
+
+	case pkgbits.TypeTypeParam:
+		return r.dict.tparams[r.Len()]
+
+	case pkgbits.TypeArray:
+		len := int64(r.Uint64())
+		return types.NewArray(r.typ(), len)
+	case pkgbits.TypeChan:
+		dir := types.ChanDir(r.Len())
+		return types.NewChan(dir, r.typ())
+	case pkgbits.TypeMap:
+		return types.NewMap(r.typ(), r.typ())
+	case pkgbits.TypePointer:
+		return types.NewPointer(r.typ())
+	case pkgbits.TypeSignature:
+		return r.signature(nil, nil, nil)
+	case pkgbits.TypeSlice:
+		return types.NewSlice(r.typ())
+	case pkgbits.TypeStruct:
+		return r.structType()
+	case pkgbits.TypeInterface:
+		return r.interfaceType()
+	case pkgbits.TypeUnion:
+		return r.unionType()
+	}
+}
+
+func (r *reader) structType() *types.Struct {
+	fields := make([]*types.Var, r.Len())
+	var tags []string
+	for i := range fields {
+		pos := r.pos()
+		pkg, name := r.selector()
+		ftyp := r.typ()
+		tag := r.String()
+		embedded := r.Bool()
+
+		fields[i] = types.NewField(pos, pkg, name, ftyp, embedded)
+		if tag != "" {
+			for len(tags) < i {
+				tags = append(tags, "")
+			}
+			tags = append(tags, tag)
+		}
+	}
+	return types.NewStruct(fields, tags)
+}
+
+func (r *reader) unionType() *types.Union {
+	terms := make([]*types.Term, r.Len())
+	for i := range terms {
+		terms[i] = types.NewTerm(r.Bool(), r.typ())
+	}
+	return types.NewUnion(terms)
+}
+
+func (r *reader) interfaceType() *types.Interface {
+	methods := make([]*types.Func, r.Len())
+	embeddeds := make([]types.Type, r.Len())
+	implicit := len(methods) == 0 && len(embeddeds) == 1 && r.Bool()
+
+	for i := range methods {
+		pos := r.pos()
+		pkg, name := r.selector()
+		mtyp := r.signature(nil, nil, nil)
+		methods[i] = types.NewFunc(pos, pkg, name, mtyp)
+	}
+
+	for i := range embeddeds {
+		embeddeds[i] = r.typ()
+	}
+
+	iface := types.NewInterfaceType(methods, embeddeds)
+	if implicit {
+		iface.MarkImplicit()
+	}
+
+	// We need to call iface.Complete(), but if there are any embedded
+	// defined types, then we may not have set their underlying
+	// interface type yet. So we need to defer calling Complete until
+	// after we've called SetUnderlying everywhere.
+	//
+	// TODO(mdempsky): After CL 424876 lands, it should be safe to call
+	// iface.Complete() immediately.
+	r.p.ifaces = append(r.p.ifaces, iface)
+
+	return iface
+}
+
+func (r *reader) signature(recv *types.Var, rtparams, tparams []*types.TypeParam) *types.Signature {
+	r.Sync(pkgbits.SyncSignature)
+
+	params := r.params()
+	results := r.params()
+	variadic := r.Bool()
+
+	return types.NewSignatureType(recv, rtparams, tparams, params, results, variadic)
+}
+
+func (r *reader) params() *types.Tuple {
+	r.Sync(pkgbits.SyncParams)
+
+	params := make([]*types.Var, r.Len())
+	for i := range params {
+		params[i] = r.param()
+	}
+
+	return types.NewTuple(params...)
+}
+
+func (r *reader) param() *types.Var {
+	r.Sync(pkgbits.SyncParam)
+
+	pos := r.pos()
+	pkg, name := r.localIdent()
+	typ := r.typ()
+
+	return types.NewParam(pos, pkg, name, typ)
+}
+
+// @@@ Objects
+
+func (r *reader) obj() (types.Object, []types.Type) {
+	r.Sync(pkgbits.SyncObject)
+
+	if r.Version().Has(pkgbits.DerivedFuncInstance) {
+		assert(!r.Bool())
+	}
+
+	pkg, name := r.p.objIdx(r.Reloc(pkgbits.RelocObj))
+	obj := pkgScope(pkg).Lookup(name)
+
+	targs := make([]types.Type, r.Len())
+	for i := range targs {
+		targs[i] = r.typ()
+	}
+
+	return obj, targs
+}
+
+func (pr *pkgReader) objIdx(idx pkgbits.Index) (*types.Package, string) {
+
+	var objPkg *types.Package
+	var objName string
+	var tag pkgbits.CodeObj
+	{
+		rname := pr.tempReader(pkgbits.RelocName, idx, pkgbits.SyncObject1)
+
+		objPkg, objName = rname.qualifiedIdent()
+		assert(objName != "")
+
+		tag = pkgbits.CodeObj(rname.Code(pkgbits.SyncCodeObj))
+		pr.retireReader(rname)
+	}
+
+	if tag == pkgbits.ObjStub {
+		assert(objPkg == nil || objPkg == types.Unsafe)
+		return objPkg, objName
+	}
+
+	// Ignore local types promoted to global scope (#55110).
+	if _, suffix := splitVargenSuffix(objName); suffix != "" {
+		return objPkg, objName
+	}
+
+	if objPkg.Scope().Lookup(objName) == nil {
+		dict := pr.objDictIdx(idx)
+
+		r := pr.newReader(pkgbits.RelocObj, idx, pkgbits.SyncObject1)
+		r.dict = dict
+
+		declare := func(obj types.Object) {
+			objPkg.Scope().Insert(obj)
+		}
+
+		switch tag {
+		default:
+			panic("weird")
+
+		case pkgbits.ObjAlias:
+			pos := r.pos()
+			var tparams []*types.TypeParam
+			if r.Version().Has(pkgbits.AliasTypeParamNames) {
+				tparams = r.typeParamNames()
+			}
+			typ := r.typ()
+			declare(aliases.NewAlias(r.p.aliases, pos, objPkg, objName, typ, tparams))
+
+		case pkgbits.ObjConst:
+			pos := r.pos()
+			typ := r.typ()
+			val := r.Value()
+			declare(types.NewConst(pos, objPkg, objName, typ, val))
+
+		case pkgbits.ObjFunc:
+			pos := r.pos()
+			tparams := r.typeParamNames()
+			sig := r.signature(nil, nil, tparams)
+			declare(types.NewFunc(pos, objPkg, objName, sig))
+
+		case pkgbits.ObjType:
+			pos := r.pos()
+
+			obj := types.NewTypeName(pos, objPkg, objName, nil)
+			named := types.NewNamed(obj, nil, nil)
+			declare(obj)
+
+			named.SetTypeParams(r.typeParamNames())
+
+			setUnderlying := func(underlying types.Type) {
+				// If the underlying type is an interface, we need to
+				// duplicate its methods so we can replace the receiver
+				// parameter's type (#49906).
+				if iface, ok := types.Unalias(underlying).(*types.Interface); ok && iface.NumExplicitMethods() != 0 {
+					methods := make([]*types.Func, iface.NumExplicitMethods())
+					for i := range methods {
+						fn := iface.ExplicitMethod(i)
+						sig := fn.Type().(*types.Signature)
+
+						recv := types.NewVar(fn.Pos(), fn.Pkg(), "", named)
+						typesinternal.SetVarKind(recv, typesinternal.RecvVar)
+						methods[i] = types.NewFunc(fn.Pos(), fn.Pkg(), fn.Name(), types.NewSignatureType(recv, nil, nil, sig.Params(), sig.Results(), sig.Variadic()))
+					}
+
+					embeds := make([]types.Type, iface.NumEmbeddeds())
+					for i := range embeds {
+						embeds[i] = iface.EmbeddedType(i)
+					}
+
+					newIface := types.NewInterfaceType(methods, embeds)
+					r.p.ifaces = append(r.p.ifaces, newIface)
+					underlying = newIface
+				}
+
+				named.SetUnderlying(underlying)
+			}
+
+			// Since go.dev/cl/455279, we can assume rhs.Underlying() will
+			// always be non-nil. However, to temporarily support users of
+			// older snapshot releases, we continue to fallback to the old
+			// behavior for now.
+			//
+			// TODO(mdempsky): Remove fallback code and simplify after
+			// allowing time for snapshot users to upgrade.
+			rhs := r.typ()
+			if underlying := rhs.Underlying(); underlying != nil {
+				setUnderlying(underlying)
+			} else {
+				pk := r.p
+				pk.laterFor(named, func() {
+					// First be sure that the rhs is initialized, if it needs to be initialized.
+					delete(pk.laterFors, named) // prevent cycles
+					if i, ok := pk.laterFors[rhs]; ok {
+						f := pk.laterFns[i]
+						pk.laterFns[i] = func() {} // function is running now, so replace it with a no-op
+						f()                        // initialize RHS
+					}
+					setUnderlying(rhs.Underlying())
+				})
+			}
+
+			for i, n := 0, r.Len(); i < n; i++ {
+				named.AddMethod(r.method())
+			}
+
+		case pkgbits.ObjVar:
+			pos := r.pos()
+			typ := r.typ()
+			v := types.NewVar(pos, objPkg, objName, typ)
+			typesinternal.SetVarKind(v, typesinternal.PackageVar)
+			declare(v)
+		}
+	}
+
+	return objPkg, objName
+}
+
+func (pr *pkgReader) objDictIdx(idx pkgbits.Index) *readerDict {
+
+	var dict readerDict
+
+	{
+		r := pr.tempReader(pkgbits.RelocObjDict, idx, pkgbits.SyncObject1)
+		if implicits := r.Len(); implicits != 0 {
+			errorf("unexpected object with %v implicit type parameter(s)", implicits)
+		}
+
+		dict.bounds = make([]typeInfo, r.Len())
+		for i := range dict.bounds {
+			dict.bounds[i] = r.typInfo()
+		}
+
+		dict.derived = make([]derivedInfo, r.Len())
+		dict.derivedTypes = make([]types.Type, len(dict.derived))
+		for i := range dict.derived {
+			dict.derived[i] = derivedInfo{idx: r.Reloc(pkgbits.RelocType)}
+			if r.Version().Has(pkgbits.DerivedInfoNeeded) {
+				assert(!r.Bool())
+			}
+		}
+
+		pr.retireReader(r)
+	}
+	// function references follow, but reader doesn't need those
+
+	return &dict
+}
+
+func (r *reader) typeParamNames() []*types.TypeParam {
+	r.Sync(pkgbits.SyncTypeParamNames)
+
+	// Note: This code assumes it only processes objects without
+	// implement type parameters. This is currently fine, because
+	// reader is only used to read in exported declarations, which are
+	// always package scoped.
+
+	if len(r.dict.bounds) == 0 {
+		return nil
+	}
+
+	// Careful: Type parameter lists may have cycles. To allow for this,
+	// we construct the type parameter list in two passes: first we
+	// create all the TypeNames and TypeParams, then we construct and
+	// set the bound type.
+
+	r.dict.tparams = make([]*types.TypeParam, len(r.dict.bounds))
+	for i := range r.dict.bounds {
+		pos := r.pos()
+		pkg, name := r.localIdent()
+
+		tname := types.NewTypeName(pos, pkg, name, nil)
+		r.dict.tparams[i] = types.NewTypeParam(tname, nil)
+	}
+
+	typs := make([]types.Type, len(r.dict.bounds))
+	for i, bound := range r.dict.bounds {
+		typs[i] = r.p.typIdx(bound, r.dict)
+	}
+
+	// TODO(mdempsky): This is subtle, elaborate further.
+	//
+	// We have to save tparams outside of the closure, because
+	// typeParamNames() can be called multiple times with the same
+	// dictionary instance.
+	//
+	// Also, this needs to happen later to make sure SetUnderlying has
+	// been called.
+	//
+	// TODO(mdempsky): Is it safe to have a single "later" slice or do
+	// we need to have multiple passes? See comments on CL 386002 and
+	// go.dev/issue/52104.
+	tparams := r.dict.tparams
+	r.p.later(func() {
+		for i, typ := range typs {
+			tparams[i].SetConstraint(typ)
+		}
+	})
+
+	return r.dict.tparams
+}
+
+func (r *reader) method() *types.Func {
+	r.Sync(pkgbits.SyncMethod)
+	pos := r.pos()
+	pkg, name := r.selector()
+
+	rparams := r.typeParamNames()
+	sig := r.signature(r.param(), rparams, nil)
+
+	_ = r.pos() // TODO(mdempsky): Remove; this is a hacker for linker.go.
+	return types.NewFunc(pos, pkg, name, sig)
+}
+
+func (r *reader) qualifiedIdent() (*types.Package, string) { return r.ident(pkgbits.SyncSym) }
+func (r *reader) localIdent() (*types.Package, string)     { return r.ident(pkgbits.SyncLocalIdent) }
+func (r *reader) selector() (*types.Package, string)       { return r.ident(pkgbits.SyncSelector) }
+
+func (r *reader) ident(marker pkgbits.SyncMarker) (*types.Package, string) {
+	r.Sync(marker)
+	return r.pkg(), r.String()
+}
+
+// pkgScope returns pkg.Scope().
+// If pkg is nil, it returns types.Universe instead.
+//
+// TODO(mdempsky): Remove after x/tools can depend on Go 1.19.
+func pkgScope(pkg *types.Package) *types.Scope {
+	if pkg != nil {
+		return pkg.Scope()
+	}
+	return types.Universe
+}
+
+// See cmd/compile/internal/types.SplitVargenSuffix.
+func splitVargenSuffix(name string) (base, suffix string) {
+	i := len(name)
+	for i > 0 && name[i-1] >= '0' && name[i-1] <= '9' {
+		i--
+	}
+	const dot = "·"
+	if i >= len(dot) && name[i-len(dot):i] == dot {
+		i -= len(dot)
+		return name[:i], name[i:]
+	}
+	return name, ""
+}
diff --git a/vendor/golang.org/x/tools/internal/gocommand/invoke.go b/vendor/golang.org/x/tools/internal/gocommand/invoke.go
new file mode 100644
index 0000000000..58721202de
--- /dev/null
+++ b/vendor/golang.org/x/tools/internal/gocommand/invoke.go
@@ -0,0 +1,567 @@
+// Copyright 2020 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package gocommand is a helper for calling the go command.
+package gocommand
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"log"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"regexp"
+	"runtime"
+	"strconv"
+	"strings"
+	"sync"
+	"time"
+
+	"golang.org/x/tools/internal/event"
+	"golang.org/x/tools/internal/event/keys"
+	"golang.org/x/tools/internal/event/label"
+)
+
+// A Runner will run go command invocations and serialize
+// them if it sees a concurrency error.
+type Runner struct {
+	// once guards the runner initialization.
+	once sync.Once
+
+	// inFlight tracks available workers.
+	inFlight chan struct{}
+
+	// serialized guards the ability to run a go command serially,
+	// to avoid deadlocks when claiming workers.
+	serialized chan struct{}
+}
+
+const maxInFlight = 10
+
+func (runner *Runner) initialize() {
+	runner.once.Do(func() {
+		runner.inFlight = make(chan struct{}, maxInFlight)
+		runner.serialized = make(chan struct{}, 1)
+	})
+}
+
+// 1.13: go: updates to go.mod needed, but contents have changed
+// 1.14: go: updating go.mod: existing contents have changed since last read
+var modConcurrencyError = regexp.MustCompile(`go:.*go.mod.*contents have changed`)
+
+// event keys for go command invocations
+var (
+	verb      = keys.NewString("verb", "go command verb")
+	directory = keys.NewString("directory", "")
+)
+
+func invLabels(inv Invocation) []label.Label {
+	return []label.Label{verb.Of(inv.Verb), directory.Of(inv.WorkingDir)}
+}
+
+// Run is a convenience wrapper around RunRaw.
+// It returns only stdout and a "friendly" error.
+func (runner *Runner) Run(ctx context.Context, inv Invocation) (*bytes.Buffer, error) {
+	ctx, done := event.Start(ctx, "gocommand.Runner.Run", invLabels(inv)...)
+	defer done()
+
+	stdout, _, friendly, _ := runner.RunRaw(ctx, inv)
+	return stdout, friendly
+}
+
+// RunPiped runs the invocation serially, always waiting for any concurrent
+// invocations to complete first.
+func (runner *Runner) RunPiped(ctx context.Context, inv Invocation, stdout, stderr io.Writer) error {
+	ctx, done := event.Start(ctx, "gocommand.Runner.RunPiped", invLabels(inv)...)
+	defer done()
+
+	_, err := runner.runPiped(ctx, inv, stdout, stderr)
+	return err
+}
+
+// RunRaw runs the invocation, serializing requests only if they fight over
+// go.mod changes.
+// Postcondition: both error results have same nilness.
+func (runner *Runner) RunRaw(ctx context.Context, inv Invocation) (*bytes.Buffer, *bytes.Buffer, error, error) {
+	ctx, done := event.Start(ctx, "gocommand.Runner.RunRaw", invLabels(inv)...)
+	defer done()
+	// Make sure the runner is always initialized.
+	runner.initialize()
+
+	// First, try to run the go command concurrently.
+	stdout, stderr, friendlyErr, err := runner.runConcurrent(ctx, inv)
+
+	// If we encounter a load concurrency error, we need to retry serially.
+	if friendlyErr != nil && modConcurrencyError.MatchString(friendlyErr.Error()) {
+		event.Error(ctx, "Load concurrency error, will retry serially", err)
+
+		// Run serially by calling runPiped.
+		stdout.Reset()
+		stderr.Reset()
+		friendlyErr, err = runner.runPiped(ctx, inv, stdout, stderr)
+	}
+
+	return stdout, stderr, friendlyErr, err
+}
+
+// Postcondition: both error results have same nilness.
+func (runner *Runner) runConcurrent(ctx context.Context, inv Invocation) (*bytes.Buffer, *bytes.Buffer, error, error) {
+	// Wait for 1 worker to become available.
+	select {
+	case <-ctx.Done():
+		return nil, nil, ctx.Err(), ctx.Err()
+	case runner.inFlight <- struct{}{}:
+		defer func() { <-runner.inFlight }()
+	}
+
+	stdout, stderr := &bytes.Buffer{}, &bytes.Buffer{}
+	friendlyErr, err := inv.runWithFriendlyError(ctx, stdout, stderr)
+	return stdout, stderr, friendlyErr, err
+}
+
+// Postcondition: both error results have same nilness.
+func (runner *Runner) runPiped(ctx context.Context, inv Invocation, stdout, stderr io.Writer) (error, error) {
+	// Make sure the runner is always initialized.
+	runner.initialize()
+
+	// Acquire the serialization lock. This avoids deadlocks between two
+	// runPiped commands.
+	select {
+	case <-ctx.Done():
+		return ctx.Err(), ctx.Err()
+	case runner.serialized <- struct{}{}:
+		defer func() { <-runner.serialized }()
+	}
+
+	// Wait for all in-progress go commands to return before proceeding,
+	// to avoid load concurrency errors.
+	for range maxInFlight {
+		select {
+		case <-ctx.Done():
+			return ctx.Err(), ctx.Err()
+		case runner.inFlight <- struct{}{}:
+			// Make sure we always "return" any workers we took.
+			defer func() { <-runner.inFlight }()
+		}
+	}
+
+	return inv.runWithFriendlyError(ctx, stdout, stderr)
+}
+
+// An Invocation represents a call to the go command.
+type Invocation struct {
+	Verb       string
+	Args       []string
+	BuildFlags []string
+
+	// If ModFlag is set, the go command is invoked with -mod=ModFlag.
+	// TODO(rfindley): remove, in favor of Args.
+	ModFlag string
+
+	// If ModFile is set, the go command is invoked with -modfile=ModFile.
+	// TODO(rfindley): remove, in favor of Args.
+	ModFile string
+
+	// Overlay is the name of the JSON overlay file that describes
+	// unsaved editor buffers; see [WriteOverlays].
+	// If set, the go command is invoked with -overlay=Overlay.
+	// TODO(rfindley): remove, in favor of Args.
+	Overlay string
+
+	// If CleanEnv is set, the invocation will run only with the environment
+	// in Env, not starting with os.Environ.
+	CleanEnv   bool
+	Env        []string
+	WorkingDir string
+	Logf       func(format string, args ...any)
+}
+
+// Postcondition: both error results have same nilness.
+func (i *Invocation) runWithFriendlyError(ctx context.Context, stdout, stderr io.Writer) (friendlyError error, rawError error) {
+	rawError = i.run(ctx, stdout, stderr)
+	if rawError != nil {
+		friendlyError = rawError
+		// Check for 'go' executable not being found.
+		if ee, ok := rawError.(*exec.Error); ok && ee.Err == exec.ErrNotFound {
+			friendlyError = fmt.Errorf("go command required, not found: %v", ee)
+		}
+		if ctx.Err() != nil {
+			friendlyError = ctx.Err()
+		}
+		friendlyError = fmt.Errorf("err: %v: stderr: %s", friendlyError, stderr)
+	}
+	return
+}
+
+// logf logs if i.Logf is non-nil.
+func (i *Invocation) logf(format string, args ...any) {
+	if i.Logf != nil {
+		i.Logf(format, args...)
+	}
+}
+
+func (i *Invocation) run(ctx context.Context, stdout, stderr io.Writer) error {
+	goArgs := []string{i.Verb}
+
+	appendModFile := func() {
+		if i.ModFile != "" {
+			goArgs = append(goArgs, "-modfile="+i.ModFile)
+		}
+	}
+	appendModFlag := func() {
+		if i.ModFlag != "" {
+			goArgs = append(goArgs, "-mod="+i.ModFlag)
+		}
+	}
+	appendOverlayFlag := func() {
+		if i.Overlay != "" {
+			goArgs = append(goArgs, "-overlay="+i.Overlay)
+		}
+	}
+
+	switch i.Verb {
+	case "env", "version":
+		goArgs = append(goArgs, i.Args...)
+	case "mod":
+		// mod needs the sub-verb before flags.
+		goArgs = append(goArgs, i.Args[0])
+		appendModFile()
+		goArgs = append(goArgs, i.Args[1:]...)
+	case "get":
+		goArgs = append(goArgs, i.BuildFlags...)
+		appendModFile()
+		goArgs = append(goArgs, i.Args...)
+
+	default: // notably list and build.
+		goArgs = append(goArgs, i.BuildFlags...)
+		appendModFile()
+		appendModFlag()
+		appendOverlayFlag()
+		goArgs = append(goArgs, i.Args...)
+	}
+	cmd := exec.Command("go", goArgs...)
+	cmd.Stdout = stdout
+	cmd.Stderr = stderr
+
+	// https://go.dev/issue/59541: don't wait forever copying stderr
+	// after the command has exited.
+	// After CL 484741 we copy stdout manually, so we we'll stop reading that as
+	// soon as ctx is done. However, we also don't want to wait around forever
+	// for stderr. Give a much-longer-than-reasonable delay and then assume that
+	// something has wedged in the kernel or runtime.
+	cmd.WaitDelay = 30 * time.Second
+
+	// The cwd gets resolved to the real path. On Darwin, where
+	// /tmp is a symlink, this breaks anything that expects the
+	// working directory to keep the original path, including the
+	// go command when dealing with modules.
+	//
+	// os.Getwd has a special feature where if the cwd and the PWD
+	// are the same node then it trusts the PWD, so by setting it
+	// in the env for the child process we fix up all the paths
+	// returned by the go command.
+	if !i.CleanEnv {
+		cmd.Env = os.Environ()
+	}
+	cmd.Env = append(cmd.Env, i.Env...)
+	if i.WorkingDir != "" {
+		cmd.Env = append(cmd.Env, "PWD="+i.WorkingDir)
+		cmd.Dir = i.WorkingDir
+	}
+
+	debugStr := cmdDebugStr(cmd)
+	i.logf("starting %v", debugStr)
+	start := time.Now()
+	defer func() {
+		i.logf("%s for %v", time.Since(start), debugStr)
+	}()
+
+	return runCmdContext(ctx, cmd)
+}
+
+// DebugHangingGoCommands may be set by tests to enable additional
+// instrumentation (including panics) for debugging hanging Go commands.
+//
+// See golang/go#54461 for details.
+var DebugHangingGoCommands = false
+
+// runCmdContext is like exec.CommandContext except it sends os.Interrupt
+// before os.Kill.
+func runCmdContext(ctx context.Context, cmd *exec.Cmd) (err error) {
+	// If cmd.Stdout is not an *os.File, the exec package will create a pipe and
+	// copy it to the Writer in a goroutine until the process has finished and
+	// either the pipe reaches EOF or command's WaitDelay expires.
+	//
+	// However, the output from 'go list' can be quite large, and we don't want to
+	// keep reading (and allocating buffers) if we've already decided we don't
+	// care about the output. We don't want to wait for the process to finish, and
+	// we don't wait to wait for the WaitDelay to expire either.
+	//
+	// Instead, if cmd.Stdout requires a copying goroutine we explicitly replace
+	// it with a pipe (which is an *os.File), which we can close in order to stop
+	// copying output as soon as we realize we don't care about it.
+	var stdoutW *os.File
+	if cmd.Stdout != nil {
+		if _, ok := cmd.Stdout.(*os.File); !ok {
+			var stdoutR *os.File
+			stdoutR, stdoutW, err = os.Pipe()
+			if err != nil {
+				return err
+			}
+			prevStdout := cmd.Stdout
+			cmd.Stdout = stdoutW
+
+			stdoutErr := make(chan error, 1)
+			go func() {
+				_, err := io.Copy(prevStdout, stdoutR)
+				if err != nil {
+					err = fmt.Errorf("copying stdout: %w", err)
+				}
+				stdoutErr <- err
+			}()
+			defer func() {
+				// We started a goroutine to copy a stdout pipe.
+				// Wait for it to finish, or terminate it if need be.
+				var err2 error
+				select {
+				case err2 = <-stdoutErr:
+					stdoutR.Close()
+				case <-ctx.Done():
+					stdoutR.Close()
+					// Per https://pkg.go.dev/os#File.Close, the call to stdoutR.Close
+					// should cause the Read call in io.Copy to unblock and return
+					// immediately, but we still need to receive from stdoutErr to confirm
+					// that it has happened.
+					<-stdoutErr
+					err2 = ctx.Err()
+				}
+				if err == nil {
+					err = err2
+				}
+			}()
+
+			// Per https://pkg.go.dev/os/exec#Cmd, “If Stdout and Stderr are the
+			// same writer, and have a type that can be compared with ==, at most
+			// one goroutine at a time will call Write.”
+			//
+			// Since we're starting a goroutine that writes to cmd.Stdout, we must
+			// also update cmd.Stderr so that it still holds.
+			func() {
+				defer func() { recover() }()
+				if cmd.Stderr == prevStdout {
+					cmd.Stderr = cmd.Stdout
+				}
+			}()
+		}
+	}
+
+	startTime := time.Now()
+	err = cmd.Start()
+	if stdoutW != nil {
+		// The child process has inherited the pipe file,
+		// so close the copy held in this process.
+		stdoutW.Close()
+		stdoutW = nil
+	}
+	if err != nil {
+		return err
+	}
+
+	resChan := make(chan error, 1)
+	go func() {
+		resChan <- cmd.Wait()
+	}()
+
+	// If we're interested in debugging hanging Go commands, stop waiting after a
+	// minute and panic with interesting information.
+	debug := DebugHangingGoCommands
+	if debug {
+		timer := time.NewTimer(1 * time.Minute)
+		defer timer.Stop()
+		select {
+		case err := <-resChan:
+			return err
+		case <-timer.C:
+			// HandleHangingGoCommand terminates this process.
+			// Pass off resChan in case we can collect the command error.
+			handleHangingGoCommand(startTime, cmd, resChan)
+		case <-ctx.Done():
+		}
+	} else {
+		select {
+		case err := <-resChan:
+			return err
+		case <-ctx.Done():
+		}
+	}
+
+	// Cancelled. Interrupt and see if it ends voluntarily.
+	if err := cmd.Process.Signal(os.Interrupt); err == nil {
+		// (We used to wait only 1s but this proved
+		// fragile on loaded builder machines.)
+		timer := time.NewTimer(5 * time.Second)
+		defer timer.Stop()
+		select {
+		case err := <-resChan:
+			return err
+		case <-timer.C:
+		}
+	}
+
+	// Didn't shut down in response to interrupt. Kill it hard.
+	if err := cmd.Process.Kill(); err != nil && !errors.Is(err, os.ErrProcessDone) && debug {
+		log.Printf("error killing the Go command: %v", err)
+	}
+
+	return <-resChan
+}
+
+// handleHangingGoCommand outputs debugging information to help diagnose the
+// cause of a hanging Go command, and then exits with log.Fatalf.
+func handleHangingGoCommand(start time.Time, cmd *exec.Cmd, resChan chan error) {
+	switch runtime.GOOS {
+	case "linux", "darwin", "freebsd", "netbsd", "openbsd":
+		fmt.Fprintln(os.Stderr, `DETECTED A HANGING GO COMMAND
+
+			The gopls test runner has detected a hanging go command. In order to debug
+			this, the output of ps and lsof/fstat is printed below.
+
+			See golang/go#54461 for more details.`)
+
+		fmt.Fprintln(os.Stderr, "\nps axo ppid,pid,command:")
+		fmt.Fprintln(os.Stderr, "-------------------------")
+		psCmd := exec.Command("ps", "axo", "ppid,pid,command")
+		psCmd.Stdout = os.Stderr
+		psCmd.Stderr = os.Stderr
+		if err := psCmd.Run(); err != nil {
+			log.Printf("Handling hanging Go command: running ps: %v", err)
+		}
+
+		listFiles := "lsof"
+		if runtime.GOOS == "freebsd" || runtime.GOOS == "netbsd" {
+			listFiles = "fstat"
+		}
+
+		fmt.Fprintln(os.Stderr, "\n"+listFiles+":")
+		fmt.Fprintln(os.Stderr, "-----")
+		listFilesCmd := exec.Command(listFiles)
+		listFilesCmd.Stdout = os.Stderr
+		listFilesCmd.Stderr = os.Stderr
+		if err := listFilesCmd.Run(); err != nil {
+			log.Printf("Handling hanging Go command: running %s: %v", listFiles, err)
+		}
+		// Try to extract information about the slow go process by issuing a SIGQUIT.
+		if err := cmd.Process.Signal(sigStuckProcess); err == nil {
+			select {
+			case err := <-resChan:
+				stderr := "not a bytes.Buffer"
+				if buf, _ := cmd.Stderr.(*bytes.Buffer); buf != nil {
+					stderr = buf.String()
+				}
+				log.Printf("Quit hanging go command:\n\terr:%v\n\tstderr:\n%v\n\n", err, stderr)
+			case <-time.After(5 * time.Second):
+			}
+		} else {
+			log.Printf("Sending signal %d to hanging go command: %v", sigStuckProcess, err)
+		}
+	}
+	log.Fatalf("detected hanging go command (golang/go#54461); waited %s\n\tcommand:%s\n\tpid:%d", time.Since(start), cmd, cmd.Process.Pid)
+}
+
+func cmdDebugStr(cmd *exec.Cmd) string {
+	env := make(map[string]string)
+	for _, kv := range cmd.Env {
+		split := strings.SplitN(kv, "=", 2)
+		if len(split) == 2 {
+			k, v := split[0], split[1]
+			env[k] = v
+		}
+	}
+
+	var args []string
+	for _, arg := range cmd.Args {
+		quoted := strconv.Quote(arg)
+		if quoted[1:len(quoted)-1] != arg || strings.Contains(arg, " ") {
+			args = append(args, quoted)
+		} else {
+			args = append(args, arg)
+		}
+	}
+	return fmt.Sprintf("GOROOT=%v GOPATH=%v GO111MODULE=%v GOPROXY=%v PWD=%v %v", env["GOROOT"], env["GOPATH"], env["GO111MODULE"], env["GOPROXY"], env["PWD"], strings.Join(args, " "))
+}
+
+// WriteOverlays writes each value in the overlay (see the Overlay
+// field of go/packages.Config) to a temporary file and returns the name
+// of a JSON file describing the mapping that is suitable for the "go
+// list -overlay" flag.
+//
+// On success, the caller must call the cleanup function exactly once
+// when the files are no longer needed.
+func WriteOverlays(overlay map[string][]byte) (filename string, cleanup func(), err error) {
+	// Do nothing if there are no overlays in the config.
+	if len(overlay) == 0 {
+		return "", func() {}, nil
+	}
+
+	dir, err := os.MkdirTemp("", "gocommand-*")
+	if err != nil {
+		return "", nil, err
+	}
+
+	// The caller must clean up this directory,
+	// unless this function returns an error.
+	// (The cleanup operand of each return
+	// statement below is ignored.)
+	defer func() {
+		cleanup = func() {
+			os.RemoveAll(dir)
+		}
+		if err != nil {
+			cleanup()
+			cleanup = nil
+		}
+	}()
+
+	// Write each map entry to a temporary file.
+	overlays := make(map[string]string)
+	for k, v := range overlay {
+		// Use a unique basename for each file (001-foo.go),
+		// to avoid creating nested directories.
+		base := fmt.Sprintf("%d-%s", 1+len(overlays), filepath.Base(k))
+		filename := filepath.Join(dir, base)
+		err := os.WriteFile(filename, v, 0666)
+		if err != nil {
+			return "", nil, err
+		}
+		overlays[k] = filename
+	}
+
+	// Write the JSON overlay file that maps logical file names to temp files.
+	//
+	// OverlayJSON is the format overlay files are expected to be in.
+	// The Replace map maps from overlaid paths to replacement paths:
+	// the Go command will forward all reads trying to open
+	// each overlaid path to its replacement path, or consider the overlaid
+	// path not to exist if the replacement path is empty.
+	//
+	// From golang/go#39958.
+	type OverlayJSON struct {
+		Replace map[string]string `json:"replace,omitempty"`
+	}
+	b, err := json.Marshal(OverlayJSON{Replace: overlays})
+	if err != nil {
+		return "", nil, err
+	}
+	filename = filepath.Join(dir, "overlay.json")
+	if err := os.WriteFile(filename, b, 0666); err != nil {
+		return "", nil, err
+	}
+
+	return filename, nil, nil
+}
diff --git a/vendor/golang.org/x/tools/internal/gocommand/invoke_notunix.go b/vendor/golang.org/x/tools/internal/gocommand/invoke_notunix.go
new file mode 100644
index 0000000000..469c648e4d
--- /dev/null
+++ b/vendor/golang.org/x/tools/internal/gocommand/invoke_notunix.go
@@ -0,0 +1,13 @@
+// Copyright 2025 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build !unix
+
+package gocommand
+
+import "os"
+
+// sigStuckProcess is the signal to send to kill a hanging subprocess.
+// On Unix we send SIGQUIT, but on non-Unix we only have os.Kill.
+var sigStuckProcess = os.Kill
diff --git a/vendor/golang.org/x/tools/internal/gocommand/invoke_unix.go b/vendor/golang.org/x/tools/internal/gocommand/invoke_unix.go
new file mode 100644
index 0000000000..169d37c8e9
--- /dev/null
+++ b/vendor/golang.org/x/tools/internal/gocommand/invoke_unix.go
@@ -0,0 +1,13 @@
+// Copyright 2025 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build unix
+
+package gocommand
+
+import "syscall"
+
+// Sigstuckprocess is the signal to send to kill a hanging subprocess.
+// Send SIGQUIT to get a stack trace.
+var sigStuckProcess = syscall.SIGQUIT
diff --git a/vendor/golang.org/x/tools/internal/gocommand/vendor.go b/vendor/golang.org/x/tools/internal/gocommand/vendor.go
new file mode 100644
index 0000000000..e38d1fb488
--- /dev/null
+++ b/vendor/golang.org/x/tools/internal/gocommand/vendor.go
@@ -0,0 +1,163 @@
+// Copyright 2020 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package gocommand
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"os"
+	"path/filepath"
+	"regexp"
+	"strings"
+	"time"
+
+	"golang.org/x/mod/semver"
+)
+
+// ModuleJSON holds information about a module.
+type ModuleJSON struct {
+	Path      string      // module path
+	Version   string      // module version
+	Versions  []string    // available module versions (with -versions)
+	Replace   *ModuleJSON // replaced by this module
+	Time      *time.Time  // time version was created
+	Update    *ModuleJSON // available update, if any (with -u)
+	Main      bool        // is this the main module?
+	Indirect  bool        // is this module only an indirect dependency of main module?
+	Dir       string      // directory holding files for this module, if any
+	GoMod     string      // path to go.mod file used when loading this module, if any
+	GoVersion string      // go version used in module
+}
+
+var modFlagRegexp = regexp.MustCompile(`-mod[ =](\w+)`)
+
+// VendorEnabled reports whether vendoring is enabled. It takes a *Runner to execute Go commands
+// with the supplied context.Context and Invocation. The Invocation can contain pre-defined fields,
+// of which only Verb and Args are modified to run the appropriate Go command.
+// Inspired by setDefaultBuildMod in modload/init.go
+func VendorEnabled(ctx context.Context, inv Invocation, r *Runner) (bool, *ModuleJSON, error) {
+	mainMod, go114, err := getMainModuleAnd114(ctx, inv, r)
+	if err != nil {
+		return false, nil, err
+	}
+
+	// We check the GOFLAGS to see if there is anything overridden or not.
+	inv.Verb = "env"
+	inv.Args = []string{"GOFLAGS"}
+	stdout, err := r.Run(ctx, inv)
+	if err != nil {
+		return false, nil, err
+	}
+	goflags := string(bytes.TrimSpace(stdout.Bytes()))
+	matches := modFlagRegexp.FindStringSubmatch(goflags)
+	var modFlag string
+	if len(matches) != 0 {
+		modFlag = matches[1]
+	}
+	// Don't override an explicit '-mod=' argument.
+	if modFlag == "vendor" {
+		return true, mainMod, nil
+	} else if modFlag != "" {
+		return false, nil, nil
+	}
+	if mainMod == nil || !go114 {
+		return false, nil, nil
+	}
+	// Check 1.14's automatic vendor mode.
+	if fi, err := os.Stat(filepath.Join(mainMod.Dir, "vendor")); err == nil && fi.IsDir() {
+		if mainMod.GoVersion != "" && semver.Compare("v"+mainMod.GoVersion, "v1.14") >= 0 {
+			// The Go version is at least 1.14, and a vendor directory exists.
+			// Set -mod=vendor by default.
+			return true, mainMod, nil
+		}
+	}
+	return false, nil, nil
+}
+
+// getMainModuleAnd114 gets one of the main modules' information and whether the
+// go command in use is 1.14+. This is the information needed to figure out
+// if vendoring should be enabled.
+func getMainModuleAnd114(ctx context.Context, inv Invocation, r *Runner) (*ModuleJSON, bool, error) {
+	const format = `{{.Path}}
+{{.Dir}}
+{{.GoMod}}
+{{.GoVersion}}
+{{range context.ReleaseTags}}{{if eq . "go1.14"}}{{.}}{{end}}{{end}}
+`
+	inv.Verb = "list"
+	inv.Args = []string{"-m", "-f", format}
+	stdout, err := r.Run(ctx, inv)
+	if err != nil {
+		return nil, false, err
+	}
+
+	lines := strings.Split(stdout.String(), "\n")
+	if len(lines) < 5 {
+		return nil, false, fmt.Errorf("unexpected stdout: %q", stdout.String())
+	}
+	mod := &ModuleJSON{
+		Path:      lines[0],
+		Dir:       lines[1],
+		GoMod:     lines[2],
+		GoVersion: lines[3],
+		Main:      true,
+	}
+	return mod, lines[4] == "go1.14", nil
+}
+
+// WorkspaceVendorEnabled reports whether workspace vendoring is enabled. It takes a *Runner to execute Go commands
+// with the supplied context.Context and Invocation. The Invocation can contain pre-defined fields,
+// of which only Verb and Args are modified to run the appropriate Go command.
+// Inspired by setDefaultBuildMod in modload/init.go
+func WorkspaceVendorEnabled(ctx context.Context, inv Invocation, r *Runner) (bool, []*ModuleJSON, error) {
+	inv.Verb = "env"
+	inv.Args = []string{"GOWORK"}
+	stdout, err := r.Run(ctx, inv)
+	if err != nil {
+		return false, nil, err
+	}
+	goWork := string(bytes.TrimSpace(stdout.Bytes()))
+	if fi, err := os.Stat(filepath.Join(filepath.Dir(goWork), "vendor")); err == nil && fi.IsDir() {
+		mainMods, err := getWorkspaceMainModules(ctx, inv, r)
+		if err != nil {
+			return false, nil, err
+		}
+		return true, mainMods, nil
+	}
+	return false, nil, nil
+}
+
+// getWorkspaceMainModules gets the main modules' information.
+// This is the information needed to figure out if vendoring should be enabled.
+func getWorkspaceMainModules(ctx context.Context, inv Invocation, r *Runner) ([]*ModuleJSON, error) {
+	const format = `{{.Path}}
+{{.Dir}}
+{{.GoMod}}
+{{.GoVersion}}
+`
+	inv.Verb = "list"
+	inv.Args = []string{"-m", "-f", format}
+	stdout, err := r.Run(ctx, inv)
+	if err != nil {
+		return nil, err
+	}
+
+	lines := strings.Split(strings.TrimSuffix(stdout.String(), "\n"), "\n")
+	if len(lines) < 4 {
+		return nil, fmt.Errorf("unexpected stdout: %q", stdout.String())
+	}
+	mods := make([]*ModuleJSON, 0, len(lines)/4)
+	for i := 0; i < len(lines); i += 4 {
+		mods = append(mods, &ModuleJSON{
+			Path:      lines[i],
+			Dir:       lines[i+1],
+			GoMod:     lines[i+2],
+			GoVersion: lines[i+3],
+			Main:      true,
+		})
+	}
+	return mods, nil
+}
diff --git a/vendor/golang.org/x/tools/internal/gocommand/version.go b/vendor/golang.org/x/tools/internal/gocommand/version.go
new file mode 100644
index 0000000000..446c5846a6
--- /dev/null
+++ b/vendor/golang.org/x/tools/internal/gocommand/version.go
@@ -0,0 +1,71 @@
+// Copyright 2020 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package gocommand
+
+import (
+	"context"
+	"fmt"
+	"regexp"
+	"strings"
+)
+
+// GoVersion reports the minor version number of the highest release
+// tag built into the go command on the PATH.
+//
+// Note that this may be higher than the version of the go tool used
+// to build this application, and thus the versions of the standard
+// go/{scanner,parser,ast,types} packages that are linked into it.
+// In that case, callers should either downgrade to the version of
+// go used to build the application, or report an error that the
+// application is too old to use the go command on the PATH.
+func GoVersion(ctx context.Context, inv Invocation, r *Runner) (int, error) {
+	inv.Verb = "list"
+	inv.Args = []string{"-e", "-f", `{{context.ReleaseTags}}`, `--`, `unsafe`}
+	inv.BuildFlags = nil // This is not a build command.
+	inv.ModFlag = ""
+	inv.ModFile = ""
+	inv.Env = append(inv.Env[:len(inv.Env):len(inv.Env)], "GO111MODULE=off")
+
+	stdoutBytes, err := r.Run(ctx, inv)
+	if err != nil {
+		return 0, err
+	}
+	stdout := stdoutBytes.String()
+	if len(stdout) < 3 {
+		return 0, fmt.Errorf("bad ReleaseTags output: %q", stdout)
+	}
+	// Split up "[go1.1 go1.15]" and return highest go1.X value.
+	tags := strings.Fields(stdout[1 : len(stdout)-2])
+	for i := len(tags) - 1; i >= 0; i-- {
+		var version int
+		if _, err := fmt.Sscanf(tags[i], "go1.%d", &version); err != nil {
+			continue
+		}
+		return version, nil
+	}
+	return 0, fmt.Errorf("no parseable ReleaseTags in %v", tags)
+}
+
+// GoVersionOutput returns the complete output of the go version command.
+func GoVersionOutput(ctx context.Context, inv Invocation, r *Runner) (string, error) {
+	inv.Verb = "version"
+	goVersion, err := r.Run(ctx, inv)
+	if err != nil {
+		return "", err
+	}
+	return goVersion.String(), nil
+}
+
+// ParseGoVersionOutput extracts the Go version string
+// from the output of the "go version" command.
+// Given an unrecognized form, it returns an empty string.
+func ParseGoVersionOutput(data string) string {
+	re := regexp.MustCompile(`^go version (go\S+|devel \S+)`)
+	m := re.FindStringSubmatch(data)
+	if len(m) != 2 {
+		return "" // unrecognized version
+	}
+	return m[1]
+}
diff --git a/vendor/golang.org/x/tools/internal/packagesinternal/packages.go b/vendor/golang.org/x/tools/internal/packagesinternal/packages.go
new file mode 100644
index 0000000000..929b470beb
--- /dev/null
+++ b/vendor/golang.org/x/tools/internal/packagesinternal/packages.go
@@ -0,0 +1,23 @@
+// Copyright 2020 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package packagesinternal exposes internal-only fields from go/packages.
+package packagesinternal
+
+import "fmt"
+
+var GetDepsErrors = func(p any) []*PackageError { return nil }
+
+type PackageError struct {
+	ImportStack []string // shortest path from package named on command line to this one
+	Pos         string   // position of error (if present, file:line:col)
+	Err         string   // the error itself
+}
+
+func (err PackageError) String() string {
+	return fmt.Sprintf("%s: %s (import stack: %s)", err.Pos, err.Err, err.ImportStack)
+}
+
+var TypecheckCgo int
+var DepsErrors int // must be set as a LoadMode to call GetDepsErrors
diff --git a/vendor/golang.org/x/tools/internal/pkgbits/codes.go b/vendor/golang.org/x/tools/internal/pkgbits/codes.go
new file mode 100644
index 0000000000..f0cabde96e
--- /dev/null
+++ b/vendor/golang.org/x/tools/internal/pkgbits/codes.go
@@ -0,0 +1,77 @@
+// Copyright 2021 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package pkgbits
+
+// A Code is an enum value that can be encoded into bitstreams.
+//
+// Code types are preferable for enum types, because they allow
+// Decoder to detect desyncs.
+type Code interface {
+	// Marker returns the SyncMarker for the Code's dynamic type.
+	Marker() SyncMarker
+
+	// Value returns the Code's ordinal value.
+	Value() int
+}
+
+// A CodeVal distinguishes among go/constant.Value encodings.
+type CodeVal int
+
+func (c CodeVal) Marker() SyncMarker { return SyncVal }
+func (c CodeVal) Value() int         { return int(c) }
+
+// Note: These values are public and cannot be changed without
+// updating the go/types importers.
+
+const (
+	ValBool CodeVal = iota
+	ValString
+	ValInt64
+	ValBigInt
+	ValBigRat
+	ValBigFloat
+)
+
+// A CodeType distinguishes among go/types.Type encodings.
+type CodeType int
+
+func (c CodeType) Marker() SyncMarker { return SyncType }
+func (c CodeType) Value() int         { return int(c) }
+
+// Note: These values are public and cannot be changed without
+// updating the go/types importers.
+
+const (
+	TypeBasic CodeType = iota
+	TypeNamed
+	TypePointer
+	TypeSlice
+	TypeArray
+	TypeChan
+	TypeMap
+	TypeSignature
+	TypeStruct
+	TypeInterface
+	TypeUnion
+	TypeTypeParam
+)
+
+// A CodeObj distinguishes among go/types.Object encodings.
+type CodeObj int
+
+func (c CodeObj) Marker() SyncMarker { return SyncCodeObj }
+func (c CodeObj) Value() int         { return int(c) }
+
+// Note: These values are public and cannot be changed without
+// updating the go/types importers.
+
+const (
+	ObjAlias CodeObj = iota
+	ObjConst
+	ObjType
+	ObjFunc
+	ObjVar
+	ObjStub
+)
diff --git a/vendor/golang.org/x/tools/internal/pkgbits/decoder.go b/vendor/golang.org/x/tools/internal/pkgbits/decoder.go
new file mode 100644
index 0000000000..c0aba26c48
--- /dev/null
+++ b/vendor/golang.org/x/tools/internal/pkgbits/decoder.go
@@ -0,0 +1,519 @@
+// Copyright 2021 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package pkgbits
+
+import (
+	"encoding/binary"
+	"errors"
+	"fmt"
+	"go/constant"
+	"go/token"
+	"io"
+	"math/big"
+	"os"
+	"runtime"
+	"strings"
+)
+
+// A PkgDecoder provides methods for decoding a package's Unified IR
+// export data.
+type PkgDecoder struct {
+	// version is the file format version.
+	version Version
+
+	// sync indicates whether the file uses sync markers.
+	sync bool
+
+	// pkgPath is the package path for the package to be decoded.
+	//
+	// TODO(mdempsky): Remove; unneeded since CL 391014.
+	pkgPath string
+
+	// elemData is the full data payload of the encoded package.
+	// Elements are densely and contiguously packed together.
+	//
+	// The last 8 bytes of elemData are the package fingerprint.
+	elemData string
+
+	// elemEnds stores the byte-offset end positions of element
+	// bitstreams within elemData.
+	//
+	// For example, element I's bitstream data starts at elemEnds[I-1]
+	// (or 0, if I==0) and ends at elemEnds[I].
+	//
+	// Note: elemEnds is indexed by absolute indices, not
+	// section-relative indices.
+	elemEnds []uint32
+
+	// elemEndsEnds stores the index-offset end positions of relocation
+	// sections within elemEnds.
+	//
+	// For example, section K's end positions start at elemEndsEnds[K-1]
+	// (or 0, if K==0) and end at elemEndsEnds[K].
+	elemEndsEnds [numRelocs]uint32
+
+	scratchRelocEnt []RelocEnt
+}
+
+// PkgPath returns the package path for the package
+//
+// TODO(mdempsky): Remove; unneeded since CL 391014.
+func (pr *PkgDecoder) PkgPath() string { return pr.pkgPath }
+
+// SyncMarkers reports whether pr uses sync markers.
+func (pr *PkgDecoder) SyncMarkers() bool { return pr.sync }
+
+// NewPkgDecoder returns a PkgDecoder initialized to read the Unified
+// IR export data from input. pkgPath is the package path for the
+// compilation unit that produced the export data.
+func NewPkgDecoder(pkgPath, input string) PkgDecoder {
+	pr := PkgDecoder{
+		pkgPath: pkgPath,
+	}
+
+	// TODO(mdempsky): Implement direct indexing of input string to
+	// avoid copying the position information.
+
+	r := strings.NewReader(input)
+
+	var ver uint32
+	assert(binary.Read(r, binary.LittleEndian, &ver) == nil)
+	pr.version = Version(ver)
+
+	if pr.version >= numVersions {
+		panic(fmt.Errorf("cannot decode %q, export data version %d is greater than maximum supported version %d", pkgPath, pr.version, numVersions-1))
+	}
+
+	if pr.version.Has(Flags) {
+		var flags uint32
+		assert(binary.Read(r, binary.LittleEndian, &flags) == nil)
+		pr.sync = flags&flagSyncMarkers != 0
+	}
+
+	assert(binary.Read(r, binary.LittleEndian, pr.elemEndsEnds[:]) == nil)
+
+	pr.elemEnds = make([]uint32, pr.elemEndsEnds[len(pr.elemEndsEnds)-1])
+	assert(binary.Read(r, binary.LittleEndian, pr.elemEnds[:]) == nil)
+
+	pos, err := r.Seek(0, io.SeekCurrent)
+	assert(err == nil)
+
+	pr.elemData = input[pos:]
+
+	const fingerprintSize = 8
+	assert(len(pr.elemData)-fingerprintSize == int(pr.elemEnds[len(pr.elemEnds)-1]))
+
+	return pr
+}
+
+// NumElems returns the number of elements in section k.
+func (pr *PkgDecoder) NumElems(k RelocKind) int {
+	count := int(pr.elemEndsEnds[k])
+	if k > 0 {
+		count -= int(pr.elemEndsEnds[k-1])
+	}
+	return count
+}
+
+// TotalElems returns the total number of elements across all sections.
+func (pr *PkgDecoder) TotalElems() int {
+	return len(pr.elemEnds)
+}
+
+// Fingerprint returns the package fingerprint.
+func (pr *PkgDecoder) Fingerprint() [8]byte {
+	var fp [8]byte
+	copy(fp[:], pr.elemData[len(pr.elemData)-8:])
+	return fp
+}
+
+// AbsIdx returns the absolute index for the given (section, index)
+// pair.
+func (pr *PkgDecoder) AbsIdx(k RelocKind, idx Index) int {
+	absIdx := int(idx)
+	if k > 0 {
+		absIdx += int(pr.elemEndsEnds[k-1])
+	}
+	if absIdx >= int(pr.elemEndsEnds[k]) {
+		panicf("%v:%v is out of bounds; %v", k, idx, pr.elemEndsEnds)
+	}
+	return absIdx
+}
+
+// DataIdx returns the raw element bitstream for the given (section,
+// index) pair.
+func (pr *PkgDecoder) DataIdx(k RelocKind, idx Index) string {
+	absIdx := pr.AbsIdx(k, idx)
+
+	var start uint32
+	if absIdx > 0 {
+		start = pr.elemEnds[absIdx-1]
+	}
+	end := pr.elemEnds[absIdx]
+
+	return pr.elemData[start:end]
+}
+
+// StringIdx returns the string value for the given string index.
+func (pr *PkgDecoder) StringIdx(idx Index) string {
+	return pr.DataIdx(RelocString, idx)
+}
+
+// NewDecoder returns a Decoder for the given (section, index) pair,
+// and decodes the given SyncMarker from the element bitstream.
+func (pr *PkgDecoder) NewDecoder(k RelocKind, idx Index, marker SyncMarker) Decoder {
+	r := pr.NewDecoderRaw(k, idx)
+	r.Sync(marker)
+	return r
+}
+
+// TempDecoder returns a Decoder for the given (section, index) pair,
+// and decodes the given SyncMarker from the element bitstream.
+// If possible the Decoder should be RetireDecoder'd when it is no longer
+// needed, this will avoid heap allocations.
+func (pr *PkgDecoder) TempDecoder(k RelocKind, idx Index, marker SyncMarker) Decoder {
+	r := pr.TempDecoderRaw(k, idx)
+	r.Sync(marker)
+	return r
+}
+
+func (pr *PkgDecoder) RetireDecoder(d *Decoder) {
+	pr.scratchRelocEnt = d.Relocs
+	d.Relocs = nil
+}
+
+// NewDecoderRaw returns a Decoder for the given (section, index) pair.
+//
+// Most callers should use NewDecoder instead.
+func (pr *PkgDecoder) NewDecoderRaw(k RelocKind, idx Index) Decoder {
+	r := Decoder{
+		common: pr,
+		k:      k,
+		Idx:    idx,
+	}
+
+	r.Data.Reset(pr.DataIdx(k, idx))
+	r.Sync(SyncRelocs)
+	r.Relocs = make([]RelocEnt, r.Len())
+	for i := range r.Relocs {
+		r.Sync(SyncReloc)
+		r.Relocs[i] = RelocEnt{RelocKind(r.Len()), Index(r.Len())}
+	}
+
+	return r
+}
+
+func (pr *PkgDecoder) TempDecoderRaw(k RelocKind, idx Index) Decoder {
+	r := Decoder{
+		common: pr,
+		k:      k,
+		Idx:    idx,
+	}
+
+	r.Data.Reset(pr.DataIdx(k, idx))
+	r.Sync(SyncRelocs)
+	l := r.Len()
+	if cap(pr.scratchRelocEnt) >= l {
+		r.Relocs = pr.scratchRelocEnt[:l]
+		pr.scratchRelocEnt = nil
+	} else {
+		r.Relocs = make([]RelocEnt, l)
+	}
+	for i := range r.Relocs {
+		r.Sync(SyncReloc)
+		r.Relocs[i] = RelocEnt{RelocKind(r.Len()), Index(r.Len())}
+	}
+
+	return r
+}
+
+// A Decoder provides methods for decoding an individual element's
+// bitstream data.
+type Decoder struct {
+	common *PkgDecoder
+
+	Relocs []RelocEnt
+	Data   strings.Reader
+
+	k   RelocKind
+	Idx Index
+}
+
+func (r *Decoder) checkErr(err error) {
+	if err != nil {
+		panicf("unexpected decoding error: %w", err)
+	}
+}
+
+func (r *Decoder) rawUvarint() uint64 {
+	x, err := readUvarint(&r.Data)
+	r.checkErr(err)
+	return x
+}
+
+// readUvarint is a type-specialized copy of encoding/binary.ReadUvarint.
+// This avoids the interface conversion and thus has better escape properties,
+// which flows up the stack.
+func readUvarint(r *strings.Reader) (uint64, error) {
+	var x uint64
+	var s uint
+	for i := range binary.MaxVarintLen64 {
+		b, err := r.ReadByte()
+		if err != nil {
+			if i > 0 && err == io.EOF {
+				err = io.ErrUnexpectedEOF
+			}
+			return x, err
+		}
+		if b < 0x80 {
+			if i == binary.MaxVarintLen64-1 && b > 1 {
+				return x, overflow
+			}
+			return x | uint64(b)<> 1)
+	if ux&1 != 0 {
+		x = ^x
+	}
+	return x
+}
+
+func (r *Decoder) rawReloc(k RelocKind, idx int) Index {
+	e := r.Relocs[idx]
+	assert(e.Kind == k)
+	return e.Idx
+}
+
+// Sync decodes a sync marker from the element bitstream and asserts
+// that it matches the expected marker.
+//
+// If r.common.sync is false, then Sync is a no-op.
+func (r *Decoder) Sync(mWant SyncMarker) {
+	if !r.common.sync {
+		return
+	}
+
+	pos, _ := r.Data.Seek(0, io.SeekCurrent)
+	mHave := SyncMarker(r.rawUvarint())
+	writerPCs := make([]int, r.rawUvarint())
+	for i := range writerPCs {
+		writerPCs[i] = int(r.rawUvarint())
+	}
+
+	if mHave == mWant {
+		return
+	}
+
+	// There's some tension here between printing:
+	//
+	// (1) full file paths that tools can recognize (e.g., so emacs
+	//     hyperlinks the "file:line" text for easy navigation), or
+	//
+	// (2) short file paths that are easier for humans to read (e.g., by
+	//     omitting redundant or irrelevant details, so it's easier to
+	//     focus on the useful bits that remain).
+	//
+	// The current formatting favors the former, as it seems more
+	// helpful in practice. But perhaps the formatting could be improved
+	// to better address both concerns. For example, use relative file
+	// paths if they would be shorter, or rewrite file paths to contain
+	// "$GOROOT" (like objabi.AbsFile does) if tools can be taught how
+	// to reliably expand that again.
+
+	fmt.Printf("export data desync: package %q, section %v, index %v, offset %v\n", r.common.pkgPath, r.k, r.Idx, pos)
+
+	fmt.Printf("\nfound %v, written at:\n", mHave)
+	if len(writerPCs) == 0 {
+		fmt.Printf("\t[stack trace unavailable; recompile package %q with -d=syncframes]\n", r.common.pkgPath)
+	}
+	for _, pc := range writerPCs {
+		fmt.Printf("\t%s\n", r.common.StringIdx(r.rawReloc(RelocString, pc)))
+	}
+
+	fmt.Printf("\nexpected %v, reading at:\n", mWant)
+	var readerPCs [32]uintptr // TODO(mdempsky): Dynamically size?
+	n := runtime.Callers(2, readerPCs[:])
+	for _, pc := range fmtFrames(readerPCs[:n]...) {
+		fmt.Printf("\t%s\n", pc)
+	}
+
+	// We already printed a stack trace for the reader, so now we can
+	// simply exit. Printing a second one with panic or base.Fatalf
+	// would just be noise.
+	os.Exit(1)
+}
+
+// Bool decodes and returns a bool value from the element bitstream.
+func (r *Decoder) Bool() bool {
+	r.Sync(SyncBool)
+	x, err := r.Data.ReadByte()
+	r.checkErr(err)
+	assert(x < 2)
+	return x != 0
+}
+
+// Int64 decodes and returns an int64 value from the element bitstream.
+func (r *Decoder) Int64() int64 {
+	r.Sync(SyncInt64)
+	return r.rawVarint()
+}
+
+// Uint64 decodes and returns a uint64 value from the element bitstream.
+func (r *Decoder) Uint64() uint64 {
+	r.Sync(SyncUint64)
+	return r.rawUvarint()
+}
+
+// Len decodes and returns a non-negative int value from the element bitstream.
+func (r *Decoder) Len() int { x := r.Uint64(); v := int(x); assert(uint64(v) == x); return v }
+
+// Int decodes and returns an int value from the element bitstream.
+func (r *Decoder) Int() int { x := r.Int64(); v := int(x); assert(int64(v) == x); return v }
+
+// Uint decodes and returns a uint value from the element bitstream.
+func (r *Decoder) Uint() uint { x := r.Uint64(); v := uint(x); assert(uint64(v) == x); return v }
+
+// Code decodes a Code value from the element bitstream and returns
+// its ordinal value. It's the caller's responsibility to convert the
+// result to an appropriate Code type.
+//
+// TODO(mdempsky): Ideally this method would have signature "Code[T
+// Code] T" instead, but we don't allow generic methods and the
+// compiler can't depend on generics yet anyway.
+func (r *Decoder) Code(mark SyncMarker) int {
+	r.Sync(mark)
+	return r.Len()
+}
+
+// Reloc decodes a relocation of expected section k from the element
+// bitstream and returns an index to the referenced element.
+func (r *Decoder) Reloc(k RelocKind) Index {
+	r.Sync(SyncUseReloc)
+	return r.rawReloc(k, r.Len())
+}
+
+// String decodes and returns a string value from the element
+// bitstream.
+func (r *Decoder) String() string {
+	r.Sync(SyncString)
+	return r.common.StringIdx(r.Reloc(RelocString))
+}
+
+// Strings decodes and returns a variable-length slice of strings from
+// the element bitstream.
+func (r *Decoder) Strings() []string {
+	res := make([]string, r.Len())
+	for i := range res {
+		res[i] = r.String()
+	}
+	return res
+}
+
+// Value decodes and returns a constant.Value from the element
+// bitstream.
+func (r *Decoder) Value() constant.Value {
+	r.Sync(SyncValue)
+	isComplex := r.Bool()
+	val := r.scalar()
+	if isComplex {
+		val = constant.BinaryOp(val, token.ADD, constant.MakeImag(r.scalar()))
+	}
+	return val
+}
+
+func (r *Decoder) scalar() constant.Value {
+	switch tag := CodeVal(r.Code(SyncVal)); tag {
+	default:
+		panic(fmt.Errorf("unexpected scalar tag: %v", tag))
+
+	case ValBool:
+		return constant.MakeBool(r.Bool())
+	case ValString:
+		return constant.MakeString(r.String())
+	case ValInt64:
+		return constant.MakeInt64(r.Int64())
+	case ValBigInt:
+		return constant.Make(r.bigInt())
+	case ValBigRat:
+		num := r.bigInt()
+		denom := r.bigInt()
+		return constant.Make(new(big.Rat).SetFrac(num, denom))
+	case ValBigFloat:
+		return constant.Make(r.bigFloat())
+	}
+}
+
+func (r *Decoder) bigInt() *big.Int {
+	v := new(big.Int).SetBytes([]byte(r.String()))
+	if r.Bool() {
+		v.Neg(v)
+	}
+	return v
+}
+
+func (r *Decoder) bigFloat() *big.Float {
+	v := new(big.Float).SetPrec(512)
+	assert(v.UnmarshalText([]byte(r.String())) == nil)
+	return v
+}
+
+// @@@ Helpers
+
+// TODO(mdempsky): These should probably be removed. I think they're a
+// smell that the export data format is not yet quite right.
+
+// PeekPkgPath returns the package path for the specified package
+// index.
+func (pr *PkgDecoder) PeekPkgPath(idx Index) string {
+	var path string
+	{
+		r := pr.TempDecoder(RelocPkg, idx, SyncPkgDef)
+		path = r.String()
+		pr.RetireDecoder(&r)
+	}
+	if path == "" {
+		path = pr.pkgPath
+	}
+	return path
+}
+
+// PeekObj returns the package path, object name, and CodeObj for the
+// specified object index.
+func (pr *PkgDecoder) PeekObj(idx Index) (string, string, CodeObj) {
+	var ridx Index
+	var name string
+	var rcode int
+	{
+		r := pr.TempDecoder(RelocName, idx, SyncObject1)
+		r.Sync(SyncSym)
+		r.Sync(SyncPkg)
+		ridx = r.Reloc(RelocPkg)
+		name = r.String()
+		rcode = r.Code(SyncCodeObj)
+		pr.RetireDecoder(&r)
+	}
+
+	path := pr.PeekPkgPath(ridx)
+	assert(name != "")
+
+	tag := CodeObj(rcode)
+
+	return path, name, tag
+}
+
+// Version reports the version of the bitstream.
+func (w *Decoder) Version() Version { return w.common.version }
diff --git a/vendor/golang.org/x/tools/internal/pkgbits/doc.go b/vendor/golang.org/x/tools/internal/pkgbits/doc.go
new file mode 100644
index 0000000000..c8a2796b5e
--- /dev/null
+++ b/vendor/golang.org/x/tools/internal/pkgbits/doc.go
@@ -0,0 +1,32 @@
+// Copyright 2022 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package pkgbits implements low-level coding abstractions for
+// Unified IR's export data format.
+//
+// At a low-level, a package is a collection of bitstream elements.
+// Each element has a "kind" and a dense, non-negative index.
+// Elements can be randomly accessed given their kind and index.
+//
+// Individual elements are sequences of variable-length values (e.g.,
+// integers, booleans, strings, go/constant values, cross-references
+// to other elements). Package pkgbits provides APIs for encoding and
+// decoding these low-level values, but the details of mapping
+// higher-level Go constructs into elements is left to higher-level
+// abstractions.
+//
+// Elements may cross-reference each other with "relocations." For
+// example, an element representing a pointer type has a relocation
+// referring to the element type.
+//
+// Go constructs may be composed as a constellation of multiple
+// elements. For example, a declared function may have one element to
+// describe the object (e.g., its name, type, position), and a
+// separate element to describe its function body. This allows readers
+// some flexibility in efficiently seeking or re-reading data (e.g.,
+// inlining requires re-reading the function body for each inlined
+// call, without needing to re-read the object-level details).
+//
+// This is a copy of internal/pkgbits in the Go implementation.
+package pkgbits
diff --git a/vendor/golang.org/x/tools/internal/pkgbits/encoder.go b/vendor/golang.org/x/tools/internal/pkgbits/encoder.go
new file mode 100644
index 0000000000..c17a12399d
--- /dev/null
+++ b/vendor/golang.org/x/tools/internal/pkgbits/encoder.go
@@ -0,0 +1,392 @@
+// Copyright 2021 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package pkgbits
+
+import (
+	"bytes"
+	"crypto/md5"
+	"encoding/binary"
+	"go/constant"
+	"io"
+	"math/big"
+	"runtime"
+	"strings"
+)
+
+// A PkgEncoder provides methods for encoding a package's Unified IR
+// export data.
+type PkgEncoder struct {
+	// version of the bitstream.
+	version Version
+
+	// elems holds the bitstream for previously encoded elements.
+	elems [numRelocs][]string
+
+	// stringsIdx maps previously encoded strings to their index within
+	// the RelocString section, to allow deduplication. That is,
+	// elems[RelocString][stringsIdx[s]] == s (if present).
+	stringsIdx map[string]Index
+
+	// syncFrames is the number of frames to write at each sync
+	// marker. A negative value means sync markers are omitted.
+	syncFrames int
+}
+
+// SyncMarkers reports whether pw uses sync markers.
+func (pw *PkgEncoder) SyncMarkers() bool { return pw.syncFrames >= 0 }
+
+// NewPkgEncoder returns an initialized PkgEncoder.
+//
+// syncFrames is the number of caller frames that should be serialized
+// at Sync points. Serializing additional frames results in larger
+// export data files, but can help diagnosing desync errors in
+// higher-level Unified IR reader/writer code. If syncFrames is
+// negative, then sync markers are omitted entirely.
+func NewPkgEncoder(version Version, syncFrames int) PkgEncoder {
+	return PkgEncoder{
+		version:    version,
+		stringsIdx: make(map[string]Index),
+		syncFrames: syncFrames,
+	}
+}
+
+// DumpTo writes the package's encoded data to out0 and returns the
+// package fingerprint.
+func (pw *PkgEncoder) DumpTo(out0 io.Writer) (fingerprint [8]byte) {
+	h := md5.New()
+	out := io.MultiWriter(out0, h)
+
+	writeUint32 := func(x uint32) {
+		assert(binary.Write(out, binary.LittleEndian, x) == nil)
+	}
+
+	writeUint32(uint32(pw.version))
+
+	if pw.version.Has(Flags) {
+		var flags uint32
+		if pw.SyncMarkers() {
+			flags |= flagSyncMarkers
+		}
+		writeUint32(flags)
+	}
+
+	// Write elemEndsEnds.
+	var sum uint32
+	for _, elems := range &pw.elems {
+		sum += uint32(len(elems))
+		writeUint32(sum)
+	}
+
+	// Write elemEnds.
+	sum = 0
+	for _, elems := range &pw.elems {
+		for _, elem := range elems {
+			sum += uint32(len(elem))
+			writeUint32(sum)
+		}
+	}
+
+	// Write elemData.
+	for _, elems := range &pw.elems {
+		for _, elem := range elems {
+			_, err := io.WriteString(out, elem)
+			assert(err == nil)
+		}
+	}
+
+	// Write fingerprint.
+	copy(fingerprint[:], h.Sum(nil))
+	_, err := out0.Write(fingerprint[:])
+	assert(err == nil)
+
+	return
+}
+
+// StringIdx adds a string value to the strings section, if not
+// already present, and returns its index.
+func (pw *PkgEncoder) StringIdx(s string) Index {
+	if idx, ok := pw.stringsIdx[s]; ok {
+		assert(pw.elems[RelocString][idx] == s)
+		return idx
+	}
+
+	idx := Index(len(pw.elems[RelocString]))
+	pw.elems[RelocString] = append(pw.elems[RelocString], s)
+	pw.stringsIdx[s] = idx
+	return idx
+}
+
+// NewEncoder returns an Encoder for a new element within the given
+// section, and encodes the given SyncMarker as the start of the
+// element bitstream.
+func (pw *PkgEncoder) NewEncoder(k RelocKind, marker SyncMarker) Encoder {
+	e := pw.NewEncoderRaw(k)
+	e.Sync(marker)
+	return e
+}
+
+// NewEncoderRaw returns an Encoder for a new element within the given
+// section.
+//
+// Most callers should use NewEncoder instead.
+func (pw *PkgEncoder) NewEncoderRaw(k RelocKind) Encoder {
+	idx := Index(len(pw.elems[k]))
+	pw.elems[k] = append(pw.elems[k], "") // placeholder
+
+	return Encoder{
+		p:   pw,
+		k:   k,
+		Idx: idx,
+	}
+}
+
+// An Encoder provides methods for encoding an individual element's
+// bitstream data.
+type Encoder struct {
+	p *PkgEncoder
+
+	Relocs   []RelocEnt
+	RelocMap map[RelocEnt]uint32
+	Data     bytes.Buffer // accumulated element bitstream data
+
+	encodingRelocHeader bool
+
+	k   RelocKind
+	Idx Index // index within relocation section
+}
+
+// Flush finalizes the element's bitstream and returns its Index.
+func (w *Encoder) Flush() Index {
+	var sb strings.Builder
+
+	// Backup the data so we write the relocations at the front.
+	var tmp bytes.Buffer
+	io.Copy(&tmp, &w.Data)
+
+	// TODO(mdempsky): Consider writing these out separately so they're
+	// easier to strip, along with function bodies, so that we can prune
+	// down to just the data that's relevant to go/types.
+	if w.encodingRelocHeader {
+		panic("encodingRelocHeader already true; recursive flush?")
+	}
+	w.encodingRelocHeader = true
+	w.Sync(SyncRelocs)
+	w.Len(len(w.Relocs))
+	for _, rEnt := range w.Relocs {
+		w.Sync(SyncReloc)
+		w.Len(int(rEnt.Kind))
+		w.Len(int(rEnt.Idx))
+	}
+
+	io.Copy(&sb, &w.Data)
+	io.Copy(&sb, &tmp)
+	w.p.elems[w.k][w.Idx] = sb.String()
+
+	return w.Idx
+}
+
+func (w *Encoder) checkErr(err error) {
+	if err != nil {
+		panicf("unexpected encoding error: %v", err)
+	}
+}
+
+func (w *Encoder) rawUvarint(x uint64) {
+	var buf [binary.MaxVarintLen64]byte
+	n := binary.PutUvarint(buf[:], x)
+	_, err := w.Data.Write(buf[:n])
+	w.checkErr(err)
+}
+
+func (w *Encoder) rawVarint(x int64) {
+	// Zig-zag encode.
+	ux := uint64(x) << 1
+	if x < 0 {
+		ux = ^ux
+	}
+
+	w.rawUvarint(ux)
+}
+
+func (w *Encoder) rawReloc(r RelocKind, idx Index) int {
+	e := RelocEnt{r, idx}
+	if w.RelocMap != nil {
+		if i, ok := w.RelocMap[e]; ok {
+			return int(i)
+		}
+	} else {
+		w.RelocMap = make(map[RelocEnt]uint32)
+	}
+
+	i := len(w.Relocs)
+	w.RelocMap[e] = uint32(i)
+	w.Relocs = append(w.Relocs, e)
+	return i
+}
+
+func (w *Encoder) Sync(m SyncMarker) {
+	if !w.p.SyncMarkers() {
+		return
+	}
+
+	// Writing out stack frame string references requires working
+	// relocations, but writing out the relocations themselves involves
+	// sync markers. To prevent infinite recursion, we simply trim the
+	// stack frame for sync markers within the relocation header.
+	var frames []string
+	if !w.encodingRelocHeader && w.p.syncFrames > 0 {
+		pcs := make([]uintptr, w.p.syncFrames)
+		n := runtime.Callers(2, pcs)
+		frames = fmtFrames(pcs[:n]...)
+	}
+
+	// TODO(mdempsky): Save space by writing out stack frames as a
+	// linked list so we can share common stack frames.
+	w.rawUvarint(uint64(m))
+	w.rawUvarint(uint64(len(frames)))
+	for _, frame := range frames {
+		w.rawUvarint(uint64(w.rawReloc(RelocString, w.p.StringIdx(frame))))
+	}
+}
+
+// Bool encodes and writes a bool value into the element bitstream,
+// and then returns the bool value.
+//
+// For simple, 2-alternative encodings, the idiomatic way to call Bool
+// is something like:
+//
+//	if w.Bool(x != 0) {
+//		// alternative #1
+//	} else {
+//		// alternative #2
+//	}
+//
+// For multi-alternative encodings, use Code instead.
+func (w *Encoder) Bool(b bool) bool {
+	w.Sync(SyncBool)
+	var x byte
+	if b {
+		x = 1
+	}
+	err := w.Data.WriteByte(x)
+	w.checkErr(err)
+	return b
+}
+
+// Int64 encodes and writes an int64 value into the element bitstream.
+func (w *Encoder) Int64(x int64) {
+	w.Sync(SyncInt64)
+	w.rawVarint(x)
+}
+
+// Uint64 encodes and writes a uint64 value into the element bitstream.
+func (w *Encoder) Uint64(x uint64) {
+	w.Sync(SyncUint64)
+	w.rawUvarint(x)
+}
+
+// Len encodes and writes a non-negative int value into the element bitstream.
+func (w *Encoder) Len(x int) { assert(x >= 0); w.Uint64(uint64(x)) }
+
+// Int encodes and writes an int value into the element bitstream.
+func (w *Encoder) Int(x int) { w.Int64(int64(x)) }
+
+// Uint encodes and writes a uint value into the element bitstream.
+func (w *Encoder) Uint(x uint) { w.Uint64(uint64(x)) }
+
+// Reloc encodes and writes a relocation for the given (section,
+// index) pair into the element bitstream.
+//
+// Note: Only the index is formally written into the element
+// bitstream, so bitstream decoders must know from context which
+// section an encoded relocation refers to.
+func (w *Encoder) Reloc(r RelocKind, idx Index) {
+	w.Sync(SyncUseReloc)
+	w.Len(w.rawReloc(r, idx))
+}
+
+// Code encodes and writes a Code value into the element bitstream.
+func (w *Encoder) Code(c Code) {
+	w.Sync(c.Marker())
+	w.Len(c.Value())
+}
+
+// String encodes and writes a string value into the element
+// bitstream.
+//
+// Internally, strings are deduplicated by adding them to the strings
+// section (if not already present), and then writing a relocation
+// into the element bitstream.
+func (w *Encoder) String(s string) {
+	w.StringRef(w.p.StringIdx(s))
+}
+
+// StringRef writes a reference to the given index, which must be a
+// previously encoded string value.
+func (w *Encoder) StringRef(idx Index) {
+	w.Sync(SyncString)
+	w.Reloc(RelocString, idx)
+}
+
+// Strings encodes and writes a variable-length slice of strings into
+// the element bitstream.
+func (w *Encoder) Strings(ss []string) {
+	w.Len(len(ss))
+	for _, s := range ss {
+		w.String(s)
+	}
+}
+
+// Value encodes and writes a constant.Value into the element
+// bitstream.
+func (w *Encoder) Value(val constant.Value) {
+	w.Sync(SyncValue)
+	if w.Bool(val.Kind() == constant.Complex) {
+		w.scalar(constant.Real(val))
+		w.scalar(constant.Imag(val))
+	} else {
+		w.scalar(val)
+	}
+}
+
+func (w *Encoder) scalar(val constant.Value) {
+	switch v := constant.Val(val).(type) {
+	default:
+		panicf("unhandled %v (%v)", val, val.Kind())
+	case bool:
+		w.Code(ValBool)
+		w.Bool(v)
+	case string:
+		w.Code(ValString)
+		w.String(v)
+	case int64:
+		w.Code(ValInt64)
+		w.Int64(v)
+	case *big.Int:
+		w.Code(ValBigInt)
+		w.bigInt(v)
+	case *big.Rat:
+		w.Code(ValBigRat)
+		w.bigInt(v.Num())
+		w.bigInt(v.Denom())
+	case *big.Float:
+		w.Code(ValBigFloat)
+		w.bigFloat(v)
+	}
+}
+
+func (w *Encoder) bigInt(v *big.Int) {
+	b := v.Bytes()
+	w.String(string(b)) // TODO: More efficient encoding.
+	w.Bool(v.Sign() < 0)
+}
+
+func (w *Encoder) bigFloat(v *big.Float) {
+	b := v.Append(nil, 'p', -1)
+	w.String(string(b)) // TODO: More efficient encoding.
+}
+
+// Version reports the version of the bitstream.
+func (w *Encoder) Version() Version { return w.p.version }
diff --git a/vendor/golang.org/x/tools/internal/pkgbits/flags.go b/vendor/golang.org/x/tools/internal/pkgbits/flags.go
new file mode 100644
index 0000000000..654222745f
--- /dev/null
+++ b/vendor/golang.org/x/tools/internal/pkgbits/flags.go
@@ -0,0 +1,9 @@
+// Copyright 2022 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package pkgbits
+
+const (
+	flagSyncMarkers = 1 << iota // file format contains sync markers
+)
diff --git a/vendor/golang.org/x/tools/internal/pkgbits/reloc.go b/vendor/golang.org/x/tools/internal/pkgbits/reloc.go
new file mode 100644
index 0000000000..fcdfb97ca9
--- /dev/null
+++ b/vendor/golang.org/x/tools/internal/pkgbits/reloc.go
@@ -0,0 +1,42 @@
+// Copyright 2021 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package pkgbits
+
+// A RelocKind indicates a particular section within a unified IR export.
+type RelocKind int32
+
+// An Index represents a bitstream element index within a particular
+// section.
+type Index int32
+
+// A relocEnt (relocation entry) is an entry in an element's local
+// reference table.
+//
+// TODO(mdempsky): Rename this too.
+type RelocEnt struct {
+	Kind RelocKind
+	Idx  Index
+}
+
+// Reserved indices within the meta relocation section.
+const (
+	PublicRootIdx  Index = 0
+	PrivateRootIdx Index = 1
+)
+
+const (
+	RelocString RelocKind = iota
+	RelocMeta
+	RelocPosBase
+	RelocPkg
+	RelocName
+	RelocType
+	RelocObj
+	RelocObjExt
+	RelocObjDict
+	RelocBody
+
+	numRelocs = iota
+)
diff --git a/vendor/golang.org/x/tools/internal/pkgbits/support.go b/vendor/golang.org/x/tools/internal/pkgbits/support.go
new file mode 100644
index 0000000000..50534a2955
--- /dev/null
+++ b/vendor/golang.org/x/tools/internal/pkgbits/support.go
@@ -0,0 +1,17 @@
+// Copyright 2022 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package pkgbits
+
+import "fmt"
+
+func assert(b bool) {
+	if !b {
+		panic("assertion failed")
+	}
+}
+
+func panicf(format string, args ...any) {
+	panic(fmt.Errorf(format, args...))
+}
diff --git a/vendor/golang.org/x/tools/internal/pkgbits/sync.go b/vendor/golang.org/x/tools/internal/pkgbits/sync.go
new file mode 100644
index 0000000000..1520b73afb
--- /dev/null
+++ b/vendor/golang.org/x/tools/internal/pkgbits/sync.go
@@ -0,0 +1,136 @@
+// Copyright 2021 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package pkgbits
+
+import (
+	"fmt"
+	"runtime"
+	"strings"
+)
+
+// fmtFrames formats a backtrace for reporting reader/writer desyncs.
+func fmtFrames(pcs ...uintptr) []string {
+	res := make([]string, 0, len(pcs))
+	walkFrames(pcs, func(file string, line int, name string, offset uintptr) {
+		// Trim package from function name. It's just redundant noise.
+		name = strings.TrimPrefix(name, "cmd/compile/internal/noder.")
+
+		res = append(res, fmt.Sprintf("%s:%v: %s +0x%v", file, line, name, offset))
+	})
+	return res
+}
+
+type frameVisitor func(file string, line int, name string, offset uintptr)
+
+// walkFrames calls visit for each call frame represented by pcs.
+//
+// pcs should be a slice of PCs, as returned by runtime.Callers.
+func walkFrames(pcs []uintptr, visit frameVisitor) {
+	if len(pcs) == 0 {
+		return
+	}
+
+	frames := runtime.CallersFrames(pcs)
+	for {
+		frame, more := frames.Next()
+		visit(frame.File, frame.Line, frame.Function, frame.PC-frame.Entry)
+		if !more {
+			return
+		}
+	}
+}
+
+// SyncMarker is an enum type that represents markers that may be
+// written to export data to ensure the reader and writer stay
+// synchronized.
+type SyncMarker int
+
+//go:generate stringer -type=SyncMarker -trimprefix=Sync
+
+const (
+	_ SyncMarker = iota
+
+	// Public markers (known to go/types importers).
+
+	// Low-level coding markers.
+	SyncEOF
+	SyncBool
+	SyncInt64
+	SyncUint64
+	SyncString
+	SyncValue
+	SyncVal
+	SyncRelocs
+	SyncReloc
+	SyncUseReloc
+
+	// Higher-level object and type markers.
+	SyncPublic
+	SyncPos
+	SyncPosBase
+	SyncObject
+	SyncObject1
+	SyncPkg
+	SyncPkgDef
+	SyncMethod
+	SyncType
+	SyncTypeIdx
+	SyncTypeParamNames
+	SyncSignature
+	SyncParams
+	SyncParam
+	SyncCodeObj
+	SyncSym
+	SyncLocalIdent
+	SyncSelector
+
+	// Private markers (only known to cmd/compile).
+	SyncPrivate
+
+	SyncFuncExt
+	SyncVarExt
+	SyncTypeExt
+	SyncPragma
+
+	SyncExprList
+	SyncExprs
+	SyncExpr
+	SyncExprType
+	SyncAssign
+	SyncOp
+	SyncFuncLit
+	SyncCompLit
+
+	SyncDecl
+	SyncFuncBody
+	SyncOpenScope
+	SyncCloseScope
+	SyncCloseAnotherScope
+	SyncDeclNames
+	SyncDeclName
+
+	SyncStmts
+	SyncBlockStmt
+	SyncIfStmt
+	SyncForStmt
+	SyncSwitchStmt
+	SyncRangeStmt
+	SyncCaseClause
+	SyncCommClause
+	SyncSelectStmt
+	SyncDecls
+	SyncLabeledStmt
+	SyncUseObjLocal
+	SyncAddLocal
+	SyncLinkname
+	SyncStmt1
+	SyncStmtsEnd
+	SyncLabel
+	SyncOptLabel
+
+	SyncMultiExpr
+	SyncRType
+	SyncConvRTTI
+)
diff --git a/vendor/golang.org/x/tools/internal/pkgbits/syncmarker_string.go b/vendor/golang.org/x/tools/internal/pkgbits/syncmarker_string.go
new file mode 100644
index 0000000000..582ad56d3e
--- /dev/null
+++ b/vendor/golang.org/x/tools/internal/pkgbits/syncmarker_string.go
@@ -0,0 +1,92 @@
+// Code generated by "stringer -type=SyncMarker -trimprefix=Sync"; DO NOT EDIT.
+
+package pkgbits
+
+import "strconv"
+
+func _() {
+	// An "invalid array index" compiler error signifies that the constant values have changed.
+	// Re-run the stringer command to generate them again.
+	var x [1]struct{}
+	_ = x[SyncEOF-1]
+	_ = x[SyncBool-2]
+	_ = x[SyncInt64-3]
+	_ = x[SyncUint64-4]
+	_ = x[SyncString-5]
+	_ = x[SyncValue-6]
+	_ = x[SyncVal-7]
+	_ = x[SyncRelocs-8]
+	_ = x[SyncReloc-9]
+	_ = x[SyncUseReloc-10]
+	_ = x[SyncPublic-11]
+	_ = x[SyncPos-12]
+	_ = x[SyncPosBase-13]
+	_ = x[SyncObject-14]
+	_ = x[SyncObject1-15]
+	_ = x[SyncPkg-16]
+	_ = x[SyncPkgDef-17]
+	_ = x[SyncMethod-18]
+	_ = x[SyncType-19]
+	_ = x[SyncTypeIdx-20]
+	_ = x[SyncTypeParamNames-21]
+	_ = x[SyncSignature-22]
+	_ = x[SyncParams-23]
+	_ = x[SyncParam-24]
+	_ = x[SyncCodeObj-25]
+	_ = x[SyncSym-26]
+	_ = x[SyncLocalIdent-27]
+	_ = x[SyncSelector-28]
+	_ = x[SyncPrivate-29]
+	_ = x[SyncFuncExt-30]
+	_ = x[SyncVarExt-31]
+	_ = x[SyncTypeExt-32]
+	_ = x[SyncPragma-33]
+	_ = x[SyncExprList-34]
+	_ = x[SyncExprs-35]
+	_ = x[SyncExpr-36]
+	_ = x[SyncExprType-37]
+	_ = x[SyncAssign-38]
+	_ = x[SyncOp-39]
+	_ = x[SyncFuncLit-40]
+	_ = x[SyncCompLit-41]
+	_ = x[SyncDecl-42]
+	_ = x[SyncFuncBody-43]
+	_ = x[SyncOpenScope-44]
+	_ = x[SyncCloseScope-45]
+	_ = x[SyncCloseAnotherScope-46]
+	_ = x[SyncDeclNames-47]
+	_ = x[SyncDeclName-48]
+	_ = x[SyncStmts-49]
+	_ = x[SyncBlockStmt-50]
+	_ = x[SyncIfStmt-51]
+	_ = x[SyncForStmt-52]
+	_ = x[SyncSwitchStmt-53]
+	_ = x[SyncRangeStmt-54]
+	_ = x[SyncCaseClause-55]
+	_ = x[SyncCommClause-56]
+	_ = x[SyncSelectStmt-57]
+	_ = x[SyncDecls-58]
+	_ = x[SyncLabeledStmt-59]
+	_ = x[SyncUseObjLocal-60]
+	_ = x[SyncAddLocal-61]
+	_ = x[SyncLinkname-62]
+	_ = x[SyncStmt1-63]
+	_ = x[SyncStmtsEnd-64]
+	_ = x[SyncLabel-65]
+	_ = x[SyncOptLabel-66]
+	_ = x[SyncMultiExpr-67]
+	_ = x[SyncRType-68]
+	_ = x[SyncConvRTTI-69]
+}
+
+const _SyncMarker_name = "EOFBoolInt64Uint64StringValueValRelocsRelocUseRelocPublicPosPosBaseObjectObject1PkgPkgDefMethodTypeTypeIdxTypeParamNamesSignatureParamsParamCodeObjSymLocalIdentSelectorPrivateFuncExtVarExtTypeExtPragmaExprListExprsExprExprTypeAssignOpFuncLitCompLitDeclFuncBodyOpenScopeCloseScopeCloseAnotherScopeDeclNamesDeclNameStmtsBlockStmtIfStmtForStmtSwitchStmtRangeStmtCaseClauseCommClauseSelectStmtDeclsLabeledStmtUseObjLocalAddLocalLinknameStmt1StmtsEndLabelOptLabelMultiExprRTypeConvRTTI"
+
+var _SyncMarker_index = [...]uint16{0, 3, 7, 12, 18, 24, 29, 32, 38, 43, 51, 57, 60, 67, 73, 80, 83, 89, 95, 99, 106, 120, 129, 135, 140, 147, 150, 160, 168, 175, 182, 188, 195, 201, 209, 214, 218, 226, 232, 234, 241, 248, 252, 260, 269, 279, 296, 305, 313, 318, 327, 333, 340, 350, 359, 369, 379, 389, 394, 405, 416, 424, 432, 437, 445, 450, 458, 467, 472, 480}
+
+func (i SyncMarker) String() string {
+	i -= 1
+	if i < 0 || i >= SyncMarker(len(_SyncMarker_index)-1) {
+		return "SyncMarker(" + strconv.FormatInt(int64(i+1), 10) + ")"
+	}
+	return _SyncMarker_name[_SyncMarker_index[i]:_SyncMarker_index[i+1]]
+}
diff --git a/vendor/golang.org/x/tools/internal/pkgbits/version.go b/vendor/golang.org/x/tools/internal/pkgbits/version.go
new file mode 100644
index 0000000000..53af9df22b
--- /dev/null
+++ b/vendor/golang.org/x/tools/internal/pkgbits/version.go
@@ -0,0 +1,85 @@
+// Copyright 2024 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package pkgbits
+
+// Version indicates a version of a unified IR bitstream.
+// Each Version indicates the addition, removal, or change of
+// new data in the bitstream.
+//
+// These are serialized to disk and the interpretation remains fixed.
+type Version uint32
+
+const (
+	// V0: initial prototype.
+	//
+	// All data that is not assigned a Field is in version V0
+	// and has not been deprecated.
+	V0 Version = iota
+
+	// V1: adds the Flags uint32 word
+	V1
+
+	// V2: removes unused legacy fields and supports type parameters for aliases.
+	// - remove the legacy "has init" bool from the public root
+	// - remove obj's "derived func instance" bool
+	// - add a TypeParamNames field to ObjAlias
+	// - remove derived info "needed" bool
+	V2
+
+	numVersions = iota
+)
+
+// Field denotes a unit of data in the serialized unified IR bitstream.
+// It is conceptually a like field in a structure.
+//
+// We only really need Fields when the data may or may not be present
+// in a stream based on the Version of the bitstream.
+//
+// Unlike much of pkgbits, Fields are not serialized and
+// can change values as needed.
+type Field int
+
+const (
+	// Flags in a uint32 in the header of a bitstream
+	// that is used to indicate whether optional features are enabled.
+	Flags Field = iota
+
+	// Deprecated: HasInit was a bool indicating whether a package
+	// has any init functions.
+	HasInit
+
+	// Deprecated: DerivedFuncInstance was a bool indicating
+	// whether an object was a function instance.
+	DerivedFuncInstance
+
+	// ObjAlias has a list of TypeParamNames.
+	AliasTypeParamNames
+
+	// Deprecated: DerivedInfoNeeded was a bool indicating
+	// whether a type was a derived type.
+	DerivedInfoNeeded
+
+	numFields = iota
+)
+
+// introduced is the version a field was added.
+var introduced = [numFields]Version{
+	Flags:               V1,
+	AliasTypeParamNames: V2,
+}
+
+// removed is the version a field was removed in or 0 for fields
+// that have not yet been deprecated.
+// (So removed[f]-1 is the last version it is included in.)
+var removed = [numFields]Version{
+	HasInit:             V2,
+	DerivedFuncInstance: V2,
+	DerivedInfoNeeded:   V2,
+}
+
+// Has reports whether field f is present in a bitstream at version v.
+func (v Version) Has(f Field) bool {
+	return introduced[f] <= v && (v < removed[f] || removed[f] == V0)
+}
diff --git a/vendor/golang.org/x/tools/internal/stdlib/deps.go b/vendor/golang.org/x/tools/internal/stdlib/deps.go
new file mode 100644
index 0000000000..f41431c949
--- /dev/null
+++ b/vendor/golang.org/x/tools/internal/stdlib/deps.go
@@ -0,0 +1,527 @@
+// Copyright 2025 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Code generated by generate.go. DO NOT EDIT.
+
+package stdlib
+
+type pkginfo struct {
+	name string
+	deps string // list of indices of dependencies, as varint-encoded deltas
+}
+
+var deps = [...]pkginfo{
+	{"archive/tar", "\x03q\x03F=\x01\n\x01$\x01\x01\x02\x05\b\x02\x01\x02\x02\r"},
+	{"archive/zip", "\x02\x04g\a\x03\x13\x021=\x01+\x05\x01\x0f\x03\x02\x0f\x04"},
+	{"bufio", "\x03q\x86\x01D\x15"},
+	{"bytes", "t+[\x03\fH\x02\x02"},
+	{"cmp", ""},
+	{"compress/bzip2", "\x02\x02\xf6\x01A"},
+	{"compress/flate", "\x02r\x03\x83\x01\f\x033\x01\x03"},
+	{"compress/gzip", "\x02\x04g\a\x03\x15nU"},
+	{"compress/lzw", "\x02r\x03\x83\x01"},
+	{"compress/zlib", "\x02\x04g\a\x03\x13\x01o"},
+	{"container/heap", "\xbc\x02"},
+	{"container/list", ""},
+	{"container/ring", ""},
+	{"context", "t\\p\x01\x0e"},
+	{"crypto", "\x8a\x01pC"},
+	{"crypto/aes", "\x10\v\t\x99\x02"},
+	{"crypto/cipher", "\x03!\x01\x01 \x12\x1c,Z"},
+	{"crypto/des", "\x10\x16 .,\x9d\x01\x03"},
+	{"crypto/dsa", "F\x03+\x86\x01\r"},
+	{"crypto/ecdh", "\x03\v\r\x10\x04\x17\x03\x0f\x1c\x86\x01"},
+	{"crypto/ecdsa", "\x0e\x05\x03\x05\x01\x10\b\v\x06\x01\x03\x0e\x01\x1c\x86\x01\r\x05L\x01"},
+	{"crypto/ed25519", "\x0e\x1f\x12\a\x03\b\a\x1cI=C"},
+	{"crypto/elliptic", "4@\x86\x01\r9"},
+	{"crypto/fips140", "#\x05\x95\x01\x98\x01"},
+	{"crypto/hkdf", "0\x15\x01.\x16"},
+	{"crypto/hmac", "\x1b\x16\x14\x01\x122"},
+	{"crypto/hpke", "\x03\v\x02\x03\x04\x01\f\x01\x05\x1f\x05\a\x01\x01\x1d\x03\x13\x16\x9b\x01\x1c"},
+	{"crypto/internal/boring", "\x0e\x02\x0el"},
+	{"crypto/internal/boring/bbig", "\x1b\xec\x01N"},
+	{"crypto/internal/boring/bcache", "\xc1\x02\x14"},
+	{"crypto/internal/boring/sig", ""},
+	{"crypto/internal/constanttime", ""},
+	{"crypto/internal/cryptotest", "\x03\r\v\b%\x10\x19\x06\x13\x12 \x04\x06\t\x19\x01\x11\x11\x1b\x01\a\x05\b\x03\x05\f"},
+	{"crypto/internal/entropy", "K"},
+	{"crypto/internal/entropy/v1.0.0", "D0\x95\x018\x14"},
+	{"crypto/internal/fips140", "C1\xbf\x01\v\x17"},
+	{"crypto/internal/fips140/aes", "\x03 \x03\x02\x14\x05\x01\x01\x05,\x95\x014"},
+	{"crypto/internal/fips140/aes/gcm", "#\x01\x02\x02\x02\x12\x05\x01\x06,\x92\x01"},
+	{"crypto/internal/fips140/alias", "\xd5\x02"},
+	{"crypto/internal/fips140/bigmod", "(\x19\x01\x06,\x95\x01"},
+	{"crypto/internal/fips140/check", "#\x0e\a\t\x02\xb7\x01["},
+	{"crypto/internal/fips140/check/checktest", "(\x8b\x02\""},
+	{"crypto/internal/fips140/drbg", "\x03\x1f\x01\x01\x04\x14\x05\n)\x86\x01\x0f7\x01"},
+	{"crypto/internal/fips140/ecdh", "\x03 \x05\x02\n\r3\x86\x01\x0f7"},
+	{"crypto/internal/fips140/ecdsa", "\x03 \x04\x01\x02\a\x03\x06:\x16pF"},
+	{"crypto/internal/fips140/ed25519", "\x03 \x05\x02\x04\f:\xc9\x01\x03"},
+	{"crypto/internal/fips140/edwards25519", "\x1f\t\a\x123\x95\x017"},
+	{"crypto/internal/fips140/edwards25519/field", "(\x14\x053\x95\x01"},
+	{"crypto/internal/fips140/hkdf", "\x03 \x05\t\a<\x16"},
+	{"crypto/internal/fips140/hmac", "\x03 \x15\x01\x01:\x16"},
+	{"crypto/internal/fips140/mldsa", "\x03\x1c\x04\x05\x02\x0e\x01\x03\x053\x95\x017"},
+	{"crypto/internal/fips140/mlkem", "\x03 \x05\x02\x0f\x03\x053\xcc\x01"},
+	{"crypto/internal/fips140/nistec", "\x1f\t\r\f3\x95\x01*\r\x15"},
+	{"crypto/internal/fips140/nistec/fiat", "(\x148\x95\x01"},
+	{"crypto/internal/fips140/pbkdf2", "\x03 \x05\t\a<\x16"},
+	{"crypto/internal/fips140/rsa", "\x03\x1c\x04\x04\x01\x02\x0e\x01\x01\x028\x16pF"},
+	{"crypto/internal/fips140/sha256", "\x03 \x1e\x01\x06,\x16\x7f"},
+	{"crypto/internal/fips140/sha3", "\x03 \x19\x05\x012\x95\x01L"},
+	{"crypto/internal/fips140/sha512", "\x03 \x1e\x01\x06,\x16\x7f"},
+	{"crypto/internal/fips140/ssh", "(b"},
+	{"crypto/internal/fips140/subtle", "\x1f\a\x1b\xc8\x01"},
+	{"crypto/internal/fips140/tls12", "\x03 \x05\t\a\x02:\x16"},
+	{"crypto/internal/fips140/tls13", "\x03 \x05\b\b\t3\x16"},
+	{"crypto/internal/fips140cache", "\xb3\x02\r'"},
+	{"crypto/internal/fips140deps", ""},
+	{"crypto/internal/fips140deps/byteorder", "\xa0\x01"},
+	{"crypto/internal/fips140deps/cpu", "\xb5\x01\a"},
+	{"crypto/internal/fips140deps/godebug", "\xbd\x01"},
+	{"crypto/internal/fips140deps/time", "\xcf\x02"},
+	{"crypto/internal/fips140hash", "9\x1d4\xcb\x01"},
+	{"crypto/internal/fips140only", "\x17\x13\x0e\x01\x01Pp"},
+	{"crypto/internal/fips140test", ""},
+	{"crypto/internal/impl", "\xbe\x02"},
+	{"crypto/internal/rand", "\x1b\x0f s=["},
+	{"crypto/internal/randutil", "\xfa\x01\x12"},
+	{"crypto/internal/sysrand", "tq! \r\r\x01\x01\r\x06"},
+	{"crypto/internal/sysrand/internal/seccomp", "t"},
+	{"crypto/md5", "\x0e8.\x16\x16i"},
+	{"crypto/mlkem", "\x0e%"},
+	{"crypto/mlkem/mlkemtest", "3\x13\b&"},
+	{"crypto/pbkdf2", "6\x0f\x01.\x16"},
+	{"crypto/rand", "\x1b\x0f\x1c\x03+\x86\x01\rN"},
+	{"crypto/rc4", "& .\xc9\x01"},
+	{"crypto/rsa", "\x0e\r\x01\v\x10\x0e\x01\x03\b\a\x1c\x03\x133=\f\x01"},
+	{"crypto/sha1", "\x0e\r+\x02,\x16\x16\x15T"},
+	{"crypto/sha256", "\x0e\r\x1dR"},
+	{"crypto/sha3", "\x0e+Q\xcb\x01"},
+	{"crypto/sha512", "\x0e\r\x1fP"},
+	{"crypto/subtle", "\x1f\x1d\x9f\x01z"},
+	{"crypto/tls", "\x03\b\x02\x01\x01\x01\x01\x02\x01\x01\x01\x02\x01\x01\x01\t\x01\x18\x01\x0f\x01\x03\x01\x01\x01\x01\x02\x01\x02\x01\x17\x02\x03\x13\x16\x15\b=\x16\x16\r\b\x01\x01\x01\x02\x01\x0e\x06\x02\x01\x0f"},
+	{"crypto/tls/internal/fips140tls", "\x17\xaa\x02"},
+	{"crypto/x509", "\x03\v\x01\x01\x01\x01\x01\x01\x01\x017\x06\x01\x01\x02\x05\x0e\x06\x02\x02\x03F\x03:\x01\x02\b\x01\x01\x02\a\x10\x05\x01\x06\a\b\x02\x01\x02\x0f\x02\x01\x01\x02\x03\x01"},
+	{"crypto/x509/pkix", "j\x06\a\x90\x01H"},
+	{"database/sql", "\x03\nQ\x16\x03\x83\x01\v\a\"\x05\b\x02\x03\x01\x0e\x02\x02\x02"},
+	{"database/sql/driver", "\rg\x03\xb7\x01\x0f\x12"},
+	{"debug/buildinfo", "\x03^\x02\x01\x01\b\a\x03g\x1a\x02\x01+\x0f "},
+	{"debug/dwarf", "\x03j\a\x03\x83\x011\x11\x01\x01"},
+	{"debug/elf", "\x03\x06W\r\a\x03g\x1b\x01\f \x17\x01\x17"},
+	{"debug/gosym", "\x03j\n$\xa1\x01\x01\x01\x02"},
+	{"debug/macho", "\x03\x06W\r\ng\x1c,\x17\x01"},
+	{"debug/pe", "\x03\x06W\r\a\x03g\x1c,\x17\x01\x17"},
+	{"debug/plan9obj", "m\a\x03g\x1c,"},
+	{"embed", "t+B\x19\x01T"},
+	{"embed/internal/embedtest", ""},
+	{"encoding", ""},
+	{"encoding/ascii85", "\xfa\x01C"},
+	{"encoding/asn1", "\x03q\x03g(\x01'\r\x02\x01\x11\x03\x01"},
+	{"encoding/base32", "\xfa\x01A\x02"},
+	{"encoding/base64", "\xa0\x01ZA\x02"},
+	{"encoding/binary", "t\x86\x01\f(\r\x05"},
+	{"encoding/csv", "\x02\x01q\x03\x83\x01D\x13\x02"},
+	{"encoding/gob", "\x02f\x05\a\x03g\x1c\v\x01\x03\x1d\b\x12\x01\x10\x02"},
+	{"encoding/hex", "t\x03\x83\x01A\x03"},
+	{"encoding/json", "\x03\x01d\x04\b\x03\x83\x01\f(\r\x02\x01\x02\x11\x01\x01\x02"},
+	{"encoding/pem", "\x03i\b\x86\x01A\x03"},
+	{"encoding/xml", "\x02\x01e\f\x03\x83\x014\x05\n\x01\x02\x11\x02"},
+	{"errors", "\xd0\x01\x85\x01"},
+	{"expvar", "qLA\b\v\x15\r\b\x02\x03\x01\x12"},
+	{"flag", "h\f\x03\x83\x01,\b\x05\b\x02\x01\x11"},
+	{"fmt", "tF'\x19\f \b\r\x02\x03\x13"},
+	{"go/ast", "\x03\x01s\x0f\x01s\x03)\b\r\x02\x01\x13\x02"},
+	{"go/build", "\x02\x01q\x03\x01\x02\x02\b\x02\x01\x17\x1f\x04\x02\b\x1c\x13\x01+\x01\x04\x01\a\b\x02\x01\x13\x02\x02"},
+	{"go/build/constraint", "t\xc9\x01\x01\x13\x02"},
+	{"go/constant", "w\x10\x7f\x01\x024\x01\x02\x13"},
+	{"go/doc", "\x04s\x01\x05\n=61\x10\x02\x01\x13\x02"},
+	{"go/doc/comment", "\x03t\xc4\x01\x01\x01\x01\x13\x02"},
+	{"go/format", "\x03t\x01\f\x01\x02sD"},
+	{"go/importer", "y\a\x01\x02\x04\x01r9"},
+	{"go/internal/gccgoimporter", "\x02\x01^\x13\x03\x04\f\x01p\x02,\x01\x05\x11\x01\r\b"},
+	{"go/internal/gcimporter", "\x02u\x10\x010\x05\r0,\x15\x03\x02"},
+	{"go/internal/scannerhooks", "\x87\x01"},
+	{"go/internal/srcimporter", "w\x01\x01\v\x03\x01r,\x01\x05\x12\x02\x15"},
+	{"go/parser", "\x03q\x03\x01\x02\b\x04\x01s\x01+\x06\x12"},
+	{"go/printer", "w\x01\x02\x03\ns\f \x15\x02\x01\x02\f\x05\x02"},
+	{"go/scanner", "\x03t\v\x05s2\x10\x01\x14\x02"},
+	{"go/token", "\x04s\x86\x01>\x02\x03\x01\x10\x02"},
+	{"go/types", "\x03\x01\x06j\x03\x01\x03\t\x03\x024\x063\x04\x03\t \x06\a\b\x01\x01\x01\x02\x01\x10\x02\x02"},
+	{"go/version", "\xc2\x01|"},
+	{"hash", "\xfa\x01"},
+	{"hash/adler32", "t\x16\x16"},
+	{"hash/crc32", "t\x16\x16\x15\x8b\x01\x01\x14"},
+	{"hash/crc64", "t\x16\x16\xa0\x01"},
+	{"hash/fnv", "t\x16\x16i"},
+	{"hash/maphash", "\x8a\x01\x11<~"},
+	{"html", "\xbe\x02\x02\x13"},
+	{"html/template", "\x03n\x06\x19-=\x01\n!\x05\x01\x02\x03\f\x01\x02\r\x01\x03\x02"},
+	{"image", "\x02r\x1fg\x0f4\x03\x01"},
+	{"image/color", ""},
+	{"image/color/palette", "\x93\x01"},
+	{"image/draw", "\x92\x01\x01\x04"},
+	{"image/gif", "\x02\x01\x05l\x03\x1b\x01\x01\x01\vZ\x0f"},
+	{"image/internal/imageutil", "\x92\x01"},
+	{"image/jpeg", "\x02r\x1e\x01\x04c"},
+	{"image/png", "\x02\ad\n\x13\x02\x06\x01gC"},
+	{"index/suffixarray", "\x03j\a\x86\x01\f+\n\x01"},
+	{"internal/abi", "\xbc\x01\x99\x01"},
+	{"internal/asan", "\xd5\x02"},
+	{"internal/bisect", "\xb3\x02\r\x01"},
+	{"internal/buildcfg", "wHg\x06\x02\x05\n\x01"},
+	{"internal/bytealg", "\xb5\x01\xa0\x01"},
+	{"internal/byteorder", ""},
+	{"internal/cfg", ""},
+	{"internal/cgrouptest", "w[T\x06\x0f\x02\x01\x04\x01"},
+	{"internal/chacha8rand", "\xa0\x01\x15\a\x99\x01"},
+	{"internal/copyright", ""},
+	{"internal/coverage", ""},
+	{"internal/coverage/calloc", ""},
+	{"internal/coverage/cfile", "q\x06\x17\x17\x01\x02\x01\x01\x01\x01\x01\x01\x01\"\x02',\x06\a\n\x01\x03\x0e\x06"},
+	{"internal/coverage/cformat", "\x04s.\x04Q\v6\x01\x02\x0e"},
+	{"internal/coverage/cmerge", "w.a"},
+	{"internal/coverage/decodecounter", "m\n.\v\x02H,\x17\x18"},
+	{"internal/coverage/decodemeta", "\x02k\n\x17\x17\v\x02H,"},
+	{"internal/coverage/encodecounter", "\x02k\n.\f\x01\x02F\v!\x15"},
+	{"internal/coverage/encodemeta", "\x02\x01j\n\x13\x04\x17\r\x02F,/"},
+	{"internal/coverage/pods", "\x04s.\x81\x01\x06\x05\n\x02\x01"},
+	{"internal/coverage/rtcov", "\xd5\x02"},
+	{"internal/coverage/slicereader", "m\n\x83\x01["},
+	{"internal/coverage/slicewriter", "w\x83\x01"},
+	{"internal/coverage/stringtab", "w9\x04F"},
+	{"internal/coverage/test", ""},
+	{"internal/coverage/uleb128", ""},
+	{"internal/cpu", "\xd5\x02"},
+	{"internal/dag", "\x04s\xc4\x01\x03"},
+	{"internal/diff", "\x03t\xc5\x01\x02"},
+	{"internal/exportdata", "\x02\x01q\x03\x02e\x1c,\x01\x05\x11\x01\x02"},
+	{"internal/filepathlite", "t+B\x1a@"},
+	{"internal/fmtsort", "\x04\xaa\x02\r"},
+	{"internal/fuzz", "\x03\nH\x18\x04\x03\x03\x01\f\x036=\f\x03\x1d\x01\x05\x02\x05\n\x01\x02\x01\x01\r\x04\x02"},
+	{"internal/goarch", ""},
+	{"internal/godebug", "\x9d\x01!\x82\x01\x01\x14"},
+	{"internal/godebugs", ""},
+	{"internal/goexperiment", ""},
+	{"internal/goos", ""},
+	{"internal/goroot", "\xa6\x02\x01\x05\x12\x02"},
+	{"internal/gover", "\x04"},
+	{"internal/goversion", ""},
+	{"internal/lazyregexp", "\xa6\x02\v\r\x02"},
+	{"internal/lazytemplate", "\xfa\x01,\x18\x02\r"},
+	{"internal/msan", "\xd5\x02"},
+	{"internal/nettrace", ""},
+	{"internal/obscuretestdata", "l\x8e\x01,"},
+	{"internal/oserror", "t"},
+	{"internal/pkgbits", "\x03R\x18\a\x03\x04\fs\r\x1f\r\n\x01"},
+	{"internal/platform", ""},
+	{"internal/poll", "tl\x05\x159\r\x01\x01\r\x06"},
+	{"internal/profile", "\x03\x04m\x03\x83\x017\n\x01\x01\x01\x11"},
+	{"internal/profilerecord", ""},
+	{"internal/race", "\x9b\x01\xba\x01"},
+	{"internal/reflectlite", "\x9b\x01!;<\""},
+	{"internal/runtime/atomic", "\xbc\x01\x99\x01"},
+	{"internal/runtime/cgroup", "\x9f\x01=\x04u"},
+	{"internal/runtime/exithook", "\xd1\x01\x84\x01"},
+	{"internal/runtime/gc", "\xbc\x01"},
+	{"internal/runtime/gc/internal/gen", "\nc\n\x18k\x04\v\x1d\b\x10\x02"},
+	{"internal/runtime/gc/scan", "\xb5\x01\a\x18\az"},
+	{"internal/runtime/maps", "\x9b\x01\x01 \n\t\t\x03z"},
+	{"internal/runtime/math", "\xbc\x01"},
+	{"internal/runtime/pprof/label", ""},
+	{"internal/runtime/startlinetest", ""},
+	{"internal/runtime/sys", "\xbc\x01\x04"},
+	{"internal/runtime/syscall/linux", "\xbc\x01\x99\x01"},
+	{"internal/runtime/wasitest", ""},
+	{"internal/saferio", "\xfa\x01["},
+	{"internal/singleflight", "\xc0\x02"},
+	{"internal/strconv", "\x89\x02L"},
+	{"internal/stringslite", "\x9f\x01\xb6\x01"},
+	{"internal/sync", "\x9b\x01!\x13r\x14"},
+	{"internal/synctest", "\x9b\x01\xba\x01"},
+	{"internal/syscall/execenv", "\xc2\x02"},
+	{"internal/syscall/unix", "\xb3\x02\x0e\x01\x13"},
+	{"internal/sysinfo", "\x02\x01\xb2\x01E,\x18\x02"},
+	{"internal/syslist", ""},
+	{"internal/testenv", "\x03\ng\x02\x01*\x1b\x0f0+\x01\x05\a\n\x01\x02\x02\x01\f"},
+	{"internal/testhash", "\x03\x87\x01p\x118\f"},
+	{"internal/testlog", "\xc0\x02\x01\x14"},
+	{"internal/testpty", "t\x03\xaf\x01"},
+	{"internal/trace", "\x02\x01\x01\x06c\a\x03w\x03\x03\x06\x03\t+\n\x01\x01\x01\x11\x06"},
+	{"internal/trace/internal/testgen", "\x03j\nu\x03\x02\x03\x011\v\r\x11"},
+	{"internal/trace/internal/tracev1", "\x03\x01i\a\x03}\x06\f5\x01"},
+	{"internal/trace/raw", "\x02k\nz\x03\x06C\x01\x13"},
+	{"internal/trace/testtrace", "\x02\x01q\x03q\x04\x03\x05\x01\x05,\v\x02\b\x02\x01\x05"},
+	{"internal/trace/tracev2", ""},
+	{"internal/trace/traceviewer", "\x02d\v\x06\x1a<\x1f\a\a\x04\b\v\x15\x01\x05\a\n\x01\x02\x0f"},
+	{"internal/trace/traceviewer/format", ""},
+	{"internal/trace/version", "wz\t"},
+	{"internal/txtar", "\x03t\xaf\x01\x18"},
+	{"internal/types/errors", "\xbd\x02"},
+	{"internal/unsafeheader", "\xd5\x02"},
+	{"internal/xcoff", "`\r\a\x03g\x1c,\x17\x01"},
+	{"internal/zstd", "m\a\x03\x83\x01\x0f"},
+	{"io", "t\xcc\x01"},
+	{"io/fs", "t+*11\x10\x14\x04"},
+	{"io/ioutil", "\xfa\x01\x01+\x15\x03"},
+	{"iter", "\xcf\x01d\""},
+	{"log", "w\x83\x01\x05'\r\r\x01\x0e"},
+	{"log/internal", ""},
+	{"log/slog", "\x03\n[\t\x03\x03\x83\x01\x04\x01\x02\x02\x03(\x05\b\x02\x01\x02\x01\x0e\x02\x02\x02"},
+	{"log/slog/internal", ""},
+	{"log/slog/internal/benchmarks", "\rg\x03\x83\x01\x06\x03:\x12"},
+	{"log/slog/internal/buffer", "\xc0\x02"},
+	{"log/syslog", "t\x03\x87\x01\x12\x16\x18\x02\x0f"},
+	{"maps", "\xfd\x01X"},
+	{"math", "\xb5\x01TL"},
+	{"math/big", "\x03q\x03)\x15E\f\x03\x020\x02\x01\x02\x15"},
+	{"math/big/internal/asmgen", "\x03\x01s\x92\x012\x03"},
+	{"math/bits", "\xd5\x02"},
+	{"math/cmplx", "\x86\x02\x03"},
+	{"math/rand", "\xbd\x01I:\x01\x14"},
+	{"math/rand/v2", "t,\x03c\x03L"},
+	{"mime", "\x02\x01i\b\x03\x83\x01\v!\x15\x03\x02\x11\x02"},
+	{"mime/multipart", "\x02\x01N#\x03F=\v\x01\a\x02\x15\x02\x06\x0f\x02\x01\x17"},
+	{"mime/quotedprintable", "\x02\x01t\x83\x01"},
+	{"net", "\x04\tg+\x1e\n\x05\x13\x01\x01\x04\x15\x01%\x06\r\b\x05\x01\x01\r\x06\a"},
+	{"net/http", "\x02\x01\x03\x01\x04\x02D\b\x13\x01\a\x03F=\x01\x03\a\x01\x03\x02\x02\x01\x02\x06\x02\x01\x01\n\x01\x01\x05\x01\x02\x05\b\x01\x01\x01\x02\x01\x0e\x02\x02\x02\b\x01\x01\x01"},
+	{"net/http/cgi", "\x02W\x1b\x03\x83\x01\x04\a\v\x01\x13\x01\x01\x01\x04\x01\x05\x02\b\x02\x01\x11\x0e"},
+	{"net/http/cookiejar", "\x04p\x03\x99\x01\x01\b\a\x05\x16\x03\x02\x0f\x04"},
+	{"net/http/fcgi", "\x02\x01\n`\a\x03\x83\x01\x16\x01\x01\x14\x18\x02\x0f"},
+	{"net/http/httptest", "\x02\x01\nL\x02\x1b\x01\x83\x01\x04\x12\x01\n\t\x02\x17\x01\x02\x0f\x0e"},
+	{"net/http/httptrace", "\rLnI\x14\n!"},
+	{"net/http/httputil", "\x02\x01\ng\x03\x83\x01\x04\x0f\x03\x01\x05\x02\x01\v\x01\x19\x02\x01\x0e\x0e"},
+	{"net/http/internal", "\x02\x01q\x03\x83\x01"},
+	{"net/http/internal/ascii", "\xbe\x02\x13"},
+	{"net/http/internal/httpcommon", "\rg\x03\x9f\x01\x0e\x01\x17\x01\x01\x02\x1d\x02"},
+	{"net/http/internal/testcert", "\xbe\x02"},
+	{"net/http/pprof", "\x02\x01\nj\x19-\x02\x0e-\x04\x13\x14\x01\r\x04\x03\x01\x02\x01\x11"},
+	{"net/internal/cgotest", ""},
+	{"net/internal/socktest", "w\xc9\x01\x02"},
+	{"net/mail", "\x02r\x03\x83\x01\x04\x0f\x03\x14\x1a\x02\x0f\x04"},
+	{"net/netip", "\x04p+\x01f\x034\x17"},
+	{"net/rpc", "\x02m\x05\x03\x10\ni\x04\x12\x01\x1d\r\x03\x02"},
+	{"net/rpc/jsonrpc", "q\x03\x03\x83\x01\x16\x11\x1f"},
+	{"net/smtp", "\x194\f\x13\b\x03\x83\x01\x16\x14\x1a"},
+	{"net/textproto", "\x02\x01q\x03\x83\x01\f\n-\x01\x02\x15"},
+	{"net/url", "t\x03Fc\v\x10\x02\x01\x17"},
+	{"os", "t+\x01\x19\x03\x10\x14\x01\x03\x01\x05\x10\x018\b\x05\x01\x01\r\x06"},
+	{"os/exec", "\x03\ngI'\x01\x15\x01+\x06\a\n\x01\x04\r"},
+	{"os/exec/internal/fdtest", "\xc2\x02"},
+	{"os/signal", "\r\x99\x02\x15\x05\x02"},
+	{"os/user", "\x02\x01q\x03\x83\x01,\r\n\x01\x02"},
+	{"path", "t+\xb4\x01"},
+	{"path/filepath", "t+\x1aB+\r\b\x03\x04\x11"},
+	{"plugin", "t"},
+	{"reflect", "t'\x04\x1d\x13\b\x04\x05\x17\x06\t-\n\x03\x11\x02\x02"},
+	{"reflect/internal/example1", ""},
+	{"reflect/internal/example2", ""},
+	{"regexp", "\x03\xf7\x018\t\x02\x01\x02\x11\x02"},
+	{"regexp/syntax", "\xbb\x02\x01\x01\x01\x02\x11\x02"},
+	{"runtime", "\x9b\x01\x04\x01\x03\f\x06\a\x02\x01\x01\x0e\x03\x01\x01\x01\x02\x01\x01\x01\x02\x01\x04\x01\x10\x18L"},
+	{"runtime/coverage", "\xa7\x01S"},
+	{"runtime/debug", "wUZ\r\b\x02\x01\x11\x06"},
+	{"runtime/metrics", "\xbe\x01H-\""},
+	{"runtime/pprof", "\x02\x01\x01\x03\x06`\a\x03$$\x0f\v!\f \r\b\x01\x01\x01\x02\x02\n\x03\x06"},
+	{"runtime/race", "\xb9\x02"},
+	{"runtime/race/internal/amd64v1", ""},
+	{"runtime/trace", "\rg\x03z\t9\b\x05\x01\x0e\x06"},
+	{"slices", "\x04\xf9\x01\fL"},
+	{"sort", "\xd0\x0192"},
+	{"strconv", "t+A\x01r"},
+	{"strings", "t'\x04B\x19\x03\f7\x11\x02\x02"},
+	{"structs", ""},
+	{"sync", "\xcf\x01\x13\x01P\x0e\x14"},
+	{"sync/atomic", "\xd5\x02"},
+	{"syscall", "t(\x03\x01\x1c\n\x03\x06\r\x04S\b\x05\x01\x14"},
+	{"testing", "\x03\ng\x02\x01X\x17\x14\f\x05\x1b\x06\x02\x05\x02\x05\x01\x02\x01\x02\x01\x0e\x02\x04"},
+	{"testing/cryptotest", "QOZ\x124\x03\x12"},
+	{"testing/fstest", "t\x03\x83\x01\x01\n&\x10\x03\t\b"},
+	{"testing/internal/testdeps", "\x02\v\xae\x01/\x10,\x03\x05\x03\x06\a\x02\x0f"},
+	{"testing/iotest", "\x03q\x03\x83\x01\x04"},
+	{"testing/quick", "v\x01\x8f\x01\x05#\x10\x11"},
+	{"testing/slogtest", "\rg\x03\x89\x01.\x05\x10\f"},
+	{"testing/synctest", "\xe3\x01`\x12"},
+	{"text/scanner", "\x03t\x83\x01,+\x02"},
+	{"text/tabwriter", "w\x83\x01Y"},
+	{"text/template", "t\x03C@\x01\n \x01\x05\x01\x02\x05\v\x02\x0e\x03\x02"},
+	{"text/template/parse", "\x03t\xbc\x01\n\x01\x13\x02"},
+	{"time", "t+\x1e$(*\r\x02\x13"},
+	{"time/tzdata", "t\xce\x01\x13"},
+	{"unicode", ""},
+	{"unicode/utf16", ""},
+	{"unicode/utf8", ""},
+	{"unique", "\x9b\x01!%\x01Q\r\x01\x14\x12"},
+	{"unsafe", ""},
+	{"vendor/golang.org/x/crypto/chacha20", "\x10]\a\x95\x01*'"},
+	{"vendor/golang.org/x/crypto/chacha20poly1305", "\x10\aV\a\xe2\x01\x04\x01\a"},
+	{"vendor/golang.org/x/crypto/cryptobyte", "j\n\x03\x90\x01'!\n"},
+	{"vendor/golang.org/x/crypto/cryptobyte/asn1", ""},
+	{"vendor/golang.org/x/crypto/internal/alias", "\xd5\x02"},
+	{"vendor/golang.org/x/crypto/internal/poly1305", "X\x15\x9c\x01"},
+	{"vendor/golang.org/x/net/dns/dnsmessage", "t\xc7\x01"},
+	{"vendor/golang.org/x/net/http/httpguts", "\x90\x02\x14\x1a\x15\r"},
+	{"vendor/golang.org/x/net/http/httpproxy", "t\x03\x99\x01\x10\x05\x01\x18\x15\r"},
+	{"vendor/golang.org/x/net/http2/hpack", "\x03q\x03\x83\x01F"},
+	{"vendor/golang.org/x/net/idna", "w\x8f\x018\x15\x10\x02\x01"},
+	{"vendor/golang.org/x/net/nettest", "\x03j\a\x03\x83\x01\x11\x05\x16\x01\f\n\x01\x02\x02\x01\f"},
+	{"vendor/golang.org/x/sys/cpu", "\xa6\x02\r\n\x01\x17"},
+	{"vendor/golang.org/x/text/secure/bidirule", "t\xdf\x01\x11\x01"},
+	{"vendor/golang.org/x/text/transform", "\x03q\x86\x01Y"},
+	{"vendor/golang.org/x/text/unicode/bidi", "\x03\bl\x87\x01>\x17"},
+	{"vendor/golang.org/x/text/unicode/norm", "m\n\x83\x01F\x13\x11"},
+	{"weak", "\x9b\x01\x98\x01\""},
+}
+
+// bootstrap is the list of bootstrap packages extracted from cmd/dist.
+var bootstrap = map[string]bool{
+	"cmp":                                     true,
+	"cmd/asm":                                 true,
+	"cmd/asm/internal/arch":                   true,
+	"cmd/asm/internal/asm":                    true,
+	"cmd/asm/internal/flags":                  true,
+	"cmd/asm/internal/lex":                    true,
+	"cmd/cgo":                                 true,
+	"cmd/compile":                             true,
+	"cmd/compile/internal/abi":                true,
+	"cmd/compile/internal/abt":                true,
+	"cmd/compile/internal/amd64":              true,
+	"cmd/compile/internal/arm":                true,
+	"cmd/compile/internal/arm64":              true,
+	"cmd/compile/internal/base":               true,
+	"cmd/compile/internal/bitvec":             true,
+	"cmd/compile/internal/bloop":              true,
+	"cmd/compile/internal/compare":            true,
+	"cmd/compile/internal/coverage":           true,
+	"cmd/compile/internal/deadlocals":         true,
+	"cmd/compile/internal/devirtualize":       true,
+	"cmd/compile/internal/dwarfgen":           true,
+	"cmd/compile/internal/escape":             true,
+	"cmd/compile/internal/gc":                 true,
+	"cmd/compile/internal/importer":           true,
+	"cmd/compile/internal/inline":             true,
+	"cmd/compile/internal/inline/inlheur":     true,
+	"cmd/compile/internal/inline/interleaved": true,
+	"cmd/compile/internal/ir":                 true,
+	"cmd/compile/internal/liveness":           true,
+	"cmd/compile/internal/logopt":             true,
+	"cmd/compile/internal/loong64":            true,
+	"cmd/compile/internal/loopvar":            true,
+	"cmd/compile/internal/mips":               true,
+	"cmd/compile/internal/mips64":             true,
+	"cmd/compile/internal/noder":              true,
+	"cmd/compile/internal/objw":               true,
+	"cmd/compile/internal/pgoir":              true,
+	"cmd/compile/internal/pkginit":            true,
+	"cmd/compile/internal/ppc64":              true,
+	"cmd/compile/internal/rangefunc":          true,
+	"cmd/compile/internal/reflectdata":        true,
+	"cmd/compile/internal/riscv64":            true,
+	"cmd/compile/internal/rttype":             true,
+	"cmd/compile/internal/s390x":              true,
+	"cmd/compile/internal/slice":              true,
+	"cmd/compile/internal/ssa":                true,
+	"cmd/compile/internal/ssagen":             true,
+	"cmd/compile/internal/staticdata":         true,
+	"cmd/compile/internal/staticinit":         true,
+	"cmd/compile/internal/syntax":             true,
+	"cmd/compile/internal/test":               true,
+	"cmd/compile/internal/typebits":           true,
+	"cmd/compile/internal/typecheck":          true,
+	"cmd/compile/internal/types":              true,
+	"cmd/compile/internal/types2":             true,
+	"cmd/compile/internal/walk":               true,
+	"cmd/compile/internal/wasm":               true,
+	"cmd/compile/internal/x86":                true,
+	"cmd/internal/archive":                    true,
+	"cmd/internal/bio":                        true,
+	"cmd/internal/codesign":                   true,
+	"cmd/internal/dwarf":                      true,
+	"cmd/internal/edit":                       true,
+	"cmd/internal/gcprog":                     true,
+	"cmd/internal/goobj":                      true,
+	"cmd/internal/hash":                       true,
+	"cmd/internal/macho":                      true,
+	"cmd/internal/obj":                        true,
+	"cmd/internal/obj/arm":                    true,
+	"cmd/internal/obj/arm64":                  true,
+	"cmd/internal/obj/loong64":                true,
+	"cmd/internal/obj/mips":                   true,
+	"cmd/internal/obj/ppc64":                  true,
+	"cmd/internal/obj/riscv":                  true,
+	"cmd/internal/obj/s390x":                  true,
+	"cmd/internal/obj/wasm":                   true,
+	"cmd/internal/obj/x86":                    true,
+	"cmd/internal/objabi":                     true,
+	"cmd/internal/par":                        true,
+	"cmd/internal/pgo":                        true,
+	"cmd/internal/pkgpath":                    true,
+	"cmd/internal/quoted":                     true,
+	"cmd/internal/src":                        true,
+	"cmd/internal/sys":                        true,
+	"cmd/internal/telemetry":                  true,
+	"cmd/internal/telemetry/counter":          true,
+	"cmd/link":                                true,
+	"cmd/link/internal/amd64":                 true,
+	"cmd/link/internal/arm":                   true,
+	"cmd/link/internal/arm64":                 true,
+	"cmd/link/internal/benchmark":             true,
+	"cmd/link/internal/dwtest":                true,
+	"cmd/link/internal/ld":                    true,
+	"cmd/link/internal/loadelf":               true,
+	"cmd/link/internal/loader":                true,
+	"cmd/link/internal/loadmacho":             true,
+	"cmd/link/internal/loadpe":                true,
+	"cmd/link/internal/loadxcoff":             true,
+	"cmd/link/internal/loong64":               true,
+	"cmd/link/internal/mips":                  true,
+	"cmd/link/internal/mips64":                true,
+	"cmd/link/internal/ppc64":                 true,
+	"cmd/link/internal/riscv64":               true,
+	"cmd/link/internal/s390x":                 true,
+	"cmd/link/internal/sym":                   true,
+	"cmd/link/internal/wasm":                  true,
+	"cmd/link/internal/x86":                   true,
+	"compress/flate":                          true,
+	"compress/zlib":                           true,
+	"container/heap":                          true,
+	"debug/dwarf":                             true,
+	"debug/elf":                               true,
+	"debug/macho":                             true,
+	"debug/pe":                                true,
+	"go/build/constraint":                     true,
+	"go/constant":                             true,
+	"go/version":                              true,
+	"internal/abi":                            true,
+	"internal/coverage":                       true,
+	"cmd/internal/cov/covcmd":                 true,
+	"internal/bisect":                         true,
+	"internal/buildcfg":                       true,
+	"internal/exportdata":                     true,
+	"internal/goarch":                         true,
+	"internal/godebugs":                       true,
+	"internal/goexperiment":                   true,
+	"internal/goroot":                         true,
+	"internal/gover":                          true,
+	"internal/goversion":                      true,
+	"internal/lazyregexp":                     true,
+	"internal/pkgbits":                        true,
+	"internal/platform":                       true,
+	"internal/profile":                        true,
+	"internal/race":                           true,
+	"internal/runtime/gc":                     true,
+	"internal/saferio":                        true,
+	"internal/syscall/unix":                   true,
+	"internal/types/errors":                   true,
+	"internal/unsafeheader":                   true,
+	"internal/xcoff":                          true,
+	"internal/zstd":                           true,
+	"math/bits":                               true,
+	"sort":                                    true,
+}
+
+// BootstrapVersion is the minor version of Go used during toolchain
+// bootstrapping. Packages for which [IsBootstrapPackage] must not use
+// features of Go newer than this version.
+const BootstrapVersion = Version(24) // go1.24.6
diff --git a/vendor/golang.org/x/tools/internal/stdlib/import.go b/vendor/golang.org/x/tools/internal/stdlib/import.go
new file mode 100644
index 0000000000..8ecc672b8b
--- /dev/null
+++ b/vendor/golang.org/x/tools/internal/stdlib/import.go
@@ -0,0 +1,97 @@
+// Copyright 2025 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package stdlib
+
+// This file provides the API for the import graph of the standard library.
+//
+// Be aware that the compiler-generated code for every package
+// implicitly depends on package "runtime" and a handful of others
+// (see runtimePkgs in GOROOT/src/cmd/internal/objabi/pkgspecial.go).
+
+import (
+	"encoding/binary"
+	"iter"
+	"slices"
+	"strings"
+)
+
+// Imports returns the sequence of packages directly imported by the
+// named standard packages, in name order.
+// The imports of an unknown package are the empty set.
+//
+// The graph is built into the application and may differ from the
+// graph in the Go source tree being analyzed by the application.
+func Imports(pkgs ...string) iter.Seq[string] {
+	return func(yield func(string) bool) {
+		for _, pkg := range pkgs {
+			if i, ok := find(pkg); ok {
+				var depIndex uint64
+				for data := []byte(deps[i].deps); len(data) > 0; {
+					delta, n := binary.Uvarint(data)
+					depIndex += delta
+					if !yield(deps[depIndex].name) {
+						return
+					}
+					data = data[n:]
+				}
+			}
+		}
+	}
+}
+
+// Dependencies returns the set of all dependencies of the named
+// standard packages, including the initial package,
+// in a deterministic topological order.
+// The dependencies of an unknown package are the empty set.
+//
+// The graph is built into the application and may differ from the
+// graph in the Go source tree being analyzed by the application.
+func Dependencies(pkgs ...string) iter.Seq[string] {
+	return func(yield func(string) bool) {
+		for _, pkg := range pkgs {
+			if i, ok := find(pkg); ok {
+				var seen [1 + len(deps)/8]byte // bit set of seen packages
+				var visit func(i int) bool
+				visit = func(i int) bool {
+					bit := byte(1) << (i % 8)
+					if seen[i/8]&bit == 0 {
+						seen[i/8] |= bit
+						var depIndex uint64
+						for data := []byte(deps[i].deps); len(data) > 0; {
+							delta, n := binary.Uvarint(data)
+							depIndex += delta
+							if !visit(int(depIndex)) {
+								return false
+							}
+							data = data[n:]
+						}
+						if !yield(deps[i].name) {
+							return false
+						}
+					}
+					return true
+				}
+				if !visit(i) {
+					return
+				}
+			}
+		}
+	}
+}
+
+// find returns the index of pkg in the deps table.
+func find(pkg string) (int, bool) {
+	return slices.BinarySearchFunc(deps[:], pkg, func(p pkginfo, n string) int {
+		return strings.Compare(p.name, n)
+	})
+}
+
+// IsBootstrapPackage reports whether pkg is one of the low-level
+// packages in the Go distribution that must compile with the older
+// language version specified by [BootstrapVersion] during toolchain
+// bootstrapping; see golang.org/s/go15bootstrap.
+func IsBootstrapPackage(pkg string) bool {
+	return bootstrap[pkg]
+}
diff --git a/vendor/golang.org/x/tools/internal/stdlib/manifest.go b/vendor/golang.org/x/tools/internal/stdlib/manifest.go
new file mode 100644
index 0000000000..33e4f505f3
--- /dev/null
+++ b/vendor/golang.org/x/tools/internal/stdlib/manifest.go
@@ -0,0 +1,18328 @@
+// Copyright 2025 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Code generated by generate.go. DO NOT EDIT.
+
+package stdlib
+
+var PackageSymbols = map[string][]Symbol{
+	"archive/tar": {
+		{"(*Header).FileInfo", Method, 1, ""},
+		{"(*Reader).Next", Method, 0, ""},
+		{"(*Reader).Read", Method, 0, ""},
+		{"(*Writer).AddFS", Method, 22, ""},
+		{"(*Writer).Close", Method, 0, ""},
+		{"(*Writer).Flush", Method, 0, ""},
+		{"(*Writer).Write", Method, 0, ""},
+		{"(*Writer).WriteHeader", Method, 0, ""},
+		{"(FileInfoNames).Gname", Method, 23, ""},
+		{"(FileInfoNames).IsDir", Method, 23, ""},
+		{"(FileInfoNames).ModTime", Method, 23, ""},
+		{"(FileInfoNames).Mode", Method, 23, ""},
+		{"(FileInfoNames).Name", Method, 23, ""},
+		{"(FileInfoNames).Size", Method, 23, ""},
+		{"(FileInfoNames).Sys", Method, 23, ""},
+		{"(FileInfoNames).Uname", Method, 23, ""},
+		{"(Format).String", Method, 10, ""},
+		{"ErrFieldTooLong", Var, 0, ""},
+		{"ErrHeader", Var, 0, ""},
+		{"ErrInsecurePath", Var, 20, ""},
+		{"ErrWriteAfterClose", Var, 0, ""},
+		{"ErrWriteTooLong", Var, 0, ""},
+		{"FileInfoHeader", Func, 1, "func(fi fs.FileInfo, link string) (*Header, error)"},
+		{"FileInfoNames", Type, 23, ""},
+		{"Format", Type, 10, ""},
+		{"FormatGNU", Const, 10, ""},
+		{"FormatPAX", Const, 10, ""},
+		{"FormatUSTAR", Const, 10, ""},
+		{"FormatUnknown", Const, 10, ""},
+		{"Header", Type, 0, ""},
+		{"Header.AccessTime", Field, 0, ""},
+		{"Header.ChangeTime", Field, 0, ""},
+		{"Header.Devmajor", Field, 0, ""},
+		{"Header.Devminor", Field, 0, ""},
+		{"Header.Format", Field, 10, ""},
+		{"Header.Gid", Field, 0, ""},
+		{"Header.Gname", Field, 0, ""},
+		{"Header.Linkname", Field, 0, ""},
+		{"Header.ModTime", Field, 0, ""},
+		{"Header.Mode", Field, 0, ""},
+		{"Header.Name", Field, 0, ""},
+		{"Header.PAXRecords", Field, 10, ""},
+		{"Header.Size", Field, 0, ""},
+		{"Header.Typeflag", Field, 0, ""},
+		{"Header.Uid", Field, 0, ""},
+		{"Header.Uname", Field, 0, ""},
+		{"Header.Xattrs", Field, 3, ""},
+		{"NewReader", Func, 0, "func(r io.Reader) *Reader"},
+		{"NewWriter", Func, 0, "func(w io.Writer) *Writer"},
+		{"Reader", Type, 0, ""},
+		{"TypeBlock", Const, 0, ""},
+		{"TypeChar", Const, 0, ""},
+		{"TypeCont", Const, 0, ""},
+		{"TypeDir", Const, 0, ""},
+		{"TypeFifo", Const, 0, ""},
+		{"TypeGNULongLink", Const, 1, ""},
+		{"TypeGNULongName", Const, 1, ""},
+		{"TypeGNUSparse", Const, 3, ""},
+		{"TypeLink", Const, 0, ""},
+		{"TypeReg", Const, 0, ""},
+		{"TypeRegA", Const, 0, ""},
+		{"TypeSymlink", Const, 0, ""},
+		{"TypeXGlobalHeader", Const, 0, ""},
+		{"TypeXHeader", Const, 0, ""},
+		{"Writer", Type, 0, ""},
+	},
+	"archive/zip": {
+		{"(*File).DataOffset", Method, 2, ""},
+		{"(*File).FileInfo", Method, 0, ""},
+		{"(*File).ModTime", Method, 0, ""},
+		{"(*File).Mode", Method, 0, ""},
+		{"(*File).Open", Method, 0, ""},
+		{"(*File).OpenRaw", Method, 17, ""},
+		{"(*File).SetModTime", Method, 0, ""},
+		{"(*File).SetMode", Method, 0, ""},
+		{"(*FileHeader).FileInfo", Method, 0, ""},
+		{"(*FileHeader).ModTime", Method, 0, ""},
+		{"(*FileHeader).Mode", Method, 0, ""},
+		{"(*FileHeader).SetModTime", Method, 0, ""},
+		{"(*FileHeader).SetMode", Method, 0, ""},
+		{"(*ReadCloser).Close", Method, 0, ""},
+		{"(*ReadCloser).Open", Method, 16, ""},
+		{"(*ReadCloser).RegisterDecompressor", Method, 6, ""},
+		{"(*Reader).Open", Method, 16, ""},
+		{"(*Reader).RegisterDecompressor", Method, 6, ""},
+		{"(*Writer).AddFS", Method, 22, ""},
+		{"(*Writer).Close", Method, 0, ""},
+		{"(*Writer).Copy", Method, 17, ""},
+		{"(*Writer).Create", Method, 0, ""},
+		{"(*Writer).CreateHeader", Method, 0, ""},
+		{"(*Writer).CreateRaw", Method, 17, ""},
+		{"(*Writer).Flush", Method, 4, ""},
+		{"(*Writer).RegisterCompressor", Method, 6, ""},
+		{"(*Writer).SetComment", Method, 10, ""},
+		{"(*Writer).SetOffset", Method, 5, ""},
+		{"Compressor", Type, 2, ""},
+		{"Decompressor", Type, 2, ""},
+		{"Deflate", Const, 0, ""},
+		{"ErrAlgorithm", Var, 0, ""},
+		{"ErrChecksum", Var, 0, ""},
+		{"ErrFormat", Var, 0, ""},
+		{"ErrInsecurePath", Var, 20, ""},
+		{"File", Type, 0, ""},
+		{"File.FileHeader", Field, 0, ""},
+		{"FileHeader", Type, 0, ""},
+		{"FileHeader.CRC32", Field, 0, ""},
+		{"FileHeader.Comment", Field, 0, ""},
+		{"FileHeader.CompressedSize", Field, 0, ""},
+		{"FileHeader.CompressedSize64", Field, 1, ""},
+		{"FileHeader.CreatorVersion", Field, 0, ""},
+		{"FileHeader.ExternalAttrs", Field, 0, ""},
+		{"FileHeader.Extra", Field, 0, ""},
+		{"FileHeader.Flags", Field, 0, ""},
+		{"FileHeader.Method", Field, 0, ""},
+		{"FileHeader.Modified", Field, 10, ""},
+		{"FileHeader.ModifiedDate", Field, 0, ""},
+		{"FileHeader.ModifiedTime", Field, 0, ""},
+		{"FileHeader.Name", Field, 0, ""},
+		{"FileHeader.NonUTF8", Field, 10, ""},
+		{"FileHeader.ReaderVersion", Field, 0, ""},
+		{"FileHeader.UncompressedSize", Field, 0, ""},
+		{"FileHeader.UncompressedSize64", Field, 1, ""},
+		{"FileInfoHeader", Func, 0, "func(fi fs.FileInfo) (*FileHeader, error)"},
+		{"NewReader", Func, 0, "func(r io.ReaderAt, size int64) (*Reader, error)"},
+		{"NewWriter", Func, 0, "func(w io.Writer) *Writer"},
+		{"OpenReader", Func, 0, "func(name string) (*ReadCloser, error)"},
+		{"ReadCloser", Type, 0, ""},
+		{"ReadCloser.Reader", Field, 0, ""},
+		{"Reader", Type, 0, ""},
+		{"Reader.Comment", Field, 0, ""},
+		{"Reader.File", Field, 0, ""},
+		{"RegisterCompressor", Func, 2, "func(method uint16, comp Compressor)"},
+		{"RegisterDecompressor", Func, 2, "func(method uint16, dcomp Decompressor)"},
+		{"Store", Const, 0, ""},
+		{"Writer", Type, 0, ""},
+	},
+	"bufio": {
+		{"(*Reader).Buffered", Method, 0, ""},
+		{"(*Reader).Discard", Method, 5, ""},
+		{"(*Reader).Peek", Method, 0, ""},
+		{"(*Reader).Read", Method, 0, ""},
+		{"(*Reader).ReadByte", Method, 0, ""},
+		{"(*Reader).ReadBytes", Method, 0, ""},
+		{"(*Reader).ReadLine", Method, 0, ""},
+		{"(*Reader).ReadRune", Method, 0, ""},
+		{"(*Reader).ReadSlice", Method, 0, ""},
+		{"(*Reader).ReadString", Method, 0, ""},
+		{"(*Reader).Reset", Method, 2, ""},
+		{"(*Reader).Size", Method, 10, ""},
+		{"(*Reader).UnreadByte", Method, 0, ""},
+		{"(*Reader).UnreadRune", Method, 0, ""},
+		{"(*Reader).WriteTo", Method, 1, ""},
+		{"(*Scanner).Buffer", Method, 6, ""},
+		{"(*Scanner).Bytes", Method, 1, ""},
+		{"(*Scanner).Err", Method, 1, ""},
+		{"(*Scanner).Scan", Method, 1, ""},
+		{"(*Scanner).Split", Method, 1, ""},
+		{"(*Scanner).Text", Method, 1, ""},
+		{"(*Writer).Available", Method, 0, ""},
+		{"(*Writer).AvailableBuffer", Method, 18, ""},
+		{"(*Writer).Buffered", Method, 0, ""},
+		{"(*Writer).Flush", Method, 0, ""},
+		{"(*Writer).ReadFrom", Method, 1, ""},
+		{"(*Writer).Reset", Method, 2, ""},
+		{"(*Writer).Size", Method, 10, ""},
+		{"(*Writer).Write", Method, 0, ""},
+		{"(*Writer).WriteByte", Method, 0, ""},
+		{"(*Writer).WriteRune", Method, 0, ""},
+		{"(*Writer).WriteString", Method, 0, ""},
+		{"(ReadWriter).Available", Method, 0, ""},
+		{"(ReadWriter).AvailableBuffer", Method, 18, ""},
+		{"(ReadWriter).Discard", Method, 5, ""},
+		{"(ReadWriter).Flush", Method, 0, ""},
+		{"(ReadWriter).Peek", Method, 0, ""},
+		{"(ReadWriter).Read", Method, 0, ""},
+		{"(ReadWriter).ReadByte", Method, 0, ""},
+		{"(ReadWriter).ReadBytes", Method, 0, ""},
+		{"(ReadWriter).ReadFrom", Method, 1, ""},
+		{"(ReadWriter).ReadLine", Method, 0, ""},
+		{"(ReadWriter).ReadRune", Method, 0, ""},
+		{"(ReadWriter).ReadSlice", Method, 0, ""},
+		{"(ReadWriter).ReadString", Method, 0, ""},
+		{"(ReadWriter).UnreadByte", Method, 0, ""},
+		{"(ReadWriter).UnreadRune", Method, 0, ""},
+		{"(ReadWriter).Write", Method, 0, ""},
+		{"(ReadWriter).WriteByte", Method, 0, ""},
+		{"(ReadWriter).WriteRune", Method, 0, ""},
+		{"(ReadWriter).WriteString", Method, 0, ""},
+		{"(ReadWriter).WriteTo", Method, 1, ""},
+		{"ErrAdvanceTooFar", Var, 1, ""},
+		{"ErrBadReadCount", Var, 15, ""},
+		{"ErrBufferFull", Var, 0, ""},
+		{"ErrFinalToken", Var, 6, ""},
+		{"ErrInvalidUnreadByte", Var, 0, ""},
+		{"ErrInvalidUnreadRune", Var, 0, ""},
+		{"ErrNegativeAdvance", Var, 1, ""},
+		{"ErrNegativeCount", Var, 0, ""},
+		{"ErrTooLong", Var, 1, ""},
+		{"MaxScanTokenSize", Const, 1, ""},
+		{"NewReadWriter", Func, 0, "func(r *Reader, w *Writer) *ReadWriter"},
+		{"NewReader", Func, 0, "func(rd io.Reader) *Reader"},
+		{"NewReaderSize", Func, 0, "func(rd io.Reader, size int) *Reader"},
+		{"NewScanner", Func, 1, "func(r io.Reader) *Scanner"},
+		{"NewWriter", Func, 0, "func(w io.Writer) *Writer"},
+		{"NewWriterSize", Func, 0, "func(w io.Writer, size int) *Writer"},
+		{"ReadWriter", Type, 0, ""},
+		{"ReadWriter.Reader", Field, 0, ""},
+		{"ReadWriter.Writer", Field, 0, ""},
+		{"Reader", Type, 0, ""},
+		{"ScanBytes", Func, 1, "func(data []byte, atEOF bool) (advance int, token []byte, err error)"},
+		{"ScanLines", Func, 1, "func(data []byte, atEOF bool) (advance int, token []byte, err error)"},
+		{"ScanRunes", Func, 1, "func(data []byte, atEOF bool) (advance int, token []byte, err error)"},
+		{"ScanWords", Func, 1, "func(data []byte, atEOF bool) (advance int, token []byte, err error)"},
+		{"Scanner", Type, 1, ""},
+		{"SplitFunc", Type, 1, ""},
+		{"Writer", Type, 0, ""},
+	},
+	"bytes": {
+		{"(*Buffer).Available", Method, 21, ""},
+		{"(*Buffer).AvailableBuffer", Method, 21, ""},
+		{"(*Buffer).Bytes", Method, 0, ""},
+		{"(*Buffer).Cap", Method, 5, ""},
+		{"(*Buffer).Grow", Method, 1, ""},
+		{"(*Buffer).Len", Method, 0, ""},
+		{"(*Buffer).Next", Method, 0, ""},
+		{"(*Buffer).Peek", Method, 26, ""},
+		{"(*Buffer).Read", Method, 0, ""},
+		{"(*Buffer).ReadByte", Method, 0, ""},
+		{"(*Buffer).ReadBytes", Method, 0, ""},
+		{"(*Buffer).ReadFrom", Method, 0, ""},
+		{"(*Buffer).ReadRune", Method, 0, ""},
+		{"(*Buffer).ReadString", Method, 0, ""},
+		{"(*Buffer).Reset", Method, 0, ""},
+		{"(*Buffer).String", Method, 0, ""},
+		{"(*Buffer).Truncate", Method, 0, ""},
+		{"(*Buffer).UnreadByte", Method, 0, ""},
+		{"(*Buffer).UnreadRune", Method, 0, ""},
+		{"(*Buffer).Write", Method, 0, ""},
+		{"(*Buffer).WriteByte", Method, 0, ""},
+		{"(*Buffer).WriteRune", Method, 0, ""},
+		{"(*Buffer).WriteString", Method, 0, ""},
+		{"(*Buffer).WriteTo", Method, 0, ""},
+		{"(*Reader).Len", Method, 0, ""},
+		{"(*Reader).Read", Method, 0, ""},
+		{"(*Reader).ReadAt", Method, 0, ""},
+		{"(*Reader).ReadByte", Method, 0, ""},
+		{"(*Reader).ReadRune", Method, 0, ""},
+		{"(*Reader).Reset", Method, 7, ""},
+		{"(*Reader).Seek", Method, 0, ""},
+		{"(*Reader).Size", Method, 5, ""},
+		{"(*Reader).UnreadByte", Method, 0, ""},
+		{"(*Reader).UnreadRune", Method, 0, ""},
+		{"(*Reader).WriteTo", Method, 1, ""},
+		{"Buffer", Type, 0, ""},
+		{"Clone", Func, 20, "func(b []byte) []byte"},
+		{"Compare", Func, 0, "func(a []byte, b []byte) int"},
+		{"Contains", Func, 0, "func(b []byte, subslice []byte) bool"},
+		{"ContainsAny", Func, 7, "func(b []byte, chars string) bool"},
+		{"ContainsFunc", Func, 21, "func(b []byte, f func(rune) bool) bool"},
+		{"ContainsRune", Func, 7, "func(b []byte, r rune) bool"},
+		{"Count", Func, 0, "func(s []byte, sep []byte) int"},
+		{"Cut", Func, 18, "func(s []byte, sep []byte) (before []byte, after []byte, found bool)"},
+		{"CutPrefix", Func, 20, "func(s []byte, prefix []byte) (after []byte, found bool)"},
+		{"CutSuffix", Func, 20, "func(s []byte, suffix []byte) (before []byte, found bool)"},
+		{"Equal", Func, 0, "func(a []byte, b []byte) bool"},
+		{"EqualFold", Func, 0, "func(s []byte, t []byte) bool"},
+		{"ErrTooLarge", Var, 0, ""},
+		{"Fields", Func, 0, "func(s []byte) [][]byte"},
+		{"FieldsFunc", Func, 0, "func(s []byte, f func(rune) bool) [][]byte"},
+		{"FieldsFuncSeq", Func, 24, "func(s []byte, f func(rune) bool) iter.Seq[[]byte]"},
+		{"FieldsSeq", Func, 24, "func(s []byte) iter.Seq[[]byte]"},
+		{"HasPrefix", Func, 0, "func(s []byte, prefix []byte) bool"},
+		{"HasSuffix", Func, 0, "func(s []byte, suffix []byte) bool"},
+		{"Index", Func, 0, "func(s []byte, sep []byte) int"},
+		{"IndexAny", Func, 0, "func(s []byte, chars string) int"},
+		{"IndexByte", Func, 0, "func(b []byte, c byte) int"},
+		{"IndexFunc", Func, 0, "func(s []byte, f func(r rune) bool) int"},
+		{"IndexRune", Func, 0, "func(s []byte, r rune) int"},
+		{"Join", Func, 0, "func(s [][]byte, sep []byte) []byte"},
+		{"LastIndex", Func, 0, "func(s []byte, sep []byte) int"},
+		{"LastIndexAny", Func, 0, "func(s []byte, chars string) int"},
+		{"LastIndexByte", Func, 5, "func(s []byte, c byte) int"},
+		{"LastIndexFunc", Func, 0, "func(s []byte, f func(r rune) bool) int"},
+		{"Lines", Func, 24, "func(s []byte) iter.Seq[[]byte]"},
+		{"Map", Func, 0, "func(mapping func(r rune) rune, s []byte) []byte"},
+		{"MinRead", Const, 0, ""},
+		{"NewBuffer", Func, 0, "func(buf []byte) *Buffer"},
+		{"NewBufferString", Func, 0, "func(s string) *Buffer"},
+		{"NewReader", Func, 0, "func(b []byte) *Reader"},
+		{"Reader", Type, 0, ""},
+		{"Repeat", Func, 0, "func(b []byte, count int) []byte"},
+		{"Replace", Func, 0, "func(s []byte, old []byte, new []byte, n int) []byte"},
+		{"ReplaceAll", Func, 12, "func(s []byte, old []byte, new []byte) []byte"},
+		{"Runes", Func, 0, "func(s []byte) []rune"},
+		{"Split", Func, 0, "func(s []byte, sep []byte) [][]byte"},
+		{"SplitAfter", Func, 0, "func(s []byte, sep []byte) [][]byte"},
+		{"SplitAfterN", Func, 0, "func(s []byte, sep []byte, n int) [][]byte"},
+		{"SplitAfterSeq", Func, 24, "func(s []byte, sep []byte) iter.Seq[[]byte]"},
+		{"SplitN", Func, 0, "func(s []byte, sep []byte, n int) [][]byte"},
+		{"SplitSeq", Func, 24, "func(s []byte, sep []byte) iter.Seq[[]byte]"},
+		{"Title", Func, 0, "func(s []byte) []byte"},
+		{"ToLower", Func, 0, "func(s []byte) []byte"},
+		{"ToLowerSpecial", Func, 0, "func(c unicode.SpecialCase, s []byte) []byte"},
+		{"ToTitle", Func, 0, "func(s []byte) []byte"},
+		{"ToTitleSpecial", Func, 0, "func(c unicode.SpecialCase, s []byte) []byte"},
+		{"ToUpper", Func, 0, "func(s []byte) []byte"},
+		{"ToUpperSpecial", Func, 0, "func(c unicode.SpecialCase, s []byte) []byte"},
+		{"ToValidUTF8", Func, 13, "func(s []byte, replacement []byte) []byte"},
+		{"Trim", Func, 0, "func(s []byte, cutset string) []byte"},
+		{"TrimFunc", Func, 0, "func(s []byte, f func(r rune) bool) []byte"},
+		{"TrimLeft", Func, 0, "func(s []byte, cutset string) []byte"},
+		{"TrimLeftFunc", Func, 0, "func(s []byte, f func(r rune) bool) []byte"},
+		{"TrimPrefix", Func, 1, "func(s []byte, prefix []byte) []byte"},
+		{"TrimRight", Func, 0, "func(s []byte, cutset string) []byte"},
+		{"TrimRightFunc", Func, 0, "func(s []byte, f func(r rune) bool) []byte"},
+		{"TrimSpace", Func, 0, "func(s []byte) []byte"},
+		{"TrimSuffix", Func, 1, "func(s []byte, suffix []byte) []byte"},
+	},
+	"cmp": {
+		{"Compare", Func, 21, "func[T Ordered](x T, y T) int"},
+		{"Less", Func, 21, "func[T Ordered](x T, y T) bool"},
+		{"Or", Func, 22, "func[T comparable](vals ...T) T"},
+		{"Ordered", Type, 21, ""},
+	},
+	"compress/bzip2": {
+		{"(StructuralError).Error", Method, 0, ""},
+		{"NewReader", Func, 0, "func(r io.Reader) io.Reader"},
+		{"StructuralError", Type, 0, ""},
+	},
+	"compress/flate": {
+		{"(*ReadError).Error", Method, 0, ""},
+		{"(*WriteError).Error", Method, 0, ""},
+		{"(*Writer).Close", Method, 0, ""},
+		{"(*Writer).Flush", Method, 0, ""},
+		{"(*Writer).Reset", Method, 2, ""},
+		{"(*Writer).Write", Method, 0, ""},
+		{"(CorruptInputError).Error", Method, 0, ""},
+		{"(InternalError).Error", Method, 0, ""},
+		{"(Reader).Read", Method, 0, ""},
+		{"(Reader).ReadByte", Method, 0, ""},
+		{"(Resetter).Reset", Method, 4, ""},
+		{"BestCompression", Const, 0, ""},
+		{"BestSpeed", Const, 0, ""},
+		{"CorruptInputError", Type, 0, ""},
+		{"DefaultCompression", Const, 0, ""},
+		{"HuffmanOnly", Const, 7, ""},
+		{"InternalError", Type, 0, ""},
+		{"NewReader", Func, 0, "func(r io.Reader) io.ReadCloser"},
+		{"NewReaderDict", Func, 0, "func(r io.Reader, dict []byte) io.ReadCloser"},
+		{"NewWriter", Func, 0, "func(w io.Writer, level int) (*Writer, error)"},
+		{"NewWriterDict", Func, 0, "func(w io.Writer, level int, dict []byte) (*Writer, error)"},
+		{"NoCompression", Const, 0, ""},
+		{"ReadError", Type, 0, ""},
+		{"ReadError.Err", Field, 0, ""},
+		{"ReadError.Offset", Field, 0, ""},
+		{"Reader", Type, 0, ""},
+		{"Resetter", Type, 4, ""},
+		{"WriteError", Type, 0, ""},
+		{"WriteError.Err", Field, 0, ""},
+		{"WriteError.Offset", Field, 0, ""},
+		{"Writer", Type, 0, ""},
+	},
+	"compress/gzip": {
+		{"(*Reader).Close", Method, 0, ""},
+		{"(*Reader).Multistream", Method, 4, ""},
+		{"(*Reader).Read", Method, 0, ""},
+		{"(*Reader).Reset", Method, 3, ""},
+		{"(*Writer).Close", Method, 0, ""},
+		{"(*Writer).Flush", Method, 1, ""},
+		{"(*Writer).Reset", Method, 2, ""},
+		{"(*Writer).Write", Method, 0, ""},
+		{"BestCompression", Const, 0, ""},
+		{"BestSpeed", Const, 0, ""},
+		{"DefaultCompression", Const, 0, ""},
+		{"ErrChecksum", Var, 0, ""},
+		{"ErrHeader", Var, 0, ""},
+		{"Header", Type, 0, ""},
+		{"Header.Comment", Field, 0, ""},
+		{"Header.Extra", Field, 0, ""},
+		{"Header.ModTime", Field, 0, ""},
+		{"Header.Name", Field, 0, ""},
+		{"Header.OS", Field, 0, ""},
+		{"HuffmanOnly", Const, 8, ""},
+		{"NewReader", Func, 0, "func(r io.Reader) (*Reader, error)"},
+		{"NewWriter", Func, 0, "func(w io.Writer) *Writer"},
+		{"NewWriterLevel", Func, 0, "func(w io.Writer, level int) (*Writer, error)"},
+		{"NoCompression", Const, 0, ""},
+		{"Reader", Type, 0, ""},
+		{"Reader.Header", Field, 0, ""},
+		{"Writer", Type, 0, ""},
+		{"Writer.Header", Field, 0, ""},
+	},
+	"compress/lzw": {
+		{"(*Reader).Close", Method, 17, ""},
+		{"(*Reader).Read", Method, 17, ""},
+		{"(*Reader).Reset", Method, 17, ""},
+		{"(*Writer).Close", Method, 17, ""},
+		{"(*Writer).Reset", Method, 17, ""},
+		{"(*Writer).Write", Method, 17, ""},
+		{"LSB", Const, 0, ""},
+		{"MSB", Const, 0, ""},
+		{"NewReader", Func, 0, "func(r io.Reader, order Order, litWidth int) io.ReadCloser"},
+		{"NewWriter", Func, 0, "func(w io.Writer, order Order, litWidth int) io.WriteCloser"},
+		{"Order", Type, 0, ""},
+		{"Reader", Type, 17, ""},
+		{"Writer", Type, 17, ""},
+	},
+	"compress/zlib": {
+		{"(*Writer).Close", Method, 0, ""},
+		{"(*Writer).Flush", Method, 0, ""},
+		{"(*Writer).Reset", Method, 2, ""},
+		{"(*Writer).Write", Method, 0, ""},
+		{"(Resetter).Reset", Method, 4, ""},
+		{"BestCompression", Const, 0, ""},
+		{"BestSpeed", Const, 0, ""},
+		{"DefaultCompression", Const, 0, ""},
+		{"ErrChecksum", Var, 0, ""},
+		{"ErrDictionary", Var, 0, ""},
+		{"ErrHeader", Var, 0, ""},
+		{"HuffmanOnly", Const, 8, ""},
+		{"NewReader", Func, 0, "func(r io.Reader) (io.ReadCloser, error)"},
+		{"NewReaderDict", Func, 0, "func(r io.Reader, dict []byte) (io.ReadCloser, error)"},
+		{"NewWriter", Func, 0, "func(w io.Writer) *Writer"},
+		{"NewWriterLevel", Func, 0, "func(w io.Writer, level int) (*Writer, error)"},
+		{"NewWriterLevelDict", Func, 0, "func(w io.Writer, level int, dict []byte) (*Writer, error)"},
+		{"NoCompression", Const, 0, ""},
+		{"Resetter", Type, 4, ""},
+		{"Writer", Type, 0, ""},
+	},
+	"container/heap": {
+		{"(Interface).Len", Method, 0, ""},
+		{"(Interface).Less", Method, 0, ""},
+		{"(Interface).Pop", Method, 0, ""},
+		{"(Interface).Push", Method, 0, ""},
+		{"(Interface).Swap", Method, 0, ""},
+		{"Fix", Func, 2, "func(h Interface, i int)"},
+		{"Init", Func, 0, "func(h Interface)"},
+		{"Interface", Type, 0, ""},
+		{"Pop", Func, 0, "func(h Interface) any"},
+		{"Push", Func, 0, "func(h Interface, x any)"},
+		{"Remove", Func, 0, "func(h Interface, i int) any"},
+	},
+	"container/list": {
+		{"(*Element).Next", Method, 0, ""},
+		{"(*Element).Prev", Method, 0, ""},
+		{"(*List).Back", Method, 0, ""},
+		{"(*List).Front", Method, 0, ""},
+		{"(*List).Init", Method, 0, ""},
+		{"(*List).InsertAfter", Method, 0, ""},
+		{"(*List).InsertBefore", Method, 0, ""},
+		{"(*List).Len", Method, 0, ""},
+		{"(*List).MoveAfter", Method, 2, ""},
+		{"(*List).MoveBefore", Method, 2, ""},
+		{"(*List).MoveToBack", Method, 0, ""},
+		{"(*List).MoveToFront", Method, 0, ""},
+		{"(*List).PushBack", Method, 0, ""},
+		{"(*List).PushBackList", Method, 0, ""},
+		{"(*List).PushFront", Method, 0, ""},
+		{"(*List).PushFrontList", Method, 0, ""},
+		{"(*List).Remove", Method, 0, ""},
+		{"Element", Type, 0, ""},
+		{"Element.Value", Field, 0, ""},
+		{"List", Type, 0, ""},
+		{"New", Func, 0, "func() *List"},
+	},
+	"container/ring": {
+		{"(*Ring).Do", Method, 0, ""},
+		{"(*Ring).Len", Method, 0, ""},
+		{"(*Ring).Link", Method, 0, ""},
+		{"(*Ring).Move", Method, 0, ""},
+		{"(*Ring).Next", Method, 0, ""},
+		{"(*Ring).Prev", Method, 0, ""},
+		{"(*Ring).Unlink", Method, 0, ""},
+		{"New", Func, 0, "func(n int) *Ring"},
+		{"Ring", Type, 0, ""},
+		{"Ring.Value", Field, 0, ""},
+	},
+	"context": {
+		{"(Context).Deadline", Method, 7, ""},
+		{"(Context).Done", Method, 7, ""},
+		{"(Context).Err", Method, 7, ""},
+		{"(Context).Value", Method, 7, ""},
+		{"AfterFunc", Func, 21, "func(ctx Context, f func()) (stop func() bool)"},
+		{"Background", Func, 7, "func() Context"},
+		{"CancelCauseFunc", Type, 20, ""},
+		{"CancelFunc", Type, 7, ""},
+		{"Canceled", Var, 7, ""},
+		{"Cause", Func, 20, "func(c Context) error"},
+		{"Context", Type, 7, ""},
+		{"DeadlineExceeded", Var, 7, ""},
+		{"TODO", Func, 7, "func() Context"},
+		{"WithCancel", Func, 7, "func(parent Context) (ctx Context, cancel CancelFunc)"},
+		{"WithCancelCause", Func, 20, "func(parent Context) (ctx Context, cancel CancelCauseFunc)"},
+		{"WithDeadline", Func, 7, "func(parent Context, d time.Time) (Context, CancelFunc)"},
+		{"WithDeadlineCause", Func, 21, "func(parent Context, d time.Time, cause error) (Context, CancelFunc)"},
+		{"WithTimeout", Func, 7, "func(parent Context, timeout time.Duration) (Context, CancelFunc)"},
+		{"WithTimeoutCause", Func, 21, "func(parent Context, timeout time.Duration, cause error) (Context, CancelFunc)"},
+		{"WithValue", Func, 7, "func(parent Context, key any, val any) Context"},
+		{"WithoutCancel", Func, 21, "func(parent Context) Context"},
+	},
+	"crypto": {
+		{"(Decapsulator).Decapsulate", Method, 26, ""},
+		{"(Decapsulator).Encapsulator", Method, 26, ""},
+		{"(Decrypter).Decrypt", Method, 5, ""},
+		{"(Decrypter).Public", Method, 5, ""},
+		{"(Encapsulator).Bytes", Method, 26, ""},
+		{"(Encapsulator).Encapsulate", Method, 26, ""},
+		{"(Hash).Available", Method, 0, ""},
+		{"(Hash).HashFunc", Method, 4, ""},
+		{"(Hash).New", Method, 0, ""},
+		{"(Hash).Size", Method, 0, ""},
+		{"(Hash).String", Method, 15, ""},
+		{"(MessageSigner).Public", Method, 25, ""},
+		{"(MessageSigner).Sign", Method, 25, ""},
+		{"(MessageSigner).SignMessage", Method, 25, ""},
+		{"(Signer).Public", Method, 4, ""},
+		{"(Signer).Sign", Method, 4, ""},
+		{"(SignerOpts).HashFunc", Method, 4, ""},
+		{"BLAKE2b_256", Const, 9, ""},
+		{"BLAKE2b_384", Const, 9, ""},
+		{"BLAKE2b_512", Const, 9, ""},
+		{"BLAKE2s_256", Const, 9, ""},
+		{"Decapsulator", Type, 26, ""},
+		{"Decrypter", Type, 5, ""},
+		{"DecrypterOpts", Type, 5, ""},
+		{"Encapsulator", Type, 26, ""},
+		{"Hash", Type, 0, ""},
+		{"MD4", Const, 0, ""},
+		{"MD5", Const, 0, ""},
+		{"MD5SHA1", Const, 0, ""},
+		{"MessageSigner", Type, 25, ""},
+		{"PrivateKey", Type, 0, ""},
+		{"PublicKey", Type, 2, ""},
+		{"RIPEMD160", Const, 0, ""},
+		{"RegisterHash", Func, 0, "func(h Hash, f func() hash.Hash)"},
+		{"SHA1", Const, 0, ""},
+		{"SHA224", Const, 0, ""},
+		{"SHA256", Const, 0, ""},
+		{"SHA384", Const, 0, ""},
+		{"SHA3_224", Const, 4, ""},
+		{"SHA3_256", Const, 4, ""},
+		{"SHA3_384", Const, 4, ""},
+		{"SHA3_512", Const, 4, ""},
+		{"SHA512", Const, 0, ""},
+		{"SHA512_224", Const, 5, ""},
+		{"SHA512_256", Const, 5, ""},
+		{"SignMessage", Func, 25, "func(signer Signer, rand io.Reader, msg []byte, opts SignerOpts) (signature []byte, err error)"},
+		{"Signer", Type, 4, ""},
+		{"SignerOpts", Type, 4, ""},
+	},
+	"crypto/aes": {
+		{"(KeySizeError).Error", Method, 0, ""},
+		{"BlockSize", Const, 0, ""},
+		{"KeySizeError", Type, 0, ""},
+		{"NewCipher", Func, 0, "func(key []byte) (cipher.Block, error)"},
+	},
+	"crypto/cipher": {
+		{"(AEAD).NonceSize", Method, 2, ""},
+		{"(AEAD).Open", Method, 2, ""},
+		{"(AEAD).Overhead", Method, 2, ""},
+		{"(AEAD).Seal", Method, 2, ""},
+		{"(Block).BlockSize", Method, 0, ""},
+		{"(Block).Decrypt", Method, 0, ""},
+		{"(Block).Encrypt", Method, 0, ""},
+		{"(BlockMode).BlockSize", Method, 0, ""},
+		{"(BlockMode).CryptBlocks", Method, 0, ""},
+		{"(Stream).XORKeyStream", Method, 0, ""},
+		{"(StreamReader).Read", Method, 0, ""},
+		{"(StreamWriter).Close", Method, 0, ""},
+		{"(StreamWriter).Write", Method, 0, ""},
+		{"AEAD", Type, 2, ""},
+		{"Block", Type, 0, ""},
+		{"BlockMode", Type, 0, ""},
+		{"NewCBCDecrypter", Func, 0, "func(b Block, iv []byte) BlockMode"},
+		{"NewCBCEncrypter", Func, 0, "func(b Block, iv []byte) BlockMode"},
+		{"NewCFBDecrypter", Func, 0, "func(block Block, iv []byte) Stream"},
+		{"NewCFBEncrypter", Func, 0, "func(block Block, iv []byte) Stream"},
+		{"NewCTR", Func, 0, "func(block Block, iv []byte) Stream"},
+		{"NewGCM", Func, 2, "func(cipher Block) (AEAD, error)"},
+		{"NewGCMWithNonceSize", Func, 5, "func(cipher Block, size int) (AEAD, error)"},
+		{"NewGCMWithRandomNonce", Func, 24, "func(cipher Block) (AEAD, error)"},
+		{"NewGCMWithTagSize", Func, 11, "func(cipher Block, tagSize int) (AEAD, error)"},
+		{"NewOFB", Func, 0, "func(b Block, iv []byte) Stream"},
+		{"Stream", Type, 0, ""},
+		{"StreamReader", Type, 0, ""},
+		{"StreamReader.R", Field, 0, ""},
+		{"StreamReader.S", Field, 0, ""},
+		{"StreamWriter", Type, 0, ""},
+		{"StreamWriter.Err", Field, 0, ""},
+		{"StreamWriter.S", Field, 0, ""},
+		{"StreamWriter.W", Field, 0, ""},
+	},
+	"crypto/des": {
+		{"(KeySizeError).Error", Method, 0, ""},
+		{"BlockSize", Const, 0, ""},
+		{"KeySizeError", Type, 0, ""},
+		{"NewCipher", Func, 0, "func(key []byte) (cipher.Block, error)"},
+		{"NewTripleDESCipher", Func, 0, "func(key []byte) (cipher.Block, error)"},
+	},
+	"crypto/dsa": {
+		{"ErrInvalidPublicKey", Var, 0, ""},
+		{"GenerateKey", Func, 0, "func(priv *PrivateKey, rand io.Reader) error"},
+		{"GenerateParameters", Func, 0, "func(params *Parameters, rand io.Reader, sizes ParameterSizes) error"},
+		{"L1024N160", Const, 0, ""},
+		{"L2048N224", Const, 0, ""},
+		{"L2048N256", Const, 0, ""},
+		{"L3072N256", Const, 0, ""},
+		{"ParameterSizes", Type, 0, ""},
+		{"Parameters", Type, 0, ""},
+		{"Parameters.G", Field, 0, ""},
+		{"Parameters.P", Field, 0, ""},
+		{"Parameters.Q", Field, 0, ""},
+		{"PrivateKey", Type, 0, ""},
+		{"PrivateKey.PublicKey", Field, 0, ""},
+		{"PrivateKey.X", Field, 0, ""},
+		{"PublicKey", Type, 0, ""},
+		{"PublicKey.Parameters", Field, 0, ""},
+		{"PublicKey.Y", Field, 0, ""},
+		{"Sign", Func, 0, "func(random io.Reader, priv *PrivateKey, hash []byte) (r *big.Int, s *big.Int, err error)"},
+		{"Verify", Func, 0, "func(pub *PublicKey, hash []byte, r *big.Int, s *big.Int) bool"},
+	},
+	"crypto/ecdh": {
+		{"(*PrivateKey).Bytes", Method, 20, ""},
+		{"(*PrivateKey).Curve", Method, 20, ""},
+		{"(*PrivateKey).ECDH", Method, 20, ""},
+		{"(*PrivateKey).Equal", Method, 20, ""},
+		{"(*PrivateKey).Public", Method, 20, ""},
+		{"(*PrivateKey).PublicKey", Method, 20, ""},
+		{"(*PublicKey).Bytes", Method, 20, ""},
+		{"(*PublicKey).Curve", Method, 20, ""},
+		{"(*PublicKey).Equal", Method, 20, ""},
+		{"(Curve).GenerateKey", Method, 20, ""},
+		{"(Curve).NewPrivateKey", Method, 20, ""},
+		{"(Curve).NewPublicKey", Method, 20, ""},
+		{"(KeyExchanger).Curve", Method, 26, ""},
+		{"(KeyExchanger).ECDH", Method, 26, ""},
+		{"(KeyExchanger).PublicKey", Method, 26, ""},
+		{"KeyExchanger", Type, 26, ""},
+		{"P256", Func, 20, "func() Curve"},
+		{"P384", Func, 20, "func() Curve"},
+		{"P521", Func, 20, "func() Curve"},
+		{"PrivateKey", Type, 20, ""},
+		{"PublicKey", Type, 20, ""},
+		{"X25519", Func, 20, "func() Curve"},
+	},
+	"crypto/ecdsa": {
+		{"(*PrivateKey).Bytes", Method, 25, ""},
+		{"(*PrivateKey).ECDH", Method, 20, ""},
+		{"(*PrivateKey).Equal", Method, 15, ""},
+		{"(*PrivateKey).Public", Method, 4, ""},
+		{"(*PrivateKey).Sign", Method, 4, ""},
+		{"(*PublicKey).Bytes", Method, 25, ""},
+		{"(*PublicKey).ECDH", Method, 20, ""},
+		{"(*PublicKey).Equal", Method, 15, ""},
+		{"(PrivateKey).Add", Method, 0, ""},
+		{"(PrivateKey).Double", Method, 0, ""},
+		{"(PrivateKey).IsOnCurve", Method, 0, ""},
+		{"(PrivateKey).Params", Method, 0, ""},
+		{"(PrivateKey).ScalarBaseMult", Method, 0, ""},
+		{"(PrivateKey).ScalarMult", Method, 0, ""},
+		{"(PublicKey).Add", Method, 0, ""},
+		{"(PublicKey).Double", Method, 0, ""},
+		{"(PublicKey).IsOnCurve", Method, 0, ""},
+		{"(PublicKey).Params", Method, 0, ""},
+		{"(PublicKey).ScalarBaseMult", Method, 0, ""},
+		{"(PublicKey).ScalarMult", Method, 0, ""},
+		{"GenerateKey", Func, 0, "func(c elliptic.Curve, r io.Reader) (*PrivateKey, error)"},
+		{"ParseRawPrivateKey", Func, 25, "func(curve elliptic.Curve, data []byte) (*PrivateKey, error)"},
+		{"ParseUncompressedPublicKey", Func, 25, "func(curve elliptic.Curve, data []byte) (*PublicKey, error)"},
+		{"PrivateKey", Type, 0, ""},
+		{"PrivateKey.D", Field, 0, ""},
+		{"PrivateKey.PublicKey", Field, 0, ""},
+		{"PublicKey", Type, 0, ""},
+		{"PublicKey.Curve", Field, 0, ""},
+		{"PublicKey.X", Field, 0, ""},
+		{"PublicKey.Y", Field, 0, ""},
+		{"Sign", Func, 0, "func(rand io.Reader, priv *PrivateKey, hash []byte) (r *big.Int, s *big.Int, err error)"},
+		{"SignASN1", Func, 15, "func(r io.Reader, priv *PrivateKey, hash []byte) ([]byte, error)"},
+		{"Verify", Func, 0, "func(pub *PublicKey, hash []byte, r *big.Int, s *big.Int) bool"},
+		{"VerifyASN1", Func, 15, "func(pub *PublicKey, hash []byte, sig []byte) bool"},
+	},
+	"crypto/ed25519": {
+		{"(*Options).HashFunc", Method, 20, ""},
+		{"(PrivateKey).Equal", Method, 15, ""},
+		{"(PrivateKey).Public", Method, 13, ""},
+		{"(PrivateKey).Seed", Method, 13, ""},
+		{"(PrivateKey).Sign", Method, 13, ""},
+		{"(PublicKey).Equal", Method, 15, ""},
+		{"GenerateKey", Func, 13, "func(random io.Reader) (PublicKey, PrivateKey, error)"},
+		{"NewKeyFromSeed", Func, 13, "func(seed []byte) PrivateKey"},
+		{"Options", Type, 20, ""},
+		{"Options.Context", Field, 20, ""},
+		{"Options.Hash", Field, 20, ""},
+		{"PrivateKey", Type, 13, ""},
+		{"PrivateKeySize", Const, 13, ""},
+		{"PublicKey", Type, 13, ""},
+		{"PublicKeySize", Const, 13, ""},
+		{"SeedSize", Const, 13, ""},
+		{"Sign", Func, 13, "func(privateKey PrivateKey, message []byte) []byte"},
+		{"SignatureSize", Const, 13, ""},
+		{"Verify", Func, 13, "func(publicKey PublicKey, message []byte, sig []byte) bool"},
+		{"VerifyWithOptions", Func, 20, "func(publicKey PublicKey, message []byte, sig []byte, opts *Options) error"},
+	},
+	"crypto/elliptic": {
+		{"(*CurveParams).Add", Method, 0, ""},
+		{"(*CurveParams).Double", Method, 0, ""},
+		{"(*CurveParams).IsOnCurve", Method, 0, ""},
+		{"(*CurveParams).Params", Method, 0, ""},
+		{"(*CurveParams).ScalarBaseMult", Method, 0, ""},
+		{"(*CurveParams).ScalarMult", Method, 0, ""},
+		{"(Curve).Add", Method, 0, ""},
+		{"(Curve).Double", Method, 0, ""},
+		{"(Curve).IsOnCurve", Method, 0, ""},
+		{"(Curve).Params", Method, 0, ""},
+		{"(Curve).ScalarBaseMult", Method, 0, ""},
+		{"(Curve).ScalarMult", Method, 0, ""},
+		{"Curve", Type, 0, ""},
+		{"CurveParams", Type, 0, ""},
+		{"CurveParams.B", Field, 0, ""},
+		{"CurveParams.BitSize", Field, 0, ""},
+		{"CurveParams.Gx", Field, 0, ""},
+		{"CurveParams.Gy", Field, 0, ""},
+		{"CurveParams.N", Field, 0, ""},
+		{"CurveParams.Name", Field, 5, ""},
+		{"CurveParams.P", Field, 0, ""},
+		{"GenerateKey", Func, 0, "func(curve Curve, rand io.Reader) (priv []byte, x *big.Int, y *big.Int, err error)"},
+		{"Marshal", Func, 0, "func(curve Curve, x *big.Int, y *big.Int) []byte"},
+		{"MarshalCompressed", Func, 15, "func(curve Curve, x *big.Int, y *big.Int) []byte"},
+		{"P224", Func, 0, "func() Curve"},
+		{"P256", Func, 0, "func() Curve"},
+		{"P384", Func, 0, "func() Curve"},
+		{"P521", Func, 0, "func() Curve"},
+		{"Unmarshal", Func, 0, "func(curve Curve, data []byte) (x *big.Int, y *big.Int)"},
+		{"UnmarshalCompressed", Func, 15, "func(curve Curve, data []byte) (x *big.Int, y *big.Int)"},
+	},
+	"crypto/fips140": {
+		{"Enabled", Func, 24, "func() bool"},
+		{"Enforced", Func, 26, "func() bool"},
+		{"Version", Func, 26, "func() string"},
+		{"WithoutEnforcement", Func, 26, "func(f func())"},
+	},
+	"crypto/hkdf": {
+		{"Expand", Func, 24, "func[H hash.Hash](h func() H, pseudorandomKey []byte, info string, keyLength int) ([]byte, error)"},
+		{"Extract", Func, 24, "func[H hash.Hash](h func() H, secret []byte, salt []byte) ([]byte, error)"},
+		{"Key", Func, 24, "func[Hash hash.Hash](h func() Hash, secret []byte, salt []byte, info string, keyLength int) ([]byte, error)"},
+	},
+	"crypto/hmac": {
+		{"Equal", Func, 1, "func(mac1 []byte, mac2 []byte) bool"},
+		{"New", Func, 0, "func(h func() hash.Hash, key []byte) hash.Hash"},
+	},
+	"crypto/hpke": {
+		{"(*Recipient).Export", Method, 26, ""},
+		{"(*Recipient).Open", Method, 26, ""},
+		{"(*Sender).Export", Method, 26, ""},
+		{"(*Sender).Seal", Method, 26, ""},
+		{"(AEAD).ID", Method, 26, ""},
+		{"(KDF).ID", Method, 26, ""},
+		{"(KEM).DeriveKeyPair", Method, 26, ""},
+		{"(KEM).GenerateKey", Method, 26, ""},
+		{"(KEM).ID", Method, 26, ""},
+		{"(KEM).NewPrivateKey", Method, 26, ""},
+		{"(KEM).NewPublicKey", Method, 26, ""},
+		{"(PrivateKey).Bytes", Method, 26, ""},
+		{"(PrivateKey).KEM", Method, 26, ""},
+		{"(PrivateKey).PublicKey", Method, 26, ""},
+		{"(PublicKey).Bytes", Method, 26, ""},
+		{"(PublicKey).KEM", Method, 26, ""},
+		{"AES128GCM", Func, 26, "func() AEAD"},
+		{"AES256GCM", Func, 26, "func() AEAD"},
+		{"ChaCha20Poly1305", Func, 26, "func() AEAD"},
+		{"DHKEM", Func, 26, "func(curve ecdh.Curve) KEM"},
+		{"ExportOnly", Func, 26, "func() AEAD"},
+		{"HKDFSHA256", Func, 26, "func() KDF"},
+		{"HKDFSHA384", Func, 26, "func() KDF"},
+		{"HKDFSHA512", Func, 26, "func() KDF"},
+		{"MLKEM1024", Func, 26, "func() KEM"},
+		{"MLKEM1024P384", Func, 26, "func() KEM"},
+		{"MLKEM768", Func, 26, "func() KEM"},
+		{"MLKEM768P256", Func, 26, "func() KEM"},
+		{"MLKEM768X25519", Func, 26, "func() KEM"},
+		{"NewAEAD", Func, 26, "func(id uint16) (AEAD, error)"},
+		{"NewDHKEMPrivateKey", Func, 26, "func(priv ecdh.KeyExchanger) (PrivateKey, error)"},
+		{"NewDHKEMPublicKey", Func, 26, "func(pub *ecdh.PublicKey) (PublicKey, error)"},
+		{"NewHybridPrivateKey", Func, 26, "func(pq crypto.Decapsulator, t ecdh.KeyExchanger) (PrivateKey, error)"},
+		{"NewHybridPublicKey", Func, 26, "func(pq crypto.Encapsulator, t *ecdh.PublicKey) (PublicKey, error)"},
+		{"NewKDF", Func, 26, "func(id uint16) (KDF, error)"},
+		{"NewKEM", Func, 26, "func(id uint16) (KEM, error)"},
+		{"NewMLKEMPrivateKey", Func, 26, "func(priv crypto.Decapsulator) (PrivateKey, error)"},
+		{"NewMLKEMPublicKey", Func, 26, "func(pub crypto.Encapsulator) (PublicKey, error)"},
+		{"NewRecipient", Func, 26, "func(enc []byte, k PrivateKey, kdf KDF, aead AEAD, info []byte) (*Recipient, error)"},
+		{"NewSender", Func, 26, "func(pk PublicKey, kdf KDF, aead AEAD, info []byte) (enc []byte, s *Sender, err error)"},
+		{"Open", Func, 26, "func(k PrivateKey, kdf KDF, aead AEAD, info []byte, ciphertext []byte) ([]byte, error)"},
+		{"Recipient", Type, 26, ""},
+		{"SHAKE128", Func, 26, "func() KDF"},
+		{"SHAKE256", Func, 26, "func() KDF"},
+		{"Seal", Func, 26, "func(pk PublicKey, kdf KDF, aead AEAD, info []byte, plaintext []byte) ([]byte, error)"},
+		{"Sender", Type, 26, ""},
+	},
+	"crypto/md5": {
+		{"BlockSize", Const, 0, ""},
+		{"New", Func, 0, "func() hash.Hash"},
+		{"Size", Const, 0, ""},
+		{"Sum", Func, 2, "func(data []byte) [16]byte"},
+	},
+	"crypto/mlkem": {
+		{"(*DecapsulationKey1024).Bytes", Method, 24, ""},
+		{"(*DecapsulationKey1024).Decapsulate", Method, 24, ""},
+		{"(*DecapsulationKey1024).EncapsulationKey", Method, 24, ""},
+		{"(*DecapsulationKey1024).Encapsulator", Method, 26, ""},
+		{"(*DecapsulationKey768).Bytes", Method, 24, ""},
+		{"(*DecapsulationKey768).Decapsulate", Method, 24, ""},
+		{"(*DecapsulationKey768).EncapsulationKey", Method, 24, ""},
+		{"(*DecapsulationKey768).Encapsulator", Method, 26, ""},
+		{"(*EncapsulationKey1024).Bytes", Method, 24, ""},
+		{"(*EncapsulationKey1024).Encapsulate", Method, 24, ""},
+		{"(*EncapsulationKey768).Bytes", Method, 24, ""},
+		{"(*EncapsulationKey768).Encapsulate", Method, 24, ""},
+		{"CiphertextSize1024", Const, 24, ""},
+		{"CiphertextSize768", Const, 24, ""},
+		{"DecapsulationKey1024", Type, 24, ""},
+		{"DecapsulationKey768", Type, 24, ""},
+		{"EncapsulationKey1024", Type, 24, ""},
+		{"EncapsulationKey768", Type, 24, ""},
+		{"EncapsulationKeySize1024", Const, 24, ""},
+		{"EncapsulationKeySize768", Const, 24, ""},
+		{"GenerateKey1024", Func, 24, "func() (*DecapsulationKey1024, error)"},
+		{"GenerateKey768", Func, 24, "func() (*DecapsulationKey768, error)"},
+		{"NewDecapsulationKey1024", Func, 24, "func(seed []byte) (*DecapsulationKey1024, error)"},
+		{"NewDecapsulationKey768", Func, 24, "func(seed []byte) (*DecapsulationKey768, error)"},
+		{"NewEncapsulationKey1024", Func, 24, "func(encapsulationKey []byte) (*EncapsulationKey1024, error)"},
+		{"NewEncapsulationKey768", Func, 24, "func(encapsulationKey []byte) (*EncapsulationKey768, error)"},
+		{"SeedSize", Const, 24, ""},
+		{"SharedKeySize", Const, 24, ""},
+	},
+	"crypto/mlkem/mlkemtest": {
+		{"Encapsulate1024", Func, 26, "func(ek *mlkem.EncapsulationKey1024, random []byte) (sharedKey []byte, ciphertext []byte, err error)"},
+		{"Encapsulate768", Func, 26, "func(ek *mlkem.EncapsulationKey768, random []byte) (sharedKey []byte, ciphertext []byte, err error)"},
+	},
+	"crypto/pbkdf2": {
+		{"Key", Func, 24, "func[Hash hash.Hash](h func() Hash, password string, salt []byte, iter int, keyLength int) ([]byte, error)"},
+	},
+	"crypto/rand": {
+		{"Int", Func, 0, "func(rand io.Reader, max *big.Int) (n *big.Int, err error)"},
+		{"Prime", Func, 0, "func(r io.Reader, bits int) (*big.Int, error)"},
+		{"Read", Func, 0, "func(b []byte) (n int, err error)"},
+		{"Reader", Var, 0, ""},
+		{"Text", Func, 24, "func() string"},
+	},
+	"crypto/rc4": {
+		{"(*Cipher).Reset", Method, 0, ""},
+		{"(*Cipher).XORKeyStream", Method, 0, ""},
+		{"(KeySizeError).Error", Method, 0, ""},
+		{"Cipher", Type, 0, ""},
+		{"KeySizeError", Type, 0, ""},
+		{"NewCipher", Func, 0, "func(key []byte) (*Cipher, error)"},
+	},
+	"crypto/rsa": {
+		{"(*PSSOptions).HashFunc", Method, 4, ""},
+		{"(*PrivateKey).Decrypt", Method, 5, ""},
+		{"(*PrivateKey).Equal", Method, 15, ""},
+		{"(*PrivateKey).Precompute", Method, 0, ""},
+		{"(*PrivateKey).Public", Method, 4, ""},
+		{"(*PrivateKey).Sign", Method, 4, ""},
+		{"(*PrivateKey).Size", Method, 11, ""},
+		{"(*PrivateKey).Validate", Method, 0, ""},
+		{"(*PublicKey).Equal", Method, 15, ""},
+		{"(*PublicKey).Size", Method, 11, ""},
+		{"CRTValue", Type, 0, ""},
+		{"CRTValue.Coeff", Field, 0, ""},
+		{"CRTValue.Exp", Field, 0, ""},
+		{"CRTValue.R", Field, 0, ""},
+		{"DecryptOAEP", Func, 0, "func(hash hash.Hash, random io.Reader, priv *PrivateKey, ciphertext []byte, label []byte) ([]byte, error)"},
+		{"DecryptPKCS1v15", Func, 0, "func(random io.Reader, priv *PrivateKey, ciphertext []byte) ([]byte, error)"},
+		{"DecryptPKCS1v15SessionKey", Func, 0, "func(random io.Reader, priv *PrivateKey, ciphertext []byte, key []byte) error"},
+		{"EncryptOAEP", Func, 0, "func(hash hash.Hash, random io.Reader, pub *PublicKey, msg []byte, label []byte) ([]byte, error)"},
+		{"EncryptOAEPWithOptions", Func, 26, "func(random io.Reader, pub *PublicKey, msg []byte, opts *OAEPOptions) ([]byte, error)"},
+		{"EncryptPKCS1v15", Func, 0, "func(random io.Reader, pub *PublicKey, msg []byte) ([]byte, error)"},
+		{"ErrDecryption", Var, 0, ""},
+		{"ErrMessageTooLong", Var, 0, ""},
+		{"ErrVerification", Var, 0, ""},
+		{"GenerateKey", Func, 0, "func(random io.Reader, bits int) (*PrivateKey, error)"},
+		{"GenerateMultiPrimeKey", Func, 0, "func(random io.Reader, nprimes int, bits int) (*PrivateKey, error)"},
+		{"OAEPOptions", Type, 5, ""},
+		{"OAEPOptions.Hash", Field, 5, ""},
+		{"OAEPOptions.Label", Field, 5, ""},
+		{"OAEPOptions.MGFHash", Field, 20, ""},
+		{"PKCS1v15DecryptOptions", Type, 5, ""},
+		{"PKCS1v15DecryptOptions.SessionKeyLen", Field, 5, ""},
+		{"PSSOptions", Type, 2, ""},
+		{"PSSOptions.Hash", Field, 4, ""},
+		{"PSSOptions.SaltLength", Field, 2, ""},
+		{"PSSSaltLengthAuto", Const, 2, ""},
+		{"PSSSaltLengthEqualsHash", Const, 2, ""},
+		{"PrecomputedValues", Type, 0, ""},
+		{"PrecomputedValues.CRTValues", Field, 0, ""},
+		{"PrecomputedValues.Dp", Field, 0, ""},
+		{"PrecomputedValues.Dq", Field, 0, ""},
+		{"PrecomputedValues.Qinv", Field, 0, ""},
+		{"PrivateKey", Type, 0, ""},
+		{"PrivateKey.D", Field, 0, ""},
+		{"PrivateKey.Precomputed", Field, 0, ""},
+		{"PrivateKey.Primes", Field, 0, ""},
+		{"PrivateKey.PublicKey", Field, 0, ""},
+		{"PublicKey", Type, 0, ""},
+		{"PublicKey.E", Field, 0, ""},
+		{"PublicKey.N", Field, 0, ""},
+		{"SignPKCS1v15", Func, 0, "func(random io.Reader, priv *PrivateKey, hash crypto.Hash, hashed []byte) ([]byte, error)"},
+		{"SignPSS", Func, 2, "func(random io.Reader, priv *PrivateKey, hash crypto.Hash, digest []byte, opts *PSSOptions) ([]byte, error)"},
+		{"VerifyPKCS1v15", Func, 0, "func(pub *PublicKey, hash crypto.Hash, hashed []byte, sig []byte) error"},
+		{"VerifyPSS", Func, 2, "func(pub *PublicKey, hash crypto.Hash, digest []byte, sig []byte, opts *PSSOptions) error"},
+	},
+	"crypto/sha1": {
+		{"BlockSize", Const, 0, ""},
+		{"New", Func, 0, "func() hash.Hash"},
+		{"Size", Const, 0, ""},
+		{"Sum", Func, 2, "func(data []byte) [20]byte"},
+	},
+	"crypto/sha256": {
+		{"BlockSize", Const, 0, ""},
+		{"New", Func, 0, "func() hash.Hash"},
+		{"New224", Func, 0, "func() hash.Hash"},
+		{"Size", Const, 0, ""},
+		{"Size224", Const, 0, ""},
+		{"Sum224", Func, 2, "func(data []byte) [28]byte"},
+		{"Sum256", Func, 2, "func(data []byte) [32]byte"},
+	},
+	"crypto/sha3": {
+		{"(*SHA3).AppendBinary", Method, 24, ""},
+		{"(*SHA3).BlockSize", Method, 24, ""},
+		{"(*SHA3).Clone", Method, 25, ""},
+		{"(*SHA3).MarshalBinary", Method, 24, ""},
+		{"(*SHA3).Reset", Method, 24, ""},
+		{"(*SHA3).Size", Method, 24, ""},
+		{"(*SHA3).Sum", Method, 24, ""},
+		{"(*SHA3).UnmarshalBinary", Method, 24, ""},
+		{"(*SHA3).Write", Method, 24, ""},
+		{"(*SHAKE).AppendBinary", Method, 24, ""},
+		{"(*SHAKE).BlockSize", Method, 24, ""},
+		{"(*SHAKE).MarshalBinary", Method, 24, ""},
+		{"(*SHAKE).Read", Method, 24, ""},
+		{"(*SHAKE).Reset", Method, 24, ""},
+		{"(*SHAKE).UnmarshalBinary", Method, 24, ""},
+		{"(*SHAKE).Write", Method, 24, ""},
+		{"New224", Func, 24, "func() *SHA3"},
+		{"New256", Func, 24, "func() *SHA3"},
+		{"New384", Func, 24, "func() *SHA3"},
+		{"New512", Func, 24, "func() *SHA3"},
+		{"NewCSHAKE128", Func, 24, "func(N []byte, S []byte) *SHAKE"},
+		{"NewCSHAKE256", Func, 24, "func(N []byte, S []byte) *SHAKE"},
+		{"NewSHAKE128", Func, 24, "func() *SHAKE"},
+		{"NewSHAKE256", Func, 24, "func() *SHAKE"},
+		{"SHA3", Type, 24, ""},
+		{"SHAKE", Type, 24, ""},
+		{"Sum224", Func, 24, "func(data []byte) [28]byte"},
+		{"Sum256", Func, 24, "func(data []byte) [32]byte"},
+		{"Sum384", Func, 24, "func(data []byte) [48]byte"},
+		{"Sum512", Func, 24, "func(data []byte) [64]byte"},
+		{"SumSHAKE128", Func, 24, "func(data []byte, length int) []byte"},
+		{"SumSHAKE256", Func, 24, "func(data []byte, length int) []byte"},
+	},
+	"crypto/sha512": {
+		{"BlockSize", Const, 0, ""},
+		{"New", Func, 0, "func() hash.Hash"},
+		{"New384", Func, 0, "func() hash.Hash"},
+		{"New512_224", Func, 5, "func() hash.Hash"},
+		{"New512_256", Func, 5, "func() hash.Hash"},
+		{"Size", Const, 0, ""},
+		{"Size224", Const, 5, ""},
+		{"Size256", Const, 5, ""},
+		{"Size384", Const, 0, ""},
+		{"Sum384", Func, 2, "func(data []byte) [48]byte"},
+		{"Sum512", Func, 2, "func(data []byte) [64]byte"},
+		{"Sum512_224", Func, 5, "func(data []byte) [28]byte"},
+		{"Sum512_256", Func, 5, "func(data []byte) [32]byte"},
+	},
+	"crypto/subtle": {
+		{"ConstantTimeByteEq", Func, 0, "func(x uint8, y uint8) int"},
+		{"ConstantTimeCompare", Func, 0, "func(x []byte, y []byte) int"},
+		{"ConstantTimeCopy", Func, 0, "func(v int, x []byte, y []byte)"},
+		{"ConstantTimeEq", Func, 0, "func(x int32, y int32) int"},
+		{"ConstantTimeLessOrEq", Func, 2, "func(x int, y int) int"},
+		{"ConstantTimeSelect", Func, 0, "func(v int, x int, y int) int"},
+		{"WithDataIndependentTiming", Func, 24, "func(f func())"},
+		{"XORBytes", Func, 20, "func(dst []byte, x []byte, y []byte) int"},
+	},
+	"crypto/tls": {
+		{"(*CertificateRequestInfo).Context", Method, 17, ""},
+		{"(*CertificateRequestInfo).SupportsCertificate", Method, 14, ""},
+		{"(*CertificateVerificationError).Error", Method, 20, ""},
+		{"(*CertificateVerificationError).Unwrap", Method, 20, ""},
+		{"(*ClientHelloInfo).Context", Method, 17, ""},
+		{"(*ClientHelloInfo).SupportsCertificate", Method, 14, ""},
+		{"(*ClientSessionState).ResumptionState", Method, 21, ""},
+		{"(*Config).BuildNameToCertificate", Method, 0, ""},
+		{"(*Config).Clone", Method, 8, ""},
+		{"(*Config).DecryptTicket", Method, 21, ""},
+		{"(*Config).EncryptTicket", Method, 21, ""},
+		{"(*Config).SetSessionTicketKeys", Method, 5, ""},
+		{"(*Conn).Close", Method, 0, ""},
+		{"(*Conn).CloseWrite", Method, 8, ""},
+		{"(*Conn).ConnectionState", Method, 0, ""},
+		{"(*Conn).Handshake", Method, 0, ""},
+		{"(*Conn).HandshakeContext", Method, 17, ""},
+		{"(*Conn).LocalAddr", Method, 0, ""},
+		{"(*Conn).NetConn", Method, 18, ""},
+		{"(*Conn).OCSPResponse", Method, 0, ""},
+		{"(*Conn).Read", Method, 0, ""},
+		{"(*Conn).RemoteAddr", Method, 0, ""},
+		{"(*Conn).SetDeadline", Method, 0, ""},
+		{"(*Conn).SetReadDeadline", Method, 0, ""},
+		{"(*Conn).SetWriteDeadline", Method, 0, ""},
+		{"(*Conn).VerifyHostname", Method, 0, ""},
+		{"(*Conn).Write", Method, 0, ""},
+		{"(*ConnectionState).ExportKeyingMaterial", Method, 11, ""},
+		{"(*Dialer).Dial", Method, 15, ""},
+		{"(*Dialer).DialContext", Method, 15, ""},
+		{"(*ECHRejectionError).Error", Method, 23, ""},
+		{"(*QUICConn).Close", Method, 21, ""},
+		{"(*QUICConn).ConnectionState", Method, 21, ""},
+		{"(*QUICConn).HandleData", Method, 21, ""},
+		{"(*QUICConn).NextEvent", Method, 21, ""},
+		{"(*QUICConn).SendSessionTicket", Method, 21, ""},
+		{"(*QUICConn).SetTransportParameters", Method, 21, ""},
+		{"(*QUICConn).Start", Method, 21, ""},
+		{"(*QUICConn).StoreSession", Method, 23, ""},
+		{"(*SessionState).Bytes", Method, 21, ""},
+		{"(AlertError).Error", Method, 21, ""},
+		{"(ClientAuthType).String", Method, 15, ""},
+		{"(ClientSessionCache).Get", Method, 3, ""},
+		{"(ClientSessionCache).Put", Method, 3, ""},
+		{"(CurveID).String", Method, 15, ""},
+		{"(QUICEncryptionLevel).String", Method, 21, ""},
+		{"(RecordHeaderError).Error", Method, 6, ""},
+		{"(SignatureScheme).String", Method, 15, ""},
+		{"AlertError", Type, 21, ""},
+		{"Certificate", Type, 0, ""},
+		{"Certificate.Certificate", Field, 0, ""},
+		{"Certificate.Leaf", Field, 0, ""},
+		{"Certificate.OCSPStaple", Field, 0, ""},
+		{"Certificate.PrivateKey", Field, 0, ""},
+		{"Certificate.SignedCertificateTimestamps", Field, 5, ""},
+		{"Certificate.SupportedSignatureAlgorithms", Field, 14, ""},
+		{"CertificateRequestInfo", Type, 8, ""},
+		{"CertificateRequestInfo.AcceptableCAs", Field, 8, ""},
+		{"CertificateRequestInfo.SignatureSchemes", Field, 8, ""},
+		{"CertificateRequestInfo.Version", Field, 14, ""},
+		{"CertificateVerificationError", Type, 20, ""},
+		{"CertificateVerificationError.Err", Field, 20, ""},
+		{"CertificateVerificationError.UnverifiedCertificates", Field, 20, ""},
+		{"CipherSuite", Type, 14, ""},
+		{"CipherSuite.ID", Field, 14, ""},
+		{"CipherSuite.Insecure", Field, 14, ""},
+		{"CipherSuite.Name", Field, 14, ""},
+		{"CipherSuite.SupportedVersions", Field, 14, ""},
+		{"CipherSuiteName", Func, 14, "func(id uint16) string"},
+		{"CipherSuites", Func, 14, "func() []*CipherSuite"},
+		{"Client", Func, 0, "func(conn net.Conn, config *Config) *Conn"},
+		{"ClientAuthType", Type, 0, ""},
+		{"ClientHelloInfo", Type, 4, ""},
+		{"ClientHelloInfo.CipherSuites", Field, 4, ""},
+		{"ClientHelloInfo.Conn", Field, 8, ""},
+		{"ClientHelloInfo.Extensions", Field, 24, ""},
+		{"ClientHelloInfo.HelloRetryRequest", Field, 26, ""},
+		{"ClientHelloInfo.ServerName", Field, 4, ""},
+		{"ClientHelloInfo.SignatureSchemes", Field, 8, ""},
+		{"ClientHelloInfo.SupportedCurves", Field, 4, ""},
+		{"ClientHelloInfo.SupportedPoints", Field, 4, ""},
+		{"ClientHelloInfo.SupportedProtos", Field, 8, ""},
+		{"ClientHelloInfo.SupportedVersions", Field, 8, ""},
+		{"ClientSessionCache", Type, 3, ""},
+		{"ClientSessionState", Type, 3, ""},
+		{"Config", Type, 0, ""},
+		{"Config.Certificates", Field, 0, ""},
+		{"Config.CipherSuites", Field, 0, ""},
+		{"Config.ClientAuth", Field, 0, ""},
+		{"Config.ClientCAs", Field, 0, ""},
+		{"Config.ClientSessionCache", Field, 3, ""},
+		{"Config.CurvePreferences", Field, 3, ""},
+		{"Config.DynamicRecordSizingDisabled", Field, 7, ""},
+		{"Config.EncryptedClientHelloConfigList", Field, 23, ""},
+		{"Config.EncryptedClientHelloKeys", Field, 24, ""},
+		{"Config.EncryptedClientHelloRejectionVerify", Field, 23, ""},
+		{"Config.GetCertificate", Field, 4, ""},
+		{"Config.GetClientCertificate", Field, 8, ""},
+		{"Config.GetConfigForClient", Field, 8, ""},
+		{"Config.GetEncryptedClientHelloKeys", Field, 25, ""},
+		{"Config.InsecureSkipVerify", Field, 0, ""},
+		{"Config.KeyLogWriter", Field, 8, ""},
+		{"Config.MaxVersion", Field, 2, ""},
+		{"Config.MinVersion", Field, 2, ""},
+		{"Config.NameToCertificate", Field, 0, ""},
+		{"Config.NextProtos", Field, 0, ""},
+		{"Config.PreferServerCipherSuites", Field, 1, ""},
+		{"Config.Rand", Field, 0, ""},
+		{"Config.Renegotiation", Field, 7, ""},
+		{"Config.RootCAs", Field, 0, ""},
+		{"Config.ServerName", Field, 0, ""},
+		{"Config.SessionTicketKey", Field, 1, ""},
+		{"Config.SessionTicketsDisabled", Field, 1, ""},
+		{"Config.Time", Field, 0, ""},
+		{"Config.UnwrapSession", Field, 21, ""},
+		{"Config.VerifyConnection", Field, 15, ""},
+		{"Config.VerifyPeerCertificate", Field, 8, ""},
+		{"Config.WrapSession", Field, 21, ""},
+		{"Conn", Type, 0, ""},
+		{"ConnectionState", Type, 0, ""},
+		{"ConnectionState.CipherSuite", Field, 0, ""},
+		{"ConnectionState.CurveID", Field, 25, ""},
+		{"ConnectionState.DidResume", Field, 1, ""},
+		{"ConnectionState.ECHAccepted", Field, 23, ""},
+		{"ConnectionState.HandshakeComplete", Field, 0, ""},
+		{"ConnectionState.HelloRetryRequest", Field, 26, ""},
+		{"ConnectionState.NegotiatedProtocol", Field, 0, ""},
+		{"ConnectionState.NegotiatedProtocolIsMutual", Field, 0, ""},
+		{"ConnectionState.OCSPResponse", Field, 5, ""},
+		{"ConnectionState.PeerCertificates", Field, 0, ""},
+		{"ConnectionState.ServerName", Field, 0, ""},
+		{"ConnectionState.SignedCertificateTimestamps", Field, 5, ""},
+		{"ConnectionState.TLSUnique", Field, 4, ""},
+		{"ConnectionState.VerifiedChains", Field, 0, ""},
+		{"ConnectionState.Version", Field, 3, ""},
+		{"CurveID", Type, 3, ""},
+		{"CurveP256", Const, 3, ""},
+		{"CurveP384", Const, 3, ""},
+		{"CurveP521", Const, 3, ""},
+		{"Dial", Func, 0, "func(network string, addr string, config *Config) (*Conn, error)"},
+		{"DialWithDialer", Func, 3, "func(dialer *net.Dialer, network string, addr string, config *Config) (*Conn, error)"},
+		{"Dialer", Type, 15, ""},
+		{"Dialer.Config", Field, 15, ""},
+		{"Dialer.NetDialer", Field, 15, ""},
+		{"ECDSAWithP256AndSHA256", Const, 8, ""},
+		{"ECDSAWithP384AndSHA384", Const, 8, ""},
+		{"ECDSAWithP521AndSHA512", Const, 8, ""},
+		{"ECDSAWithSHA1", Const, 10, ""},
+		{"ECHRejectionError", Type, 23, ""},
+		{"ECHRejectionError.RetryConfigList", Field, 23, ""},
+		{"Ed25519", Const, 13, ""},
+		{"EncryptedClientHelloKey", Type, 24, ""},
+		{"EncryptedClientHelloKey.Config", Field, 24, ""},
+		{"EncryptedClientHelloKey.PrivateKey", Field, 24, ""},
+		{"EncryptedClientHelloKey.SendAsRetry", Field, 24, ""},
+		{"InsecureCipherSuites", Func, 14, "func() []*CipherSuite"},
+		{"Listen", Func, 0, "func(network string, laddr string, config *Config) (net.Listener, error)"},
+		{"LoadX509KeyPair", Func, 0, "func(certFile string, keyFile string) (Certificate, error)"},
+		{"NewLRUClientSessionCache", Func, 3, "func(capacity int) ClientSessionCache"},
+		{"NewListener", Func, 0, "func(inner net.Listener, config *Config) net.Listener"},
+		{"NewResumptionState", Func, 21, "func(ticket []byte, state *SessionState) (*ClientSessionState, error)"},
+		{"NoClientCert", Const, 0, ""},
+		{"PKCS1WithSHA1", Const, 8, ""},
+		{"PKCS1WithSHA256", Const, 8, ""},
+		{"PKCS1WithSHA384", Const, 8, ""},
+		{"PKCS1WithSHA512", Const, 8, ""},
+		{"PSSWithSHA256", Const, 8, ""},
+		{"PSSWithSHA384", Const, 8, ""},
+		{"PSSWithSHA512", Const, 8, ""},
+		{"ParseSessionState", Func, 21, "func(data []byte) (*SessionState, error)"},
+		{"QUICClient", Func, 21, "func(config *QUICConfig) *QUICConn"},
+		{"QUICConfig", Type, 21, ""},
+		{"QUICConfig.EnableSessionEvents", Field, 23, ""},
+		{"QUICConfig.TLSConfig", Field, 21, ""},
+		{"QUICConn", Type, 21, ""},
+		{"QUICEncryptionLevel", Type, 21, ""},
+		{"QUICEncryptionLevelApplication", Const, 21, ""},
+		{"QUICEncryptionLevelEarly", Const, 21, ""},
+		{"QUICEncryptionLevelHandshake", Const, 21, ""},
+		{"QUICEncryptionLevelInitial", Const, 21, ""},
+		{"QUICErrorEvent", Const, 26, ""},
+		{"QUICEvent", Type, 21, ""},
+		{"QUICEvent.Data", Field, 21, ""},
+		{"QUICEvent.Err", Field, 26, ""},
+		{"QUICEvent.Kind", Field, 21, ""},
+		{"QUICEvent.Level", Field, 21, ""},
+		{"QUICEvent.SessionState", Field, 23, ""},
+		{"QUICEvent.Suite", Field, 21, ""},
+		{"QUICEventKind", Type, 21, ""},
+		{"QUICHandshakeDone", Const, 21, ""},
+		{"QUICNoEvent", Const, 21, ""},
+		{"QUICRejectedEarlyData", Const, 21, ""},
+		{"QUICResumeSession", Const, 23, ""},
+		{"QUICServer", Func, 21, "func(config *QUICConfig) *QUICConn"},
+		{"QUICSessionTicketOptions", Type, 21, ""},
+		{"QUICSessionTicketOptions.EarlyData", Field, 21, ""},
+		{"QUICSessionTicketOptions.Extra", Field, 23, ""},
+		{"QUICSetReadSecret", Const, 21, ""},
+		{"QUICSetWriteSecret", Const, 21, ""},
+		{"QUICStoreSession", Const, 23, ""},
+		{"QUICTransportParameters", Const, 21, ""},
+		{"QUICTransportParametersRequired", Const, 21, ""},
+		{"QUICWriteData", Const, 21, ""},
+		{"RecordHeaderError", Type, 6, ""},
+		{"RecordHeaderError.Conn", Field, 12, ""},
+		{"RecordHeaderError.Msg", Field, 6, ""},
+		{"RecordHeaderError.RecordHeader", Field, 6, ""},
+		{"RenegotiateFreelyAsClient", Const, 7, ""},
+		{"RenegotiateNever", Const, 7, ""},
+		{"RenegotiateOnceAsClient", Const, 7, ""},
+		{"RenegotiationSupport", Type, 7, ""},
+		{"RequestClientCert", Const, 0, ""},
+		{"RequireAndVerifyClientCert", Const, 0, ""},
+		{"RequireAnyClientCert", Const, 0, ""},
+		{"SecP256r1MLKEM768", Const, 26, ""},
+		{"SecP384r1MLKEM1024", Const, 26, ""},
+		{"Server", Func, 0, "func(conn net.Conn, config *Config) *Conn"},
+		{"SessionState", Type, 21, ""},
+		{"SessionState.EarlyData", Field, 21, ""},
+		{"SessionState.Extra", Field, 21, ""},
+		{"SignatureScheme", Type, 8, ""},
+		{"TLS_AES_128_GCM_SHA256", Const, 12, ""},
+		{"TLS_AES_256_GCM_SHA384", Const, 12, ""},
+		{"TLS_CHACHA20_POLY1305_SHA256", Const, 12, ""},
+		{"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", Const, 2, ""},
+		{"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", Const, 8, ""},
+		{"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", Const, 2, ""},
+		{"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", Const, 2, ""},
+		{"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", Const, 5, ""},
+		{"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305", Const, 8, ""},
+		{"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", Const, 14, ""},
+		{"TLS_ECDHE_ECDSA_WITH_RC4_128_SHA", Const, 2, ""},
+		{"TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", Const, 0, ""},
+		{"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", Const, 0, ""},
+		{"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", Const, 8, ""},
+		{"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", Const, 2, ""},
+		{"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", Const, 1, ""},
+		{"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", Const, 5, ""},
+		{"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305", Const, 8, ""},
+		{"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", Const, 14, ""},
+		{"TLS_ECDHE_RSA_WITH_RC4_128_SHA", Const, 0, ""},
+		{"TLS_FALLBACK_SCSV", Const, 4, ""},
+		{"TLS_RSA_WITH_3DES_EDE_CBC_SHA", Const, 0, ""},
+		{"TLS_RSA_WITH_AES_128_CBC_SHA", Const, 0, ""},
+		{"TLS_RSA_WITH_AES_128_CBC_SHA256", Const, 8, ""},
+		{"TLS_RSA_WITH_AES_128_GCM_SHA256", Const, 6, ""},
+		{"TLS_RSA_WITH_AES_256_CBC_SHA", Const, 1, ""},
+		{"TLS_RSA_WITH_AES_256_GCM_SHA384", Const, 6, ""},
+		{"TLS_RSA_WITH_RC4_128_SHA", Const, 0, ""},
+		{"VerifyClientCertIfGiven", Const, 0, ""},
+		{"VersionName", Func, 21, "func(version uint16) string"},
+		{"VersionSSL30", Const, 2, ""},
+		{"VersionTLS10", Const, 2, ""},
+		{"VersionTLS11", Const, 2, ""},
+		{"VersionTLS12", Const, 2, ""},
+		{"VersionTLS13", Const, 12, ""},
+		{"X25519", Const, 8, ""},
+		{"X25519MLKEM768", Const, 24, ""},
+		{"X509KeyPair", Func, 0, "func(certPEMBlock []byte, keyPEMBlock []byte) (Certificate, error)"},
+	},
+	"crypto/x509": {
+		{"(*CertPool).AddCert", Method, 0, ""},
+		{"(*CertPool).AddCertWithConstraint", Method, 22, ""},
+		{"(*CertPool).AppendCertsFromPEM", Method, 0, ""},
+		{"(*CertPool).Clone", Method, 19, ""},
+		{"(*CertPool).Equal", Method, 19, ""},
+		{"(*CertPool).Subjects", Method, 0, ""},
+		{"(*Certificate).CheckCRLSignature", Method, 0, ""},
+		{"(*Certificate).CheckSignature", Method, 0, ""},
+		{"(*Certificate).CheckSignatureFrom", Method, 0, ""},
+		{"(*Certificate).CreateCRL", Method, 0, ""},
+		{"(*Certificate).Equal", Method, 0, ""},
+		{"(*Certificate).Verify", Method, 0, ""},
+		{"(*Certificate).VerifyHostname", Method, 0, ""},
+		{"(*CertificateRequest).CheckSignature", Method, 5, ""},
+		{"(*OID).UnmarshalBinary", Method, 23, ""},
+		{"(*OID).UnmarshalText", Method, 23, ""},
+		{"(*RevocationList).CheckSignatureFrom", Method, 19, ""},
+		{"(CertificateInvalidError).Error", Method, 0, ""},
+		{"(ConstraintViolationError).Error", Method, 0, ""},
+		{"(ExtKeyUsage).OID", Method, 26, ""},
+		{"(ExtKeyUsage).String", Method, 26, ""},
+		{"(HostnameError).Error", Method, 0, ""},
+		{"(InsecureAlgorithmError).Error", Method, 6, ""},
+		{"(KeyUsage).String", Method, 26, ""},
+		{"(OID).AppendBinary", Method, 24, ""},
+		{"(OID).AppendText", Method, 24, ""},
+		{"(OID).Equal", Method, 22, ""},
+		{"(OID).EqualASN1OID", Method, 22, ""},
+		{"(OID).MarshalBinary", Method, 23, ""},
+		{"(OID).MarshalText", Method, 23, ""},
+		{"(OID).String", Method, 22, ""},
+		{"(PublicKeyAlgorithm).String", Method, 10, ""},
+		{"(SignatureAlgorithm).String", Method, 6, ""},
+		{"(SystemRootsError).Error", Method, 1, ""},
+		{"(SystemRootsError).Unwrap", Method, 16, ""},
+		{"(UnhandledCriticalExtension).Error", Method, 0, ""},
+		{"(UnknownAuthorityError).Error", Method, 0, ""},
+		{"CANotAuthorizedForExtKeyUsage", Const, 10, ""},
+		{"CANotAuthorizedForThisName", Const, 0, ""},
+		{"CertPool", Type, 0, ""},
+		{"Certificate", Type, 0, ""},
+		{"Certificate.AuthorityKeyId", Field, 0, ""},
+		{"Certificate.BasicConstraintsValid", Field, 0, ""},
+		{"Certificate.CRLDistributionPoints", Field, 2, ""},
+		{"Certificate.DNSNames", Field, 0, ""},
+		{"Certificate.EmailAddresses", Field, 0, ""},
+		{"Certificate.ExcludedDNSDomains", Field, 9, ""},
+		{"Certificate.ExcludedEmailAddresses", Field, 10, ""},
+		{"Certificate.ExcludedIPRanges", Field, 10, ""},
+		{"Certificate.ExcludedURIDomains", Field, 10, ""},
+		{"Certificate.ExtKeyUsage", Field, 0, ""},
+		{"Certificate.Extensions", Field, 2, ""},
+		{"Certificate.ExtraExtensions", Field, 2, ""},
+		{"Certificate.IPAddresses", Field, 1, ""},
+		{"Certificate.InhibitAnyPolicy", Field, 24, ""},
+		{"Certificate.InhibitAnyPolicyZero", Field, 24, ""},
+		{"Certificate.InhibitPolicyMapping", Field, 24, ""},
+		{"Certificate.InhibitPolicyMappingZero", Field, 24, ""},
+		{"Certificate.IsCA", Field, 0, ""},
+		{"Certificate.Issuer", Field, 0, ""},
+		{"Certificate.IssuingCertificateURL", Field, 2, ""},
+		{"Certificate.KeyUsage", Field, 0, ""},
+		{"Certificate.MaxPathLen", Field, 0, ""},
+		{"Certificate.MaxPathLenZero", Field, 4, ""},
+		{"Certificate.NotAfter", Field, 0, ""},
+		{"Certificate.NotBefore", Field, 0, ""},
+		{"Certificate.OCSPServer", Field, 2, ""},
+		{"Certificate.PermittedDNSDomains", Field, 0, ""},
+		{"Certificate.PermittedDNSDomainsCritical", Field, 0, ""},
+		{"Certificate.PermittedEmailAddresses", Field, 10, ""},
+		{"Certificate.PermittedIPRanges", Field, 10, ""},
+		{"Certificate.PermittedURIDomains", Field, 10, ""},
+		{"Certificate.Policies", Field, 22, ""},
+		{"Certificate.PolicyIdentifiers", Field, 0, ""},
+		{"Certificate.PolicyMappings", Field, 24, ""},
+		{"Certificate.PublicKey", Field, 0, ""},
+		{"Certificate.PublicKeyAlgorithm", Field, 0, ""},
+		{"Certificate.Raw", Field, 0, ""},
+		{"Certificate.RawIssuer", Field, 0, ""},
+		{"Certificate.RawSubject", Field, 0, ""},
+		{"Certificate.RawSubjectPublicKeyInfo", Field, 0, ""},
+		{"Certificate.RawTBSCertificate", Field, 0, ""},
+		{"Certificate.RequireExplicitPolicy", Field, 24, ""},
+		{"Certificate.RequireExplicitPolicyZero", Field, 24, ""},
+		{"Certificate.SerialNumber", Field, 0, ""},
+		{"Certificate.Signature", Field, 0, ""},
+		{"Certificate.SignatureAlgorithm", Field, 0, ""},
+		{"Certificate.Subject", Field, 0, ""},
+		{"Certificate.SubjectKeyId", Field, 0, ""},
+		{"Certificate.URIs", Field, 10, ""},
+		{"Certificate.UnhandledCriticalExtensions", Field, 5, ""},
+		{"Certificate.UnknownExtKeyUsage", Field, 0, ""},
+		{"Certificate.Version", Field, 0, ""},
+		{"CertificateInvalidError", Type, 0, ""},
+		{"CertificateInvalidError.Cert", Field, 0, ""},
+		{"CertificateInvalidError.Detail", Field, 10, ""},
+		{"CertificateInvalidError.Reason", Field, 0, ""},
+		{"CertificateRequest", Type, 3, ""},
+		{"CertificateRequest.Attributes", Field, 3, ""},
+		{"CertificateRequest.DNSNames", Field, 3, ""},
+		{"CertificateRequest.EmailAddresses", Field, 3, ""},
+		{"CertificateRequest.Extensions", Field, 3, ""},
+		{"CertificateRequest.ExtraExtensions", Field, 3, ""},
+		{"CertificateRequest.IPAddresses", Field, 3, ""},
+		{"CertificateRequest.PublicKey", Field, 3, ""},
+		{"CertificateRequest.PublicKeyAlgorithm", Field, 3, ""},
+		{"CertificateRequest.Raw", Field, 3, ""},
+		{"CertificateRequest.RawSubject", Field, 3, ""},
+		{"CertificateRequest.RawSubjectPublicKeyInfo", Field, 3, ""},
+		{"CertificateRequest.RawTBSCertificateRequest", Field, 3, ""},
+		{"CertificateRequest.Signature", Field, 3, ""},
+		{"CertificateRequest.SignatureAlgorithm", Field, 3, ""},
+		{"CertificateRequest.Subject", Field, 3, ""},
+		{"CertificateRequest.URIs", Field, 10, ""},
+		{"CertificateRequest.Version", Field, 3, ""},
+		{"ConstraintViolationError", Type, 0, ""},
+		{"CreateCertificate", Func, 0, "func(rand io.Reader, template *Certificate, parent *Certificate, pub any, priv any) ([]byte, error)"},
+		{"CreateCertificateRequest", Func, 3, "func(rand io.Reader, template *CertificateRequest, priv any) (csr []byte, err error)"},
+		{"CreateRevocationList", Func, 15, "func(rand io.Reader, template *RevocationList, issuer *Certificate, priv crypto.Signer) ([]byte, error)"},
+		{"DSA", Const, 0, ""},
+		{"DSAWithSHA1", Const, 0, ""},
+		{"DSAWithSHA256", Const, 0, ""},
+		{"DecryptPEMBlock", Func, 1, "func(b *pem.Block, password []byte) ([]byte, error)"},
+		{"ECDSA", Const, 1, ""},
+		{"ECDSAWithSHA1", Const, 1, ""},
+		{"ECDSAWithSHA256", Const, 1, ""},
+		{"ECDSAWithSHA384", Const, 1, ""},
+		{"ECDSAWithSHA512", Const, 1, ""},
+		{"Ed25519", Const, 13, ""},
+		{"EncryptPEMBlock", Func, 1, "func(rand io.Reader, blockType string, data []byte, password []byte, alg PEMCipher) (*pem.Block, error)"},
+		{"ErrUnsupportedAlgorithm", Var, 0, ""},
+		{"Expired", Const, 0, ""},
+		{"ExtKeyUsage", Type, 0, ""},
+		{"ExtKeyUsageAny", Const, 0, ""},
+		{"ExtKeyUsageClientAuth", Const, 0, ""},
+		{"ExtKeyUsageCodeSigning", Const, 0, ""},
+		{"ExtKeyUsageEmailProtection", Const, 0, ""},
+		{"ExtKeyUsageIPSECEndSystem", Const, 1, ""},
+		{"ExtKeyUsageIPSECTunnel", Const, 1, ""},
+		{"ExtKeyUsageIPSECUser", Const, 1, ""},
+		{"ExtKeyUsageMicrosoftCommercialCodeSigning", Const, 10, ""},
+		{"ExtKeyUsageMicrosoftKernelCodeSigning", Const, 10, ""},
+		{"ExtKeyUsageMicrosoftServerGatedCrypto", Const, 1, ""},
+		{"ExtKeyUsageNetscapeServerGatedCrypto", Const, 1, ""},
+		{"ExtKeyUsageOCSPSigning", Const, 0, ""},
+		{"ExtKeyUsageServerAuth", Const, 0, ""},
+		{"ExtKeyUsageTimeStamping", Const, 0, ""},
+		{"HostnameError", Type, 0, ""},
+		{"HostnameError.Certificate", Field, 0, ""},
+		{"HostnameError.Host", Field, 0, ""},
+		{"IncompatibleUsage", Const, 1, ""},
+		{"IncorrectPasswordError", Var, 1, ""},
+		{"InsecureAlgorithmError", Type, 6, ""},
+		{"InvalidReason", Type, 0, ""},
+		{"IsEncryptedPEMBlock", Func, 1, "func(b *pem.Block) bool"},
+		{"KeyUsage", Type, 0, ""},
+		{"KeyUsageCRLSign", Const, 0, ""},
+		{"KeyUsageCertSign", Const, 0, ""},
+		{"KeyUsageContentCommitment", Const, 0, ""},
+		{"KeyUsageDataEncipherment", Const, 0, ""},
+		{"KeyUsageDecipherOnly", Const, 0, ""},
+		{"KeyUsageDigitalSignature", Const, 0, ""},
+		{"KeyUsageEncipherOnly", Const, 0, ""},
+		{"KeyUsageKeyAgreement", Const, 0, ""},
+		{"KeyUsageKeyEncipherment", Const, 0, ""},
+		{"MD2WithRSA", Const, 0, ""},
+		{"MD5WithRSA", Const, 0, ""},
+		{"MarshalECPrivateKey", Func, 2, "func(key *ecdsa.PrivateKey) ([]byte, error)"},
+		{"MarshalPKCS1PrivateKey", Func, 0, "func(key *rsa.PrivateKey) []byte"},
+		{"MarshalPKCS1PublicKey", Func, 10, "func(key *rsa.PublicKey) []byte"},
+		{"MarshalPKCS8PrivateKey", Func, 10, "func(key any) ([]byte, error)"},
+		{"MarshalPKIXPublicKey", Func, 0, "func(pub any) ([]byte, error)"},
+		{"NameConstraintsWithoutSANs", Const, 10, ""},
+		{"NameMismatch", Const, 8, ""},
+		{"NewCertPool", Func, 0, "func() *CertPool"},
+		{"NoValidChains", Const, 24, ""},
+		{"NotAuthorizedToSign", Const, 0, ""},
+		{"OID", Type, 22, ""},
+		{"OIDFromASN1OID", Func, 26, "func(asn1OID asn1.ObjectIdentifier) (OID, error)"},
+		{"OIDFromInts", Func, 22, "func(oid []uint64) (OID, error)"},
+		{"PEMCipher", Type, 1, ""},
+		{"PEMCipher3DES", Const, 1, ""},
+		{"PEMCipherAES128", Const, 1, ""},
+		{"PEMCipherAES192", Const, 1, ""},
+		{"PEMCipherAES256", Const, 1, ""},
+		{"PEMCipherDES", Const, 1, ""},
+		{"ParseCRL", Func, 0, "func(crlBytes []byte) (*pkix.CertificateList, error)"},
+		{"ParseCertificate", Func, 0, "func(der []byte) (*Certificate, error)"},
+		{"ParseCertificateRequest", Func, 3, "func(asn1Data []byte) (*CertificateRequest, error)"},
+		{"ParseCertificates", Func, 0, "func(der []byte) ([]*Certificate, error)"},
+		{"ParseDERCRL", Func, 0, "func(derBytes []byte) (*pkix.CertificateList, error)"},
+		{"ParseECPrivateKey", Func, 1, "func(der []byte) (*ecdsa.PrivateKey, error)"},
+		{"ParseOID", Func, 23, "func(oid string) (OID, error)"},
+		{"ParsePKCS1PrivateKey", Func, 0, "func(der []byte) (*rsa.PrivateKey, error)"},
+		{"ParsePKCS1PublicKey", Func, 10, "func(der []byte) (*rsa.PublicKey, error)"},
+		{"ParsePKCS8PrivateKey", Func, 0, "func(der []byte) (key any, err error)"},
+		{"ParsePKIXPublicKey", Func, 0, "func(derBytes []byte) (pub any, err error)"},
+		{"ParseRevocationList", Func, 19, "func(der []byte) (*RevocationList, error)"},
+		{"PolicyMapping", Type, 24, ""},
+		{"PolicyMapping.IssuerDomainPolicy", Field, 24, ""},
+		{"PolicyMapping.SubjectDomainPolicy", Field, 24, ""},
+		{"PublicKeyAlgorithm", Type, 0, ""},
+		{"PureEd25519", Const, 13, ""},
+		{"RSA", Const, 0, ""},
+		{"RevocationList", Type, 15, ""},
+		{"RevocationList.AuthorityKeyId", Field, 19, ""},
+		{"RevocationList.Extensions", Field, 19, ""},
+		{"RevocationList.ExtraExtensions", Field, 15, ""},
+		{"RevocationList.Issuer", Field, 19, ""},
+		{"RevocationList.NextUpdate", Field, 15, ""},
+		{"RevocationList.Number", Field, 15, ""},
+		{"RevocationList.Raw", Field, 19, ""},
+		{"RevocationList.RawIssuer", Field, 19, ""},
+		{"RevocationList.RawTBSRevocationList", Field, 19, ""},
+		{"RevocationList.RevokedCertificateEntries", Field, 21, ""},
+		{"RevocationList.RevokedCertificates", Field, 15, ""},
+		{"RevocationList.Signature", Field, 19, ""},
+		{"RevocationList.SignatureAlgorithm", Field, 15, ""},
+		{"RevocationList.ThisUpdate", Field, 15, ""},
+		{"RevocationListEntry", Type, 21, ""},
+		{"RevocationListEntry.Extensions", Field, 21, ""},
+		{"RevocationListEntry.ExtraExtensions", Field, 21, ""},
+		{"RevocationListEntry.Raw", Field, 21, ""},
+		{"RevocationListEntry.ReasonCode", Field, 21, ""},
+		{"RevocationListEntry.RevocationTime", Field, 21, ""},
+		{"RevocationListEntry.SerialNumber", Field, 21, ""},
+		{"SHA1WithRSA", Const, 0, ""},
+		{"SHA256WithRSA", Const, 0, ""},
+		{"SHA256WithRSAPSS", Const, 8, ""},
+		{"SHA384WithRSA", Const, 0, ""},
+		{"SHA384WithRSAPSS", Const, 8, ""},
+		{"SHA512WithRSA", Const, 0, ""},
+		{"SHA512WithRSAPSS", Const, 8, ""},
+		{"SetFallbackRoots", Func, 20, "func(roots *CertPool)"},
+		{"SignatureAlgorithm", Type, 0, ""},
+		{"SystemCertPool", Func, 7, "func() (*CertPool, error)"},
+		{"SystemRootsError", Type, 1, ""},
+		{"SystemRootsError.Err", Field, 7, ""},
+		{"TooManyConstraints", Const, 10, ""},
+		{"TooManyIntermediates", Const, 0, ""},
+		{"UnconstrainedName", Const, 10, ""},
+		{"UnhandledCriticalExtension", Type, 0, ""},
+		{"UnknownAuthorityError", Type, 0, ""},
+		{"UnknownAuthorityError.Cert", Field, 8, ""},
+		{"UnknownPublicKeyAlgorithm", Const, 0, ""},
+		{"UnknownSignatureAlgorithm", Const, 0, ""},
+		{"VerifyOptions", Type, 0, ""},
+		{"VerifyOptions.CertificatePolicies", Field, 24, ""},
+		{"VerifyOptions.CurrentTime", Field, 0, ""},
+		{"VerifyOptions.DNSName", Field, 0, ""},
+		{"VerifyOptions.Intermediates", Field, 0, ""},
+		{"VerifyOptions.KeyUsages", Field, 1, ""},
+		{"VerifyOptions.MaxConstraintComparisions", Field, 10, ""},
+		{"VerifyOptions.Roots", Field, 0, ""},
+	},
+	"crypto/x509/pkix": {
+		{"(*CertificateList).HasExpired", Method, 0, ""},
+		{"(*Name).FillFromRDNSequence", Method, 0, ""},
+		{"(Name).String", Method, 10, ""},
+		{"(Name).ToRDNSequence", Method, 0, ""},
+		{"(RDNSequence).String", Method, 10, ""},
+		{"AlgorithmIdentifier", Type, 0, ""},
+		{"AlgorithmIdentifier.Algorithm", Field, 0, ""},
+		{"AlgorithmIdentifier.Parameters", Field, 0, ""},
+		{"AttributeTypeAndValue", Type, 0, ""},
+		{"AttributeTypeAndValue.Type", Field, 0, ""},
+		{"AttributeTypeAndValue.Value", Field, 0, ""},
+		{"AttributeTypeAndValueSET", Type, 3, ""},
+		{"AttributeTypeAndValueSET.Type", Field, 3, ""},
+		{"AttributeTypeAndValueSET.Value", Field, 3, ""},
+		{"CertificateList", Type, 0, ""},
+		{"CertificateList.SignatureAlgorithm", Field, 0, ""},
+		{"CertificateList.SignatureValue", Field, 0, ""},
+		{"CertificateList.TBSCertList", Field, 0, ""},
+		{"Extension", Type, 0, ""},
+		{"Extension.Critical", Field, 0, ""},
+		{"Extension.Id", Field, 0, ""},
+		{"Extension.Value", Field, 0, ""},
+		{"Name", Type, 0, ""},
+		{"Name.CommonName", Field, 0, ""},
+		{"Name.Country", Field, 0, ""},
+		{"Name.ExtraNames", Field, 5, ""},
+		{"Name.Locality", Field, 0, ""},
+		{"Name.Names", Field, 0, ""},
+		{"Name.Organization", Field, 0, ""},
+		{"Name.OrganizationalUnit", Field, 0, ""},
+		{"Name.PostalCode", Field, 0, ""},
+		{"Name.Province", Field, 0, ""},
+		{"Name.SerialNumber", Field, 0, ""},
+		{"Name.StreetAddress", Field, 0, ""},
+		{"RDNSequence", Type, 0, ""},
+		{"RelativeDistinguishedNameSET", Type, 0, ""},
+		{"RevokedCertificate", Type, 0, ""},
+		{"RevokedCertificate.Extensions", Field, 0, ""},
+		{"RevokedCertificate.RevocationTime", Field, 0, ""},
+		{"RevokedCertificate.SerialNumber", Field, 0, ""},
+		{"TBSCertificateList", Type, 0, ""},
+		{"TBSCertificateList.Extensions", Field, 0, ""},
+		{"TBSCertificateList.Issuer", Field, 0, ""},
+		{"TBSCertificateList.NextUpdate", Field, 0, ""},
+		{"TBSCertificateList.Raw", Field, 0, ""},
+		{"TBSCertificateList.RevokedCertificates", Field, 0, ""},
+		{"TBSCertificateList.Signature", Field, 0, ""},
+		{"TBSCertificateList.ThisUpdate", Field, 0, ""},
+		{"TBSCertificateList.Version", Field, 0, ""},
+	},
+	"database/sql": {
+		{"(*ColumnType).DatabaseTypeName", Method, 8, ""},
+		{"(*ColumnType).DecimalSize", Method, 8, ""},
+		{"(*ColumnType).Length", Method, 8, ""},
+		{"(*ColumnType).Name", Method, 8, ""},
+		{"(*ColumnType).Nullable", Method, 8, ""},
+		{"(*ColumnType).ScanType", Method, 8, ""},
+		{"(*Conn).BeginTx", Method, 9, ""},
+		{"(*Conn).Close", Method, 9, ""},
+		{"(*Conn).ExecContext", Method, 9, ""},
+		{"(*Conn).PingContext", Method, 9, ""},
+		{"(*Conn).PrepareContext", Method, 9, ""},
+		{"(*Conn).QueryContext", Method, 9, ""},
+		{"(*Conn).QueryRowContext", Method, 9, ""},
+		{"(*Conn).Raw", Method, 13, ""},
+		{"(*DB).Begin", Method, 0, ""},
+		{"(*DB).BeginTx", Method, 8, ""},
+		{"(*DB).Close", Method, 0, ""},
+		{"(*DB).Conn", Method, 9, ""},
+		{"(*DB).Driver", Method, 0, ""},
+		{"(*DB).Exec", Method, 0, ""},
+		{"(*DB).ExecContext", Method, 8, ""},
+		{"(*DB).Ping", Method, 1, ""},
+		{"(*DB).PingContext", Method, 8, ""},
+		{"(*DB).Prepare", Method, 0, ""},
+		{"(*DB).PrepareContext", Method, 8, ""},
+		{"(*DB).Query", Method, 0, ""},
+		{"(*DB).QueryContext", Method, 8, ""},
+		{"(*DB).QueryRow", Method, 0, ""},
+		{"(*DB).QueryRowContext", Method, 8, ""},
+		{"(*DB).SetConnMaxIdleTime", Method, 15, ""},
+		{"(*DB).SetConnMaxLifetime", Method, 6, ""},
+		{"(*DB).SetMaxIdleConns", Method, 1, ""},
+		{"(*DB).SetMaxOpenConns", Method, 2, ""},
+		{"(*DB).Stats", Method, 5, ""},
+		{"(*Null).Scan", Method, 22, ""},
+		{"(*NullBool).Scan", Method, 0, ""},
+		{"(*NullByte).Scan", Method, 17, ""},
+		{"(*NullFloat64).Scan", Method, 0, ""},
+		{"(*NullInt16).Scan", Method, 17, ""},
+		{"(*NullInt32).Scan", Method, 13, ""},
+		{"(*NullInt64).Scan", Method, 0, ""},
+		{"(*NullString).Scan", Method, 0, ""},
+		{"(*NullTime).Scan", Method, 13, ""},
+		{"(*Row).Err", Method, 15, ""},
+		{"(*Row).Scan", Method, 0, ""},
+		{"(*Rows).Close", Method, 0, ""},
+		{"(*Rows).ColumnTypes", Method, 8, ""},
+		{"(*Rows).Columns", Method, 0, ""},
+		{"(*Rows).Err", Method, 0, ""},
+		{"(*Rows).Next", Method, 0, ""},
+		{"(*Rows).NextResultSet", Method, 8, ""},
+		{"(*Rows).Scan", Method, 0, ""},
+		{"(*Stmt).Close", Method, 0, ""},
+		{"(*Stmt).Exec", Method, 0, ""},
+		{"(*Stmt).ExecContext", Method, 8, ""},
+		{"(*Stmt).Query", Method, 0, ""},
+		{"(*Stmt).QueryContext", Method, 8, ""},
+		{"(*Stmt).QueryRow", Method, 0, ""},
+		{"(*Stmt).QueryRowContext", Method, 8, ""},
+		{"(*Tx).Commit", Method, 0, ""},
+		{"(*Tx).Exec", Method, 0, ""},
+		{"(*Tx).ExecContext", Method, 8, ""},
+		{"(*Tx).Prepare", Method, 0, ""},
+		{"(*Tx).PrepareContext", Method, 8, ""},
+		{"(*Tx).Query", Method, 0, ""},
+		{"(*Tx).QueryContext", Method, 8, ""},
+		{"(*Tx).QueryRow", Method, 0, ""},
+		{"(*Tx).QueryRowContext", Method, 8, ""},
+		{"(*Tx).Rollback", Method, 0, ""},
+		{"(*Tx).Stmt", Method, 0, ""},
+		{"(*Tx).StmtContext", Method, 8, ""},
+		{"(IsolationLevel).String", Method, 11, ""},
+		{"(Null).Value", Method, 22, ""},
+		{"(NullBool).Value", Method, 0, ""},
+		{"(NullByte).Value", Method, 17, ""},
+		{"(NullFloat64).Value", Method, 0, ""},
+		{"(NullInt16).Value", Method, 17, ""},
+		{"(NullInt32).Value", Method, 13, ""},
+		{"(NullInt64).Value", Method, 0, ""},
+		{"(NullString).Value", Method, 0, ""},
+		{"(NullTime).Value", Method, 13, ""},
+		{"(Result).LastInsertId", Method, 0, ""},
+		{"(Result).RowsAffected", Method, 0, ""},
+		{"(Scanner).Scan", Method, 0, ""},
+		{"ColumnType", Type, 8, ""},
+		{"Conn", Type, 9, ""},
+		{"DB", Type, 0, ""},
+		{"DBStats", Type, 5, ""},
+		{"DBStats.Idle", Field, 11, ""},
+		{"DBStats.InUse", Field, 11, ""},
+		{"DBStats.MaxIdleClosed", Field, 11, ""},
+		{"DBStats.MaxIdleTimeClosed", Field, 15, ""},
+		{"DBStats.MaxLifetimeClosed", Field, 11, ""},
+		{"DBStats.MaxOpenConnections", Field, 11, ""},
+		{"DBStats.OpenConnections", Field, 5, ""},
+		{"DBStats.WaitCount", Field, 11, ""},
+		{"DBStats.WaitDuration", Field, 11, ""},
+		{"Drivers", Func, 4, "func() []string"},
+		{"ErrConnDone", Var, 9, ""},
+		{"ErrNoRows", Var, 0, ""},
+		{"ErrTxDone", Var, 0, ""},
+		{"IsolationLevel", Type, 8, ""},
+		{"LevelDefault", Const, 8, ""},
+		{"LevelLinearizable", Const, 8, ""},
+		{"LevelReadCommitted", Const, 8, ""},
+		{"LevelReadUncommitted", Const, 8, ""},
+		{"LevelRepeatableRead", Const, 8, ""},
+		{"LevelSerializable", Const, 8, ""},
+		{"LevelSnapshot", Const, 8, ""},
+		{"LevelWriteCommitted", Const, 8, ""},
+		{"Named", Func, 8, "func(name string, value any) NamedArg"},
+		{"NamedArg", Type, 8, ""},
+		{"NamedArg.Name", Field, 8, ""},
+		{"NamedArg.Value", Field, 8, ""},
+		{"Null", Type, 22, ""},
+		{"NullBool", Type, 0, ""},
+		{"NullBool.Bool", Field, 0, ""},
+		{"NullBool.Valid", Field, 0, ""},
+		{"NullByte", Type, 17, ""},
+		{"NullByte.Byte", Field, 17, ""},
+		{"NullByte.Valid", Field, 17, ""},
+		{"NullFloat64", Type, 0, ""},
+		{"NullFloat64.Float64", Field, 0, ""},
+		{"NullFloat64.Valid", Field, 0, ""},
+		{"NullInt16", Type, 17, ""},
+		{"NullInt16.Int16", Field, 17, ""},
+		{"NullInt16.Valid", Field, 17, ""},
+		{"NullInt32", Type, 13, ""},
+		{"NullInt32.Int32", Field, 13, ""},
+		{"NullInt32.Valid", Field, 13, ""},
+		{"NullInt64", Type, 0, ""},
+		{"NullInt64.Int64", Field, 0, ""},
+		{"NullInt64.Valid", Field, 0, ""},
+		{"NullString", Type, 0, ""},
+		{"NullString.String", Field, 0, ""},
+		{"NullString.Valid", Field, 0, ""},
+		{"NullTime", Type, 13, ""},
+		{"NullTime.Time", Field, 13, ""},
+		{"NullTime.Valid", Field, 13, ""},
+		{"Open", Func, 0, "func(driverName string, dataSourceName string) (*DB, error)"},
+		{"OpenDB", Func, 10, "func(c driver.Connector) *DB"},
+		{"Out", Type, 9, ""},
+		{"Out.Dest", Field, 9, ""},
+		{"Out.In", Field, 9, ""},
+		{"RawBytes", Type, 0, ""},
+		{"Register", Func, 0, "func(name string, driver driver.Driver)"},
+		{"Result", Type, 0, ""},
+		{"Row", Type, 0, ""},
+		{"Rows", Type, 0, ""},
+		{"Scanner", Type, 0, ""},
+		{"Stmt", Type, 0, ""},
+		{"Tx", Type, 0, ""},
+		{"TxOptions", Type, 8, ""},
+		{"TxOptions.Isolation", Field, 8, ""},
+		{"TxOptions.ReadOnly", Field, 8, ""},
+	},
+	"database/sql/driver": {
+		{"(ColumnConverter).ColumnConverter", Method, 0, ""},
+		{"(Conn).Begin", Method, 0, ""},
+		{"(Conn).Close", Method, 0, ""},
+		{"(Conn).Prepare", Method, 0, ""},
+		{"(ConnBeginTx).BeginTx", Method, 8, ""},
+		{"(ConnPrepareContext).PrepareContext", Method, 8, ""},
+		{"(Connector).Connect", Method, 10, ""},
+		{"(Connector).Driver", Method, 10, ""},
+		{"(Driver).Open", Method, 0, ""},
+		{"(DriverContext).OpenConnector", Method, 10, ""},
+		{"(Execer).Exec", Method, 0, ""},
+		{"(ExecerContext).ExecContext", Method, 8, ""},
+		{"(NamedValueChecker).CheckNamedValue", Method, 9, ""},
+		{"(NotNull).ConvertValue", Method, 0, ""},
+		{"(Null).ConvertValue", Method, 0, ""},
+		{"(Pinger).Ping", Method, 8, ""},
+		{"(Queryer).Query", Method, 1, ""},
+		{"(QueryerContext).QueryContext", Method, 8, ""},
+		{"(Result).LastInsertId", Method, 0, ""},
+		{"(Result).RowsAffected", Method, 0, ""},
+		{"(Rows).Close", Method, 0, ""},
+		{"(Rows).Columns", Method, 0, ""},
+		{"(Rows).Next", Method, 0, ""},
+		{"(RowsAffected).LastInsertId", Method, 0, ""},
+		{"(RowsAffected).RowsAffected", Method, 0, ""},
+		{"(RowsColumnTypeDatabaseTypeName).Close", Method, 8, ""},
+		{"(RowsColumnTypeDatabaseTypeName).ColumnTypeDatabaseTypeName", Method, 8, ""},
+		{"(RowsColumnTypeDatabaseTypeName).Columns", Method, 8, ""},
+		{"(RowsColumnTypeDatabaseTypeName).Next", Method, 8, ""},
+		{"(RowsColumnTypeLength).Close", Method, 8, ""},
+		{"(RowsColumnTypeLength).ColumnTypeLength", Method, 8, ""},
+		{"(RowsColumnTypeLength).Columns", Method, 8, ""},
+		{"(RowsColumnTypeLength).Next", Method, 8, ""},
+		{"(RowsColumnTypeNullable).Close", Method, 8, ""},
+		{"(RowsColumnTypeNullable).ColumnTypeNullable", Method, 8, ""},
+		{"(RowsColumnTypeNullable).Columns", Method, 8, ""},
+		{"(RowsColumnTypeNullable).Next", Method, 8, ""},
+		{"(RowsColumnTypePrecisionScale).Close", Method, 8, ""},
+		{"(RowsColumnTypePrecisionScale).ColumnTypePrecisionScale", Method, 8, ""},
+		{"(RowsColumnTypePrecisionScale).Columns", Method, 8, ""},
+		{"(RowsColumnTypePrecisionScale).Next", Method, 8, ""},
+		{"(RowsColumnTypeScanType).Close", Method, 8, ""},
+		{"(RowsColumnTypeScanType).ColumnTypeScanType", Method, 8, ""},
+		{"(RowsColumnTypeScanType).Columns", Method, 8, ""},
+		{"(RowsColumnTypeScanType).Next", Method, 8, ""},
+		{"(RowsNextResultSet).Close", Method, 8, ""},
+		{"(RowsNextResultSet).Columns", Method, 8, ""},
+		{"(RowsNextResultSet).HasNextResultSet", Method, 8, ""},
+		{"(RowsNextResultSet).Next", Method, 8, ""},
+		{"(RowsNextResultSet).NextResultSet", Method, 8, ""},
+		{"(SessionResetter).ResetSession", Method, 10, ""},
+		{"(Stmt).Close", Method, 0, ""},
+		{"(Stmt).Exec", Method, 0, ""},
+		{"(Stmt).NumInput", Method, 0, ""},
+		{"(Stmt).Query", Method, 0, ""},
+		{"(StmtExecContext).ExecContext", Method, 8, ""},
+		{"(StmtQueryContext).QueryContext", Method, 8, ""},
+		{"(Tx).Commit", Method, 0, ""},
+		{"(Tx).Rollback", Method, 0, ""},
+		{"(Validator).IsValid", Method, 15, ""},
+		{"(ValueConverter).ConvertValue", Method, 0, ""},
+		{"(Valuer).Value", Method, 0, ""},
+		{"Bool", Var, 0, ""},
+		{"ColumnConverter", Type, 0, ""},
+		{"Conn", Type, 0, ""},
+		{"ConnBeginTx", Type, 8, ""},
+		{"ConnPrepareContext", Type, 8, ""},
+		{"Connector", Type, 10, ""},
+		{"DefaultParameterConverter", Var, 0, ""},
+		{"Driver", Type, 0, ""},
+		{"DriverContext", Type, 10, ""},
+		{"ErrBadConn", Var, 0, ""},
+		{"ErrRemoveArgument", Var, 9, ""},
+		{"ErrSkip", Var, 0, ""},
+		{"Execer", Type, 0, ""},
+		{"ExecerContext", Type, 8, ""},
+		{"Int32", Var, 0, ""},
+		{"IsScanValue", Func, 0, "func(v any) bool"},
+		{"IsValue", Func, 0, "func(v any) bool"},
+		{"IsolationLevel", Type, 8, ""},
+		{"NamedValue", Type, 8, ""},
+		{"NamedValue.Name", Field, 8, ""},
+		{"NamedValue.Ordinal", Field, 8, ""},
+		{"NamedValue.Value", Field, 8, ""},
+		{"NamedValueChecker", Type, 9, ""},
+		{"NotNull", Type, 0, ""},
+		{"NotNull.Converter", Field, 0, ""},
+		{"Null", Type, 0, ""},
+		{"Null.Converter", Field, 0, ""},
+		{"Pinger", Type, 8, ""},
+		{"Queryer", Type, 1, ""},
+		{"QueryerContext", Type, 8, ""},
+		{"Result", Type, 0, ""},
+		{"ResultNoRows", Var, 0, ""},
+		{"Rows", Type, 0, ""},
+		{"RowsAffected", Type, 0, ""},
+		{"RowsColumnTypeDatabaseTypeName", Type, 8, ""},
+		{"RowsColumnTypeLength", Type, 8, ""},
+		{"RowsColumnTypeNullable", Type, 8, ""},
+		{"RowsColumnTypePrecisionScale", Type, 8, ""},
+		{"RowsColumnTypeScanType", Type, 8, ""},
+		{"RowsNextResultSet", Type, 8, ""},
+		{"SessionResetter", Type, 10, ""},
+		{"Stmt", Type, 0, ""},
+		{"StmtExecContext", Type, 8, ""},
+		{"StmtQueryContext", Type, 8, ""},
+		{"String", Var, 0, ""},
+		{"Tx", Type, 0, ""},
+		{"TxOptions", Type, 8, ""},
+		{"TxOptions.Isolation", Field, 8, ""},
+		{"TxOptions.ReadOnly", Field, 8, ""},
+		{"Validator", Type, 15, ""},
+		{"Value", Type, 0, ""},
+		{"ValueConverter", Type, 0, ""},
+		{"Valuer", Type, 0, ""},
+	},
+	"debug/buildinfo": {
+		{"BuildInfo", Type, 18, ""},
+		{"Read", Func, 18, "func(r io.ReaderAt) (*BuildInfo, error)"},
+		{"ReadFile", Func, 18, "func(name string) (info *BuildInfo, err error)"},
+	},
+	"debug/dwarf": {
+		{"(*AddrType).Basic", Method, 0, ""},
+		{"(*AddrType).Common", Method, 0, ""},
+		{"(*AddrType).Size", Method, 0, ""},
+		{"(*AddrType).String", Method, 0, ""},
+		{"(*ArrayType).Common", Method, 0, ""},
+		{"(*ArrayType).Size", Method, 0, ""},
+		{"(*ArrayType).String", Method, 0, ""},
+		{"(*BasicType).Basic", Method, 0, ""},
+		{"(*BasicType).Common", Method, 0, ""},
+		{"(*BasicType).Size", Method, 0, ""},
+		{"(*BasicType).String", Method, 0, ""},
+		{"(*BoolType).Basic", Method, 0, ""},
+		{"(*BoolType).Common", Method, 0, ""},
+		{"(*BoolType).Size", Method, 0, ""},
+		{"(*BoolType).String", Method, 0, ""},
+		{"(*CharType).Basic", Method, 0, ""},
+		{"(*CharType).Common", Method, 0, ""},
+		{"(*CharType).Size", Method, 0, ""},
+		{"(*CharType).String", Method, 0, ""},
+		{"(*CommonType).Common", Method, 0, ""},
+		{"(*CommonType).Size", Method, 0, ""},
+		{"(*ComplexType).Basic", Method, 0, ""},
+		{"(*ComplexType).Common", Method, 0, ""},
+		{"(*ComplexType).Size", Method, 0, ""},
+		{"(*ComplexType).String", Method, 0, ""},
+		{"(*Data).AddSection", Method, 14, ""},
+		{"(*Data).AddTypes", Method, 3, ""},
+		{"(*Data).LineReader", Method, 5, ""},
+		{"(*Data).Ranges", Method, 7, ""},
+		{"(*Data).Reader", Method, 0, ""},
+		{"(*Data).Type", Method, 0, ""},
+		{"(*DotDotDotType).Common", Method, 0, ""},
+		{"(*DotDotDotType).Size", Method, 0, ""},
+		{"(*DotDotDotType).String", Method, 0, ""},
+		{"(*Entry).AttrField", Method, 5, ""},
+		{"(*Entry).Val", Method, 0, ""},
+		{"(*EnumType).Common", Method, 0, ""},
+		{"(*EnumType).Size", Method, 0, ""},
+		{"(*EnumType).String", Method, 0, ""},
+		{"(*FloatType).Basic", Method, 0, ""},
+		{"(*FloatType).Common", Method, 0, ""},
+		{"(*FloatType).Size", Method, 0, ""},
+		{"(*FloatType).String", Method, 0, ""},
+		{"(*FuncType).Common", Method, 0, ""},
+		{"(*FuncType).Size", Method, 0, ""},
+		{"(*FuncType).String", Method, 0, ""},
+		{"(*IntType).Basic", Method, 0, ""},
+		{"(*IntType).Common", Method, 0, ""},
+		{"(*IntType).Size", Method, 0, ""},
+		{"(*IntType).String", Method, 0, ""},
+		{"(*LineReader).Files", Method, 14, ""},
+		{"(*LineReader).Next", Method, 5, ""},
+		{"(*LineReader).Reset", Method, 5, ""},
+		{"(*LineReader).Seek", Method, 5, ""},
+		{"(*LineReader).SeekPC", Method, 5, ""},
+		{"(*LineReader).Tell", Method, 5, ""},
+		{"(*PtrType).Common", Method, 0, ""},
+		{"(*PtrType).Size", Method, 0, ""},
+		{"(*PtrType).String", Method, 0, ""},
+		{"(*QualType).Common", Method, 0, ""},
+		{"(*QualType).Size", Method, 0, ""},
+		{"(*QualType).String", Method, 0, ""},
+		{"(*Reader).AddressSize", Method, 5, ""},
+		{"(*Reader).ByteOrder", Method, 14, ""},
+		{"(*Reader).Next", Method, 0, ""},
+		{"(*Reader).Seek", Method, 0, ""},
+		{"(*Reader).SeekPC", Method, 7, ""},
+		{"(*Reader).SkipChildren", Method, 0, ""},
+		{"(*StructType).Common", Method, 0, ""},
+		{"(*StructType).Defn", Method, 0, ""},
+		{"(*StructType).Size", Method, 0, ""},
+		{"(*StructType).String", Method, 0, ""},
+		{"(*TypedefType).Common", Method, 0, ""},
+		{"(*TypedefType).Size", Method, 0, ""},
+		{"(*TypedefType).String", Method, 0, ""},
+		{"(*UcharType).Basic", Method, 0, ""},
+		{"(*UcharType).Common", Method, 0, ""},
+		{"(*UcharType).Size", Method, 0, ""},
+		{"(*UcharType).String", Method, 0, ""},
+		{"(*UintType).Basic", Method, 0, ""},
+		{"(*UintType).Common", Method, 0, ""},
+		{"(*UintType).Size", Method, 0, ""},
+		{"(*UintType).String", Method, 0, ""},
+		{"(*UnspecifiedType).Basic", Method, 4, ""},
+		{"(*UnspecifiedType).Common", Method, 4, ""},
+		{"(*UnspecifiedType).Size", Method, 4, ""},
+		{"(*UnspecifiedType).String", Method, 4, ""},
+		{"(*UnsupportedType).Common", Method, 13, ""},
+		{"(*UnsupportedType).Size", Method, 13, ""},
+		{"(*UnsupportedType).String", Method, 13, ""},
+		{"(*VoidType).Common", Method, 0, ""},
+		{"(*VoidType).Size", Method, 0, ""},
+		{"(*VoidType).String", Method, 0, ""},
+		{"(Attr).GoString", Method, 0, ""},
+		{"(Attr).String", Method, 0, ""},
+		{"(Class).GoString", Method, 5, ""},
+		{"(Class).String", Method, 5, ""},
+		{"(DecodeError).Error", Method, 0, ""},
+		{"(Tag).GoString", Method, 0, ""},
+		{"(Tag).String", Method, 0, ""},
+		{"(Type).Common", Method, 0, ""},
+		{"(Type).Size", Method, 0, ""},
+		{"(Type).String", Method, 0, ""},
+		{"AddrType", Type, 0, ""},
+		{"AddrType.BasicType", Field, 0, ""},
+		{"ArrayType", Type, 0, ""},
+		{"ArrayType.CommonType", Field, 0, ""},
+		{"ArrayType.Count", Field, 0, ""},
+		{"ArrayType.StrideBitSize", Field, 0, ""},
+		{"ArrayType.Type", Field, 0, ""},
+		{"Attr", Type, 0, ""},
+		{"AttrAbstractOrigin", Const, 0, ""},
+		{"AttrAccessibility", Const, 0, ""},
+		{"AttrAddrBase", Const, 14, ""},
+		{"AttrAddrClass", Const, 0, ""},
+		{"AttrAlignment", Const, 14, ""},
+		{"AttrAllocated", Const, 0, ""},
+		{"AttrArtificial", Const, 0, ""},
+		{"AttrAssociated", Const, 0, ""},
+		{"AttrBaseTypes", Const, 0, ""},
+		{"AttrBinaryScale", Const, 14, ""},
+		{"AttrBitOffset", Const, 0, ""},
+		{"AttrBitSize", Const, 0, ""},
+		{"AttrByteSize", Const, 0, ""},
+		{"AttrCallAllCalls", Const, 14, ""},
+		{"AttrCallAllSourceCalls", Const, 14, ""},
+		{"AttrCallAllTailCalls", Const, 14, ""},
+		{"AttrCallColumn", Const, 0, ""},
+		{"AttrCallDataLocation", Const, 14, ""},
+		{"AttrCallDataValue", Const, 14, ""},
+		{"AttrCallFile", Const, 0, ""},
+		{"AttrCallLine", Const, 0, ""},
+		{"AttrCallOrigin", Const, 14, ""},
+		{"AttrCallPC", Const, 14, ""},
+		{"AttrCallParameter", Const, 14, ""},
+		{"AttrCallReturnPC", Const, 14, ""},
+		{"AttrCallTailCall", Const, 14, ""},
+		{"AttrCallTarget", Const, 14, ""},
+		{"AttrCallTargetClobbered", Const, 14, ""},
+		{"AttrCallValue", Const, 14, ""},
+		{"AttrCalling", Const, 0, ""},
+		{"AttrCommonRef", Const, 0, ""},
+		{"AttrCompDir", Const, 0, ""},
+		{"AttrConstExpr", Const, 14, ""},
+		{"AttrConstValue", Const, 0, ""},
+		{"AttrContainingType", Const, 0, ""},
+		{"AttrCount", Const, 0, ""},
+		{"AttrDataBitOffset", Const, 14, ""},
+		{"AttrDataLocation", Const, 0, ""},
+		{"AttrDataMemberLoc", Const, 0, ""},
+		{"AttrDecimalScale", Const, 14, ""},
+		{"AttrDecimalSign", Const, 14, ""},
+		{"AttrDeclColumn", Const, 0, ""},
+		{"AttrDeclFile", Const, 0, ""},
+		{"AttrDeclLine", Const, 0, ""},
+		{"AttrDeclaration", Const, 0, ""},
+		{"AttrDefaultValue", Const, 0, ""},
+		{"AttrDefaulted", Const, 14, ""},
+		{"AttrDeleted", Const, 14, ""},
+		{"AttrDescription", Const, 0, ""},
+		{"AttrDigitCount", Const, 14, ""},
+		{"AttrDiscr", Const, 0, ""},
+		{"AttrDiscrList", Const, 0, ""},
+		{"AttrDiscrValue", Const, 0, ""},
+		{"AttrDwoName", Const, 14, ""},
+		{"AttrElemental", Const, 14, ""},
+		{"AttrEncoding", Const, 0, ""},
+		{"AttrEndianity", Const, 14, ""},
+		{"AttrEntrypc", Const, 0, ""},
+		{"AttrEnumClass", Const, 14, ""},
+		{"AttrExplicit", Const, 14, ""},
+		{"AttrExportSymbols", Const, 14, ""},
+		{"AttrExtension", Const, 0, ""},
+		{"AttrExternal", Const, 0, ""},
+		{"AttrFrameBase", Const, 0, ""},
+		{"AttrFriend", Const, 0, ""},
+		{"AttrHighpc", Const, 0, ""},
+		{"AttrIdentifierCase", Const, 0, ""},
+		{"AttrImport", Const, 0, ""},
+		{"AttrInline", Const, 0, ""},
+		{"AttrIsOptional", Const, 0, ""},
+		{"AttrLanguage", Const, 0, ""},
+		{"AttrLinkageName", Const, 14, ""},
+		{"AttrLocation", Const, 0, ""},
+		{"AttrLoclistsBase", Const, 14, ""},
+		{"AttrLowerBound", Const, 0, ""},
+		{"AttrLowpc", Const, 0, ""},
+		{"AttrMacroInfo", Const, 0, ""},
+		{"AttrMacros", Const, 14, ""},
+		{"AttrMainSubprogram", Const, 14, ""},
+		{"AttrMutable", Const, 14, ""},
+		{"AttrName", Const, 0, ""},
+		{"AttrNamelistItem", Const, 0, ""},
+		{"AttrNoreturn", Const, 14, ""},
+		{"AttrObjectPointer", Const, 14, ""},
+		{"AttrOrdering", Const, 0, ""},
+		{"AttrPictureString", Const, 14, ""},
+		{"AttrPriority", Const, 0, ""},
+		{"AttrProducer", Const, 0, ""},
+		{"AttrPrototyped", Const, 0, ""},
+		{"AttrPure", Const, 14, ""},
+		{"AttrRanges", Const, 0, ""},
+		{"AttrRank", Const, 14, ""},
+		{"AttrRecursive", Const, 14, ""},
+		{"AttrReference", Const, 14, ""},
+		{"AttrReturnAddr", Const, 0, ""},
+		{"AttrRnglistsBase", Const, 14, ""},
+		{"AttrRvalueReference", Const, 14, ""},
+		{"AttrSegment", Const, 0, ""},
+		{"AttrSibling", Const, 0, ""},
+		{"AttrSignature", Const, 14, ""},
+		{"AttrSmall", Const, 14, ""},
+		{"AttrSpecification", Const, 0, ""},
+		{"AttrStartScope", Const, 0, ""},
+		{"AttrStaticLink", Const, 0, ""},
+		{"AttrStmtList", Const, 0, ""},
+		{"AttrStrOffsetsBase", Const, 14, ""},
+		{"AttrStride", Const, 0, ""},
+		{"AttrStrideSize", Const, 0, ""},
+		{"AttrStringLength", Const, 0, ""},
+		{"AttrStringLengthBitSize", Const, 14, ""},
+		{"AttrStringLengthByteSize", Const, 14, ""},
+		{"AttrThreadsScaled", Const, 14, ""},
+		{"AttrTrampoline", Const, 0, ""},
+		{"AttrType", Const, 0, ""},
+		{"AttrUpperBound", Const, 0, ""},
+		{"AttrUseLocation", Const, 0, ""},
+		{"AttrUseUTF8", Const, 0, ""},
+		{"AttrVarParam", Const, 0, ""},
+		{"AttrVirtuality", Const, 0, ""},
+		{"AttrVisibility", Const, 0, ""},
+		{"AttrVtableElemLoc", Const, 0, ""},
+		{"BasicType", Type, 0, ""},
+		{"BasicType.BitOffset", Field, 0, ""},
+		{"BasicType.BitSize", Field, 0, ""},
+		{"BasicType.CommonType", Field, 0, ""},
+		{"BasicType.DataBitOffset", Field, 18, ""},
+		{"BoolType", Type, 0, ""},
+		{"BoolType.BasicType", Field, 0, ""},
+		{"CharType", Type, 0, ""},
+		{"CharType.BasicType", Field, 0, ""},
+		{"Class", Type, 5, ""},
+		{"ClassAddrPtr", Const, 14, ""},
+		{"ClassAddress", Const, 5, ""},
+		{"ClassBlock", Const, 5, ""},
+		{"ClassConstant", Const, 5, ""},
+		{"ClassExprLoc", Const, 5, ""},
+		{"ClassFlag", Const, 5, ""},
+		{"ClassLinePtr", Const, 5, ""},
+		{"ClassLocList", Const, 14, ""},
+		{"ClassLocListPtr", Const, 5, ""},
+		{"ClassMacPtr", Const, 5, ""},
+		{"ClassRangeListPtr", Const, 5, ""},
+		{"ClassReference", Const, 5, ""},
+		{"ClassReferenceAlt", Const, 5, ""},
+		{"ClassReferenceSig", Const, 5, ""},
+		{"ClassRngList", Const, 14, ""},
+		{"ClassRngListsPtr", Const, 14, ""},
+		{"ClassStrOffsetsPtr", Const, 14, ""},
+		{"ClassString", Const, 5, ""},
+		{"ClassStringAlt", Const, 5, ""},
+		{"ClassUnknown", Const, 6, ""},
+		{"CommonType", Type, 0, ""},
+		{"CommonType.ByteSize", Field, 0, ""},
+		{"CommonType.Name", Field, 0, ""},
+		{"ComplexType", Type, 0, ""},
+		{"ComplexType.BasicType", Field, 0, ""},
+		{"Data", Type, 0, ""},
+		{"DecodeError", Type, 0, ""},
+		{"DecodeError.Err", Field, 0, ""},
+		{"DecodeError.Name", Field, 0, ""},
+		{"DecodeError.Offset", Field, 0, ""},
+		{"DotDotDotType", Type, 0, ""},
+		{"DotDotDotType.CommonType", Field, 0, ""},
+		{"Entry", Type, 0, ""},
+		{"Entry.Children", Field, 0, ""},
+		{"Entry.Field", Field, 0, ""},
+		{"Entry.Offset", Field, 0, ""},
+		{"Entry.Tag", Field, 0, ""},
+		{"EnumType", Type, 0, ""},
+		{"EnumType.CommonType", Field, 0, ""},
+		{"EnumType.EnumName", Field, 0, ""},
+		{"EnumType.Val", Field, 0, ""},
+		{"EnumValue", Type, 0, ""},
+		{"EnumValue.Name", Field, 0, ""},
+		{"EnumValue.Val", Field, 0, ""},
+		{"ErrUnknownPC", Var, 5, ""},
+		{"Field", Type, 0, ""},
+		{"Field.Attr", Field, 0, ""},
+		{"Field.Class", Field, 5, ""},
+		{"Field.Val", Field, 0, ""},
+		{"FloatType", Type, 0, ""},
+		{"FloatType.BasicType", Field, 0, ""},
+		{"FuncType", Type, 0, ""},
+		{"FuncType.CommonType", Field, 0, ""},
+		{"FuncType.ParamType", Field, 0, ""},
+		{"FuncType.ReturnType", Field, 0, ""},
+		{"IntType", Type, 0, ""},
+		{"IntType.BasicType", Field, 0, ""},
+		{"LineEntry", Type, 5, ""},
+		{"LineEntry.Address", Field, 5, ""},
+		{"LineEntry.BasicBlock", Field, 5, ""},
+		{"LineEntry.Column", Field, 5, ""},
+		{"LineEntry.Discriminator", Field, 5, ""},
+		{"LineEntry.EndSequence", Field, 5, ""},
+		{"LineEntry.EpilogueBegin", Field, 5, ""},
+		{"LineEntry.File", Field, 5, ""},
+		{"LineEntry.ISA", Field, 5, ""},
+		{"LineEntry.IsStmt", Field, 5, ""},
+		{"LineEntry.Line", Field, 5, ""},
+		{"LineEntry.OpIndex", Field, 5, ""},
+		{"LineEntry.PrologueEnd", Field, 5, ""},
+		{"LineFile", Type, 5, ""},
+		{"LineFile.Length", Field, 5, ""},
+		{"LineFile.Mtime", Field, 5, ""},
+		{"LineFile.Name", Field, 5, ""},
+		{"LineReader", Type, 5, ""},
+		{"LineReaderPos", Type, 5, ""},
+		{"New", Func, 0, "func(abbrev []byte, aranges []byte, frame []byte, info []byte, line []byte, pubnames []byte, ranges []byte, str []byte) (*Data, error)"},
+		{"Offset", Type, 0, ""},
+		{"PtrType", Type, 0, ""},
+		{"PtrType.CommonType", Field, 0, ""},
+		{"PtrType.Type", Field, 0, ""},
+		{"QualType", Type, 0, ""},
+		{"QualType.CommonType", Field, 0, ""},
+		{"QualType.Qual", Field, 0, ""},
+		{"QualType.Type", Field, 0, ""},
+		{"Reader", Type, 0, ""},
+		{"StructField", Type, 0, ""},
+		{"StructField.BitOffset", Field, 0, ""},
+		{"StructField.BitSize", Field, 0, ""},
+		{"StructField.ByteOffset", Field, 0, ""},
+		{"StructField.ByteSize", Field, 0, ""},
+		{"StructField.DataBitOffset", Field, 18, ""},
+		{"StructField.Name", Field, 0, ""},
+		{"StructField.Type", Field, 0, ""},
+		{"StructType", Type, 0, ""},
+		{"StructType.CommonType", Field, 0, ""},
+		{"StructType.Field", Field, 0, ""},
+		{"StructType.Incomplete", Field, 0, ""},
+		{"StructType.Kind", Field, 0, ""},
+		{"StructType.StructName", Field, 0, ""},
+		{"Tag", Type, 0, ""},
+		{"TagAccessDeclaration", Const, 0, ""},
+		{"TagArrayType", Const, 0, ""},
+		{"TagAtomicType", Const, 14, ""},
+		{"TagBaseType", Const, 0, ""},
+		{"TagCallSite", Const, 14, ""},
+		{"TagCallSiteParameter", Const, 14, ""},
+		{"TagCatchDwarfBlock", Const, 0, ""},
+		{"TagClassType", Const, 0, ""},
+		{"TagCoarrayType", Const, 14, ""},
+		{"TagCommonDwarfBlock", Const, 0, ""},
+		{"TagCommonInclusion", Const, 0, ""},
+		{"TagCompileUnit", Const, 0, ""},
+		{"TagCondition", Const, 3, ""},
+		{"TagConstType", Const, 0, ""},
+		{"TagConstant", Const, 0, ""},
+		{"TagDwarfProcedure", Const, 0, ""},
+		{"TagDynamicType", Const, 14, ""},
+		{"TagEntryPoint", Const, 0, ""},
+		{"TagEnumerationType", Const, 0, ""},
+		{"TagEnumerator", Const, 0, ""},
+		{"TagFileType", Const, 0, ""},
+		{"TagFormalParameter", Const, 0, ""},
+		{"TagFriend", Const, 0, ""},
+		{"TagGenericSubrange", Const, 14, ""},
+		{"TagImmutableType", Const, 14, ""},
+		{"TagImportedDeclaration", Const, 0, ""},
+		{"TagImportedModule", Const, 0, ""},
+		{"TagImportedUnit", Const, 0, ""},
+		{"TagInheritance", Const, 0, ""},
+		{"TagInlinedSubroutine", Const, 0, ""},
+		{"TagInterfaceType", Const, 0, ""},
+		{"TagLabel", Const, 0, ""},
+		{"TagLexDwarfBlock", Const, 0, ""},
+		{"TagMember", Const, 0, ""},
+		{"TagModule", Const, 0, ""},
+		{"TagMutableType", Const, 0, ""},
+		{"TagNamelist", Const, 0, ""},
+		{"TagNamelistItem", Const, 0, ""},
+		{"TagNamespace", Const, 0, ""},
+		{"TagPackedType", Const, 0, ""},
+		{"TagPartialUnit", Const, 0, ""},
+		{"TagPointerType", Const, 0, ""},
+		{"TagPtrToMemberType", Const, 0, ""},
+		{"TagReferenceType", Const, 0, ""},
+		{"TagRestrictType", Const, 0, ""},
+		{"TagRvalueReferenceType", Const, 3, ""},
+		{"TagSetType", Const, 0, ""},
+		{"TagSharedType", Const, 3, ""},
+		{"TagSkeletonUnit", Const, 14, ""},
+		{"TagStringType", Const, 0, ""},
+		{"TagStructType", Const, 0, ""},
+		{"TagSubprogram", Const, 0, ""},
+		{"TagSubrangeType", Const, 0, ""},
+		{"TagSubroutineType", Const, 0, ""},
+		{"TagTemplateAlias", Const, 3, ""},
+		{"TagTemplateTypeParameter", Const, 0, ""},
+		{"TagTemplateValueParameter", Const, 0, ""},
+		{"TagThrownType", Const, 0, ""},
+		{"TagTryDwarfBlock", Const, 0, ""},
+		{"TagTypeUnit", Const, 3, ""},
+		{"TagTypedef", Const, 0, ""},
+		{"TagUnionType", Const, 0, ""},
+		{"TagUnspecifiedParameters", Const, 0, ""},
+		{"TagUnspecifiedType", Const, 0, ""},
+		{"TagVariable", Const, 0, ""},
+		{"TagVariant", Const, 0, ""},
+		{"TagVariantPart", Const, 0, ""},
+		{"TagVolatileType", Const, 0, ""},
+		{"TagWithStmt", Const, 0, ""},
+		{"Type", Type, 0, ""},
+		{"TypedefType", Type, 0, ""},
+		{"TypedefType.CommonType", Field, 0, ""},
+		{"TypedefType.Type", Field, 0, ""},
+		{"UcharType", Type, 0, ""},
+		{"UcharType.BasicType", Field, 0, ""},
+		{"UintType", Type, 0, ""},
+		{"UintType.BasicType", Field, 0, ""},
+		{"UnspecifiedType", Type, 4, ""},
+		{"UnspecifiedType.BasicType", Field, 4, ""},
+		{"UnsupportedType", Type, 13, ""},
+		{"UnsupportedType.CommonType", Field, 13, ""},
+		{"UnsupportedType.Tag", Field, 13, ""},
+		{"VoidType", Type, 0, ""},
+		{"VoidType.CommonType", Field, 0, ""},
+	},
+	"debug/elf": {
+		{"(*File).Close", Method, 0, ""},
+		{"(*File).DWARF", Method, 0, ""},
+		{"(*File).DynString", Method, 1, ""},
+		{"(*File).DynValue", Method, 21, ""},
+		{"(*File).DynamicSymbols", Method, 4, ""},
+		{"(*File).DynamicVersionNeeds", Method, 24, ""},
+		{"(*File).DynamicVersions", Method, 24, ""},
+		{"(*File).ImportedLibraries", Method, 0, ""},
+		{"(*File).ImportedSymbols", Method, 0, ""},
+		{"(*File).Section", Method, 0, ""},
+		{"(*File).SectionByType", Method, 0, ""},
+		{"(*File).Symbols", Method, 0, ""},
+		{"(*FormatError).Error", Method, 0, ""},
+		{"(*Prog).Open", Method, 0, ""},
+		{"(*Section).Data", Method, 0, ""},
+		{"(*Section).Open", Method, 0, ""},
+		{"(Class).GoString", Method, 0, ""},
+		{"(Class).String", Method, 0, ""},
+		{"(CompressionType).GoString", Method, 6, ""},
+		{"(CompressionType).String", Method, 6, ""},
+		{"(Data).GoString", Method, 0, ""},
+		{"(Data).String", Method, 0, ""},
+		{"(DynFlag).GoString", Method, 0, ""},
+		{"(DynFlag).String", Method, 0, ""},
+		{"(DynFlag1).GoString", Method, 21, ""},
+		{"(DynFlag1).String", Method, 21, ""},
+		{"(DynTag).GoString", Method, 0, ""},
+		{"(DynTag).String", Method, 0, ""},
+		{"(Machine).GoString", Method, 0, ""},
+		{"(Machine).String", Method, 0, ""},
+		{"(NType).GoString", Method, 0, ""},
+		{"(NType).String", Method, 0, ""},
+		{"(OSABI).GoString", Method, 0, ""},
+		{"(OSABI).String", Method, 0, ""},
+		{"(Prog).ReadAt", Method, 0, ""},
+		{"(ProgFlag).GoString", Method, 0, ""},
+		{"(ProgFlag).String", Method, 0, ""},
+		{"(ProgType).GoString", Method, 0, ""},
+		{"(ProgType).String", Method, 0, ""},
+		{"(R_386).GoString", Method, 0, ""},
+		{"(R_386).String", Method, 0, ""},
+		{"(R_390).GoString", Method, 7, ""},
+		{"(R_390).String", Method, 7, ""},
+		{"(R_AARCH64).GoString", Method, 4, ""},
+		{"(R_AARCH64).String", Method, 4, ""},
+		{"(R_ALPHA).GoString", Method, 0, ""},
+		{"(R_ALPHA).String", Method, 0, ""},
+		{"(R_ARM).GoString", Method, 0, ""},
+		{"(R_ARM).String", Method, 0, ""},
+		{"(R_LARCH).GoString", Method, 19, ""},
+		{"(R_LARCH).String", Method, 19, ""},
+		{"(R_MIPS).GoString", Method, 6, ""},
+		{"(R_MIPS).String", Method, 6, ""},
+		{"(R_PPC).GoString", Method, 0, ""},
+		{"(R_PPC).String", Method, 0, ""},
+		{"(R_PPC64).GoString", Method, 5, ""},
+		{"(R_PPC64).String", Method, 5, ""},
+		{"(R_RISCV).GoString", Method, 11, ""},
+		{"(R_RISCV).String", Method, 11, ""},
+		{"(R_SPARC).GoString", Method, 0, ""},
+		{"(R_SPARC).String", Method, 0, ""},
+		{"(R_X86_64).GoString", Method, 0, ""},
+		{"(R_X86_64).String", Method, 0, ""},
+		{"(Section).ReadAt", Method, 0, ""},
+		{"(SectionFlag).GoString", Method, 0, ""},
+		{"(SectionFlag).String", Method, 0, ""},
+		{"(SectionIndex).GoString", Method, 0, ""},
+		{"(SectionIndex).String", Method, 0, ""},
+		{"(SectionType).GoString", Method, 0, ""},
+		{"(SectionType).String", Method, 0, ""},
+		{"(SymBind).GoString", Method, 0, ""},
+		{"(SymBind).String", Method, 0, ""},
+		{"(SymType).GoString", Method, 0, ""},
+		{"(SymType).String", Method, 0, ""},
+		{"(SymVis).GoString", Method, 0, ""},
+		{"(SymVis).String", Method, 0, ""},
+		{"(Type).GoString", Method, 0, ""},
+		{"(Type).String", Method, 0, ""},
+		{"(Version).GoString", Method, 0, ""},
+		{"(Version).String", Method, 0, ""},
+		{"(VersionIndex).Index", Method, 24, ""},
+		{"(VersionIndex).IsHidden", Method, 24, ""},
+		{"ARM_MAGIC_TRAMP_NUMBER", Const, 0, ""},
+		{"COMPRESS_HIOS", Const, 6, ""},
+		{"COMPRESS_HIPROC", Const, 6, ""},
+		{"COMPRESS_LOOS", Const, 6, ""},
+		{"COMPRESS_LOPROC", Const, 6, ""},
+		{"COMPRESS_ZLIB", Const, 6, ""},
+		{"COMPRESS_ZSTD", Const, 21, ""},
+		{"Chdr32", Type, 6, ""},
+		{"Chdr32.Addralign", Field, 6, ""},
+		{"Chdr32.Size", Field, 6, ""},
+		{"Chdr32.Type", Field, 6, ""},
+		{"Chdr64", Type, 6, ""},
+		{"Chdr64.Addralign", Field, 6, ""},
+		{"Chdr64.Size", Field, 6, ""},
+		{"Chdr64.Type", Field, 6, ""},
+		{"Class", Type, 0, ""},
+		{"CompressionType", Type, 6, ""},
+		{"DF_1_CONFALT", Const, 21, ""},
+		{"DF_1_DIRECT", Const, 21, ""},
+		{"DF_1_DISPRELDNE", Const, 21, ""},
+		{"DF_1_DISPRELPND", Const, 21, ""},
+		{"DF_1_EDITED", Const, 21, ""},
+		{"DF_1_ENDFILTEE", Const, 21, ""},
+		{"DF_1_GLOBAL", Const, 21, ""},
+		{"DF_1_GLOBAUDIT", Const, 21, ""},
+		{"DF_1_GROUP", Const, 21, ""},
+		{"DF_1_IGNMULDEF", Const, 21, ""},
+		{"DF_1_INITFIRST", Const, 21, ""},
+		{"DF_1_INTERPOSE", Const, 21, ""},
+		{"DF_1_KMOD", Const, 21, ""},
+		{"DF_1_LOADFLTR", Const, 21, ""},
+		{"DF_1_NOCOMMON", Const, 21, ""},
+		{"DF_1_NODEFLIB", Const, 21, ""},
+		{"DF_1_NODELETE", Const, 21, ""},
+		{"DF_1_NODIRECT", Const, 21, ""},
+		{"DF_1_NODUMP", Const, 21, ""},
+		{"DF_1_NOHDR", Const, 21, ""},
+		{"DF_1_NOKSYMS", Const, 21, ""},
+		{"DF_1_NOOPEN", Const, 21, ""},
+		{"DF_1_NORELOC", Const, 21, ""},
+		{"DF_1_NOW", Const, 21, ""},
+		{"DF_1_ORIGIN", Const, 21, ""},
+		{"DF_1_PIE", Const, 21, ""},
+		{"DF_1_SINGLETON", Const, 21, ""},
+		{"DF_1_STUB", Const, 21, ""},
+		{"DF_1_SYMINTPOSE", Const, 21, ""},
+		{"DF_1_TRANS", Const, 21, ""},
+		{"DF_1_WEAKFILTER", Const, 21, ""},
+		{"DF_BIND_NOW", Const, 0, ""},
+		{"DF_ORIGIN", Const, 0, ""},
+		{"DF_STATIC_TLS", Const, 0, ""},
+		{"DF_SYMBOLIC", Const, 0, ""},
+		{"DF_TEXTREL", Const, 0, ""},
+		{"DT_ADDRRNGHI", Const, 16, ""},
+		{"DT_ADDRRNGLO", Const, 16, ""},
+		{"DT_AUDIT", Const, 16, ""},
+		{"DT_AUXILIARY", Const, 16, ""},
+		{"DT_BIND_NOW", Const, 0, ""},
+		{"DT_CHECKSUM", Const, 16, ""},
+		{"DT_CONFIG", Const, 16, ""},
+		{"DT_DEBUG", Const, 0, ""},
+		{"DT_DEPAUDIT", Const, 16, ""},
+		{"DT_ENCODING", Const, 0, ""},
+		{"DT_FEATURE", Const, 16, ""},
+		{"DT_FILTER", Const, 16, ""},
+		{"DT_FINI", Const, 0, ""},
+		{"DT_FINI_ARRAY", Const, 0, ""},
+		{"DT_FINI_ARRAYSZ", Const, 0, ""},
+		{"DT_FLAGS", Const, 0, ""},
+		{"DT_FLAGS_1", Const, 16, ""},
+		{"DT_GNU_CONFLICT", Const, 16, ""},
+		{"DT_GNU_CONFLICTSZ", Const, 16, ""},
+		{"DT_GNU_HASH", Const, 16, ""},
+		{"DT_GNU_LIBLIST", Const, 16, ""},
+		{"DT_GNU_LIBLISTSZ", Const, 16, ""},
+		{"DT_GNU_PRELINKED", Const, 16, ""},
+		{"DT_HASH", Const, 0, ""},
+		{"DT_HIOS", Const, 0, ""},
+		{"DT_HIPROC", Const, 0, ""},
+		{"DT_INIT", Const, 0, ""},
+		{"DT_INIT_ARRAY", Const, 0, ""},
+		{"DT_INIT_ARRAYSZ", Const, 0, ""},
+		{"DT_JMPREL", Const, 0, ""},
+		{"DT_LOOS", Const, 0, ""},
+		{"DT_LOPROC", Const, 0, ""},
+		{"DT_MIPS_AUX_DYNAMIC", Const, 16, ""},
+		{"DT_MIPS_BASE_ADDRESS", Const, 16, ""},
+		{"DT_MIPS_COMPACT_SIZE", Const, 16, ""},
+		{"DT_MIPS_CONFLICT", Const, 16, ""},
+		{"DT_MIPS_CONFLICTNO", Const, 16, ""},
+		{"DT_MIPS_CXX_FLAGS", Const, 16, ""},
+		{"DT_MIPS_DELTA_CLASS", Const, 16, ""},
+		{"DT_MIPS_DELTA_CLASSSYM", Const, 16, ""},
+		{"DT_MIPS_DELTA_CLASSSYM_NO", Const, 16, ""},
+		{"DT_MIPS_DELTA_CLASS_NO", Const, 16, ""},
+		{"DT_MIPS_DELTA_INSTANCE", Const, 16, ""},
+		{"DT_MIPS_DELTA_INSTANCE_NO", Const, 16, ""},
+		{"DT_MIPS_DELTA_RELOC", Const, 16, ""},
+		{"DT_MIPS_DELTA_RELOC_NO", Const, 16, ""},
+		{"DT_MIPS_DELTA_SYM", Const, 16, ""},
+		{"DT_MIPS_DELTA_SYM_NO", Const, 16, ""},
+		{"DT_MIPS_DYNSTR_ALIGN", Const, 16, ""},
+		{"DT_MIPS_FLAGS", Const, 16, ""},
+		{"DT_MIPS_GOTSYM", Const, 16, ""},
+		{"DT_MIPS_GP_VALUE", Const, 16, ""},
+		{"DT_MIPS_HIDDEN_GOTIDX", Const, 16, ""},
+		{"DT_MIPS_HIPAGENO", Const, 16, ""},
+		{"DT_MIPS_ICHECKSUM", Const, 16, ""},
+		{"DT_MIPS_INTERFACE", Const, 16, ""},
+		{"DT_MIPS_INTERFACE_SIZE", Const, 16, ""},
+		{"DT_MIPS_IVERSION", Const, 16, ""},
+		{"DT_MIPS_LIBLIST", Const, 16, ""},
+		{"DT_MIPS_LIBLISTNO", Const, 16, ""},
+		{"DT_MIPS_LOCALPAGE_GOTIDX", Const, 16, ""},
+		{"DT_MIPS_LOCAL_GOTIDX", Const, 16, ""},
+		{"DT_MIPS_LOCAL_GOTNO", Const, 16, ""},
+		{"DT_MIPS_MSYM", Const, 16, ""},
+		{"DT_MIPS_OPTIONS", Const, 16, ""},
+		{"DT_MIPS_PERF_SUFFIX", Const, 16, ""},
+		{"DT_MIPS_PIXIE_INIT", Const, 16, ""},
+		{"DT_MIPS_PLTGOT", Const, 16, ""},
+		{"DT_MIPS_PROTECTED_GOTIDX", Const, 16, ""},
+		{"DT_MIPS_RLD_MAP", Const, 16, ""},
+		{"DT_MIPS_RLD_MAP_REL", Const, 16, ""},
+		{"DT_MIPS_RLD_TEXT_RESOLVE_ADDR", Const, 16, ""},
+		{"DT_MIPS_RLD_VERSION", Const, 16, ""},
+		{"DT_MIPS_RWPLT", Const, 16, ""},
+		{"DT_MIPS_SYMBOL_LIB", Const, 16, ""},
+		{"DT_MIPS_SYMTABNO", Const, 16, ""},
+		{"DT_MIPS_TIME_STAMP", Const, 16, ""},
+		{"DT_MIPS_UNREFEXTNO", Const, 16, ""},
+		{"DT_MOVEENT", Const, 16, ""},
+		{"DT_MOVESZ", Const, 16, ""},
+		{"DT_MOVETAB", Const, 16, ""},
+		{"DT_NEEDED", Const, 0, ""},
+		{"DT_NULL", Const, 0, ""},
+		{"DT_PLTGOT", Const, 0, ""},
+		{"DT_PLTPAD", Const, 16, ""},
+		{"DT_PLTPADSZ", Const, 16, ""},
+		{"DT_PLTREL", Const, 0, ""},
+		{"DT_PLTRELSZ", Const, 0, ""},
+		{"DT_POSFLAG_1", Const, 16, ""},
+		{"DT_PPC64_GLINK", Const, 16, ""},
+		{"DT_PPC64_OPD", Const, 16, ""},
+		{"DT_PPC64_OPDSZ", Const, 16, ""},
+		{"DT_PPC64_OPT", Const, 16, ""},
+		{"DT_PPC_GOT", Const, 16, ""},
+		{"DT_PPC_OPT", Const, 16, ""},
+		{"DT_PREINIT_ARRAY", Const, 0, ""},
+		{"DT_PREINIT_ARRAYSZ", Const, 0, ""},
+		{"DT_REL", Const, 0, ""},
+		{"DT_RELA", Const, 0, ""},
+		{"DT_RELACOUNT", Const, 16, ""},
+		{"DT_RELAENT", Const, 0, ""},
+		{"DT_RELASZ", Const, 0, ""},
+		{"DT_RELCOUNT", Const, 16, ""},
+		{"DT_RELENT", Const, 0, ""},
+		{"DT_RELSZ", Const, 0, ""},
+		{"DT_RPATH", Const, 0, ""},
+		{"DT_RUNPATH", Const, 0, ""},
+		{"DT_SONAME", Const, 0, ""},
+		{"DT_SPARC_REGISTER", Const, 16, ""},
+		{"DT_STRSZ", Const, 0, ""},
+		{"DT_STRTAB", Const, 0, ""},
+		{"DT_SYMBOLIC", Const, 0, ""},
+		{"DT_SYMENT", Const, 0, ""},
+		{"DT_SYMINENT", Const, 16, ""},
+		{"DT_SYMINFO", Const, 16, ""},
+		{"DT_SYMINSZ", Const, 16, ""},
+		{"DT_SYMTAB", Const, 0, ""},
+		{"DT_SYMTAB_SHNDX", Const, 16, ""},
+		{"DT_TEXTREL", Const, 0, ""},
+		{"DT_TLSDESC_GOT", Const, 16, ""},
+		{"DT_TLSDESC_PLT", Const, 16, ""},
+		{"DT_USED", Const, 16, ""},
+		{"DT_VALRNGHI", Const, 16, ""},
+		{"DT_VALRNGLO", Const, 16, ""},
+		{"DT_VERDEF", Const, 16, ""},
+		{"DT_VERDEFNUM", Const, 16, ""},
+		{"DT_VERNEED", Const, 0, ""},
+		{"DT_VERNEEDNUM", Const, 0, ""},
+		{"DT_VERSYM", Const, 0, ""},
+		{"Data", Type, 0, ""},
+		{"Dyn32", Type, 0, ""},
+		{"Dyn32.Tag", Field, 0, ""},
+		{"Dyn32.Val", Field, 0, ""},
+		{"Dyn64", Type, 0, ""},
+		{"Dyn64.Tag", Field, 0, ""},
+		{"Dyn64.Val", Field, 0, ""},
+		{"DynFlag", Type, 0, ""},
+		{"DynFlag1", Type, 21, ""},
+		{"DynTag", Type, 0, ""},
+		{"DynamicVersion", Type, 24, ""},
+		{"DynamicVersion.Deps", Field, 24, ""},
+		{"DynamicVersion.Flags", Field, 24, ""},
+		{"DynamicVersion.Index", Field, 24, ""},
+		{"DynamicVersion.Name", Field, 24, ""},
+		{"DynamicVersionDep", Type, 24, ""},
+		{"DynamicVersionDep.Dep", Field, 24, ""},
+		{"DynamicVersionDep.Flags", Field, 24, ""},
+		{"DynamicVersionDep.Index", Field, 24, ""},
+		{"DynamicVersionFlag", Type, 24, ""},
+		{"DynamicVersionNeed", Type, 24, ""},
+		{"DynamicVersionNeed.Name", Field, 24, ""},
+		{"DynamicVersionNeed.Needs", Field, 24, ""},
+		{"EI_ABIVERSION", Const, 0, ""},
+		{"EI_CLASS", Const, 0, ""},
+		{"EI_DATA", Const, 0, ""},
+		{"EI_NIDENT", Const, 0, ""},
+		{"EI_OSABI", Const, 0, ""},
+		{"EI_PAD", Const, 0, ""},
+		{"EI_VERSION", Const, 0, ""},
+		{"ELFCLASS32", Const, 0, ""},
+		{"ELFCLASS64", Const, 0, ""},
+		{"ELFCLASSNONE", Const, 0, ""},
+		{"ELFDATA2LSB", Const, 0, ""},
+		{"ELFDATA2MSB", Const, 0, ""},
+		{"ELFDATANONE", Const, 0, ""},
+		{"ELFMAG", Const, 0, ""},
+		{"ELFOSABI_86OPEN", Const, 0, ""},
+		{"ELFOSABI_AIX", Const, 0, ""},
+		{"ELFOSABI_ARM", Const, 0, ""},
+		{"ELFOSABI_AROS", Const, 11, ""},
+		{"ELFOSABI_CLOUDABI", Const, 11, ""},
+		{"ELFOSABI_FENIXOS", Const, 11, ""},
+		{"ELFOSABI_FREEBSD", Const, 0, ""},
+		{"ELFOSABI_HPUX", Const, 0, ""},
+		{"ELFOSABI_HURD", Const, 0, ""},
+		{"ELFOSABI_IRIX", Const, 0, ""},
+		{"ELFOSABI_LINUX", Const, 0, ""},
+		{"ELFOSABI_MODESTO", Const, 0, ""},
+		{"ELFOSABI_NETBSD", Const, 0, ""},
+		{"ELFOSABI_NONE", Const, 0, ""},
+		{"ELFOSABI_NSK", Const, 0, ""},
+		{"ELFOSABI_OPENBSD", Const, 0, ""},
+		{"ELFOSABI_OPENVMS", Const, 0, ""},
+		{"ELFOSABI_SOLARIS", Const, 0, ""},
+		{"ELFOSABI_STANDALONE", Const, 0, ""},
+		{"ELFOSABI_TRU64", Const, 0, ""},
+		{"EM_386", Const, 0, ""},
+		{"EM_486", Const, 0, ""},
+		{"EM_56800EX", Const, 11, ""},
+		{"EM_68HC05", Const, 11, ""},
+		{"EM_68HC08", Const, 11, ""},
+		{"EM_68HC11", Const, 11, ""},
+		{"EM_68HC12", Const, 0, ""},
+		{"EM_68HC16", Const, 11, ""},
+		{"EM_68K", Const, 0, ""},
+		{"EM_78KOR", Const, 11, ""},
+		{"EM_8051", Const, 11, ""},
+		{"EM_860", Const, 0, ""},
+		{"EM_88K", Const, 0, ""},
+		{"EM_960", Const, 0, ""},
+		{"EM_AARCH64", Const, 4, ""},
+		{"EM_ALPHA", Const, 0, ""},
+		{"EM_ALPHA_STD", Const, 0, ""},
+		{"EM_ALTERA_NIOS2", Const, 11, ""},
+		{"EM_AMDGPU", Const, 11, ""},
+		{"EM_ARC", Const, 0, ""},
+		{"EM_ARCA", Const, 11, ""},
+		{"EM_ARC_COMPACT", Const, 11, ""},
+		{"EM_ARC_COMPACT2", Const, 11, ""},
+		{"EM_ARM", Const, 0, ""},
+		{"EM_AVR", Const, 11, ""},
+		{"EM_AVR32", Const, 11, ""},
+		{"EM_BA1", Const, 11, ""},
+		{"EM_BA2", Const, 11, ""},
+		{"EM_BLACKFIN", Const, 11, ""},
+		{"EM_BPF", Const, 11, ""},
+		{"EM_C166", Const, 11, ""},
+		{"EM_CDP", Const, 11, ""},
+		{"EM_CE", Const, 11, ""},
+		{"EM_CLOUDSHIELD", Const, 11, ""},
+		{"EM_COGE", Const, 11, ""},
+		{"EM_COLDFIRE", Const, 0, ""},
+		{"EM_COOL", Const, 11, ""},
+		{"EM_COREA_1ST", Const, 11, ""},
+		{"EM_COREA_2ND", Const, 11, ""},
+		{"EM_CR", Const, 11, ""},
+		{"EM_CR16", Const, 11, ""},
+		{"EM_CRAYNV2", Const, 11, ""},
+		{"EM_CRIS", Const, 11, ""},
+		{"EM_CRX", Const, 11, ""},
+		{"EM_CSR_KALIMBA", Const, 11, ""},
+		{"EM_CUDA", Const, 11, ""},
+		{"EM_CYPRESS_M8C", Const, 11, ""},
+		{"EM_D10V", Const, 11, ""},
+		{"EM_D30V", Const, 11, ""},
+		{"EM_DSP24", Const, 11, ""},
+		{"EM_DSPIC30F", Const, 11, ""},
+		{"EM_DXP", Const, 11, ""},
+		{"EM_ECOG1", Const, 11, ""},
+		{"EM_ECOG16", Const, 11, ""},
+		{"EM_ECOG1X", Const, 11, ""},
+		{"EM_ECOG2", Const, 11, ""},
+		{"EM_ETPU", Const, 11, ""},
+		{"EM_EXCESS", Const, 11, ""},
+		{"EM_F2MC16", Const, 11, ""},
+		{"EM_FIREPATH", Const, 11, ""},
+		{"EM_FR20", Const, 0, ""},
+		{"EM_FR30", Const, 11, ""},
+		{"EM_FT32", Const, 11, ""},
+		{"EM_FX66", Const, 11, ""},
+		{"EM_H8S", Const, 0, ""},
+		{"EM_H8_300", Const, 0, ""},
+		{"EM_H8_300H", Const, 0, ""},
+		{"EM_H8_500", Const, 0, ""},
+		{"EM_HUANY", Const, 11, ""},
+		{"EM_IA_64", Const, 0, ""},
+		{"EM_INTEL205", Const, 11, ""},
+		{"EM_INTEL206", Const, 11, ""},
+		{"EM_INTEL207", Const, 11, ""},
+		{"EM_INTEL208", Const, 11, ""},
+		{"EM_INTEL209", Const, 11, ""},
+		{"EM_IP2K", Const, 11, ""},
+		{"EM_JAVELIN", Const, 11, ""},
+		{"EM_K10M", Const, 11, ""},
+		{"EM_KM32", Const, 11, ""},
+		{"EM_KMX16", Const, 11, ""},
+		{"EM_KMX32", Const, 11, ""},
+		{"EM_KMX8", Const, 11, ""},
+		{"EM_KVARC", Const, 11, ""},
+		{"EM_L10M", Const, 11, ""},
+		{"EM_LANAI", Const, 11, ""},
+		{"EM_LATTICEMICO32", Const, 11, ""},
+		{"EM_LOONGARCH", Const, 19, ""},
+		{"EM_M16C", Const, 11, ""},
+		{"EM_M32", Const, 0, ""},
+		{"EM_M32C", Const, 11, ""},
+		{"EM_M32R", Const, 11, ""},
+		{"EM_MANIK", Const, 11, ""},
+		{"EM_MAX", Const, 11, ""},
+		{"EM_MAXQ30", Const, 11, ""},
+		{"EM_MCHP_PIC", Const, 11, ""},
+		{"EM_MCST_ELBRUS", Const, 11, ""},
+		{"EM_ME16", Const, 0, ""},
+		{"EM_METAG", Const, 11, ""},
+		{"EM_MICROBLAZE", Const, 11, ""},
+		{"EM_MIPS", Const, 0, ""},
+		{"EM_MIPS_RS3_LE", Const, 0, ""},
+		{"EM_MIPS_RS4_BE", Const, 0, ""},
+		{"EM_MIPS_X", Const, 0, ""},
+		{"EM_MMA", Const, 0, ""},
+		{"EM_MMDSP_PLUS", Const, 11, ""},
+		{"EM_MMIX", Const, 11, ""},
+		{"EM_MN10200", Const, 11, ""},
+		{"EM_MN10300", Const, 11, ""},
+		{"EM_MOXIE", Const, 11, ""},
+		{"EM_MSP430", Const, 11, ""},
+		{"EM_NCPU", Const, 0, ""},
+		{"EM_NDR1", Const, 0, ""},
+		{"EM_NDS32", Const, 11, ""},
+		{"EM_NONE", Const, 0, ""},
+		{"EM_NORC", Const, 11, ""},
+		{"EM_NS32K", Const, 11, ""},
+		{"EM_OPEN8", Const, 11, ""},
+		{"EM_OPENRISC", Const, 11, ""},
+		{"EM_PARISC", Const, 0, ""},
+		{"EM_PCP", Const, 0, ""},
+		{"EM_PDP10", Const, 11, ""},
+		{"EM_PDP11", Const, 11, ""},
+		{"EM_PDSP", Const, 11, ""},
+		{"EM_PJ", Const, 11, ""},
+		{"EM_PPC", Const, 0, ""},
+		{"EM_PPC64", Const, 0, ""},
+		{"EM_PRISM", Const, 11, ""},
+		{"EM_QDSP6", Const, 11, ""},
+		{"EM_R32C", Const, 11, ""},
+		{"EM_RCE", Const, 0, ""},
+		{"EM_RH32", Const, 0, ""},
+		{"EM_RISCV", Const, 11, ""},
+		{"EM_RL78", Const, 11, ""},
+		{"EM_RS08", Const, 11, ""},
+		{"EM_RX", Const, 11, ""},
+		{"EM_S370", Const, 0, ""},
+		{"EM_S390", Const, 0, ""},
+		{"EM_SCORE7", Const, 11, ""},
+		{"EM_SEP", Const, 11, ""},
+		{"EM_SE_C17", Const, 11, ""},
+		{"EM_SE_C33", Const, 11, ""},
+		{"EM_SH", Const, 0, ""},
+		{"EM_SHARC", Const, 11, ""},
+		{"EM_SLE9X", Const, 11, ""},
+		{"EM_SNP1K", Const, 11, ""},
+		{"EM_SPARC", Const, 0, ""},
+		{"EM_SPARC32PLUS", Const, 0, ""},
+		{"EM_SPARCV9", Const, 0, ""},
+		{"EM_ST100", Const, 0, ""},
+		{"EM_ST19", Const, 11, ""},
+		{"EM_ST200", Const, 11, ""},
+		{"EM_ST7", Const, 11, ""},
+		{"EM_ST9PLUS", Const, 11, ""},
+		{"EM_STARCORE", Const, 0, ""},
+		{"EM_STM8", Const, 11, ""},
+		{"EM_STXP7X", Const, 11, ""},
+		{"EM_SVX", Const, 11, ""},
+		{"EM_TILE64", Const, 11, ""},
+		{"EM_TILEGX", Const, 11, ""},
+		{"EM_TILEPRO", Const, 11, ""},
+		{"EM_TINYJ", Const, 0, ""},
+		{"EM_TI_ARP32", Const, 11, ""},
+		{"EM_TI_C2000", Const, 11, ""},
+		{"EM_TI_C5500", Const, 11, ""},
+		{"EM_TI_C6000", Const, 11, ""},
+		{"EM_TI_PRU", Const, 11, ""},
+		{"EM_TMM_GPP", Const, 11, ""},
+		{"EM_TPC", Const, 11, ""},
+		{"EM_TRICORE", Const, 0, ""},
+		{"EM_TRIMEDIA", Const, 11, ""},
+		{"EM_TSK3000", Const, 11, ""},
+		{"EM_UNICORE", Const, 11, ""},
+		{"EM_V800", Const, 0, ""},
+		{"EM_V850", Const, 11, ""},
+		{"EM_VAX", Const, 11, ""},
+		{"EM_VIDEOCORE", Const, 11, ""},
+		{"EM_VIDEOCORE3", Const, 11, ""},
+		{"EM_VIDEOCORE5", Const, 11, ""},
+		{"EM_VISIUM", Const, 11, ""},
+		{"EM_VPP500", Const, 0, ""},
+		{"EM_X86_64", Const, 0, ""},
+		{"EM_XCORE", Const, 11, ""},
+		{"EM_XGATE", Const, 11, ""},
+		{"EM_XIMO16", Const, 11, ""},
+		{"EM_XTENSA", Const, 11, ""},
+		{"EM_Z80", Const, 11, ""},
+		{"EM_ZSP", Const, 11, ""},
+		{"ET_CORE", Const, 0, ""},
+		{"ET_DYN", Const, 0, ""},
+		{"ET_EXEC", Const, 0, ""},
+		{"ET_HIOS", Const, 0, ""},
+		{"ET_HIPROC", Const, 0, ""},
+		{"ET_LOOS", Const, 0, ""},
+		{"ET_LOPROC", Const, 0, ""},
+		{"ET_NONE", Const, 0, ""},
+		{"ET_REL", Const, 0, ""},
+		{"EV_CURRENT", Const, 0, ""},
+		{"EV_NONE", Const, 0, ""},
+		{"ErrNoSymbols", Var, 4, ""},
+		{"File", Type, 0, ""},
+		{"File.FileHeader", Field, 0, ""},
+		{"File.Progs", Field, 0, ""},
+		{"File.Sections", Field, 0, ""},
+		{"FileHeader", Type, 0, ""},
+		{"FileHeader.ABIVersion", Field, 0, ""},
+		{"FileHeader.ByteOrder", Field, 0, ""},
+		{"FileHeader.Class", Field, 0, ""},
+		{"FileHeader.Data", Field, 0, ""},
+		{"FileHeader.Entry", Field, 1, ""},
+		{"FileHeader.Machine", Field, 0, ""},
+		{"FileHeader.OSABI", Field, 0, ""},
+		{"FileHeader.Type", Field, 0, ""},
+		{"FileHeader.Version", Field, 0, ""},
+		{"FormatError", Type, 0, ""},
+		{"Header32", Type, 0, ""},
+		{"Header32.Ehsize", Field, 0, ""},
+		{"Header32.Entry", Field, 0, ""},
+		{"Header32.Flags", Field, 0, ""},
+		{"Header32.Ident", Field, 0, ""},
+		{"Header32.Machine", Field, 0, ""},
+		{"Header32.Phentsize", Field, 0, ""},
+		{"Header32.Phnum", Field, 0, ""},
+		{"Header32.Phoff", Field, 0, ""},
+		{"Header32.Shentsize", Field, 0, ""},
+		{"Header32.Shnum", Field, 0, ""},
+		{"Header32.Shoff", Field, 0, ""},
+		{"Header32.Shstrndx", Field, 0, ""},
+		{"Header32.Type", Field, 0, ""},
+		{"Header32.Version", Field, 0, ""},
+		{"Header64", Type, 0, ""},
+		{"Header64.Ehsize", Field, 0, ""},
+		{"Header64.Entry", Field, 0, ""},
+		{"Header64.Flags", Field, 0, ""},
+		{"Header64.Ident", Field, 0, ""},
+		{"Header64.Machine", Field, 0, ""},
+		{"Header64.Phentsize", Field, 0, ""},
+		{"Header64.Phnum", Field, 0, ""},
+		{"Header64.Phoff", Field, 0, ""},
+		{"Header64.Shentsize", Field, 0, ""},
+		{"Header64.Shnum", Field, 0, ""},
+		{"Header64.Shoff", Field, 0, ""},
+		{"Header64.Shstrndx", Field, 0, ""},
+		{"Header64.Type", Field, 0, ""},
+		{"Header64.Version", Field, 0, ""},
+		{"ImportedSymbol", Type, 0, ""},
+		{"ImportedSymbol.Library", Field, 0, ""},
+		{"ImportedSymbol.Name", Field, 0, ""},
+		{"ImportedSymbol.Version", Field, 0, ""},
+		{"Machine", Type, 0, ""},
+		{"NT_FPREGSET", Const, 0, ""},
+		{"NT_PRPSINFO", Const, 0, ""},
+		{"NT_PRSTATUS", Const, 0, ""},
+		{"NType", Type, 0, ""},
+		{"NewFile", Func, 0, "func(r io.ReaderAt) (*File, error)"},
+		{"OSABI", Type, 0, ""},
+		{"Open", Func, 0, "func(name string) (*File, error)"},
+		{"PF_MASKOS", Const, 0, ""},
+		{"PF_MASKPROC", Const, 0, ""},
+		{"PF_R", Const, 0, ""},
+		{"PF_W", Const, 0, ""},
+		{"PF_X", Const, 0, ""},
+		{"PT_AARCH64_ARCHEXT", Const, 16, ""},
+		{"PT_AARCH64_UNWIND", Const, 16, ""},
+		{"PT_ARM_ARCHEXT", Const, 16, ""},
+		{"PT_ARM_EXIDX", Const, 16, ""},
+		{"PT_DYNAMIC", Const, 0, ""},
+		{"PT_GNU_EH_FRAME", Const, 16, ""},
+		{"PT_GNU_MBIND_HI", Const, 16, ""},
+		{"PT_GNU_MBIND_LO", Const, 16, ""},
+		{"PT_GNU_PROPERTY", Const, 16, ""},
+		{"PT_GNU_RELRO", Const, 16, ""},
+		{"PT_GNU_STACK", Const, 16, ""},
+		{"PT_HIOS", Const, 0, ""},
+		{"PT_HIPROC", Const, 0, ""},
+		{"PT_INTERP", Const, 0, ""},
+		{"PT_LOAD", Const, 0, ""},
+		{"PT_LOOS", Const, 0, ""},
+		{"PT_LOPROC", Const, 0, ""},
+		{"PT_MIPS_ABIFLAGS", Const, 16, ""},
+		{"PT_MIPS_OPTIONS", Const, 16, ""},
+		{"PT_MIPS_REGINFO", Const, 16, ""},
+		{"PT_MIPS_RTPROC", Const, 16, ""},
+		{"PT_NOTE", Const, 0, ""},
+		{"PT_NULL", Const, 0, ""},
+		{"PT_OPENBSD_BOOTDATA", Const, 16, ""},
+		{"PT_OPENBSD_NOBTCFI", Const, 23, ""},
+		{"PT_OPENBSD_RANDOMIZE", Const, 16, ""},
+		{"PT_OPENBSD_WXNEEDED", Const, 16, ""},
+		{"PT_PAX_FLAGS", Const, 16, ""},
+		{"PT_PHDR", Const, 0, ""},
+		{"PT_RISCV_ATTRIBUTES", Const, 25, ""},
+		{"PT_S390_PGSTE", Const, 16, ""},
+		{"PT_SHLIB", Const, 0, ""},
+		{"PT_SUNWSTACK", Const, 16, ""},
+		{"PT_SUNW_EH_FRAME", Const, 16, ""},
+		{"PT_TLS", Const, 0, ""},
+		{"Prog", Type, 0, ""},
+		{"Prog.ProgHeader", Field, 0, ""},
+		{"Prog.ReaderAt", Field, 0, ""},
+		{"Prog32", Type, 0, ""},
+		{"Prog32.Align", Field, 0, ""},
+		{"Prog32.Filesz", Field, 0, ""},
+		{"Prog32.Flags", Field, 0, ""},
+		{"Prog32.Memsz", Field, 0, ""},
+		{"Prog32.Off", Field, 0, ""},
+		{"Prog32.Paddr", Field, 0, ""},
+		{"Prog32.Type", Field, 0, ""},
+		{"Prog32.Vaddr", Field, 0, ""},
+		{"Prog64", Type, 0, ""},
+		{"Prog64.Align", Field, 0, ""},
+		{"Prog64.Filesz", Field, 0, ""},
+		{"Prog64.Flags", Field, 0, ""},
+		{"Prog64.Memsz", Field, 0, ""},
+		{"Prog64.Off", Field, 0, ""},
+		{"Prog64.Paddr", Field, 0, ""},
+		{"Prog64.Type", Field, 0, ""},
+		{"Prog64.Vaddr", Field, 0, ""},
+		{"ProgFlag", Type, 0, ""},
+		{"ProgHeader", Type, 0, ""},
+		{"ProgHeader.Align", Field, 0, ""},
+		{"ProgHeader.Filesz", Field, 0, ""},
+		{"ProgHeader.Flags", Field, 0, ""},
+		{"ProgHeader.Memsz", Field, 0, ""},
+		{"ProgHeader.Off", Field, 0, ""},
+		{"ProgHeader.Paddr", Field, 0, ""},
+		{"ProgHeader.Type", Field, 0, ""},
+		{"ProgHeader.Vaddr", Field, 0, ""},
+		{"ProgType", Type, 0, ""},
+		{"R_386", Type, 0, ""},
+		{"R_386_16", Const, 10, ""},
+		{"R_386_32", Const, 0, ""},
+		{"R_386_32PLT", Const, 10, ""},
+		{"R_386_8", Const, 10, ""},
+		{"R_386_COPY", Const, 0, ""},
+		{"R_386_GLOB_DAT", Const, 0, ""},
+		{"R_386_GOT32", Const, 0, ""},
+		{"R_386_GOT32X", Const, 10, ""},
+		{"R_386_GOTOFF", Const, 0, ""},
+		{"R_386_GOTPC", Const, 0, ""},
+		{"R_386_IRELATIVE", Const, 10, ""},
+		{"R_386_JMP_SLOT", Const, 0, ""},
+		{"R_386_NONE", Const, 0, ""},
+		{"R_386_PC16", Const, 10, ""},
+		{"R_386_PC32", Const, 0, ""},
+		{"R_386_PC8", Const, 10, ""},
+		{"R_386_PLT32", Const, 0, ""},
+		{"R_386_RELATIVE", Const, 0, ""},
+		{"R_386_SIZE32", Const, 10, ""},
+		{"R_386_TLS_DESC", Const, 10, ""},
+		{"R_386_TLS_DESC_CALL", Const, 10, ""},
+		{"R_386_TLS_DTPMOD32", Const, 0, ""},
+		{"R_386_TLS_DTPOFF32", Const, 0, ""},
+		{"R_386_TLS_GD", Const, 0, ""},
+		{"R_386_TLS_GD_32", Const, 0, ""},
+		{"R_386_TLS_GD_CALL", Const, 0, ""},
+		{"R_386_TLS_GD_POP", Const, 0, ""},
+		{"R_386_TLS_GD_PUSH", Const, 0, ""},
+		{"R_386_TLS_GOTDESC", Const, 10, ""},
+		{"R_386_TLS_GOTIE", Const, 0, ""},
+		{"R_386_TLS_IE", Const, 0, ""},
+		{"R_386_TLS_IE_32", Const, 0, ""},
+		{"R_386_TLS_LDM", Const, 0, ""},
+		{"R_386_TLS_LDM_32", Const, 0, ""},
+		{"R_386_TLS_LDM_CALL", Const, 0, ""},
+		{"R_386_TLS_LDM_POP", Const, 0, ""},
+		{"R_386_TLS_LDM_PUSH", Const, 0, ""},
+		{"R_386_TLS_LDO_32", Const, 0, ""},
+		{"R_386_TLS_LE", Const, 0, ""},
+		{"R_386_TLS_LE_32", Const, 0, ""},
+		{"R_386_TLS_TPOFF", Const, 0, ""},
+		{"R_386_TLS_TPOFF32", Const, 0, ""},
+		{"R_390", Type, 7, ""},
+		{"R_390_12", Const, 7, ""},
+		{"R_390_16", Const, 7, ""},
+		{"R_390_20", Const, 7, ""},
+		{"R_390_32", Const, 7, ""},
+		{"R_390_64", Const, 7, ""},
+		{"R_390_8", Const, 7, ""},
+		{"R_390_COPY", Const, 7, ""},
+		{"R_390_GLOB_DAT", Const, 7, ""},
+		{"R_390_GOT12", Const, 7, ""},
+		{"R_390_GOT16", Const, 7, ""},
+		{"R_390_GOT20", Const, 7, ""},
+		{"R_390_GOT32", Const, 7, ""},
+		{"R_390_GOT64", Const, 7, ""},
+		{"R_390_GOTENT", Const, 7, ""},
+		{"R_390_GOTOFF", Const, 7, ""},
+		{"R_390_GOTOFF16", Const, 7, ""},
+		{"R_390_GOTOFF64", Const, 7, ""},
+		{"R_390_GOTPC", Const, 7, ""},
+		{"R_390_GOTPCDBL", Const, 7, ""},
+		{"R_390_GOTPLT12", Const, 7, ""},
+		{"R_390_GOTPLT16", Const, 7, ""},
+		{"R_390_GOTPLT20", Const, 7, ""},
+		{"R_390_GOTPLT32", Const, 7, ""},
+		{"R_390_GOTPLT64", Const, 7, ""},
+		{"R_390_GOTPLTENT", Const, 7, ""},
+		{"R_390_GOTPLTOFF16", Const, 7, ""},
+		{"R_390_GOTPLTOFF32", Const, 7, ""},
+		{"R_390_GOTPLTOFF64", Const, 7, ""},
+		{"R_390_JMP_SLOT", Const, 7, ""},
+		{"R_390_NONE", Const, 7, ""},
+		{"R_390_PC16", Const, 7, ""},
+		{"R_390_PC16DBL", Const, 7, ""},
+		{"R_390_PC32", Const, 7, ""},
+		{"R_390_PC32DBL", Const, 7, ""},
+		{"R_390_PC64", Const, 7, ""},
+		{"R_390_PLT16DBL", Const, 7, ""},
+		{"R_390_PLT32", Const, 7, ""},
+		{"R_390_PLT32DBL", Const, 7, ""},
+		{"R_390_PLT64", Const, 7, ""},
+		{"R_390_RELATIVE", Const, 7, ""},
+		{"R_390_TLS_DTPMOD", Const, 7, ""},
+		{"R_390_TLS_DTPOFF", Const, 7, ""},
+		{"R_390_TLS_GD32", Const, 7, ""},
+		{"R_390_TLS_GD64", Const, 7, ""},
+		{"R_390_TLS_GDCALL", Const, 7, ""},
+		{"R_390_TLS_GOTIE12", Const, 7, ""},
+		{"R_390_TLS_GOTIE20", Const, 7, ""},
+		{"R_390_TLS_GOTIE32", Const, 7, ""},
+		{"R_390_TLS_GOTIE64", Const, 7, ""},
+		{"R_390_TLS_IE32", Const, 7, ""},
+		{"R_390_TLS_IE64", Const, 7, ""},
+		{"R_390_TLS_IEENT", Const, 7, ""},
+		{"R_390_TLS_LDCALL", Const, 7, ""},
+		{"R_390_TLS_LDM32", Const, 7, ""},
+		{"R_390_TLS_LDM64", Const, 7, ""},
+		{"R_390_TLS_LDO32", Const, 7, ""},
+		{"R_390_TLS_LDO64", Const, 7, ""},
+		{"R_390_TLS_LE32", Const, 7, ""},
+		{"R_390_TLS_LE64", Const, 7, ""},
+		{"R_390_TLS_LOAD", Const, 7, ""},
+		{"R_390_TLS_TPOFF", Const, 7, ""},
+		{"R_AARCH64", Type, 4, ""},
+		{"R_AARCH64_ABS16", Const, 4, ""},
+		{"R_AARCH64_ABS32", Const, 4, ""},
+		{"R_AARCH64_ABS64", Const, 4, ""},
+		{"R_AARCH64_ADD_ABS_LO12_NC", Const, 4, ""},
+		{"R_AARCH64_ADR_GOT_PAGE", Const, 4, ""},
+		{"R_AARCH64_ADR_PREL_LO21", Const, 4, ""},
+		{"R_AARCH64_ADR_PREL_PG_HI21", Const, 4, ""},
+		{"R_AARCH64_ADR_PREL_PG_HI21_NC", Const, 4, ""},
+		{"R_AARCH64_CALL26", Const, 4, ""},
+		{"R_AARCH64_CONDBR19", Const, 4, ""},
+		{"R_AARCH64_COPY", Const, 4, ""},
+		{"R_AARCH64_GLOB_DAT", Const, 4, ""},
+		{"R_AARCH64_GOT_LD_PREL19", Const, 4, ""},
+		{"R_AARCH64_IRELATIVE", Const, 4, ""},
+		{"R_AARCH64_JUMP26", Const, 4, ""},
+		{"R_AARCH64_JUMP_SLOT", Const, 4, ""},
+		{"R_AARCH64_LD64_GOTOFF_LO15", Const, 10, ""},
+		{"R_AARCH64_LD64_GOTPAGE_LO15", Const, 10, ""},
+		{"R_AARCH64_LD64_GOT_LO12_NC", Const, 4, ""},
+		{"R_AARCH64_LDST128_ABS_LO12_NC", Const, 4, ""},
+		{"R_AARCH64_LDST16_ABS_LO12_NC", Const, 4, ""},
+		{"R_AARCH64_LDST32_ABS_LO12_NC", Const, 4, ""},
+		{"R_AARCH64_LDST64_ABS_LO12_NC", Const, 4, ""},
+		{"R_AARCH64_LDST8_ABS_LO12_NC", Const, 4, ""},
+		{"R_AARCH64_LD_PREL_LO19", Const, 4, ""},
+		{"R_AARCH64_MOVW_SABS_G0", Const, 4, ""},
+		{"R_AARCH64_MOVW_SABS_G1", Const, 4, ""},
+		{"R_AARCH64_MOVW_SABS_G2", Const, 4, ""},
+		{"R_AARCH64_MOVW_UABS_G0", Const, 4, ""},
+		{"R_AARCH64_MOVW_UABS_G0_NC", Const, 4, ""},
+		{"R_AARCH64_MOVW_UABS_G1", Const, 4, ""},
+		{"R_AARCH64_MOVW_UABS_G1_NC", Const, 4, ""},
+		{"R_AARCH64_MOVW_UABS_G2", Const, 4, ""},
+		{"R_AARCH64_MOVW_UABS_G2_NC", Const, 4, ""},
+		{"R_AARCH64_MOVW_UABS_G3", Const, 4, ""},
+		{"R_AARCH64_NONE", Const, 4, ""},
+		{"R_AARCH64_NULL", Const, 4, ""},
+		{"R_AARCH64_P32_ABS16", Const, 4, ""},
+		{"R_AARCH64_P32_ABS32", Const, 4, ""},
+		{"R_AARCH64_P32_ADD_ABS_LO12_NC", Const, 4, ""},
+		{"R_AARCH64_P32_ADR_GOT_PAGE", Const, 4, ""},
+		{"R_AARCH64_P32_ADR_PREL_LO21", Const, 4, ""},
+		{"R_AARCH64_P32_ADR_PREL_PG_HI21", Const, 4, ""},
+		{"R_AARCH64_P32_CALL26", Const, 4, ""},
+		{"R_AARCH64_P32_CONDBR19", Const, 4, ""},
+		{"R_AARCH64_P32_COPY", Const, 4, ""},
+		{"R_AARCH64_P32_GLOB_DAT", Const, 4, ""},
+		{"R_AARCH64_P32_GOT_LD_PREL19", Const, 4, ""},
+		{"R_AARCH64_P32_IRELATIVE", Const, 4, ""},
+		{"R_AARCH64_P32_JUMP26", Const, 4, ""},
+		{"R_AARCH64_P32_JUMP_SLOT", Const, 4, ""},
+		{"R_AARCH64_P32_LD32_GOT_LO12_NC", Const, 4, ""},
+		{"R_AARCH64_P32_LDST128_ABS_LO12_NC", Const, 4, ""},
+		{"R_AARCH64_P32_LDST16_ABS_LO12_NC", Const, 4, ""},
+		{"R_AARCH64_P32_LDST32_ABS_LO12_NC", Const, 4, ""},
+		{"R_AARCH64_P32_LDST64_ABS_LO12_NC", Const, 4, ""},
+		{"R_AARCH64_P32_LDST8_ABS_LO12_NC", Const, 4, ""},
+		{"R_AARCH64_P32_LD_PREL_LO19", Const, 4, ""},
+		{"R_AARCH64_P32_MOVW_SABS_G0", Const, 4, ""},
+		{"R_AARCH64_P32_MOVW_UABS_G0", Const, 4, ""},
+		{"R_AARCH64_P32_MOVW_UABS_G0_NC", Const, 4, ""},
+		{"R_AARCH64_P32_MOVW_UABS_G1", Const, 4, ""},
+		{"R_AARCH64_P32_PREL16", Const, 4, ""},
+		{"R_AARCH64_P32_PREL32", Const, 4, ""},
+		{"R_AARCH64_P32_RELATIVE", Const, 4, ""},
+		{"R_AARCH64_P32_TLSDESC", Const, 4, ""},
+		{"R_AARCH64_P32_TLSDESC_ADD_LO12_NC", Const, 4, ""},
+		{"R_AARCH64_P32_TLSDESC_ADR_PAGE21", Const, 4, ""},
+		{"R_AARCH64_P32_TLSDESC_ADR_PREL21", Const, 4, ""},
+		{"R_AARCH64_P32_TLSDESC_CALL", Const, 4, ""},
+		{"R_AARCH64_P32_TLSDESC_LD32_LO12_NC", Const, 4, ""},
+		{"R_AARCH64_P32_TLSDESC_LD_PREL19", Const, 4, ""},
+		{"R_AARCH64_P32_TLSGD_ADD_LO12_NC", Const, 4, ""},
+		{"R_AARCH64_P32_TLSGD_ADR_PAGE21", Const, 4, ""},
+		{"R_AARCH64_P32_TLSIE_ADR_GOTTPREL_PAGE21", Const, 4, ""},
+		{"R_AARCH64_P32_TLSIE_LD32_GOTTPREL_LO12_NC", Const, 4, ""},
+		{"R_AARCH64_P32_TLSIE_LD_GOTTPREL_PREL19", Const, 4, ""},
+		{"R_AARCH64_P32_TLSLE_ADD_TPREL_HI12", Const, 4, ""},
+		{"R_AARCH64_P32_TLSLE_ADD_TPREL_LO12", Const, 4, ""},
+		{"R_AARCH64_P32_TLSLE_ADD_TPREL_LO12_NC", Const, 4, ""},
+		{"R_AARCH64_P32_TLSLE_MOVW_TPREL_G0", Const, 4, ""},
+		{"R_AARCH64_P32_TLSLE_MOVW_TPREL_G0_NC", Const, 4, ""},
+		{"R_AARCH64_P32_TLSLE_MOVW_TPREL_G1", Const, 4, ""},
+		{"R_AARCH64_P32_TLS_DTPMOD", Const, 4, ""},
+		{"R_AARCH64_P32_TLS_DTPREL", Const, 4, ""},
+		{"R_AARCH64_P32_TLS_TPREL", Const, 4, ""},
+		{"R_AARCH64_P32_TSTBR14", Const, 4, ""},
+		{"R_AARCH64_PREL16", Const, 4, ""},
+		{"R_AARCH64_PREL32", Const, 4, ""},
+		{"R_AARCH64_PREL64", Const, 4, ""},
+		{"R_AARCH64_RELATIVE", Const, 4, ""},
+		{"R_AARCH64_TLSDESC", Const, 4, ""},
+		{"R_AARCH64_TLSDESC_ADD", Const, 4, ""},
+		{"R_AARCH64_TLSDESC_ADD_LO12_NC", Const, 4, ""},
+		{"R_AARCH64_TLSDESC_ADR_PAGE21", Const, 4, ""},
+		{"R_AARCH64_TLSDESC_ADR_PREL21", Const, 4, ""},
+		{"R_AARCH64_TLSDESC_CALL", Const, 4, ""},
+		{"R_AARCH64_TLSDESC_LD64_LO12_NC", Const, 4, ""},
+		{"R_AARCH64_TLSDESC_LDR", Const, 4, ""},
+		{"R_AARCH64_TLSDESC_LD_PREL19", Const, 4, ""},
+		{"R_AARCH64_TLSDESC_OFF_G0_NC", Const, 4, ""},
+		{"R_AARCH64_TLSDESC_OFF_G1", Const, 4, ""},
+		{"R_AARCH64_TLSGD_ADD_LO12_NC", Const, 4, ""},
+		{"R_AARCH64_TLSGD_ADR_PAGE21", Const, 4, ""},
+		{"R_AARCH64_TLSGD_ADR_PREL21", Const, 10, ""},
+		{"R_AARCH64_TLSGD_MOVW_G0_NC", Const, 10, ""},
+		{"R_AARCH64_TLSGD_MOVW_G1", Const, 10, ""},
+		{"R_AARCH64_TLSIE_ADR_GOTTPREL_PAGE21", Const, 4, ""},
+		{"R_AARCH64_TLSIE_LD64_GOTTPREL_LO12_NC", Const, 4, ""},
+		{"R_AARCH64_TLSIE_LD_GOTTPREL_PREL19", Const, 4, ""},
+		{"R_AARCH64_TLSIE_MOVW_GOTTPREL_G0_NC", Const, 4, ""},
+		{"R_AARCH64_TLSIE_MOVW_GOTTPREL_G1", Const, 4, ""},
+		{"R_AARCH64_TLSLD_ADR_PAGE21", Const, 10, ""},
+		{"R_AARCH64_TLSLD_ADR_PREL21", Const, 10, ""},
+		{"R_AARCH64_TLSLD_LDST128_DTPREL_LO12", Const, 10, ""},
+		{"R_AARCH64_TLSLD_LDST128_DTPREL_LO12_NC", Const, 10, ""},
+		{"R_AARCH64_TLSLE_ADD_TPREL_HI12", Const, 4, ""},
+		{"R_AARCH64_TLSLE_ADD_TPREL_LO12", Const, 4, ""},
+		{"R_AARCH64_TLSLE_ADD_TPREL_LO12_NC", Const, 4, ""},
+		{"R_AARCH64_TLSLE_LDST128_TPREL_LO12", Const, 10, ""},
+		{"R_AARCH64_TLSLE_LDST128_TPREL_LO12_NC", Const, 10, ""},
+		{"R_AARCH64_TLSLE_MOVW_TPREL_G0", Const, 4, ""},
+		{"R_AARCH64_TLSLE_MOVW_TPREL_G0_NC", Const, 4, ""},
+		{"R_AARCH64_TLSLE_MOVW_TPREL_G1", Const, 4, ""},
+		{"R_AARCH64_TLSLE_MOVW_TPREL_G1_NC", Const, 4, ""},
+		{"R_AARCH64_TLSLE_MOVW_TPREL_G2", Const, 4, ""},
+		{"R_AARCH64_TLS_DTPMOD64", Const, 4, ""},
+		{"R_AARCH64_TLS_DTPREL64", Const, 4, ""},
+		{"R_AARCH64_TLS_TPREL64", Const, 4, ""},
+		{"R_AARCH64_TSTBR14", Const, 4, ""},
+		{"R_ALPHA", Type, 0, ""},
+		{"R_ALPHA_BRADDR", Const, 0, ""},
+		{"R_ALPHA_COPY", Const, 0, ""},
+		{"R_ALPHA_GLOB_DAT", Const, 0, ""},
+		{"R_ALPHA_GPDISP", Const, 0, ""},
+		{"R_ALPHA_GPREL32", Const, 0, ""},
+		{"R_ALPHA_GPRELHIGH", Const, 0, ""},
+		{"R_ALPHA_GPRELLOW", Const, 0, ""},
+		{"R_ALPHA_GPVALUE", Const, 0, ""},
+		{"R_ALPHA_HINT", Const, 0, ""},
+		{"R_ALPHA_IMMED_BR_HI32", Const, 0, ""},
+		{"R_ALPHA_IMMED_GP_16", Const, 0, ""},
+		{"R_ALPHA_IMMED_GP_HI32", Const, 0, ""},
+		{"R_ALPHA_IMMED_LO32", Const, 0, ""},
+		{"R_ALPHA_IMMED_SCN_HI32", Const, 0, ""},
+		{"R_ALPHA_JMP_SLOT", Const, 0, ""},
+		{"R_ALPHA_LITERAL", Const, 0, ""},
+		{"R_ALPHA_LITUSE", Const, 0, ""},
+		{"R_ALPHA_NONE", Const, 0, ""},
+		{"R_ALPHA_OP_PRSHIFT", Const, 0, ""},
+		{"R_ALPHA_OP_PSUB", Const, 0, ""},
+		{"R_ALPHA_OP_PUSH", Const, 0, ""},
+		{"R_ALPHA_OP_STORE", Const, 0, ""},
+		{"R_ALPHA_REFLONG", Const, 0, ""},
+		{"R_ALPHA_REFQUAD", Const, 0, ""},
+		{"R_ALPHA_RELATIVE", Const, 0, ""},
+		{"R_ALPHA_SREL16", Const, 0, ""},
+		{"R_ALPHA_SREL32", Const, 0, ""},
+		{"R_ALPHA_SREL64", Const, 0, ""},
+		{"R_ARM", Type, 0, ""},
+		{"R_ARM_ABS12", Const, 0, ""},
+		{"R_ARM_ABS16", Const, 0, ""},
+		{"R_ARM_ABS32", Const, 0, ""},
+		{"R_ARM_ABS32_NOI", Const, 10, ""},
+		{"R_ARM_ABS8", Const, 0, ""},
+		{"R_ARM_ALU_PCREL_15_8", Const, 10, ""},
+		{"R_ARM_ALU_PCREL_23_15", Const, 10, ""},
+		{"R_ARM_ALU_PCREL_7_0", Const, 10, ""},
+		{"R_ARM_ALU_PC_G0", Const, 10, ""},
+		{"R_ARM_ALU_PC_G0_NC", Const, 10, ""},
+		{"R_ARM_ALU_PC_G1", Const, 10, ""},
+		{"R_ARM_ALU_PC_G1_NC", Const, 10, ""},
+		{"R_ARM_ALU_PC_G2", Const, 10, ""},
+		{"R_ARM_ALU_SBREL_19_12_NC", Const, 10, ""},
+		{"R_ARM_ALU_SBREL_27_20_CK", Const, 10, ""},
+		{"R_ARM_ALU_SB_G0", Const, 10, ""},
+		{"R_ARM_ALU_SB_G0_NC", Const, 10, ""},
+		{"R_ARM_ALU_SB_G1", Const, 10, ""},
+		{"R_ARM_ALU_SB_G1_NC", Const, 10, ""},
+		{"R_ARM_ALU_SB_G2", Const, 10, ""},
+		{"R_ARM_AMP_VCALL9", Const, 0, ""},
+		{"R_ARM_BASE_ABS", Const, 10, ""},
+		{"R_ARM_CALL", Const, 10, ""},
+		{"R_ARM_COPY", Const, 0, ""},
+		{"R_ARM_GLOB_DAT", Const, 0, ""},
+		{"R_ARM_GNU_VTENTRY", Const, 0, ""},
+		{"R_ARM_GNU_VTINHERIT", Const, 0, ""},
+		{"R_ARM_GOT32", Const, 0, ""},
+		{"R_ARM_GOTOFF", Const, 0, ""},
+		{"R_ARM_GOTOFF12", Const, 10, ""},
+		{"R_ARM_GOTPC", Const, 0, ""},
+		{"R_ARM_GOTRELAX", Const, 10, ""},
+		{"R_ARM_GOT_ABS", Const, 10, ""},
+		{"R_ARM_GOT_BREL12", Const, 10, ""},
+		{"R_ARM_GOT_PREL", Const, 10, ""},
+		{"R_ARM_IRELATIVE", Const, 10, ""},
+		{"R_ARM_JUMP24", Const, 10, ""},
+		{"R_ARM_JUMP_SLOT", Const, 0, ""},
+		{"R_ARM_LDC_PC_G0", Const, 10, ""},
+		{"R_ARM_LDC_PC_G1", Const, 10, ""},
+		{"R_ARM_LDC_PC_G2", Const, 10, ""},
+		{"R_ARM_LDC_SB_G0", Const, 10, ""},
+		{"R_ARM_LDC_SB_G1", Const, 10, ""},
+		{"R_ARM_LDC_SB_G2", Const, 10, ""},
+		{"R_ARM_LDRS_PC_G0", Const, 10, ""},
+		{"R_ARM_LDRS_PC_G1", Const, 10, ""},
+		{"R_ARM_LDRS_PC_G2", Const, 10, ""},
+		{"R_ARM_LDRS_SB_G0", Const, 10, ""},
+		{"R_ARM_LDRS_SB_G1", Const, 10, ""},
+		{"R_ARM_LDRS_SB_G2", Const, 10, ""},
+		{"R_ARM_LDR_PC_G1", Const, 10, ""},
+		{"R_ARM_LDR_PC_G2", Const, 10, ""},
+		{"R_ARM_LDR_SBREL_11_10_NC", Const, 10, ""},
+		{"R_ARM_LDR_SB_G0", Const, 10, ""},
+		{"R_ARM_LDR_SB_G1", Const, 10, ""},
+		{"R_ARM_LDR_SB_G2", Const, 10, ""},
+		{"R_ARM_ME_TOO", Const, 10, ""},
+		{"R_ARM_MOVT_ABS", Const, 10, ""},
+		{"R_ARM_MOVT_BREL", Const, 10, ""},
+		{"R_ARM_MOVT_PREL", Const, 10, ""},
+		{"R_ARM_MOVW_ABS_NC", Const, 10, ""},
+		{"R_ARM_MOVW_BREL", Const, 10, ""},
+		{"R_ARM_MOVW_BREL_NC", Const, 10, ""},
+		{"R_ARM_MOVW_PREL_NC", Const, 10, ""},
+		{"R_ARM_NONE", Const, 0, ""},
+		{"R_ARM_PC13", Const, 0, ""},
+		{"R_ARM_PC24", Const, 0, ""},
+		{"R_ARM_PLT32", Const, 0, ""},
+		{"R_ARM_PLT32_ABS", Const, 10, ""},
+		{"R_ARM_PREL31", Const, 10, ""},
+		{"R_ARM_PRIVATE_0", Const, 10, ""},
+		{"R_ARM_PRIVATE_1", Const, 10, ""},
+		{"R_ARM_PRIVATE_10", Const, 10, ""},
+		{"R_ARM_PRIVATE_11", Const, 10, ""},
+		{"R_ARM_PRIVATE_12", Const, 10, ""},
+		{"R_ARM_PRIVATE_13", Const, 10, ""},
+		{"R_ARM_PRIVATE_14", Const, 10, ""},
+		{"R_ARM_PRIVATE_15", Const, 10, ""},
+		{"R_ARM_PRIVATE_2", Const, 10, ""},
+		{"R_ARM_PRIVATE_3", Const, 10, ""},
+		{"R_ARM_PRIVATE_4", Const, 10, ""},
+		{"R_ARM_PRIVATE_5", Const, 10, ""},
+		{"R_ARM_PRIVATE_6", Const, 10, ""},
+		{"R_ARM_PRIVATE_7", Const, 10, ""},
+		{"R_ARM_PRIVATE_8", Const, 10, ""},
+		{"R_ARM_PRIVATE_9", Const, 10, ""},
+		{"R_ARM_RABS32", Const, 0, ""},
+		{"R_ARM_RBASE", Const, 0, ""},
+		{"R_ARM_REL32", Const, 0, ""},
+		{"R_ARM_REL32_NOI", Const, 10, ""},
+		{"R_ARM_RELATIVE", Const, 0, ""},
+		{"R_ARM_RPC24", Const, 0, ""},
+		{"R_ARM_RREL32", Const, 0, ""},
+		{"R_ARM_RSBREL32", Const, 0, ""},
+		{"R_ARM_RXPC25", Const, 10, ""},
+		{"R_ARM_SBREL31", Const, 10, ""},
+		{"R_ARM_SBREL32", Const, 0, ""},
+		{"R_ARM_SWI24", Const, 0, ""},
+		{"R_ARM_TARGET1", Const, 10, ""},
+		{"R_ARM_TARGET2", Const, 10, ""},
+		{"R_ARM_THM_ABS5", Const, 0, ""},
+		{"R_ARM_THM_ALU_ABS_G0_NC", Const, 10, ""},
+		{"R_ARM_THM_ALU_ABS_G1_NC", Const, 10, ""},
+		{"R_ARM_THM_ALU_ABS_G2_NC", Const, 10, ""},
+		{"R_ARM_THM_ALU_ABS_G3", Const, 10, ""},
+		{"R_ARM_THM_ALU_PREL_11_0", Const, 10, ""},
+		{"R_ARM_THM_GOT_BREL12", Const, 10, ""},
+		{"R_ARM_THM_JUMP11", Const, 10, ""},
+		{"R_ARM_THM_JUMP19", Const, 10, ""},
+		{"R_ARM_THM_JUMP24", Const, 10, ""},
+		{"R_ARM_THM_JUMP6", Const, 10, ""},
+		{"R_ARM_THM_JUMP8", Const, 10, ""},
+		{"R_ARM_THM_MOVT_ABS", Const, 10, ""},
+		{"R_ARM_THM_MOVT_BREL", Const, 10, ""},
+		{"R_ARM_THM_MOVT_PREL", Const, 10, ""},
+		{"R_ARM_THM_MOVW_ABS_NC", Const, 10, ""},
+		{"R_ARM_THM_MOVW_BREL", Const, 10, ""},
+		{"R_ARM_THM_MOVW_BREL_NC", Const, 10, ""},
+		{"R_ARM_THM_MOVW_PREL_NC", Const, 10, ""},
+		{"R_ARM_THM_PC12", Const, 10, ""},
+		{"R_ARM_THM_PC22", Const, 0, ""},
+		{"R_ARM_THM_PC8", Const, 0, ""},
+		{"R_ARM_THM_RPC22", Const, 0, ""},
+		{"R_ARM_THM_SWI8", Const, 0, ""},
+		{"R_ARM_THM_TLS_CALL", Const, 10, ""},
+		{"R_ARM_THM_TLS_DESCSEQ16", Const, 10, ""},
+		{"R_ARM_THM_TLS_DESCSEQ32", Const, 10, ""},
+		{"R_ARM_THM_XPC22", Const, 0, ""},
+		{"R_ARM_TLS_CALL", Const, 10, ""},
+		{"R_ARM_TLS_DESCSEQ", Const, 10, ""},
+		{"R_ARM_TLS_DTPMOD32", Const, 10, ""},
+		{"R_ARM_TLS_DTPOFF32", Const, 10, ""},
+		{"R_ARM_TLS_GD32", Const, 10, ""},
+		{"R_ARM_TLS_GOTDESC", Const, 10, ""},
+		{"R_ARM_TLS_IE12GP", Const, 10, ""},
+		{"R_ARM_TLS_IE32", Const, 10, ""},
+		{"R_ARM_TLS_LDM32", Const, 10, ""},
+		{"R_ARM_TLS_LDO12", Const, 10, ""},
+		{"R_ARM_TLS_LDO32", Const, 10, ""},
+		{"R_ARM_TLS_LE12", Const, 10, ""},
+		{"R_ARM_TLS_LE32", Const, 10, ""},
+		{"R_ARM_TLS_TPOFF32", Const, 10, ""},
+		{"R_ARM_V4BX", Const, 10, ""},
+		{"R_ARM_XPC25", Const, 0, ""},
+		{"R_INFO", Func, 0, "func(sym uint32, typ uint32) uint64"},
+		{"R_INFO32", Func, 0, "func(sym uint32, typ uint32) uint32"},
+		{"R_LARCH", Type, 19, ""},
+		{"R_LARCH_32", Const, 19, ""},
+		{"R_LARCH_32_PCREL", Const, 20, ""},
+		{"R_LARCH_64", Const, 19, ""},
+		{"R_LARCH_64_PCREL", Const, 22, ""},
+		{"R_LARCH_ABS64_HI12", Const, 20, ""},
+		{"R_LARCH_ABS64_LO20", Const, 20, ""},
+		{"R_LARCH_ABS_HI20", Const, 20, ""},
+		{"R_LARCH_ABS_LO12", Const, 20, ""},
+		{"R_LARCH_ADD16", Const, 19, ""},
+		{"R_LARCH_ADD24", Const, 19, ""},
+		{"R_LARCH_ADD32", Const, 19, ""},
+		{"R_LARCH_ADD6", Const, 22, ""},
+		{"R_LARCH_ADD64", Const, 19, ""},
+		{"R_LARCH_ADD8", Const, 19, ""},
+		{"R_LARCH_ADD_ULEB128", Const, 22, ""},
+		{"R_LARCH_ALIGN", Const, 22, ""},
+		{"R_LARCH_B16", Const, 20, ""},
+		{"R_LARCH_B21", Const, 20, ""},
+		{"R_LARCH_B26", Const, 20, ""},
+		{"R_LARCH_CALL36", Const, 26, ""},
+		{"R_LARCH_CFA", Const, 22, ""},
+		{"R_LARCH_COPY", Const, 19, ""},
+		{"R_LARCH_DELETE", Const, 22, ""},
+		{"R_LARCH_GNU_VTENTRY", Const, 20, ""},
+		{"R_LARCH_GNU_VTINHERIT", Const, 20, ""},
+		{"R_LARCH_GOT64_HI12", Const, 20, ""},
+		{"R_LARCH_GOT64_LO20", Const, 20, ""},
+		{"R_LARCH_GOT64_PC_HI12", Const, 20, ""},
+		{"R_LARCH_GOT64_PC_LO20", Const, 20, ""},
+		{"R_LARCH_GOT_HI20", Const, 20, ""},
+		{"R_LARCH_GOT_LO12", Const, 20, ""},
+		{"R_LARCH_GOT_PC_HI20", Const, 20, ""},
+		{"R_LARCH_GOT_PC_LO12", Const, 20, ""},
+		{"R_LARCH_IRELATIVE", Const, 19, ""},
+		{"R_LARCH_JUMP_SLOT", Const, 19, ""},
+		{"R_LARCH_MARK_LA", Const, 19, ""},
+		{"R_LARCH_MARK_PCREL", Const, 19, ""},
+		{"R_LARCH_NONE", Const, 19, ""},
+		{"R_LARCH_PCALA64_HI12", Const, 20, ""},
+		{"R_LARCH_PCALA64_LO20", Const, 20, ""},
+		{"R_LARCH_PCALA_HI20", Const, 20, ""},
+		{"R_LARCH_PCALA_LO12", Const, 20, ""},
+		{"R_LARCH_PCREL20_S2", Const, 22, ""},
+		{"R_LARCH_RELATIVE", Const, 19, ""},
+		{"R_LARCH_RELAX", Const, 20, ""},
+		{"R_LARCH_SOP_ADD", Const, 19, ""},
+		{"R_LARCH_SOP_AND", Const, 19, ""},
+		{"R_LARCH_SOP_ASSERT", Const, 19, ""},
+		{"R_LARCH_SOP_IF_ELSE", Const, 19, ""},
+		{"R_LARCH_SOP_NOT", Const, 19, ""},
+		{"R_LARCH_SOP_POP_32_S_0_10_10_16_S2", Const, 19, ""},
+		{"R_LARCH_SOP_POP_32_S_0_5_10_16_S2", Const, 19, ""},
+		{"R_LARCH_SOP_POP_32_S_10_12", Const, 19, ""},
+		{"R_LARCH_SOP_POP_32_S_10_16", Const, 19, ""},
+		{"R_LARCH_SOP_POP_32_S_10_16_S2", Const, 19, ""},
+		{"R_LARCH_SOP_POP_32_S_10_5", Const, 19, ""},
+		{"R_LARCH_SOP_POP_32_S_5_20", Const, 19, ""},
+		{"R_LARCH_SOP_POP_32_U", Const, 19, ""},
+		{"R_LARCH_SOP_POP_32_U_10_12", Const, 19, ""},
+		{"R_LARCH_SOP_PUSH_ABSOLUTE", Const, 19, ""},
+		{"R_LARCH_SOP_PUSH_DUP", Const, 19, ""},
+		{"R_LARCH_SOP_PUSH_GPREL", Const, 19, ""},
+		{"R_LARCH_SOP_PUSH_PCREL", Const, 19, ""},
+		{"R_LARCH_SOP_PUSH_PLT_PCREL", Const, 19, ""},
+		{"R_LARCH_SOP_PUSH_TLS_GD", Const, 19, ""},
+		{"R_LARCH_SOP_PUSH_TLS_GOT", Const, 19, ""},
+		{"R_LARCH_SOP_PUSH_TLS_TPREL", Const, 19, ""},
+		{"R_LARCH_SOP_SL", Const, 19, ""},
+		{"R_LARCH_SOP_SR", Const, 19, ""},
+		{"R_LARCH_SOP_SUB", Const, 19, ""},
+		{"R_LARCH_SUB16", Const, 19, ""},
+		{"R_LARCH_SUB24", Const, 19, ""},
+		{"R_LARCH_SUB32", Const, 19, ""},
+		{"R_LARCH_SUB6", Const, 22, ""},
+		{"R_LARCH_SUB64", Const, 19, ""},
+		{"R_LARCH_SUB8", Const, 19, ""},
+		{"R_LARCH_SUB_ULEB128", Const, 22, ""},
+		{"R_LARCH_TLS_DESC32", Const, 26, ""},
+		{"R_LARCH_TLS_DESC64", Const, 26, ""},
+		{"R_LARCH_TLS_DESC64_HI12", Const, 26, ""},
+		{"R_LARCH_TLS_DESC64_LO20", Const, 26, ""},
+		{"R_LARCH_TLS_DESC64_PC_HI12", Const, 26, ""},
+		{"R_LARCH_TLS_DESC64_PC_LO20", Const, 26, ""},
+		{"R_LARCH_TLS_DESC_CALL", Const, 26, ""},
+		{"R_LARCH_TLS_DESC_HI20", Const, 26, ""},
+		{"R_LARCH_TLS_DESC_LD", Const, 26, ""},
+		{"R_LARCH_TLS_DESC_LO12", Const, 26, ""},
+		{"R_LARCH_TLS_DESC_PCREL20_S2", Const, 26, ""},
+		{"R_LARCH_TLS_DESC_PC_HI20", Const, 26, ""},
+		{"R_LARCH_TLS_DESC_PC_LO12", Const, 26, ""},
+		{"R_LARCH_TLS_DTPMOD32", Const, 19, ""},
+		{"R_LARCH_TLS_DTPMOD64", Const, 19, ""},
+		{"R_LARCH_TLS_DTPREL32", Const, 19, ""},
+		{"R_LARCH_TLS_DTPREL64", Const, 19, ""},
+		{"R_LARCH_TLS_GD_HI20", Const, 20, ""},
+		{"R_LARCH_TLS_GD_PCREL20_S2", Const, 26, ""},
+		{"R_LARCH_TLS_GD_PC_HI20", Const, 20, ""},
+		{"R_LARCH_TLS_IE64_HI12", Const, 20, ""},
+		{"R_LARCH_TLS_IE64_LO20", Const, 20, ""},
+		{"R_LARCH_TLS_IE64_PC_HI12", Const, 20, ""},
+		{"R_LARCH_TLS_IE64_PC_LO20", Const, 20, ""},
+		{"R_LARCH_TLS_IE_HI20", Const, 20, ""},
+		{"R_LARCH_TLS_IE_LO12", Const, 20, ""},
+		{"R_LARCH_TLS_IE_PC_HI20", Const, 20, ""},
+		{"R_LARCH_TLS_IE_PC_LO12", Const, 20, ""},
+		{"R_LARCH_TLS_LD_HI20", Const, 20, ""},
+		{"R_LARCH_TLS_LD_PCREL20_S2", Const, 26, ""},
+		{"R_LARCH_TLS_LD_PC_HI20", Const, 20, ""},
+		{"R_LARCH_TLS_LE64_HI12", Const, 20, ""},
+		{"R_LARCH_TLS_LE64_LO20", Const, 20, ""},
+		{"R_LARCH_TLS_LE_ADD_R", Const, 26, ""},
+		{"R_LARCH_TLS_LE_HI20", Const, 20, ""},
+		{"R_LARCH_TLS_LE_HI20_R", Const, 26, ""},
+		{"R_LARCH_TLS_LE_LO12", Const, 20, ""},
+		{"R_LARCH_TLS_LE_LO12_R", Const, 26, ""},
+		{"R_LARCH_TLS_TPREL32", Const, 19, ""},
+		{"R_LARCH_TLS_TPREL64", Const, 19, ""},
+		{"R_MIPS", Type, 6, ""},
+		{"R_MIPS_16", Const, 6, ""},
+		{"R_MIPS_26", Const, 6, ""},
+		{"R_MIPS_32", Const, 6, ""},
+		{"R_MIPS_64", Const, 6, ""},
+		{"R_MIPS_ADD_IMMEDIATE", Const, 6, ""},
+		{"R_MIPS_CALL16", Const, 6, ""},
+		{"R_MIPS_CALL_HI16", Const, 6, ""},
+		{"R_MIPS_CALL_LO16", Const, 6, ""},
+		{"R_MIPS_DELETE", Const, 6, ""},
+		{"R_MIPS_GOT16", Const, 6, ""},
+		{"R_MIPS_GOT_DISP", Const, 6, ""},
+		{"R_MIPS_GOT_HI16", Const, 6, ""},
+		{"R_MIPS_GOT_LO16", Const, 6, ""},
+		{"R_MIPS_GOT_OFST", Const, 6, ""},
+		{"R_MIPS_GOT_PAGE", Const, 6, ""},
+		{"R_MIPS_GPREL16", Const, 6, ""},
+		{"R_MIPS_GPREL32", Const, 6, ""},
+		{"R_MIPS_HI16", Const, 6, ""},
+		{"R_MIPS_HIGHER", Const, 6, ""},
+		{"R_MIPS_HIGHEST", Const, 6, ""},
+		{"R_MIPS_INSERT_A", Const, 6, ""},
+		{"R_MIPS_INSERT_B", Const, 6, ""},
+		{"R_MIPS_JALR", Const, 6, ""},
+		{"R_MIPS_LITERAL", Const, 6, ""},
+		{"R_MIPS_LO16", Const, 6, ""},
+		{"R_MIPS_NONE", Const, 6, ""},
+		{"R_MIPS_PC16", Const, 6, ""},
+		{"R_MIPS_PC32", Const, 22, ""},
+		{"R_MIPS_PJUMP", Const, 6, ""},
+		{"R_MIPS_REL16", Const, 6, ""},
+		{"R_MIPS_REL32", Const, 6, ""},
+		{"R_MIPS_RELGOT", Const, 6, ""},
+		{"R_MIPS_SCN_DISP", Const, 6, ""},
+		{"R_MIPS_SHIFT5", Const, 6, ""},
+		{"R_MIPS_SHIFT6", Const, 6, ""},
+		{"R_MIPS_SUB", Const, 6, ""},
+		{"R_MIPS_TLS_DTPMOD32", Const, 6, ""},
+		{"R_MIPS_TLS_DTPMOD64", Const, 6, ""},
+		{"R_MIPS_TLS_DTPREL32", Const, 6, ""},
+		{"R_MIPS_TLS_DTPREL64", Const, 6, ""},
+		{"R_MIPS_TLS_DTPREL_HI16", Const, 6, ""},
+		{"R_MIPS_TLS_DTPREL_LO16", Const, 6, ""},
+		{"R_MIPS_TLS_GD", Const, 6, ""},
+		{"R_MIPS_TLS_GOTTPREL", Const, 6, ""},
+		{"R_MIPS_TLS_LDM", Const, 6, ""},
+		{"R_MIPS_TLS_TPREL32", Const, 6, ""},
+		{"R_MIPS_TLS_TPREL64", Const, 6, ""},
+		{"R_MIPS_TLS_TPREL_HI16", Const, 6, ""},
+		{"R_MIPS_TLS_TPREL_LO16", Const, 6, ""},
+		{"R_PPC", Type, 0, ""},
+		{"R_PPC64", Type, 5, ""},
+		{"R_PPC64_ADDR14", Const, 5, ""},
+		{"R_PPC64_ADDR14_BRNTAKEN", Const, 5, ""},
+		{"R_PPC64_ADDR14_BRTAKEN", Const, 5, ""},
+		{"R_PPC64_ADDR16", Const, 5, ""},
+		{"R_PPC64_ADDR16_DS", Const, 5, ""},
+		{"R_PPC64_ADDR16_HA", Const, 5, ""},
+		{"R_PPC64_ADDR16_HI", Const, 5, ""},
+		{"R_PPC64_ADDR16_HIGH", Const, 10, ""},
+		{"R_PPC64_ADDR16_HIGHA", Const, 10, ""},
+		{"R_PPC64_ADDR16_HIGHER", Const, 5, ""},
+		{"R_PPC64_ADDR16_HIGHER34", Const, 20, ""},
+		{"R_PPC64_ADDR16_HIGHERA", Const, 5, ""},
+		{"R_PPC64_ADDR16_HIGHERA34", Const, 20, ""},
+		{"R_PPC64_ADDR16_HIGHEST", Const, 5, ""},
+		{"R_PPC64_ADDR16_HIGHEST34", Const, 20, ""},
+		{"R_PPC64_ADDR16_HIGHESTA", Const, 5, ""},
+		{"R_PPC64_ADDR16_HIGHESTA34", Const, 20, ""},
+		{"R_PPC64_ADDR16_LO", Const, 5, ""},
+		{"R_PPC64_ADDR16_LO_DS", Const, 5, ""},
+		{"R_PPC64_ADDR24", Const, 5, ""},
+		{"R_PPC64_ADDR32", Const, 5, ""},
+		{"R_PPC64_ADDR64", Const, 5, ""},
+		{"R_PPC64_ADDR64_LOCAL", Const, 10, ""},
+		{"R_PPC64_COPY", Const, 20, ""},
+		{"R_PPC64_D28", Const, 20, ""},
+		{"R_PPC64_D34", Const, 20, ""},
+		{"R_PPC64_D34_HA30", Const, 20, ""},
+		{"R_PPC64_D34_HI30", Const, 20, ""},
+		{"R_PPC64_D34_LO", Const, 20, ""},
+		{"R_PPC64_DTPMOD64", Const, 5, ""},
+		{"R_PPC64_DTPREL16", Const, 5, ""},
+		{"R_PPC64_DTPREL16_DS", Const, 5, ""},
+		{"R_PPC64_DTPREL16_HA", Const, 5, ""},
+		{"R_PPC64_DTPREL16_HI", Const, 5, ""},
+		{"R_PPC64_DTPREL16_HIGH", Const, 10, ""},
+		{"R_PPC64_DTPREL16_HIGHA", Const, 10, ""},
+		{"R_PPC64_DTPREL16_HIGHER", Const, 5, ""},
+		{"R_PPC64_DTPREL16_HIGHERA", Const, 5, ""},
+		{"R_PPC64_DTPREL16_HIGHEST", Const, 5, ""},
+		{"R_PPC64_DTPREL16_HIGHESTA", Const, 5, ""},
+		{"R_PPC64_DTPREL16_LO", Const, 5, ""},
+		{"R_PPC64_DTPREL16_LO_DS", Const, 5, ""},
+		{"R_PPC64_DTPREL34", Const, 20, ""},
+		{"R_PPC64_DTPREL64", Const, 5, ""},
+		{"R_PPC64_ENTRY", Const, 10, ""},
+		{"R_PPC64_GLOB_DAT", Const, 20, ""},
+		{"R_PPC64_GNU_VTENTRY", Const, 20, ""},
+		{"R_PPC64_GNU_VTINHERIT", Const, 20, ""},
+		{"R_PPC64_GOT16", Const, 5, ""},
+		{"R_PPC64_GOT16_DS", Const, 5, ""},
+		{"R_PPC64_GOT16_HA", Const, 5, ""},
+		{"R_PPC64_GOT16_HI", Const, 5, ""},
+		{"R_PPC64_GOT16_LO", Const, 5, ""},
+		{"R_PPC64_GOT16_LO_DS", Const, 5, ""},
+		{"R_PPC64_GOT_DTPREL16_DS", Const, 5, ""},
+		{"R_PPC64_GOT_DTPREL16_HA", Const, 5, ""},
+		{"R_PPC64_GOT_DTPREL16_HI", Const, 5, ""},
+		{"R_PPC64_GOT_DTPREL16_LO_DS", Const, 5, ""},
+		{"R_PPC64_GOT_DTPREL_PCREL34", Const, 20, ""},
+		{"R_PPC64_GOT_PCREL34", Const, 20, ""},
+		{"R_PPC64_GOT_TLSGD16", Const, 5, ""},
+		{"R_PPC64_GOT_TLSGD16_HA", Const, 5, ""},
+		{"R_PPC64_GOT_TLSGD16_HI", Const, 5, ""},
+		{"R_PPC64_GOT_TLSGD16_LO", Const, 5, ""},
+		{"R_PPC64_GOT_TLSGD_PCREL34", Const, 20, ""},
+		{"R_PPC64_GOT_TLSLD16", Const, 5, ""},
+		{"R_PPC64_GOT_TLSLD16_HA", Const, 5, ""},
+		{"R_PPC64_GOT_TLSLD16_HI", Const, 5, ""},
+		{"R_PPC64_GOT_TLSLD16_LO", Const, 5, ""},
+		{"R_PPC64_GOT_TLSLD_PCREL34", Const, 20, ""},
+		{"R_PPC64_GOT_TPREL16_DS", Const, 5, ""},
+		{"R_PPC64_GOT_TPREL16_HA", Const, 5, ""},
+		{"R_PPC64_GOT_TPREL16_HI", Const, 5, ""},
+		{"R_PPC64_GOT_TPREL16_LO_DS", Const, 5, ""},
+		{"R_PPC64_GOT_TPREL_PCREL34", Const, 20, ""},
+		{"R_PPC64_IRELATIVE", Const, 10, ""},
+		{"R_PPC64_JMP_IREL", Const, 10, ""},
+		{"R_PPC64_JMP_SLOT", Const, 5, ""},
+		{"R_PPC64_NONE", Const, 5, ""},
+		{"R_PPC64_PCREL28", Const, 20, ""},
+		{"R_PPC64_PCREL34", Const, 20, ""},
+		{"R_PPC64_PCREL_OPT", Const, 20, ""},
+		{"R_PPC64_PLT16_HA", Const, 20, ""},
+		{"R_PPC64_PLT16_HI", Const, 20, ""},
+		{"R_PPC64_PLT16_LO", Const, 20, ""},
+		{"R_PPC64_PLT16_LO_DS", Const, 10, ""},
+		{"R_PPC64_PLT32", Const, 20, ""},
+		{"R_PPC64_PLT64", Const, 20, ""},
+		{"R_PPC64_PLTCALL", Const, 20, ""},
+		{"R_PPC64_PLTCALL_NOTOC", Const, 20, ""},
+		{"R_PPC64_PLTGOT16", Const, 10, ""},
+		{"R_PPC64_PLTGOT16_DS", Const, 10, ""},
+		{"R_PPC64_PLTGOT16_HA", Const, 10, ""},
+		{"R_PPC64_PLTGOT16_HI", Const, 10, ""},
+		{"R_PPC64_PLTGOT16_LO", Const, 10, ""},
+		{"R_PPC64_PLTGOT_LO_DS", Const, 10, ""},
+		{"R_PPC64_PLTREL32", Const, 20, ""},
+		{"R_PPC64_PLTREL64", Const, 20, ""},
+		{"R_PPC64_PLTSEQ", Const, 20, ""},
+		{"R_PPC64_PLTSEQ_NOTOC", Const, 20, ""},
+		{"R_PPC64_PLT_PCREL34", Const, 20, ""},
+		{"R_PPC64_PLT_PCREL34_NOTOC", Const, 20, ""},
+		{"R_PPC64_REL14", Const, 5, ""},
+		{"R_PPC64_REL14_BRNTAKEN", Const, 5, ""},
+		{"R_PPC64_REL14_BRTAKEN", Const, 5, ""},
+		{"R_PPC64_REL16", Const, 5, ""},
+		{"R_PPC64_REL16DX_HA", Const, 10, ""},
+		{"R_PPC64_REL16_HA", Const, 5, ""},
+		{"R_PPC64_REL16_HI", Const, 5, ""},
+		{"R_PPC64_REL16_HIGH", Const, 20, ""},
+		{"R_PPC64_REL16_HIGHA", Const, 20, ""},
+		{"R_PPC64_REL16_HIGHER", Const, 20, ""},
+		{"R_PPC64_REL16_HIGHER34", Const, 20, ""},
+		{"R_PPC64_REL16_HIGHERA", Const, 20, ""},
+		{"R_PPC64_REL16_HIGHERA34", Const, 20, ""},
+		{"R_PPC64_REL16_HIGHEST", Const, 20, ""},
+		{"R_PPC64_REL16_HIGHEST34", Const, 20, ""},
+		{"R_PPC64_REL16_HIGHESTA", Const, 20, ""},
+		{"R_PPC64_REL16_HIGHESTA34", Const, 20, ""},
+		{"R_PPC64_REL16_LO", Const, 5, ""},
+		{"R_PPC64_REL24", Const, 5, ""},
+		{"R_PPC64_REL24_NOTOC", Const, 10, ""},
+		{"R_PPC64_REL24_P9NOTOC", Const, 21, ""},
+		{"R_PPC64_REL30", Const, 20, ""},
+		{"R_PPC64_REL32", Const, 5, ""},
+		{"R_PPC64_REL64", Const, 5, ""},
+		{"R_PPC64_RELATIVE", Const, 18, ""},
+		{"R_PPC64_SECTOFF", Const, 20, ""},
+		{"R_PPC64_SECTOFF_DS", Const, 10, ""},
+		{"R_PPC64_SECTOFF_HA", Const, 20, ""},
+		{"R_PPC64_SECTOFF_HI", Const, 20, ""},
+		{"R_PPC64_SECTOFF_LO", Const, 20, ""},
+		{"R_PPC64_SECTOFF_LO_DS", Const, 10, ""},
+		{"R_PPC64_TLS", Const, 5, ""},
+		{"R_PPC64_TLSGD", Const, 5, ""},
+		{"R_PPC64_TLSLD", Const, 5, ""},
+		{"R_PPC64_TOC", Const, 5, ""},
+		{"R_PPC64_TOC16", Const, 5, ""},
+		{"R_PPC64_TOC16_DS", Const, 5, ""},
+		{"R_PPC64_TOC16_HA", Const, 5, ""},
+		{"R_PPC64_TOC16_HI", Const, 5, ""},
+		{"R_PPC64_TOC16_LO", Const, 5, ""},
+		{"R_PPC64_TOC16_LO_DS", Const, 5, ""},
+		{"R_PPC64_TOCSAVE", Const, 10, ""},
+		{"R_PPC64_TPREL16", Const, 5, ""},
+		{"R_PPC64_TPREL16_DS", Const, 5, ""},
+		{"R_PPC64_TPREL16_HA", Const, 5, ""},
+		{"R_PPC64_TPREL16_HI", Const, 5, ""},
+		{"R_PPC64_TPREL16_HIGH", Const, 10, ""},
+		{"R_PPC64_TPREL16_HIGHA", Const, 10, ""},
+		{"R_PPC64_TPREL16_HIGHER", Const, 5, ""},
+		{"R_PPC64_TPREL16_HIGHERA", Const, 5, ""},
+		{"R_PPC64_TPREL16_HIGHEST", Const, 5, ""},
+		{"R_PPC64_TPREL16_HIGHESTA", Const, 5, ""},
+		{"R_PPC64_TPREL16_LO", Const, 5, ""},
+		{"R_PPC64_TPREL16_LO_DS", Const, 5, ""},
+		{"R_PPC64_TPREL34", Const, 20, ""},
+		{"R_PPC64_TPREL64", Const, 5, ""},
+		{"R_PPC64_UADDR16", Const, 20, ""},
+		{"R_PPC64_UADDR32", Const, 20, ""},
+		{"R_PPC64_UADDR64", Const, 20, ""},
+		{"R_PPC_ADDR14", Const, 0, ""},
+		{"R_PPC_ADDR14_BRNTAKEN", Const, 0, ""},
+		{"R_PPC_ADDR14_BRTAKEN", Const, 0, ""},
+		{"R_PPC_ADDR16", Const, 0, ""},
+		{"R_PPC_ADDR16_HA", Const, 0, ""},
+		{"R_PPC_ADDR16_HI", Const, 0, ""},
+		{"R_PPC_ADDR16_LO", Const, 0, ""},
+		{"R_PPC_ADDR24", Const, 0, ""},
+		{"R_PPC_ADDR32", Const, 0, ""},
+		{"R_PPC_COPY", Const, 0, ""},
+		{"R_PPC_DTPMOD32", Const, 0, ""},
+		{"R_PPC_DTPREL16", Const, 0, ""},
+		{"R_PPC_DTPREL16_HA", Const, 0, ""},
+		{"R_PPC_DTPREL16_HI", Const, 0, ""},
+		{"R_PPC_DTPREL16_LO", Const, 0, ""},
+		{"R_PPC_DTPREL32", Const, 0, ""},
+		{"R_PPC_EMB_BIT_FLD", Const, 0, ""},
+		{"R_PPC_EMB_MRKREF", Const, 0, ""},
+		{"R_PPC_EMB_NADDR16", Const, 0, ""},
+		{"R_PPC_EMB_NADDR16_HA", Const, 0, ""},
+		{"R_PPC_EMB_NADDR16_HI", Const, 0, ""},
+		{"R_PPC_EMB_NADDR16_LO", Const, 0, ""},
+		{"R_PPC_EMB_NADDR32", Const, 0, ""},
+		{"R_PPC_EMB_RELSDA", Const, 0, ""},
+		{"R_PPC_EMB_RELSEC16", Const, 0, ""},
+		{"R_PPC_EMB_RELST_HA", Const, 0, ""},
+		{"R_PPC_EMB_RELST_HI", Const, 0, ""},
+		{"R_PPC_EMB_RELST_LO", Const, 0, ""},
+		{"R_PPC_EMB_SDA21", Const, 0, ""},
+		{"R_PPC_EMB_SDA2I16", Const, 0, ""},
+		{"R_PPC_EMB_SDA2REL", Const, 0, ""},
+		{"R_PPC_EMB_SDAI16", Const, 0, ""},
+		{"R_PPC_GLOB_DAT", Const, 0, ""},
+		{"R_PPC_GOT16", Const, 0, ""},
+		{"R_PPC_GOT16_HA", Const, 0, ""},
+		{"R_PPC_GOT16_HI", Const, 0, ""},
+		{"R_PPC_GOT16_LO", Const, 0, ""},
+		{"R_PPC_GOT_TLSGD16", Const, 0, ""},
+		{"R_PPC_GOT_TLSGD16_HA", Const, 0, ""},
+		{"R_PPC_GOT_TLSGD16_HI", Const, 0, ""},
+		{"R_PPC_GOT_TLSGD16_LO", Const, 0, ""},
+		{"R_PPC_GOT_TLSLD16", Const, 0, ""},
+		{"R_PPC_GOT_TLSLD16_HA", Const, 0, ""},
+		{"R_PPC_GOT_TLSLD16_HI", Const, 0, ""},
+		{"R_PPC_GOT_TLSLD16_LO", Const, 0, ""},
+		{"R_PPC_GOT_TPREL16", Const, 0, ""},
+		{"R_PPC_GOT_TPREL16_HA", Const, 0, ""},
+		{"R_PPC_GOT_TPREL16_HI", Const, 0, ""},
+		{"R_PPC_GOT_TPREL16_LO", Const, 0, ""},
+		{"R_PPC_JMP_SLOT", Const, 0, ""},
+		{"R_PPC_LOCAL24PC", Const, 0, ""},
+		{"R_PPC_NONE", Const, 0, ""},
+		{"R_PPC_PLT16_HA", Const, 0, ""},
+		{"R_PPC_PLT16_HI", Const, 0, ""},
+		{"R_PPC_PLT16_LO", Const, 0, ""},
+		{"R_PPC_PLT32", Const, 0, ""},
+		{"R_PPC_PLTREL24", Const, 0, ""},
+		{"R_PPC_PLTREL32", Const, 0, ""},
+		{"R_PPC_REL14", Const, 0, ""},
+		{"R_PPC_REL14_BRNTAKEN", Const, 0, ""},
+		{"R_PPC_REL14_BRTAKEN", Const, 0, ""},
+		{"R_PPC_REL24", Const, 0, ""},
+		{"R_PPC_REL32", Const, 0, ""},
+		{"R_PPC_RELATIVE", Const, 0, ""},
+		{"R_PPC_SDAREL16", Const, 0, ""},
+		{"R_PPC_SECTOFF", Const, 0, ""},
+		{"R_PPC_SECTOFF_HA", Const, 0, ""},
+		{"R_PPC_SECTOFF_HI", Const, 0, ""},
+		{"R_PPC_SECTOFF_LO", Const, 0, ""},
+		{"R_PPC_TLS", Const, 0, ""},
+		{"R_PPC_TPREL16", Const, 0, ""},
+		{"R_PPC_TPREL16_HA", Const, 0, ""},
+		{"R_PPC_TPREL16_HI", Const, 0, ""},
+		{"R_PPC_TPREL16_LO", Const, 0, ""},
+		{"R_PPC_TPREL32", Const, 0, ""},
+		{"R_PPC_UADDR16", Const, 0, ""},
+		{"R_PPC_UADDR32", Const, 0, ""},
+		{"R_RISCV", Type, 11, ""},
+		{"R_RISCV_32", Const, 11, ""},
+		{"R_RISCV_32_PCREL", Const, 12, ""},
+		{"R_RISCV_64", Const, 11, ""},
+		{"R_RISCV_ADD16", Const, 11, ""},
+		{"R_RISCV_ADD32", Const, 11, ""},
+		{"R_RISCV_ADD64", Const, 11, ""},
+		{"R_RISCV_ADD8", Const, 11, ""},
+		{"R_RISCV_ALIGN", Const, 11, ""},
+		{"R_RISCV_BRANCH", Const, 11, ""},
+		{"R_RISCV_CALL", Const, 11, ""},
+		{"R_RISCV_CALL_PLT", Const, 11, ""},
+		{"R_RISCV_COPY", Const, 11, ""},
+		{"R_RISCV_GNU_VTENTRY", Const, 11, ""},
+		{"R_RISCV_GNU_VTINHERIT", Const, 11, ""},
+		{"R_RISCV_GOT_HI20", Const, 11, ""},
+		{"R_RISCV_GPREL_I", Const, 11, ""},
+		{"R_RISCV_GPREL_S", Const, 11, ""},
+		{"R_RISCV_HI20", Const, 11, ""},
+		{"R_RISCV_JAL", Const, 11, ""},
+		{"R_RISCV_JUMP_SLOT", Const, 11, ""},
+		{"R_RISCV_LO12_I", Const, 11, ""},
+		{"R_RISCV_LO12_S", Const, 11, ""},
+		{"R_RISCV_NONE", Const, 11, ""},
+		{"R_RISCV_PCREL_HI20", Const, 11, ""},
+		{"R_RISCV_PCREL_LO12_I", Const, 11, ""},
+		{"R_RISCV_PCREL_LO12_S", Const, 11, ""},
+		{"R_RISCV_RELATIVE", Const, 11, ""},
+		{"R_RISCV_RELAX", Const, 11, ""},
+		{"R_RISCV_RVC_BRANCH", Const, 11, ""},
+		{"R_RISCV_RVC_JUMP", Const, 11, ""},
+		{"R_RISCV_RVC_LUI", Const, 11, ""},
+		{"R_RISCV_SET16", Const, 11, ""},
+		{"R_RISCV_SET32", Const, 11, ""},
+		{"R_RISCV_SET6", Const, 11, ""},
+		{"R_RISCV_SET8", Const, 11, ""},
+		{"R_RISCV_SUB16", Const, 11, ""},
+		{"R_RISCV_SUB32", Const, 11, ""},
+		{"R_RISCV_SUB6", Const, 11, ""},
+		{"R_RISCV_SUB64", Const, 11, ""},
+		{"R_RISCV_SUB8", Const, 11, ""},
+		{"R_RISCV_TLS_DTPMOD32", Const, 11, ""},
+		{"R_RISCV_TLS_DTPMOD64", Const, 11, ""},
+		{"R_RISCV_TLS_DTPREL32", Const, 11, ""},
+		{"R_RISCV_TLS_DTPREL64", Const, 11, ""},
+		{"R_RISCV_TLS_GD_HI20", Const, 11, ""},
+		{"R_RISCV_TLS_GOT_HI20", Const, 11, ""},
+		{"R_RISCV_TLS_TPREL32", Const, 11, ""},
+		{"R_RISCV_TLS_TPREL64", Const, 11, ""},
+		{"R_RISCV_TPREL_ADD", Const, 11, ""},
+		{"R_RISCV_TPREL_HI20", Const, 11, ""},
+		{"R_RISCV_TPREL_I", Const, 11, ""},
+		{"R_RISCV_TPREL_LO12_I", Const, 11, ""},
+		{"R_RISCV_TPREL_LO12_S", Const, 11, ""},
+		{"R_RISCV_TPREL_S", Const, 11, ""},
+		{"R_SPARC", Type, 0, ""},
+		{"R_SPARC_10", Const, 0, ""},
+		{"R_SPARC_11", Const, 0, ""},
+		{"R_SPARC_13", Const, 0, ""},
+		{"R_SPARC_16", Const, 0, ""},
+		{"R_SPARC_22", Const, 0, ""},
+		{"R_SPARC_32", Const, 0, ""},
+		{"R_SPARC_5", Const, 0, ""},
+		{"R_SPARC_6", Const, 0, ""},
+		{"R_SPARC_64", Const, 0, ""},
+		{"R_SPARC_7", Const, 0, ""},
+		{"R_SPARC_8", Const, 0, ""},
+		{"R_SPARC_COPY", Const, 0, ""},
+		{"R_SPARC_DISP16", Const, 0, ""},
+		{"R_SPARC_DISP32", Const, 0, ""},
+		{"R_SPARC_DISP64", Const, 0, ""},
+		{"R_SPARC_DISP8", Const, 0, ""},
+		{"R_SPARC_GLOB_DAT", Const, 0, ""},
+		{"R_SPARC_GLOB_JMP", Const, 0, ""},
+		{"R_SPARC_GOT10", Const, 0, ""},
+		{"R_SPARC_GOT13", Const, 0, ""},
+		{"R_SPARC_GOT22", Const, 0, ""},
+		{"R_SPARC_H44", Const, 0, ""},
+		{"R_SPARC_HH22", Const, 0, ""},
+		{"R_SPARC_HI22", Const, 0, ""},
+		{"R_SPARC_HIPLT22", Const, 0, ""},
+		{"R_SPARC_HIX22", Const, 0, ""},
+		{"R_SPARC_HM10", Const, 0, ""},
+		{"R_SPARC_JMP_SLOT", Const, 0, ""},
+		{"R_SPARC_L44", Const, 0, ""},
+		{"R_SPARC_LM22", Const, 0, ""},
+		{"R_SPARC_LO10", Const, 0, ""},
+		{"R_SPARC_LOPLT10", Const, 0, ""},
+		{"R_SPARC_LOX10", Const, 0, ""},
+		{"R_SPARC_M44", Const, 0, ""},
+		{"R_SPARC_NONE", Const, 0, ""},
+		{"R_SPARC_OLO10", Const, 0, ""},
+		{"R_SPARC_PC10", Const, 0, ""},
+		{"R_SPARC_PC22", Const, 0, ""},
+		{"R_SPARC_PCPLT10", Const, 0, ""},
+		{"R_SPARC_PCPLT22", Const, 0, ""},
+		{"R_SPARC_PCPLT32", Const, 0, ""},
+		{"R_SPARC_PC_HH22", Const, 0, ""},
+		{"R_SPARC_PC_HM10", Const, 0, ""},
+		{"R_SPARC_PC_LM22", Const, 0, ""},
+		{"R_SPARC_PLT32", Const, 0, ""},
+		{"R_SPARC_PLT64", Const, 0, ""},
+		{"R_SPARC_REGISTER", Const, 0, ""},
+		{"R_SPARC_RELATIVE", Const, 0, ""},
+		{"R_SPARC_UA16", Const, 0, ""},
+		{"R_SPARC_UA32", Const, 0, ""},
+		{"R_SPARC_UA64", Const, 0, ""},
+		{"R_SPARC_WDISP16", Const, 0, ""},
+		{"R_SPARC_WDISP19", Const, 0, ""},
+		{"R_SPARC_WDISP22", Const, 0, ""},
+		{"R_SPARC_WDISP30", Const, 0, ""},
+		{"R_SPARC_WPLT30", Const, 0, ""},
+		{"R_SYM32", Func, 0, "func(info uint32) uint32"},
+		{"R_SYM64", Func, 0, "func(info uint64) uint32"},
+		{"R_TYPE32", Func, 0, "func(info uint32) uint32"},
+		{"R_TYPE64", Func, 0, "func(info uint64) uint32"},
+		{"R_X86_64", Type, 0, ""},
+		{"R_X86_64_16", Const, 0, ""},
+		{"R_X86_64_32", Const, 0, ""},
+		{"R_X86_64_32S", Const, 0, ""},
+		{"R_X86_64_64", Const, 0, ""},
+		{"R_X86_64_8", Const, 0, ""},
+		{"R_X86_64_COPY", Const, 0, ""},
+		{"R_X86_64_DTPMOD64", Const, 0, ""},
+		{"R_X86_64_DTPOFF32", Const, 0, ""},
+		{"R_X86_64_DTPOFF64", Const, 0, ""},
+		{"R_X86_64_GLOB_DAT", Const, 0, ""},
+		{"R_X86_64_GOT32", Const, 0, ""},
+		{"R_X86_64_GOT64", Const, 10, ""},
+		{"R_X86_64_GOTOFF64", Const, 10, ""},
+		{"R_X86_64_GOTPC32", Const, 10, ""},
+		{"R_X86_64_GOTPC32_TLSDESC", Const, 10, ""},
+		{"R_X86_64_GOTPC64", Const, 10, ""},
+		{"R_X86_64_GOTPCREL", Const, 0, ""},
+		{"R_X86_64_GOTPCREL64", Const, 10, ""},
+		{"R_X86_64_GOTPCRELX", Const, 10, ""},
+		{"R_X86_64_GOTPLT64", Const, 10, ""},
+		{"R_X86_64_GOTTPOFF", Const, 0, ""},
+		{"R_X86_64_IRELATIVE", Const, 10, ""},
+		{"R_X86_64_JMP_SLOT", Const, 0, ""},
+		{"R_X86_64_NONE", Const, 0, ""},
+		{"R_X86_64_PC16", Const, 0, ""},
+		{"R_X86_64_PC32", Const, 0, ""},
+		{"R_X86_64_PC32_BND", Const, 10, ""},
+		{"R_X86_64_PC64", Const, 10, ""},
+		{"R_X86_64_PC8", Const, 0, ""},
+		{"R_X86_64_PLT32", Const, 0, ""},
+		{"R_X86_64_PLT32_BND", Const, 10, ""},
+		{"R_X86_64_PLTOFF64", Const, 10, ""},
+		{"R_X86_64_RELATIVE", Const, 0, ""},
+		{"R_X86_64_RELATIVE64", Const, 10, ""},
+		{"R_X86_64_REX_GOTPCRELX", Const, 10, ""},
+		{"R_X86_64_SIZE32", Const, 10, ""},
+		{"R_X86_64_SIZE64", Const, 10, ""},
+		{"R_X86_64_TLSDESC", Const, 10, ""},
+		{"R_X86_64_TLSDESC_CALL", Const, 10, ""},
+		{"R_X86_64_TLSGD", Const, 0, ""},
+		{"R_X86_64_TLSLD", Const, 0, ""},
+		{"R_X86_64_TPOFF32", Const, 0, ""},
+		{"R_X86_64_TPOFF64", Const, 0, ""},
+		{"Rel32", Type, 0, ""},
+		{"Rel32.Info", Field, 0, ""},
+		{"Rel32.Off", Field, 0, ""},
+		{"Rel64", Type, 0, ""},
+		{"Rel64.Info", Field, 0, ""},
+		{"Rel64.Off", Field, 0, ""},
+		{"Rela32", Type, 0, ""},
+		{"Rela32.Addend", Field, 0, ""},
+		{"Rela32.Info", Field, 0, ""},
+		{"Rela32.Off", Field, 0, ""},
+		{"Rela64", Type, 0, ""},
+		{"Rela64.Addend", Field, 0, ""},
+		{"Rela64.Info", Field, 0, ""},
+		{"Rela64.Off", Field, 0, ""},
+		{"SHF_ALLOC", Const, 0, ""},
+		{"SHF_COMPRESSED", Const, 6, ""},
+		{"SHF_EXECINSTR", Const, 0, ""},
+		{"SHF_GROUP", Const, 0, ""},
+		{"SHF_INFO_LINK", Const, 0, ""},
+		{"SHF_LINK_ORDER", Const, 0, ""},
+		{"SHF_MASKOS", Const, 0, ""},
+		{"SHF_MASKPROC", Const, 0, ""},
+		{"SHF_MERGE", Const, 0, ""},
+		{"SHF_OS_NONCONFORMING", Const, 0, ""},
+		{"SHF_STRINGS", Const, 0, ""},
+		{"SHF_TLS", Const, 0, ""},
+		{"SHF_WRITE", Const, 0, ""},
+		{"SHN_ABS", Const, 0, ""},
+		{"SHN_COMMON", Const, 0, ""},
+		{"SHN_HIOS", Const, 0, ""},
+		{"SHN_HIPROC", Const, 0, ""},
+		{"SHN_HIRESERVE", Const, 0, ""},
+		{"SHN_LOOS", Const, 0, ""},
+		{"SHN_LOPROC", Const, 0, ""},
+		{"SHN_LORESERVE", Const, 0, ""},
+		{"SHN_UNDEF", Const, 0, ""},
+		{"SHN_XINDEX", Const, 0, ""},
+		{"SHT_DYNAMIC", Const, 0, ""},
+		{"SHT_DYNSYM", Const, 0, ""},
+		{"SHT_FINI_ARRAY", Const, 0, ""},
+		{"SHT_GNU_ATTRIBUTES", Const, 0, ""},
+		{"SHT_GNU_HASH", Const, 0, ""},
+		{"SHT_GNU_LIBLIST", Const, 0, ""},
+		{"SHT_GNU_VERDEF", Const, 0, ""},
+		{"SHT_GNU_VERNEED", Const, 0, ""},
+		{"SHT_GNU_VERSYM", Const, 0, ""},
+		{"SHT_GROUP", Const, 0, ""},
+		{"SHT_HASH", Const, 0, ""},
+		{"SHT_HIOS", Const, 0, ""},
+		{"SHT_HIPROC", Const, 0, ""},
+		{"SHT_HIUSER", Const, 0, ""},
+		{"SHT_INIT_ARRAY", Const, 0, ""},
+		{"SHT_LOOS", Const, 0, ""},
+		{"SHT_LOPROC", Const, 0, ""},
+		{"SHT_LOUSER", Const, 0, ""},
+		{"SHT_MIPS_ABIFLAGS", Const, 17, ""},
+		{"SHT_NOBITS", Const, 0, ""},
+		{"SHT_NOTE", Const, 0, ""},
+		{"SHT_NULL", Const, 0, ""},
+		{"SHT_PREINIT_ARRAY", Const, 0, ""},
+		{"SHT_PROGBITS", Const, 0, ""},
+		{"SHT_REL", Const, 0, ""},
+		{"SHT_RELA", Const, 0, ""},
+		{"SHT_RISCV_ATTRIBUTES", Const, 25, ""},
+		{"SHT_SHLIB", Const, 0, ""},
+		{"SHT_STRTAB", Const, 0, ""},
+		{"SHT_SYMTAB", Const, 0, ""},
+		{"SHT_SYMTAB_SHNDX", Const, 0, ""},
+		{"STB_GLOBAL", Const, 0, ""},
+		{"STB_HIOS", Const, 0, ""},
+		{"STB_HIPROC", Const, 0, ""},
+		{"STB_LOCAL", Const, 0, ""},
+		{"STB_LOOS", Const, 0, ""},
+		{"STB_LOPROC", Const, 0, ""},
+		{"STB_WEAK", Const, 0, ""},
+		{"STT_COMMON", Const, 0, ""},
+		{"STT_FILE", Const, 0, ""},
+		{"STT_FUNC", Const, 0, ""},
+		{"STT_GNU_IFUNC", Const, 23, ""},
+		{"STT_HIOS", Const, 0, ""},
+		{"STT_HIPROC", Const, 0, ""},
+		{"STT_LOOS", Const, 0, ""},
+		{"STT_LOPROC", Const, 0, ""},
+		{"STT_NOTYPE", Const, 0, ""},
+		{"STT_OBJECT", Const, 0, ""},
+		{"STT_RELC", Const, 23, ""},
+		{"STT_SECTION", Const, 0, ""},
+		{"STT_SRELC", Const, 23, ""},
+		{"STT_TLS", Const, 0, ""},
+		{"STV_DEFAULT", Const, 0, ""},
+		{"STV_HIDDEN", Const, 0, ""},
+		{"STV_INTERNAL", Const, 0, ""},
+		{"STV_PROTECTED", Const, 0, ""},
+		{"ST_BIND", Func, 0, "func(info uint8) SymBind"},
+		{"ST_INFO", Func, 0, "func(bind SymBind, typ SymType) uint8"},
+		{"ST_TYPE", Func, 0, "func(info uint8) SymType"},
+		{"ST_VISIBILITY", Func, 0, "func(other uint8) SymVis"},
+		{"Section", Type, 0, ""},
+		{"Section.ReaderAt", Field, 0, ""},
+		{"Section.SectionHeader", Field, 0, ""},
+		{"Section32", Type, 0, ""},
+		{"Section32.Addr", Field, 0, ""},
+		{"Section32.Addralign", Field, 0, ""},
+		{"Section32.Entsize", Field, 0, ""},
+		{"Section32.Flags", Field, 0, ""},
+		{"Section32.Info", Field, 0, ""},
+		{"Section32.Link", Field, 0, ""},
+		{"Section32.Name", Field, 0, ""},
+		{"Section32.Off", Field, 0, ""},
+		{"Section32.Size", Field, 0, ""},
+		{"Section32.Type", Field, 0, ""},
+		{"Section64", Type, 0, ""},
+		{"Section64.Addr", Field, 0, ""},
+		{"Section64.Addralign", Field, 0, ""},
+		{"Section64.Entsize", Field, 0, ""},
+		{"Section64.Flags", Field, 0, ""},
+		{"Section64.Info", Field, 0, ""},
+		{"Section64.Link", Field, 0, ""},
+		{"Section64.Name", Field, 0, ""},
+		{"Section64.Off", Field, 0, ""},
+		{"Section64.Size", Field, 0, ""},
+		{"Section64.Type", Field, 0, ""},
+		{"SectionFlag", Type, 0, ""},
+		{"SectionHeader", Type, 0, ""},
+		{"SectionHeader.Addr", Field, 0, ""},
+		{"SectionHeader.Addralign", Field, 0, ""},
+		{"SectionHeader.Entsize", Field, 0, ""},
+		{"SectionHeader.FileSize", Field, 6, ""},
+		{"SectionHeader.Flags", Field, 0, ""},
+		{"SectionHeader.Info", Field, 0, ""},
+		{"SectionHeader.Link", Field, 0, ""},
+		{"SectionHeader.Name", Field, 0, ""},
+		{"SectionHeader.Offset", Field, 0, ""},
+		{"SectionHeader.Size", Field, 0, ""},
+		{"SectionHeader.Type", Field, 0, ""},
+		{"SectionIndex", Type, 0, ""},
+		{"SectionType", Type, 0, ""},
+		{"Sym32", Type, 0, ""},
+		{"Sym32.Info", Field, 0, ""},
+		{"Sym32.Name", Field, 0, ""},
+		{"Sym32.Other", Field, 0, ""},
+		{"Sym32.Shndx", Field, 0, ""},
+		{"Sym32.Size", Field, 0, ""},
+		{"Sym32.Value", Field, 0, ""},
+		{"Sym32Size", Const, 0, ""},
+		{"Sym64", Type, 0, ""},
+		{"Sym64.Info", Field, 0, ""},
+		{"Sym64.Name", Field, 0, ""},
+		{"Sym64.Other", Field, 0, ""},
+		{"Sym64.Shndx", Field, 0, ""},
+		{"Sym64.Size", Field, 0, ""},
+		{"Sym64.Value", Field, 0, ""},
+		{"Sym64Size", Const, 0, ""},
+		{"SymBind", Type, 0, ""},
+		{"SymType", Type, 0, ""},
+		{"SymVis", Type, 0, ""},
+		{"Symbol", Type, 0, ""},
+		{"Symbol.HasVersion", Field, 24, ""},
+		{"Symbol.Info", Field, 0, ""},
+		{"Symbol.Library", Field, 13, ""},
+		{"Symbol.Name", Field, 0, ""},
+		{"Symbol.Other", Field, 0, ""},
+		{"Symbol.Section", Field, 0, ""},
+		{"Symbol.Size", Field, 0, ""},
+		{"Symbol.Value", Field, 0, ""},
+		{"Symbol.Version", Field, 13, ""},
+		{"Symbol.VersionIndex", Field, 24, ""},
+		{"Type", Type, 0, ""},
+		{"VER_FLG_BASE", Const, 24, ""},
+		{"VER_FLG_INFO", Const, 24, ""},
+		{"VER_FLG_WEAK", Const, 24, ""},
+		{"Version", Type, 0, ""},
+		{"VersionIndex", Type, 24, ""},
+	},
+	"debug/gosym": {
+		{"(*DecodingError).Error", Method, 0, ""},
+		{"(*LineTable).LineToPC", Method, 0, ""},
+		{"(*LineTable).PCToLine", Method, 0, ""},
+		{"(*Sym).BaseName", Method, 0, ""},
+		{"(*Sym).PackageName", Method, 0, ""},
+		{"(*Sym).ReceiverName", Method, 0, ""},
+		{"(*Sym).Static", Method, 0, ""},
+		{"(*Table).LineToPC", Method, 0, ""},
+		{"(*Table).LookupFunc", Method, 0, ""},
+		{"(*Table).LookupSym", Method, 0, ""},
+		{"(*Table).PCToFunc", Method, 0, ""},
+		{"(*Table).PCToLine", Method, 0, ""},
+		{"(*Table).SymByAddr", Method, 0, ""},
+		{"(*UnknownLineError).Error", Method, 0, ""},
+		{"(Func).BaseName", Method, 0, ""},
+		{"(Func).PackageName", Method, 0, ""},
+		{"(Func).ReceiverName", Method, 0, ""},
+		{"(Func).Static", Method, 0, ""},
+		{"(UnknownFileError).Error", Method, 0, ""},
+		{"DecodingError", Type, 0, ""},
+		{"Func", Type, 0, ""},
+		{"Func.End", Field, 0, ""},
+		{"Func.Entry", Field, 0, ""},
+		{"Func.FrameSize", Field, 0, ""},
+		{"Func.LineTable", Field, 0, ""},
+		{"Func.Locals", Field, 0, ""},
+		{"Func.Obj", Field, 0, ""},
+		{"Func.Params", Field, 0, ""},
+		{"Func.Sym", Field, 0, ""},
+		{"LineTable", Type, 0, ""},
+		{"LineTable.Data", Field, 0, ""},
+		{"LineTable.Line", Field, 0, ""},
+		{"LineTable.PC", Field, 0, ""},
+		{"NewLineTable", Func, 0, "func(data []byte, text uint64) *LineTable"},
+		{"NewTable", Func, 0, "func(symtab []byte, pcln *LineTable) (*Table, error)"},
+		{"Obj", Type, 0, ""},
+		{"Obj.Funcs", Field, 0, ""},
+		{"Obj.Paths", Field, 0, ""},
+		{"Sym", Type, 0, ""},
+		{"Sym.Func", Field, 0, ""},
+		{"Sym.GoType", Field, 0, ""},
+		{"Sym.Name", Field, 0, ""},
+		{"Sym.Type", Field, 0, ""},
+		{"Sym.Value", Field, 0, ""},
+		{"Table", Type, 0, ""},
+		{"Table.Files", Field, 0, ""},
+		{"Table.Funcs", Field, 0, ""},
+		{"Table.Objs", Field, 0, ""},
+		{"Table.Syms", Field, 0, ""},
+		{"UnknownFileError", Type, 0, ""},
+		{"UnknownLineError", Type, 0, ""},
+		{"UnknownLineError.File", Field, 0, ""},
+		{"UnknownLineError.Line", Field, 0, ""},
+	},
+	"debug/macho": {
+		{"(*FatFile).Close", Method, 3, ""},
+		{"(*File).Close", Method, 0, ""},
+		{"(*File).DWARF", Method, 0, ""},
+		{"(*File).ImportedLibraries", Method, 0, ""},
+		{"(*File).ImportedSymbols", Method, 0, ""},
+		{"(*File).Section", Method, 0, ""},
+		{"(*File).Segment", Method, 0, ""},
+		{"(*FormatError).Error", Method, 0, ""},
+		{"(*Section).Data", Method, 0, ""},
+		{"(*Section).Open", Method, 0, ""},
+		{"(*Segment).Data", Method, 0, ""},
+		{"(*Segment).Open", Method, 0, ""},
+		{"(Cpu).GoString", Method, 0, ""},
+		{"(Cpu).String", Method, 0, ""},
+		{"(Dylib).Raw", Method, 0, ""},
+		{"(Dysymtab).Raw", Method, 0, ""},
+		{"(FatArch).Close", Method, 3, ""},
+		{"(FatArch).DWARF", Method, 3, ""},
+		{"(FatArch).ImportedLibraries", Method, 3, ""},
+		{"(FatArch).ImportedSymbols", Method, 3, ""},
+		{"(FatArch).Section", Method, 3, ""},
+		{"(FatArch).Segment", Method, 3, ""},
+		{"(Load).Raw", Method, 0, ""},
+		{"(LoadBytes).Raw", Method, 0, ""},
+		{"(LoadCmd).GoString", Method, 0, ""},
+		{"(LoadCmd).String", Method, 0, ""},
+		{"(RelocTypeARM).GoString", Method, 10, ""},
+		{"(RelocTypeARM).String", Method, 10, ""},
+		{"(RelocTypeARM64).GoString", Method, 10, ""},
+		{"(RelocTypeARM64).String", Method, 10, ""},
+		{"(RelocTypeGeneric).GoString", Method, 10, ""},
+		{"(RelocTypeGeneric).String", Method, 10, ""},
+		{"(RelocTypeX86_64).GoString", Method, 10, ""},
+		{"(RelocTypeX86_64).String", Method, 10, ""},
+		{"(Rpath).Raw", Method, 10, ""},
+		{"(Section).ReadAt", Method, 0, ""},
+		{"(Segment).Raw", Method, 0, ""},
+		{"(Segment).ReadAt", Method, 0, ""},
+		{"(Symtab).Raw", Method, 0, ""},
+		{"(Type).GoString", Method, 10, ""},
+		{"(Type).String", Method, 10, ""},
+		{"ARM64_RELOC_ADDEND", Const, 10, ""},
+		{"ARM64_RELOC_BRANCH26", Const, 10, ""},
+		{"ARM64_RELOC_GOT_LOAD_PAGE21", Const, 10, ""},
+		{"ARM64_RELOC_GOT_LOAD_PAGEOFF12", Const, 10, ""},
+		{"ARM64_RELOC_PAGE21", Const, 10, ""},
+		{"ARM64_RELOC_PAGEOFF12", Const, 10, ""},
+		{"ARM64_RELOC_POINTER_TO_GOT", Const, 10, ""},
+		{"ARM64_RELOC_SUBTRACTOR", Const, 10, ""},
+		{"ARM64_RELOC_TLVP_LOAD_PAGE21", Const, 10, ""},
+		{"ARM64_RELOC_TLVP_LOAD_PAGEOFF12", Const, 10, ""},
+		{"ARM64_RELOC_UNSIGNED", Const, 10, ""},
+		{"ARM_RELOC_BR24", Const, 10, ""},
+		{"ARM_RELOC_HALF", Const, 10, ""},
+		{"ARM_RELOC_HALF_SECTDIFF", Const, 10, ""},
+		{"ARM_RELOC_LOCAL_SECTDIFF", Const, 10, ""},
+		{"ARM_RELOC_PAIR", Const, 10, ""},
+		{"ARM_RELOC_PB_LA_PTR", Const, 10, ""},
+		{"ARM_RELOC_SECTDIFF", Const, 10, ""},
+		{"ARM_RELOC_VANILLA", Const, 10, ""},
+		{"ARM_THUMB_32BIT_BRANCH", Const, 10, ""},
+		{"ARM_THUMB_RELOC_BR22", Const, 10, ""},
+		{"Cpu", Type, 0, ""},
+		{"Cpu386", Const, 0, ""},
+		{"CpuAmd64", Const, 0, ""},
+		{"CpuArm", Const, 3, ""},
+		{"CpuArm64", Const, 11, ""},
+		{"CpuPpc", Const, 3, ""},
+		{"CpuPpc64", Const, 3, ""},
+		{"Dylib", Type, 0, ""},
+		{"Dylib.CompatVersion", Field, 0, ""},
+		{"Dylib.CurrentVersion", Field, 0, ""},
+		{"Dylib.LoadBytes", Field, 0, ""},
+		{"Dylib.Name", Field, 0, ""},
+		{"Dylib.Time", Field, 0, ""},
+		{"DylibCmd", Type, 0, ""},
+		{"DylibCmd.Cmd", Field, 0, ""},
+		{"DylibCmd.CompatVersion", Field, 0, ""},
+		{"DylibCmd.CurrentVersion", Field, 0, ""},
+		{"DylibCmd.Len", Field, 0, ""},
+		{"DylibCmd.Name", Field, 0, ""},
+		{"DylibCmd.Time", Field, 0, ""},
+		{"Dysymtab", Type, 0, ""},
+		{"Dysymtab.DysymtabCmd", Field, 0, ""},
+		{"Dysymtab.IndirectSyms", Field, 0, ""},
+		{"Dysymtab.LoadBytes", Field, 0, ""},
+		{"DysymtabCmd", Type, 0, ""},
+		{"DysymtabCmd.Cmd", Field, 0, ""},
+		{"DysymtabCmd.Extrefsymoff", Field, 0, ""},
+		{"DysymtabCmd.Extreloff", Field, 0, ""},
+		{"DysymtabCmd.Iextdefsym", Field, 0, ""},
+		{"DysymtabCmd.Ilocalsym", Field, 0, ""},
+		{"DysymtabCmd.Indirectsymoff", Field, 0, ""},
+		{"DysymtabCmd.Iundefsym", Field, 0, ""},
+		{"DysymtabCmd.Len", Field, 0, ""},
+		{"DysymtabCmd.Locreloff", Field, 0, ""},
+		{"DysymtabCmd.Modtaboff", Field, 0, ""},
+		{"DysymtabCmd.Nextdefsym", Field, 0, ""},
+		{"DysymtabCmd.Nextrefsyms", Field, 0, ""},
+		{"DysymtabCmd.Nextrel", Field, 0, ""},
+		{"DysymtabCmd.Nindirectsyms", Field, 0, ""},
+		{"DysymtabCmd.Nlocalsym", Field, 0, ""},
+		{"DysymtabCmd.Nlocrel", Field, 0, ""},
+		{"DysymtabCmd.Nmodtab", Field, 0, ""},
+		{"DysymtabCmd.Ntoc", Field, 0, ""},
+		{"DysymtabCmd.Nundefsym", Field, 0, ""},
+		{"DysymtabCmd.Tocoffset", Field, 0, ""},
+		{"ErrNotFat", Var, 3, ""},
+		{"FatArch", Type, 3, ""},
+		{"FatArch.FatArchHeader", Field, 3, ""},
+		{"FatArch.File", Field, 3, ""},
+		{"FatArchHeader", Type, 3, ""},
+		{"FatArchHeader.Align", Field, 3, ""},
+		{"FatArchHeader.Cpu", Field, 3, ""},
+		{"FatArchHeader.Offset", Field, 3, ""},
+		{"FatArchHeader.Size", Field, 3, ""},
+		{"FatArchHeader.SubCpu", Field, 3, ""},
+		{"FatFile", Type, 3, ""},
+		{"FatFile.Arches", Field, 3, ""},
+		{"FatFile.Magic", Field, 3, ""},
+		{"File", Type, 0, ""},
+		{"File.ByteOrder", Field, 0, ""},
+		{"File.Dysymtab", Field, 0, ""},
+		{"File.FileHeader", Field, 0, ""},
+		{"File.Loads", Field, 0, ""},
+		{"File.Sections", Field, 0, ""},
+		{"File.Symtab", Field, 0, ""},
+		{"FileHeader", Type, 0, ""},
+		{"FileHeader.Cmdsz", Field, 0, ""},
+		{"FileHeader.Cpu", Field, 0, ""},
+		{"FileHeader.Flags", Field, 0, ""},
+		{"FileHeader.Magic", Field, 0, ""},
+		{"FileHeader.Ncmd", Field, 0, ""},
+		{"FileHeader.SubCpu", Field, 0, ""},
+		{"FileHeader.Type", Field, 0, ""},
+		{"FlagAllModsBound", Const, 10, ""},
+		{"FlagAllowStackExecution", Const, 10, ""},
+		{"FlagAppExtensionSafe", Const, 10, ""},
+		{"FlagBindAtLoad", Const, 10, ""},
+		{"FlagBindsToWeak", Const, 10, ""},
+		{"FlagCanonical", Const, 10, ""},
+		{"FlagDeadStrippableDylib", Const, 10, ""},
+		{"FlagDyldLink", Const, 10, ""},
+		{"FlagForceFlat", Const, 10, ""},
+		{"FlagHasTLVDescriptors", Const, 10, ""},
+		{"FlagIncrLink", Const, 10, ""},
+		{"FlagLazyInit", Const, 10, ""},
+		{"FlagNoFixPrebinding", Const, 10, ""},
+		{"FlagNoHeapExecution", Const, 10, ""},
+		{"FlagNoMultiDefs", Const, 10, ""},
+		{"FlagNoReexportedDylibs", Const, 10, ""},
+		{"FlagNoUndefs", Const, 10, ""},
+		{"FlagPIE", Const, 10, ""},
+		{"FlagPrebindable", Const, 10, ""},
+		{"FlagPrebound", Const, 10, ""},
+		{"FlagRootSafe", Const, 10, ""},
+		{"FlagSetuidSafe", Const, 10, ""},
+		{"FlagSplitSegs", Const, 10, ""},
+		{"FlagSubsectionsViaSymbols", Const, 10, ""},
+		{"FlagTwoLevel", Const, 10, ""},
+		{"FlagWeakDefines", Const, 10, ""},
+		{"FormatError", Type, 0, ""},
+		{"GENERIC_RELOC_LOCAL_SECTDIFF", Const, 10, ""},
+		{"GENERIC_RELOC_PAIR", Const, 10, ""},
+		{"GENERIC_RELOC_PB_LA_PTR", Const, 10, ""},
+		{"GENERIC_RELOC_SECTDIFF", Const, 10, ""},
+		{"GENERIC_RELOC_TLV", Const, 10, ""},
+		{"GENERIC_RELOC_VANILLA", Const, 10, ""},
+		{"Load", Type, 0, ""},
+		{"LoadBytes", Type, 0, ""},
+		{"LoadCmd", Type, 0, ""},
+		{"LoadCmdDylib", Const, 0, ""},
+		{"LoadCmdDylinker", Const, 0, ""},
+		{"LoadCmdDysymtab", Const, 0, ""},
+		{"LoadCmdRpath", Const, 10, ""},
+		{"LoadCmdSegment", Const, 0, ""},
+		{"LoadCmdSegment64", Const, 0, ""},
+		{"LoadCmdSymtab", Const, 0, ""},
+		{"LoadCmdThread", Const, 0, ""},
+		{"LoadCmdUnixThread", Const, 0, ""},
+		{"Magic32", Const, 0, ""},
+		{"Magic64", Const, 0, ""},
+		{"MagicFat", Const, 3, ""},
+		{"NewFatFile", Func, 3, "func(r io.ReaderAt) (*FatFile, error)"},
+		{"NewFile", Func, 0, "func(r io.ReaderAt) (*File, error)"},
+		{"Nlist32", Type, 0, ""},
+		{"Nlist32.Desc", Field, 0, ""},
+		{"Nlist32.Name", Field, 0, ""},
+		{"Nlist32.Sect", Field, 0, ""},
+		{"Nlist32.Type", Field, 0, ""},
+		{"Nlist32.Value", Field, 0, ""},
+		{"Nlist64", Type, 0, ""},
+		{"Nlist64.Desc", Field, 0, ""},
+		{"Nlist64.Name", Field, 0, ""},
+		{"Nlist64.Sect", Field, 0, ""},
+		{"Nlist64.Type", Field, 0, ""},
+		{"Nlist64.Value", Field, 0, ""},
+		{"Open", Func, 0, "func(name string) (*File, error)"},
+		{"OpenFat", Func, 3, "func(name string) (*FatFile, error)"},
+		{"Regs386", Type, 0, ""},
+		{"Regs386.AX", Field, 0, ""},
+		{"Regs386.BP", Field, 0, ""},
+		{"Regs386.BX", Field, 0, ""},
+		{"Regs386.CS", Field, 0, ""},
+		{"Regs386.CX", Field, 0, ""},
+		{"Regs386.DI", Field, 0, ""},
+		{"Regs386.DS", Field, 0, ""},
+		{"Regs386.DX", Field, 0, ""},
+		{"Regs386.ES", Field, 0, ""},
+		{"Regs386.FLAGS", Field, 0, ""},
+		{"Regs386.FS", Field, 0, ""},
+		{"Regs386.GS", Field, 0, ""},
+		{"Regs386.IP", Field, 0, ""},
+		{"Regs386.SI", Field, 0, ""},
+		{"Regs386.SP", Field, 0, ""},
+		{"Regs386.SS", Field, 0, ""},
+		{"RegsAMD64", Type, 0, ""},
+		{"RegsAMD64.AX", Field, 0, ""},
+		{"RegsAMD64.BP", Field, 0, ""},
+		{"RegsAMD64.BX", Field, 0, ""},
+		{"RegsAMD64.CS", Field, 0, ""},
+		{"RegsAMD64.CX", Field, 0, ""},
+		{"RegsAMD64.DI", Field, 0, ""},
+		{"RegsAMD64.DX", Field, 0, ""},
+		{"RegsAMD64.FLAGS", Field, 0, ""},
+		{"RegsAMD64.FS", Field, 0, ""},
+		{"RegsAMD64.GS", Field, 0, ""},
+		{"RegsAMD64.IP", Field, 0, ""},
+		{"RegsAMD64.R10", Field, 0, ""},
+		{"RegsAMD64.R11", Field, 0, ""},
+		{"RegsAMD64.R12", Field, 0, ""},
+		{"RegsAMD64.R13", Field, 0, ""},
+		{"RegsAMD64.R14", Field, 0, ""},
+		{"RegsAMD64.R15", Field, 0, ""},
+		{"RegsAMD64.R8", Field, 0, ""},
+		{"RegsAMD64.R9", Field, 0, ""},
+		{"RegsAMD64.SI", Field, 0, ""},
+		{"RegsAMD64.SP", Field, 0, ""},
+		{"Reloc", Type, 10, ""},
+		{"Reloc.Addr", Field, 10, ""},
+		{"Reloc.Extern", Field, 10, ""},
+		{"Reloc.Len", Field, 10, ""},
+		{"Reloc.Pcrel", Field, 10, ""},
+		{"Reloc.Scattered", Field, 10, ""},
+		{"Reloc.Type", Field, 10, ""},
+		{"Reloc.Value", Field, 10, ""},
+		{"RelocTypeARM", Type, 10, ""},
+		{"RelocTypeARM64", Type, 10, ""},
+		{"RelocTypeGeneric", Type, 10, ""},
+		{"RelocTypeX86_64", Type, 10, ""},
+		{"Rpath", Type, 10, ""},
+		{"Rpath.LoadBytes", Field, 10, ""},
+		{"Rpath.Path", Field, 10, ""},
+		{"RpathCmd", Type, 10, ""},
+		{"RpathCmd.Cmd", Field, 10, ""},
+		{"RpathCmd.Len", Field, 10, ""},
+		{"RpathCmd.Path", Field, 10, ""},
+		{"Section", Type, 0, ""},
+		{"Section.ReaderAt", Field, 0, ""},
+		{"Section.Relocs", Field, 10, ""},
+		{"Section.SectionHeader", Field, 0, ""},
+		{"Section32", Type, 0, ""},
+		{"Section32.Addr", Field, 0, ""},
+		{"Section32.Align", Field, 0, ""},
+		{"Section32.Flags", Field, 0, ""},
+		{"Section32.Name", Field, 0, ""},
+		{"Section32.Nreloc", Field, 0, ""},
+		{"Section32.Offset", Field, 0, ""},
+		{"Section32.Reloff", Field, 0, ""},
+		{"Section32.Reserve1", Field, 0, ""},
+		{"Section32.Reserve2", Field, 0, ""},
+		{"Section32.Seg", Field, 0, ""},
+		{"Section32.Size", Field, 0, ""},
+		{"Section64", Type, 0, ""},
+		{"Section64.Addr", Field, 0, ""},
+		{"Section64.Align", Field, 0, ""},
+		{"Section64.Flags", Field, 0, ""},
+		{"Section64.Name", Field, 0, ""},
+		{"Section64.Nreloc", Field, 0, ""},
+		{"Section64.Offset", Field, 0, ""},
+		{"Section64.Reloff", Field, 0, ""},
+		{"Section64.Reserve1", Field, 0, ""},
+		{"Section64.Reserve2", Field, 0, ""},
+		{"Section64.Reserve3", Field, 0, ""},
+		{"Section64.Seg", Field, 0, ""},
+		{"Section64.Size", Field, 0, ""},
+		{"SectionHeader", Type, 0, ""},
+		{"SectionHeader.Addr", Field, 0, ""},
+		{"SectionHeader.Align", Field, 0, ""},
+		{"SectionHeader.Flags", Field, 0, ""},
+		{"SectionHeader.Name", Field, 0, ""},
+		{"SectionHeader.Nreloc", Field, 0, ""},
+		{"SectionHeader.Offset", Field, 0, ""},
+		{"SectionHeader.Reloff", Field, 0, ""},
+		{"SectionHeader.Seg", Field, 0, ""},
+		{"SectionHeader.Size", Field, 0, ""},
+		{"Segment", Type, 0, ""},
+		{"Segment.LoadBytes", Field, 0, ""},
+		{"Segment.ReaderAt", Field, 0, ""},
+		{"Segment.SegmentHeader", Field, 0, ""},
+		{"Segment32", Type, 0, ""},
+		{"Segment32.Addr", Field, 0, ""},
+		{"Segment32.Cmd", Field, 0, ""},
+		{"Segment32.Filesz", Field, 0, ""},
+		{"Segment32.Flag", Field, 0, ""},
+		{"Segment32.Len", Field, 0, ""},
+		{"Segment32.Maxprot", Field, 0, ""},
+		{"Segment32.Memsz", Field, 0, ""},
+		{"Segment32.Name", Field, 0, ""},
+		{"Segment32.Nsect", Field, 0, ""},
+		{"Segment32.Offset", Field, 0, ""},
+		{"Segment32.Prot", Field, 0, ""},
+		{"Segment64", Type, 0, ""},
+		{"Segment64.Addr", Field, 0, ""},
+		{"Segment64.Cmd", Field, 0, ""},
+		{"Segment64.Filesz", Field, 0, ""},
+		{"Segment64.Flag", Field, 0, ""},
+		{"Segment64.Len", Field, 0, ""},
+		{"Segment64.Maxprot", Field, 0, ""},
+		{"Segment64.Memsz", Field, 0, ""},
+		{"Segment64.Name", Field, 0, ""},
+		{"Segment64.Nsect", Field, 0, ""},
+		{"Segment64.Offset", Field, 0, ""},
+		{"Segment64.Prot", Field, 0, ""},
+		{"SegmentHeader", Type, 0, ""},
+		{"SegmentHeader.Addr", Field, 0, ""},
+		{"SegmentHeader.Cmd", Field, 0, ""},
+		{"SegmentHeader.Filesz", Field, 0, ""},
+		{"SegmentHeader.Flag", Field, 0, ""},
+		{"SegmentHeader.Len", Field, 0, ""},
+		{"SegmentHeader.Maxprot", Field, 0, ""},
+		{"SegmentHeader.Memsz", Field, 0, ""},
+		{"SegmentHeader.Name", Field, 0, ""},
+		{"SegmentHeader.Nsect", Field, 0, ""},
+		{"SegmentHeader.Offset", Field, 0, ""},
+		{"SegmentHeader.Prot", Field, 0, ""},
+		{"Symbol", Type, 0, ""},
+		{"Symbol.Desc", Field, 0, ""},
+		{"Symbol.Name", Field, 0, ""},
+		{"Symbol.Sect", Field, 0, ""},
+		{"Symbol.Type", Field, 0, ""},
+		{"Symbol.Value", Field, 0, ""},
+		{"Symtab", Type, 0, ""},
+		{"Symtab.LoadBytes", Field, 0, ""},
+		{"Symtab.Syms", Field, 0, ""},
+		{"Symtab.SymtabCmd", Field, 0, ""},
+		{"SymtabCmd", Type, 0, ""},
+		{"SymtabCmd.Cmd", Field, 0, ""},
+		{"SymtabCmd.Len", Field, 0, ""},
+		{"SymtabCmd.Nsyms", Field, 0, ""},
+		{"SymtabCmd.Stroff", Field, 0, ""},
+		{"SymtabCmd.Strsize", Field, 0, ""},
+		{"SymtabCmd.Symoff", Field, 0, ""},
+		{"Thread", Type, 0, ""},
+		{"Thread.Cmd", Field, 0, ""},
+		{"Thread.Data", Field, 0, ""},
+		{"Thread.Len", Field, 0, ""},
+		{"Thread.Type", Field, 0, ""},
+		{"Type", Type, 0, ""},
+		{"TypeBundle", Const, 3, ""},
+		{"TypeDylib", Const, 3, ""},
+		{"TypeExec", Const, 0, ""},
+		{"TypeObj", Const, 0, ""},
+		{"X86_64_RELOC_BRANCH", Const, 10, ""},
+		{"X86_64_RELOC_GOT", Const, 10, ""},
+		{"X86_64_RELOC_GOT_LOAD", Const, 10, ""},
+		{"X86_64_RELOC_SIGNED", Const, 10, ""},
+		{"X86_64_RELOC_SIGNED_1", Const, 10, ""},
+		{"X86_64_RELOC_SIGNED_2", Const, 10, ""},
+		{"X86_64_RELOC_SIGNED_4", Const, 10, ""},
+		{"X86_64_RELOC_SUBTRACTOR", Const, 10, ""},
+		{"X86_64_RELOC_TLV", Const, 10, ""},
+		{"X86_64_RELOC_UNSIGNED", Const, 10, ""},
+	},
+	"debug/pe": {
+		{"(*COFFSymbol).FullName", Method, 8, ""},
+		{"(*File).COFFSymbolReadSectionDefAux", Method, 19, ""},
+		{"(*File).Close", Method, 0, ""},
+		{"(*File).DWARF", Method, 0, ""},
+		{"(*File).ImportedLibraries", Method, 0, ""},
+		{"(*File).ImportedSymbols", Method, 0, ""},
+		{"(*File).Section", Method, 0, ""},
+		{"(*FormatError).Error", Method, 0, ""},
+		{"(*Section).Data", Method, 0, ""},
+		{"(*Section).Open", Method, 0, ""},
+		{"(Section).ReadAt", Method, 0, ""},
+		{"(StringTable).String", Method, 8, ""},
+		{"COFFSymbol", Type, 1, ""},
+		{"COFFSymbol.Name", Field, 1, ""},
+		{"COFFSymbol.NumberOfAuxSymbols", Field, 1, ""},
+		{"COFFSymbol.SectionNumber", Field, 1, ""},
+		{"COFFSymbol.StorageClass", Field, 1, ""},
+		{"COFFSymbol.Type", Field, 1, ""},
+		{"COFFSymbol.Value", Field, 1, ""},
+		{"COFFSymbolAuxFormat5", Type, 19, ""},
+		{"COFFSymbolAuxFormat5.Checksum", Field, 19, ""},
+		{"COFFSymbolAuxFormat5.NumLineNumbers", Field, 19, ""},
+		{"COFFSymbolAuxFormat5.NumRelocs", Field, 19, ""},
+		{"COFFSymbolAuxFormat5.SecNum", Field, 19, ""},
+		{"COFFSymbolAuxFormat5.Selection", Field, 19, ""},
+		{"COFFSymbolAuxFormat5.Size", Field, 19, ""},
+		{"COFFSymbolSize", Const, 1, ""},
+		{"DataDirectory", Type, 3, ""},
+		{"DataDirectory.Size", Field, 3, ""},
+		{"DataDirectory.VirtualAddress", Field, 3, ""},
+		{"File", Type, 0, ""},
+		{"File.COFFSymbols", Field, 8, ""},
+		{"File.FileHeader", Field, 0, ""},
+		{"File.OptionalHeader", Field, 3, ""},
+		{"File.Sections", Field, 0, ""},
+		{"File.StringTable", Field, 8, ""},
+		{"File.Symbols", Field, 1, ""},
+		{"FileHeader", Type, 0, ""},
+		{"FileHeader.Characteristics", Field, 0, ""},
+		{"FileHeader.Machine", Field, 0, ""},
+		{"FileHeader.NumberOfSections", Field, 0, ""},
+		{"FileHeader.NumberOfSymbols", Field, 0, ""},
+		{"FileHeader.PointerToSymbolTable", Field, 0, ""},
+		{"FileHeader.SizeOfOptionalHeader", Field, 0, ""},
+		{"FileHeader.TimeDateStamp", Field, 0, ""},
+		{"FormatError", Type, 0, ""},
+		{"IMAGE_COMDAT_SELECT_ANY", Const, 19, ""},
+		{"IMAGE_COMDAT_SELECT_ASSOCIATIVE", Const, 19, ""},
+		{"IMAGE_COMDAT_SELECT_EXACT_MATCH", Const, 19, ""},
+		{"IMAGE_COMDAT_SELECT_LARGEST", Const, 19, ""},
+		{"IMAGE_COMDAT_SELECT_NODUPLICATES", Const, 19, ""},
+		{"IMAGE_COMDAT_SELECT_SAME_SIZE", Const, 19, ""},
+		{"IMAGE_DIRECTORY_ENTRY_ARCHITECTURE", Const, 11, ""},
+		{"IMAGE_DIRECTORY_ENTRY_BASERELOC", Const, 11, ""},
+		{"IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT", Const, 11, ""},
+		{"IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR", Const, 11, ""},
+		{"IMAGE_DIRECTORY_ENTRY_DEBUG", Const, 11, ""},
+		{"IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT", Const, 11, ""},
+		{"IMAGE_DIRECTORY_ENTRY_EXCEPTION", Const, 11, ""},
+		{"IMAGE_DIRECTORY_ENTRY_EXPORT", Const, 11, ""},
+		{"IMAGE_DIRECTORY_ENTRY_GLOBALPTR", Const, 11, ""},
+		{"IMAGE_DIRECTORY_ENTRY_IAT", Const, 11, ""},
+		{"IMAGE_DIRECTORY_ENTRY_IMPORT", Const, 11, ""},
+		{"IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG", Const, 11, ""},
+		{"IMAGE_DIRECTORY_ENTRY_RESOURCE", Const, 11, ""},
+		{"IMAGE_DIRECTORY_ENTRY_SECURITY", Const, 11, ""},
+		{"IMAGE_DIRECTORY_ENTRY_TLS", Const, 11, ""},
+		{"IMAGE_DLLCHARACTERISTICS_APPCONTAINER", Const, 15, ""},
+		{"IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE", Const, 15, ""},
+		{"IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY", Const, 15, ""},
+		{"IMAGE_DLLCHARACTERISTICS_GUARD_CF", Const, 15, ""},
+		{"IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA", Const, 15, ""},
+		{"IMAGE_DLLCHARACTERISTICS_NO_BIND", Const, 15, ""},
+		{"IMAGE_DLLCHARACTERISTICS_NO_ISOLATION", Const, 15, ""},
+		{"IMAGE_DLLCHARACTERISTICS_NO_SEH", Const, 15, ""},
+		{"IMAGE_DLLCHARACTERISTICS_NX_COMPAT", Const, 15, ""},
+		{"IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE", Const, 15, ""},
+		{"IMAGE_DLLCHARACTERISTICS_WDM_DRIVER", Const, 15, ""},
+		{"IMAGE_FILE_32BIT_MACHINE", Const, 15, ""},
+		{"IMAGE_FILE_AGGRESIVE_WS_TRIM", Const, 15, ""},
+		{"IMAGE_FILE_BYTES_REVERSED_HI", Const, 15, ""},
+		{"IMAGE_FILE_BYTES_REVERSED_LO", Const, 15, ""},
+		{"IMAGE_FILE_DEBUG_STRIPPED", Const, 15, ""},
+		{"IMAGE_FILE_DLL", Const, 15, ""},
+		{"IMAGE_FILE_EXECUTABLE_IMAGE", Const, 15, ""},
+		{"IMAGE_FILE_LARGE_ADDRESS_AWARE", Const, 15, ""},
+		{"IMAGE_FILE_LINE_NUMS_STRIPPED", Const, 15, ""},
+		{"IMAGE_FILE_LOCAL_SYMS_STRIPPED", Const, 15, ""},
+		{"IMAGE_FILE_MACHINE_AM33", Const, 0, ""},
+		{"IMAGE_FILE_MACHINE_AMD64", Const, 0, ""},
+		{"IMAGE_FILE_MACHINE_ARM", Const, 0, ""},
+		{"IMAGE_FILE_MACHINE_ARM64", Const, 11, ""},
+		{"IMAGE_FILE_MACHINE_ARMNT", Const, 12, ""},
+		{"IMAGE_FILE_MACHINE_EBC", Const, 0, ""},
+		{"IMAGE_FILE_MACHINE_I386", Const, 0, ""},
+		{"IMAGE_FILE_MACHINE_IA64", Const, 0, ""},
+		{"IMAGE_FILE_MACHINE_LOONGARCH32", Const, 19, ""},
+		{"IMAGE_FILE_MACHINE_LOONGARCH64", Const, 19, ""},
+		{"IMAGE_FILE_MACHINE_M32R", Const, 0, ""},
+		{"IMAGE_FILE_MACHINE_MIPS16", Const, 0, ""},
+		{"IMAGE_FILE_MACHINE_MIPSFPU", Const, 0, ""},
+		{"IMAGE_FILE_MACHINE_MIPSFPU16", Const, 0, ""},
+		{"IMAGE_FILE_MACHINE_POWERPC", Const, 0, ""},
+		{"IMAGE_FILE_MACHINE_POWERPCFP", Const, 0, ""},
+		{"IMAGE_FILE_MACHINE_R4000", Const, 0, ""},
+		{"IMAGE_FILE_MACHINE_RISCV128", Const, 20, ""},
+		{"IMAGE_FILE_MACHINE_RISCV32", Const, 20, ""},
+		{"IMAGE_FILE_MACHINE_RISCV64", Const, 20, ""},
+		{"IMAGE_FILE_MACHINE_SH3", Const, 0, ""},
+		{"IMAGE_FILE_MACHINE_SH3DSP", Const, 0, ""},
+		{"IMAGE_FILE_MACHINE_SH4", Const, 0, ""},
+		{"IMAGE_FILE_MACHINE_SH5", Const, 0, ""},
+		{"IMAGE_FILE_MACHINE_THUMB", Const, 0, ""},
+		{"IMAGE_FILE_MACHINE_UNKNOWN", Const, 0, ""},
+		{"IMAGE_FILE_MACHINE_WCEMIPSV2", Const, 0, ""},
+		{"IMAGE_FILE_NET_RUN_FROM_SWAP", Const, 15, ""},
+		{"IMAGE_FILE_RELOCS_STRIPPED", Const, 15, ""},
+		{"IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP", Const, 15, ""},
+		{"IMAGE_FILE_SYSTEM", Const, 15, ""},
+		{"IMAGE_FILE_UP_SYSTEM_ONLY", Const, 15, ""},
+		{"IMAGE_SCN_CNT_CODE", Const, 19, ""},
+		{"IMAGE_SCN_CNT_INITIALIZED_DATA", Const, 19, ""},
+		{"IMAGE_SCN_CNT_UNINITIALIZED_DATA", Const, 19, ""},
+		{"IMAGE_SCN_LNK_COMDAT", Const, 19, ""},
+		{"IMAGE_SCN_MEM_DISCARDABLE", Const, 19, ""},
+		{"IMAGE_SCN_MEM_EXECUTE", Const, 19, ""},
+		{"IMAGE_SCN_MEM_READ", Const, 19, ""},
+		{"IMAGE_SCN_MEM_WRITE", Const, 19, ""},
+		{"IMAGE_SUBSYSTEM_EFI_APPLICATION", Const, 15, ""},
+		{"IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER", Const, 15, ""},
+		{"IMAGE_SUBSYSTEM_EFI_ROM", Const, 15, ""},
+		{"IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER", Const, 15, ""},
+		{"IMAGE_SUBSYSTEM_NATIVE", Const, 15, ""},
+		{"IMAGE_SUBSYSTEM_NATIVE_WINDOWS", Const, 15, ""},
+		{"IMAGE_SUBSYSTEM_OS2_CUI", Const, 15, ""},
+		{"IMAGE_SUBSYSTEM_POSIX_CUI", Const, 15, ""},
+		{"IMAGE_SUBSYSTEM_UNKNOWN", Const, 15, ""},
+		{"IMAGE_SUBSYSTEM_WINDOWS_BOOT_APPLICATION", Const, 15, ""},
+		{"IMAGE_SUBSYSTEM_WINDOWS_CE_GUI", Const, 15, ""},
+		{"IMAGE_SUBSYSTEM_WINDOWS_CUI", Const, 15, ""},
+		{"IMAGE_SUBSYSTEM_WINDOWS_GUI", Const, 15, ""},
+		{"IMAGE_SUBSYSTEM_XBOX", Const, 15, ""},
+		{"ImportDirectory", Type, 0, ""},
+		{"ImportDirectory.FirstThunk", Field, 0, ""},
+		{"ImportDirectory.ForwarderChain", Field, 0, ""},
+		{"ImportDirectory.Name", Field, 0, ""},
+		{"ImportDirectory.OriginalFirstThunk", Field, 0, ""},
+		{"ImportDirectory.TimeDateStamp", Field, 0, ""},
+		{"NewFile", Func, 0, "func(r io.ReaderAt) (*File, error)"},
+		{"Open", Func, 0, "func(name string) (*File, error)"},
+		{"OptionalHeader32", Type, 3, ""},
+		{"OptionalHeader32.AddressOfEntryPoint", Field, 3, ""},
+		{"OptionalHeader32.BaseOfCode", Field, 3, ""},
+		{"OptionalHeader32.BaseOfData", Field, 3, ""},
+		{"OptionalHeader32.CheckSum", Field, 3, ""},
+		{"OptionalHeader32.DataDirectory", Field, 3, ""},
+		{"OptionalHeader32.DllCharacteristics", Field, 3, ""},
+		{"OptionalHeader32.FileAlignment", Field, 3, ""},
+		{"OptionalHeader32.ImageBase", Field, 3, ""},
+		{"OptionalHeader32.LoaderFlags", Field, 3, ""},
+		{"OptionalHeader32.Magic", Field, 3, ""},
+		{"OptionalHeader32.MajorImageVersion", Field, 3, ""},
+		{"OptionalHeader32.MajorLinkerVersion", Field, 3, ""},
+		{"OptionalHeader32.MajorOperatingSystemVersion", Field, 3, ""},
+		{"OptionalHeader32.MajorSubsystemVersion", Field, 3, ""},
+		{"OptionalHeader32.MinorImageVersion", Field, 3, ""},
+		{"OptionalHeader32.MinorLinkerVersion", Field, 3, ""},
+		{"OptionalHeader32.MinorOperatingSystemVersion", Field, 3, ""},
+		{"OptionalHeader32.MinorSubsystemVersion", Field, 3, ""},
+		{"OptionalHeader32.NumberOfRvaAndSizes", Field, 3, ""},
+		{"OptionalHeader32.SectionAlignment", Field, 3, ""},
+		{"OptionalHeader32.SizeOfCode", Field, 3, ""},
+		{"OptionalHeader32.SizeOfHeaders", Field, 3, ""},
+		{"OptionalHeader32.SizeOfHeapCommit", Field, 3, ""},
+		{"OptionalHeader32.SizeOfHeapReserve", Field, 3, ""},
+		{"OptionalHeader32.SizeOfImage", Field, 3, ""},
+		{"OptionalHeader32.SizeOfInitializedData", Field, 3, ""},
+		{"OptionalHeader32.SizeOfStackCommit", Field, 3, ""},
+		{"OptionalHeader32.SizeOfStackReserve", Field, 3, ""},
+		{"OptionalHeader32.SizeOfUninitializedData", Field, 3, ""},
+		{"OptionalHeader32.Subsystem", Field, 3, ""},
+		{"OptionalHeader32.Win32VersionValue", Field, 3, ""},
+		{"OptionalHeader64", Type, 3, ""},
+		{"OptionalHeader64.AddressOfEntryPoint", Field, 3, ""},
+		{"OptionalHeader64.BaseOfCode", Field, 3, ""},
+		{"OptionalHeader64.CheckSum", Field, 3, ""},
+		{"OptionalHeader64.DataDirectory", Field, 3, ""},
+		{"OptionalHeader64.DllCharacteristics", Field, 3, ""},
+		{"OptionalHeader64.FileAlignment", Field, 3, ""},
+		{"OptionalHeader64.ImageBase", Field, 3, ""},
+		{"OptionalHeader64.LoaderFlags", Field, 3, ""},
+		{"OptionalHeader64.Magic", Field, 3, ""},
+		{"OptionalHeader64.MajorImageVersion", Field, 3, ""},
+		{"OptionalHeader64.MajorLinkerVersion", Field, 3, ""},
+		{"OptionalHeader64.MajorOperatingSystemVersion", Field, 3, ""},
+		{"OptionalHeader64.MajorSubsystemVersion", Field, 3, ""},
+		{"OptionalHeader64.MinorImageVersion", Field, 3, ""},
+		{"OptionalHeader64.MinorLinkerVersion", Field, 3, ""},
+		{"OptionalHeader64.MinorOperatingSystemVersion", Field, 3, ""},
+		{"OptionalHeader64.MinorSubsystemVersion", Field, 3, ""},
+		{"OptionalHeader64.NumberOfRvaAndSizes", Field, 3, ""},
+		{"OptionalHeader64.SectionAlignment", Field, 3, ""},
+		{"OptionalHeader64.SizeOfCode", Field, 3, ""},
+		{"OptionalHeader64.SizeOfHeaders", Field, 3, ""},
+		{"OptionalHeader64.SizeOfHeapCommit", Field, 3, ""},
+		{"OptionalHeader64.SizeOfHeapReserve", Field, 3, ""},
+		{"OptionalHeader64.SizeOfImage", Field, 3, ""},
+		{"OptionalHeader64.SizeOfInitializedData", Field, 3, ""},
+		{"OptionalHeader64.SizeOfStackCommit", Field, 3, ""},
+		{"OptionalHeader64.SizeOfStackReserve", Field, 3, ""},
+		{"OptionalHeader64.SizeOfUninitializedData", Field, 3, ""},
+		{"OptionalHeader64.Subsystem", Field, 3, ""},
+		{"OptionalHeader64.Win32VersionValue", Field, 3, ""},
+		{"Reloc", Type, 8, ""},
+		{"Reloc.SymbolTableIndex", Field, 8, ""},
+		{"Reloc.Type", Field, 8, ""},
+		{"Reloc.VirtualAddress", Field, 8, ""},
+		{"Section", Type, 0, ""},
+		{"Section.ReaderAt", Field, 0, ""},
+		{"Section.Relocs", Field, 8, ""},
+		{"Section.SectionHeader", Field, 0, ""},
+		{"SectionHeader", Type, 0, ""},
+		{"SectionHeader.Characteristics", Field, 0, ""},
+		{"SectionHeader.Name", Field, 0, ""},
+		{"SectionHeader.NumberOfLineNumbers", Field, 0, ""},
+		{"SectionHeader.NumberOfRelocations", Field, 0, ""},
+		{"SectionHeader.Offset", Field, 0, ""},
+		{"SectionHeader.PointerToLineNumbers", Field, 0, ""},
+		{"SectionHeader.PointerToRelocations", Field, 0, ""},
+		{"SectionHeader.Size", Field, 0, ""},
+		{"SectionHeader.VirtualAddress", Field, 0, ""},
+		{"SectionHeader.VirtualSize", Field, 0, ""},
+		{"SectionHeader32", Type, 0, ""},
+		{"SectionHeader32.Characteristics", Field, 0, ""},
+		{"SectionHeader32.Name", Field, 0, ""},
+		{"SectionHeader32.NumberOfLineNumbers", Field, 0, ""},
+		{"SectionHeader32.NumberOfRelocations", Field, 0, ""},
+		{"SectionHeader32.PointerToLineNumbers", Field, 0, ""},
+		{"SectionHeader32.PointerToRawData", Field, 0, ""},
+		{"SectionHeader32.PointerToRelocations", Field, 0, ""},
+		{"SectionHeader32.SizeOfRawData", Field, 0, ""},
+		{"SectionHeader32.VirtualAddress", Field, 0, ""},
+		{"SectionHeader32.VirtualSize", Field, 0, ""},
+		{"StringTable", Type, 8, ""},
+		{"Symbol", Type, 1, ""},
+		{"Symbol.Name", Field, 1, ""},
+		{"Symbol.SectionNumber", Field, 1, ""},
+		{"Symbol.StorageClass", Field, 1, ""},
+		{"Symbol.Type", Field, 1, ""},
+		{"Symbol.Value", Field, 1, ""},
+	},
+	"debug/plan9obj": {
+		{"(*File).Close", Method, 3, ""},
+		{"(*File).Section", Method, 3, ""},
+		{"(*File).Symbols", Method, 3, ""},
+		{"(*Section).Data", Method, 3, ""},
+		{"(*Section).Open", Method, 3, ""},
+		{"(Section).ReadAt", Method, 3, ""},
+		{"ErrNoSymbols", Var, 18, ""},
+		{"File", Type, 3, ""},
+		{"File.FileHeader", Field, 3, ""},
+		{"File.Sections", Field, 3, ""},
+		{"FileHeader", Type, 3, ""},
+		{"FileHeader.Bss", Field, 3, ""},
+		{"FileHeader.Entry", Field, 3, ""},
+		{"FileHeader.HdrSize", Field, 4, ""},
+		{"FileHeader.LoadAddress", Field, 4, ""},
+		{"FileHeader.Magic", Field, 3, ""},
+		{"FileHeader.PtrSize", Field, 3, ""},
+		{"Magic386", Const, 3, ""},
+		{"Magic64", Const, 3, ""},
+		{"MagicAMD64", Const, 3, ""},
+		{"MagicARM", Const, 3, ""},
+		{"NewFile", Func, 3, "func(r io.ReaderAt) (*File, error)"},
+		{"Open", Func, 3, "func(name string) (*File, error)"},
+		{"Section", Type, 3, ""},
+		{"Section.ReaderAt", Field, 3, ""},
+		{"Section.SectionHeader", Field, 3, ""},
+		{"SectionHeader", Type, 3, ""},
+		{"SectionHeader.Name", Field, 3, ""},
+		{"SectionHeader.Offset", Field, 3, ""},
+		{"SectionHeader.Size", Field, 3, ""},
+		{"Sym", Type, 3, ""},
+		{"Sym.Name", Field, 3, ""},
+		{"Sym.Type", Field, 3, ""},
+		{"Sym.Value", Field, 3, ""},
+	},
+	"embed": {
+		{"(FS).Open", Method, 16, ""},
+		{"(FS).ReadDir", Method, 16, ""},
+		{"(FS).ReadFile", Method, 16, ""},
+		{"FS", Type, 16, ""},
+	},
+	"encoding": {
+		{"(BinaryAppender).AppendBinary", Method, 24, ""},
+		{"(BinaryMarshaler).MarshalBinary", Method, 2, ""},
+		{"(BinaryUnmarshaler).UnmarshalBinary", Method, 2, ""},
+		{"(TextAppender).AppendText", Method, 24, ""},
+		{"(TextMarshaler).MarshalText", Method, 2, ""},
+		{"(TextUnmarshaler).UnmarshalText", Method, 2, ""},
+		{"BinaryAppender", Type, 24, ""},
+		{"BinaryMarshaler", Type, 2, ""},
+		{"BinaryUnmarshaler", Type, 2, ""},
+		{"TextAppender", Type, 24, ""},
+		{"TextMarshaler", Type, 2, ""},
+		{"TextUnmarshaler", Type, 2, ""},
+	},
+	"encoding/ascii85": {
+		{"(CorruptInputError).Error", Method, 0, ""},
+		{"CorruptInputError", Type, 0, ""},
+		{"Decode", Func, 0, "func(dst []byte, src []byte, flush bool) (ndst int, nsrc int, err error)"},
+		{"Encode", Func, 0, "func(dst []byte, src []byte) int"},
+		{"MaxEncodedLen", Func, 0, "func(n int) int"},
+		{"NewDecoder", Func, 0, "func(r io.Reader) io.Reader"},
+		{"NewEncoder", Func, 0, "func(w io.Writer) io.WriteCloser"},
+	},
+	"encoding/asn1": {
+		{"(BitString).At", Method, 0, ""},
+		{"(BitString).RightAlign", Method, 0, ""},
+		{"(ObjectIdentifier).Equal", Method, 0, ""},
+		{"(ObjectIdentifier).String", Method, 3, ""},
+		{"(StructuralError).Error", Method, 0, ""},
+		{"(SyntaxError).Error", Method, 0, ""},
+		{"BitString", Type, 0, ""},
+		{"BitString.BitLength", Field, 0, ""},
+		{"BitString.Bytes", Field, 0, ""},
+		{"ClassApplication", Const, 6, ""},
+		{"ClassContextSpecific", Const, 6, ""},
+		{"ClassPrivate", Const, 6, ""},
+		{"ClassUniversal", Const, 6, ""},
+		{"Enumerated", Type, 0, ""},
+		{"Flag", Type, 0, ""},
+		{"Marshal", Func, 0, "func(val any) ([]byte, error)"},
+		{"MarshalWithParams", Func, 10, "func(val any, params string) ([]byte, error)"},
+		{"NullBytes", Var, 9, ""},
+		{"NullRawValue", Var, 9, ""},
+		{"ObjectIdentifier", Type, 0, ""},
+		{"RawContent", Type, 0, ""},
+		{"RawValue", Type, 0, ""},
+		{"RawValue.Bytes", Field, 0, ""},
+		{"RawValue.Class", Field, 0, ""},
+		{"RawValue.FullBytes", Field, 0, ""},
+		{"RawValue.IsCompound", Field, 0, ""},
+		{"RawValue.Tag", Field, 0, ""},
+		{"StructuralError", Type, 0, ""},
+		{"StructuralError.Msg", Field, 0, ""},
+		{"SyntaxError", Type, 0, ""},
+		{"SyntaxError.Msg", Field, 0, ""},
+		{"TagBMPString", Const, 14, ""},
+		{"TagBitString", Const, 6, ""},
+		{"TagBoolean", Const, 6, ""},
+		{"TagEnum", Const, 6, ""},
+		{"TagGeneralString", Const, 6, ""},
+		{"TagGeneralizedTime", Const, 6, ""},
+		{"TagIA5String", Const, 6, ""},
+		{"TagInteger", Const, 6, ""},
+		{"TagNull", Const, 9, ""},
+		{"TagNumericString", Const, 10, ""},
+		{"TagOID", Const, 6, ""},
+		{"TagOctetString", Const, 6, ""},
+		{"TagPrintableString", Const, 6, ""},
+		{"TagSequence", Const, 6, ""},
+		{"TagSet", Const, 6, ""},
+		{"TagT61String", Const, 6, ""},
+		{"TagUTCTime", Const, 6, ""},
+		{"TagUTF8String", Const, 6, ""},
+		{"Unmarshal", Func, 0, "func(b []byte, val any) (rest []byte, err error)"},
+		{"UnmarshalWithParams", Func, 0, "func(b []byte, val any, params string) (rest []byte, err error)"},
+	},
+	"encoding/base32": {
+		{"(*Encoding).AppendDecode", Method, 22, ""},
+		{"(*Encoding).AppendEncode", Method, 22, ""},
+		{"(*Encoding).Decode", Method, 0, ""},
+		{"(*Encoding).DecodeString", Method, 0, ""},
+		{"(*Encoding).DecodedLen", Method, 0, ""},
+		{"(*Encoding).Encode", Method, 0, ""},
+		{"(*Encoding).EncodeToString", Method, 0, ""},
+		{"(*Encoding).EncodedLen", Method, 0, ""},
+		{"(CorruptInputError).Error", Method, 0, ""},
+		{"(Encoding).WithPadding", Method, 9, ""},
+		{"CorruptInputError", Type, 0, ""},
+		{"Encoding", Type, 0, ""},
+		{"HexEncoding", Var, 0, ""},
+		{"NewDecoder", Func, 0, "func(enc *Encoding, r io.Reader) io.Reader"},
+		{"NewEncoder", Func, 0, "func(enc *Encoding, w io.Writer) io.WriteCloser"},
+		{"NewEncoding", Func, 0, "func(encoder string) *Encoding"},
+		{"NoPadding", Const, 9, ""},
+		{"StdEncoding", Var, 0, ""},
+		{"StdPadding", Const, 9, ""},
+	},
+	"encoding/base64": {
+		{"(*Encoding).AppendDecode", Method, 22, ""},
+		{"(*Encoding).AppendEncode", Method, 22, ""},
+		{"(*Encoding).Decode", Method, 0, ""},
+		{"(*Encoding).DecodeString", Method, 0, ""},
+		{"(*Encoding).DecodedLen", Method, 0, ""},
+		{"(*Encoding).Encode", Method, 0, ""},
+		{"(*Encoding).EncodeToString", Method, 0, ""},
+		{"(*Encoding).EncodedLen", Method, 0, ""},
+		{"(CorruptInputError).Error", Method, 0, ""},
+		{"(Encoding).Strict", Method, 8, ""},
+		{"(Encoding).WithPadding", Method, 5, ""},
+		{"CorruptInputError", Type, 0, ""},
+		{"Encoding", Type, 0, ""},
+		{"NewDecoder", Func, 0, "func(enc *Encoding, r io.Reader) io.Reader"},
+		{"NewEncoder", Func, 0, "func(enc *Encoding, w io.Writer) io.WriteCloser"},
+		{"NewEncoding", Func, 0, "func(encoder string) *Encoding"},
+		{"NoPadding", Const, 5, ""},
+		{"RawStdEncoding", Var, 5, ""},
+		{"RawURLEncoding", Var, 5, ""},
+		{"StdEncoding", Var, 0, ""},
+		{"StdPadding", Const, 5, ""},
+		{"URLEncoding", Var, 0, ""},
+	},
+	"encoding/binary": {
+		{"(AppendByteOrder).AppendUint16", Method, 19, ""},
+		{"(AppendByteOrder).AppendUint32", Method, 19, ""},
+		{"(AppendByteOrder).AppendUint64", Method, 19, ""},
+		{"(AppendByteOrder).String", Method, 19, ""},
+		{"(ByteOrder).PutUint16", Method, 0, ""},
+		{"(ByteOrder).PutUint32", Method, 0, ""},
+		{"(ByteOrder).PutUint64", Method, 0, ""},
+		{"(ByteOrder).String", Method, 0, ""},
+		{"(ByteOrder).Uint16", Method, 0, ""},
+		{"(ByteOrder).Uint32", Method, 0, ""},
+		{"(ByteOrder).Uint64", Method, 0, ""},
+		{"Append", Func, 23, "func(buf []byte, order ByteOrder, data any) ([]byte, error)"},
+		{"AppendByteOrder", Type, 19, ""},
+		{"AppendUvarint", Func, 19, "func(buf []byte, x uint64) []byte"},
+		{"AppendVarint", Func, 19, "func(buf []byte, x int64) []byte"},
+		{"BigEndian", Var, 0, ""},
+		{"ByteOrder", Type, 0, ""},
+		{"Decode", Func, 23, "func(buf []byte, order ByteOrder, data any) (int, error)"},
+		{"Encode", Func, 23, "func(buf []byte, order ByteOrder, data any) (int, error)"},
+		{"LittleEndian", Var, 0, ""},
+		{"MaxVarintLen16", Const, 0, ""},
+		{"MaxVarintLen32", Const, 0, ""},
+		{"MaxVarintLen64", Const, 0, ""},
+		{"NativeEndian", Var, 21, ""},
+		{"PutUvarint", Func, 0, "func(buf []byte, x uint64) int"},
+		{"PutVarint", Func, 0, "func(buf []byte, x int64) int"},
+		{"Read", Func, 0, "func(r io.Reader, order ByteOrder, data any) error"},
+		{"ReadUvarint", Func, 0, "func(r io.ByteReader) (uint64, error)"},
+		{"ReadVarint", Func, 0, "func(r io.ByteReader) (int64, error)"},
+		{"Size", Func, 0, "func(v any) int"},
+		{"Uvarint", Func, 0, "func(buf []byte) (uint64, int)"},
+		{"Varint", Func, 0, "func(buf []byte) (int64, int)"},
+		{"Write", Func, 0, "func(w io.Writer, order ByteOrder, data any) error"},
+	},
+	"encoding/csv": {
+		{"(*ParseError).Error", Method, 0, ""},
+		{"(*ParseError).Unwrap", Method, 13, ""},
+		{"(*Reader).FieldPos", Method, 17, ""},
+		{"(*Reader).InputOffset", Method, 19, ""},
+		{"(*Reader).Read", Method, 0, ""},
+		{"(*Reader).ReadAll", Method, 0, ""},
+		{"(*Writer).Error", Method, 1, ""},
+		{"(*Writer).Flush", Method, 0, ""},
+		{"(*Writer).Write", Method, 0, ""},
+		{"(*Writer).WriteAll", Method, 0, ""},
+		{"ErrBareQuote", Var, 0, ""},
+		{"ErrFieldCount", Var, 0, ""},
+		{"ErrQuote", Var, 0, ""},
+		{"ErrTrailingComma", Var, 0, ""},
+		{"NewReader", Func, 0, "func(r io.Reader) *Reader"},
+		{"NewWriter", Func, 0, "func(w io.Writer) *Writer"},
+		{"ParseError", Type, 0, ""},
+		{"ParseError.Column", Field, 0, ""},
+		{"ParseError.Err", Field, 0, ""},
+		{"ParseError.Line", Field, 0, ""},
+		{"ParseError.StartLine", Field, 10, ""},
+		{"Reader", Type, 0, ""},
+		{"Reader.Comma", Field, 0, ""},
+		{"Reader.Comment", Field, 0, ""},
+		{"Reader.FieldsPerRecord", Field, 0, ""},
+		{"Reader.LazyQuotes", Field, 0, ""},
+		{"Reader.ReuseRecord", Field, 9, ""},
+		{"Reader.TrailingComma", Field, 0, ""},
+		{"Reader.TrimLeadingSpace", Field, 0, ""},
+		{"Writer", Type, 0, ""},
+		{"Writer.Comma", Field, 0, ""},
+		{"Writer.UseCRLF", Field, 0, ""},
+	},
+	"encoding/gob": {
+		{"(*Decoder).Decode", Method, 0, ""},
+		{"(*Decoder).DecodeValue", Method, 0, ""},
+		{"(*Encoder).Encode", Method, 0, ""},
+		{"(*Encoder).EncodeValue", Method, 0, ""},
+		{"(GobDecoder).GobDecode", Method, 0, ""},
+		{"(GobEncoder).GobEncode", Method, 0, ""},
+		{"CommonType", Type, 0, ""},
+		{"CommonType.Id", Field, 0, ""},
+		{"CommonType.Name", Field, 0, ""},
+		{"Decoder", Type, 0, ""},
+		{"Encoder", Type, 0, ""},
+		{"GobDecoder", Type, 0, ""},
+		{"GobEncoder", Type, 0, ""},
+		{"NewDecoder", Func, 0, "func(r io.Reader) *Decoder"},
+		{"NewEncoder", Func, 0, "func(w io.Writer) *Encoder"},
+		{"Register", Func, 0, "func(value any)"},
+		{"RegisterName", Func, 0, "func(name string, value any)"},
+	},
+	"encoding/hex": {
+		{"(InvalidByteError).Error", Method, 0, ""},
+		{"AppendDecode", Func, 22, "func(dst []byte, src []byte) ([]byte, error)"},
+		{"AppendEncode", Func, 22, "func(dst []byte, src []byte) []byte"},
+		{"Decode", Func, 0, "func(dst []byte, src []byte) (int, error)"},
+		{"DecodeString", Func, 0, "func(s string) ([]byte, error)"},
+		{"DecodedLen", Func, 0, "func(x int) int"},
+		{"Dump", Func, 0, "func(data []byte) string"},
+		{"Dumper", Func, 0, "func(w io.Writer) io.WriteCloser"},
+		{"Encode", Func, 0, "func(dst []byte, src []byte) int"},
+		{"EncodeToString", Func, 0, "func(src []byte) string"},
+		{"EncodedLen", Func, 0, "func(n int) int"},
+		{"ErrLength", Var, 0, ""},
+		{"InvalidByteError", Type, 0, ""},
+		{"NewDecoder", Func, 10, "func(r io.Reader) io.Reader"},
+		{"NewEncoder", Func, 10, "func(w io.Writer) io.Writer"},
+	},
+	"encoding/json": {
+		{"(*Decoder).Buffered", Method, 1, ""},
+		{"(*Decoder).Decode", Method, 0, ""},
+		{"(*Decoder).DisallowUnknownFields", Method, 10, ""},
+		{"(*Decoder).InputOffset", Method, 14, ""},
+		{"(*Decoder).More", Method, 5, ""},
+		{"(*Decoder).Token", Method, 5, ""},
+		{"(*Decoder).UseNumber", Method, 1, ""},
+		{"(*Encoder).Encode", Method, 0, ""},
+		{"(*Encoder).SetEscapeHTML", Method, 7, ""},
+		{"(*Encoder).SetIndent", Method, 7, ""},
+		{"(*InvalidUTF8Error).Error", Method, 0, ""},
+		{"(*InvalidUnmarshalError).Error", Method, 0, ""},
+		{"(*MarshalerError).Error", Method, 0, ""},
+		{"(*MarshalerError).Unwrap", Method, 13, ""},
+		{"(*RawMessage).MarshalJSON", Method, 0, ""},
+		{"(*RawMessage).UnmarshalJSON", Method, 0, ""},
+		{"(*SyntaxError).Error", Method, 0, ""},
+		{"(*UnmarshalFieldError).Error", Method, 0, ""},
+		{"(*UnmarshalTypeError).Error", Method, 0, ""},
+		{"(*UnsupportedTypeError).Error", Method, 0, ""},
+		{"(*UnsupportedValueError).Error", Method, 0, ""},
+		{"(Delim).String", Method, 5, ""},
+		{"(Marshaler).MarshalJSON", Method, 0, ""},
+		{"(Number).Float64", Method, 1, ""},
+		{"(Number).Int64", Method, 1, ""},
+		{"(Number).String", Method, 1, ""},
+		{"(RawMessage).MarshalJSON", Method, 8, ""},
+		{"(Unmarshaler).UnmarshalJSON", Method, 0, ""},
+		{"Compact", Func, 0, "func(dst *bytes.Buffer, src []byte) error"},
+		{"Decoder", Type, 0, ""},
+		{"Delim", Type, 5, ""},
+		{"Encoder", Type, 0, ""},
+		{"HTMLEscape", Func, 0, "func(dst *bytes.Buffer, src []byte)"},
+		{"Indent", Func, 0, "func(dst *bytes.Buffer, src []byte, prefix string, indent string) error"},
+		{"InvalidUTF8Error", Type, 0, ""},
+		{"InvalidUTF8Error.S", Field, 0, ""},
+		{"InvalidUnmarshalError", Type, 0, ""},
+		{"InvalidUnmarshalError.Type", Field, 0, ""},
+		{"Marshal", Func, 0, "func(v any) ([]byte, error)"},
+		{"MarshalIndent", Func, 0, "func(v any, prefix string, indent string) ([]byte, error)"},
+		{"Marshaler", Type, 0, ""},
+		{"MarshalerError", Type, 0, ""},
+		{"MarshalerError.Err", Field, 0, ""},
+		{"MarshalerError.Type", Field, 0, ""},
+		{"NewDecoder", Func, 0, "func(r io.Reader) *Decoder"},
+		{"NewEncoder", Func, 0, "func(w io.Writer) *Encoder"},
+		{"Number", Type, 1, ""},
+		{"RawMessage", Type, 0, ""},
+		{"SyntaxError", Type, 0, ""},
+		{"SyntaxError.Offset", Field, 0, ""},
+		{"Token", Type, 5, ""},
+		{"Unmarshal", Func, 0, "func(data []byte, v any) error"},
+		{"UnmarshalFieldError", Type, 0, ""},
+		{"UnmarshalFieldError.Field", Field, 0, ""},
+		{"UnmarshalFieldError.Key", Field, 0, ""},
+		{"UnmarshalFieldError.Type", Field, 0, ""},
+		{"UnmarshalTypeError", Type, 0, ""},
+		{"UnmarshalTypeError.Field", Field, 8, ""},
+		{"UnmarshalTypeError.Offset", Field, 5, ""},
+		{"UnmarshalTypeError.Struct", Field, 8, ""},
+		{"UnmarshalTypeError.Type", Field, 0, ""},
+		{"UnmarshalTypeError.Value", Field, 0, ""},
+		{"Unmarshaler", Type, 0, ""},
+		{"UnsupportedTypeError", Type, 0, ""},
+		{"UnsupportedTypeError.Type", Field, 0, ""},
+		{"UnsupportedValueError", Type, 0, ""},
+		{"UnsupportedValueError.Str", Field, 0, ""},
+		{"UnsupportedValueError.Value", Field, 0, ""},
+		{"Valid", Func, 9, "func(data []byte) bool"},
+	},
+	"encoding/pem": {
+		{"Block", Type, 0, ""},
+		{"Block.Bytes", Field, 0, ""},
+		{"Block.Headers", Field, 0, ""},
+		{"Block.Type", Field, 0, ""},
+		{"Decode", Func, 0, "func(data []byte) (p *Block, rest []byte)"},
+		{"Encode", Func, 0, "func(out io.Writer, b *Block) error"},
+		{"EncodeToMemory", Func, 0, "func(b *Block) []byte"},
+	},
+	"encoding/xml": {
+		{"(*Decoder).Decode", Method, 0, ""},
+		{"(*Decoder).DecodeElement", Method, 0, ""},
+		{"(*Decoder).InputOffset", Method, 4, ""},
+		{"(*Decoder).InputPos", Method, 19, ""},
+		{"(*Decoder).RawToken", Method, 0, ""},
+		{"(*Decoder).Skip", Method, 0, ""},
+		{"(*Decoder).Token", Method, 0, ""},
+		{"(*Encoder).Close", Method, 20, ""},
+		{"(*Encoder).Encode", Method, 0, ""},
+		{"(*Encoder).EncodeElement", Method, 2, ""},
+		{"(*Encoder).EncodeToken", Method, 2, ""},
+		{"(*Encoder).Flush", Method, 2, ""},
+		{"(*Encoder).Indent", Method, 1, ""},
+		{"(*SyntaxError).Error", Method, 0, ""},
+		{"(*TagPathError).Error", Method, 0, ""},
+		{"(*UnsupportedTypeError).Error", Method, 0, ""},
+		{"(CharData).Copy", Method, 0, ""},
+		{"(Comment).Copy", Method, 0, ""},
+		{"(Directive).Copy", Method, 0, ""},
+		{"(Marshaler).MarshalXML", Method, 2, ""},
+		{"(MarshalerAttr).MarshalXMLAttr", Method, 2, ""},
+		{"(ProcInst).Copy", Method, 0, ""},
+		{"(StartElement).Copy", Method, 0, ""},
+		{"(StartElement).End", Method, 2, ""},
+		{"(TokenReader).Token", Method, 10, ""},
+		{"(UnmarshalError).Error", Method, 0, ""},
+		{"(Unmarshaler).UnmarshalXML", Method, 2, ""},
+		{"(UnmarshalerAttr).UnmarshalXMLAttr", Method, 2, ""},
+		{"Attr", Type, 0, ""},
+		{"Attr.Name", Field, 0, ""},
+		{"Attr.Value", Field, 0, ""},
+		{"CharData", Type, 0, ""},
+		{"Comment", Type, 0, ""},
+		{"CopyToken", Func, 0, "func(t Token) Token"},
+		{"Decoder", Type, 0, ""},
+		{"Decoder.AutoClose", Field, 0, ""},
+		{"Decoder.CharsetReader", Field, 0, ""},
+		{"Decoder.DefaultSpace", Field, 1, ""},
+		{"Decoder.Entity", Field, 0, ""},
+		{"Decoder.Strict", Field, 0, ""},
+		{"Directive", Type, 0, ""},
+		{"Encoder", Type, 0, ""},
+		{"EndElement", Type, 0, ""},
+		{"EndElement.Name", Field, 0, ""},
+		{"Escape", Func, 0, "func(w io.Writer, s []byte)"},
+		{"EscapeText", Func, 1, "func(w io.Writer, s []byte) error"},
+		{"HTMLAutoClose", Var, 0, ""},
+		{"HTMLEntity", Var, 0, ""},
+		{"Header", Const, 0, ""},
+		{"Marshal", Func, 0, "func(v any) ([]byte, error)"},
+		{"MarshalIndent", Func, 0, "func(v any, prefix string, indent string) ([]byte, error)"},
+		{"Marshaler", Type, 2, ""},
+		{"MarshalerAttr", Type, 2, ""},
+		{"Name", Type, 0, ""},
+		{"Name.Local", Field, 0, ""},
+		{"Name.Space", Field, 0, ""},
+		{"NewDecoder", Func, 0, "func(r io.Reader) *Decoder"},
+		{"NewEncoder", Func, 0, "func(w io.Writer) *Encoder"},
+		{"NewTokenDecoder", Func, 10, "func(t TokenReader) *Decoder"},
+		{"ProcInst", Type, 0, ""},
+		{"ProcInst.Inst", Field, 0, ""},
+		{"ProcInst.Target", Field, 0, ""},
+		{"StartElement", Type, 0, ""},
+		{"StartElement.Attr", Field, 0, ""},
+		{"StartElement.Name", Field, 0, ""},
+		{"SyntaxError", Type, 0, ""},
+		{"SyntaxError.Line", Field, 0, ""},
+		{"SyntaxError.Msg", Field, 0, ""},
+		{"TagPathError", Type, 0, ""},
+		{"TagPathError.Field1", Field, 0, ""},
+		{"TagPathError.Field2", Field, 0, ""},
+		{"TagPathError.Struct", Field, 0, ""},
+		{"TagPathError.Tag1", Field, 0, ""},
+		{"TagPathError.Tag2", Field, 0, ""},
+		{"Token", Type, 0, ""},
+		{"TokenReader", Type, 10, ""},
+		{"Unmarshal", Func, 0, "func(data []byte, v any) error"},
+		{"UnmarshalError", Type, 0, ""},
+		{"Unmarshaler", Type, 2, ""},
+		{"UnmarshalerAttr", Type, 2, ""},
+		{"UnsupportedTypeError", Type, 0, ""},
+		{"UnsupportedTypeError.Type", Field, 0, ""},
+	},
+	"errors": {
+		{"As", Func, 13, "func(err error, target any) bool"},
+		{"AsType", Func, 26, "func[E error](err error) (E, bool)"},
+		{"ErrUnsupported", Var, 21, ""},
+		{"Is", Func, 13, "func(err error, target error) bool"},
+		{"Join", Func, 20, "func(errs ...error) error"},
+		{"New", Func, 0, "func(text string) error"},
+		{"Unwrap", Func, 13, "func(err error) error"},
+	},
+	"expvar": {
+		{"(*Float).Add", Method, 0, ""},
+		{"(*Float).Set", Method, 0, ""},
+		{"(*Float).String", Method, 0, ""},
+		{"(*Float).Value", Method, 8, ""},
+		{"(*Int).Add", Method, 0, ""},
+		{"(*Int).Set", Method, 0, ""},
+		{"(*Int).String", Method, 0, ""},
+		{"(*Int).Value", Method, 8, ""},
+		{"(*Map).Add", Method, 0, ""},
+		{"(*Map).AddFloat", Method, 0, ""},
+		{"(*Map).Delete", Method, 12, ""},
+		{"(*Map).Do", Method, 0, ""},
+		{"(*Map).Get", Method, 0, ""},
+		{"(*Map).Init", Method, 0, ""},
+		{"(*Map).Set", Method, 0, ""},
+		{"(*Map).String", Method, 0, ""},
+		{"(*String).Set", Method, 0, ""},
+		{"(*String).String", Method, 0, ""},
+		{"(*String).Value", Method, 8, ""},
+		{"(Func).String", Method, 0, ""},
+		{"(Func).Value", Method, 8, ""},
+		{"(Var).String", Method, 0, ""},
+		{"Do", Func, 0, "func(f func(KeyValue))"},
+		{"Float", Type, 0, ""},
+		{"Func", Type, 0, ""},
+		{"Get", Func, 0, "func(name string) Var"},
+		{"Handler", Func, 8, "func() http.Handler"},
+		{"Int", Type, 0, ""},
+		{"KeyValue", Type, 0, ""},
+		{"KeyValue.Key", Field, 0, ""},
+		{"KeyValue.Value", Field, 0, ""},
+		{"Map", Type, 0, ""},
+		{"NewFloat", Func, 0, "func(name string) *Float"},
+		{"NewInt", Func, 0, "func(name string) *Int"},
+		{"NewMap", Func, 0, "func(name string) *Map"},
+		{"NewString", Func, 0, "func(name string) *String"},
+		{"Publish", Func, 0, "func(name string, v Var)"},
+		{"String", Type, 0, ""},
+		{"Var", Type, 0, ""},
+	},
+	"flag": {
+		{"(*FlagSet).Arg", Method, 0, ""},
+		{"(*FlagSet).Args", Method, 0, ""},
+		{"(*FlagSet).Bool", Method, 0, ""},
+		{"(*FlagSet).BoolFunc", Method, 21, ""},
+		{"(*FlagSet).BoolVar", Method, 0, ""},
+		{"(*FlagSet).Duration", Method, 0, ""},
+		{"(*FlagSet).DurationVar", Method, 0, ""},
+		{"(*FlagSet).ErrorHandling", Method, 10, ""},
+		{"(*FlagSet).Float64", Method, 0, ""},
+		{"(*FlagSet).Float64Var", Method, 0, ""},
+		{"(*FlagSet).Func", Method, 16, ""},
+		{"(*FlagSet).Init", Method, 0, ""},
+		{"(*FlagSet).Int", Method, 0, ""},
+		{"(*FlagSet).Int64", Method, 0, ""},
+		{"(*FlagSet).Int64Var", Method, 0, ""},
+		{"(*FlagSet).IntVar", Method, 0, ""},
+		{"(*FlagSet).Lookup", Method, 0, ""},
+		{"(*FlagSet).NArg", Method, 0, ""},
+		{"(*FlagSet).NFlag", Method, 0, ""},
+		{"(*FlagSet).Name", Method, 10, ""},
+		{"(*FlagSet).Output", Method, 10, ""},
+		{"(*FlagSet).Parse", Method, 0, ""},
+		{"(*FlagSet).Parsed", Method, 0, ""},
+		{"(*FlagSet).PrintDefaults", Method, 0, ""},
+		{"(*FlagSet).Set", Method, 0, ""},
+		{"(*FlagSet).SetOutput", Method, 0, ""},
+		{"(*FlagSet).String", Method, 0, ""},
+		{"(*FlagSet).StringVar", Method, 0, ""},
+		{"(*FlagSet).TextVar", Method, 19, ""},
+		{"(*FlagSet).Uint", Method, 0, ""},
+		{"(*FlagSet).Uint64", Method, 0, ""},
+		{"(*FlagSet).Uint64Var", Method, 0, ""},
+		{"(*FlagSet).UintVar", Method, 0, ""},
+		{"(*FlagSet).Var", Method, 0, ""},
+		{"(*FlagSet).Visit", Method, 0, ""},
+		{"(*FlagSet).VisitAll", Method, 0, ""},
+		{"(Getter).Get", Method, 2, ""},
+		{"(Getter).Set", Method, 2, ""},
+		{"(Getter).String", Method, 2, ""},
+		{"(Value).Set", Method, 0, ""},
+		{"(Value).String", Method, 0, ""},
+		{"Arg", Func, 0, "func(i int) string"},
+		{"Args", Func, 0, "func() []string"},
+		{"Bool", Func, 0, "func(name string, value bool, usage string) *bool"},
+		{"BoolFunc", Func, 21, "func(name string, usage string, fn func(string) error)"},
+		{"BoolVar", Func, 0, "func(p *bool, name string, value bool, usage string)"},
+		{"CommandLine", Var, 2, ""},
+		{"ContinueOnError", Const, 0, ""},
+		{"Duration", Func, 0, "func(name string, value time.Duration, usage string) *time.Duration"},
+		{"DurationVar", Func, 0, "func(p *time.Duration, name string, value time.Duration, usage string)"},
+		{"ErrHelp", Var, 0, ""},
+		{"ErrorHandling", Type, 0, ""},
+		{"ExitOnError", Const, 0, ""},
+		{"Flag", Type, 0, ""},
+		{"Flag.DefValue", Field, 0, ""},
+		{"Flag.Name", Field, 0, ""},
+		{"Flag.Usage", Field, 0, ""},
+		{"Flag.Value", Field, 0, ""},
+		{"FlagSet", Type, 0, ""},
+		{"FlagSet.Usage", Field, 0, ""},
+		{"Float64", Func, 0, "func(name string, value float64, usage string) *float64"},
+		{"Float64Var", Func, 0, "func(p *float64, name string, value float64, usage string)"},
+		{"Func", Func, 16, "func(name string, usage string, fn func(string) error)"},
+		{"Getter", Type, 2, ""},
+		{"Int", Func, 0, "func(name string, value int, usage string) *int"},
+		{"Int64", Func, 0, "func(name string, value int64, usage string) *int64"},
+		{"Int64Var", Func, 0, "func(p *int64, name string, value int64, usage string)"},
+		{"IntVar", Func, 0, "func(p *int, name string, value int, usage string)"},
+		{"Lookup", Func, 0, "func(name string) *Flag"},
+		{"NArg", Func, 0, "func() int"},
+		{"NFlag", Func, 0, "func() int"},
+		{"NewFlagSet", Func, 0, "func(name string, errorHandling ErrorHandling) *FlagSet"},
+		{"PanicOnError", Const, 0, ""},
+		{"Parse", Func, 0, "func()"},
+		{"Parsed", Func, 0, "func() bool"},
+		{"PrintDefaults", Func, 0, "func()"},
+		{"Set", Func, 0, "func(name string, value string) error"},
+		{"String", Func, 0, "func(name string, value string, usage string) *string"},
+		{"StringVar", Func, 0, "func(p *string, name string, value string, usage string)"},
+		{"TextVar", Func, 19, "func(p encoding.TextUnmarshaler, name string, value encoding.TextMarshaler, usage string)"},
+		{"Uint", Func, 0, "func(name string, value uint, usage string) *uint"},
+		{"Uint64", Func, 0, "func(name string, value uint64, usage string) *uint64"},
+		{"Uint64Var", Func, 0, "func(p *uint64, name string, value uint64, usage string)"},
+		{"UintVar", Func, 0, "func(p *uint, name string, value uint, usage string)"},
+		{"UnquoteUsage", Func, 5, "func(flag *Flag) (name string, usage string)"},
+		{"Usage", Var, 0, ""},
+		{"Value", Type, 0, ""},
+		{"Var", Func, 0, "func(value Value, name string, usage string)"},
+		{"Visit", Func, 0, "func(fn func(*Flag))"},
+		{"VisitAll", Func, 0, "func(fn func(*Flag))"},
+	},
+	"fmt": {
+		{"(Formatter).Format", Method, 0, ""},
+		{"(GoStringer).GoString", Method, 0, ""},
+		{"(ScanState).Read", Method, 0, ""},
+		{"(ScanState).ReadRune", Method, 0, ""},
+		{"(ScanState).SkipSpace", Method, 0, ""},
+		{"(ScanState).Token", Method, 0, ""},
+		{"(ScanState).UnreadRune", Method, 0, ""},
+		{"(ScanState).Width", Method, 0, ""},
+		{"(Scanner).Scan", Method, 0, ""},
+		{"(State).Flag", Method, 0, ""},
+		{"(State).Precision", Method, 0, ""},
+		{"(State).Width", Method, 0, ""},
+		{"(State).Write", Method, 0, ""},
+		{"(Stringer).String", Method, 0, ""},
+		{"Append", Func, 19, "func(b []byte, a ...any) []byte"},
+		{"Appendf", Func, 19, "func(b []byte, format string, a ...any) []byte"},
+		{"Appendln", Func, 19, "func(b []byte, a ...any) []byte"},
+		{"Errorf", Func, 0, "func(format string, a ...any) (err error)"},
+		{"FormatString", Func, 20, "func(state State, verb rune) string"},
+		{"Formatter", Type, 0, ""},
+		{"Fprint", Func, 0, "func(w io.Writer, a ...any) (n int, err error)"},
+		{"Fprintf", Func, 0, "func(w io.Writer, format string, a ...any) (n int, err error)"},
+		{"Fprintln", Func, 0, "func(w io.Writer, a ...any) (n int, err error)"},
+		{"Fscan", Func, 0, "func(r io.Reader, a ...any) (n int, err error)"},
+		{"Fscanf", Func, 0, "func(r io.Reader, format string, a ...any) (n int, err error)"},
+		{"Fscanln", Func, 0, "func(r io.Reader, a ...any) (n int, err error)"},
+		{"GoStringer", Type, 0, ""},
+		{"Print", Func, 0, "func(a ...any) (n int, err error)"},
+		{"Printf", Func, 0, "func(format string, a ...any) (n int, err error)"},
+		{"Println", Func, 0, "func(a ...any) (n int, err error)"},
+		{"Scan", Func, 0, "func(a ...any) (n int, err error)"},
+		{"ScanState", Type, 0, ""},
+		{"Scanf", Func, 0, "func(format string, a ...any) (n int, err error)"},
+		{"Scanln", Func, 0, "func(a ...any) (n int, err error)"},
+		{"Scanner", Type, 0, ""},
+		{"Sprint", Func, 0, "func(a ...any) string"},
+		{"Sprintf", Func, 0, "func(format string, a ...any) string"},
+		{"Sprintln", Func, 0, "func(a ...any) string"},
+		{"Sscan", Func, 0, "func(str string, a ...any) (n int, err error)"},
+		{"Sscanf", Func, 0, "func(str string, format string, a ...any) (n int, err error)"},
+		{"Sscanln", Func, 0, "func(str string, a ...any) (n int, err error)"},
+		{"State", Type, 0, ""},
+		{"Stringer", Type, 0, ""},
+	},
+	"go/ast": {
+		{"(*ArrayType).End", Method, 0, ""},
+		{"(*ArrayType).Pos", Method, 0, ""},
+		{"(*AssignStmt).End", Method, 0, ""},
+		{"(*AssignStmt).Pos", Method, 0, ""},
+		{"(*BadDecl).End", Method, 0, ""},
+		{"(*BadDecl).Pos", Method, 0, ""},
+		{"(*BadExpr).End", Method, 0, ""},
+		{"(*BadExpr).Pos", Method, 0, ""},
+		{"(*BadStmt).End", Method, 0, ""},
+		{"(*BadStmt).Pos", Method, 0, ""},
+		{"(*BasicLit).End", Method, 0, ""},
+		{"(*BasicLit).Pos", Method, 0, ""},
+		{"(*BinaryExpr).End", Method, 0, ""},
+		{"(*BinaryExpr).Pos", Method, 0, ""},
+		{"(*BlockStmt).End", Method, 0, ""},
+		{"(*BlockStmt).Pos", Method, 0, ""},
+		{"(*BranchStmt).End", Method, 0, ""},
+		{"(*BranchStmt).Pos", Method, 0, ""},
+		{"(*CallExpr).End", Method, 0, ""},
+		{"(*CallExpr).Pos", Method, 0, ""},
+		{"(*CaseClause).End", Method, 0, ""},
+		{"(*CaseClause).Pos", Method, 0, ""},
+		{"(*ChanType).End", Method, 0, ""},
+		{"(*ChanType).Pos", Method, 0, ""},
+		{"(*CommClause).End", Method, 0, ""},
+		{"(*CommClause).Pos", Method, 0, ""},
+		{"(*Comment).End", Method, 0, ""},
+		{"(*Comment).Pos", Method, 0, ""},
+		{"(*CommentGroup).End", Method, 0, ""},
+		{"(*CommentGroup).Pos", Method, 0, ""},
+		{"(*CommentGroup).Text", Method, 0, ""},
+		{"(*CompositeLit).End", Method, 0, ""},
+		{"(*CompositeLit).Pos", Method, 0, ""},
+		{"(*DeclStmt).End", Method, 0, ""},
+		{"(*DeclStmt).Pos", Method, 0, ""},
+		{"(*DeferStmt).End", Method, 0, ""},
+		{"(*DeferStmt).Pos", Method, 0, ""},
+		{"(*Directive).End", Method, 26, ""},
+		{"(*Directive).ParseArgs", Method, 26, ""},
+		{"(*Directive).Pos", Method, 26, ""},
+		{"(*Ellipsis).End", Method, 0, ""},
+		{"(*Ellipsis).Pos", Method, 0, ""},
+		{"(*EmptyStmt).End", Method, 0, ""},
+		{"(*EmptyStmt).Pos", Method, 0, ""},
+		{"(*ExprStmt).End", Method, 0, ""},
+		{"(*ExprStmt).Pos", Method, 0, ""},
+		{"(*Field).End", Method, 0, ""},
+		{"(*Field).Pos", Method, 0, ""},
+		{"(*FieldList).End", Method, 0, ""},
+		{"(*FieldList).NumFields", Method, 0, ""},
+		{"(*FieldList).Pos", Method, 0, ""},
+		{"(*File).End", Method, 0, ""},
+		{"(*File).Pos", Method, 0, ""},
+		{"(*ForStmt).End", Method, 0, ""},
+		{"(*ForStmt).Pos", Method, 0, ""},
+		{"(*FuncDecl).End", Method, 0, ""},
+		{"(*FuncDecl).Pos", Method, 0, ""},
+		{"(*FuncLit).End", Method, 0, ""},
+		{"(*FuncLit).Pos", Method, 0, ""},
+		{"(*FuncType).End", Method, 0, ""},
+		{"(*FuncType).Pos", Method, 0, ""},
+		{"(*GenDecl).End", Method, 0, ""},
+		{"(*GenDecl).Pos", Method, 0, ""},
+		{"(*GoStmt).End", Method, 0, ""},
+		{"(*GoStmt).Pos", Method, 0, ""},
+		{"(*Ident).End", Method, 0, ""},
+		{"(*Ident).IsExported", Method, 0, ""},
+		{"(*Ident).Pos", Method, 0, ""},
+		{"(*Ident).String", Method, 0, ""},
+		{"(*IfStmt).End", Method, 0, ""},
+		{"(*IfStmt).Pos", Method, 0, ""},
+		{"(*ImportSpec).End", Method, 0, ""},
+		{"(*ImportSpec).Pos", Method, 0, ""},
+		{"(*IncDecStmt).End", Method, 0, ""},
+		{"(*IncDecStmt).Pos", Method, 0, ""},
+		{"(*IndexExpr).End", Method, 0, ""},
+		{"(*IndexExpr).Pos", Method, 0, ""},
+		{"(*IndexListExpr).End", Method, 18, ""},
+		{"(*IndexListExpr).Pos", Method, 18, ""},
+		{"(*InterfaceType).End", Method, 0, ""},
+		{"(*InterfaceType).Pos", Method, 0, ""},
+		{"(*KeyValueExpr).End", Method, 0, ""},
+		{"(*KeyValueExpr).Pos", Method, 0, ""},
+		{"(*LabeledStmt).End", Method, 0, ""},
+		{"(*LabeledStmt).Pos", Method, 0, ""},
+		{"(*MapType).End", Method, 0, ""},
+		{"(*MapType).Pos", Method, 0, ""},
+		{"(*Object).Pos", Method, 0, ""},
+		{"(*Package).End", Method, 0, ""},
+		{"(*Package).Pos", Method, 0, ""},
+		{"(*ParenExpr).End", Method, 0, ""},
+		{"(*ParenExpr).Pos", Method, 0, ""},
+		{"(*RangeStmt).End", Method, 0, ""},
+		{"(*RangeStmt).Pos", Method, 0, ""},
+		{"(*ReturnStmt).End", Method, 0, ""},
+		{"(*ReturnStmt).Pos", Method, 0, ""},
+		{"(*Scope).Insert", Method, 0, ""},
+		{"(*Scope).Lookup", Method, 0, ""},
+		{"(*Scope).String", Method, 0, ""},
+		{"(*SelectStmt).End", Method, 0, ""},
+		{"(*SelectStmt).Pos", Method, 0, ""},
+		{"(*SelectorExpr).End", Method, 0, ""},
+		{"(*SelectorExpr).Pos", Method, 0, ""},
+		{"(*SendStmt).End", Method, 0, ""},
+		{"(*SendStmt).Pos", Method, 0, ""},
+		{"(*SliceExpr).End", Method, 0, ""},
+		{"(*SliceExpr).Pos", Method, 0, ""},
+		{"(*StarExpr).End", Method, 0, ""},
+		{"(*StarExpr).Pos", Method, 0, ""},
+		{"(*StructType).End", Method, 0, ""},
+		{"(*StructType).Pos", Method, 0, ""},
+		{"(*SwitchStmt).End", Method, 0, ""},
+		{"(*SwitchStmt).Pos", Method, 0, ""},
+		{"(*TypeAssertExpr).End", Method, 0, ""},
+		{"(*TypeAssertExpr).Pos", Method, 0, ""},
+		{"(*TypeSpec).End", Method, 0, ""},
+		{"(*TypeSpec).Pos", Method, 0, ""},
+		{"(*TypeSwitchStmt).End", Method, 0, ""},
+		{"(*TypeSwitchStmt).Pos", Method, 0, ""},
+		{"(*UnaryExpr).End", Method, 0, ""},
+		{"(*UnaryExpr).Pos", Method, 0, ""},
+		{"(*ValueSpec).End", Method, 0, ""},
+		{"(*ValueSpec).Pos", Method, 0, ""},
+		{"(CommentMap).Comments", Method, 1, ""},
+		{"(CommentMap).Filter", Method, 1, ""},
+		{"(CommentMap).String", Method, 1, ""},
+		{"(CommentMap).Update", Method, 1, ""},
+		{"(Decl).End", Method, 0, ""},
+		{"(Decl).Pos", Method, 0, ""},
+		{"(Expr).End", Method, 0, ""},
+		{"(Expr).Pos", Method, 0, ""},
+		{"(Node).End", Method, 0, ""},
+		{"(Node).Pos", Method, 0, ""},
+		{"(ObjKind).String", Method, 0, ""},
+		{"(Spec).End", Method, 0, ""},
+		{"(Spec).Pos", Method, 0, ""},
+		{"(Stmt).End", Method, 0, ""},
+		{"(Stmt).Pos", Method, 0, ""},
+		{"(Visitor).Visit", Method, 0, ""},
+		{"ArrayType", Type, 0, ""},
+		{"ArrayType.Elt", Field, 0, ""},
+		{"ArrayType.Lbrack", Field, 0, ""},
+		{"ArrayType.Len", Field, 0, ""},
+		{"AssignStmt", Type, 0, ""},
+		{"AssignStmt.Lhs", Field, 0, ""},
+		{"AssignStmt.Rhs", Field, 0, ""},
+		{"AssignStmt.Tok", Field, 0, ""},
+		{"AssignStmt.TokPos", Field, 0, ""},
+		{"Bad", Const, 0, ""},
+		{"BadDecl", Type, 0, ""},
+		{"BadDecl.From", Field, 0, ""},
+		{"BadDecl.To", Field, 0, ""},
+		{"BadExpr", Type, 0, ""},
+		{"BadExpr.From", Field, 0, ""},
+		{"BadExpr.To", Field, 0, ""},
+		{"BadStmt", Type, 0, ""},
+		{"BadStmt.From", Field, 0, ""},
+		{"BadStmt.To", Field, 0, ""},
+		{"BasicLit", Type, 0, ""},
+		{"BasicLit.Kind", Field, 0, ""},
+		{"BasicLit.Value", Field, 0, ""},
+		{"BasicLit.ValueEnd", Field, 26, ""},
+		{"BasicLit.ValuePos", Field, 0, ""},
+		{"BinaryExpr", Type, 0, ""},
+		{"BinaryExpr.Op", Field, 0, ""},
+		{"BinaryExpr.OpPos", Field, 0, ""},
+		{"BinaryExpr.X", Field, 0, ""},
+		{"BinaryExpr.Y", Field, 0, ""},
+		{"BlockStmt", Type, 0, ""},
+		{"BlockStmt.Lbrace", Field, 0, ""},
+		{"BlockStmt.List", Field, 0, ""},
+		{"BlockStmt.Rbrace", Field, 0, ""},
+		{"BranchStmt", Type, 0, ""},
+		{"BranchStmt.Label", Field, 0, ""},
+		{"BranchStmt.Tok", Field, 0, ""},
+		{"BranchStmt.TokPos", Field, 0, ""},
+		{"CallExpr", Type, 0, ""},
+		{"CallExpr.Args", Field, 0, ""},
+		{"CallExpr.Ellipsis", Field, 0, ""},
+		{"CallExpr.Fun", Field, 0, ""},
+		{"CallExpr.Lparen", Field, 0, ""},
+		{"CallExpr.Rparen", Field, 0, ""},
+		{"CaseClause", Type, 0, ""},
+		{"CaseClause.Body", Field, 0, ""},
+		{"CaseClause.Case", Field, 0, ""},
+		{"CaseClause.Colon", Field, 0, ""},
+		{"CaseClause.List", Field, 0, ""},
+		{"ChanDir", Type, 0, ""},
+		{"ChanType", Type, 0, ""},
+		{"ChanType.Arrow", Field, 1, ""},
+		{"ChanType.Begin", Field, 0, ""},
+		{"ChanType.Dir", Field, 0, ""},
+		{"ChanType.Value", Field, 0, ""},
+		{"CommClause", Type, 0, ""},
+		{"CommClause.Body", Field, 0, ""},
+		{"CommClause.Case", Field, 0, ""},
+		{"CommClause.Colon", Field, 0, ""},
+		{"CommClause.Comm", Field, 0, ""},
+		{"Comment", Type, 0, ""},
+		{"Comment.Slash", Field, 0, ""},
+		{"Comment.Text", Field, 0, ""},
+		{"CommentGroup", Type, 0, ""},
+		{"CommentGroup.List", Field, 0, ""},
+		{"CommentMap", Type, 1, ""},
+		{"CompositeLit", Type, 0, ""},
+		{"CompositeLit.Elts", Field, 0, ""},
+		{"CompositeLit.Incomplete", Field, 11, ""},
+		{"CompositeLit.Lbrace", Field, 0, ""},
+		{"CompositeLit.Rbrace", Field, 0, ""},
+		{"CompositeLit.Type", Field, 0, ""},
+		{"Con", Const, 0, ""},
+		{"DeclStmt", Type, 0, ""},
+		{"DeclStmt.Decl", Field, 0, ""},
+		{"DeferStmt", Type, 0, ""},
+		{"DeferStmt.Call", Field, 0, ""},
+		{"DeferStmt.Defer", Field, 0, ""},
+		{"Directive", Type, 26, ""},
+		{"Directive.Args", Field, 26, ""},
+		{"Directive.ArgsPos", Field, 26, ""},
+		{"Directive.Name", Field, 26, ""},
+		{"Directive.Slash", Field, 26, ""},
+		{"Directive.Tool", Field, 26, ""},
+		{"DirectiveArg", Type, 26, ""},
+		{"DirectiveArg.Arg", Field, 26, ""},
+		{"DirectiveArg.Pos", Field, 26, ""},
+		{"Ellipsis", Type, 0, ""},
+		{"Ellipsis.Ellipsis", Field, 0, ""},
+		{"Ellipsis.Elt", Field, 0, ""},
+		{"EmptyStmt", Type, 0, ""},
+		{"EmptyStmt.Implicit", Field, 5, ""},
+		{"EmptyStmt.Semicolon", Field, 0, ""},
+		{"ExprStmt", Type, 0, ""},
+		{"ExprStmt.X", Field, 0, ""},
+		{"Field", Type, 0, ""},
+		{"Field.Comment", Field, 0, ""},
+		{"Field.Doc", Field, 0, ""},
+		{"Field.Names", Field, 0, ""},
+		{"Field.Tag", Field, 0, ""},
+		{"Field.Type", Field, 0, ""},
+		{"FieldFilter", Type, 0, ""},
+		{"FieldList", Type, 0, ""},
+		{"FieldList.Closing", Field, 0, ""},
+		{"FieldList.List", Field, 0, ""},
+		{"FieldList.Opening", Field, 0, ""},
+		{"File", Type, 0, ""},
+		{"File.Comments", Field, 0, ""},
+		{"File.Decls", Field, 0, ""},
+		{"File.Doc", Field, 0, ""},
+		{"File.FileEnd", Field, 20, ""},
+		{"File.FileStart", Field, 20, ""},
+		{"File.GoVersion", Field, 21, ""},
+		{"File.Imports", Field, 0, ""},
+		{"File.Name", Field, 0, ""},
+		{"File.Package", Field, 0, ""},
+		{"File.Scope", Field, 0, ""},
+		{"File.Unresolved", Field, 0, ""},
+		{"FileExports", Func, 0, "func(src *File) bool"},
+		{"Filter", Type, 0, ""},
+		{"FilterDecl", Func, 0, "func(decl Decl, f Filter) bool"},
+		{"FilterFile", Func, 0, "func(src *File, f Filter) bool"},
+		{"FilterFuncDuplicates", Const, 0, ""},
+		{"FilterImportDuplicates", Const, 0, ""},
+		{"FilterPackage", Func, 0, "func(pkg *Package, f Filter) bool"},
+		{"FilterUnassociatedComments", Const, 0, ""},
+		{"ForStmt", Type, 0, ""},
+		{"ForStmt.Body", Field, 0, ""},
+		{"ForStmt.Cond", Field, 0, ""},
+		{"ForStmt.For", Field, 0, ""},
+		{"ForStmt.Init", Field, 0, ""},
+		{"ForStmt.Post", Field, 0, ""},
+		{"Fprint", Func, 0, "func(w io.Writer, fset *token.FileSet, x any, f FieldFilter) error"},
+		{"Fun", Const, 0, ""},
+		{"FuncDecl", Type, 0, ""},
+		{"FuncDecl.Body", Field, 0, ""},
+		{"FuncDecl.Doc", Field, 0, ""},
+		{"FuncDecl.Name", Field, 0, ""},
+		{"FuncDecl.Recv", Field, 0, ""},
+		{"FuncDecl.Type", Field, 0, ""},
+		{"FuncLit", Type, 0, ""},
+		{"FuncLit.Body", Field, 0, ""},
+		{"FuncLit.Type", Field, 0, ""},
+		{"FuncType", Type, 0, ""},
+		{"FuncType.Func", Field, 0, ""},
+		{"FuncType.Params", Field, 0, ""},
+		{"FuncType.Results", Field, 0, ""},
+		{"FuncType.TypeParams", Field, 18, ""},
+		{"GenDecl", Type, 0, ""},
+		{"GenDecl.Doc", Field, 0, ""},
+		{"GenDecl.Lparen", Field, 0, ""},
+		{"GenDecl.Rparen", Field, 0, ""},
+		{"GenDecl.Specs", Field, 0, ""},
+		{"GenDecl.Tok", Field, 0, ""},
+		{"GenDecl.TokPos", Field, 0, ""},
+		{"GoStmt", Type, 0, ""},
+		{"GoStmt.Call", Field, 0, ""},
+		{"GoStmt.Go", Field, 0, ""},
+		{"Ident", Type, 0, ""},
+		{"Ident.Name", Field, 0, ""},
+		{"Ident.NamePos", Field, 0, ""},
+		{"Ident.Obj", Field, 0, ""},
+		{"IfStmt", Type, 0, ""},
+		{"IfStmt.Body", Field, 0, ""},
+		{"IfStmt.Cond", Field, 0, ""},
+		{"IfStmt.Else", Field, 0, ""},
+		{"IfStmt.If", Field, 0, ""},
+		{"IfStmt.Init", Field, 0, ""},
+		{"ImportSpec", Type, 0, ""},
+		{"ImportSpec.Comment", Field, 0, ""},
+		{"ImportSpec.Doc", Field, 0, ""},
+		{"ImportSpec.EndPos", Field, 0, ""},
+		{"ImportSpec.Name", Field, 0, ""},
+		{"ImportSpec.Path", Field, 0, ""},
+		{"Importer", Type, 0, ""},
+		{"IncDecStmt", Type, 0, ""},
+		{"IncDecStmt.Tok", Field, 0, ""},
+		{"IncDecStmt.TokPos", Field, 0, ""},
+		{"IncDecStmt.X", Field, 0, ""},
+		{"IndexExpr", Type, 0, ""},
+		{"IndexExpr.Index", Field, 0, ""},
+		{"IndexExpr.Lbrack", Field, 0, ""},
+		{"IndexExpr.Rbrack", Field, 0, ""},
+		{"IndexExpr.X", Field, 0, ""},
+		{"IndexListExpr", Type, 18, ""},
+		{"IndexListExpr.Indices", Field, 18, ""},
+		{"IndexListExpr.Lbrack", Field, 18, ""},
+		{"IndexListExpr.Rbrack", Field, 18, ""},
+		{"IndexListExpr.X", Field, 18, ""},
+		{"Inspect", Func, 0, "func(node Node, f func(Node) bool)"},
+		{"InterfaceType", Type, 0, ""},
+		{"InterfaceType.Incomplete", Field, 0, ""},
+		{"InterfaceType.Interface", Field, 0, ""},
+		{"InterfaceType.Methods", Field, 0, ""},
+		{"IsExported", Func, 0, "func(name string) bool"},
+		{"IsGenerated", Func, 21, "func(file *File) bool"},
+		{"KeyValueExpr", Type, 0, ""},
+		{"KeyValueExpr.Colon", Field, 0, ""},
+		{"KeyValueExpr.Key", Field, 0, ""},
+		{"KeyValueExpr.Value", Field, 0, ""},
+		{"LabeledStmt", Type, 0, ""},
+		{"LabeledStmt.Colon", Field, 0, ""},
+		{"LabeledStmt.Label", Field, 0, ""},
+		{"LabeledStmt.Stmt", Field, 0, ""},
+		{"Lbl", Const, 0, ""},
+		{"MapType", Type, 0, ""},
+		{"MapType.Key", Field, 0, ""},
+		{"MapType.Map", Field, 0, ""},
+		{"MapType.Value", Field, 0, ""},
+		{"MergeMode", Type, 0, ""},
+		{"MergePackageFiles", Func, 0, "func(pkg *Package, mode MergeMode) *File"},
+		{"NewCommentMap", Func, 1, "func(fset *token.FileSet, node Node, comments []*CommentGroup) CommentMap"},
+		{"NewIdent", Func, 0, "func(name string) *Ident"},
+		{"NewObj", Func, 0, "func(kind ObjKind, name string) *Object"},
+		{"NewPackage", Func, 0, "func(fset *token.FileSet, files map[string]*File, importer Importer, universe *Scope) (*Package, error)"},
+		{"NewScope", Func, 0, "func(outer *Scope) *Scope"},
+		{"Node", Type, 0, ""},
+		{"NotNilFilter", Func, 0, "func(_ string, v reflect.Value) bool"},
+		{"ObjKind", Type, 0, ""},
+		{"Object", Type, 0, ""},
+		{"Object.Data", Field, 0, ""},
+		{"Object.Decl", Field, 0, ""},
+		{"Object.Kind", Field, 0, ""},
+		{"Object.Name", Field, 0, ""},
+		{"Object.Type", Field, 0, ""},
+		{"Package", Type, 0, ""},
+		{"Package.Files", Field, 0, ""},
+		{"Package.Imports", Field, 0, ""},
+		{"Package.Name", Field, 0, ""},
+		{"Package.Scope", Field, 0, ""},
+		{"PackageExports", Func, 0, "func(pkg *Package) bool"},
+		{"ParenExpr", Type, 0, ""},
+		{"ParenExpr.Lparen", Field, 0, ""},
+		{"ParenExpr.Rparen", Field, 0, ""},
+		{"ParenExpr.X", Field, 0, ""},
+		{"ParseDirective", Func, 26, "func(pos token.Pos, c string) (Directive, bool)"},
+		{"Pkg", Const, 0, ""},
+		{"Preorder", Func, 23, "func(root Node) iter.Seq[Node]"},
+		{"PreorderStack", Func, 25, "func(root Node, stack []Node, f func(n Node, stack []Node) bool)"},
+		{"Print", Func, 0, "func(fset *token.FileSet, x any) error"},
+		{"RECV", Const, 0, ""},
+		{"RangeStmt", Type, 0, ""},
+		{"RangeStmt.Body", Field, 0, ""},
+		{"RangeStmt.For", Field, 0, ""},
+		{"RangeStmt.Key", Field, 0, ""},
+		{"RangeStmt.Range", Field, 20, ""},
+		{"RangeStmt.Tok", Field, 0, ""},
+		{"RangeStmt.TokPos", Field, 0, ""},
+		{"RangeStmt.Value", Field, 0, ""},
+		{"RangeStmt.X", Field, 0, ""},
+		{"ReturnStmt", Type, 0, ""},
+		{"ReturnStmt.Results", Field, 0, ""},
+		{"ReturnStmt.Return", Field, 0, ""},
+		{"SEND", Const, 0, ""},
+		{"Scope", Type, 0, ""},
+		{"Scope.Objects", Field, 0, ""},
+		{"Scope.Outer", Field, 0, ""},
+		{"SelectStmt", Type, 0, ""},
+		{"SelectStmt.Body", Field, 0, ""},
+		{"SelectStmt.Select", Field, 0, ""},
+		{"SelectorExpr", Type, 0, ""},
+		{"SelectorExpr.Sel", Field, 0, ""},
+		{"SelectorExpr.X", Field, 0, ""},
+		{"SendStmt", Type, 0, ""},
+		{"SendStmt.Arrow", Field, 0, ""},
+		{"SendStmt.Chan", Field, 0, ""},
+		{"SendStmt.Value", Field, 0, ""},
+		{"SliceExpr", Type, 0, ""},
+		{"SliceExpr.High", Field, 0, ""},
+		{"SliceExpr.Lbrack", Field, 0, ""},
+		{"SliceExpr.Low", Field, 0, ""},
+		{"SliceExpr.Max", Field, 2, ""},
+		{"SliceExpr.Rbrack", Field, 0, ""},
+		{"SliceExpr.Slice3", Field, 2, ""},
+		{"SliceExpr.X", Field, 0, ""},
+		{"SortImports", Func, 0, "func(fset *token.FileSet, f *File)"},
+		{"StarExpr", Type, 0, ""},
+		{"StarExpr.Star", Field, 0, ""},
+		{"StarExpr.X", Field, 0, ""},
+		{"StructType", Type, 0, ""},
+		{"StructType.Fields", Field, 0, ""},
+		{"StructType.Incomplete", Field, 0, ""},
+		{"StructType.Struct", Field, 0, ""},
+		{"SwitchStmt", Type, 0, ""},
+		{"SwitchStmt.Body", Field, 0, ""},
+		{"SwitchStmt.Init", Field, 0, ""},
+		{"SwitchStmt.Switch", Field, 0, ""},
+		{"SwitchStmt.Tag", Field, 0, ""},
+		{"Typ", Const, 0, ""},
+		{"TypeAssertExpr", Type, 0, ""},
+		{"TypeAssertExpr.Lparen", Field, 2, ""},
+		{"TypeAssertExpr.Rparen", Field, 2, ""},
+		{"TypeAssertExpr.Type", Field, 0, ""},
+		{"TypeAssertExpr.X", Field, 0, ""},
+		{"TypeSpec", Type, 0, ""},
+		{"TypeSpec.Assign", Field, 9, ""},
+		{"TypeSpec.Comment", Field, 0, ""},
+		{"TypeSpec.Doc", Field, 0, ""},
+		{"TypeSpec.Name", Field, 0, ""},
+		{"TypeSpec.Type", Field, 0, ""},
+		{"TypeSpec.TypeParams", Field, 18, ""},
+		{"TypeSwitchStmt", Type, 0, ""},
+		{"TypeSwitchStmt.Assign", Field, 0, ""},
+		{"TypeSwitchStmt.Body", Field, 0, ""},
+		{"TypeSwitchStmt.Init", Field, 0, ""},
+		{"TypeSwitchStmt.Switch", Field, 0, ""},
+		{"UnaryExpr", Type, 0, ""},
+		{"UnaryExpr.Op", Field, 0, ""},
+		{"UnaryExpr.OpPos", Field, 0, ""},
+		{"UnaryExpr.X", Field, 0, ""},
+		{"Unparen", Func, 22, "func(e Expr) Expr"},
+		{"ValueSpec", Type, 0, ""},
+		{"ValueSpec.Comment", Field, 0, ""},
+		{"ValueSpec.Doc", Field, 0, ""},
+		{"ValueSpec.Names", Field, 0, ""},
+		{"ValueSpec.Type", Field, 0, ""},
+		{"ValueSpec.Values", Field, 0, ""},
+		{"Var", Const, 0, ""},
+		{"Visitor", Type, 0, ""},
+		{"Walk", Func, 0, "func(v Visitor, node Node)"},
+	},
+	"go/build": {
+		{"(*Context).Import", Method, 0, ""},
+		{"(*Context).ImportDir", Method, 0, ""},
+		{"(*Context).MatchFile", Method, 2, ""},
+		{"(*Context).SrcDirs", Method, 0, ""},
+		{"(*MultiplePackageError).Error", Method, 4, ""},
+		{"(*NoGoError).Error", Method, 0, ""},
+		{"(*Package).IsCommand", Method, 0, ""},
+		{"AllowBinary", Const, 0, ""},
+		{"ArchChar", Func, 0, "func(goarch string) (string, error)"},
+		{"Context", Type, 0, ""},
+		{"Context.BuildTags", Field, 0, ""},
+		{"Context.CgoEnabled", Field, 0, ""},
+		{"Context.Compiler", Field, 0, ""},
+		{"Context.Dir", Field, 14, ""},
+		{"Context.GOARCH", Field, 0, ""},
+		{"Context.GOOS", Field, 0, ""},
+		{"Context.GOPATH", Field, 0, ""},
+		{"Context.GOROOT", Field, 0, ""},
+		{"Context.HasSubdir", Field, 0, ""},
+		{"Context.InstallSuffix", Field, 1, ""},
+		{"Context.IsAbsPath", Field, 0, ""},
+		{"Context.IsDir", Field, 0, ""},
+		{"Context.JoinPath", Field, 0, ""},
+		{"Context.OpenFile", Field, 0, ""},
+		{"Context.ReadDir", Field, 0, ""},
+		{"Context.ReleaseTags", Field, 1, ""},
+		{"Context.SplitPathList", Field, 0, ""},
+		{"Context.ToolTags", Field, 17, ""},
+		{"Context.UseAllFiles", Field, 0, ""},
+		{"Default", Var, 0, ""},
+		{"Directive", Type, 21, ""},
+		{"Directive.Pos", Field, 21, ""},
+		{"Directive.Text", Field, 21, ""},
+		{"FindOnly", Const, 0, ""},
+		{"IgnoreVendor", Const, 6, ""},
+		{"Import", Func, 0, "func(path string, srcDir string, mode ImportMode) (*Package, error)"},
+		{"ImportComment", Const, 4, ""},
+		{"ImportDir", Func, 0, "func(dir string, mode ImportMode) (*Package, error)"},
+		{"ImportMode", Type, 0, ""},
+		{"IsLocalImport", Func, 0, "func(path string) bool"},
+		{"MultiplePackageError", Type, 4, ""},
+		{"MultiplePackageError.Dir", Field, 4, ""},
+		{"MultiplePackageError.Files", Field, 4, ""},
+		{"MultiplePackageError.Packages", Field, 4, ""},
+		{"NoGoError", Type, 0, ""},
+		{"NoGoError.Dir", Field, 0, ""},
+		{"Package", Type, 0, ""},
+		{"Package.AllTags", Field, 2, ""},
+		{"Package.BinDir", Field, 0, ""},
+		{"Package.BinaryOnly", Field, 7, ""},
+		{"Package.CFiles", Field, 0, ""},
+		{"Package.CXXFiles", Field, 2, ""},
+		{"Package.CgoCFLAGS", Field, 0, ""},
+		{"Package.CgoCPPFLAGS", Field, 2, ""},
+		{"Package.CgoCXXFLAGS", Field, 2, ""},
+		{"Package.CgoFFLAGS", Field, 7, ""},
+		{"Package.CgoFiles", Field, 0, ""},
+		{"Package.CgoLDFLAGS", Field, 0, ""},
+		{"Package.CgoPkgConfig", Field, 0, ""},
+		{"Package.ConflictDir", Field, 2, ""},
+		{"Package.Dir", Field, 0, ""},
+		{"Package.Directives", Field, 21, ""},
+		{"Package.Doc", Field, 0, ""},
+		{"Package.EmbedPatternPos", Field, 16, ""},
+		{"Package.EmbedPatterns", Field, 16, ""},
+		{"Package.FFiles", Field, 7, ""},
+		{"Package.GoFiles", Field, 0, ""},
+		{"Package.Goroot", Field, 0, ""},
+		{"Package.HFiles", Field, 0, ""},
+		{"Package.IgnoredGoFiles", Field, 1, ""},
+		{"Package.IgnoredOtherFiles", Field, 16, ""},
+		{"Package.ImportComment", Field, 4, ""},
+		{"Package.ImportPath", Field, 0, ""},
+		{"Package.ImportPos", Field, 0, ""},
+		{"Package.Imports", Field, 0, ""},
+		{"Package.InvalidGoFiles", Field, 6, ""},
+		{"Package.MFiles", Field, 3, ""},
+		{"Package.Name", Field, 0, ""},
+		{"Package.PkgObj", Field, 0, ""},
+		{"Package.PkgRoot", Field, 0, ""},
+		{"Package.PkgTargetRoot", Field, 5, ""},
+		{"Package.Root", Field, 0, ""},
+		{"Package.SFiles", Field, 0, ""},
+		{"Package.SrcRoot", Field, 0, ""},
+		{"Package.SwigCXXFiles", Field, 1, ""},
+		{"Package.SwigFiles", Field, 1, ""},
+		{"Package.SysoFiles", Field, 0, ""},
+		{"Package.TestDirectives", Field, 21, ""},
+		{"Package.TestEmbedPatternPos", Field, 16, ""},
+		{"Package.TestEmbedPatterns", Field, 16, ""},
+		{"Package.TestGoFiles", Field, 0, ""},
+		{"Package.TestImportPos", Field, 0, ""},
+		{"Package.TestImports", Field, 0, ""},
+		{"Package.XTestDirectives", Field, 21, ""},
+		{"Package.XTestEmbedPatternPos", Field, 16, ""},
+		{"Package.XTestEmbedPatterns", Field, 16, ""},
+		{"Package.XTestGoFiles", Field, 0, ""},
+		{"Package.XTestImportPos", Field, 0, ""},
+		{"Package.XTestImports", Field, 0, ""},
+		{"ToolDir", Var, 0, ""},
+	},
+	"go/build/constraint": {
+		{"(*AndExpr).Eval", Method, 16, ""},
+		{"(*AndExpr).String", Method, 16, ""},
+		{"(*NotExpr).Eval", Method, 16, ""},
+		{"(*NotExpr).String", Method, 16, ""},
+		{"(*OrExpr).Eval", Method, 16, ""},
+		{"(*OrExpr).String", Method, 16, ""},
+		{"(*SyntaxError).Error", Method, 16, ""},
+		{"(*TagExpr).Eval", Method, 16, ""},
+		{"(*TagExpr).String", Method, 16, ""},
+		{"(Expr).Eval", Method, 16, ""},
+		{"(Expr).String", Method, 16, ""},
+		{"AndExpr", Type, 16, ""},
+		{"AndExpr.X", Field, 16, ""},
+		{"AndExpr.Y", Field, 16, ""},
+		{"GoVersion", Func, 21, "func(x Expr) string"},
+		{"IsGoBuild", Func, 16, "func(line string) bool"},
+		{"IsPlusBuild", Func, 16, "func(line string) bool"},
+		{"NotExpr", Type, 16, ""},
+		{"NotExpr.X", Field, 16, ""},
+		{"OrExpr", Type, 16, ""},
+		{"OrExpr.X", Field, 16, ""},
+		{"OrExpr.Y", Field, 16, ""},
+		{"Parse", Func, 16, "func(line string) (Expr, error)"},
+		{"PlusBuildLines", Func, 16, "func(x Expr) ([]string, error)"},
+		{"SyntaxError", Type, 16, ""},
+		{"SyntaxError.Err", Field, 16, ""},
+		{"SyntaxError.Offset", Field, 16, ""},
+		{"TagExpr", Type, 16, ""},
+		{"TagExpr.Tag", Field, 16, ""},
+	},
+	"go/constant": {
+		{"(Kind).String", Method, 18, ""},
+		{"(Value).ExactString", Method, 6, ""},
+		{"(Value).Kind", Method, 5, ""},
+		{"(Value).String", Method, 5, ""},
+		{"BinaryOp", Func, 5, "func(x_ Value, op token.Token, y_ Value) Value"},
+		{"BitLen", Func, 5, "func(x Value) int"},
+		{"Bool", Const, 5, ""},
+		{"BoolVal", Func, 5, "func(x Value) bool"},
+		{"Bytes", Func, 5, "func(x Value) []byte"},
+		{"Compare", Func, 5, "func(x_ Value, op token.Token, y_ Value) bool"},
+		{"Complex", Const, 5, ""},
+		{"Denom", Func, 5, "func(x Value) Value"},
+		{"Float", Const, 5, ""},
+		{"Float32Val", Func, 5, "func(x Value) (float32, bool)"},
+		{"Float64Val", Func, 5, "func(x Value) (float64, bool)"},
+		{"Imag", Func, 5, "func(x Value) Value"},
+		{"Int", Const, 5, ""},
+		{"Int64Val", Func, 5, "func(x Value) (int64, bool)"},
+		{"Kind", Type, 5, ""},
+		{"Make", Func, 13, "func(x any) Value"},
+		{"MakeBool", Func, 5, "func(b bool) Value"},
+		{"MakeFloat64", Func, 5, "func(x float64) Value"},
+		{"MakeFromBytes", Func, 5, "func(bytes []byte) Value"},
+		{"MakeFromLiteral", Func, 5, "func(lit string, tok token.Token, zero uint) Value"},
+		{"MakeImag", Func, 5, "func(x Value) Value"},
+		{"MakeInt64", Func, 5, "func(x int64) Value"},
+		{"MakeString", Func, 5, "func(s string) Value"},
+		{"MakeUint64", Func, 5, "func(x uint64) Value"},
+		{"MakeUnknown", Func, 5, "func() Value"},
+		{"Num", Func, 5, "func(x Value) Value"},
+		{"Real", Func, 5, "func(x Value) Value"},
+		{"Shift", Func, 5, "func(x Value, op token.Token, s uint) Value"},
+		{"Sign", Func, 5, "func(x Value) int"},
+		{"String", Const, 5, ""},
+		{"StringVal", Func, 5, "func(x Value) string"},
+		{"ToComplex", Func, 6, "func(x Value) Value"},
+		{"ToFloat", Func, 6, "func(x Value) Value"},
+		{"ToInt", Func, 6, "func(x Value) Value"},
+		{"Uint64Val", Func, 5, "func(x Value) (uint64, bool)"},
+		{"UnaryOp", Func, 5, "func(op token.Token, y Value, prec uint) Value"},
+		{"Unknown", Const, 5, ""},
+		{"Val", Func, 13, "func(x Value) any"},
+	},
+	"go/doc": {
+		{"(*Package).Filter", Method, 0, ""},
+		{"(*Package).HTML", Method, 19, ""},
+		{"(*Package).Markdown", Method, 19, ""},
+		{"(*Package).Parser", Method, 19, ""},
+		{"(*Package).Printer", Method, 19, ""},
+		{"(*Package).Synopsis", Method, 19, ""},
+		{"(*Package).Text", Method, 19, ""},
+		{"AllDecls", Const, 0, ""},
+		{"AllMethods", Const, 0, ""},
+		{"Example", Type, 0, ""},
+		{"Example.Code", Field, 0, ""},
+		{"Example.Comments", Field, 0, ""},
+		{"Example.Doc", Field, 0, ""},
+		{"Example.EmptyOutput", Field, 1, ""},
+		{"Example.Name", Field, 0, ""},
+		{"Example.Order", Field, 1, ""},
+		{"Example.Output", Field, 0, ""},
+		{"Example.Play", Field, 1, ""},
+		{"Example.Suffix", Field, 14, ""},
+		{"Example.Unordered", Field, 7, ""},
+		{"Examples", Func, 0, "func(testFiles ...*ast.File) []*Example"},
+		{"Filter", Type, 0, ""},
+		{"Func", Type, 0, ""},
+		{"Func.Decl", Field, 0, ""},
+		{"Func.Doc", Field, 0, ""},
+		{"Func.Examples", Field, 14, ""},
+		{"Func.Level", Field, 0, ""},
+		{"Func.Name", Field, 0, ""},
+		{"Func.Orig", Field, 0, ""},
+		{"Func.Recv", Field, 0, ""},
+		{"IllegalPrefixes", Var, 1, ""},
+		{"IsPredeclared", Func, 8, "func(s string) bool"},
+		{"Mode", Type, 0, ""},
+		{"New", Func, 0, "func(pkg *ast.Package, importPath string, mode Mode) *Package"},
+		{"NewFromFiles", Func, 14, "func(fset *token.FileSet, files []*ast.File, importPath string, opts ...any) (*Package, error)"},
+		{"Note", Type, 1, ""},
+		{"Note.Body", Field, 1, ""},
+		{"Note.End", Field, 1, ""},
+		{"Note.Pos", Field, 1, ""},
+		{"Note.UID", Field, 1, ""},
+		{"Package", Type, 0, ""},
+		{"Package.Bugs", Field, 0, ""},
+		{"Package.Consts", Field, 0, ""},
+		{"Package.Doc", Field, 0, ""},
+		{"Package.Examples", Field, 14, ""},
+		{"Package.Filenames", Field, 0, ""},
+		{"Package.Funcs", Field, 0, ""},
+		{"Package.ImportPath", Field, 0, ""},
+		{"Package.Imports", Field, 0, ""},
+		{"Package.Name", Field, 0, ""},
+		{"Package.Notes", Field, 1, ""},
+		{"Package.Types", Field, 0, ""},
+		{"Package.Vars", Field, 0, ""},
+		{"PreserveAST", Const, 12, ""},
+		{"Synopsis", Func, 0, "func(text string) string"},
+		{"ToHTML", Func, 0, "func(w io.Writer, text string, words map[string]string)"},
+		{"ToText", Func, 0, "func(w io.Writer, text string, prefix string, codePrefix string, width int)"},
+		{"Type", Type, 0, ""},
+		{"Type.Consts", Field, 0, ""},
+		{"Type.Decl", Field, 0, ""},
+		{"Type.Doc", Field, 0, ""},
+		{"Type.Examples", Field, 14, ""},
+		{"Type.Funcs", Field, 0, ""},
+		{"Type.Methods", Field, 0, ""},
+		{"Type.Name", Field, 0, ""},
+		{"Type.Vars", Field, 0, ""},
+		{"Value", Type, 0, ""},
+		{"Value.Decl", Field, 0, ""},
+		{"Value.Doc", Field, 0, ""},
+		{"Value.Names", Field, 0, ""},
+	},
+	"go/doc/comment": {
+		{"(*DocLink).DefaultURL", Method, 19, ""},
+		{"(*Heading).DefaultID", Method, 19, ""},
+		{"(*List).BlankBefore", Method, 19, ""},
+		{"(*List).BlankBetween", Method, 19, ""},
+		{"(*Parser).Parse", Method, 19, ""},
+		{"(*Printer).Comment", Method, 19, ""},
+		{"(*Printer).HTML", Method, 19, ""},
+		{"(*Printer).Markdown", Method, 19, ""},
+		{"(*Printer).Text", Method, 19, ""},
+		{"Code", Type, 19, ""},
+		{"Code.Text", Field, 19, ""},
+		{"DefaultLookupPackage", Func, 19, "func(name string) (importPath string, ok bool)"},
+		{"Doc", Type, 19, ""},
+		{"Doc.Content", Field, 19, ""},
+		{"Doc.Links", Field, 19, ""},
+		{"DocLink", Type, 19, ""},
+		{"DocLink.ImportPath", Field, 19, ""},
+		{"DocLink.Name", Field, 19, ""},
+		{"DocLink.Recv", Field, 19, ""},
+		{"DocLink.Text", Field, 19, ""},
+		{"Heading", Type, 19, ""},
+		{"Heading.Text", Field, 19, ""},
+		{"Italic", Type, 19, ""},
+		{"Link", Type, 19, ""},
+		{"Link.Auto", Field, 19, ""},
+		{"Link.Text", Field, 19, ""},
+		{"Link.URL", Field, 19, ""},
+		{"LinkDef", Type, 19, ""},
+		{"LinkDef.Text", Field, 19, ""},
+		{"LinkDef.URL", Field, 19, ""},
+		{"LinkDef.Used", Field, 19, ""},
+		{"List", Type, 19, ""},
+		{"List.ForceBlankBefore", Field, 19, ""},
+		{"List.ForceBlankBetween", Field, 19, ""},
+		{"List.Items", Field, 19, ""},
+		{"ListItem", Type, 19, ""},
+		{"ListItem.Content", Field, 19, ""},
+		{"ListItem.Number", Field, 19, ""},
+		{"Paragraph", Type, 19, ""},
+		{"Paragraph.Text", Field, 19, ""},
+		{"Parser", Type, 19, ""},
+		{"Parser.LookupPackage", Field, 19, ""},
+		{"Parser.LookupSym", Field, 19, ""},
+		{"Parser.Words", Field, 19, ""},
+		{"Plain", Type, 19, ""},
+		{"Printer", Type, 19, ""},
+		{"Printer.DocLinkBaseURL", Field, 19, ""},
+		{"Printer.DocLinkURL", Field, 19, ""},
+		{"Printer.HeadingID", Field, 19, ""},
+		{"Printer.HeadingLevel", Field, 19, ""},
+		{"Printer.TextCodePrefix", Field, 19, ""},
+		{"Printer.TextPrefix", Field, 19, ""},
+		{"Printer.TextWidth", Field, 19, ""},
+	},
+	"go/format": {
+		{"Node", Func, 1, "func(dst io.Writer, fset *token.FileSet, node any) error"},
+		{"Source", Func, 1, "func(src []byte) ([]byte, error)"},
+	},
+	"go/importer": {
+		{"Default", Func, 5, "func() types.Importer"},
+		{"For", Func, 5, "func(compiler string, lookup Lookup) types.Importer"},
+		{"ForCompiler", Func, 12, "func(fset *token.FileSet, compiler string, lookup Lookup) types.Importer"},
+		{"Lookup", Type, 5, ""},
+	},
+	"go/parser": {
+		{"AllErrors", Const, 1, ""},
+		{"DeclarationErrors", Const, 0, ""},
+		{"ImportsOnly", Const, 0, ""},
+		{"Mode", Type, 0, ""},
+		{"PackageClauseOnly", Const, 0, ""},
+		{"ParseComments", Const, 0, ""},
+		{"ParseDir", Func, 0, "func(fset *token.FileSet, path string, filter func(fs.FileInfo) bool, mode Mode) (pkgs map[string]*ast.Package, first error)"},
+		{"ParseExpr", Func, 0, "func(x string) (ast.Expr, error)"},
+		{"ParseExprFrom", Func, 5, "func(fset *token.FileSet, filename string, src any, mode Mode) (expr ast.Expr, err error)"},
+		{"ParseFile", Func, 0, "func(fset *token.FileSet, filename string, src any, mode Mode) (f *ast.File, err error)"},
+		{"SkipObjectResolution", Const, 17, ""},
+		{"SpuriousErrors", Const, 0, ""},
+		{"Trace", Const, 0, ""},
+	},
+	"go/printer": {
+		{"(*Config).Fprint", Method, 0, ""},
+		{"CommentedNode", Type, 0, ""},
+		{"CommentedNode.Comments", Field, 0, ""},
+		{"CommentedNode.Node", Field, 0, ""},
+		{"Config", Type, 0, ""},
+		{"Config.Indent", Field, 1, ""},
+		{"Config.Mode", Field, 0, ""},
+		{"Config.Tabwidth", Field, 0, ""},
+		{"Fprint", Func, 0, "func(output io.Writer, fset *token.FileSet, node any) error"},
+		{"Mode", Type, 0, ""},
+		{"RawFormat", Const, 0, ""},
+		{"SourcePos", Const, 0, ""},
+		{"TabIndent", Const, 0, ""},
+		{"UseSpaces", Const, 0, ""},
+	},
+	"go/scanner": {
+		{"(*ErrorList).Add", Method, 0, ""},
+		{"(*ErrorList).RemoveMultiples", Method, 0, ""},
+		{"(*ErrorList).Reset", Method, 0, ""},
+		{"(*Scanner).Init", Method, 0, ""},
+		{"(*Scanner).Scan", Method, 0, ""},
+		{"(Error).Error", Method, 0, ""},
+		{"(ErrorList).Err", Method, 0, ""},
+		{"(ErrorList).Error", Method, 0, ""},
+		{"(ErrorList).Len", Method, 0, ""},
+		{"(ErrorList).Less", Method, 0, ""},
+		{"(ErrorList).Sort", Method, 0, ""},
+		{"(ErrorList).Swap", Method, 0, ""},
+		{"Error", Type, 0, ""},
+		{"Error.Msg", Field, 0, ""},
+		{"Error.Pos", Field, 0, ""},
+		{"ErrorHandler", Type, 0, ""},
+		{"ErrorList", Type, 0, ""},
+		{"Mode", Type, 0, ""},
+		{"PrintError", Func, 0, "func(w io.Writer, err error)"},
+		{"ScanComments", Const, 0, ""},
+		{"Scanner", Type, 0, ""},
+		{"Scanner.ErrorCount", Field, 0, ""},
+	},
+	"go/token": {
+		{"(*File).AddLine", Method, 0, ""},
+		{"(*File).AddLineColumnInfo", Method, 11, ""},
+		{"(*File).AddLineInfo", Method, 0, ""},
+		{"(*File).Base", Method, 0, ""},
+		{"(*File).End", Method, 26, ""},
+		{"(*File).Line", Method, 0, ""},
+		{"(*File).LineCount", Method, 0, ""},
+		{"(*File).LineStart", Method, 12, ""},
+		{"(*File).Lines", Method, 21, ""},
+		{"(*File).MergeLine", Method, 2, ""},
+		{"(*File).Name", Method, 0, ""},
+		{"(*File).Offset", Method, 0, ""},
+		{"(*File).Pos", Method, 0, ""},
+		{"(*File).Position", Method, 0, ""},
+		{"(*File).PositionFor", Method, 4, ""},
+		{"(*File).SetLines", Method, 0, ""},
+		{"(*File).SetLinesForContent", Method, 0, ""},
+		{"(*File).Size", Method, 0, ""},
+		{"(*FileSet).AddExistingFiles", Method, 25, ""},
+		{"(*FileSet).AddFile", Method, 0, ""},
+		{"(*FileSet).Base", Method, 0, ""},
+		{"(*FileSet).File", Method, 0, ""},
+		{"(*FileSet).Iterate", Method, 0, ""},
+		{"(*FileSet).Position", Method, 0, ""},
+		{"(*FileSet).PositionFor", Method, 4, ""},
+		{"(*FileSet).Read", Method, 0, ""},
+		{"(*FileSet).RemoveFile", Method, 20, ""},
+		{"(*FileSet).Write", Method, 0, ""},
+		{"(*Position).IsValid", Method, 0, ""},
+		{"(Pos).IsValid", Method, 0, ""},
+		{"(Position).String", Method, 0, ""},
+		{"(Token).IsKeyword", Method, 0, ""},
+		{"(Token).IsLiteral", Method, 0, ""},
+		{"(Token).IsOperator", Method, 0, ""},
+		{"(Token).Precedence", Method, 0, ""},
+		{"(Token).String", Method, 0, ""},
+		{"ADD", Const, 0, ""},
+		{"ADD_ASSIGN", Const, 0, ""},
+		{"AND", Const, 0, ""},
+		{"AND_ASSIGN", Const, 0, ""},
+		{"AND_NOT", Const, 0, ""},
+		{"AND_NOT_ASSIGN", Const, 0, ""},
+		{"ARROW", Const, 0, ""},
+		{"ASSIGN", Const, 0, ""},
+		{"BREAK", Const, 0, ""},
+		{"CASE", Const, 0, ""},
+		{"CHAN", Const, 0, ""},
+		{"CHAR", Const, 0, ""},
+		{"COLON", Const, 0, ""},
+		{"COMMA", Const, 0, ""},
+		{"COMMENT", Const, 0, ""},
+		{"CONST", Const, 0, ""},
+		{"CONTINUE", Const, 0, ""},
+		{"DEC", Const, 0, ""},
+		{"DEFAULT", Const, 0, ""},
+		{"DEFER", Const, 0, ""},
+		{"DEFINE", Const, 0, ""},
+		{"ELLIPSIS", Const, 0, ""},
+		{"ELSE", Const, 0, ""},
+		{"EOF", Const, 0, ""},
+		{"EQL", Const, 0, ""},
+		{"FALLTHROUGH", Const, 0, ""},
+		{"FLOAT", Const, 0, ""},
+		{"FOR", Const, 0, ""},
+		{"FUNC", Const, 0, ""},
+		{"File", Type, 0, ""},
+		{"FileSet", Type, 0, ""},
+		{"GEQ", Const, 0, ""},
+		{"GO", Const, 0, ""},
+		{"GOTO", Const, 0, ""},
+		{"GTR", Const, 0, ""},
+		{"HighestPrec", Const, 0, ""},
+		{"IDENT", Const, 0, ""},
+		{"IF", Const, 0, ""},
+		{"ILLEGAL", Const, 0, ""},
+		{"IMAG", Const, 0, ""},
+		{"IMPORT", Const, 0, ""},
+		{"INC", Const, 0, ""},
+		{"INT", Const, 0, ""},
+		{"INTERFACE", Const, 0, ""},
+		{"IsExported", Func, 13, "func(name string) bool"},
+		{"IsIdentifier", Func, 13, "func(name string) bool"},
+		{"IsKeyword", Func, 13, "func(name string) bool"},
+		{"LAND", Const, 0, ""},
+		{"LBRACE", Const, 0, ""},
+		{"LBRACK", Const, 0, ""},
+		{"LEQ", Const, 0, ""},
+		{"LOR", Const, 0, ""},
+		{"LPAREN", Const, 0, ""},
+		{"LSS", Const, 0, ""},
+		{"Lookup", Func, 0, "func(ident string) Token"},
+		{"LowestPrec", Const, 0, ""},
+		{"MAP", Const, 0, ""},
+		{"MUL", Const, 0, ""},
+		{"MUL_ASSIGN", Const, 0, ""},
+		{"NEQ", Const, 0, ""},
+		{"NOT", Const, 0, ""},
+		{"NewFileSet", Func, 0, "func() *FileSet"},
+		{"NoPos", Const, 0, ""},
+		{"OR", Const, 0, ""},
+		{"OR_ASSIGN", Const, 0, ""},
+		{"PACKAGE", Const, 0, ""},
+		{"PERIOD", Const, 0, ""},
+		{"Pos", Type, 0, ""},
+		{"Position", Type, 0, ""},
+		{"Position.Column", Field, 0, ""},
+		{"Position.Filename", Field, 0, ""},
+		{"Position.Line", Field, 0, ""},
+		{"Position.Offset", Field, 0, ""},
+		{"QUO", Const, 0, ""},
+		{"QUO_ASSIGN", Const, 0, ""},
+		{"RANGE", Const, 0, ""},
+		{"RBRACE", Const, 0, ""},
+		{"RBRACK", Const, 0, ""},
+		{"REM", Const, 0, ""},
+		{"REM_ASSIGN", Const, 0, ""},
+		{"RETURN", Const, 0, ""},
+		{"RPAREN", Const, 0, ""},
+		{"SELECT", Const, 0, ""},
+		{"SEMICOLON", Const, 0, ""},
+		{"SHL", Const, 0, ""},
+		{"SHL_ASSIGN", Const, 0, ""},
+		{"SHR", Const, 0, ""},
+		{"SHR_ASSIGN", Const, 0, ""},
+		{"STRING", Const, 0, ""},
+		{"STRUCT", Const, 0, ""},
+		{"SUB", Const, 0, ""},
+		{"SUB_ASSIGN", Const, 0, ""},
+		{"SWITCH", Const, 0, ""},
+		{"TILDE", Const, 18, ""},
+		{"TYPE", Const, 0, ""},
+		{"Token", Type, 0, ""},
+		{"UnaryPrec", Const, 0, ""},
+		{"VAR", Const, 0, ""},
+		{"XOR", Const, 0, ""},
+		{"XOR_ASSIGN", Const, 0, ""},
+	},
+	"go/types": {
+		{"(*Alias).Obj", Method, 22, ""},
+		{"(*Alias).Origin", Method, 23, ""},
+		{"(*Alias).Rhs", Method, 23, ""},
+		{"(*Alias).SetTypeParams", Method, 23, ""},
+		{"(*Alias).String", Method, 22, ""},
+		{"(*Alias).TypeArgs", Method, 23, ""},
+		{"(*Alias).TypeParams", Method, 23, ""},
+		{"(*Alias).Underlying", Method, 22, ""},
+		{"(*ArgumentError).Error", Method, 18, ""},
+		{"(*ArgumentError).Unwrap", Method, 18, ""},
+		{"(*Array).Elem", Method, 5, ""},
+		{"(*Array).Len", Method, 5, ""},
+		{"(*Array).String", Method, 5, ""},
+		{"(*Array).Underlying", Method, 5, ""},
+		{"(*Basic).Info", Method, 5, ""},
+		{"(*Basic).Kind", Method, 5, ""},
+		{"(*Basic).Name", Method, 5, ""},
+		{"(*Basic).String", Method, 5, ""},
+		{"(*Basic).Underlying", Method, 5, ""},
+		{"(*Builtin).Exported", Method, 5, ""},
+		{"(*Builtin).Id", Method, 5, ""},
+		{"(*Builtin).Name", Method, 5, ""},
+		{"(*Builtin).Parent", Method, 5, ""},
+		{"(*Builtin).Pkg", Method, 5, ""},
+		{"(*Builtin).Pos", Method, 5, ""},
+		{"(*Builtin).String", Method, 5, ""},
+		{"(*Builtin).Type", Method, 5, ""},
+		{"(*Chan).Dir", Method, 5, ""},
+		{"(*Chan).Elem", Method, 5, ""},
+		{"(*Chan).String", Method, 5, ""},
+		{"(*Chan).Underlying", Method, 5, ""},
+		{"(*Checker).Files", Method, 5, ""},
+		{"(*Config).Check", Method, 5, ""},
+		{"(*Const).Exported", Method, 5, ""},
+		{"(*Const).Id", Method, 5, ""},
+		{"(*Const).Name", Method, 5, ""},
+		{"(*Const).Parent", Method, 5, ""},
+		{"(*Const).Pkg", Method, 5, ""},
+		{"(*Const).Pos", Method, 5, ""},
+		{"(*Const).String", Method, 5, ""},
+		{"(*Const).Type", Method, 5, ""},
+		{"(*Const).Val", Method, 5, ""},
+		{"(*Func).Exported", Method, 5, ""},
+		{"(*Func).FullName", Method, 5, ""},
+		{"(*Func).Id", Method, 5, ""},
+		{"(*Func).Name", Method, 5, ""},
+		{"(*Func).Origin", Method, 19, ""},
+		{"(*Func).Parent", Method, 5, ""},
+		{"(*Func).Pkg", Method, 5, ""},
+		{"(*Func).Pos", Method, 5, ""},
+		{"(*Func).Scope", Method, 5, ""},
+		{"(*Func).Signature", Method, 23, ""},
+		{"(*Func).String", Method, 5, ""},
+		{"(*Func).Type", Method, 5, ""},
+		{"(*Info).ObjectOf", Method, 5, ""},
+		{"(*Info).PkgNameOf", Method, 22, ""},
+		{"(*Info).TypeOf", Method, 5, ""},
+		{"(*Initializer).String", Method, 5, ""},
+		{"(*Interface).Complete", Method, 5, ""},
+		{"(*Interface).Embedded", Method, 5, ""},
+		{"(*Interface).EmbeddedType", Method, 11, ""},
+		{"(*Interface).EmbeddedTypes", Method, 24, ""},
+		{"(*Interface).Empty", Method, 5, ""},
+		{"(*Interface).ExplicitMethod", Method, 5, ""},
+		{"(*Interface).ExplicitMethods", Method, 24, ""},
+		{"(*Interface).IsComparable", Method, 18, ""},
+		{"(*Interface).IsImplicit", Method, 18, ""},
+		{"(*Interface).IsMethodSet", Method, 18, ""},
+		{"(*Interface).MarkImplicit", Method, 18, ""},
+		{"(*Interface).Method", Method, 5, ""},
+		{"(*Interface).Methods", Method, 24, ""},
+		{"(*Interface).NumEmbeddeds", Method, 5, ""},
+		{"(*Interface).NumExplicitMethods", Method, 5, ""},
+		{"(*Interface).NumMethods", Method, 5, ""},
+		{"(*Interface).String", Method, 5, ""},
+		{"(*Interface).Underlying", Method, 5, ""},
+		{"(*Label).Exported", Method, 5, ""},
+		{"(*Label).Id", Method, 5, ""},
+		{"(*Label).Name", Method, 5, ""},
+		{"(*Label).Parent", Method, 5, ""},
+		{"(*Label).Pkg", Method, 5, ""},
+		{"(*Label).Pos", Method, 5, ""},
+		{"(*Label).String", Method, 5, ""},
+		{"(*Label).Type", Method, 5, ""},
+		{"(*Map).Elem", Method, 5, ""},
+		{"(*Map).Key", Method, 5, ""},
+		{"(*Map).String", Method, 5, ""},
+		{"(*Map).Underlying", Method, 5, ""},
+		{"(*MethodSet).At", Method, 5, ""},
+		{"(*MethodSet).Len", Method, 5, ""},
+		{"(*MethodSet).Lookup", Method, 5, ""},
+		{"(*MethodSet).Methods", Method, 24, ""},
+		{"(*MethodSet).String", Method, 5, ""},
+		{"(*Named).AddMethod", Method, 5, ""},
+		{"(*Named).Method", Method, 5, ""},
+		{"(*Named).Methods", Method, 24, ""},
+		{"(*Named).NumMethods", Method, 5, ""},
+		{"(*Named).Obj", Method, 5, ""},
+		{"(*Named).Origin", Method, 18, ""},
+		{"(*Named).SetTypeParams", Method, 18, ""},
+		{"(*Named).SetUnderlying", Method, 5, ""},
+		{"(*Named).String", Method, 5, ""},
+		{"(*Named).TypeArgs", Method, 18, ""},
+		{"(*Named).TypeParams", Method, 18, ""},
+		{"(*Named).Underlying", Method, 5, ""},
+		{"(*Nil).Exported", Method, 5, ""},
+		{"(*Nil).Id", Method, 5, ""},
+		{"(*Nil).Name", Method, 5, ""},
+		{"(*Nil).Parent", Method, 5, ""},
+		{"(*Nil).Pkg", Method, 5, ""},
+		{"(*Nil).Pos", Method, 5, ""},
+		{"(*Nil).String", Method, 5, ""},
+		{"(*Nil).Type", Method, 5, ""},
+		{"(*Package).Complete", Method, 5, ""},
+		{"(*Package).GoVersion", Method, 21, ""},
+		{"(*Package).Imports", Method, 5, ""},
+		{"(*Package).MarkComplete", Method, 5, ""},
+		{"(*Package).Name", Method, 5, ""},
+		{"(*Package).Path", Method, 5, ""},
+		{"(*Package).Scope", Method, 5, ""},
+		{"(*Package).SetImports", Method, 5, ""},
+		{"(*Package).SetName", Method, 6, ""},
+		{"(*Package).String", Method, 5, ""},
+		{"(*PkgName).Exported", Method, 5, ""},
+		{"(*PkgName).Id", Method, 5, ""},
+		{"(*PkgName).Imported", Method, 5, ""},
+		{"(*PkgName).Name", Method, 5, ""},
+		{"(*PkgName).Parent", Method, 5, ""},
+		{"(*PkgName).Pkg", Method, 5, ""},
+		{"(*PkgName).Pos", Method, 5, ""},
+		{"(*PkgName).String", Method, 5, ""},
+		{"(*PkgName).Type", Method, 5, ""},
+		{"(*Pointer).Elem", Method, 5, ""},
+		{"(*Pointer).String", Method, 5, ""},
+		{"(*Pointer).Underlying", Method, 5, ""},
+		{"(*Scope).Child", Method, 5, ""},
+		{"(*Scope).Children", Method, 24, ""},
+		{"(*Scope).Contains", Method, 5, ""},
+		{"(*Scope).End", Method, 5, ""},
+		{"(*Scope).Innermost", Method, 5, ""},
+		{"(*Scope).Insert", Method, 5, ""},
+		{"(*Scope).Len", Method, 5, ""},
+		{"(*Scope).Lookup", Method, 5, ""},
+		{"(*Scope).LookupParent", Method, 5, ""},
+		{"(*Scope).Names", Method, 5, ""},
+		{"(*Scope).NumChildren", Method, 5, ""},
+		{"(*Scope).Parent", Method, 5, ""},
+		{"(*Scope).Pos", Method, 5, ""},
+		{"(*Scope).String", Method, 5, ""},
+		{"(*Scope).WriteTo", Method, 5, ""},
+		{"(*Selection).Index", Method, 5, ""},
+		{"(*Selection).Indirect", Method, 5, ""},
+		{"(*Selection).Kind", Method, 5, ""},
+		{"(*Selection).Obj", Method, 5, ""},
+		{"(*Selection).Recv", Method, 5, ""},
+		{"(*Selection).String", Method, 5, ""},
+		{"(*Selection).Type", Method, 5, ""},
+		{"(*Signature).Params", Method, 5, ""},
+		{"(*Signature).Recv", Method, 5, ""},
+		{"(*Signature).RecvTypeParams", Method, 18, ""},
+		{"(*Signature).Results", Method, 5, ""},
+		{"(*Signature).String", Method, 5, ""},
+		{"(*Signature).TypeParams", Method, 18, ""},
+		{"(*Signature).Underlying", Method, 5, ""},
+		{"(*Signature).Variadic", Method, 5, ""},
+		{"(*Slice).Elem", Method, 5, ""},
+		{"(*Slice).String", Method, 5, ""},
+		{"(*Slice).Underlying", Method, 5, ""},
+		{"(*StdSizes).Alignof", Method, 5, ""},
+		{"(*StdSizes).Offsetsof", Method, 5, ""},
+		{"(*StdSizes).Sizeof", Method, 5, ""},
+		{"(*Struct).Field", Method, 5, ""},
+		{"(*Struct).Fields", Method, 24, ""},
+		{"(*Struct).NumFields", Method, 5, ""},
+		{"(*Struct).String", Method, 5, ""},
+		{"(*Struct).Tag", Method, 5, ""},
+		{"(*Struct).Underlying", Method, 5, ""},
+		{"(*Term).String", Method, 18, ""},
+		{"(*Term).Tilde", Method, 18, ""},
+		{"(*Term).Type", Method, 18, ""},
+		{"(*Tuple).At", Method, 5, ""},
+		{"(*Tuple).Len", Method, 5, ""},
+		{"(*Tuple).String", Method, 5, ""},
+		{"(*Tuple).Underlying", Method, 5, ""},
+		{"(*Tuple).Variables", Method, 24, ""},
+		{"(*TypeList).At", Method, 18, ""},
+		{"(*TypeList).Len", Method, 18, ""},
+		{"(*TypeList).Types", Method, 24, ""},
+		{"(*TypeName).Exported", Method, 5, ""},
+		{"(*TypeName).Id", Method, 5, ""},
+		{"(*TypeName).IsAlias", Method, 9, ""},
+		{"(*TypeName).Name", Method, 5, ""},
+		{"(*TypeName).Parent", Method, 5, ""},
+		{"(*TypeName).Pkg", Method, 5, ""},
+		{"(*TypeName).Pos", Method, 5, ""},
+		{"(*TypeName).String", Method, 5, ""},
+		{"(*TypeName).Type", Method, 5, ""},
+		{"(*TypeParam).Constraint", Method, 18, ""},
+		{"(*TypeParam).Index", Method, 18, ""},
+		{"(*TypeParam).Obj", Method, 18, ""},
+		{"(*TypeParam).SetConstraint", Method, 18, ""},
+		{"(*TypeParam).String", Method, 18, ""},
+		{"(*TypeParam).Underlying", Method, 18, ""},
+		{"(*TypeParamList).At", Method, 18, ""},
+		{"(*TypeParamList).Len", Method, 18, ""},
+		{"(*TypeParamList).TypeParams", Method, 24, ""},
+		{"(*Union).Len", Method, 18, ""},
+		{"(*Union).String", Method, 18, ""},
+		{"(*Union).Term", Method, 18, ""},
+		{"(*Union).Terms", Method, 24, ""},
+		{"(*Union).Underlying", Method, 18, ""},
+		{"(*Var).Anonymous", Method, 5, ""},
+		{"(*Var).Embedded", Method, 11, ""},
+		{"(*Var).Exported", Method, 5, ""},
+		{"(*Var).Id", Method, 5, ""},
+		{"(*Var).IsField", Method, 5, ""},
+		{"(*Var).Kind", Method, 25, ""},
+		{"(*Var).Name", Method, 5, ""},
+		{"(*Var).Origin", Method, 19, ""},
+		{"(*Var).Parent", Method, 5, ""},
+		{"(*Var).Pkg", Method, 5, ""},
+		{"(*Var).Pos", Method, 5, ""},
+		{"(*Var).SetKind", Method, 25, ""},
+		{"(*Var).String", Method, 5, ""},
+		{"(*Var).Type", Method, 5, ""},
+		{"(Checker).ObjectOf", Method, 5, ""},
+		{"(Checker).PkgNameOf", Method, 22, ""},
+		{"(Checker).TypeOf", Method, 5, ""},
+		{"(Error).Error", Method, 5, ""},
+		{"(Importer).Import", Method, 5, ""},
+		{"(ImporterFrom).Import", Method, 6, ""},
+		{"(ImporterFrom).ImportFrom", Method, 6, ""},
+		{"(Object).Exported", Method, 5, ""},
+		{"(Object).Id", Method, 5, ""},
+		{"(Object).Name", Method, 5, ""},
+		{"(Object).Parent", Method, 5, ""},
+		{"(Object).Pkg", Method, 5, ""},
+		{"(Object).Pos", Method, 5, ""},
+		{"(Object).String", Method, 5, ""},
+		{"(Object).Type", Method, 5, ""},
+		{"(Sizes).Alignof", Method, 5, ""},
+		{"(Sizes).Offsetsof", Method, 5, ""},
+		{"(Sizes).Sizeof", Method, 5, ""},
+		{"(Type).String", Method, 5, ""},
+		{"(Type).Underlying", Method, 5, ""},
+		{"(TypeAndValue).Addressable", Method, 5, ""},
+		{"(TypeAndValue).Assignable", Method, 5, ""},
+		{"(TypeAndValue).HasOk", Method, 5, ""},
+		{"(TypeAndValue).IsBuiltin", Method, 5, ""},
+		{"(TypeAndValue).IsNil", Method, 5, ""},
+		{"(TypeAndValue).IsType", Method, 5, ""},
+		{"(TypeAndValue).IsValue", Method, 5, ""},
+		{"(TypeAndValue).IsVoid", Method, 5, ""},
+		{"(VarKind).String", Method, 25, ""},
+		{"Alias", Type, 22, ""},
+		{"ArgumentError", Type, 18, ""},
+		{"ArgumentError.Err", Field, 18, ""},
+		{"ArgumentError.Index", Field, 18, ""},
+		{"Array", Type, 5, ""},
+		{"AssertableTo", Func, 5, "func(V *Interface, T Type) bool"},
+		{"AssignableTo", Func, 5, "func(V Type, T Type) bool"},
+		{"Basic", Type, 5, ""},
+		{"BasicInfo", Type, 5, ""},
+		{"BasicKind", Type, 5, ""},
+		{"Bool", Const, 5, ""},
+		{"Builtin", Type, 5, ""},
+		{"Byte", Const, 5, ""},
+		{"Chan", Type, 5, ""},
+		{"ChanDir", Type, 5, ""},
+		{"CheckExpr", Func, 13, "func(fset *token.FileSet, pkg *Package, pos token.Pos, expr ast.Expr, info *Info) (err error)"},
+		{"Checker", Type, 5, ""},
+		{"Checker.Info", Field, 5, ""},
+		{"Comparable", Func, 5, "func(T Type) bool"},
+		{"Complex128", Const, 5, ""},
+		{"Complex64", Const, 5, ""},
+		{"Config", Type, 5, ""},
+		{"Config.Context", Field, 18, ""},
+		{"Config.DisableUnusedImportCheck", Field, 5, ""},
+		{"Config.Error", Field, 5, ""},
+		{"Config.FakeImportC", Field, 5, ""},
+		{"Config.GoVersion", Field, 18, ""},
+		{"Config.IgnoreFuncBodies", Field, 5, ""},
+		{"Config.Importer", Field, 5, ""},
+		{"Config.Sizes", Field, 5, ""},
+		{"Const", Type, 5, ""},
+		{"Context", Type, 18, ""},
+		{"ConvertibleTo", Func, 5, "func(V Type, T Type) bool"},
+		{"DefPredeclaredTestFuncs", Func, 5, "func()"},
+		{"Default", Func, 8, "func(t Type) Type"},
+		{"Error", Type, 5, ""},
+		{"Error.Fset", Field, 5, ""},
+		{"Error.Msg", Field, 5, ""},
+		{"Error.Pos", Field, 5, ""},
+		{"Error.Soft", Field, 5, ""},
+		{"Eval", Func, 5, "func(fset *token.FileSet, pkg *Package, pos token.Pos, expr string) (_ TypeAndValue, err error)"},
+		{"ExprString", Func, 5, "func(x ast.Expr) string"},
+		{"FieldVal", Const, 5, ""},
+		{"FieldVar", Const, 25, ""},
+		{"Float32", Const, 5, ""},
+		{"Float64", Const, 5, ""},
+		{"Func", Type, 5, ""},
+		{"Id", Func, 5, "func(pkg *Package, name string) string"},
+		{"Identical", Func, 5, "func(x Type, y Type) bool"},
+		{"IdenticalIgnoreTags", Func, 8, "func(x Type, y Type) bool"},
+		{"Implements", Func, 5, "func(V Type, T *Interface) bool"},
+		{"ImportMode", Type, 6, ""},
+		{"Importer", Type, 5, ""},
+		{"ImporterFrom", Type, 6, ""},
+		{"Info", Type, 5, ""},
+		{"Info.Defs", Field, 5, ""},
+		{"Info.FileVersions", Field, 22, ""},
+		{"Info.Implicits", Field, 5, ""},
+		{"Info.InitOrder", Field, 5, ""},
+		{"Info.Instances", Field, 18, ""},
+		{"Info.Scopes", Field, 5, ""},
+		{"Info.Selections", Field, 5, ""},
+		{"Info.Types", Field, 5, ""},
+		{"Info.Uses", Field, 5, ""},
+		{"Initializer", Type, 5, ""},
+		{"Initializer.Lhs", Field, 5, ""},
+		{"Initializer.Rhs", Field, 5, ""},
+		{"Instance", Type, 18, ""},
+		{"Instance.Type", Field, 18, ""},
+		{"Instance.TypeArgs", Field, 18, ""},
+		{"Instantiate", Func, 18, "func(ctxt *Context, orig Type, targs []Type, validate bool) (Type, error)"},
+		{"Int", Const, 5, ""},
+		{"Int16", Const, 5, ""},
+		{"Int32", Const, 5, ""},
+		{"Int64", Const, 5, ""},
+		{"Int8", Const, 5, ""},
+		{"Interface", Type, 5, ""},
+		{"Invalid", Const, 5, ""},
+		{"IsBoolean", Const, 5, ""},
+		{"IsComplex", Const, 5, ""},
+		{"IsConstType", Const, 5, ""},
+		{"IsFloat", Const, 5, ""},
+		{"IsInteger", Const, 5, ""},
+		{"IsInterface", Func, 5, "func(t Type) bool"},
+		{"IsNumeric", Const, 5, ""},
+		{"IsOrdered", Const, 5, ""},
+		{"IsString", Const, 5, ""},
+		{"IsUnsigned", Const, 5, ""},
+		{"IsUntyped", Const, 5, ""},
+		{"Label", Type, 5, ""},
+		{"LocalVar", Const, 25, ""},
+		{"LookupFieldOrMethod", Func, 5, "func(T Type, addressable bool, pkg *Package, name string) (obj Object, index []int, indirect bool)"},
+		{"LookupSelection", Func, 25, "func(T Type, addressable bool, pkg *Package, name string) (Selection, bool)"},
+		{"Map", Type, 5, ""},
+		{"MethodExpr", Const, 5, ""},
+		{"MethodSet", Type, 5, ""},
+		{"MethodVal", Const, 5, ""},
+		{"MissingMethod", Func, 5, "func(V Type, T *Interface, static bool) (method *Func, wrongType bool)"},
+		{"Named", Type, 5, ""},
+		{"NewAlias", Func, 22, "func(obj *TypeName, rhs Type) *Alias"},
+		{"NewArray", Func, 5, "func(elem Type, len int64) *Array"},
+		{"NewChan", Func, 5, "func(dir ChanDir, elem Type) *Chan"},
+		{"NewChecker", Func, 5, "func(conf *Config, fset *token.FileSet, pkg *Package, info *Info) *Checker"},
+		{"NewConst", Func, 5, "func(pos token.Pos, pkg *Package, name string, typ Type, val constant.Value) *Const"},
+		{"NewContext", Func, 18, "func() *Context"},
+		{"NewField", Func, 5, "func(pos token.Pos, pkg *Package, name string, typ Type, embedded bool) *Var"},
+		{"NewFunc", Func, 5, "func(pos token.Pos, pkg *Package, name string, sig *Signature) *Func"},
+		{"NewInterface", Func, 5, "func(methods []*Func, embeddeds []*Named) *Interface"},
+		{"NewInterfaceType", Func, 11, "func(methods []*Func, embeddeds []Type) *Interface"},
+		{"NewLabel", Func, 5, "func(pos token.Pos, pkg *Package, name string) *Label"},
+		{"NewMap", Func, 5, "func(key Type, elem Type) *Map"},
+		{"NewMethodSet", Func, 5, "func(T Type) *MethodSet"},
+		{"NewNamed", Func, 5, "func(obj *TypeName, underlying Type, methods []*Func) *Named"},
+		{"NewPackage", Func, 5, "func(path string, name string) *Package"},
+		{"NewParam", Func, 5, "func(pos token.Pos, pkg *Package, name string, typ Type) *Var"},
+		{"NewPkgName", Func, 5, "func(pos token.Pos, pkg *Package, name string, imported *Package) *PkgName"},
+		{"NewPointer", Func, 5, "func(elem Type) *Pointer"},
+		{"NewScope", Func, 5, "func(parent *Scope, pos token.Pos, end token.Pos, comment string) *Scope"},
+		{"NewSignature", Func, 5, "func(recv *Var, params *Tuple, results *Tuple, variadic bool) *Signature"},
+		{"NewSignatureType", Func, 18, "func(recv *Var, recvTypeParams []*TypeParam, typeParams []*TypeParam, params *Tuple, results *Tuple, variadic bool) *Signature"},
+		{"NewSlice", Func, 5, "func(elem Type) *Slice"},
+		{"NewStruct", Func, 5, "func(fields []*Var, tags []string) *Struct"},
+		{"NewTerm", Func, 18, "func(tilde bool, typ Type) *Term"},
+		{"NewTuple", Func, 5, "func(x ...*Var) *Tuple"},
+		{"NewTypeName", Func, 5, "func(pos token.Pos, pkg *Package, name string, typ Type) *TypeName"},
+		{"NewTypeParam", Func, 18, "func(obj *TypeName, constraint Type) *TypeParam"},
+		{"NewUnion", Func, 18, "func(terms []*Term) *Union"},
+		{"NewVar", Func, 5, "func(pos token.Pos, pkg *Package, name string, typ Type) *Var"},
+		{"Nil", Type, 5, ""},
+		{"ObjectString", Func, 5, "func(obj Object, qf Qualifier) string"},
+		{"Package", Type, 5, ""},
+		{"PackageVar", Const, 25, ""},
+		{"ParamVar", Const, 25, ""},
+		{"PkgName", Type, 5, ""},
+		{"Pointer", Type, 5, ""},
+		{"Qualifier", Type, 5, ""},
+		{"RecvOnly", Const, 5, ""},
+		{"RecvVar", Const, 25, ""},
+		{"RelativeTo", Func, 5, "func(pkg *Package) Qualifier"},
+		{"ResultVar", Const, 25, ""},
+		{"Rune", Const, 5, ""},
+		{"Satisfies", Func, 20, "func(V Type, T *Interface) bool"},
+		{"Scope", Type, 5, ""},
+		{"Selection", Type, 5, ""},
+		{"SelectionKind", Type, 5, ""},
+		{"SelectionString", Func, 5, "func(s *Selection, qf Qualifier) string"},
+		{"SendOnly", Const, 5, ""},
+		{"SendRecv", Const, 5, ""},
+		{"Signature", Type, 5, ""},
+		{"Sizes", Type, 5, ""},
+		{"SizesFor", Func, 9, "func(compiler string, arch string) Sizes"},
+		{"Slice", Type, 5, ""},
+		{"StdSizes", Type, 5, ""},
+		{"StdSizes.MaxAlign", Field, 5, ""},
+		{"StdSizes.WordSize", Field, 5, ""},
+		{"String", Const, 5, ""},
+		{"Struct", Type, 5, ""},
+		{"Term", Type, 18, ""},
+		{"Tuple", Type, 5, ""},
+		{"Typ", Var, 5, ""},
+		{"Type", Type, 5, ""},
+		{"TypeAndValue", Type, 5, ""},
+		{"TypeAndValue.Type", Field, 5, ""},
+		{"TypeAndValue.Value", Field, 5, ""},
+		{"TypeList", Type, 18, ""},
+		{"TypeName", Type, 5, ""},
+		{"TypeParam", Type, 18, ""},
+		{"TypeParamList", Type, 18, ""},
+		{"TypeString", Func, 5, "func(typ Type, qf Qualifier) string"},
+		{"Uint", Const, 5, ""},
+		{"Uint16", Const, 5, ""},
+		{"Uint32", Const, 5, ""},
+		{"Uint64", Const, 5, ""},
+		{"Uint8", Const, 5, ""},
+		{"Uintptr", Const, 5, ""},
+		{"Unalias", Func, 22, "func(t Type) Type"},
+		{"Union", Type, 18, ""},
+		{"Universe", Var, 5, ""},
+		{"Unsafe", Var, 5, ""},
+		{"UnsafePointer", Const, 5, ""},
+		{"UntypedBool", Const, 5, ""},
+		{"UntypedComplex", Const, 5, ""},
+		{"UntypedFloat", Const, 5, ""},
+		{"UntypedInt", Const, 5, ""},
+		{"UntypedNil", Const, 5, ""},
+		{"UntypedRune", Const, 5, ""},
+		{"UntypedString", Const, 5, ""},
+		{"Var", Type, 5, ""},
+		{"VarKind", Type, 25, ""},
+		{"WriteExpr", Func, 5, "func(buf *bytes.Buffer, x ast.Expr)"},
+		{"WriteSignature", Func, 5, "func(buf *bytes.Buffer, sig *Signature, qf Qualifier)"},
+		{"WriteType", Func, 5, "func(buf *bytes.Buffer, typ Type, qf Qualifier)"},
+	},
+	"go/version": {
+		{"Compare", Func, 22, "func(x string, y string) int"},
+		{"IsValid", Func, 22, "func(x string) bool"},
+		{"Lang", Func, 22, "func(x string) string"},
+	},
+	"hash": {
+		{"(Cloner).BlockSize", Method, 25, ""},
+		{"(Cloner).Clone", Method, 25, ""},
+		{"(Cloner).Reset", Method, 25, ""},
+		{"(Cloner).Size", Method, 25, ""},
+		{"(Cloner).Sum", Method, 25, ""},
+		{"(Cloner).Write", Method, 25, ""},
+		{"(Hash).BlockSize", Method, 0, ""},
+		{"(Hash).Reset", Method, 0, ""},
+		{"(Hash).Size", Method, 0, ""},
+		{"(Hash).Sum", Method, 0, ""},
+		{"(Hash).Write", Method, 0, ""},
+		{"(Hash32).BlockSize", Method, 0, ""},
+		{"(Hash32).Reset", Method, 0, ""},
+		{"(Hash32).Size", Method, 0, ""},
+		{"(Hash32).Sum", Method, 0, ""},
+		{"(Hash32).Sum32", Method, 0, ""},
+		{"(Hash32).Write", Method, 0, ""},
+		{"(Hash64).BlockSize", Method, 0, ""},
+		{"(Hash64).Reset", Method, 0, ""},
+		{"(Hash64).Size", Method, 0, ""},
+		{"(Hash64).Sum", Method, 0, ""},
+		{"(Hash64).Sum64", Method, 0, ""},
+		{"(Hash64).Write", Method, 0, ""},
+		{"(XOF).BlockSize", Method, 25, ""},
+		{"(XOF).Read", Method, 25, ""},
+		{"(XOF).Reset", Method, 25, ""},
+		{"(XOF).Write", Method, 25, ""},
+		{"Cloner", Type, 25, ""},
+		{"Hash", Type, 0, ""},
+		{"Hash32", Type, 0, ""},
+		{"Hash64", Type, 0, ""},
+		{"XOF", Type, 25, ""},
+	},
+	"hash/adler32": {
+		{"Checksum", Func, 0, "func(data []byte) uint32"},
+		{"New", Func, 0, "func() hash.Hash32"},
+		{"Size", Const, 0, ""},
+	},
+	"hash/crc32": {
+		{"Castagnoli", Const, 0, ""},
+		{"Checksum", Func, 0, "func(data []byte, tab *Table) uint32"},
+		{"ChecksumIEEE", Func, 0, "func(data []byte) uint32"},
+		{"IEEE", Const, 0, ""},
+		{"IEEETable", Var, 0, ""},
+		{"Koopman", Const, 0, ""},
+		{"MakeTable", Func, 0, "func(poly uint32) *Table"},
+		{"New", Func, 0, "func(tab *Table) hash.Hash32"},
+		{"NewIEEE", Func, 0, "func() hash.Hash32"},
+		{"Size", Const, 0, ""},
+		{"Table", Type, 0, ""},
+		{"Update", Func, 0, "func(crc uint32, tab *Table, p []byte) uint32"},
+	},
+	"hash/crc64": {
+		{"Checksum", Func, 0, "func(data []byte, tab *Table) uint64"},
+		{"ECMA", Const, 0, ""},
+		{"ISO", Const, 0, ""},
+		{"MakeTable", Func, 0, "func(poly uint64) *Table"},
+		{"New", Func, 0, "func(tab *Table) hash.Hash64"},
+		{"Size", Const, 0, ""},
+		{"Table", Type, 0, ""},
+		{"Update", Func, 0, "func(crc uint64, tab *Table, p []byte) uint64"},
+	},
+	"hash/fnv": {
+		{"New128", Func, 9, "func() hash.Hash"},
+		{"New128a", Func, 9, "func() hash.Hash"},
+		{"New32", Func, 0, "func() hash.Hash32"},
+		{"New32a", Func, 0, "func() hash.Hash32"},
+		{"New64", Func, 0, "func() hash.Hash64"},
+		{"New64a", Func, 0, "func() hash.Hash64"},
+	},
+	"hash/maphash": {
+		{"(*Hash).BlockSize", Method, 14, ""},
+		{"(*Hash).Clone", Method, 25, ""},
+		{"(*Hash).Reset", Method, 14, ""},
+		{"(*Hash).Seed", Method, 14, ""},
+		{"(*Hash).SetSeed", Method, 14, ""},
+		{"(*Hash).Size", Method, 14, ""},
+		{"(*Hash).Sum", Method, 14, ""},
+		{"(*Hash).Sum64", Method, 14, ""},
+		{"(*Hash).Write", Method, 14, ""},
+		{"(*Hash).WriteByte", Method, 14, ""},
+		{"(*Hash).WriteString", Method, 14, ""},
+		{"Bytes", Func, 19, "func(seed Seed, b []byte) uint64"},
+		{"Comparable", Func, 24, "func[T comparable](seed Seed, v T) uint64"},
+		{"Hash", Type, 14, ""},
+		{"MakeSeed", Func, 14, "func() Seed"},
+		{"Seed", Type, 14, ""},
+		{"String", Func, 19, "func(seed Seed, s string) uint64"},
+		{"WriteComparable", Func, 24, "func[T comparable](h *Hash, x T)"},
+	},
+	"html": {
+		{"EscapeString", Func, 0, "func(s string) string"},
+		{"UnescapeString", Func, 0, "func(s string) string"},
+	},
+	"html/template": {
+		{"(*Error).Error", Method, 0, ""},
+		{"(*Template).AddParseTree", Method, 0, ""},
+		{"(*Template).Clone", Method, 0, ""},
+		{"(*Template).DefinedTemplates", Method, 6, ""},
+		{"(*Template).Delims", Method, 0, ""},
+		{"(*Template).Execute", Method, 0, ""},
+		{"(*Template).ExecuteTemplate", Method, 0, ""},
+		{"(*Template).Funcs", Method, 0, ""},
+		{"(*Template).Lookup", Method, 0, ""},
+		{"(*Template).Name", Method, 0, ""},
+		{"(*Template).New", Method, 0, ""},
+		{"(*Template).Option", Method, 5, ""},
+		{"(*Template).Parse", Method, 0, ""},
+		{"(*Template).ParseFS", Method, 16, ""},
+		{"(*Template).ParseFiles", Method, 0, ""},
+		{"(*Template).ParseGlob", Method, 0, ""},
+		{"(*Template).Templates", Method, 0, ""},
+		{"CSS", Type, 0, ""},
+		{"ErrAmbigContext", Const, 0, ""},
+		{"ErrBadHTML", Const, 0, ""},
+		{"ErrBranchEnd", Const, 0, ""},
+		{"ErrEndContext", Const, 0, ""},
+		{"ErrJSTemplate", Const, 21, ""},
+		{"ErrNoSuchTemplate", Const, 0, ""},
+		{"ErrOutputContext", Const, 0, ""},
+		{"ErrPartialCharset", Const, 0, ""},
+		{"ErrPartialEscape", Const, 0, ""},
+		{"ErrPredefinedEscaper", Const, 9, ""},
+		{"ErrRangeLoopReentry", Const, 0, ""},
+		{"ErrSlashAmbig", Const, 0, ""},
+		{"Error", Type, 0, ""},
+		{"Error.Description", Field, 0, ""},
+		{"Error.ErrorCode", Field, 0, ""},
+		{"Error.Line", Field, 0, ""},
+		{"Error.Name", Field, 0, ""},
+		{"Error.Node", Field, 4, ""},
+		{"ErrorCode", Type, 0, ""},
+		{"FuncMap", Type, 0, ""},
+		{"HTML", Type, 0, ""},
+		{"HTMLAttr", Type, 0, ""},
+		{"HTMLEscape", Func, 0, "func(w io.Writer, b []byte)"},
+		{"HTMLEscapeString", Func, 0, "func(s string) string"},
+		{"HTMLEscaper", Func, 0, "func(args ...any) string"},
+		{"IsTrue", Func, 6, "func(val any) (truth bool, ok bool)"},
+		{"JS", Type, 0, ""},
+		{"JSEscape", Func, 0, "func(w io.Writer, b []byte)"},
+		{"JSEscapeString", Func, 0, "func(s string) string"},
+		{"JSEscaper", Func, 0, "func(args ...any) string"},
+		{"JSStr", Type, 0, ""},
+		{"Must", Func, 0, "func(t *Template, err error) *Template"},
+		{"New", Func, 0, "func(name string) *Template"},
+		{"OK", Const, 0, ""},
+		{"ParseFS", Func, 16, "func(fs fs.FS, patterns ...string) (*Template, error)"},
+		{"ParseFiles", Func, 0, "func(filenames ...string) (*Template, error)"},
+		{"ParseGlob", Func, 0, "func(pattern string) (*Template, error)"},
+		{"Srcset", Type, 10, ""},
+		{"Template", Type, 0, ""},
+		{"Template.Tree", Field, 2, ""},
+		{"URL", Type, 0, ""},
+		{"URLQueryEscaper", Func, 0, "func(args ...any) string"},
+	},
+	"image": {
+		{"(*Alpha).AlphaAt", Method, 4, ""},
+		{"(*Alpha).At", Method, 0, ""},
+		{"(*Alpha).Bounds", Method, 0, ""},
+		{"(*Alpha).ColorModel", Method, 0, ""},
+		{"(*Alpha).Opaque", Method, 0, ""},
+		{"(*Alpha).PixOffset", Method, 0, ""},
+		{"(*Alpha).RGBA64At", Method, 17, ""},
+		{"(*Alpha).Set", Method, 0, ""},
+		{"(*Alpha).SetAlpha", Method, 0, ""},
+		{"(*Alpha).SetRGBA64", Method, 17, ""},
+		{"(*Alpha).SubImage", Method, 0, ""},
+		{"(*Alpha16).Alpha16At", Method, 4, ""},
+		{"(*Alpha16).At", Method, 0, ""},
+		{"(*Alpha16).Bounds", Method, 0, ""},
+		{"(*Alpha16).ColorModel", Method, 0, ""},
+		{"(*Alpha16).Opaque", Method, 0, ""},
+		{"(*Alpha16).PixOffset", Method, 0, ""},
+		{"(*Alpha16).RGBA64At", Method, 17, ""},
+		{"(*Alpha16).Set", Method, 0, ""},
+		{"(*Alpha16).SetAlpha16", Method, 0, ""},
+		{"(*Alpha16).SetRGBA64", Method, 17, ""},
+		{"(*Alpha16).SubImage", Method, 0, ""},
+		{"(*CMYK).At", Method, 5, ""},
+		{"(*CMYK).Bounds", Method, 5, ""},
+		{"(*CMYK).CMYKAt", Method, 5, ""},
+		{"(*CMYK).ColorModel", Method, 5, ""},
+		{"(*CMYK).Opaque", Method, 5, ""},
+		{"(*CMYK).PixOffset", Method, 5, ""},
+		{"(*CMYK).RGBA64At", Method, 17, ""},
+		{"(*CMYK).Set", Method, 5, ""},
+		{"(*CMYK).SetCMYK", Method, 5, ""},
+		{"(*CMYK).SetRGBA64", Method, 17, ""},
+		{"(*CMYK).SubImage", Method, 5, ""},
+		{"(*Gray).At", Method, 0, ""},
+		{"(*Gray).Bounds", Method, 0, ""},
+		{"(*Gray).ColorModel", Method, 0, ""},
+		{"(*Gray).GrayAt", Method, 4, ""},
+		{"(*Gray).Opaque", Method, 0, ""},
+		{"(*Gray).PixOffset", Method, 0, ""},
+		{"(*Gray).RGBA64At", Method, 17, ""},
+		{"(*Gray).Set", Method, 0, ""},
+		{"(*Gray).SetGray", Method, 0, ""},
+		{"(*Gray).SetRGBA64", Method, 17, ""},
+		{"(*Gray).SubImage", Method, 0, ""},
+		{"(*Gray16).At", Method, 0, ""},
+		{"(*Gray16).Bounds", Method, 0, ""},
+		{"(*Gray16).ColorModel", Method, 0, ""},
+		{"(*Gray16).Gray16At", Method, 4, ""},
+		{"(*Gray16).Opaque", Method, 0, ""},
+		{"(*Gray16).PixOffset", Method, 0, ""},
+		{"(*Gray16).RGBA64At", Method, 17, ""},
+		{"(*Gray16).Set", Method, 0, ""},
+		{"(*Gray16).SetGray16", Method, 0, ""},
+		{"(*Gray16).SetRGBA64", Method, 17, ""},
+		{"(*Gray16).SubImage", Method, 0, ""},
+		{"(*NRGBA).At", Method, 0, ""},
+		{"(*NRGBA).Bounds", Method, 0, ""},
+		{"(*NRGBA).ColorModel", Method, 0, ""},
+		{"(*NRGBA).NRGBAAt", Method, 4, ""},
+		{"(*NRGBA).Opaque", Method, 0, ""},
+		{"(*NRGBA).PixOffset", Method, 0, ""},
+		{"(*NRGBA).RGBA64At", Method, 17, ""},
+		{"(*NRGBA).Set", Method, 0, ""},
+		{"(*NRGBA).SetNRGBA", Method, 0, ""},
+		{"(*NRGBA).SetRGBA64", Method, 17, ""},
+		{"(*NRGBA).SubImage", Method, 0, ""},
+		{"(*NRGBA64).At", Method, 0, ""},
+		{"(*NRGBA64).Bounds", Method, 0, ""},
+		{"(*NRGBA64).ColorModel", Method, 0, ""},
+		{"(*NRGBA64).NRGBA64At", Method, 4, ""},
+		{"(*NRGBA64).Opaque", Method, 0, ""},
+		{"(*NRGBA64).PixOffset", Method, 0, ""},
+		{"(*NRGBA64).RGBA64At", Method, 17, ""},
+		{"(*NRGBA64).Set", Method, 0, ""},
+		{"(*NRGBA64).SetNRGBA64", Method, 0, ""},
+		{"(*NRGBA64).SetRGBA64", Method, 17, ""},
+		{"(*NRGBA64).SubImage", Method, 0, ""},
+		{"(*NYCbCrA).AOffset", Method, 6, ""},
+		{"(*NYCbCrA).At", Method, 6, ""},
+		{"(*NYCbCrA).Bounds", Method, 6, ""},
+		{"(*NYCbCrA).COffset", Method, 6, ""},
+		{"(*NYCbCrA).ColorModel", Method, 6, ""},
+		{"(*NYCbCrA).NYCbCrAAt", Method, 6, ""},
+		{"(*NYCbCrA).Opaque", Method, 6, ""},
+		{"(*NYCbCrA).RGBA64At", Method, 17, ""},
+		{"(*NYCbCrA).SubImage", Method, 6, ""},
+		{"(*NYCbCrA).YCbCrAt", Method, 6, ""},
+		{"(*NYCbCrA).YOffset", Method, 6, ""},
+		{"(*Paletted).At", Method, 0, ""},
+		{"(*Paletted).Bounds", Method, 0, ""},
+		{"(*Paletted).ColorIndexAt", Method, 0, ""},
+		{"(*Paletted).ColorModel", Method, 0, ""},
+		{"(*Paletted).Opaque", Method, 0, ""},
+		{"(*Paletted).PixOffset", Method, 0, ""},
+		{"(*Paletted).RGBA64At", Method, 17, ""},
+		{"(*Paletted).Set", Method, 0, ""},
+		{"(*Paletted).SetColorIndex", Method, 0, ""},
+		{"(*Paletted).SetRGBA64", Method, 17, ""},
+		{"(*Paletted).SubImage", Method, 0, ""},
+		{"(*RGBA).At", Method, 0, ""},
+		{"(*RGBA).Bounds", Method, 0, ""},
+		{"(*RGBA).ColorModel", Method, 0, ""},
+		{"(*RGBA).Opaque", Method, 0, ""},
+		{"(*RGBA).PixOffset", Method, 0, ""},
+		{"(*RGBA).RGBA64At", Method, 17, ""},
+		{"(*RGBA).RGBAAt", Method, 4, ""},
+		{"(*RGBA).Set", Method, 0, ""},
+		{"(*RGBA).SetRGBA", Method, 0, ""},
+		{"(*RGBA).SetRGBA64", Method, 17, ""},
+		{"(*RGBA).SubImage", Method, 0, ""},
+		{"(*RGBA64).At", Method, 0, ""},
+		{"(*RGBA64).Bounds", Method, 0, ""},
+		{"(*RGBA64).ColorModel", Method, 0, ""},
+		{"(*RGBA64).Opaque", Method, 0, ""},
+		{"(*RGBA64).PixOffset", Method, 0, ""},
+		{"(*RGBA64).RGBA64At", Method, 4, ""},
+		{"(*RGBA64).Set", Method, 0, ""},
+		{"(*RGBA64).SetRGBA64", Method, 0, ""},
+		{"(*RGBA64).SubImage", Method, 0, ""},
+		{"(*Uniform).At", Method, 0, ""},
+		{"(*Uniform).Bounds", Method, 0, ""},
+		{"(*Uniform).ColorModel", Method, 0, ""},
+		{"(*Uniform).Convert", Method, 0, ""},
+		{"(*Uniform).Opaque", Method, 0, ""},
+		{"(*Uniform).RGBA", Method, 0, ""},
+		{"(*Uniform).RGBA64At", Method, 17, ""},
+		{"(*YCbCr).At", Method, 0, ""},
+		{"(*YCbCr).Bounds", Method, 0, ""},
+		{"(*YCbCr).COffset", Method, 0, ""},
+		{"(*YCbCr).ColorModel", Method, 0, ""},
+		{"(*YCbCr).Opaque", Method, 0, ""},
+		{"(*YCbCr).RGBA64At", Method, 17, ""},
+		{"(*YCbCr).SubImage", Method, 0, ""},
+		{"(*YCbCr).YCbCrAt", Method, 4, ""},
+		{"(*YCbCr).YOffset", Method, 0, ""},
+		{"(Image).At", Method, 0, ""},
+		{"(Image).Bounds", Method, 0, ""},
+		{"(Image).ColorModel", Method, 0, ""},
+		{"(PalettedImage).At", Method, 0, ""},
+		{"(PalettedImage).Bounds", Method, 0, ""},
+		{"(PalettedImage).ColorIndexAt", Method, 0, ""},
+		{"(PalettedImage).ColorModel", Method, 0, ""},
+		{"(Point).Add", Method, 0, ""},
+		{"(Point).Div", Method, 0, ""},
+		{"(Point).Eq", Method, 0, ""},
+		{"(Point).In", Method, 0, ""},
+		{"(Point).Mod", Method, 0, ""},
+		{"(Point).Mul", Method, 0, ""},
+		{"(Point).String", Method, 0, ""},
+		{"(Point).Sub", Method, 0, ""},
+		{"(RGBA64Image).At", Method, 17, ""},
+		{"(RGBA64Image).Bounds", Method, 17, ""},
+		{"(RGBA64Image).ColorModel", Method, 17, ""},
+		{"(RGBA64Image).RGBA64At", Method, 17, ""},
+		{"(Rectangle).Add", Method, 0, ""},
+		{"(Rectangle).At", Method, 5, ""},
+		{"(Rectangle).Bounds", Method, 5, ""},
+		{"(Rectangle).Canon", Method, 0, ""},
+		{"(Rectangle).ColorModel", Method, 5, ""},
+		{"(Rectangle).Dx", Method, 0, ""},
+		{"(Rectangle).Dy", Method, 0, ""},
+		{"(Rectangle).Empty", Method, 0, ""},
+		{"(Rectangle).Eq", Method, 0, ""},
+		{"(Rectangle).In", Method, 0, ""},
+		{"(Rectangle).Inset", Method, 0, ""},
+		{"(Rectangle).Intersect", Method, 0, ""},
+		{"(Rectangle).Overlaps", Method, 0, ""},
+		{"(Rectangle).RGBA64At", Method, 17, ""},
+		{"(Rectangle).Size", Method, 0, ""},
+		{"(Rectangle).String", Method, 0, ""},
+		{"(Rectangle).Sub", Method, 0, ""},
+		{"(Rectangle).Union", Method, 0, ""},
+		{"(YCbCrSubsampleRatio).String", Method, 0, ""},
+		{"Alpha", Type, 0, ""},
+		{"Alpha.Pix", Field, 0, ""},
+		{"Alpha.Rect", Field, 0, ""},
+		{"Alpha.Stride", Field, 0, ""},
+		{"Alpha16", Type, 0, ""},
+		{"Alpha16.Pix", Field, 0, ""},
+		{"Alpha16.Rect", Field, 0, ""},
+		{"Alpha16.Stride", Field, 0, ""},
+		{"Black", Var, 0, ""},
+		{"CMYK", Type, 5, ""},
+		{"CMYK.Pix", Field, 5, ""},
+		{"CMYK.Rect", Field, 5, ""},
+		{"CMYK.Stride", Field, 5, ""},
+		{"Config", Type, 0, ""},
+		{"Config.ColorModel", Field, 0, ""},
+		{"Config.Height", Field, 0, ""},
+		{"Config.Width", Field, 0, ""},
+		{"Decode", Func, 0, "func(r io.Reader) (Image, string, error)"},
+		{"DecodeConfig", Func, 0, "func(r io.Reader) (Config, string, error)"},
+		{"ErrFormat", Var, 0, ""},
+		{"Gray", Type, 0, ""},
+		{"Gray.Pix", Field, 0, ""},
+		{"Gray.Rect", Field, 0, ""},
+		{"Gray.Stride", Field, 0, ""},
+		{"Gray16", Type, 0, ""},
+		{"Gray16.Pix", Field, 0, ""},
+		{"Gray16.Rect", Field, 0, ""},
+		{"Gray16.Stride", Field, 0, ""},
+		{"Image", Type, 0, ""},
+		{"NRGBA", Type, 0, ""},
+		{"NRGBA.Pix", Field, 0, ""},
+		{"NRGBA.Rect", Field, 0, ""},
+		{"NRGBA.Stride", Field, 0, ""},
+		{"NRGBA64", Type, 0, ""},
+		{"NRGBA64.Pix", Field, 0, ""},
+		{"NRGBA64.Rect", Field, 0, ""},
+		{"NRGBA64.Stride", Field, 0, ""},
+		{"NYCbCrA", Type, 6, ""},
+		{"NYCbCrA.A", Field, 6, ""},
+		{"NYCbCrA.AStride", Field, 6, ""},
+		{"NYCbCrA.YCbCr", Field, 6, ""},
+		{"NewAlpha", Func, 0, "func(r Rectangle) *Alpha"},
+		{"NewAlpha16", Func, 0, "func(r Rectangle) *Alpha16"},
+		{"NewCMYK", Func, 5, "func(r Rectangle) *CMYK"},
+		{"NewGray", Func, 0, "func(r Rectangle) *Gray"},
+		{"NewGray16", Func, 0, "func(r Rectangle) *Gray16"},
+		{"NewNRGBA", Func, 0, "func(r Rectangle) *NRGBA"},
+		{"NewNRGBA64", Func, 0, "func(r Rectangle) *NRGBA64"},
+		{"NewNYCbCrA", Func, 6, "func(r Rectangle, subsampleRatio YCbCrSubsampleRatio) *NYCbCrA"},
+		{"NewPaletted", Func, 0, "func(r Rectangle, p color.Palette) *Paletted"},
+		{"NewRGBA", Func, 0, "func(r Rectangle) *RGBA"},
+		{"NewRGBA64", Func, 0, "func(r Rectangle) *RGBA64"},
+		{"NewUniform", Func, 0, "func(c color.Color) *Uniform"},
+		{"NewYCbCr", Func, 0, "func(r Rectangle, subsampleRatio YCbCrSubsampleRatio) *YCbCr"},
+		{"Opaque", Var, 0, ""},
+		{"Paletted", Type, 0, ""},
+		{"Paletted.Palette", Field, 0, ""},
+		{"Paletted.Pix", Field, 0, ""},
+		{"Paletted.Rect", Field, 0, ""},
+		{"Paletted.Stride", Field, 0, ""},
+		{"PalettedImage", Type, 0, ""},
+		{"Point", Type, 0, ""},
+		{"Point.X", Field, 0, ""},
+		{"Point.Y", Field, 0, ""},
+		{"Pt", Func, 0, "func(X int, Y int) Point"},
+		{"RGBA", Type, 0, ""},
+		{"RGBA.Pix", Field, 0, ""},
+		{"RGBA.Rect", Field, 0, ""},
+		{"RGBA.Stride", Field, 0, ""},
+		{"RGBA64", Type, 0, ""},
+		{"RGBA64.Pix", Field, 0, ""},
+		{"RGBA64.Rect", Field, 0, ""},
+		{"RGBA64.Stride", Field, 0, ""},
+		{"RGBA64Image", Type, 17, ""},
+		{"Rect", Func, 0, "func(x0 int, y0 int, x1 int, y1 int) Rectangle"},
+		{"Rectangle", Type, 0, ""},
+		{"Rectangle.Max", Field, 0, ""},
+		{"Rectangle.Min", Field, 0, ""},
+		{"RegisterFormat", Func, 0, "func(name string, magic string, decode func(io.Reader) (Image, error), decodeConfig func(io.Reader) (Config, error))"},
+		{"Transparent", Var, 0, ""},
+		{"Uniform", Type, 0, ""},
+		{"Uniform.C", Field, 0, ""},
+		{"White", Var, 0, ""},
+		{"YCbCr", Type, 0, ""},
+		{"YCbCr.CStride", Field, 0, ""},
+		{"YCbCr.Cb", Field, 0, ""},
+		{"YCbCr.Cr", Field, 0, ""},
+		{"YCbCr.Rect", Field, 0, ""},
+		{"YCbCr.SubsampleRatio", Field, 0, ""},
+		{"YCbCr.Y", Field, 0, ""},
+		{"YCbCr.YStride", Field, 0, ""},
+		{"YCbCrSubsampleRatio", Type, 0, ""},
+		{"YCbCrSubsampleRatio410", Const, 5, ""},
+		{"YCbCrSubsampleRatio411", Const, 5, ""},
+		{"YCbCrSubsampleRatio420", Const, 0, ""},
+		{"YCbCrSubsampleRatio422", Const, 0, ""},
+		{"YCbCrSubsampleRatio440", Const, 1, ""},
+		{"YCbCrSubsampleRatio444", Const, 0, ""},
+		{"ZP", Var, 0, ""},
+		{"ZR", Var, 0, ""},
+	},
+	"image/color": {
+		{"(Alpha).RGBA", Method, 0, ""},
+		{"(Alpha16).RGBA", Method, 0, ""},
+		{"(CMYK).RGBA", Method, 5, ""},
+		{"(Color).RGBA", Method, 0, ""},
+		{"(Gray).RGBA", Method, 0, ""},
+		{"(Gray16).RGBA", Method, 0, ""},
+		{"(Model).Convert", Method, 0, ""},
+		{"(NRGBA).RGBA", Method, 0, ""},
+		{"(NRGBA64).RGBA", Method, 0, ""},
+		{"(NYCbCrA).RGBA", Method, 6, ""},
+		{"(Palette).Convert", Method, 0, ""},
+		{"(Palette).Index", Method, 0, ""},
+		{"(RGBA).RGBA", Method, 0, ""},
+		{"(RGBA64).RGBA", Method, 0, ""},
+		{"(YCbCr).RGBA", Method, 0, ""},
+		{"Alpha", Type, 0, ""},
+		{"Alpha.A", Field, 0, ""},
+		{"Alpha16", Type, 0, ""},
+		{"Alpha16.A", Field, 0, ""},
+		{"Alpha16Model", Var, 0, ""},
+		{"AlphaModel", Var, 0, ""},
+		{"Black", Var, 0, ""},
+		{"CMYK", Type, 5, ""},
+		{"CMYK.C", Field, 5, ""},
+		{"CMYK.K", Field, 5, ""},
+		{"CMYK.M", Field, 5, ""},
+		{"CMYK.Y", Field, 5, ""},
+		{"CMYKModel", Var, 5, ""},
+		{"CMYKToRGB", Func, 5, "func(c uint8, m uint8, y uint8, k uint8) (uint8, uint8, uint8)"},
+		{"Color", Type, 0, ""},
+		{"Gray", Type, 0, ""},
+		{"Gray.Y", Field, 0, ""},
+		{"Gray16", Type, 0, ""},
+		{"Gray16.Y", Field, 0, ""},
+		{"Gray16Model", Var, 0, ""},
+		{"GrayModel", Var, 0, ""},
+		{"Model", Type, 0, ""},
+		{"ModelFunc", Func, 0, "func(f func(Color) Color) Model"},
+		{"NRGBA", Type, 0, ""},
+		{"NRGBA.A", Field, 0, ""},
+		{"NRGBA.B", Field, 0, ""},
+		{"NRGBA.G", Field, 0, ""},
+		{"NRGBA.R", Field, 0, ""},
+		{"NRGBA64", Type, 0, ""},
+		{"NRGBA64.A", Field, 0, ""},
+		{"NRGBA64.B", Field, 0, ""},
+		{"NRGBA64.G", Field, 0, ""},
+		{"NRGBA64.R", Field, 0, ""},
+		{"NRGBA64Model", Var, 0, ""},
+		{"NRGBAModel", Var, 0, ""},
+		{"NYCbCrA", Type, 6, ""},
+		{"NYCbCrA.A", Field, 6, ""},
+		{"NYCbCrA.YCbCr", Field, 6, ""},
+		{"NYCbCrAModel", Var, 6, ""},
+		{"Opaque", Var, 0, ""},
+		{"Palette", Type, 0, ""},
+		{"RGBA", Type, 0, ""},
+		{"RGBA.A", Field, 0, ""},
+		{"RGBA.B", Field, 0, ""},
+		{"RGBA.G", Field, 0, ""},
+		{"RGBA.R", Field, 0, ""},
+		{"RGBA64", Type, 0, ""},
+		{"RGBA64.A", Field, 0, ""},
+		{"RGBA64.B", Field, 0, ""},
+		{"RGBA64.G", Field, 0, ""},
+		{"RGBA64.R", Field, 0, ""},
+		{"RGBA64Model", Var, 0, ""},
+		{"RGBAModel", Var, 0, ""},
+		{"RGBToCMYK", Func, 5, "func(r uint8, g uint8, b uint8) (uint8, uint8, uint8, uint8)"},
+		{"RGBToYCbCr", Func, 0, "func(r uint8, g uint8, b uint8) (uint8, uint8, uint8)"},
+		{"Transparent", Var, 0, ""},
+		{"White", Var, 0, ""},
+		{"YCbCr", Type, 0, ""},
+		{"YCbCr.Cb", Field, 0, ""},
+		{"YCbCr.Cr", Field, 0, ""},
+		{"YCbCr.Y", Field, 0, ""},
+		{"YCbCrModel", Var, 0, ""},
+		{"YCbCrToRGB", Func, 0, "func(y uint8, cb uint8, cr uint8) (uint8, uint8, uint8)"},
+	},
+	"image/color/palette": {
+		{"Plan9", Var, 2, ""},
+		{"WebSafe", Var, 2, ""},
+	},
+	"image/draw": {
+		{"(Drawer).Draw", Method, 2, ""},
+		{"(Image).At", Method, 0, ""},
+		{"(Image).Bounds", Method, 0, ""},
+		{"(Image).ColorModel", Method, 0, ""},
+		{"(Image).Set", Method, 0, ""},
+		{"(Op).Draw", Method, 2, ""},
+		{"(Quantizer).Quantize", Method, 2, ""},
+		{"(RGBA64Image).At", Method, 17, ""},
+		{"(RGBA64Image).Bounds", Method, 17, ""},
+		{"(RGBA64Image).ColorModel", Method, 17, ""},
+		{"(RGBA64Image).RGBA64At", Method, 17, ""},
+		{"(RGBA64Image).Set", Method, 17, ""},
+		{"(RGBA64Image).SetRGBA64", Method, 17, ""},
+		{"Draw", Func, 0, "func(dst Image, r image.Rectangle, src image.Image, sp image.Point, op Op)"},
+		{"DrawMask", Func, 0, "func(dst Image, r image.Rectangle, src image.Image, sp image.Point, mask image.Image, mp image.Point, op Op)"},
+		{"Drawer", Type, 2, ""},
+		{"FloydSteinberg", Var, 2, ""},
+		{"Image", Type, 0, ""},
+		{"Op", Type, 0, ""},
+		{"Over", Const, 0, ""},
+		{"Quantizer", Type, 2, ""},
+		{"RGBA64Image", Type, 17, ""},
+		{"Src", Const, 0, ""},
+	},
+	"image/gif": {
+		{"Decode", Func, 0, "func(r io.Reader) (image.Image, error)"},
+		{"DecodeAll", Func, 0, "func(r io.Reader) (*GIF, error)"},
+		{"DecodeConfig", Func, 0, "func(r io.Reader) (image.Config, error)"},
+		{"DisposalBackground", Const, 5, ""},
+		{"DisposalNone", Const, 5, ""},
+		{"DisposalPrevious", Const, 5, ""},
+		{"Encode", Func, 2, "func(w io.Writer, m image.Image, o *Options) error"},
+		{"EncodeAll", Func, 2, "func(w io.Writer, g *GIF) error"},
+		{"GIF", Type, 0, ""},
+		{"GIF.BackgroundIndex", Field, 5, ""},
+		{"GIF.Config", Field, 5, ""},
+		{"GIF.Delay", Field, 0, ""},
+		{"GIF.Disposal", Field, 5, ""},
+		{"GIF.Image", Field, 0, ""},
+		{"GIF.LoopCount", Field, 0, ""},
+		{"Options", Type, 2, ""},
+		{"Options.Drawer", Field, 2, ""},
+		{"Options.NumColors", Field, 2, ""},
+		{"Options.Quantizer", Field, 2, ""},
+	},
+	"image/jpeg": {
+		{"(FormatError).Error", Method, 0, ""},
+		{"(Reader).Read", Method, 0, ""},
+		{"(Reader).ReadByte", Method, 0, ""},
+		{"(UnsupportedError).Error", Method, 0, ""},
+		{"Decode", Func, 0, "func(r io.Reader) (image.Image, error)"},
+		{"DecodeConfig", Func, 0, "func(r io.Reader) (image.Config, error)"},
+		{"DefaultQuality", Const, 0, ""},
+		{"Encode", Func, 0, "func(w io.Writer, m image.Image, o *Options) error"},
+		{"FormatError", Type, 0, ""},
+		{"Options", Type, 0, ""},
+		{"Options.Quality", Field, 0, ""},
+		{"Reader", Type, 0, ""},
+		{"UnsupportedError", Type, 0, ""},
+	},
+	"image/png": {
+		{"(*Encoder).Encode", Method, 4, ""},
+		{"(EncoderBufferPool).Get", Method, 9, ""},
+		{"(EncoderBufferPool).Put", Method, 9, ""},
+		{"(FormatError).Error", Method, 0, ""},
+		{"(UnsupportedError).Error", Method, 0, ""},
+		{"BestCompression", Const, 4, ""},
+		{"BestSpeed", Const, 4, ""},
+		{"CompressionLevel", Type, 4, ""},
+		{"Decode", Func, 0, "func(r io.Reader) (image.Image, error)"},
+		{"DecodeConfig", Func, 0, "func(r io.Reader) (image.Config, error)"},
+		{"DefaultCompression", Const, 4, ""},
+		{"Encode", Func, 0, "func(w io.Writer, m image.Image) error"},
+		{"Encoder", Type, 4, ""},
+		{"Encoder.BufferPool", Field, 9, ""},
+		{"Encoder.CompressionLevel", Field, 4, ""},
+		{"EncoderBuffer", Type, 9, ""},
+		{"EncoderBufferPool", Type, 9, ""},
+		{"FormatError", Type, 0, ""},
+		{"NoCompression", Const, 4, ""},
+		{"UnsupportedError", Type, 0, ""},
+	},
+	"index/suffixarray": {
+		{"(*Index).Bytes", Method, 0, ""},
+		{"(*Index).FindAllIndex", Method, 0, ""},
+		{"(*Index).Lookup", Method, 0, ""},
+		{"(*Index).Read", Method, 0, ""},
+		{"(*Index).Write", Method, 0, ""},
+		{"Index", Type, 0, ""},
+		{"New", Func, 0, "func(data []byte) *Index"},
+	},
+	"io": {
+		{"(*LimitedReader).Read", Method, 0, ""},
+		{"(*OffsetWriter).Seek", Method, 20, ""},
+		{"(*OffsetWriter).Write", Method, 20, ""},
+		{"(*OffsetWriter).WriteAt", Method, 20, ""},
+		{"(*PipeReader).Close", Method, 0, ""},
+		{"(*PipeReader).CloseWithError", Method, 0, ""},
+		{"(*PipeReader).Read", Method, 0, ""},
+		{"(*PipeWriter).Close", Method, 0, ""},
+		{"(*PipeWriter).CloseWithError", Method, 0, ""},
+		{"(*PipeWriter).Write", Method, 0, ""},
+		{"(*SectionReader).Outer", Method, 22, ""},
+		{"(*SectionReader).Read", Method, 0, ""},
+		{"(*SectionReader).ReadAt", Method, 0, ""},
+		{"(*SectionReader).Seek", Method, 0, ""},
+		{"(*SectionReader).Size", Method, 0, ""},
+		{"(ByteReader).ReadByte", Method, 0, ""},
+		{"(ByteScanner).ReadByte", Method, 0, ""},
+		{"(ByteScanner).UnreadByte", Method, 0, ""},
+		{"(ByteWriter).WriteByte", Method, 1, ""},
+		{"(Closer).Close", Method, 0, ""},
+		{"(ReadCloser).Close", Method, 0, ""},
+		{"(ReadCloser).Read", Method, 0, ""},
+		{"(ReadSeekCloser).Close", Method, 16, ""},
+		{"(ReadSeekCloser).Read", Method, 16, ""},
+		{"(ReadSeekCloser).Seek", Method, 16, ""},
+		{"(ReadSeeker).Read", Method, 0, ""},
+		{"(ReadSeeker).Seek", Method, 0, ""},
+		{"(ReadWriteCloser).Close", Method, 0, ""},
+		{"(ReadWriteCloser).Read", Method, 0, ""},
+		{"(ReadWriteCloser).Write", Method, 0, ""},
+		{"(ReadWriteSeeker).Read", Method, 0, ""},
+		{"(ReadWriteSeeker).Seek", Method, 0, ""},
+		{"(ReadWriteSeeker).Write", Method, 0, ""},
+		{"(ReadWriter).Read", Method, 0, ""},
+		{"(ReadWriter).Write", Method, 0, ""},
+		{"(Reader).Read", Method, 0, ""},
+		{"(ReaderAt).ReadAt", Method, 0, ""},
+		{"(ReaderFrom).ReadFrom", Method, 0, ""},
+		{"(RuneReader).ReadRune", Method, 0, ""},
+		{"(RuneScanner).ReadRune", Method, 0, ""},
+		{"(RuneScanner).UnreadRune", Method, 0, ""},
+		{"(Seeker).Seek", Method, 0, ""},
+		{"(StringWriter).WriteString", Method, 12, ""},
+		{"(WriteCloser).Close", Method, 0, ""},
+		{"(WriteCloser).Write", Method, 0, ""},
+		{"(WriteSeeker).Seek", Method, 0, ""},
+		{"(WriteSeeker).Write", Method, 0, ""},
+		{"(Writer).Write", Method, 0, ""},
+		{"(WriterAt).WriteAt", Method, 0, ""},
+		{"(WriterTo).WriteTo", Method, 0, ""},
+		{"ByteReader", Type, 0, ""},
+		{"ByteScanner", Type, 0, ""},
+		{"ByteWriter", Type, 1, ""},
+		{"Closer", Type, 0, ""},
+		{"Copy", Func, 0, "func(dst Writer, src Reader) (written int64, err error)"},
+		{"CopyBuffer", Func, 5, "func(dst Writer, src Reader, buf []byte) (written int64, err error)"},
+		{"CopyN", Func, 0, "func(dst Writer, src Reader, n int64) (written int64, err error)"},
+		{"Discard", Var, 16, ""},
+		{"EOF", Var, 0, ""},
+		{"ErrClosedPipe", Var, 0, ""},
+		{"ErrNoProgress", Var, 1, ""},
+		{"ErrShortBuffer", Var, 0, ""},
+		{"ErrShortWrite", Var, 0, ""},
+		{"ErrUnexpectedEOF", Var, 0, ""},
+		{"LimitReader", Func, 0, "func(r Reader, n int64) Reader"},
+		{"LimitedReader", Type, 0, ""},
+		{"LimitedReader.N", Field, 0, ""},
+		{"LimitedReader.R", Field, 0, ""},
+		{"MultiReader", Func, 0, "func(readers ...Reader) Reader"},
+		{"MultiWriter", Func, 0, "func(writers ...Writer) Writer"},
+		{"NewOffsetWriter", Func, 20, "func(w WriterAt, off int64) *OffsetWriter"},
+		{"NewSectionReader", Func, 0, "func(r ReaderAt, off int64, n int64) *SectionReader"},
+		{"NopCloser", Func, 16, "func(r Reader) ReadCloser"},
+		{"OffsetWriter", Type, 20, ""},
+		{"Pipe", Func, 0, "func() (*PipeReader, *PipeWriter)"},
+		{"PipeReader", Type, 0, ""},
+		{"PipeWriter", Type, 0, ""},
+		{"ReadAll", Func, 16, "func(r Reader) ([]byte, error)"},
+		{"ReadAtLeast", Func, 0, "func(r Reader, buf []byte, min int) (n int, err error)"},
+		{"ReadCloser", Type, 0, ""},
+		{"ReadFull", Func, 0, "func(r Reader, buf []byte) (n int, err error)"},
+		{"ReadSeekCloser", Type, 16, ""},
+		{"ReadSeeker", Type, 0, ""},
+		{"ReadWriteCloser", Type, 0, ""},
+		{"ReadWriteSeeker", Type, 0, ""},
+		{"ReadWriter", Type, 0, ""},
+		{"Reader", Type, 0, ""},
+		{"ReaderAt", Type, 0, ""},
+		{"ReaderFrom", Type, 0, ""},
+		{"RuneReader", Type, 0, ""},
+		{"RuneScanner", Type, 0, ""},
+		{"SectionReader", Type, 0, ""},
+		{"SeekCurrent", Const, 7, ""},
+		{"SeekEnd", Const, 7, ""},
+		{"SeekStart", Const, 7, ""},
+		{"Seeker", Type, 0, ""},
+		{"StringWriter", Type, 12, ""},
+		{"TeeReader", Func, 0, "func(r Reader, w Writer) Reader"},
+		{"WriteCloser", Type, 0, ""},
+		{"WriteSeeker", Type, 0, ""},
+		{"WriteString", Func, 0, "func(w Writer, s string) (n int, err error)"},
+		{"Writer", Type, 0, ""},
+		{"WriterAt", Type, 0, ""},
+		{"WriterTo", Type, 0, ""},
+	},
+	"io/fs": {
+		{"(*PathError).Error", Method, 16, ""},
+		{"(*PathError).Timeout", Method, 16, ""},
+		{"(*PathError).Unwrap", Method, 16, ""},
+		{"(DirEntry).Info", Method, 16, ""},
+		{"(DirEntry).IsDir", Method, 16, ""},
+		{"(DirEntry).Name", Method, 16, ""},
+		{"(DirEntry).Type", Method, 16, ""},
+		{"(FS).Open", Method, 16, ""},
+		{"(File).Close", Method, 16, ""},
+		{"(File).Read", Method, 16, ""},
+		{"(File).Stat", Method, 16, ""},
+		{"(FileInfo).IsDir", Method, 16, ""},
+		{"(FileInfo).ModTime", Method, 16, ""},
+		{"(FileInfo).Mode", Method, 16, ""},
+		{"(FileInfo).Name", Method, 16, ""},
+		{"(FileInfo).Size", Method, 16, ""},
+		{"(FileInfo).Sys", Method, 16, ""},
+		{"(FileMode).IsDir", Method, 16, ""},
+		{"(FileMode).IsRegular", Method, 16, ""},
+		{"(FileMode).Perm", Method, 16, ""},
+		{"(FileMode).String", Method, 16, ""},
+		{"(FileMode).Type", Method, 16, ""},
+		{"(GlobFS).Glob", Method, 16, ""},
+		{"(GlobFS).Open", Method, 16, ""},
+		{"(ReadDirFS).Open", Method, 16, ""},
+		{"(ReadDirFS).ReadDir", Method, 16, ""},
+		{"(ReadDirFile).Close", Method, 16, ""},
+		{"(ReadDirFile).Read", Method, 16, ""},
+		{"(ReadDirFile).ReadDir", Method, 16, ""},
+		{"(ReadDirFile).Stat", Method, 16, ""},
+		{"(ReadFileFS).Open", Method, 16, ""},
+		{"(ReadFileFS).ReadFile", Method, 16, ""},
+		{"(ReadLinkFS).Lstat", Method, 25, ""},
+		{"(ReadLinkFS).Open", Method, 25, ""},
+		{"(ReadLinkFS).ReadLink", Method, 25, ""},
+		{"(StatFS).Open", Method, 16, ""},
+		{"(StatFS).Stat", Method, 16, ""},
+		{"(SubFS).Open", Method, 16, ""},
+		{"(SubFS).Sub", Method, 16, ""},
+		{"DirEntry", Type, 16, ""},
+		{"ErrClosed", Var, 16, ""},
+		{"ErrExist", Var, 16, ""},
+		{"ErrInvalid", Var, 16, ""},
+		{"ErrNotExist", Var, 16, ""},
+		{"ErrPermission", Var, 16, ""},
+		{"FS", Type, 16, ""},
+		{"File", Type, 16, ""},
+		{"FileInfo", Type, 16, ""},
+		{"FileInfoToDirEntry", Func, 17, "func(info FileInfo) DirEntry"},
+		{"FileMode", Type, 16, ""},
+		{"FormatDirEntry", Func, 21, "func(dir DirEntry) string"},
+		{"FormatFileInfo", Func, 21, "func(info FileInfo) string"},
+		{"Glob", Func, 16, "func(fsys FS, pattern string) (matches []string, err error)"},
+		{"GlobFS", Type, 16, ""},
+		{"Lstat", Func, 25, "func(fsys FS, name string) (FileInfo, error)"},
+		{"ModeAppend", Const, 16, ""},
+		{"ModeCharDevice", Const, 16, ""},
+		{"ModeDevice", Const, 16, ""},
+		{"ModeDir", Const, 16, ""},
+		{"ModeExclusive", Const, 16, ""},
+		{"ModeIrregular", Const, 16, ""},
+		{"ModeNamedPipe", Const, 16, ""},
+		{"ModePerm", Const, 16, ""},
+		{"ModeSetgid", Const, 16, ""},
+		{"ModeSetuid", Const, 16, ""},
+		{"ModeSocket", Const, 16, ""},
+		{"ModeSticky", Const, 16, ""},
+		{"ModeSymlink", Const, 16, ""},
+		{"ModeTemporary", Const, 16, ""},
+		{"ModeType", Const, 16, ""},
+		{"PathError", Type, 16, ""},
+		{"PathError.Err", Field, 16, ""},
+		{"PathError.Op", Field, 16, ""},
+		{"PathError.Path", Field, 16, ""},
+		{"ReadDir", Func, 16, "func(fsys FS, name string) ([]DirEntry, error)"},
+		{"ReadDirFS", Type, 16, ""},
+		{"ReadDirFile", Type, 16, ""},
+		{"ReadFile", Func, 16, "func(fsys FS, name string) ([]byte, error)"},
+		{"ReadFileFS", Type, 16, ""},
+		{"ReadLink", Func, 25, "func(fsys FS, name string) (string, error)"},
+		{"ReadLinkFS", Type, 25, ""},
+		{"SkipAll", Var, 20, ""},
+		{"SkipDir", Var, 16, ""},
+		{"Stat", Func, 16, "func(fsys FS, name string) (FileInfo, error)"},
+		{"StatFS", Type, 16, ""},
+		{"Sub", Func, 16, "func(fsys FS, dir string) (FS, error)"},
+		{"SubFS", Type, 16, ""},
+		{"ValidPath", Func, 16, "func(name string) bool"},
+		{"WalkDir", Func, 16, "func(fsys FS, root string, fn WalkDirFunc) error"},
+		{"WalkDirFunc", Type, 16, ""},
+	},
+	"io/ioutil": {
+		{"Discard", Var, 0, ""},
+		{"NopCloser", Func, 0, "func(r io.Reader) io.ReadCloser"},
+		{"ReadAll", Func, 0, "func(r io.Reader) ([]byte, error)"},
+		{"ReadDir", Func, 0, "func(dirname string) ([]fs.FileInfo, error)"},
+		{"ReadFile", Func, 0, "func(filename string) ([]byte, error)"},
+		{"TempDir", Func, 0, "func(dir string, pattern string) (name string, err error)"},
+		{"TempFile", Func, 0, "func(dir string, pattern string) (f *os.File, err error)"},
+		{"WriteFile", Func, 0, "func(filename string, data []byte, perm fs.FileMode) error"},
+	},
+	"iter": {
+		{"Pull", Func, 23, "func[V any](seq Seq[V]) (next func() (V, bool), stop func())"},
+		{"Pull2", Func, 23, "func[K, V any](seq Seq2[K, V]) (next func() (K, V, bool), stop func())"},
+		{"Seq", Type, 23, ""},
+		{"Seq2", Type, 23, ""},
+	},
+	"log": {
+		{"(*Logger).Fatal", Method, 0, ""},
+		{"(*Logger).Fatalf", Method, 0, ""},
+		{"(*Logger).Fatalln", Method, 0, ""},
+		{"(*Logger).Flags", Method, 0, ""},
+		{"(*Logger).Output", Method, 0, ""},
+		{"(*Logger).Panic", Method, 0, ""},
+		{"(*Logger).Panicf", Method, 0, ""},
+		{"(*Logger).Panicln", Method, 0, ""},
+		{"(*Logger).Prefix", Method, 0, ""},
+		{"(*Logger).Print", Method, 0, ""},
+		{"(*Logger).Printf", Method, 0, ""},
+		{"(*Logger).Println", Method, 0, ""},
+		{"(*Logger).SetFlags", Method, 0, ""},
+		{"(*Logger).SetOutput", Method, 5, ""},
+		{"(*Logger).SetPrefix", Method, 0, ""},
+		{"(*Logger).Writer", Method, 12, ""},
+		{"Default", Func, 16, "func() *Logger"},
+		{"Fatal", Func, 0, "func(v ...any)"},
+		{"Fatalf", Func, 0, "func(format string, v ...any)"},
+		{"Fatalln", Func, 0, "func(v ...any)"},
+		{"Flags", Func, 0, "func() int"},
+		{"LUTC", Const, 5, ""},
+		{"Ldate", Const, 0, ""},
+		{"Llongfile", Const, 0, ""},
+		{"Lmicroseconds", Const, 0, ""},
+		{"Lmsgprefix", Const, 14, ""},
+		{"Logger", Type, 0, ""},
+		{"Lshortfile", Const, 0, ""},
+		{"LstdFlags", Const, 0, ""},
+		{"Ltime", Const, 0, ""},
+		{"New", Func, 0, "func(out io.Writer, prefix string, flag int) *Logger"},
+		{"Output", Func, 5, "func(calldepth int, s string) error"},
+		{"Panic", Func, 0, "func(v ...any)"},
+		{"Panicf", Func, 0, "func(format string, v ...any)"},
+		{"Panicln", Func, 0, "func(v ...any)"},
+		{"Prefix", Func, 0, "func() string"},
+		{"Print", Func, 0, "func(v ...any)"},
+		{"Printf", Func, 0, "func(format string, v ...any)"},
+		{"Println", Func, 0, "func(v ...any)"},
+		{"SetFlags", Func, 0, "func(flag int)"},
+		{"SetOutput", Func, 0, "func(w io.Writer)"},
+		{"SetPrefix", Func, 0, "func(prefix string)"},
+		{"Writer", Func, 13, "func() io.Writer"},
+	},
+	"log/slog": {
+		{"(*JSONHandler).Enabled", Method, 21, ""},
+		{"(*JSONHandler).Handle", Method, 21, ""},
+		{"(*JSONHandler).WithAttrs", Method, 21, ""},
+		{"(*JSONHandler).WithGroup", Method, 21, ""},
+		{"(*Level).UnmarshalJSON", Method, 21, ""},
+		{"(*Level).UnmarshalText", Method, 21, ""},
+		{"(*LevelVar).AppendText", Method, 24, ""},
+		{"(*LevelVar).Level", Method, 21, ""},
+		{"(*LevelVar).MarshalText", Method, 21, ""},
+		{"(*LevelVar).Set", Method, 21, ""},
+		{"(*LevelVar).String", Method, 21, ""},
+		{"(*LevelVar).UnmarshalText", Method, 21, ""},
+		{"(*Logger).Debug", Method, 21, ""},
+		{"(*Logger).DebugContext", Method, 21, ""},
+		{"(*Logger).Enabled", Method, 21, ""},
+		{"(*Logger).Error", Method, 21, ""},
+		{"(*Logger).ErrorContext", Method, 21, ""},
+		{"(*Logger).Handler", Method, 21, ""},
+		{"(*Logger).Info", Method, 21, ""},
+		{"(*Logger).InfoContext", Method, 21, ""},
+		{"(*Logger).Log", Method, 21, ""},
+		{"(*Logger).LogAttrs", Method, 21, ""},
+		{"(*Logger).Warn", Method, 21, ""},
+		{"(*Logger).WarnContext", Method, 21, ""},
+		{"(*Logger).With", Method, 21, ""},
+		{"(*Logger).WithGroup", Method, 21, ""},
+		{"(*MultiHandler).Enabled", Method, 26, ""},
+		{"(*MultiHandler).Handle", Method, 26, ""},
+		{"(*MultiHandler).WithAttrs", Method, 26, ""},
+		{"(*MultiHandler).WithGroup", Method, 26, ""},
+		{"(*Record).Add", Method, 21, ""},
+		{"(*Record).AddAttrs", Method, 21, ""},
+		{"(*TextHandler).Enabled", Method, 21, ""},
+		{"(*TextHandler).Handle", Method, 21, ""},
+		{"(*TextHandler).WithAttrs", Method, 21, ""},
+		{"(*TextHandler).WithGroup", Method, 21, ""},
+		{"(Attr).Equal", Method, 21, ""},
+		{"(Attr).String", Method, 21, ""},
+		{"(Handler).Enabled", Method, 21, ""},
+		{"(Handler).Handle", Method, 21, ""},
+		{"(Handler).WithAttrs", Method, 21, ""},
+		{"(Handler).WithGroup", Method, 21, ""},
+		{"(Kind).String", Method, 21, ""},
+		{"(Level).AppendText", Method, 24, ""},
+		{"(Level).Level", Method, 21, ""},
+		{"(Level).MarshalJSON", Method, 21, ""},
+		{"(Level).MarshalText", Method, 21, ""},
+		{"(Level).String", Method, 21, ""},
+		{"(Leveler).Level", Method, 21, ""},
+		{"(LogValuer).LogValue", Method, 21, ""},
+		{"(Record).Attrs", Method, 21, ""},
+		{"(Record).Clone", Method, 21, ""},
+		{"(Record).NumAttrs", Method, 21, ""},
+		{"(Record).Source", Method, 25, ""},
+		{"(Value).Any", Method, 21, ""},
+		{"(Value).Bool", Method, 21, ""},
+		{"(Value).Duration", Method, 21, ""},
+		{"(Value).Equal", Method, 21, ""},
+		{"(Value).Float64", Method, 21, ""},
+		{"(Value).Group", Method, 21, ""},
+		{"(Value).Int64", Method, 21, ""},
+		{"(Value).Kind", Method, 21, ""},
+		{"(Value).LogValuer", Method, 21, ""},
+		{"(Value).Resolve", Method, 21, ""},
+		{"(Value).String", Method, 21, ""},
+		{"(Value).Time", Method, 21, ""},
+		{"(Value).Uint64", Method, 21, ""},
+		{"Any", Func, 21, "func(key string, value any) Attr"},
+		{"AnyValue", Func, 21, "func(v any) Value"},
+		{"Attr", Type, 21, ""},
+		{"Attr.Key", Field, 21, ""},
+		{"Attr.Value", Field, 21, ""},
+		{"Bool", Func, 21, "func(key string, v bool) Attr"},
+		{"BoolValue", Func, 21, "func(v bool) Value"},
+		{"Debug", Func, 21, "func(msg string, args ...any)"},
+		{"DebugContext", Func, 21, "func(ctx context.Context, msg string, args ...any)"},
+		{"Default", Func, 21, "func() *Logger"},
+		{"DiscardHandler", Var, 24, ""},
+		{"Duration", Func, 21, "func(key string, v time.Duration) Attr"},
+		{"DurationValue", Func, 21, "func(v time.Duration) Value"},
+		{"Error", Func, 21, "func(msg string, args ...any)"},
+		{"ErrorContext", Func, 21, "func(ctx context.Context, msg string, args ...any)"},
+		{"Float64", Func, 21, "func(key string, v float64) Attr"},
+		{"Float64Value", Func, 21, "func(v float64) Value"},
+		{"Group", Func, 21, "func(key string, args ...any) Attr"},
+		{"GroupAttrs", Func, 25, "func(key string, attrs ...Attr) Attr"},
+		{"GroupValue", Func, 21, "func(as ...Attr) Value"},
+		{"Handler", Type, 21, ""},
+		{"HandlerOptions", Type, 21, ""},
+		{"HandlerOptions.AddSource", Field, 21, ""},
+		{"HandlerOptions.Level", Field, 21, ""},
+		{"HandlerOptions.ReplaceAttr", Field, 21, ""},
+		{"Info", Func, 21, "func(msg string, args ...any)"},
+		{"InfoContext", Func, 21, "func(ctx context.Context, msg string, args ...any)"},
+		{"Int", Func, 21, "func(key string, value int) Attr"},
+		{"Int64", Func, 21, "func(key string, value int64) Attr"},
+		{"Int64Value", Func, 21, "func(v int64) Value"},
+		{"IntValue", Func, 21, "func(v int) Value"},
+		{"JSONHandler", Type, 21, ""},
+		{"Kind", Type, 21, ""},
+		{"KindAny", Const, 21, ""},
+		{"KindBool", Const, 21, ""},
+		{"KindDuration", Const, 21, ""},
+		{"KindFloat64", Const, 21, ""},
+		{"KindGroup", Const, 21, ""},
+		{"KindInt64", Const, 21, ""},
+		{"KindLogValuer", Const, 21, ""},
+		{"KindString", Const, 21, ""},
+		{"KindTime", Const, 21, ""},
+		{"KindUint64", Const, 21, ""},
+		{"Level", Type, 21, ""},
+		{"LevelDebug", Const, 21, ""},
+		{"LevelError", Const, 21, ""},
+		{"LevelInfo", Const, 21, ""},
+		{"LevelKey", Const, 21, ""},
+		{"LevelVar", Type, 21, ""},
+		{"LevelWarn", Const, 21, ""},
+		{"Leveler", Type, 21, ""},
+		{"Log", Func, 21, "func(ctx context.Context, level Level, msg string, args ...any)"},
+		{"LogAttrs", Func, 21, "func(ctx context.Context, level Level, msg string, attrs ...Attr)"},
+		{"LogValuer", Type, 21, ""},
+		{"Logger", Type, 21, ""},
+		{"MessageKey", Const, 21, ""},
+		{"MultiHandler", Type, 26, ""},
+		{"New", Func, 21, "func(h Handler) *Logger"},
+		{"NewJSONHandler", Func, 21, "func(w io.Writer, opts *HandlerOptions) *JSONHandler"},
+		{"NewLogLogger", Func, 21, "func(h Handler, level Level) *log.Logger"},
+		{"NewMultiHandler", Func, 26, "func(handlers ...Handler) *MultiHandler"},
+		{"NewRecord", Func, 21, "func(t time.Time, level Level, msg string, pc uintptr) Record"},
+		{"NewTextHandler", Func, 21, "func(w io.Writer, opts *HandlerOptions) *TextHandler"},
+		{"Record", Type, 21, ""},
+		{"Record.Level", Field, 21, ""},
+		{"Record.Message", Field, 21, ""},
+		{"Record.PC", Field, 21, ""},
+		{"Record.Time", Field, 21, ""},
+		{"SetDefault", Func, 21, "func(l *Logger)"},
+		{"SetLogLoggerLevel", Func, 22, "func(level Level) (oldLevel Level)"},
+		{"Source", Type, 21, ""},
+		{"Source.File", Field, 21, ""},
+		{"Source.Function", Field, 21, ""},
+		{"Source.Line", Field, 21, ""},
+		{"SourceKey", Const, 21, ""},
+		{"String", Func, 21, "func(key string, value string) Attr"},
+		{"StringValue", Func, 21, "func(value string) Value"},
+		{"TextHandler", Type, 21, ""},
+		{"Time", Func, 21, "func(key string, v time.Time) Attr"},
+		{"TimeKey", Const, 21, ""},
+		{"TimeValue", Func, 21, "func(v time.Time) Value"},
+		{"Uint64", Func, 21, "func(key string, v uint64) Attr"},
+		{"Uint64Value", Func, 21, "func(v uint64) Value"},
+		{"Value", Type, 21, ""},
+		{"Warn", Func, 21, "func(msg string, args ...any)"},
+		{"WarnContext", Func, 21, "func(ctx context.Context, msg string, args ...any)"},
+		{"With", Func, 21, "func(args ...any) *Logger"},
+	},
+	"log/syslog": {
+		{"(*Writer).Alert", Method, 0, ""},
+		{"(*Writer).Close", Method, 0, ""},
+		{"(*Writer).Crit", Method, 0, ""},
+		{"(*Writer).Debug", Method, 0, ""},
+		{"(*Writer).Emerg", Method, 0, ""},
+		{"(*Writer).Err", Method, 0, ""},
+		{"(*Writer).Info", Method, 0, ""},
+		{"(*Writer).Notice", Method, 0, ""},
+		{"(*Writer).Warning", Method, 0, ""},
+		{"(*Writer).Write", Method, 0, ""},
+		{"Dial", Func, 0, "func(network string, raddr string, priority Priority, tag string) (*Writer, error)"},
+		{"LOG_ALERT", Const, 0, ""},
+		{"LOG_AUTH", Const, 1, ""},
+		{"LOG_AUTHPRIV", Const, 1, ""},
+		{"LOG_CRIT", Const, 0, ""},
+		{"LOG_CRON", Const, 1, ""},
+		{"LOG_DAEMON", Const, 1, ""},
+		{"LOG_DEBUG", Const, 0, ""},
+		{"LOG_EMERG", Const, 0, ""},
+		{"LOG_ERR", Const, 0, ""},
+		{"LOG_FTP", Const, 1, ""},
+		{"LOG_INFO", Const, 0, ""},
+		{"LOG_KERN", Const, 1, ""},
+		{"LOG_LOCAL0", Const, 1, ""},
+		{"LOG_LOCAL1", Const, 1, ""},
+		{"LOG_LOCAL2", Const, 1, ""},
+		{"LOG_LOCAL3", Const, 1, ""},
+		{"LOG_LOCAL4", Const, 1, ""},
+		{"LOG_LOCAL5", Const, 1, ""},
+		{"LOG_LOCAL6", Const, 1, ""},
+		{"LOG_LOCAL7", Const, 1, ""},
+		{"LOG_LPR", Const, 1, ""},
+		{"LOG_MAIL", Const, 1, ""},
+		{"LOG_NEWS", Const, 1, ""},
+		{"LOG_NOTICE", Const, 0, ""},
+		{"LOG_SYSLOG", Const, 1, ""},
+		{"LOG_USER", Const, 1, ""},
+		{"LOG_UUCP", Const, 1, ""},
+		{"LOG_WARNING", Const, 0, ""},
+		{"New", Func, 0, "func(priority Priority, tag string) (*Writer, error)"},
+		{"NewLogger", Func, 0, "func(p Priority, logFlag int) (*log.Logger, error)"},
+		{"Priority", Type, 0, ""},
+		{"Writer", Type, 0, ""},
+	},
+	"maps": {
+		{"All", Func, 23, "func[Map ~map[K]V, K comparable, V any](m Map) iter.Seq2[K, V]"},
+		{"Clone", Func, 21, "func[M ~map[K]V, K comparable, V any](m M) M"},
+		{"Collect", Func, 23, "func[K comparable, V any](seq iter.Seq2[K, V]) map[K]V"},
+		{"Copy", Func, 21, "func[M1 ~map[K]V, M2 ~map[K]V, K comparable, V any](dst M1, src M2)"},
+		{"DeleteFunc", Func, 21, "func[M ~map[K]V, K comparable, V any](m M, del func(K, V) bool)"},
+		{"Equal", Func, 21, "func[M1, M2 ~map[K]V, K, V comparable](m1 M1, m2 M2) bool"},
+		{"EqualFunc", Func, 21, "func[M1 ~map[K]V1, M2 ~map[K]V2, K comparable, V1, V2 any](m1 M1, m2 M2, eq func(V1, V2) bool) bool"},
+		{"Insert", Func, 23, "func[Map ~map[K]V, K comparable, V any](m Map, seq iter.Seq2[K, V])"},
+		{"Keys", Func, 23, "func[Map ~map[K]V, K comparable, V any](m Map) iter.Seq[K]"},
+		{"Values", Func, 23, "func[Map ~map[K]V, K comparable, V any](m Map) iter.Seq[V]"},
+	},
+	"math": {
+		{"Abs", Func, 0, "func(x float64) float64"},
+		{"Acos", Func, 0, "func(x float64) float64"},
+		{"Acosh", Func, 0, "func(x float64) float64"},
+		{"Asin", Func, 0, "func(x float64) float64"},
+		{"Asinh", Func, 0, "func(x float64) float64"},
+		{"Atan", Func, 0, "func(x float64) float64"},
+		{"Atan2", Func, 0, "func(y float64, x float64) float64"},
+		{"Atanh", Func, 0, "func(x float64) float64"},
+		{"Cbrt", Func, 0, "func(x float64) float64"},
+		{"Ceil", Func, 0, "func(x float64) float64"},
+		{"Copysign", Func, 0, "func(f float64, sign float64) float64"},
+		{"Cos", Func, 0, "func(x float64) float64"},
+		{"Cosh", Func, 0, "func(x float64) float64"},
+		{"Dim", Func, 0, "func(x float64, y float64) float64"},
+		{"E", Const, 0, ""},
+		{"Erf", Func, 0, "func(x float64) float64"},
+		{"Erfc", Func, 0, "func(x float64) float64"},
+		{"Erfcinv", Func, 10, "func(x float64) float64"},
+		{"Erfinv", Func, 10, "func(x float64) float64"},
+		{"Exp", Func, 0, "func(x float64) float64"},
+		{"Exp2", Func, 0, "func(x float64) float64"},
+		{"Expm1", Func, 0, "func(x float64) float64"},
+		{"FMA", Func, 14, "func(x float64, y float64, z float64) float64"},
+		{"Float32bits", Func, 0, "func(f float32) uint32"},
+		{"Float32frombits", Func, 0, "func(b uint32) float32"},
+		{"Float64bits", Func, 0, "func(f float64) uint64"},
+		{"Float64frombits", Func, 0, "func(b uint64) float64"},
+		{"Floor", Func, 0, "func(x float64) float64"},
+		{"Frexp", Func, 0, "func(f float64) (frac float64, exp int)"},
+		{"Gamma", Func, 0, "func(x float64) float64"},
+		{"Hypot", Func, 0, "func(p float64, q float64) float64"},
+		{"Ilogb", Func, 0, "func(x float64) int"},
+		{"Inf", Func, 0, "func(sign int) float64"},
+		{"IsInf", Func, 0, "func(f float64, sign int) bool"},
+		{"IsNaN", Func, 0, "func(f float64) (is bool)"},
+		{"J0", Func, 0, "func(x float64) float64"},
+		{"J1", Func, 0, "func(x float64) float64"},
+		{"Jn", Func, 0, "func(n int, x float64) float64"},
+		{"Ldexp", Func, 0, "func(frac float64, exp int) float64"},
+		{"Lgamma", Func, 0, "func(x float64) (lgamma float64, sign int)"},
+		{"Ln10", Const, 0, ""},
+		{"Ln2", Const, 0, ""},
+		{"Log", Func, 0, "func(x float64) float64"},
+		{"Log10", Func, 0, "func(x float64) float64"},
+		{"Log10E", Const, 0, ""},
+		{"Log1p", Func, 0, "func(x float64) float64"},
+		{"Log2", Func, 0, "func(x float64) float64"},
+		{"Log2E", Const, 0, ""},
+		{"Logb", Func, 0, "func(x float64) float64"},
+		{"Max", Func, 0, "func(x float64, y float64) float64"},
+		{"MaxFloat32", Const, 0, ""},
+		{"MaxFloat64", Const, 0, ""},
+		{"MaxInt", Const, 17, ""},
+		{"MaxInt16", Const, 0, ""},
+		{"MaxInt32", Const, 0, ""},
+		{"MaxInt64", Const, 0, ""},
+		{"MaxInt8", Const, 0, ""},
+		{"MaxUint", Const, 17, ""},
+		{"MaxUint16", Const, 0, ""},
+		{"MaxUint32", Const, 0, ""},
+		{"MaxUint64", Const, 0, ""},
+		{"MaxUint8", Const, 0, ""},
+		{"Min", Func, 0, "func(x float64, y float64) float64"},
+		{"MinInt", Const, 17, ""},
+		{"MinInt16", Const, 0, ""},
+		{"MinInt32", Const, 0, ""},
+		{"MinInt64", Const, 0, ""},
+		{"MinInt8", Const, 0, ""},
+		{"Mod", Func, 0, "func(x float64, y float64) float64"},
+		{"Modf", Func, 0, "func(f float64) (integer float64, fractional float64)"},
+		{"NaN", Func, 0, "func() float64"},
+		{"Nextafter", Func, 0, "func(x float64, y float64) (r float64)"},
+		{"Nextafter32", Func, 4, "func(x float32, y float32) (r float32)"},
+		{"Phi", Const, 0, ""},
+		{"Pi", Const, 0, ""},
+		{"Pow", Func, 0, "func(x float64, y float64) float64"},
+		{"Pow10", Func, 0, "func(n int) float64"},
+		{"Remainder", Func, 0, "func(x float64, y float64) float64"},
+		{"Round", Func, 10, "func(x float64) float64"},
+		{"RoundToEven", Func, 10, "func(x float64) float64"},
+		{"Signbit", Func, 0, "func(x float64) bool"},
+		{"Sin", Func, 0, "func(x float64) float64"},
+		{"Sincos", Func, 0, "func(x float64) (sin float64, cos float64)"},
+		{"Sinh", Func, 0, "func(x float64) float64"},
+		{"SmallestNonzeroFloat32", Const, 0, ""},
+		{"SmallestNonzeroFloat64", Const, 0, ""},
+		{"Sqrt", Func, 0, "func(x float64) float64"},
+		{"Sqrt2", Const, 0, ""},
+		{"SqrtE", Const, 0, ""},
+		{"SqrtPhi", Const, 0, ""},
+		{"SqrtPi", Const, 0, ""},
+		{"Tan", Func, 0, "func(x float64) float64"},
+		{"Tanh", Func, 0, "func(x float64) float64"},
+		{"Trunc", Func, 0, "func(x float64) float64"},
+		{"Y0", Func, 0, "func(x float64) float64"},
+		{"Y1", Func, 0, "func(x float64) float64"},
+		{"Yn", Func, 0, "func(n int, x float64) float64"},
+	},
+	"math/big": {
+		{"(*Float).Abs", Method, 5, ""},
+		{"(*Float).Acc", Method, 5, ""},
+		{"(*Float).Add", Method, 5, ""},
+		{"(*Float).Append", Method, 5, ""},
+		{"(*Float).AppendText", Method, 24, ""},
+		{"(*Float).Cmp", Method, 5, ""},
+		{"(*Float).Copy", Method, 5, ""},
+		{"(*Float).Float32", Method, 5, ""},
+		{"(*Float).Float64", Method, 5, ""},
+		{"(*Float).Format", Method, 5, ""},
+		{"(*Float).GobDecode", Method, 7, ""},
+		{"(*Float).GobEncode", Method, 7, ""},
+		{"(*Float).Int", Method, 5, ""},
+		{"(*Float).Int64", Method, 5, ""},
+		{"(*Float).IsInf", Method, 5, ""},
+		{"(*Float).IsInt", Method, 5, ""},
+		{"(*Float).MantExp", Method, 5, ""},
+		{"(*Float).MarshalText", Method, 6, ""},
+		{"(*Float).MinPrec", Method, 5, ""},
+		{"(*Float).Mode", Method, 5, ""},
+		{"(*Float).Mul", Method, 5, ""},
+		{"(*Float).Neg", Method, 5, ""},
+		{"(*Float).Parse", Method, 5, ""},
+		{"(*Float).Prec", Method, 5, ""},
+		{"(*Float).Quo", Method, 5, ""},
+		{"(*Float).Rat", Method, 5, ""},
+		{"(*Float).Scan", Method, 8, ""},
+		{"(*Float).Set", Method, 5, ""},
+		{"(*Float).SetFloat64", Method, 5, ""},
+		{"(*Float).SetInf", Method, 5, ""},
+		{"(*Float).SetInt", Method, 5, ""},
+		{"(*Float).SetInt64", Method, 5, ""},
+		{"(*Float).SetMantExp", Method, 5, ""},
+		{"(*Float).SetMode", Method, 5, ""},
+		{"(*Float).SetPrec", Method, 5, ""},
+		{"(*Float).SetRat", Method, 5, ""},
+		{"(*Float).SetString", Method, 5, ""},
+		{"(*Float).SetUint64", Method, 5, ""},
+		{"(*Float).Sign", Method, 5, ""},
+		{"(*Float).Signbit", Method, 5, ""},
+		{"(*Float).Sqrt", Method, 10, ""},
+		{"(*Float).String", Method, 5, ""},
+		{"(*Float).Sub", Method, 5, ""},
+		{"(*Float).Text", Method, 5, ""},
+		{"(*Float).Uint64", Method, 5, ""},
+		{"(*Float).UnmarshalText", Method, 6, ""},
+		{"(*Int).Abs", Method, 0, ""},
+		{"(*Int).Add", Method, 0, ""},
+		{"(*Int).And", Method, 0, ""},
+		{"(*Int).AndNot", Method, 0, ""},
+		{"(*Int).Append", Method, 6, ""},
+		{"(*Int).AppendText", Method, 24, ""},
+		{"(*Int).Binomial", Method, 0, ""},
+		{"(*Int).Bit", Method, 0, ""},
+		{"(*Int).BitLen", Method, 0, ""},
+		{"(*Int).Bits", Method, 0, ""},
+		{"(*Int).Bytes", Method, 0, ""},
+		{"(*Int).Cmp", Method, 0, ""},
+		{"(*Int).CmpAbs", Method, 10, ""},
+		{"(*Int).Div", Method, 0, ""},
+		{"(*Int).DivMod", Method, 0, ""},
+		{"(*Int).Exp", Method, 0, ""},
+		{"(*Int).FillBytes", Method, 15, ""},
+		{"(*Int).Float64", Method, 21, ""},
+		{"(*Int).Format", Method, 0, ""},
+		{"(*Int).GCD", Method, 0, ""},
+		{"(*Int).GobDecode", Method, 0, ""},
+		{"(*Int).GobEncode", Method, 0, ""},
+		{"(*Int).Int64", Method, 0, ""},
+		{"(*Int).IsInt64", Method, 9, ""},
+		{"(*Int).IsUint64", Method, 9, ""},
+		{"(*Int).Lsh", Method, 0, ""},
+		{"(*Int).MarshalJSON", Method, 1, ""},
+		{"(*Int).MarshalText", Method, 3, ""},
+		{"(*Int).Mod", Method, 0, ""},
+		{"(*Int).ModInverse", Method, 0, ""},
+		{"(*Int).ModSqrt", Method, 5, ""},
+		{"(*Int).Mul", Method, 0, ""},
+		{"(*Int).MulRange", Method, 0, ""},
+		{"(*Int).Neg", Method, 0, ""},
+		{"(*Int).Not", Method, 0, ""},
+		{"(*Int).Or", Method, 0, ""},
+		{"(*Int).ProbablyPrime", Method, 0, ""},
+		{"(*Int).Quo", Method, 0, ""},
+		{"(*Int).QuoRem", Method, 0, ""},
+		{"(*Int).Rand", Method, 0, ""},
+		{"(*Int).Rem", Method, 0, ""},
+		{"(*Int).Rsh", Method, 0, ""},
+		{"(*Int).Scan", Method, 0, ""},
+		{"(*Int).Set", Method, 0, ""},
+		{"(*Int).SetBit", Method, 0, ""},
+		{"(*Int).SetBits", Method, 0, ""},
+		{"(*Int).SetBytes", Method, 0, ""},
+		{"(*Int).SetInt64", Method, 0, ""},
+		{"(*Int).SetString", Method, 0, ""},
+		{"(*Int).SetUint64", Method, 1, ""},
+		{"(*Int).Sign", Method, 0, ""},
+		{"(*Int).Sqrt", Method, 8, ""},
+		{"(*Int).String", Method, 0, ""},
+		{"(*Int).Sub", Method, 0, ""},
+		{"(*Int).Text", Method, 6, ""},
+		{"(*Int).TrailingZeroBits", Method, 13, ""},
+		{"(*Int).Uint64", Method, 1, ""},
+		{"(*Int).UnmarshalJSON", Method, 1, ""},
+		{"(*Int).UnmarshalText", Method, 3, ""},
+		{"(*Int).Xor", Method, 0, ""},
+		{"(*Rat).Abs", Method, 0, ""},
+		{"(*Rat).Add", Method, 0, ""},
+		{"(*Rat).AppendText", Method, 24, ""},
+		{"(*Rat).Cmp", Method, 0, ""},
+		{"(*Rat).Denom", Method, 0, ""},
+		{"(*Rat).Float32", Method, 4, ""},
+		{"(*Rat).Float64", Method, 1, ""},
+		{"(*Rat).FloatPrec", Method, 22, ""},
+		{"(*Rat).FloatString", Method, 0, ""},
+		{"(*Rat).GobDecode", Method, 0, ""},
+		{"(*Rat).GobEncode", Method, 0, ""},
+		{"(*Rat).Inv", Method, 0, ""},
+		{"(*Rat).IsInt", Method, 0, ""},
+		{"(*Rat).MarshalText", Method, 3, ""},
+		{"(*Rat).Mul", Method, 0, ""},
+		{"(*Rat).Neg", Method, 0, ""},
+		{"(*Rat).Num", Method, 0, ""},
+		{"(*Rat).Quo", Method, 0, ""},
+		{"(*Rat).RatString", Method, 0, ""},
+		{"(*Rat).Scan", Method, 0, ""},
+		{"(*Rat).Set", Method, 0, ""},
+		{"(*Rat).SetFloat64", Method, 1, ""},
+		{"(*Rat).SetFrac", Method, 0, ""},
+		{"(*Rat).SetFrac64", Method, 0, ""},
+		{"(*Rat).SetInt", Method, 0, ""},
+		{"(*Rat).SetInt64", Method, 0, ""},
+		{"(*Rat).SetString", Method, 0, ""},
+		{"(*Rat).SetUint64", Method, 13, ""},
+		{"(*Rat).Sign", Method, 0, ""},
+		{"(*Rat).String", Method, 0, ""},
+		{"(*Rat).Sub", Method, 0, ""},
+		{"(*Rat).UnmarshalText", Method, 3, ""},
+		{"(Accuracy).String", Method, 5, ""},
+		{"(ErrNaN).Error", Method, 5, ""},
+		{"(RoundingMode).String", Method, 5, ""},
+		{"Above", Const, 5, ""},
+		{"Accuracy", Type, 5, ""},
+		{"AwayFromZero", Const, 5, ""},
+		{"Below", Const, 5, ""},
+		{"ErrNaN", Type, 5, ""},
+		{"Exact", Const, 5, ""},
+		{"Float", Type, 5, ""},
+		{"Int", Type, 0, ""},
+		{"Jacobi", Func, 5, "func(x *Int, y *Int) int"},
+		{"MaxBase", Const, 0, ""},
+		{"MaxExp", Const, 5, ""},
+		{"MaxPrec", Const, 5, ""},
+		{"MinExp", Const, 5, ""},
+		{"NewFloat", Func, 5, "func(x float64) *Float"},
+		{"NewInt", Func, 0, "func(x int64) *Int"},
+		{"NewRat", Func, 0, "func(a int64, b int64) *Rat"},
+		{"ParseFloat", Func, 5, "func(s string, base int, prec uint, mode RoundingMode) (f *Float, b int, err error)"},
+		{"Rat", Type, 0, ""},
+		{"RoundingMode", Type, 5, ""},
+		{"ToNearestAway", Const, 5, ""},
+		{"ToNearestEven", Const, 5, ""},
+		{"ToNegativeInf", Const, 5, ""},
+		{"ToPositiveInf", Const, 5, ""},
+		{"ToZero", Const, 5, ""},
+		{"Word", Type, 0, ""},
+	},
+	"math/bits": {
+		{"Add", Func, 12, "func(x uint, y uint, carry uint) (sum uint, carryOut uint)"},
+		{"Add32", Func, 12, "func(x uint32, y uint32, carry uint32) (sum uint32, carryOut uint32)"},
+		{"Add64", Func, 12, "func(x uint64, y uint64, carry uint64) (sum uint64, carryOut uint64)"},
+		{"Div", Func, 12, "func(hi uint, lo uint, y uint) (quo uint, rem uint)"},
+		{"Div32", Func, 12, "func(hi uint32, lo uint32, y uint32) (quo uint32, rem uint32)"},
+		{"Div64", Func, 12, "func(hi uint64, lo uint64, y uint64) (quo uint64, rem uint64)"},
+		{"LeadingZeros", Func, 9, "func(x uint) int"},
+		{"LeadingZeros16", Func, 9, "func(x uint16) int"},
+		{"LeadingZeros32", Func, 9, "func(x uint32) int"},
+		{"LeadingZeros64", Func, 9, "func(x uint64) int"},
+		{"LeadingZeros8", Func, 9, "func(x uint8) int"},
+		{"Len", Func, 9, "func(x uint) int"},
+		{"Len16", Func, 9, "func(x uint16) (n int)"},
+		{"Len32", Func, 9, "func(x uint32) (n int)"},
+		{"Len64", Func, 9, "func(x uint64) (n int)"},
+		{"Len8", Func, 9, "func(x uint8) int"},
+		{"Mul", Func, 12, "func(x uint, y uint) (hi uint, lo uint)"},
+		{"Mul32", Func, 12, "func(x uint32, y uint32) (hi uint32, lo uint32)"},
+		{"Mul64", Func, 12, "func(x uint64, y uint64) (hi uint64, lo uint64)"},
+		{"OnesCount", Func, 9, "func(x uint) int"},
+		{"OnesCount16", Func, 9, "func(x uint16) int"},
+		{"OnesCount32", Func, 9, "func(x uint32) int"},
+		{"OnesCount64", Func, 9, "func(x uint64) int"},
+		{"OnesCount8", Func, 9, "func(x uint8) int"},
+		{"Rem", Func, 14, "func(hi uint, lo uint, y uint) uint"},
+		{"Rem32", Func, 14, "func(hi uint32, lo uint32, y uint32) uint32"},
+		{"Rem64", Func, 14, "func(hi uint64, lo uint64, y uint64) uint64"},
+		{"Reverse", Func, 9, "func(x uint) uint"},
+		{"Reverse16", Func, 9, "func(x uint16) uint16"},
+		{"Reverse32", Func, 9, "func(x uint32) uint32"},
+		{"Reverse64", Func, 9, "func(x uint64) uint64"},
+		{"Reverse8", Func, 9, "func(x uint8) uint8"},
+		{"ReverseBytes", Func, 9, "func(x uint) uint"},
+		{"ReverseBytes16", Func, 9, "func(x uint16) uint16"},
+		{"ReverseBytes32", Func, 9, "func(x uint32) uint32"},
+		{"ReverseBytes64", Func, 9, "func(x uint64) uint64"},
+		{"RotateLeft", Func, 9, "func(x uint, k int) uint"},
+		{"RotateLeft16", Func, 9, "func(x uint16, k int) uint16"},
+		{"RotateLeft32", Func, 9, "func(x uint32, k int) uint32"},
+		{"RotateLeft64", Func, 9, "func(x uint64, k int) uint64"},
+		{"RotateLeft8", Func, 9, "func(x uint8, k int) uint8"},
+		{"Sub", Func, 12, "func(x uint, y uint, borrow uint) (diff uint, borrowOut uint)"},
+		{"Sub32", Func, 12, "func(x uint32, y uint32, borrow uint32) (diff uint32, borrowOut uint32)"},
+		{"Sub64", Func, 12, "func(x uint64, y uint64, borrow uint64) (diff uint64, borrowOut uint64)"},
+		{"TrailingZeros", Func, 9, "func(x uint) int"},
+		{"TrailingZeros16", Func, 9, "func(x uint16) int"},
+		{"TrailingZeros32", Func, 9, "func(x uint32) int"},
+		{"TrailingZeros64", Func, 9, "func(x uint64) int"},
+		{"TrailingZeros8", Func, 9, "func(x uint8) int"},
+		{"UintSize", Const, 9, ""},
+	},
+	"math/cmplx": {
+		{"Abs", Func, 0, "func(x complex128) float64"},
+		{"Acos", Func, 0, "func(x complex128) complex128"},
+		{"Acosh", Func, 0, "func(x complex128) complex128"},
+		{"Asin", Func, 0, "func(x complex128) complex128"},
+		{"Asinh", Func, 0, "func(x complex128) complex128"},
+		{"Atan", Func, 0, "func(x complex128) complex128"},
+		{"Atanh", Func, 0, "func(x complex128) complex128"},
+		{"Conj", Func, 0, "func(x complex128) complex128"},
+		{"Cos", Func, 0, "func(x complex128) complex128"},
+		{"Cosh", Func, 0, "func(x complex128) complex128"},
+		{"Cot", Func, 0, "func(x complex128) complex128"},
+		{"Exp", Func, 0, "func(x complex128) complex128"},
+		{"Inf", Func, 0, "func() complex128"},
+		{"IsInf", Func, 0, "func(x complex128) bool"},
+		{"IsNaN", Func, 0, "func(x complex128) bool"},
+		{"Log", Func, 0, "func(x complex128) complex128"},
+		{"Log10", Func, 0, "func(x complex128) complex128"},
+		{"NaN", Func, 0, "func() complex128"},
+		{"Phase", Func, 0, "func(x complex128) float64"},
+		{"Polar", Func, 0, "func(x complex128) (r float64, θ float64)"},
+		{"Pow", Func, 0, "func(x complex128, y complex128) complex128"},
+		{"Rect", Func, 0, "func(r float64, θ float64) complex128"},
+		{"Sin", Func, 0, "func(x complex128) complex128"},
+		{"Sinh", Func, 0, "func(x complex128) complex128"},
+		{"Sqrt", Func, 0, "func(x complex128) complex128"},
+		{"Tan", Func, 0, "func(x complex128) complex128"},
+		{"Tanh", Func, 0, "func(x complex128) complex128"},
+	},
+	"math/rand": {
+		{"(*Rand).ExpFloat64", Method, 0, ""},
+		{"(*Rand).Float32", Method, 0, ""},
+		{"(*Rand).Float64", Method, 0, ""},
+		{"(*Rand).Int", Method, 0, ""},
+		{"(*Rand).Int31", Method, 0, ""},
+		{"(*Rand).Int31n", Method, 0, ""},
+		{"(*Rand).Int63", Method, 0, ""},
+		{"(*Rand).Int63n", Method, 0, ""},
+		{"(*Rand).Intn", Method, 0, ""},
+		{"(*Rand).NormFloat64", Method, 0, ""},
+		{"(*Rand).Perm", Method, 0, ""},
+		{"(*Rand).Read", Method, 6, ""},
+		{"(*Rand).Seed", Method, 0, ""},
+		{"(*Rand).Shuffle", Method, 10, ""},
+		{"(*Rand).Uint32", Method, 0, ""},
+		{"(*Rand).Uint64", Method, 8, ""},
+		{"(*Zipf).Uint64", Method, 0, ""},
+		{"(Source).Int63", Method, 0, ""},
+		{"(Source).Seed", Method, 0, ""},
+		{"(Source64).Int63", Method, 8, ""},
+		{"(Source64).Seed", Method, 8, ""},
+		{"(Source64).Uint64", Method, 8, ""},
+		{"ExpFloat64", Func, 0, "func() float64"},
+		{"Float32", Func, 0, "func() float32"},
+		{"Float64", Func, 0, "func() float64"},
+		{"Int", Func, 0, "func() int"},
+		{"Int31", Func, 0, "func() int32"},
+		{"Int31n", Func, 0, "func(n int32) int32"},
+		{"Int63", Func, 0, "func() int64"},
+		{"Int63n", Func, 0, "func(n int64) int64"},
+		{"Intn", Func, 0, "func(n int) int"},
+		{"New", Func, 0, "func(src Source) *Rand"},
+		{"NewSource", Func, 0, "func(seed int64) Source"},
+		{"NewZipf", Func, 0, "func(r *Rand, s float64, v float64, imax uint64) *Zipf"},
+		{"NormFloat64", Func, 0, "func() float64"},
+		{"Perm", Func, 0, "func(n int) []int"},
+		{"Rand", Type, 0, ""},
+		{"Read", Func, 6, "func(p []byte) (n int, err error)"},
+		{"Seed", Func, 0, "func(seed int64)"},
+		{"Shuffle", Func, 10, "func(n int, swap func(i int, j int))"},
+		{"Source", Type, 0, ""},
+		{"Source64", Type, 8, ""},
+		{"Uint32", Func, 0, "func() uint32"},
+		{"Uint64", Func, 8, "func() uint64"},
+		{"Zipf", Type, 0, ""},
+	},
+	"math/rand/v2": {
+		{"(*ChaCha8).AppendBinary", Method, 24, ""},
+		{"(*ChaCha8).MarshalBinary", Method, 22, ""},
+		{"(*ChaCha8).Read", Method, 23, ""},
+		{"(*ChaCha8).Seed", Method, 22, ""},
+		{"(*ChaCha8).Uint64", Method, 22, ""},
+		{"(*ChaCha8).UnmarshalBinary", Method, 22, ""},
+		{"(*PCG).AppendBinary", Method, 24, ""},
+		{"(*PCG).MarshalBinary", Method, 22, ""},
+		{"(*PCG).Seed", Method, 22, ""},
+		{"(*PCG).Uint64", Method, 22, ""},
+		{"(*PCG).UnmarshalBinary", Method, 22, ""},
+		{"(*Rand).ExpFloat64", Method, 22, ""},
+		{"(*Rand).Float32", Method, 22, ""},
+		{"(*Rand).Float64", Method, 22, ""},
+		{"(*Rand).Int", Method, 22, ""},
+		{"(*Rand).Int32", Method, 22, ""},
+		{"(*Rand).Int32N", Method, 22, ""},
+		{"(*Rand).Int64", Method, 22, ""},
+		{"(*Rand).Int64N", Method, 22, ""},
+		{"(*Rand).IntN", Method, 22, ""},
+		{"(*Rand).NormFloat64", Method, 22, ""},
+		{"(*Rand).Perm", Method, 22, ""},
+		{"(*Rand).Shuffle", Method, 22, ""},
+		{"(*Rand).Uint", Method, 23, ""},
+		{"(*Rand).Uint32", Method, 22, ""},
+		{"(*Rand).Uint32N", Method, 22, ""},
+		{"(*Rand).Uint64", Method, 22, ""},
+		{"(*Rand).Uint64N", Method, 22, ""},
+		{"(*Rand).UintN", Method, 22, ""},
+		{"(*Zipf).Uint64", Method, 22, ""},
+		{"(Source).Uint64", Method, 22, ""},
+		{"ChaCha8", Type, 22, ""},
+		{"ExpFloat64", Func, 22, "func() float64"},
+		{"Float32", Func, 22, "func() float32"},
+		{"Float64", Func, 22, "func() float64"},
+		{"Int", Func, 22, "func() int"},
+		{"Int32", Func, 22, "func() int32"},
+		{"Int32N", Func, 22, "func(n int32) int32"},
+		{"Int64", Func, 22, "func() int64"},
+		{"Int64N", Func, 22, "func(n int64) int64"},
+		{"IntN", Func, 22, "func(n int) int"},
+		{"N", Func, 22, "func[Int intType](n Int) Int"},
+		{"New", Func, 22, "func(src Source) *Rand"},
+		{"NewChaCha8", Func, 22, "func(seed [32]byte) *ChaCha8"},
+		{"NewPCG", Func, 22, "func(seed1 uint64, seed2 uint64) *PCG"},
+		{"NewZipf", Func, 22, "func(r *Rand, s float64, v float64, imax uint64) *Zipf"},
+		{"NormFloat64", Func, 22, "func() float64"},
+		{"PCG", Type, 22, ""},
+		{"Perm", Func, 22, "func(n int) []int"},
+		{"Rand", Type, 22, ""},
+		{"Shuffle", Func, 22, "func(n int, swap func(i int, j int))"},
+		{"Source", Type, 22, ""},
+		{"Uint", Func, 23, "func() uint"},
+		{"Uint32", Func, 22, "func() uint32"},
+		{"Uint32N", Func, 22, "func(n uint32) uint32"},
+		{"Uint64", Func, 22, "func() uint64"},
+		{"Uint64N", Func, 22, "func(n uint64) uint64"},
+		{"UintN", Func, 22, "func(n uint) uint"},
+		{"Zipf", Type, 22, ""},
+	},
+	"mime": {
+		{"(*WordDecoder).Decode", Method, 5, ""},
+		{"(*WordDecoder).DecodeHeader", Method, 5, ""},
+		{"(WordEncoder).Encode", Method, 5, ""},
+		{"AddExtensionType", Func, 0, "func(ext string, typ string) error"},
+		{"BEncoding", Const, 5, ""},
+		{"ErrInvalidMediaParameter", Var, 9, ""},
+		{"ExtensionsByType", Func, 5, "func(typ string) ([]string, error)"},
+		{"FormatMediaType", Func, 0, "func(t string, param map[string]string) string"},
+		{"ParseMediaType", Func, 0, "func(v string) (mediatype string, params map[string]string, err error)"},
+		{"QEncoding", Const, 5, ""},
+		{"TypeByExtension", Func, 0, "func(ext string) string"},
+		{"WordDecoder", Type, 5, ""},
+		{"WordDecoder.CharsetReader", Field, 5, ""},
+		{"WordEncoder", Type, 5, ""},
+	},
+	"mime/multipart": {
+		{"(*FileHeader).Open", Method, 0, ""},
+		{"(*Form).RemoveAll", Method, 0, ""},
+		{"(*Part).Close", Method, 0, ""},
+		{"(*Part).FileName", Method, 0, ""},
+		{"(*Part).FormName", Method, 0, ""},
+		{"(*Part).Read", Method, 0, ""},
+		{"(*Reader).NextPart", Method, 0, ""},
+		{"(*Reader).NextRawPart", Method, 14, ""},
+		{"(*Reader).ReadForm", Method, 0, ""},
+		{"(*Writer).Boundary", Method, 0, ""},
+		{"(*Writer).Close", Method, 0, ""},
+		{"(*Writer).CreateFormField", Method, 0, ""},
+		{"(*Writer).CreateFormFile", Method, 0, ""},
+		{"(*Writer).CreatePart", Method, 0, ""},
+		{"(*Writer).FormDataContentType", Method, 0, ""},
+		{"(*Writer).SetBoundary", Method, 1, ""},
+		{"(*Writer).WriteField", Method, 0, ""},
+		{"(File).Close", Method, 0, ""},
+		{"(File).Read", Method, 0, ""},
+		{"(File).ReadAt", Method, 0, ""},
+		{"(File).Seek", Method, 0, ""},
+		{"ErrMessageTooLarge", Var, 9, ""},
+		{"File", Type, 0, ""},
+		{"FileContentDisposition", Func, 25, "func(fieldname string, filename string) string"},
+		{"FileHeader", Type, 0, ""},
+		{"FileHeader.Filename", Field, 0, ""},
+		{"FileHeader.Header", Field, 0, ""},
+		{"FileHeader.Size", Field, 9, ""},
+		{"Form", Type, 0, ""},
+		{"Form.File", Field, 0, ""},
+		{"Form.Value", Field, 0, ""},
+		{"NewReader", Func, 0, "func(r io.Reader, boundary string) *Reader"},
+		{"NewWriter", Func, 0, "func(w io.Writer) *Writer"},
+		{"Part", Type, 0, ""},
+		{"Part.Header", Field, 0, ""},
+		{"Reader", Type, 0, ""},
+		{"Writer", Type, 0, ""},
+	},
+	"mime/quotedprintable": {
+		{"(*Reader).Read", Method, 5, ""},
+		{"(*Writer).Close", Method, 5, ""},
+		{"(*Writer).Write", Method, 5, ""},
+		{"NewReader", Func, 5, "func(r io.Reader) *Reader"},
+		{"NewWriter", Func, 5, "func(w io.Writer) *Writer"},
+		{"Reader", Type, 5, ""},
+		{"Writer", Type, 5, ""},
+		{"Writer.Binary", Field, 5, ""},
+	},
+	"net": {
+		{"(*AddrError).Error", Method, 0, ""},
+		{"(*AddrError).Temporary", Method, 0, ""},
+		{"(*AddrError).Timeout", Method, 0, ""},
+		{"(*Buffers).Read", Method, 8, ""},
+		{"(*Buffers).WriteTo", Method, 8, ""},
+		{"(*DNSConfigError).Error", Method, 0, ""},
+		{"(*DNSConfigError).Temporary", Method, 0, ""},
+		{"(*DNSConfigError).Timeout", Method, 0, ""},
+		{"(*DNSConfigError).Unwrap", Method, 13, ""},
+		{"(*DNSError).Error", Method, 0, ""},
+		{"(*DNSError).Temporary", Method, 0, ""},
+		{"(*DNSError).Timeout", Method, 0, ""},
+		{"(*DNSError).Unwrap", Method, 23, ""},
+		{"(*Dialer).Dial", Method, 1, ""},
+		{"(*Dialer).DialContext", Method, 7, ""},
+		{"(*Dialer).DialIP", Method, 26, ""},
+		{"(*Dialer).DialTCP", Method, 26, ""},
+		{"(*Dialer).DialUDP", Method, 26, ""},
+		{"(*Dialer).DialUnix", Method, 26, ""},
+		{"(*Dialer).MultipathTCP", Method, 21, ""},
+		{"(*Dialer).SetMultipathTCP", Method, 21, ""},
+		{"(*IP).UnmarshalText", Method, 2, ""},
+		{"(*IPAddr).Network", Method, 0, ""},
+		{"(*IPAddr).String", Method, 0, ""},
+		{"(*IPConn).Close", Method, 0, ""},
+		{"(*IPConn).File", Method, 0, ""},
+		{"(*IPConn).LocalAddr", Method, 0, ""},
+		{"(*IPConn).Read", Method, 0, ""},
+		{"(*IPConn).ReadFrom", Method, 0, ""},
+		{"(*IPConn).ReadFromIP", Method, 0, ""},
+		{"(*IPConn).ReadMsgIP", Method, 1, ""},
+		{"(*IPConn).RemoteAddr", Method, 0, ""},
+		{"(*IPConn).SetDeadline", Method, 0, ""},
+		{"(*IPConn).SetReadBuffer", Method, 0, ""},
+		{"(*IPConn).SetReadDeadline", Method, 0, ""},
+		{"(*IPConn).SetWriteBuffer", Method, 0, ""},
+		{"(*IPConn).SetWriteDeadline", Method, 0, ""},
+		{"(*IPConn).SyscallConn", Method, 9, ""},
+		{"(*IPConn).Write", Method, 0, ""},
+		{"(*IPConn).WriteMsgIP", Method, 1, ""},
+		{"(*IPConn).WriteTo", Method, 0, ""},
+		{"(*IPConn).WriteToIP", Method, 0, ""},
+		{"(*IPNet).Contains", Method, 0, ""},
+		{"(*IPNet).Network", Method, 0, ""},
+		{"(*IPNet).String", Method, 0, ""},
+		{"(*Interface).Addrs", Method, 0, ""},
+		{"(*Interface).MulticastAddrs", Method, 0, ""},
+		{"(*ListenConfig).Listen", Method, 11, ""},
+		{"(*ListenConfig).ListenPacket", Method, 11, ""},
+		{"(*ListenConfig).MultipathTCP", Method, 21, ""},
+		{"(*ListenConfig).SetMultipathTCP", Method, 21, ""},
+		{"(*OpError).Error", Method, 0, ""},
+		{"(*OpError).Temporary", Method, 0, ""},
+		{"(*OpError).Timeout", Method, 0, ""},
+		{"(*OpError).Unwrap", Method, 13, ""},
+		{"(*ParseError).Error", Method, 0, ""},
+		{"(*ParseError).Temporary", Method, 17, ""},
+		{"(*ParseError).Timeout", Method, 17, ""},
+		{"(*Resolver).LookupAddr", Method, 8, ""},
+		{"(*Resolver).LookupCNAME", Method, 8, ""},
+		{"(*Resolver).LookupHost", Method, 8, ""},
+		{"(*Resolver).LookupIP", Method, 15, ""},
+		{"(*Resolver).LookupIPAddr", Method, 8, ""},
+		{"(*Resolver).LookupMX", Method, 8, ""},
+		{"(*Resolver).LookupNS", Method, 8, ""},
+		{"(*Resolver).LookupNetIP", Method, 18, ""},
+		{"(*Resolver).LookupPort", Method, 8, ""},
+		{"(*Resolver).LookupSRV", Method, 8, ""},
+		{"(*Resolver).LookupTXT", Method, 8, ""},
+		{"(*TCPAddr).AddrPort", Method, 18, ""},
+		{"(*TCPAddr).Network", Method, 0, ""},
+		{"(*TCPAddr).String", Method, 0, ""},
+		{"(*TCPConn).Close", Method, 0, ""},
+		{"(*TCPConn).CloseRead", Method, 0, ""},
+		{"(*TCPConn).CloseWrite", Method, 0, ""},
+		{"(*TCPConn).File", Method, 0, ""},
+		{"(*TCPConn).LocalAddr", Method, 0, ""},
+		{"(*TCPConn).MultipathTCP", Method, 21, ""},
+		{"(*TCPConn).Read", Method, 0, ""},
+		{"(*TCPConn).ReadFrom", Method, 0, ""},
+		{"(*TCPConn).RemoteAddr", Method, 0, ""},
+		{"(*TCPConn).SetDeadline", Method, 0, ""},
+		{"(*TCPConn).SetKeepAlive", Method, 0, ""},
+		{"(*TCPConn).SetKeepAliveConfig", Method, 23, ""},
+		{"(*TCPConn).SetKeepAlivePeriod", Method, 2, ""},
+		{"(*TCPConn).SetLinger", Method, 0, ""},
+		{"(*TCPConn).SetNoDelay", Method, 0, ""},
+		{"(*TCPConn).SetReadBuffer", Method, 0, ""},
+		{"(*TCPConn).SetReadDeadline", Method, 0, ""},
+		{"(*TCPConn).SetWriteBuffer", Method, 0, ""},
+		{"(*TCPConn).SetWriteDeadline", Method, 0, ""},
+		{"(*TCPConn).SyscallConn", Method, 9, ""},
+		{"(*TCPConn).Write", Method, 0, ""},
+		{"(*TCPConn).WriteTo", Method, 22, ""},
+		{"(*TCPListener).Accept", Method, 0, ""},
+		{"(*TCPListener).AcceptTCP", Method, 0, ""},
+		{"(*TCPListener).Addr", Method, 0, ""},
+		{"(*TCPListener).Close", Method, 0, ""},
+		{"(*TCPListener).File", Method, 0, ""},
+		{"(*TCPListener).SetDeadline", Method, 0, ""},
+		{"(*TCPListener).SyscallConn", Method, 10, ""},
+		{"(*UDPAddr).AddrPort", Method, 18, ""},
+		{"(*UDPAddr).Network", Method, 0, ""},
+		{"(*UDPAddr).String", Method, 0, ""},
+		{"(*UDPConn).Close", Method, 0, ""},
+		{"(*UDPConn).File", Method, 0, ""},
+		{"(*UDPConn).LocalAddr", Method, 0, ""},
+		{"(*UDPConn).Read", Method, 0, ""},
+		{"(*UDPConn).ReadFrom", Method, 0, ""},
+		{"(*UDPConn).ReadFromUDP", Method, 0, ""},
+		{"(*UDPConn).ReadFromUDPAddrPort", Method, 18, ""},
+		{"(*UDPConn).ReadMsgUDP", Method, 1, ""},
+		{"(*UDPConn).ReadMsgUDPAddrPort", Method, 18, ""},
+		{"(*UDPConn).RemoteAddr", Method, 0, ""},
+		{"(*UDPConn).SetDeadline", Method, 0, ""},
+		{"(*UDPConn).SetReadBuffer", Method, 0, ""},
+		{"(*UDPConn).SetReadDeadline", Method, 0, ""},
+		{"(*UDPConn).SetWriteBuffer", Method, 0, ""},
+		{"(*UDPConn).SetWriteDeadline", Method, 0, ""},
+		{"(*UDPConn).SyscallConn", Method, 9, ""},
+		{"(*UDPConn).Write", Method, 0, ""},
+		{"(*UDPConn).WriteMsgUDP", Method, 1, ""},
+		{"(*UDPConn).WriteMsgUDPAddrPort", Method, 18, ""},
+		{"(*UDPConn).WriteTo", Method, 0, ""},
+		{"(*UDPConn).WriteToUDP", Method, 0, ""},
+		{"(*UDPConn).WriteToUDPAddrPort", Method, 18, ""},
+		{"(*UnixAddr).Network", Method, 0, ""},
+		{"(*UnixAddr).String", Method, 0, ""},
+		{"(*UnixConn).Close", Method, 0, ""},
+		{"(*UnixConn).CloseRead", Method, 1, ""},
+		{"(*UnixConn).CloseWrite", Method, 1, ""},
+		{"(*UnixConn).File", Method, 0, ""},
+		{"(*UnixConn).LocalAddr", Method, 0, ""},
+		{"(*UnixConn).Read", Method, 0, ""},
+		{"(*UnixConn).ReadFrom", Method, 0, ""},
+		{"(*UnixConn).ReadFromUnix", Method, 0, ""},
+		{"(*UnixConn).ReadMsgUnix", Method, 0, ""},
+		{"(*UnixConn).RemoteAddr", Method, 0, ""},
+		{"(*UnixConn).SetDeadline", Method, 0, ""},
+		{"(*UnixConn).SetReadBuffer", Method, 0, ""},
+		{"(*UnixConn).SetReadDeadline", Method, 0, ""},
+		{"(*UnixConn).SetWriteBuffer", Method, 0, ""},
+		{"(*UnixConn).SetWriteDeadline", Method, 0, ""},
+		{"(*UnixConn).SyscallConn", Method, 9, ""},
+		{"(*UnixConn).Write", Method, 0, ""},
+		{"(*UnixConn).WriteMsgUnix", Method, 0, ""},
+		{"(*UnixConn).WriteTo", Method, 0, ""},
+		{"(*UnixConn).WriteToUnix", Method, 0, ""},
+		{"(*UnixListener).Accept", Method, 0, ""},
+		{"(*UnixListener).AcceptUnix", Method, 0, ""},
+		{"(*UnixListener).Addr", Method, 0, ""},
+		{"(*UnixListener).Close", Method, 0, ""},
+		{"(*UnixListener).File", Method, 0, ""},
+		{"(*UnixListener).SetDeadline", Method, 0, ""},
+		{"(*UnixListener).SetUnlinkOnClose", Method, 8, ""},
+		{"(*UnixListener).SyscallConn", Method, 10, ""},
+		{"(Addr).Network", Method, 0, ""},
+		{"(Addr).String", Method, 0, ""},
+		{"(Conn).Close", Method, 0, ""},
+		{"(Conn).LocalAddr", Method, 0, ""},
+		{"(Conn).Read", Method, 0, ""},
+		{"(Conn).RemoteAddr", Method, 0, ""},
+		{"(Conn).SetDeadline", Method, 0, ""},
+		{"(Conn).SetReadDeadline", Method, 0, ""},
+		{"(Conn).SetWriteDeadline", Method, 0, ""},
+		{"(Conn).Write", Method, 0, ""},
+		{"(Error).Error", Method, 0, ""},
+		{"(Error).Temporary", Method, 0, ""},
+		{"(Error).Timeout", Method, 0, ""},
+		{"(Flags).String", Method, 0, ""},
+		{"(HardwareAddr).String", Method, 0, ""},
+		{"(IP).AppendText", Method, 24, ""},
+		{"(IP).DefaultMask", Method, 0, ""},
+		{"(IP).Equal", Method, 0, ""},
+		{"(IP).IsGlobalUnicast", Method, 0, ""},
+		{"(IP).IsInterfaceLocalMulticast", Method, 0, ""},
+		{"(IP).IsLinkLocalMulticast", Method, 0, ""},
+		{"(IP).IsLinkLocalUnicast", Method, 0, ""},
+		{"(IP).IsLoopback", Method, 0, ""},
+		{"(IP).IsMulticast", Method, 0, ""},
+		{"(IP).IsPrivate", Method, 17, ""},
+		{"(IP).IsUnspecified", Method, 0, ""},
+		{"(IP).MarshalText", Method, 2, ""},
+		{"(IP).Mask", Method, 0, ""},
+		{"(IP).String", Method, 0, ""},
+		{"(IP).To16", Method, 0, ""},
+		{"(IP).To4", Method, 0, ""},
+		{"(IPMask).Size", Method, 0, ""},
+		{"(IPMask).String", Method, 0, ""},
+		{"(InvalidAddrError).Error", Method, 0, ""},
+		{"(InvalidAddrError).Temporary", Method, 0, ""},
+		{"(InvalidAddrError).Timeout", Method, 0, ""},
+		{"(Listener).Accept", Method, 0, ""},
+		{"(Listener).Addr", Method, 0, ""},
+		{"(Listener).Close", Method, 0, ""},
+		{"(PacketConn).Close", Method, 0, ""},
+		{"(PacketConn).LocalAddr", Method, 0, ""},
+		{"(PacketConn).ReadFrom", Method, 0, ""},
+		{"(PacketConn).SetDeadline", Method, 0, ""},
+		{"(PacketConn).SetReadDeadline", Method, 0, ""},
+		{"(PacketConn).SetWriteDeadline", Method, 0, ""},
+		{"(PacketConn).WriteTo", Method, 0, ""},
+		{"(UnknownNetworkError).Error", Method, 0, ""},
+		{"(UnknownNetworkError).Temporary", Method, 0, ""},
+		{"(UnknownNetworkError).Timeout", Method, 0, ""},
+		{"Addr", Type, 0, ""},
+		{"AddrError", Type, 0, ""},
+		{"AddrError.Addr", Field, 0, ""},
+		{"AddrError.Err", Field, 0, ""},
+		{"Buffers", Type, 8, ""},
+		{"CIDRMask", Func, 0, "func(ones int, bits int) IPMask"},
+		{"Conn", Type, 0, ""},
+		{"DNSConfigError", Type, 0, ""},
+		{"DNSConfigError.Err", Field, 0, ""},
+		{"DNSError", Type, 0, ""},
+		{"DNSError.Err", Field, 0, ""},
+		{"DNSError.IsNotFound", Field, 13, ""},
+		{"DNSError.IsTemporary", Field, 6, ""},
+		{"DNSError.IsTimeout", Field, 0, ""},
+		{"DNSError.Name", Field, 0, ""},
+		{"DNSError.Server", Field, 0, ""},
+		{"DNSError.UnwrapErr", Field, 23, ""},
+		{"DefaultResolver", Var, 8, ""},
+		{"Dial", Func, 0, "func(network string, address string) (Conn, error)"},
+		{"DialIP", Func, 0, "func(network string, laddr *IPAddr, raddr *IPAddr) (*IPConn, error)"},
+		{"DialTCP", Func, 0, "func(network string, laddr *TCPAddr, raddr *TCPAddr) (*TCPConn, error)"},
+		{"DialTimeout", Func, 0, "func(network string, address string, timeout time.Duration) (Conn, error)"},
+		{"DialUDP", Func, 0, "func(network string, laddr *UDPAddr, raddr *UDPAddr) (*UDPConn, error)"},
+		{"DialUnix", Func, 0, "func(network string, laddr *UnixAddr, raddr *UnixAddr) (*UnixConn, error)"},
+		{"Dialer", Type, 1, ""},
+		{"Dialer.Cancel", Field, 6, ""},
+		{"Dialer.Control", Field, 11, ""},
+		{"Dialer.ControlContext", Field, 20, ""},
+		{"Dialer.Deadline", Field, 1, ""},
+		{"Dialer.DualStack", Field, 2, ""},
+		{"Dialer.FallbackDelay", Field, 5, ""},
+		{"Dialer.KeepAlive", Field, 3, ""},
+		{"Dialer.KeepAliveConfig", Field, 23, ""},
+		{"Dialer.LocalAddr", Field, 1, ""},
+		{"Dialer.Resolver", Field, 8, ""},
+		{"Dialer.Timeout", Field, 1, ""},
+		{"ErrClosed", Var, 16, ""},
+		{"ErrWriteToConnected", Var, 0, ""},
+		{"Error", Type, 0, ""},
+		{"FileConn", Func, 0, "func(f *os.File) (c Conn, err error)"},
+		{"FileListener", Func, 0, "func(f *os.File) (ln Listener, err error)"},
+		{"FilePacketConn", Func, 0, "func(f *os.File) (c PacketConn, err error)"},
+		{"FlagBroadcast", Const, 0, ""},
+		{"FlagLoopback", Const, 0, ""},
+		{"FlagMulticast", Const, 0, ""},
+		{"FlagPointToPoint", Const, 0, ""},
+		{"FlagRunning", Const, 20, ""},
+		{"FlagUp", Const, 0, ""},
+		{"Flags", Type, 0, ""},
+		{"HardwareAddr", Type, 0, ""},
+		{"IP", Type, 0, ""},
+		{"IPAddr", Type, 0, ""},
+		{"IPAddr.IP", Field, 0, ""},
+		{"IPAddr.Zone", Field, 1, ""},
+		{"IPConn", Type, 0, ""},
+		{"IPMask", Type, 0, ""},
+		{"IPNet", Type, 0, ""},
+		{"IPNet.IP", Field, 0, ""},
+		{"IPNet.Mask", Field, 0, ""},
+		{"IPv4", Func, 0, "func(a byte, b byte, c byte, d byte) IP"},
+		{"IPv4Mask", Func, 0, "func(a byte, b byte, c byte, d byte) IPMask"},
+		{"IPv4allrouter", Var, 0, ""},
+		{"IPv4allsys", Var, 0, ""},
+		{"IPv4bcast", Var, 0, ""},
+		{"IPv4len", Const, 0, ""},
+		{"IPv4zero", Var, 0, ""},
+		{"IPv6interfacelocalallnodes", Var, 0, ""},
+		{"IPv6len", Const, 0, ""},
+		{"IPv6linklocalallnodes", Var, 0, ""},
+		{"IPv6linklocalallrouters", Var, 0, ""},
+		{"IPv6loopback", Var, 0, ""},
+		{"IPv6unspecified", Var, 0, ""},
+		{"IPv6zero", Var, 0, ""},
+		{"Interface", Type, 0, ""},
+		{"Interface.Flags", Field, 0, ""},
+		{"Interface.HardwareAddr", Field, 0, ""},
+		{"Interface.Index", Field, 0, ""},
+		{"Interface.MTU", Field, 0, ""},
+		{"Interface.Name", Field, 0, ""},
+		{"InterfaceAddrs", Func, 0, "func() ([]Addr, error)"},
+		{"InterfaceByIndex", Func, 0, "func(index int) (*Interface, error)"},
+		{"InterfaceByName", Func, 0, "func(name string) (*Interface, error)"},
+		{"Interfaces", Func, 0, "func() ([]Interface, error)"},
+		{"InvalidAddrError", Type, 0, ""},
+		{"JoinHostPort", Func, 0, "func(host string, port string) string"},
+		{"KeepAliveConfig", Type, 23, ""},
+		{"KeepAliveConfig.Count", Field, 23, ""},
+		{"KeepAliveConfig.Enable", Field, 23, ""},
+		{"KeepAliveConfig.Idle", Field, 23, ""},
+		{"KeepAliveConfig.Interval", Field, 23, ""},
+		{"Listen", Func, 0, "func(network string, address string) (Listener, error)"},
+		{"ListenConfig", Type, 11, ""},
+		{"ListenConfig.Control", Field, 11, ""},
+		{"ListenConfig.KeepAlive", Field, 13, ""},
+		{"ListenConfig.KeepAliveConfig", Field, 23, ""},
+		{"ListenIP", Func, 0, "func(network string, laddr *IPAddr) (*IPConn, error)"},
+		{"ListenMulticastUDP", Func, 0, "func(network string, ifi *Interface, gaddr *UDPAddr) (*UDPConn, error)"},
+		{"ListenPacket", Func, 0, "func(network string, address string) (PacketConn, error)"},
+		{"ListenTCP", Func, 0, "func(network string, laddr *TCPAddr) (*TCPListener, error)"},
+		{"ListenUDP", Func, 0, "func(network string, laddr *UDPAddr) (*UDPConn, error)"},
+		{"ListenUnix", Func, 0, "func(network string, laddr *UnixAddr) (*UnixListener, error)"},
+		{"ListenUnixgram", Func, 0, "func(network string, laddr *UnixAddr) (*UnixConn, error)"},
+		{"Listener", Type, 0, ""},
+		{"LookupAddr", Func, 0, "func(addr string) (names []string, err error)"},
+		{"LookupCNAME", Func, 0, "func(host string) (cname string, err error)"},
+		{"LookupHost", Func, 0, "func(host string) (addrs []string, err error)"},
+		{"LookupIP", Func, 0, "func(host string) ([]IP, error)"},
+		{"LookupMX", Func, 0, "func(name string) ([]*MX, error)"},
+		{"LookupNS", Func, 1, "func(name string) ([]*NS, error)"},
+		{"LookupPort", Func, 0, "func(network string, service string) (port int, err error)"},
+		{"LookupSRV", Func, 0, "func(service string, proto string, name string) (cname string, addrs []*SRV, err error)"},
+		{"LookupTXT", Func, 0, "func(name string) ([]string, error)"},
+		{"MX", Type, 0, ""},
+		{"MX.Host", Field, 0, ""},
+		{"MX.Pref", Field, 0, ""},
+		{"NS", Type, 1, ""},
+		{"NS.Host", Field, 1, ""},
+		{"OpError", Type, 0, ""},
+		{"OpError.Addr", Field, 0, ""},
+		{"OpError.Err", Field, 0, ""},
+		{"OpError.Net", Field, 0, ""},
+		{"OpError.Op", Field, 0, ""},
+		{"OpError.Source", Field, 5, ""},
+		{"PacketConn", Type, 0, ""},
+		{"ParseCIDR", Func, 0, "func(s string) (IP, *IPNet, error)"},
+		{"ParseError", Type, 0, ""},
+		{"ParseError.Text", Field, 0, ""},
+		{"ParseError.Type", Field, 0, ""},
+		{"ParseIP", Func, 0, "func(s string) IP"},
+		{"ParseMAC", Func, 0, "func(s string) (hw HardwareAddr, err error)"},
+		{"Pipe", Func, 0, "func() (Conn, Conn)"},
+		{"ResolveIPAddr", Func, 0, "func(network string, address string) (*IPAddr, error)"},
+		{"ResolveTCPAddr", Func, 0, "func(network string, address string) (*TCPAddr, error)"},
+		{"ResolveUDPAddr", Func, 0, "func(network string, address string) (*UDPAddr, error)"},
+		{"ResolveUnixAddr", Func, 0, "func(network string, address string) (*UnixAddr, error)"},
+		{"Resolver", Type, 8, ""},
+		{"Resolver.Dial", Field, 9, ""},
+		{"Resolver.PreferGo", Field, 8, ""},
+		{"Resolver.StrictErrors", Field, 9, ""},
+		{"SRV", Type, 0, ""},
+		{"SRV.Port", Field, 0, ""},
+		{"SRV.Priority", Field, 0, ""},
+		{"SRV.Target", Field, 0, ""},
+		{"SRV.Weight", Field, 0, ""},
+		{"SplitHostPort", Func, 0, "func(hostport string) (host string, port string, err error)"},
+		{"TCPAddr", Type, 0, ""},
+		{"TCPAddr.IP", Field, 0, ""},
+		{"TCPAddr.Port", Field, 0, ""},
+		{"TCPAddr.Zone", Field, 1, ""},
+		{"TCPAddrFromAddrPort", Func, 18, "func(addr netip.AddrPort) *TCPAddr"},
+		{"TCPConn", Type, 0, ""},
+		{"TCPListener", Type, 0, ""},
+		{"UDPAddr", Type, 0, ""},
+		{"UDPAddr.IP", Field, 0, ""},
+		{"UDPAddr.Port", Field, 0, ""},
+		{"UDPAddr.Zone", Field, 1, ""},
+		{"UDPAddrFromAddrPort", Func, 18, "func(addr netip.AddrPort) *UDPAddr"},
+		{"UDPConn", Type, 0, ""},
+		{"UnixAddr", Type, 0, ""},
+		{"UnixAddr.Name", Field, 0, ""},
+		{"UnixAddr.Net", Field, 0, ""},
+		{"UnixConn", Type, 0, ""},
+		{"UnixListener", Type, 0, ""},
+		{"UnknownNetworkError", Type, 0, ""},
+	},
+	"net/http": {
+		{"(*Client).CloseIdleConnections", Method, 12, ""},
+		{"(*Client).Do", Method, 0, ""},
+		{"(*Client).Get", Method, 0, ""},
+		{"(*Client).Head", Method, 0, ""},
+		{"(*Client).Post", Method, 0, ""},
+		{"(*Client).PostForm", Method, 0, ""},
+		{"(*ClientConn).Available", Method, 26, ""},
+		{"(*ClientConn).Close", Method, 26, ""},
+		{"(*ClientConn).Err", Method, 26, ""},
+		{"(*ClientConn).InFlight", Method, 26, ""},
+		{"(*ClientConn).Release", Method, 26, ""},
+		{"(*ClientConn).Reserve", Method, 26, ""},
+		{"(*ClientConn).RoundTrip", Method, 26, ""},
+		{"(*ClientConn).SetStateHook", Method, 26, ""},
+		{"(*Cookie).String", Method, 0, ""},
+		{"(*Cookie).Valid", Method, 18, ""},
+		{"(*CrossOriginProtection).AddInsecureBypassPattern", Method, 25, ""},
+		{"(*CrossOriginProtection).AddTrustedOrigin", Method, 25, ""},
+		{"(*CrossOriginProtection).Check", Method, 25, ""},
+		{"(*CrossOriginProtection).Handler", Method, 25, ""},
+		{"(*CrossOriginProtection).SetDenyHandler", Method, 25, ""},
+		{"(*MaxBytesError).Error", Method, 19, ""},
+		{"(*ProtocolError).Error", Method, 0, ""},
+		{"(*ProtocolError).Is", Method, 21, ""},
+		{"(*Protocols).SetHTTP1", Method, 24, ""},
+		{"(*Protocols).SetHTTP2", Method, 24, ""},
+		{"(*Protocols).SetUnencryptedHTTP2", Method, 24, ""},
+		{"(*Request).AddCookie", Method, 0, ""},
+		{"(*Request).BasicAuth", Method, 4, ""},
+		{"(*Request).Clone", Method, 13, ""},
+		{"(*Request).Context", Method, 7, ""},
+		{"(*Request).Cookie", Method, 0, ""},
+		{"(*Request).Cookies", Method, 0, ""},
+		{"(*Request).CookiesNamed", Method, 23, ""},
+		{"(*Request).FormFile", Method, 0, ""},
+		{"(*Request).FormValue", Method, 0, ""},
+		{"(*Request).MultipartReader", Method, 0, ""},
+		{"(*Request).ParseForm", Method, 0, ""},
+		{"(*Request).ParseMultipartForm", Method, 0, ""},
+		{"(*Request).PathValue", Method, 22, ""},
+		{"(*Request).PostFormValue", Method, 1, ""},
+		{"(*Request).ProtoAtLeast", Method, 0, ""},
+		{"(*Request).Referer", Method, 0, ""},
+		{"(*Request).SetBasicAuth", Method, 0, ""},
+		{"(*Request).SetPathValue", Method, 22, ""},
+		{"(*Request).UserAgent", Method, 0, ""},
+		{"(*Request).WithContext", Method, 7, ""},
+		{"(*Request).Write", Method, 0, ""},
+		{"(*Request).WriteProxy", Method, 0, ""},
+		{"(*Response).Cookies", Method, 0, ""},
+		{"(*Response).Location", Method, 0, ""},
+		{"(*Response).ProtoAtLeast", Method, 0, ""},
+		{"(*Response).Write", Method, 0, ""},
+		{"(*ResponseController).EnableFullDuplex", Method, 21, ""},
+		{"(*ResponseController).Flush", Method, 20, ""},
+		{"(*ResponseController).Hijack", Method, 20, ""},
+		{"(*ResponseController).SetReadDeadline", Method, 20, ""},
+		{"(*ResponseController).SetWriteDeadline", Method, 20, ""},
+		{"(*ServeMux).Handle", Method, 0, ""},
+		{"(*ServeMux).HandleFunc", Method, 0, ""},
+		{"(*ServeMux).Handler", Method, 1, ""},
+		{"(*ServeMux).ServeHTTP", Method, 0, ""},
+		{"(*Server).Close", Method, 8, ""},
+		{"(*Server).ListenAndServe", Method, 0, ""},
+		{"(*Server).ListenAndServeTLS", Method, 0, ""},
+		{"(*Server).RegisterOnShutdown", Method, 9, ""},
+		{"(*Server).Serve", Method, 0, ""},
+		{"(*Server).ServeTLS", Method, 9, ""},
+		{"(*Server).SetKeepAlivesEnabled", Method, 3, ""},
+		{"(*Server).Shutdown", Method, 8, ""},
+		{"(*Transport).CancelRequest", Method, 1, ""},
+		{"(*Transport).Clone", Method, 13, ""},
+		{"(*Transport).CloseIdleConnections", Method, 0, ""},
+		{"(*Transport).NewClientConn", Method, 26, ""},
+		{"(*Transport).RegisterProtocol", Method, 0, ""},
+		{"(*Transport).RoundTrip", Method, 0, ""},
+		{"(CloseNotifier).CloseNotify", Method, 1, ""},
+		{"(ConnState).String", Method, 3, ""},
+		{"(CookieJar).Cookies", Method, 0, ""},
+		{"(CookieJar).SetCookies", Method, 0, ""},
+		{"(Dir).Open", Method, 0, ""},
+		{"(File).Close", Method, 0, ""},
+		{"(File).Read", Method, 0, ""},
+		{"(File).Readdir", Method, 0, ""},
+		{"(File).Seek", Method, 0, ""},
+		{"(File).Stat", Method, 0, ""},
+		{"(FileSystem).Open", Method, 0, ""},
+		{"(Flusher).Flush", Method, 0, ""},
+		{"(Handler).ServeHTTP", Method, 0, ""},
+		{"(HandlerFunc).ServeHTTP", Method, 0, ""},
+		{"(Header).Add", Method, 0, ""},
+		{"(Header).Clone", Method, 13, ""},
+		{"(Header).Del", Method, 0, ""},
+		{"(Header).Get", Method, 0, ""},
+		{"(Header).Set", Method, 0, ""},
+		{"(Header).Values", Method, 14, ""},
+		{"(Header).Write", Method, 0, ""},
+		{"(Header).WriteSubset", Method, 0, ""},
+		{"(Hijacker).Hijack", Method, 0, ""},
+		{"(Protocols).HTTP1", Method, 24, ""},
+		{"(Protocols).HTTP2", Method, 24, ""},
+		{"(Protocols).String", Method, 24, ""},
+		{"(Protocols).UnencryptedHTTP2", Method, 24, ""},
+		{"(Pusher).Push", Method, 8, ""},
+		{"(ResponseWriter).Header", Method, 0, ""},
+		{"(ResponseWriter).Write", Method, 0, ""},
+		{"(ResponseWriter).WriteHeader", Method, 0, ""},
+		{"(RoundTripper).RoundTrip", Method, 0, ""},
+		{"AllowQuerySemicolons", Func, 17, "func(h Handler) Handler"},
+		{"CanonicalHeaderKey", Func, 0, "func(s string) string"},
+		{"Client", Type, 0, ""},
+		{"Client.CheckRedirect", Field, 0, ""},
+		{"Client.Jar", Field, 0, ""},
+		{"Client.Timeout", Field, 3, ""},
+		{"Client.Transport", Field, 0, ""},
+		{"ClientConn", Type, 26, ""},
+		{"CloseNotifier", Type, 1, ""},
+		{"ConnState", Type, 3, ""},
+		{"Cookie", Type, 0, ""},
+		{"Cookie.Domain", Field, 0, ""},
+		{"Cookie.Expires", Field, 0, ""},
+		{"Cookie.HttpOnly", Field, 0, ""},
+		{"Cookie.MaxAge", Field, 0, ""},
+		{"Cookie.Name", Field, 0, ""},
+		{"Cookie.Partitioned", Field, 23, ""},
+		{"Cookie.Path", Field, 0, ""},
+		{"Cookie.Quoted", Field, 23, ""},
+		{"Cookie.Raw", Field, 0, ""},
+		{"Cookie.RawExpires", Field, 0, ""},
+		{"Cookie.SameSite", Field, 11, ""},
+		{"Cookie.Secure", Field, 0, ""},
+		{"Cookie.Unparsed", Field, 0, ""},
+		{"Cookie.Value", Field, 0, ""},
+		{"CookieJar", Type, 0, ""},
+		{"CrossOriginProtection", Type, 25, ""},
+		{"DefaultClient", Var, 0, ""},
+		{"DefaultMaxHeaderBytes", Const, 0, ""},
+		{"DefaultMaxIdleConnsPerHost", Const, 0, ""},
+		{"DefaultServeMux", Var, 0, ""},
+		{"DefaultTransport", Var, 0, ""},
+		{"DetectContentType", Func, 0, "func(data []byte) string"},
+		{"Dir", Type, 0, ""},
+		{"ErrAbortHandler", Var, 8, ""},
+		{"ErrBodyNotAllowed", Var, 0, ""},
+		{"ErrBodyReadAfterClose", Var, 0, ""},
+		{"ErrContentLength", Var, 0, ""},
+		{"ErrHandlerTimeout", Var, 0, ""},
+		{"ErrHeaderTooLong", Var, 0, ""},
+		{"ErrHijacked", Var, 0, ""},
+		{"ErrLineTooLong", Var, 0, ""},
+		{"ErrMissingBoundary", Var, 0, ""},
+		{"ErrMissingContentLength", Var, 0, ""},
+		{"ErrMissingFile", Var, 0, ""},
+		{"ErrNoCookie", Var, 0, ""},
+		{"ErrNoLocation", Var, 0, ""},
+		{"ErrNotMultipart", Var, 0, ""},
+		{"ErrNotSupported", Var, 0, ""},
+		{"ErrSchemeMismatch", Var, 21, ""},
+		{"ErrServerClosed", Var, 8, ""},
+		{"ErrShortBody", Var, 0, ""},
+		{"ErrSkipAltProtocol", Var, 6, ""},
+		{"ErrUnexpectedTrailer", Var, 0, ""},
+		{"ErrUseLastResponse", Var, 7, ""},
+		{"ErrWriteAfterFlush", Var, 0, ""},
+		{"Error", Func, 0, "func(w ResponseWriter, error string, code int)"},
+		{"FS", Func, 16, "func(fsys fs.FS) FileSystem"},
+		{"File", Type, 0, ""},
+		{"FileServer", Func, 0, "func(root FileSystem) Handler"},
+		{"FileServerFS", Func, 22, "func(root fs.FS) Handler"},
+		{"FileSystem", Type, 0, ""},
+		{"Flusher", Type, 0, ""},
+		{"Get", Func, 0, "func(url string) (resp *Response, err error)"},
+		{"HTTP2Config", Type, 24, ""},
+		{"HTTP2Config.CountError", Field, 24, ""},
+		{"HTTP2Config.MaxConcurrentStreams", Field, 24, ""},
+		{"HTTP2Config.MaxDecoderHeaderTableSize", Field, 24, ""},
+		{"HTTP2Config.MaxEncoderHeaderTableSize", Field, 24, ""},
+		{"HTTP2Config.MaxReadFrameSize", Field, 24, ""},
+		{"HTTP2Config.MaxReceiveBufferPerConnection", Field, 24, ""},
+		{"HTTP2Config.MaxReceiveBufferPerStream", Field, 24, ""},
+		{"HTTP2Config.PermitProhibitedCipherSuites", Field, 24, ""},
+		{"HTTP2Config.PingTimeout", Field, 24, ""},
+		{"HTTP2Config.SendPingTimeout", Field, 24, ""},
+		{"HTTP2Config.StrictMaxConcurrentRequests", Field, 26, ""},
+		{"HTTP2Config.WriteByteTimeout", Field, 24, ""},
+		{"Handle", Func, 0, "func(pattern string, handler Handler)"},
+		{"HandleFunc", Func, 0, "func(pattern string, handler func(ResponseWriter, *Request))"},
+		{"Handler", Type, 0, ""},
+		{"HandlerFunc", Type, 0, ""},
+		{"Head", Func, 0, "func(url string) (resp *Response, err error)"},
+		{"Header", Type, 0, ""},
+		{"Hijacker", Type, 0, ""},
+		{"ListenAndServe", Func, 0, "func(addr string, handler Handler) error"},
+		{"ListenAndServeTLS", Func, 0, "func(addr string, certFile string, keyFile string, handler Handler) error"},
+		{"LocalAddrContextKey", Var, 7, ""},
+		{"MaxBytesError", Type, 19, ""},
+		{"MaxBytesError.Limit", Field, 19, ""},
+		{"MaxBytesHandler", Func, 18, "func(h Handler, n int64) Handler"},
+		{"MaxBytesReader", Func, 0, "func(w ResponseWriter, r io.ReadCloser, n int64) io.ReadCloser"},
+		{"MethodConnect", Const, 6, ""},
+		{"MethodDelete", Const, 6, ""},
+		{"MethodGet", Const, 6, ""},
+		{"MethodHead", Const, 6, ""},
+		{"MethodOptions", Const, 6, ""},
+		{"MethodPatch", Const, 6, ""},
+		{"MethodPost", Const, 6, ""},
+		{"MethodPut", Const, 6, ""},
+		{"MethodTrace", Const, 6, ""},
+		{"NewCrossOriginProtection", Func, 25, "func() *CrossOriginProtection"},
+		{"NewFileTransport", Func, 0, "func(fs FileSystem) RoundTripper"},
+		{"NewFileTransportFS", Func, 22, "func(fsys fs.FS) RoundTripper"},
+		{"NewRequest", Func, 0, "func(method string, url string, body io.Reader) (*Request, error)"},
+		{"NewRequestWithContext", Func, 13, "func(ctx context.Context, method string, url string, body io.Reader) (*Request, error)"},
+		{"NewResponseController", Func, 20, "func(rw ResponseWriter) *ResponseController"},
+		{"NewServeMux", Func, 0, "func() *ServeMux"},
+		{"NoBody", Var, 8, ""},
+		{"NotFound", Func, 0, "func(w ResponseWriter, r *Request)"},
+		{"NotFoundHandler", Func, 0, "func() Handler"},
+		{"ParseCookie", Func, 23, "func(line string) ([]*Cookie, error)"},
+		{"ParseHTTPVersion", Func, 0, "func(vers string) (major int, minor int, ok bool)"},
+		{"ParseSetCookie", Func, 23, "func(line string) (*Cookie, error)"},
+		{"ParseTime", Func, 1, "func(text string) (t time.Time, err error)"},
+		{"Post", Func, 0, "func(url string, contentType string, body io.Reader) (resp *Response, err error)"},
+		{"PostForm", Func, 0, "func(url string, data url.Values) (resp *Response, err error)"},
+		{"ProtocolError", Type, 0, ""},
+		{"ProtocolError.ErrorString", Field, 0, ""},
+		{"Protocols", Type, 24, ""},
+		{"ProxyFromEnvironment", Func, 0, "func(req *Request) (*url.URL, error)"},
+		{"ProxyURL", Func, 0, "func(fixedURL *url.URL) func(*Request) (*url.URL, error)"},
+		{"PushOptions", Type, 8, ""},
+		{"PushOptions.Header", Field, 8, ""},
+		{"PushOptions.Method", Field, 8, ""},
+		{"Pusher", Type, 8, ""},
+		{"ReadRequest", Func, 0, "func(b *bufio.Reader) (*Request, error)"},
+		{"ReadResponse", Func, 0, "func(r *bufio.Reader, req *Request) (*Response, error)"},
+		{"Redirect", Func, 0, "func(w ResponseWriter, r *Request, url string, code int)"},
+		{"RedirectHandler", Func, 0, "func(url string, code int) Handler"},
+		{"Request", Type, 0, ""},
+		{"Request.Body", Field, 0, ""},
+		{"Request.Cancel", Field, 5, ""},
+		{"Request.Close", Field, 0, ""},
+		{"Request.ContentLength", Field, 0, ""},
+		{"Request.Form", Field, 0, ""},
+		{"Request.GetBody", Field, 8, ""},
+		{"Request.Header", Field, 0, ""},
+		{"Request.Host", Field, 0, ""},
+		{"Request.Method", Field, 0, ""},
+		{"Request.MultipartForm", Field, 0, ""},
+		{"Request.Pattern", Field, 23, ""},
+		{"Request.PostForm", Field, 1, ""},
+		{"Request.Proto", Field, 0, ""},
+		{"Request.ProtoMajor", Field, 0, ""},
+		{"Request.ProtoMinor", Field, 0, ""},
+		{"Request.RemoteAddr", Field, 0, ""},
+		{"Request.RequestURI", Field, 0, ""},
+		{"Request.Response", Field, 7, ""},
+		{"Request.TLS", Field, 0, ""},
+		{"Request.Trailer", Field, 0, ""},
+		{"Request.TransferEncoding", Field, 0, ""},
+		{"Request.URL", Field, 0, ""},
+		{"Response", Type, 0, ""},
+		{"Response.Body", Field, 0, ""},
+		{"Response.Close", Field, 0, ""},
+		{"Response.ContentLength", Field, 0, ""},
+		{"Response.Header", Field, 0, ""},
+		{"Response.Proto", Field, 0, ""},
+		{"Response.ProtoMajor", Field, 0, ""},
+		{"Response.ProtoMinor", Field, 0, ""},
+		{"Response.Request", Field, 0, ""},
+		{"Response.Status", Field, 0, ""},
+		{"Response.StatusCode", Field, 0, ""},
+		{"Response.TLS", Field, 3, ""},
+		{"Response.Trailer", Field, 0, ""},
+		{"Response.TransferEncoding", Field, 0, ""},
+		{"Response.Uncompressed", Field, 7, ""},
+		{"ResponseController", Type, 20, ""},
+		{"ResponseWriter", Type, 0, ""},
+		{"RoundTripper", Type, 0, ""},
+		{"SameSite", Type, 11, ""},
+		{"SameSiteDefaultMode", Const, 11, ""},
+		{"SameSiteLaxMode", Const, 11, ""},
+		{"SameSiteNoneMode", Const, 13, ""},
+		{"SameSiteStrictMode", Const, 11, ""},
+		{"Serve", Func, 0, "func(l net.Listener, handler Handler) error"},
+		{"ServeContent", Func, 0, "func(w ResponseWriter, req *Request, name string, modtime time.Time, content io.ReadSeeker)"},
+		{"ServeFile", Func, 0, "func(w ResponseWriter, r *Request, name string)"},
+		{"ServeFileFS", Func, 22, "func(w ResponseWriter, r *Request, fsys fs.FS, name string)"},
+		{"ServeMux", Type, 0, ""},
+		{"ServeTLS", Func, 9, "func(l net.Listener, handler Handler, certFile string, keyFile string) error"},
+		{"Server", Type, 0, ""},
+		{"Server.Addr", Field, 0, ""},
+		{"Server.BaseContext", Field, 13, ""},
+		{"Server.ConnContext", Field, 13, ""},
+		{"Server.ConnState", Field, 3, ""},
+		{"Server.DisableGeneralOptionsHandler", Field, 20, ""},
+		{"Server.ErrorLog", Field, 3, ""},
+		{"Server.HTTP2", Field, 24, ""},
+		{"Server.Handler", Field, 0, ""},
+		{"Server.IdleTimeout", Field, 8, ""},
+		{"Server.MaxHeaderBytes", Field, 0, ""},
+		{"Server.Protocols", Field, 24, ""},
+		{"Server.ReadHeaderTimeout", Field, 8, ""},
+		{"Server.ReadTimeout", Field, 0, ""},
+		{"Server.TLSConfig", Field, 0, ""},
+		{"Server.TLSNextProto", Field, 1, ""},
+		{"Server.WriteTimeout", Field, 0, ""},
+		{"ServerContextKey", Var, 7, ""},
+		{"SetCookie", Func, 0, "func(w ResponseWriter, cookie *Cookie)"},
+		{"StateActive", Const, 3, ""},
+		{"StateClosed", Const, 3, ""},
+		{"StateHijacked", Const, 3, ""},
+		{"StateIdle", Const, 3, ""},
+		{"StateNew", Const, 3, ""},
+		{"StatusAccepted", Const, 0, ""},
+		{"StatusAlreadyReported", Const, 7, ""},
+		{"StatusBadGateway", Const, 0, ""},
+		{"StatusBadRequest", Const, 0, ""},
+		{"StatusConflict", Const, 0, ""},
+		{"StatusContinue", Const, 0, ""},
+		{"StatusCreated", Const, 0, ""},
+		{"StatusEarlyHints", Const, 13, ""},
+		{"StatusExpectationFailed", Const, 0, ""},
+		{"StatusFailedDependency", Const, 7, ""},
+		{"StatusForbidden", Const, 0, ""},
+		{"StatusFound", Const, 0, ""},
+		{"StatusGatewayTimeout", Const, 0, ""},
+		{"StatusGone", Const, 0, ""},
+		{"StatusHTTPVersionNotSupported", Const, 0, ""},
+		{"StatusIMUsed", Const, 7, ""},
+		{"StatusInsufficientStorage", Const, 7, ""},
+		{"StatusInternalServerError", Const, 0, ""},
+		{"StatusLengthRequired", Const, 0, ""},
+		{"StatusLocked", Const, 7, ""},
+		{"StatusLoopDetected", Const, 7, ""},
+		{"StatusMethodNotAllowed", Const, 0, ""},
+		{"StatusMisdirectedRequest", Const, 11, ""},
+		{"StatusMovedPermanently", Const, 0, ""},
+		{"StatusMultiStatus", Const, 7, ""},
+		{"StatusMultipleChoices", Const, 0, ""},
+		{"StatusNetworkAuthenticationRequired", Const, 6, ""},
+		{"StatusNoContent", Const, 0, ""},
+		{"StatusNonAuthoritativeInfo", Const, 0, ""},
+		{"StatusNotAcceptable", Const, 0, ""},
+		{"StatusNotExtended", Const, 7, ""},
+		{"StatusNotFound", Const, 0, ""},
+		{"StatusNotImplemented", Const, 0, ""},
+		{"StatusNotModified", Const, 0, ""},
+		{"StatusOK", Const, 0, ""},
+		{"StatusPartialContent", Const, 0, ""},
+		{"StatusPaymentRequired", Const, 0, ""},
+		{"StatusPermanentRedirect", Const, 7, ""},
+		{"StatusPreconditionFailed", Const, 0, ""},
+		{"StatusPreconditionRequired", Const, 6, ""},
+		{"StatusProcessing", Const, 7, ""},
+		{"StatusProxyAuthRequired", Const, 0, ""},
+		{"StatusRequestEntityTooLarge", Const, 0, ""},
+		{"StatusRequestHeaderFieldsTooLarge", Const, 6, ""},
+		{"StatusRequestTimeout", Const, 0, ""},
+		{"StatusRequestURITooLong", Const, 0, ""},
+		{"StatusRequestedRangeNotSatisfiable", Const, 0, ""},
+		{"StatusResetContent", Const, 0, ""},
+		{"StatusSeeOther", Const, 0, ""},
+		{"StatusServiceUnavailable", Const, 0, ""},
+		{"StatusSwitchingProtocols", Const, 0, ""},
+		{"StatusTeapot", Const, 0, ""},
+		{"StatusTemporaryRedirect", Const, 0, ""},
+		{"StatusText", Func, 0, "func(code int) string"},
+		{"StatusTooEarly", Const, 12, ""},
+		{"StatusTooManyRequests", Const, 6, ""},
+		{"StatusUnauthorized", Const, 0, ""},
+		{"StatusUnavailableForLegalReasons", Const, 6, ""},
+		{"StatusUnprocessableEntity", Const, 7, ""},
+		{"StatusUnsupportedMediaType", Const, 0, ""},
+		{"StatusUpgradeRequired", Const, 7, ""},
+		{"StatusUseProxy", Const, 0, ""},
+		{"StatusVariantAlsoNegotiates", Const, 7, ""},
+		{"StripPrefix", Func, 0, "func(prefix string, h Handler) Handler"},
+		{"TimeFormat", Const, 0, ""},
+		{"TimeoutHandler", Func, 0, "func(h Handler, dt time.Duration, msg string) Handler"},
+		{"TrailerPrefix", Const, 8, ""},
+		{"Transport", Type, 0, ""},
+		{"Transport.Dial", Field, 0, ""},
+		{"Transport.DialContext", Field, 7, ""},
+		{"Transport.DialTLS", Field, 4, ""},
+		{"Transport.DialTLSContext", Field, 14, ""},
+		{"Transport.DisableCompression", Field, 0, ""},
+		{"Transport.DisableKeepAlives", Field, 0, ""},
+		{"Transport.ExpectContinueTimeout", Field, 6, ""},
+		{"Transport.ForceAttemptHTTP2", Field, 13, ""},
+		{"Transport.GetProxyConnectHeader", Field, 16, ""},
+		{"Transport.HTTP2", Field, 24, ""},
+		{"Transport.IdleConnTimeout", Field, 7, ""},
+		{"Transport.MaxConnsPerHost", Field, 11, ""},
+		{"Transport.MaxIdleConns", Field, 7, ""},
+		{"Transport.MaxIdleConnsPerHost", Field, 0, ""},
+		{"Transport.MaxResponseHeaderBytes", Field, 7, ""},
+		{"Transport.OnProxyConnectResponse", Field, 20, ""},
+		{"Transport.Protocols", Field, 24, ""},
+		{"Transport.Proxy", Field, 0, ""},
+		{"Transport.ProxyConnectHeader", Field, 8, ""},
+		{"Transport.ReadBufferSize", Field, 13, ""},
+		{"Transport.ResponseHeaderTimeout", Field, 1, ""},
+		{"Transport.TLSClientConfig", Field, 0, ""},
+		{"Transport.TLSHandshakeTimeout", Field, 3, ""},
+		{"Transport.TLSNextProto", Field, 6, ""},
+		{"Transport.WriteBufferSize", Field, 13, ""},
+	},
+	"net/http/cgi": {
+		{"(*Handler).ServeHTTP", Method, 0, ""},
+		{"Handler", Type, 0, ""},
+		{"Handler.Args", Field, 0, ""},
+		{"Handler.Dir", Field, 0, ""},
+		{"Handler.Env", Field, 0, ""},
+		{"Handler.InheritEnv", Field, 0, ""},
+		{"Handler.Logger", Field, 0, ""},
+		{"Handler.Path", Field, 0, ""},
+		{"Handler.PathLocationHandler", Field, 0, ""},
+		{"Handler.Root", Field, 0, ""},
+		{"Handler.Stderr", Field, 7, ""},
+		{"Request", Func, 0, "func() (*http.Request, error)"},
+		{"RequestFromMap", Func, 0, "func(params map[string]string) (*http.Request, error)"},
+		{"Serve", Func, 0, "func(handler http.Handler) error"},
+	},
+	"net/http/cookiejar": {
+		{"(*Jar).Cookies", Method, 1, ""},
+		{"(*Jar).SetCookies", Method, 1, ""},
+		{"(PublicSuffixList).PublicSuffix", Method, 1, ""},
+		{"(PublicSuffixList).String", Method, 1, ""},
+		{"Jar", Type, 1, ""},
+		{"New", Func, 1, "func(o *Options) (*Jar, error)"},
+		{"Options", Type, 1, ""},
+		{"Options.PublicSuffixList", Field, 1, ""},
+		{"PublicSuffixList", Type, 1, ""},
+	},
+	"net/http/fcgi": {
+		{"ErrConnClosed", Var, 5, ""},
+		{"ErrRequestAborted", Var, 5, ""},
+		{"ProcessEnv", Func, 9, "func(r *http.Request) map[string]string"},
+		{"Serve", Func, 0, "func(l net.Listener, handler http.Handler) error"},
+	},
+	"net/http/httptest": {
+		{"(*ResponseRecorder).Flush", Method, 0, ""},
+		{"(*ResponseRecorder).Header", Method, 0, ""},
+		{"(*ResponseRecorder).Result", Method, 7, ""},
+		{"(*ResponseRecorder).Write", Method, 0, ""},
+		{"(*ResponseRecorder).WriteHeader", Method, 0, ""},
+		{"(*ResponseRecorder).WriteString", Method, 6, ""},
+		{"(*Server).Certificate", Method, 9, ""},
+		{"(*Server).Client", Method, 9, ""},
+		{"(*Server).Close", Method, 0, ""},
+		{"(*Server).CloseClientConnections", Method, 0, ""},
+		{"(*Server).Start", Method, 0, ""},
+		{"(*Server).StartTLS", Method, 0, ""},
+		{"DefaultRemoteAddr", Const, 0, ""},
+		{"NewRecorder", Func, 0, "func() *ResponseRecorder"},
+		{"NewRequest", Func, 7, "func(method string, target string, body io.Reader) *http.Request"},
+		{"NewRequestWithContext", Func, 23, "func(ctx context.Context, method string, target string, body io.Reader) *http.Request"},
+		{"NewServer", Func, 0, "func(handler http.Handler) *Server"},
+		{"NewTLSServer", Func, 0, "func(handler http.Handler) *Server"},
+		{"NewUnstartedServer", Func, 0, "func(handler http.Handler) *Server"},
+		{"ResponseRecorder", Type, 0, ""},
+		{"ResponseRecorder.Body", Field, 0, ""},
+		{"ResponseRecorder.Code", Field, 0, ""},
+		{"ResponseRecorder.Flushed", Field, 0, ""},
+		{"ResponseRecorder.HeaderMap", Field, 0, ""},
+		{"Server", Type, 0, ""},
+		{"Server.Config", Field, 0, ""},
+		{"Server.EnableHTTP2", Field, 14, ""},
+		{"Server.Listener", Field, 0, ""},
+		{"Server.TLS", Field, 0, ""},
+		{"Server.URL", Field, 0, ""},
+	},
+	"net/http/httptrace": {
+		{"ClientTrace", Type, 7, ""},
+		{"ClientTrace.ConnectDone", Field, 7, ""},
+		{"ClientTrace.ConnectStart", Field, 7, ""},
+		{"ClientTrace.DNSDone", Field, 7, ""},
+		{"ClientTrace.DNSStart", Field, 7, ""},
+		{"ClientTrace.GetConn", Field, 7, ""},
+		{"ClientTrace.Got100Continue", Field, 7, ""},
+		{"ClientTrace.Got1xxResponse", Field, 11, ""},
+		{"ClientTrace.GotConn", Field, 7, ""},
+		{"ClientTrace.GotFirstResponseByte", Field, 7, ""},
+		{"ClientTrace.PutIdleConn", Field, 7, ""},
+		{"ClientTrace.TLSHandshakeDone", Field, 8, ""},
+		{"ClientTrace.TLSHandshakeStart", Field, 8, ""},
+		{"ClientTrace.Wait100Continue", Field, 7, ""},
+		{"ClientTrace.WroteHeaderField", Field, 11, ""},
+		{"ClientTrace.WroteHeaders", Field, 7, ""},
+		{"ClientTrace.WroteRequest", Field, 7, ""},
+		{"ContextClientTrace", Func, 7, "func(ctx context.Context) *ClientTrace"},
+		{"DNSDoneInfo", Type, 7, ""},
+		{"DNSDoneInfo.Addrs", Field, 7, ""},
+		{"DNSDoneInfo.Coalesced", Field, 7, ""},
+		{"DNSDoneInfo.Err", Field, 7, ""},
+		{"DNSStartInfo", Type, 7, ""},
+		{"DNSStartInfo.Host", Field, 7, ""},
+		{"GotConnInfo", Type, 7, ""},
+		{"GotConnInfo.Conn", Field, 7, ""},
+		{"GotConnInfo.IdleTime", Field, 7, ""},
+		{"GotConnInfo.Reused", Field, 7, ""},
+		{"GotConnInfo.WasIdle", Field, 7, ""},
+		{"WithClientTrace", Func, 7, "func(ctx context.Context, trace *ClientTrace) context.Context"},
+		{"WroteRequestInfo", Type, 7, ""},
+		{"WroteRequestInfo.Err", Field, 7, ""},
+	},
+	"net/http/httputil": {
+		{"(*ClientConn).Close", Method, 0, ""},
+		{"(*ClientConn).Do", Method, 0, ""},
+		{"(*ClientConn).Hijack", Method, 0, ""},
+		{"(*ClientConn).Pending", Method, 0, ""},
+		{"(*ClientConn).Read", Method, 0, ""},
+		{"(*ClientConn).Write", Method, 0, ""},
+		{"(*ProxyRequest).SetURL", Method, 20, ""},
+		{"(*ProxyRequest).SetXForwarded", Method, 20, ""},
+		{"(*ReverseProxy).ServeHTTP", Method, 0, ""},
+		{"(*ServerConn).Close", Method, 0, ""},
+		{"(*ServerConn).Hijack", Method, 0, ""},
+		{"(*ServerConn).Pending", Method, 0, ""},
+		{"(*ServerConn).Read", Method, 0, ""},
+		{"(*ServerConn).Write", Method, 0, ""},
+		{"(BufferPool).Get", Method, 6, ""},
+		{"(BufferPool).Put", Method, 6, ""},
+		{"BufferPool", Type, 6, ""},
+		{"ClientConn", Type, 0, ""},
+		{"DumpRequest", Func, 0, "func(req *http.Request, body bool) ([]byte, error)"},
+		{"DumpRequestOut", Func, 0, "func(req *http.Request, body bool) ([]byte, error)"},
+		{"DumpResponse", Func, 0, "func(resp *http.Response, body bool) ([]byte, error)"},
+		{"ErrClosed", Var, 0, ""},
+		{"ErrLineTooLong", Var, 0, ""},
+		{"ErrPersistEOF", Var, 0, ""},
+		{"ErrPipeline", Var, 0, ""},
+		{"NewChunkedReader", Func, 0, "func(r io.Reader) io.Reader"},
+		{"NewChunkedWriter", Func, 0, "func(w io.Writer) io.WriteCloser"},
+		{"NewClientConn", Func, 0, "func(c net.Conn, r *bufio.Reader) *ClientConn"},
+		{"NewProxyClientConn", Func, 0, "func(c net.Conn, r *bufio.Reader) *ClientConn"},
+		{"NewServerConn", Func, 0, "func(c net.Conn, r *bufio.Reader) *ServerConn"},
+		{"NewSingleHostReverseProxy", Func, 0, "func(target *url.URL) *ReverseProxy"},
+		{"ProxyRequest", Type, 20, ""},
+		{"ProxyRequest.In", Field, 20, ""},
+		{"ProxyRequest.Out", Field, 20, ""},
+		{"ReverseProxy", Type, 0, ""},
+		{"ReverseProxy.BufferPool", Field, 6, ""},
+		{"ReverseProxy.Director", Field, 0, ""},
+		{"ReverseProxy.ErrorHandler", Field, 11, ""},
+		{"ReverseProxy.ErrorLog", Field, 4, ""},
+		{"ReverseProxy.FlushInterval", Field, 0, ""},
+		{"ReverseProxy.ModifyResponse", Field, 8, ""},
+		{"ReverseProxy.Rewrite", Field, 20, ""},
+		{"ReverseProxy.Transport", Field, 0, ""},
+		{"ServerConn", Type, 0, ""},
+	},
+	"net/http/pprof": {
+		{"Cmdline", Func, 0, "func(w http.ResponseWriter, r *http.Request)"},
+		{"Handler", Func, 0, "func(name string) http.Handler"},
+		{"Index", Func, 0, "func(w http.ResponseWriter, r *http.Request)"},
+		{"Profile", Func, 0, "func(w http.ResponseWriter, r *http.Request)"},
+		{"Symbol", Func, 0, "func(w http.ResponseWriter, r *http.Request)"},
+		{"Trace", Func, 5, "func(w http.ResponseWriter, r *http.Request)"},
+	},
+	"net/mail": {
+		{"(*Address).String", Method, 0, ""},
+		{"(*AddressParser).Parse", Method, 5, ""},
+		{"(*AddressParser).ParseList", Method, 5, ""},
+		{"(Header).AddressList", Method, 0, ""},
+		{"(Header).Date", Method, 0, ""},
+		{"(Header).Get", Method, 0, ""},
+		{"Address", Type, 0, ""},
+		{"Address.Address", Field, 0, ""},
+		{"Address.Name", Field, 0, ""},
+		{"AddressParser", Type, 5, ""},
+		{"AddressParser.WordDecoder", Field, 5, ""},
+		{"ErrHeaderNotPresent", Var, 0, ""},
+		{"Header", Type, 0, ""},
+		{"Message", Type, 0, ""},
+		{"Message.Body", Field, 0, ""},
+		{"Message.Header", Field, 0, ""},
+		{"ParseAddress", Func, 1, "func(address string) (*Address, error)"},
+		{"ParseAddressList", Func, 1, "func(list string) ([]*Address, error)"},
+		{"ParseDate", Func, 8, "func(date string) (time.Time, error)"},
+		{"ReadMessage", Func, 0, "func(r io.Reader) (msg *Message, err error)"},
+	},
+	"net/netip": {
+		{"(*Addr).UnmarshalBinary", Method, 18, ""},
+		{"(*Addr).UnmarshalText", Method, 18, ""},
+		{"(*AddrPort).UnmarshalBinary", Method, 18, ""},
+		{"(*AddrPort).UnmarshalText", Method, 18, ""},
+		{"(*Prefix).UnmarshalBinary", Method, 18, ""},
+		{"(*Prefix).UnmarshalText", Method, 18, ""},
+		{"(Addr).AppendBinary", Method, 24, ""},
+		{"(Addr).AppendText", Method, 24, ""},
+		{"(Addr).AppendTo", Method, 18, ""},
+		{"(Addr).As16", Method, 18, ""},
+		{"(Addr).As4", Method, 18, ""},
+		{"(Addr).AsSlice", Method, 18, ""},
+		{"(Addr).BitLen", Method, 18, ""},
+		{"(Addr).Compare", Method, 18, ""},
+		{"(Addr).Is4", Method, 18, ""},
+		{"(Addr).Is4In6", Method, 18, ""},
+		{"(Addr).Is6", Method, 18, ""},
+		{"(Addr).IsGlobalUnicast", Method, 18, ""},
+		{"(Addr).IsInterfaceLocalMulticast", Method, 18, ""},
+		{"(Addr).IsLinkLocalMulticast", Method, 18, ""},
+		{"(Addr).IsLinkLocalUnicast", Method, 18, ""},
+		{"(Addr).IsLoopback", Method, 18, ""},
+		{"(Addr).IsMulticast", Method, 18, ""},
+		{"(Addr).IsPrivate", Method, 18, ""},
+		{"(Addr).IsUnspecified", Method, 18, ""},
+		{"(Addr).IsValid", Method, 18, ""},
+		{"(Addr).Less", Method, 18, ""},
+		{"(Addr).MarshalBinary", Method, 18, ""},
+		{"(Addr).MarshalText", Method, 18, ""},
+		{"(Addr).Next", Method, 18, ""},
+		{"(Addr).Prefix", Method, 18, ""},
+		{"(Addr).Prev", Method, 18, ""},
+		{"(Addr).String", Method, 18, ""},
+		{"(Addr).StringExpanded", Method, 18, ""},
+		{"(Addr).Unmap", Method, 18, ""},
+		{"(Addr).WithZone", Method, 18, ""},
+		{"(Addr).Zone", Method, 18, ""},
+		{"(AddrPort).Addr", Method, 18, ""},
+		{"(AddrPort).AppendBinary", Method, 24, ""},
+		{"(AddrPort).AppendText", Method, 24, ""},
+		{"(AddrPort).AppendTo", Method, 18, ""},
+		{"(AddrPort).Compare", Method, 22, ""},
+		{"(AddrPort).IsValid", Method, 18, ""},
+		{"(AddrPort).MarshalBinary", Method, 18, ""},
+		{"(AddrPort).MarshalText", Method, 18, ""},
+		{"(AddrPort).Port", Method, 18, ""},
+		{"(AddrPort).String", Method, 18, ""},
+		{"(Prefix).Addr", Method, 18, ""},
+		{"(Prefix).AppendBinary", Method, 24, ""},
+		{"(Prefix).AppendText", Method, 24, ""},
+		{"(Prefix).AppendTo", Method, 18, ""},
+		{"(Prefix).Bits", Method, 18, ""},
+		{"(Prefix).Compare", Method, 26, ""},
+		{"(Prefix).Contains", Method, 18, ""},
+		{"(Prefix).IsSingleIP", Method, 18, ""},
+		{"(Prefix).IsValid", Method, 18, ""},
+		{"(Prefix).MarshalBinary", Method, 18, ""},
+		{"(Prefix).MarshalText", Method, 18, ""},
+		{"(Prefix).Masked", Method, 18, ""},
+		{"(Prefix).Overlaps", Method, 18, ""},
+		{"(Prefix).String", Method, 18, ""},
+		{"Addr", Type, 18, ""},
+		{"AddrFrom16", Func, 18, "func(addr [16]byte) Addr"},
+		{"AddrFrom4", Func, 18, "func(addr [4]byte) Addr"},
+		{"AddrFromSlice", Func, 18, "func(slice []byte) (ip Addr, ok bool)"},
+		{"AddrPort", Type, 18, ""},
+		{"AddrPortFrom", Func, 18, "func(ip Addr, port uint16) AddrPort"},
+		{"IPv4Unspecified", Func, 18, "func() Addr"},
+		{"IPv6LinkLocalAllNodes", Func, 18, "func() Addr"},
+		{"IPv6LinkLocalAllRouters", Func, 20, "func() Addr"},
+		{"IPv6Loopback", Func, 20, "func() Addr"},
+		{"IPv6Unspecified", Func, 18, "func() Addr"},
+		{"MustParseAddr", Func, 18, "func(s string) Addr"},
+		{"MustParseAddrPort", Func, 18, "func(s string) AddrPort"},
+		{"MustParsePrefix", Func, 18, "func(s string) Prefix"},
+		{"ParseAddr", Func, 18, "func(s string) (Addr, error)"},
+		{"ParseAddrPort", Func, 18, "func(s string) (AddrPort, error)"},
+		{"ParsePrefix", Func, 18, "func(s string) (Prefix, error)"},
+		{"Prefix", Type, 18, ""},
+		{"PrefixFrom", Func, 18, "func(ip Addr, bits int) Prefix"},
+	},
+	"net/rpc": {
+		{"(*Client).Call", Method, 0, ""},
+		{"(*Client).Close", Method, 0, ""},
+		{"(*Client).Go", Method, 0, ""},
+		{"(*Server).Accept", Method, 0, ""},
+		{"(*Server).HandleHTTP", Method, 0, ""},
+		{"(*Server).Register", Method, 0, ""},
+		{"(*Server).RegisterName", Method, 0, ""},
+		{"(*Server).ServeCodec", Method, 0, ""},
+		{"(*Server).ServeConn", Method, 0, ""},
+		{"(*Server).ServeHTTP", Method, 0, ""},
+		{"(*Server).ServeRequest", Method, 0, ""},
+		{"(ClientCodec).Close", Method, 0, ""},
+		{"(ClientCodec).ReadResponseBody", Method, 0, ""},
+		{"(ClientCodec).ReadResponseHeader", Method, 0, ""},
+		{"(ClientCodec).WriteRequest", Method, 0, ""},
+		{"(ServerCodec).Close", Method, 0, ""},
+		{"(ServerCodec).ReadRequestBody", Method, 0, ""},
+		{"(ServerCodec).ReadRequestHeader", Method, 0, ""},
+		{"(ServerCodec).WriteResponse", Method, 0, ""},
+		{"(ServerError).Error", Method, 0, ""},
+		{"Accept", Func, 0, "func(lis net.Listener)"},
+		{"Call", Type, 0, ""},
+		{"Call.Args", Field, 0, ""},
+		{"Call.Done", Field, 0, ""},
+		{"Call.Error", Field, 0, ""},
+		{"Call.Reply", Field, 0, ""},
+		{"Call.ServiceMethod", Field, 0, ""},
+		{"Client", Type, 0, ""},
+		{"ClientCodec", Type, 0, ""},
+		{"DefaultDebugPath", Const, 0, ""},
+		{"DefaultRPCPath", Const, 0, ""},
+		{"DefaultServer", Var, 0, ""},
+		{"Dial", Func, 0, "func(network string, address string) (*Client, error)"},
+		{"DialHTTP", Func, 0, "func(network string, address string) (*Client, error)"},
+		{"DialHTTPPath", Func, 0, "func(network string, address string, path string) (*Client, error)"},
+		{"ErrShutdown", Var, 0, ""},
+		{"HandleHTTP", Func, 0, "func()"},
+		{"NewClient", Func, 0, "func(conn io.ReadWriteCloser) *Client"},
+		{"NewClientWithCodec", Func, 0, "func(codec ClientCodec) *Client"},
+		{"NewServer", Func, 0, "func() *Server"},
+		{"Register", Func, 0, "func(rcvr any) error"},
+		{"RegisterName", Func, 0, "func(name string, rcvr any) error"},
+		{"Request", Type, 0, ""},
+		{"Request.Seq", Field, 0, ""},
+		{"Request.ServiceMethod", Field, 0, ""},
+		{"Response", Type, 0, ""},
+		{"Response.Error", Field, 0, ""},
+		{"Response.Seq", Field, 0, ""},
+		{"Response.ServiceMethod", Field, 0, ""},
+		{"ServeCodec", Func, 0, "func(codec ServerCodec)"},
+		{"ServeConn", Func, 0, "func(conn io.ReadWriteCloser)"},
+		{"ServeRequest", Func, 0, "func(codec ServerCodec) error"},
+		{"Server", Type, 0, ""},
+		{"ServerCodec", Type, 0, ""},
+		{"ServerError", Type, 0, ""},
+	},
+	"net/rpc/jsonrpc": {
+		{"Dial", Func, 0, "func(network string, address string) (*rpc.Client, error)"},
+		{"NewClient", Func, 0, "func(conn io.ReadWriteCloser) *rpc.Client"},
+		{"NewClientCodec", Func, 0, "func(conn io.ReadWriteCloser) rpc.ClientCodec"},
+		{"NewServerCodec", Func, 0, "func(conn io.ReadWriteCloser) rpc.ServerCodec"},
+		{"ServeConn", Func, 0, "func(conn io.ReadWriteCloser)"},
+	},
+	"net/smtp": {
+		{"(*Client).Auth", Method, 0, ""},
+		{"(*Client).Close", Method, 2, ""},
+		{"(*Client).Data", Method, 0, ""},
+		{"(*Client).Extension", Method, 0, ""},
+		{"(*Client).Hello", Method, 1, ""},
+		{"(*Client).Mail", Method, 0, ""},
+		{"(*Client).Noop", Method, 10, ""},
+		{"(*Client).Quit", Method, 0, ""},
+		{"(*Client).Rcpt", Method, 0, ""},
+		{"(*Client).Reset", Method, 0, ""},
+		{"(*Client).StartTLS", Method, 0, ""},
+		{"(*Client).TLSConnectionState", Method, 5, ""},
+		{"(*Client).Verify", Method, 0, ""},
+		{"(Auth).Next", Method, 0, ""},
+		{"(Auth).Start", Method, 0, ""},
+		{"Auth", Type, 0, ""},
+		{"CRAMMD5Auth", Func, 0, "func(username string, secret string) Auth"},
+		{"Client", Type, 0, ""},
+		{"Client.Text", Field, 0, ""},
+		{"Dial", Func, 0, "func(addr string) (*Client, error)"},
+		{"NewClient", Func, 0, "func(conn net.Conn, host string) (*Client, error)"},
+		{"PlainAuth", Func, 0, "func(identity string, username string, password string, host string) Auth"},
+		{"SendMail", Func, 0, "func(addr string, a Auth, from string, to []string, msg []byte) error"},
+		{"ServerInfo", Type, 0, ""},
+		{"ServerInfo.Auth", Field, 0, ""},
+		{"ServerInfo.Name", Field, 0, ""},
+		{"ServerInfo.TLS", Field, 0, ""},
+	},
+	"net/textproto": {
+		{"(*Conn).Close", Method, 0, ""},
+		{"(*Conn).Cmd", Method, 0, ""},
+		{"(*Conn).DotReader", Method, 0, ""},
+		{"(*Conn).DotWriter", Method, 0, ""},
+		{"(*Conn).EndRequest", Method, 0, ""},
+		{"(*Conn).EndResponse", Method, 0, ""},
+		{"(*Conn).Next", Method, 0, ""},
+		{"(*Conn).PrintfLine", Method, 0, ""},
+		{"(*Conn).ReadCodeLine", Method, 0, ""},
+		{"(*Conn).ReadContinuedLine", Method, 0, ""},
+		{"(*Conn).ReadContinuedLineBytes", Method, 0, ""},
+		{"(*Conn).ReadDotBytes", Method, 0, ""},
+		{"(*Conn).ReadDotLines", Method, 0, ""},
+		{"(*Conn).ReadLine", Method, 0, ""},
+		{"(*Conn).ReadLineBytes", Method, 0, ""},
+		{"(*Conn).ReadMIMEHeader", Method, 0, ""},
+		{"(*Conn).ReadResponse", Method, 0, ""},
+		{"(*Conn).StartRequest", Method, 0, ""},
+		{"(*Conn).StartResponse", Method, 0, ""},
+		{"(*Error).Error", Method, 0, ""},
+		{"(*Pipeline).EndRequest", Method, 0, ""},
+		{"(*Pipeline).EndResponse", Method, 0, ""},
+		{"(*Pipeline).Next", Method, 0, ""},
+		{"(*Pipeline).StartRequest", Method, 0, ""},
+		{"(*Pipeline).StartResponse", Method, 0, ""},
+		{"(*Reader).DotReader", Method, 0, ""},
+		{"(*Reader).ReadCodeLine", Method, 0, ""},
+		{"(*Reader).ReadContinuedLine", Method, 0, ""},
+		{"(*Reader).ReadContinuedLineBytes", Method, 0, ""},
+		{"(*Reader).ReadDotBytes", Method, 0, ""},
+		{"(*Reader).ReadDotLines", Method, 0, ""},
+		{"(*Reader).ReadLine", Method, 0, ""},
+		{"(*Reader).ReadLineBytes", Method, 0, ""},
+		{"(*Reader).ReadMIMEHeader", Method, 0, ""},
+		{"(*Reader).ReadResponse", Method, 0, ""},
+		{"(*Writer).DotWriter", Method, 0, ""},
+		{"(*Writer).PrintfLine", Method, 0, ""},
+		{"(MIMEHeader).Add", Method, 0, ""},
+		{"(MIMEHeader).Del", Method, 0, ""},
+		{"(MIMEHeader).Get", Method, 0, ""},
+		{"(MIMEHeader).Set", Method, 0, ""},
+		{"(MIMEHeader).Values", Method, 14, ""},
+		{"(ProtocolError).Error", Method, 0, ""},
+		{"CanonicalMIMEHeaderKey", Func, 0, "func(s string) string"},
+		{"Conn", Type, 0, ""},
+		{"Conn.Pipeline", Field, 0, ""},
+		{"Conn.Reader", Field, 0, ""},
+		{"Conn.Writer", Field, 0, ""},
+		{"Dial", Func, 0, "func(network string, addr string) (*Conn, error)"},
+		{"Error", Type, 0, ""},
+		{"Error.Code", Field, 0, ""},
+		{"Error.Msg", Field, 0, ""},
+		{"MIMEHeader", Type, 0, ""},
+		{"NewConn", Func, 0, "func(conn io.ReadWriteCloser) *Conn"},
+		{"NewReader", Func, 0, "func(r *bufio.Reader) *Reader"},
+		{"NewWriter", Func, 0, "func(w *bufio.Writer) *Writer"},
+		{"Pipeline", Type, 0, ""},
+		{"ProtocolError", Type, 0, ""},
+		{"Reader", Type, 0, ""},
+		{"Reader.R", Field, 0, ""},
+		{"TrimBytes", Func, 1, "func(b []byte) []byte"},
+		{"TrimString", Func, 1, "func(s string) string"},
+		{"Writer", Type, 0, ""},
+		{"Writer.W", Field, 0, ""},
+	},
+	"net/url": {
+		{"(*Error).Error", Method, 0, ""},
+		{"(*Error).Temporary", Method, 6, ""},
+		{"(*Error).Timeout", Method, 6, ""},
+		{"(*Error).Unwrap", Method, 13, ""},
+		{"(*URL).AppendBinary", Method, 24, ""},
+		{"(*URL).EscapedFragment", Method, 15, ""},
+		{"(*URL).EscapedPath", Method, 5, ""},
+		{"(*URL).Hostname", Method, 8, ""},
+		{"(*URL).IsAbs", Method, 0, ""},
+		{"(*URL).JoinPath", Method, 19, ""},
+		{"(*URL).MarshalBinary", Method, 8, ""},
+		{"(*URL).Parse", Method, 0, ""},
+		{"(*URL).Port", Method, 8, ""},
+		{"(*URL).Query", Method, 0, ""},
+		{"(*URL).Redacted", Method, 15, ""},
+		{"(*URL).RequestURI", Method, 0, ""},
+		{"(*URL).ResolveReference", Method, 0, ""},
+		{"(*URL).String", Method, 0, ""},
+		{"(*URL).UnmarshalBinary", Method, 8, ""},
+		{"(*Userinfo).Password", Method, 0, ""},
+		{"(*Userinfo).String", Method, 0, ""},
+		{"(*Userinfo).Username", Method, 0, ""},
+		{"(EscapeError).Error", Method, 0, ""},
+		{"(InvalidHostError).Error", Method, 6, ""},
+		{"(Values).Add", Method, 0, ""},
+		{"(Values).Del", Method, 0, ""},
+		{"(Values).Encode", Method, 0, ""},
+		{"(Values).Get", Method, 0, ""},
+		{"(Values).Has", Method, 17, ""},
+		{"(Values).Set", Method, 0, ""},
+		{"Error", Type, 0, ""},
+		{"Error.Err", Field, 0, ""},
+		{"Error.Op", Field, 0, ""},
+		{"Error.URL", Field, 0, ""},
+		{"EscapeError", Type, 0, ""},
+		{"InvalidHostError", Type, 6, ""},
+		{"JoinPath", Func, 19, "func(base string, elem ...string) (result string, err error)"},
+		{"Parse", Func, 0, "func(rawURL string) (*URL, error)"},
+		{"ParseQuery", Func, 0, "func(query string) (Values, error)"},
+		{"ParseRequestURI", Func, 0, "func(rawURL string) (*URL, error)"},
+		{"PathEscape", Func, 8, "func(s string) string"},
+		{"PathUnescape", Func, 8, "func(s string) (string, error)"},
+		{"QueryEscape", Func, 0, "func(s string) string"},
+		{"QueryUnescape", Func, 0, "func(s string) (string, error)"},
+		{"URL", Type, 0, ""},
+		{"URL.ForceQuery", Field, 7, ""},
+		{"URL.Fragment", Field, 0, ""},
+		{"URL.Host", Field, 0, ""},
+		{"URL.OmitHost", Field, 19, ""},
+		{"URL.Opaque", Field, 0, ""},
+		{"URL.Path", Field, 0, ""},
+		{"URL.RawFragment", Field, 15, ""},
+		{"URL.RawPath", Field, 5, ""},
+		{"URL.RawQuery", Field, 0, ""},
+		{"URL.Scheme", Field, 0, ""},
+		{"URL.User", Field, 0, ""},
+		{"User", Func, 0, "func(username string) *Userinfo"},
+		{"UserPassword", Func, 0, "func(username string, password string) *Userinfo"},
+		{"Userinfo", Type, 0, ""},
+		{"Values", Type, 0, ""},
+	},
+	"os": {
+		{"(*File).Chdir", Method, 0, ""},
+		{"(*File).Chmod", Method, 0, ""},
+		{"(*File).Chown", Method, 0, ""},
+		{"(*File).Close", Method, 0, ""},
+		{"(*File).Fd", Method, 0, ""},
+		{"(*File).Name", Method, 0, ""},
+		{"(*File).Read", Method, 0, ""},
+		{"(*File).ReadAt", Method, 0, ""},
+		{"(*File).ReadDir", Method, 16, ""},
+		{"(*File).ReadFrom", Method, 15, ""},
+		{"(*File).Readdir", Method, 0, ""},
+		{"(*File).Readdirnames", Method, 0, ""},
+		{"(*File).Seek", Method, 0, ""},
+		{"(*File).SetDeadline", Method, 10, ""},
+		{"(*File).SetReadDeadline", Method, 10, ""},
+		{"(*File).SetWriteDeadline", Method, 10, ""},
+		{"(*File).Stat", Method, 0, ""},
+		{"(*File).Sync", Method, 0, ""},
+		{"(*File).SyscallConn", Method, 12, ""},
+		{"(*File).Truncate", Method, 0, ""},
+		{"(*File).Write", Method, 0, ""},
+		{"(*File).WriteAt", Method, 0, ""},
+		{"(*File).WriteString", Method, 0, ""},
+		{"(*File).WriteTo", Method, 22, ""},
+		{"(*LinkError).Error", Method, 0, ""},
+		{"(*LinkError).Unwrap", Method, 13, ""},
+		{"(*PathError).Error", Method, 0, ""},
+		{"(*PathError).Timeout", Method, 10, ""},
+		{"(*PathError).Unwrap", Method, 13, ""},
+		{"(*Process).Kill", Method, 0, ""},
+		{"(*Process).Release", Method, 0, ""},
+		{"(*Process).Signal", Method, 0, ""},
+		{"(*Process).Wait", Method, 0, ""},
+		{"(*Process).WithHandle", Method, 26, ""},
+		{"(*ProcessState).ExitCode", Method, 12, ""},
+		{"(*ProcessState).Exited", Method, 0, ""},
+		{"(*ProcessState).Pid", Method, 0, ""},
+		{"(*ProcessState).String", Method, 0, ""},
+		{"(*ProcessState).Success", Method, 0, ""},
+		{"(*ProcessState).Sys", Method, 0, ""},
+		{"(*ProcessState).SysUsage", Method, 0, ""},
+		{"(*ProcessState).SystemTime", Method, 0, ""},
+		{"(*ProcessState).UserTime", Method, 0, ""},
+		{"(*Root).Chmod", Method, 25, ""},
+		{"(*Root).Chown", Method, 25, ""},
+		{"(*Root).Chtimes", Method, 25, ""},
+		{"(*Root).Close", Method, 24, ""},
+		{"(*Root).Create", Method, 24, ""},
+		{"(*Root).FS", Method, 24, ""},
+		{"(*Root).Lchown", Method, 25, ""},
+		{"(*Root).Link", Method, 25, ""},
+		{"(*Root).Lstat", Method, 24, ""},
+		{"(*Root).Mkdir", Method, 24, ""},
+		{"(*Root).MkdirAll", Method, 25, ""},
+		{"(*Root).Name", Method, 24, ""},
+		{"(*Root).Open", Method, 24, ""},
+		{"(*Root).OpenFile", Method, 24, ""},
+		{"(*Root).OpenRoot", Method, 24, ""},
+		{"(*Root).ReadFile", Method, 25, ""},
+		{"(*Root).Readlink", Method, 25, ""},
+		{"(*Root).Remove", Method, 24, ""},
+		{"(*Root).RemoveAll", Method, 25, ""},
+		{"(*Root).Rename", Method, 25, ""},
+		{"(*Root).Stat", Method, 24, ""},
+		{"(*Root).Symlink", Method, 25, ""},
+		{"(*Root).WriteFile", Method, 25, ""},
+		{"(*SyscallError).Error", Method, 0, ""},
+		{"(*SyscallError).Timeout", Method, 10, ""},
+		{"(*SyscallError).Unwrap", Method, 13, ""},
+		{"(FileInfo).IsDir", Method, 0, ""},
+		{"(FileInfo).ModTime", Method, 0, ""},
+		{"(FileInfo).Mode", Method, 0, ""},
+		{"(FileInfo).Name", Method, 0, ""},
+		{"(FileInfo).Size", Method, 0, ""},
+		{"(FileInfo).Sys", Method, 0, ""},
+		{"(FileMode).IsDir", Method, 0, ""},
+		{"(FileMode).IsRegular", Method, 1, ""},
+		{"(FileMode).Perm", Method, 0, ""},
+		{"(FileMode).String", Method, 0, ""},
+		{"(Signal).Signal", Method, 0, ""},
+		{"(Signal).String", Method, 0, ""},
+		{"Args", Var, 0, ""},
+		{"Chdir", Func, 0, "func(dir string) error"},
+		{"Chmod", Func, 0, "func(name string, mode FileMode) error"},
+		{"Chown", Func, 0, "func(name string, uid int, gid int) error"},
+		{"Chtimes", Func, 0, "func(name string, atime time.Time, mtime time.Time) error"},
+		{"Clearenv", Func, 0, "func()"},
+		{"CopyFS", Func, 23, "func(dir string, fsys fs.FS) error"},
+		{"Create", Func, 0, "func(name string) (*File, error)"},
+		{"CreateTemp", Func, 16, "func(dir string, pattern string) (*File, error)"},
+		{"DevNull", Const, 0, ""},
+		{"DirEntry", Type, 16, ""},
+		{"DirFS", Func, 16, "func(dir string) fs.FS"},
+		{"Environ", Func, 0, "func() []string"},
+		{"ErrClosed", Var, 8, ""},
+		{"ErrDeadlineExceeded", Var, 15, ""},
+		{"ErrExist", Var, 0, ""},
+		{"ErrInvalid", Var, 0, ""},
+		{"ErrNoDeadline", Var, 10, ""},
+		{"ErrNoHandle", Var, 26, ""},
+		{"ErrNotExist", Var, 0, ""},
+		{"ErrPermission", Var, 0, ""},
+		{"ErrProcessDone", Var, 16, ""},
+		{"Executable", Func, 8, "func() (string, error)"},
+		{"Exit", Func, 0, "func(code int)"},
+		{"Expand", Func, 0, "func(s string, mapping func(string) string) string"},
+		{"ExpandEnv", Func, 0, "func(s string) string"},
+		{"File", Type, 0, ""},
+		{"FileInfo", Type, 0, ""},
+		{"FileMode", Type, 0, ""},
+		{"FindProcess", Func, 0, "func(pid int) (*Process, error)"},
+		{"Getegid", Func, 0, "func() int"},
+		{"Getenv", Func, 0, "func(key string) string"},
+		{"Geteuid", Func, 0, "func() int"},
+		{"Getgid", Func, 0, "func() int"},
+		{"Getgroups", Func, 0, "func() ([]int, error)"},
+		{"Getpagesize", Func, 0, "func() int"},
+		{"Getpid", Func, 0, "func() int"},
+		{"Getppid", Func, 0, "func() int"},
+		{"Getuid", Func, 0, "func() int"},
+		{"Getwd", Func, 0, "func() (dir string, err error)"},
+		{"Hostname", Func, 0, "func() (name string, err error)"},
+		{"Interrupt", Var, 0, ""},
+		{"IsExist", Func, 0, "func(err error) bool"},
+		{"IsNotExist", Func, 0, "func(err error) bool"},
+		{"IsPathSeparator", Func, 0, "func(c uint8) bool"},
+		{"IsPermission", Func, 0, "func(err error) bool"},
+		{"IsTimeout", Func, 10, "func(err error) bool"},
+		{"Kill", Var, 0, ""},
+		{"Lchown", Func, 0, "func(name string, uid int, gid int) error"},
+		{"Link", Func, 0, "func(oldname string, newname string) error"},
+		{"LinkError", Type, 0, ""},
+		{"LinkError.Err", Field, 0, ""},
+		{"LinkError.New", Field, 0, ""},
+		{"LinkError.Old", Field, 0, ""},
+		{"LinkError.Op", Field, 0, ""},
+		{"LookupEnv", Func, 5, "func(key string) (string, bool)"},
+		{"Lstat", Func, 0, "func(name string) (FileInfo, error)"},
+		{"Mkdir", Func, 0, "func(name string, perm FileMode) error"},
+		{"MkdirAll", Func, 0, "func(path string, perm FileMode) error"},
+		{"MkdirTemp", Func, 16, "func(dir string, pattern string) (string, error)"},
+		{"ModeAppend", Const, 0, ""},
+		{"ModeCharDevice", Const, 0, ""},
+		{"ModeDevice", Const, 0, ""},
+		{"ModeDir", Const, 0, ""},
+		{"ModeExclusive", Const, 0, ""},
+		{"ModeIrregular", Const, 11, ""},
+		{"ModeNamedPipe", Const, 0, ""},
+		{"ModePerm", Const, 0, ""},
+		{"ModeSetgid", Const, 0, ""},
+		{"ModeSetuid", Const, 0, ""},
+		{"ModeSocket", Const, 0, ""},
+		{"ModeSticky", Const, 0, ""},
+		{"ModeSymlink", Const, 0, ""},
+		{"ModeTemporary", Const, 0, ""},
+		{"ModeType", Const, 0, ""},
+		{"NewFile", Func, 0, "func(fd uintptr, name string) *File"},
+		{"NewSyscallError", Func, 0, "func(syscall string, err error) error"},
+		{"O_APPEND", Const, 0, ""},
+		{"O_CREATE", Const, 0, ""},
+		{"O_EXCL", Const, 0, ""},
+		{"O_RDONLY", Const, 0, ""},
+		{"O_RDWR", Const, 0, ""},
+		{"O_SYNC", Const, 0, ""},
+		{"O_TRUNC", Const, 0, ""},
+		{"O_WRONLY", Const, 0, ""},
+		{"Open", Func, 0, "func(name string) (*File, error)"},
+		{"OpenFile", Func, 0, "func(name string, flag int, perm FileMode) (*File, error)"},
+		{"OpenInRoot", Func, 24, "func(dir string, name string) (*File, error)"},
+		{"OpenRoot", Func, 24, "func(name string) (*Root, error)"},
+		{"PathError", Type, 0, ""},
+		{"PathError.Err", Field, 0, ""},
+		{"PathError.Op", Field, 0, ""},
+		{"PathError.Path", Field, 0, ""},
+		{"PathListSeparator", Const, 0, ""},
+		{"PathSeparator", Const, 0, ""},
+		{"Pipe", Func, 0, "func() (r *File, w *File, err error)"},
+		{"ProcAttr", Type, 0, ""},
+		{"ProcAttr.Dir", Field, 0, ""},
+		{"ProcAttr.Env", Field, 0, ""},
+		{"ProcAttr.Files", Field, 0, ""},
+		{"ProcAttr.Sys", Field, 0, ""},
+		{"Process", Type, 0, ""},
+		{"Process.Pid", Field, 0, ""},
+		{"ProcessState", Type, 0, ""},
+		{"ReadDir", Func, 16, "func(name string) ([]DirEntry, error)"},
+		{"ReadFile", Func, 16, "func(name string) ([]byte, error)"},
+		{"Readlink", Func, 0, "func(name string) (string, error)"},
+		{"Remove", Func, 0, "func(name string) error"},
+		{"RemoveAll", Func, 0, "func(path string) error"},
+		{"Rename", Func, 0, "func(oldpath string, newpath string) error"},
+		{"Root", Type, 24, ""},
+		{"SEEK_CUR", Const, 0, ""},
+		{"SEEK_END", Const, 0, ""},
+		{"SEEK_SET", Const, 0, ""},
+		{"SameFile", Func, 0, "func(fi1 FileInfo, fi2 FileInfo) bool"},
+		{"Setenv", Func, 0, "func(key string, value string) error"},
+		{"Signal", Type, 0, ""},
+		{"StartProcess", Func, 0, "func(name string, argv []string, attr *ProcAttr) (*Process, error)"},
+		{"Stat", Func, 0, "func(name string) (FileInfo, error)"},
+		{"Stderr", Var, 0, ""},
+		{"Stdin", Var, 0, ""},
+		{"Stdout", Var, 0, ""},
+		{"Symlink", Func, 0, "func(oldname string, newname string) error"},
+		{"SyscallError", Type, 0, ""},
+		{"SyscallError.Err", Field, 0, ""},
+		{"SyscallError.Syscall", Field, 0, ""},
+		{"TempDir", Func, 0, "func() string"},
+		{"Truncate", Func, 0, "func(name string, size int64) error"},
+		{"Unsetenv", Func, 4, "func(key string) error"},
+		{"UserCacheDir", Func, 11, "func() (string, error)"},
+		{"UserConfigDir", Func, 13, "func() (string, error)"},
+		{"UserHomeDir", Func, 12, "func() (string, error)"},
+		{"WriteFile", Func, 16, "func(name string, data []byte, perm FileMode) error"},
+	},
+	"os/exec": {
+		{"(*Cmd).CombinedOutput", Method, 0, ""},
+		{"(*Cmd).Environ", Method, 19, ""},
+		{"(*Cmd).Output", Method, 0, ""},
+		{"(*Cmd).Run", Method, 0, ""},
+		{"(*Cmd).Start", Method, 0, ""},
+		{"(*Cmd).StderrPipe", Method, 0, ""},
+		{"(*Cmd).StdinPipe", Method, 0, ""},
+		{"(*Cmd).StdoutPipe", Method, 0, ""},
+		{"(*Cmd).String", Method, 13, ""},
+		{"(*Cmd).Wait", Method, 0, ""},
+		{"(*Error).Error", Method, 0, ""},
+		{"(*Error).Unwrap", Method, 13, ""},
+		{"(*ExitError).Error", Method, 0, ""},
+		{"(ExitError).ExitCode", Method, 12, ""},
+		{"(ExitError).Exited", Method, 0, ""},
+		{"(ExitError).Pid", Method, 0, ""},
+		{"(ExitError).String", Method, 0, ""},
+		{"(ExitError).Success", Method, 0, ""},
+		{"(ExitError).Sys", Method, 0, ""},
+		{"(ExitError).SysUsage", Method, 0, ""},
+		{"(ExitError).SystemTime", Method, 0, ""},
+		{"(ExitError).UserTime", Method, 0, ""},
+		{"Cmd", Type, 0, ""},
+		{"Cmd.Args", Field, 0, ""},
+		{"Cmd.Cancel", Field, 20, ""},
+		{"Cmd.Dir", Field, 0, ""},
+		{"Cmd.Env", Field, 0, ""},
+		{"Cmd.Err", Field, 19, ""},
+		{"Cmd.ExtraFiles", Field, 0, ""},
+		{"Cmd.Path", Field, 0, ""},
+		{"Cmd.Process", Field, 0, ""},
+		{"Cmd.ProcessState", Field, 0, ""},
+		{"Cmd.Stderr", Field, 0, ""},
+		{"Cmd.Stdin", Field, 0, ""},
+		{"Cmd.Stdout", Field, 0, ""},
+		{"Cmd.SysProcAttr", Field, 0, ""},
+		{"Cmd.WaitDelay", Field, 20, ""},
+		{"Command", Func, 0, "func(name string, arg ...string) *Cmd"},
+		{"CommandContext", Func, 7, "func(ctx context.Context, name string, arg ...string) *Cmd"},
+		{"ErrDot", Var, 19, ""},
+		{"ErrNotFound", Var, 0, ""},
+		{"ErrWaitDelay", Var, 20, ""},
+		{"Error", Type, 0, ""},
+		{"Error.Err", Field, 0, ""},
+		{"Error.Name", Field, 0, ""},
+		{"ExitError", Type, 0, ""},
+		{"ExitError.ProcessState", Field, 0, ""},
+		{"ExitError.Stderr", Field, 6, ""},
+		{"LookPath", Func, 0, "func(file string) (string, error)"},
+	},
+	"os/signal": {
+		{"Ignore", Func, 5, "func(sig ...os.Signal)"},
+		{"Ignored", Func, 11, "func(sig os.Signal) bool"},
+		{"Notify", Func, 0, "func(c chan<- os.Signal, sig ...os.Signal)"},
+		{"NotifyContext", Func, 16, "func(parent context.Context, signals ...os.Signal) (ctx context.Context, stop context.CancelFunc)"},
+		{"Reset", Func, 5, "func(sig ...os.Signal)"},
+		{"Stop", Func, 1, "func(c chan<- os.Signal)"},
+	},
+	"os/user": {
+		{"(*User).GroupIds", Method, 7, ""},
+		{"(UnknownGroupError).Error", Method, 7, ""},
+		{"(UnknownGroupIdError).Error", Method, 7, ""},
+		{"(UnknownUserError).Error", Method, 0, ""},
+		{"(UnknownUserIdError).Error", Method, 0, ""},
+		{"Current", Func, 0, "func() (*User, error)"},
+		{"Group", Type, 7, ""},
+		{"Group.Gid", Field, 7, ""},
+		{"Group.Name", Field, 7, ""},
+		{"Lookup", Func, 0, "func(username string) (*User, error)"},
+		{"LookupGroup", Func, 7, "func(name string) (*Group, error)"},
+		{"LookupGroupId", Func, 7, "func(gid string) (*Group, error)"},
+		{"LookupId", Func, 0, "func(uid string) (*User, error)"},
+		{"UnknownGroupError", Type, 7, ""},
+		{"UnknownGroupIdError", Type, 7, ""},
+		{"UnknownUserError", Type, 0, ""},
+		{"UnknownUserIdError", Type, 0, ""},
+		{"User", Type, 0, ""},
+		{"User.Gid", Field, 0, ""},
+		{"User.HomeDir", Field, 0, ""},
+		{"User.Name", Field, 0, ""},
+		{"User.Uid", Field, 0, ""},
+		{"User.Username", Field, 0, ""},
+	},
+	"path": {
+		{"Base", Func, 0, "func(path string) string"},
+		{"Clean", Func, 0, "func(path string) string"},
+		{"Dir", Func, 0, "func(path string) string"},
+		{"ErrBadPattern", Var, 0, ""},
+		{"Ext", Func, 0, "func(path string) string"},
+		{"IsAbs", Func, 0, "func(path string) bool"},
+		{"Join", Func, 0, "func(elem ...string) string"},
+		{"Match", Func, 0, "func(pattern string, name string) (matched bool, err error)"},
+		{"Split", Func, 0, "func(path string) (dir string, file string)"},
+	},
+	"path/filepath": {
+		{"Abs", Func, 0, "func(path string) (string, error)"},
+		{"Base", Func, 0, "func(path string) string"},
+		{"Clean", Func, 0, "func(path string) string"},
+		{"Dir", Func, 0, "func(path string) string"},
+		{"ErrBadPattern", Var, 0, ""},
+		{"EvalSymlinks", Func, 0, "func(path string) (string, error)"},
+		{"Ext", Func, 0, "func(path string) string"},
+		{"FromSlash", Func, 0, "func(path string) string"},
+		{"Glob", Func, 0, "func(pattern string) (matches []string, err error)"},
+		{"HasPrefix", Func, 0, "func(p string, prefix string) bool"},
+		{"IsAbs", Func, 0, "func(path string) bool"},
+		{"IsLocal", Func, 20, "func(path string) bool"},
+		{"Join", Func, 0, "func(elem ...string) string"},
+		{"ListSeparator", Const, 0, ""},
+		{"Localize", Func, 23, "func(path string) (string, error)"},
+		{"Match", Func, 0, "func(pattern string, name string) (matched bool, err error)"},
+		{"Rel", Func, 0, "func(basePath string, targPath string) (string, error)"},
+		{"Separator", Const, 0, ""},
+		{"SkipAll", Var, 20, ""},
+		{"SkipDir", Var, 0, ""},
+		{"Split", Func, 0, "func(path string) (dir string, file string)"},
+		{"SplitList", Func, 0, "func(path string) []string"},
+		{"ToSlash", Func, 0, "func(path string) string"},
+		{"VolumeName", Func, 0, "func(path string) string"},
+		{"Walk", Func, 0, "func(root string, fn WalkFunc) error"},
+		{"WalkDir", Func, 16, "func(root string, fn fs.WalkDirFunc) error"},
+		{"WalkFunc", Type, 0, ""},
+	},
+	"plugin": {
+		{"(*Plugin).Lookup", Method, 8, ""},
+		{"Open", Func, 8, "func(path string) (*Plugin, error)"},
+		{"Plugin", Type, 8, ""},
+		{"Symbol", Type, 8, ""},
+	},
+	"reflect": {
+		{"(*MapIter).Key", Method, 12, ""},
+		{"(*MapIter).Next", Method, 12, ""},
+		{"(*MapIter).Reset", Method, 18, ""},
+		{"(*MapIter).Value", Method, 12, ""},
+		{"(*ValueError).Error", Method, 0, ""},
+		{"(ChanDir).String", Method, 0, ""},
+		{"(Kind).String", Method, 0, ""},
+		{"(Method).IsExported", Method, 17, ""},
+		{"(StructField).IsExported", Method, 17, ""},
+		{"(StructTag).Get", Method, 0, ""},
+		{"(StructTag).Lookup", Method, 7, ""},
+		{"(Type).Align", Method, 0, ""},
+		{"(Type).AssignableTo", Method, 0, ""},
+		{"(Type).Bits", Method, 0, ""},
+		{"(Type).CanSeq", Method, 23, ""},
+		{"(Type).CanSeq2", Method, 23, ""},
+		{"(Type).ChanDir", Method, 0, ""},
+		{"(Type).Comparable", Method, 4, ""},
+		{"(Type).ConvertibleTo", Method, 1, ""},
+		{"(Type).Elem", Method, 0, ""},
+		{"(Type).Field", Method, 0, ""},
+		{"(Type).FieldAlign", Method, 0, ""},
+		{"(Type).FieldByIndex", Method, 0, ""},
+		{"(Type).FieldByName", Method, 0, ""},
+		{"(Type).FieldByNameFunc", Method, 0, ""},
+		{"(Type).Fields", Method, 26, ""},
+		{"(Type).Implements", Method, 0, ""},
+		{"(Type).In", Method, 0, ""},
+		{"(Type).Ins", Method, 26, ""},
+		{"(Type).IsVariadic", Method, 0, ""},
+		{"(Type).Key", Method, 0, ""},
+		{"(Type).Kind", Method, 0, ""},
+		{"(Type).Len", Method, 0, ""},
+		{"(Type).Method", Method, 0, ""},
+		{"(Type).MethodByName", Method, 0, ""},
+		{"(Type).Methods", Method, 26, ""},
+		{"(Type).Name", Method, 0, ""},
+		{"(Type).NumField", Method, 0, ""},
+		{"(Type).NumIn", Method, 0, ""},
+		{"(Type).NumMethod", Method, 0, ""},
+		{"(Type).NumOut", Method, 0, ""},
+		{"(Type).Out", Method, 0, ""},
+		{"(Type).Outs", Method, 26, ""},
+		{"(Type).OverflowComplex", Method, 23, ""},
+		{"(Type).OverflowFloat", Method, 23, ""},
+		{"(Type).OverflowInt", Method, 23, ""},
+		{"(Type).OverflowUint", Method, 23, ""},
+		{"(Type).PkgPath", Method, 0, ""},
+		{"(Type).Size", Method, 0, ""},
+		{"(Type).String", Method, 0, ""},
+		{"(Value).Addr", Method, 0, ""},
+		{"(Value).Bool", Method, 0, ""},
+		{"(Value).Bytes", Method, 0, ""},
+		{"(Value).Call", Method, 0, ""},
+		{"(Value).CallSlice", Method, 0, ""},
+		{"(Value).CanAddr", Method, 0, ""},
+		{"(Value).CanComplex", Method, 18, ""},
+		{"(Value).CanConvert", Method, 17, ""},
+		{"(Value).CanFloat", Method, 18, ""},
+		{"(Value).CanInt", Method, 18, ""},
+		{"(Value).CanInterface", Method, 0, ""},
+		{"(Value).CanSet", Method, 0, ""},
+		{"(Value).CanUint", Method, 18, ""},
+		{"(Value).Cap", Method, 0, ""},
+		{"(Value).Clear", Method, 21, ""},
+		{"(Value).Close", Method, 0, ""},
+		{"(Value).Comparable", Method, 20, ""},
+		{"(Value).Complex", Method, 0, ""},
+		{"(Value).Convert", Method, 1, ""},
+		{"(Value).Elem", Method, 0, ""},
+		{"(Value).Equal", Method, 20, ""},
+		{"(Value).Field", Method, 0, ""},
+		{"(Value).FieldByIndex", Method, 0, ""},
+		{"(Value).FieldByIndexErr", Method, 18, ""},
+		{"(Value).FieldByName", Method, 0, ""},
+		{"(Value).FieldByNameFunc", Method, 0, ""},
+		{"(Value).Fields", Method, 26, ""},
+		{"(Value).Float", Method, 0, ""},
+		{"(Value).Grow", Method, 20, ""},
+		{"(Value).Index", Method, 0, ""},
+		{"(Value).Int", Method, 0, ""},
+		{"(Value).Interface", Method, 0, ""},
+		{"(Value).InterfaceData", Method, 0, ""},
+		{"(Value).IsNil", Method, 0, ""},
+		{"(Value).IsValid", Method, 0, ""},
+		{"(Value).IsZero", Method, 13, ""},
+		{"(Value).Kind", Method, 0, ""},
+		{"(Value).Len", Method, 0, ""},
+		{"(Value).MapIndex", Method, 0, ""},
+		{"(Value).MapKeys", Method, 0, ""},
+		{"(Value).MapRange", Method, 12, ""},
+		{"(Value).Method", Method, 0, ""},
+		{"(Value).MethodByName", Method, 0, ""},
+		{"(Value).Methods", Method, 26, ""},
+		{"(Value).NumField", Method, 0, ""},
+		{"(Value).NumMethod", Method, 0, ""},
+		{"(Value).OverflowComplex", Method, 0, ""},
+		{"(Value).OverflowFloat", Method, 0, ""},
+		{"(Value).OverflowInt", Method, 0, ""},
+		{"(Value).OverflowUint", Method, 0, ""},
+		{"(Value).Pointer", Method, 0, ""},
+		{"(Value).Recv", Method, 0, ""},
+		{"(Value).Send", Method, 0, ""},
+		{"(Value).Seq", Method, 23, ""},
+		{"(Value).Seq2", Method, 23, ""},
+		{"(Value).Set", Method, 0, ""},
+		{"(Value).SetBool", Method, 0, ""},
+		{"(Value).SetBytes", Method, 0, ""},
+		{"(Value).SetCap", Method, 2, ""},
+		{"(Value).SetComplex", Method, 0, ""},
+		{"(Value).SetFloat", Method, 0, ""},
+		{"(Value).SetInt", Method, 0, ""},
+		{"(Value).SetIterKey", Method, 18, ""},
+		{"(Value).SetIterValue", Method, 18, ""},
+		{"(Value).SetLen", Method, 0, ""},
+		{"(Value).SetMapIndex", Method, 0, ""},
+		{"(Value).SetPointer", Method, 0, ""},
+		{"(Value).SetString", Method, 0, ""},
+		{"(Value).SetUint", Method, 0, ""},
+		{"(Value).SetZero", Method, 20, ""},
+		{"(Value).Slice", Method, 0, ""},
+		{"(Value).Slice3", Method, 2, ""},
+		{"(Value).String", Method, 0, ""},
+		{"(Value).TryRecv", Method, 0, ""},
+		{"(Value).TrySend", Method, 0, ""},
+		{"(Value).Type", Method, 0, ""},
+		{"(Value).Uint", Method, 0, ""},
+		{"(Value).UnsafeAddr", Method, 0, ""},
+		{"(Value).UnsafePointer", Method, 18, ""},
+		{"Append", Func, 0, "func(s Value, x ...Value) Value"},
+		{"AppendSlice", Func, 0, "func(s Value, t Value) Value"},
+		{"Array", Const, 0, ""},
+		{"ArrayOf", Func, 5, "func(length int, elem Type) Type"},
+		{"Bool", Const, 0, ""},
+		{"BothDir", Const, 0, ""},
+		{"Chan", Const, 0, ""},
+		{"ChanDir", Type, 0, ""},
+		{"ChanOf", Func, 1, "func(dir ChanDir, t Type) Type"},
+		{"Complex128", Const, 0, ""},
+		{"Complex64", Const, 0, ""},
+		{"Copy", Func, 0, "func(dst Value, src Value) int"},
+		{"DeepEqual", Func, 0, "func(x any, y any) bool"},
+		{"Float32", Const, 0, ""},
+		{"Float64", Const, 0, ""},
+		{"Func", Const, 0, ""},
+		{"FuncOf", Func, 5, "func(in []Type, out []Type, variadic bool) Type"},
+		{"Indirect", Func, 0, "func(v Value) Value"},
+		{"Int", Const, 0, ""},
+		{"Int16", Const, 0, ""},
+		{"Int32", Const, 0, ""},
+		{"Int64", Const, 0, ""},
+		{"Int8", Const, 0, ""},
+		{"Interface", Const, 0, ""},
+		{"Invalid", Const, 0, ""},
+		{"Kind", Type, 0, ""},
+		{"MakeChan", Func, 0, "func(typ Type, buffer int) Value"},
+		{"MakeFunc", Func, 1, "func(typ Type, fn func(args []Value) (results []Value)) Value"},
+		{"MakeMap", Func, 0, "func(typ Type) Value"},
+		{"MakeMapWithSize", Func, 9, "func(typ Type, n int) Value"},
+		{"MakeSlice", Func, 0, "func(typ Type, len int, cap int) Value"},
+		{"Map", Const, 0, ""},
+		{"MapIter", Type, 12, ""},
+		{"MapOf", Func, 1, "func(key Type, elem Type) Type"},
+		{"Method", Type, 0, ""},
+		{"Method.Func", Field, 0, ""},
+		{"Method.Index", Field, 0, ""},
+		{"Method.Name", Field, 0, ""},
+		{"Method.PkgPath", Field, 0, ""},
+		{"Method.Type", Field, 0, ""},
+		{"New", Func, 0, "func(typ Type) Value"},
+		{"NewAt", Func, 0, "func(typ Type, p unsafe.Pointer) Value"},
+		{"Pointer", Const, 18, ""},
+		{"PointerTo", Func, 18, "func(t Type) Type"},
+		{"Ptr", Const, 0, ""},
+		{"PtrTo", Func, 0, "func(t Type) Type"},
+		{"RecvDir", Const, 0, ""},
+		{"Select", Func, 1, "func(cases []SelectCase) (chosen int, recv Value, recvOK bool)"},
+		{"SelectCase", Type, 1, ""},
+		{"SelectCase.Chan", Field, 1, ""},
+		{"SelectCase.Dir", Field, 1, ""},
+		{"SelectCase.Send", Field, 1, ""},
+		{"SelectDefault", Const, 1, ""},
+		{"SelectDir", Type, 1, ""},
+		{"SelectRecv", Const, 1, ""},
+		{"SelectSend", Const, 1, ""},
+		{"SendDir", Const, 0, ""},
+		{"Slice", Const, 0, ""},
+		{"SliceAt", Func, 23, "func(typ Type, p unsafe.Pointer, n int) Value"},
+		{"SliceHeader", Type, 0, ""},
+		{"SliceHeader.Cap", Field, 0, ""},
+		{"SliceHeader.Data", Field, 0, ""},
+		{"SliceHeader.Len", Field, 0, ""},
+		{"SliceOf", Func, 1, "func(t Type) Type"},
+		{"String", Const, 0, ""},
+		{"StringHeader", Type, 0, ""},
+		{"StringHeader.Data", Field, 0, ""},
+		{"StringHeader.Len", Field, 0, ""},
+		{"Struct", Const, 0, ""},
+		{"StructField", Type, 0, ""},
+		{"StructField.Anonymous", Field, 0, ""},
+		{"StructField.Index", Field, 0, ""},
+		{"StructField.Name", Field, 0, ""},
+		{"StructField.Offset", Field, 0, ""},
+		{"StructField.PkgPath", Field, 0, ""},
+		{"StructField.Tag", Field, 0, ""},
+		{"StructField.Type", Field, 0, ""},
+		{"StructOf", Func, 7, "func(fields []StructField) Type"},
+		{"StructTag", Type, 0, ""},
+		{"Swapper", Func, 8, "func(slice any) func(i int, j int)"},
+		{"TypeAssert", Func, 25, "func[T any](v Value) (T, bool)"},
+		{"TypeFor", Func, 22, "func[T any]() Type"},
+		{"TypeOf", Func, 0, "func(i any) Type"},
+		{"Uint", Const, 0, ""},
+		{"Uint16", Const, 0, ""},
+		{"Uint32", Const, 0, ""},
+		{"Uint64", Const, 0, ""},
+		{"Uint8", Const, 0, ""},
+		{"Uintptr", Const, 0, ""},
+		{"UnsafePointer", Const, 0, ""},
+		{"Value", Type, 0, ""},
+		{"ValueError", Type, 0, ""},
+		{"ValueError.Kind", Field, 0, ""},
+		{"ValueError.Method", Field, 0, ""},
+		{"ValueOf", Func, 0, "func(i any) Value"},
+		{"VisibleFields", Func, 17, "func(t Type) []StructField"},
+		{"Zero", Func, 0, "func(typ Type) Value"},
+	},
+	"regexp": {
+		{"(*Regexp).AppendText", Method, 24, ""},
+		{"(*Regexp).Copy", Method, 6, ""},
+		{"(*Regexp).Expand", Method, 0, ""},
+		{"(*Regexp).ExpandString", Method, 0, ""},
+		{"(*Regexp).Find", Method, 0, ""},
+		{"(*Regexp).FindAll", Method, 0, ""},
+		{"(*Regexp).FindAllIndex", Method, 0, ""},
+		{"(*Regexp).FindAllString", Method, 0, ""},
+		{"(*Regexp).FindAllStringIndex", Method, 0, ""},
+		{"(*Regexp).FindAllStringSubmatch", Method, 0, ""},
+		{"(*Regexp).FindAllStringSubmatchIndex", Method, 0, ""},
+		{"(*Regexp).FindAllSubmatch", Method, 0, ""},
+		{"(*Regexp).FindAllSubmatchIndex", Method, 0, ""},
+		{"(*Regexp).FindIndex", Method, 0, ""},
+		{"(*Regexp).FindReaderIndex", Method, 0, ""},
+		{"(*Regexp).FindReaderSubmatchIndex", Method, 0, ""},
+		{"(*Regexp).FindString", Method, 0, ""},
+		{"(*Regexp).FindStringIndex", Method, 0, ""},
+		{"(*Regexp).FindStringSubmatch", Method, 0, ""},
+		{"(*Regexp).FindStringSubmatchIndex", Method, 0, ""},
+		{"(*Regexp).FindSubmatch", Method, 0, ""},
+		{"(*Regexp).FindSubmatchIndex", Method, 0, ""},
+		{"(*Regexp).LiteralPrefix", Method, 0, ""},
+		{"(*Regexp).Longest", Method, 1, ""},
+		{"(*Regexp).MarshalText", Method, 21, ""},
+		{"(*Regexp).Match", Method, 0, ""},
+		{"(*Regexp).MatchReader", Method, 0, ""},
+		{"(*Regexp).MatchString", Method, 0, ""},
+		{"(*Regexp).NumSubexp", Method, 0, ""},
+		{"(*Regexp).ReplaceAll", Method, 0, ""},
+		{"(*Regexp).ReplaceAllFunc", Method, 0, ""},
+		{"(*Regexp).ReplaceAllLiteral", Method, 0, ""},
+		{"(*Regexp).ReplaceAllLiteralString", Method, 0, ""},
+		{"(*Regexp).ReplaceAllString", Method, 0, ""},
+		{"(*Regexp).ReplaceAllStringFunc", Method, 0, ""},
+		{"(*Regexp).Split", Method, 1, ""},
+		{"(*Regexp).String", Method, 0, ""},
+		{"(*Regexp).SubexpIndex", Method, 15, ""},
+		{"(*Regexp).SubexpNames", Method, 0, ""},
+		{"(*Regexp).UnmarshalText", Method, 21, ""},
+		{"Compile", Func, 0, "func(expr string) (*Regexp, error)"},
+		{"CompilePOSIX", Func, 0, "func(expr string) (*Regexp, error)"},
+		{"Match", Func, 0, "func(pattern string, b []byte) (matched bool, err error)"},
+		{"MatchReader", Func, 0, "func(pattern string, r io.RuneReader) (matched bool, err error)"},
+		{"MatchString", Func, 0, "func(pattern string, s string) (matched bool, err error)"},
+		{"MustCompile", Func, 0, "func(str string) *Regexp"},
+		{"MustCompilePOSIX", Func, 0, "func(str string) *Regexp"},
+		{"QuoteMeta", Func, 0, "func(s string) string"},
+		{"Regexp", Type, 0, ""},
+	},
+	"regexp/syntax": {
+		{"(*Error).Error", Method, 0, ""},
+		{"(*Inst).MatchEmptyWidth", Method, 0, ""},
+		{"(*Inst).MatchRune", Method, 0, ""},
+		{"(*Inst).MatchRunePos", Method, 3, ""},
+		{"(*Inst).String", Method, 0, ""},
+		{"(*Prog).Prefix", Method, 0, ""},
+		{"(*Prog).StartCond", Method, 0, ""},
+		{"(*Prog).String", Method, 0, ""},
+		{"(*Regexp).CapNames", Method, 0, ""},
+		{"(*Regexp).Equal", Method, 0, ""},
+		{"(*Regexp).MaxCap", Method, 0, ""},
+		{"(*Regexp).Simplify", Method, 0, ""},
+		{"(*Regexp).String", Method, 0, ""},
+		{"(ErrorCode).String", Method, 0, ""},
+		{"(InstOp).String", Method, 3, ""},
+		{"(Op).String", Method, 11, ""},
+		{"ClassNL", Const, 0, ""},
+		{"Compile", Func, 0, "func(re *Regexp) (*Prog, error)"},
+		{"DotNL", Const, 0, ""},
+		{"EmptyBeginLine", Const, 0, ""},
+		{"EmptyBeginText", Const, 0, ""},
+		{"EmptyEndLine", Const, 0, ""},
+		{"EmptyEndText", Const, 0, ""},
+		{"EmptyNoWordBoundary", Const, 0, ""},
+		{"EmptyOp", Type, 0, ""},
+		{"EmptyOpContext", Func, 0, "func(r1 rune, r2 rune) EmptyOp"},
+		{"EmptyWordBoundary", Const, 0, ""},
+		{"ErrInternalError", Const, 0, ""},
+		{"ErrInvalidCharClass", Const, 0, ""},
+		{"ErrInvalidCharRange", Const, 0, ""},
+		{"ErrInvalidEscape", Const, 0, ""},
+		{"ErrInvalidNamedCapture", Const, 0, ""},
+		{"ErrInvalidPerlOp", Const, 0, ""},
+		{"ErrInvalidRepeatOp", Const, 0, ""},
+		{"ErrInvalidRepeatSize", Const, 0, ""},
+		{"ErrInvalidUTF8", Const, 0, ""},
+		{"ErrLarge", Const, 20, ""},
+		{"ErrMissingBracket", Const, 0, ""},
+		{"ErrMissingParen", Const, 0, ""},
+		{"ErrMissingRepeatArgument", Const, 0, ""},
+		{"ErrNestingDepth", Const, 19, ""},
+		{"ErrTrailingBackslash", Const, 0, ""},
+		{"ErrUnexpectedParen", Const, 1, ""},
+		{"Error", Type, 0, ""},
+		{"Error.Code", Field, 0, ""},
+		{"Error.Expr", Field, 0, ""},
+		{"ErrorCode", Type, 0, ""},
+		{"Flags", Type, 0, ""},
+		{"FoldCase", Const, 0, ""},
+		{"Inst", Type, 0, ""},
+		{"Inst.Arg", Field, 0, ""},
+		{"Inst.Op", Field, 0, ""},
+		{"Inst.Out", Field, 0, ""},
+		{"Inst.Rune", Field, 0, ""},
+		{"InstAlt", Const, 0, ""},
+		{"InstAltMatch", Const, 0, ""},
+		{"InstCapture", Const, 0, ""},
+		{"InstEmptyWidth", Const, 0, ""},
+		{"InstFail", Const, 0, ""},
+		{"InstMatch", Const, 0, ""},
+		{"InstNop", Const, 0, ""},
+		{"InstOp", Type, 0, ""},
+		{"InstRune", Const, 0, ""},
+		{"InstRune1", Const, 0, ""},
+		{"InstRuneAny", Const, 0, ""},
+		{"InstRuneAnyNotNL", Const, 0, ""},
+		{"IsWordChar", Func, 0, "func(r rune) bool"},
+		{"Literal", Const, 0, ""},
+		{"MatchNL", Const, 0, ""},
+		{"NonGreedy", Const, 0, ""},
+		{"OneLine", Const, 0, ""},
+		{"Op", Type, 0, ""},
+		{"OpAlternate", Const, 0, ""},
+		{"OpAnyChar", Const, 0, ""},
+		{"OpAnyCharNotNL", Const, 0, ""},
+		{"OpBeginLine", Const, 0, ""},
+		{"OpBeginText", Const, 0, ""},
+		{"OpCapture", Const, 0, ""},
+		{"OpCharClass", Const, 0, ""},
+		{"OpConcat", Const, 0, ""},
+		{"OpEmptyMatch", Const, 0, ""},
+		{"OpEndLine", Const, 0, ""},
+		{"OpEndText", Const, 0, ""},
+		{"OpLiteral", Const, 0, ""},
+		{"OpNoMatch", Const, 0, ""},
+		{"OpNoWordBoundary", Const, 0, ""},
+		{"OpPlus", Const, 0, ""},
+		{"OpQuest", Const, 0, ""},
+		{"OpRepeat", Const, 0, ""},
+		{"OpStar", Const, 0, ""},
+		{"OpWordBoundary", Const, 0, ""},
+		{"POSIX", Const, 0, ""},
+		{"Parse", Func, 0, "func(s string, flags Flags) (*Regexp, error)"},
+		{"Perl", Const, 0, ""},
+		{"PerlX", Const, 0, ""},
+		{"Prog", Type, 0, ""},
+		{"Prog.Inst", Field, 0, ""},
+		{"Prog.NumCap", Field, 0, ""},
+		{"Prog.Start", Field, 0, ""},
+		{"Regexp", Type, 0, ""},
+		{"Regexp.Cap", Field, 0, ""},
+		{"Regexp.Flags", Field, 0, ""},
+		{"Regexp.Max", Field, 0, ""},
+		{"Regexp.Min", Field, 0, ""},
+		{"Regexp.Name", Field, 0, ""},
+		{"Regexp.Op", Field, 0, ""},
+		{"Regexp.Rune", Field, 0, ""},
+		{"Regexp.Rune0", Field, 0, ""},
+		{"Regexp.Sub", Field, 0, ""},
+		{"Regexp.Sub0", Field, 0, ""},
+		{"Simple", Const, 0, ""},
+		{"UnicodeGroups", Const, 0, ""},
+		{"WasDollar", Const, 0, ""},
+	},
+	"runtime": {
+		{"(*BlockProfileRecord).Stack", Method, 1, ""},
+		{"(*Frames).Next", Method, 7, ""},
+		{"(*Func).Entry", Method, 0, ""},
+		{"(*Func).FileLine", Method, 0, ""},
+		{"(*Func).Name", Method, 0, ""},
+		{"(*MemProfileRecord).InUseBytes", Method, 0, ""},
+		{"(*MemProfileRecord).InUseObjects", Method, 0, ""},
+		{"(*MemProfileRecord).Stack", Method, 0, ""},
+		{"(*PanicNilError).Error", Method, 21, ""},
+		{"(*PanicNilError).RuntimeError", Method, 21, ""},
+		{"(*Pinner).Pin", Method, 21, ""},
+		{"(*Pinner).Unpin", Method, 21, ""},
+		{"(*StackRecord).Stack", Method, 0, ""},
+		{"(*TypeAssertionError).Error", Method, 0, ""},
+		{"(*TypeAssertionError).RuntimeError", Method, 0, ""},
+		{"(Cleanup).Stop", Method, 24, ""},
+		{"(Error).Error", Method, 0, ""},
+		{"(Error).RuntimeError", Method, 0, ""},
+		{"AddCleanup", Func, 24, "func[T, S any](ptr *T, cleanup func(S), arg S) Cleanup"},
+		{"BlockProfile", Func, 1, "func(p []BlockProfileRecord) (n int, ok bool)"},
+		{"BlockProfileRecord", Type, 1, ""},
+		{"BlockProfileRecord.Count", Field, 1, ""},
+		{"BlockProfileRecord.Cycles", Field, 1, ""},
+		{"BlockProfileRecord.StackRecord", Field, 1, ""},
+		{"Breakpoint", Func, 0, "func()"},
+		{"CPUProfile", Func, 0, "func() []byte"},
+		{"Caller", Func, 0, "func(skip int) (pc uintptr, file string, line int, ok bool)"},
+		{"Callers", Func, 0, "func(skip int, pc []uintptr) int"},
+		{"CallersFrames", Func, 7, "func(callers []uintptr) *Frames"},
+		{"Cleanup", Type, 24, ""},
+		{"Compiler", Const, 0, ""},
+		{"Error", Type, 0, ""},
+		{"Frame", Type, 7, ""},
+		{"Frame.Entry", Field, 7, ""},
+		{"Frame.File", Field, 7, ""},
+		{"Frame.Func", Field, 7, ""},
+		{"Frame.Function", Field, 7, ""},
+		{"Frame.Line", Field, 7, ""},
+		{"Frame.PC", Field, 7, ""},
+		{"Frames", Type, 7, ""},
+		{"Func", Type, 0, ""},
+		{"FuncForPC", Func, 0, "func(pc uintptr) *Func"},
+		{"GC", Func, 0, "func()"},
+		{"GOARCH", Const, 0, ""},
+		{"GOMAXPROCS", Func, 0, "func(n int) int"},
+		{"GOOS", Const, 0, ""},
+		{"GOROOT", Func, 0, "func() string"},
+		{"Goexit", Func, 0, "func()"},
+		{"GoroutineProfile", Func, 0, "func(p []StackRecord) (n int, ok bool)"},
+		{"Gosched", Func, 0, "func()"},
+		{"KeepAlive", Func, 7, "func(x any)"},
+		{"LockOSThread", Func, 0, "func()"},
+		{"MemProfile", Func, 0, "func(p []MemProfileRecord, inuseZero bool) (n int, ok bool)"},
+		{"MemProfileRate", Var, 0, ""},
+		{"MemProfileRecord", Type, 0, ""},
+		{"MemProfileRecord.AllocBytes", Field, 0, ""},
+		{"MemProfileRecord.AllocObjects", Field, 0, ""},
+		{"MemProfileRecord.FreeBytes", Field, 0, ""},
+		{"MemProfileRecord.FreeObjects", Field, 0, ""},
+		{"MemProfileRecord.Stack0", Field, 0, ""},
+		{"MemStats", Type, 0, ""},
+		{"MemStats.Alloc", Field, 0, ""},
+		{"MemStats.BuckHashSys", Field, 0, ""},
+		{"MemStats.BySize", Field, 0, ""},
+		{"MemStats.DebugGC", Field, 0, ""},
+		{"MemStats.EnableGC", Field, 0, ""},
+		{"MemStats.Frees", Field, 0, ""},
+		{"MemStats.GCCPUFraction", Field, 5, ""},
+		{"MemStats.GCSys", Field, 2, ""},
+		{"MemStats.HeapAlloc", Field, 0, ""},
+		{"MemStats.HeapIdle", Field, 0, ""},
+		{"MemStats.HeapInuse", Field, 0, ""},
+		{"MemStats.HeapObjects", Field, 0, ""},
+		{"MemStats.HeapReleased", Field, 0, ""},
+		{"MemStats.HeapSys", Field, 0, ""},
+		{"MemStats.LastGC", Field, 0, ""},
+		{"MemStats.Lookups", Field, 0, ""},
+		{"MemStats.MCacheInuse", Field, 0, ""},
+		{"MemStats.MCacheSys", Field, 0, ""},
+		{"MemStats.MSpanInuse", Field, 0, ""},
+		{"MemStats.MSpanSys", Field, 0, ""},
+		{"MemStats.Mallocs", Field, 0, ""},
+		{"MemStats.NextGC", Field, 0, ""},
+		{"MemStats.NumForcedGC", Field, 8, ""},
+		{"MemStats.NumGC", Field, 0, ""},
+		{"MemStats.OtherSys", Field, 2, ""},
+		{"MemStats.PauseEnd", Field, 4, ""},
+		{"MemStats.PauseNs", Field, 0, ""},
+		{"MemStats.PauseTotalNs", Field, 0, ""},
+		{"MemStats.StackInuse", Field, 0, ""},
+		{"MemStats.StackSys", Field, 0, ""},
+		{"MemStats.Sys", Field, 0, ""},
+		{"MemStats.TotalAlloc", Field, 0, ""},
+		{"MutexProfile", Func, 8, "func(p []BlockProfileRecord) (n int, ok bool)"},
+		{"NumCPU", Func, 0, "func() int"},
+		{"NumCgoCall", Func, 0, "func() int64"},
+		{"NumGoroutine", Func, 0, "func() int"},
+		{"PanicNilError", Type, 21, ""},
+		{"Pinner", Type, 21, ""},
+		{"ReadMemStats", Func, 0, "func(m *MemStats)"},
+		{"ReadTrace", Func, 5, "func() (buf []byte)"},
+		{"SetBlockProfileRate", Func, 1, "func(rate int)"},
+		{"SetCPUProfileRate", Func, 0, "func(hz int)"},
+		{"SetCgoTraceback", Func, 7, "func(version int, traceback unsafe.Pointer, context unsafe.Pointer, symbolizer unsafe.Pointer)"},
+		{"SetDefaultGOMAXPROCS", Func, 25, "func()"},
+		{"SetFinalizer", Func, 0, "func(obj any, finalizer any)"},
+		{"SetMutexProfileFraction", Func, 8, "func(rate int) int"},
+		{"Stack", Func, 0, "func(buf []byte, all bool) int"},
+		{"StackRecord", Type, 0, ""},
+		{"StackRecord.Stack0", Field, 0, ""},
+		{"StartTrace", Func, 5, "func() error"},
+		{"StopTrace", Func, 5, "func()"},
+		{"ThreadCreateProfile", Func, 0, "func(p []StackRecord) (n int, ok bool)"},
+		{"TypeAssertionError", Type, 0, ""},
+		{"UnlockOSThread", Func, 0, "func()"},
+		{"Version", Func, 0, "func() string"},
+	},
+	"runtime/cgo": {
+		{"(Handle).Delete", Method, 17, ""},
+		{"(Handle).Value", Method, 17, ""},
+		{"Handle", Type, 17, ""},
+		{"Incomplete", Type, 20, ""},
+		{"NewHandle", Func, 17, ""},
+	},
+	"runtime/coverage": {
+		{"ClearCounters", Func, 20, "func() error"},
+		{"WriteCounters", Func, 20, "func(w io.Writer) error"},
+		{"WriteCountersDir", Func, 20, "func(dir string) error"},
+		{"WriteMeta", Func, 20, "func(w io.Writer) error"},
+		{"WriteMetaDir", Func, 20, "func(dir string) error"},
+	},
+	"runtime/debug": {
+		{"(*BuildInfo).String", Method, 18, ""},
+		{"BuildInfo", Type, 12, ""},
+		{"BuildInfo.Deps", Field, 12, ""},
+		{"BuildInfo.GoVersion", Field, 18, ""},
+		{"BuildInfo.Main", Field, 12, ""},
+		{"BuildInfo.Path", Field, 12, ""},
+		{"BuildInfo.Settings", Field, 18, ""},
+		{"BuildSetting", Type, 18, ""},
+		{"BuildSetting.Key", Field, 18, ""},
+		{"BuildSetting.Value", Field, 18, ""},
+		{"CrashOptions", Type, 23, ""},
+		{"FreeOSMemory", Func, 1, "func()"},
+		{"GCStats", Type, 1, ""},
+		{"GCStats.LastGC", Field, 1, ""},
+		{"GCStats.NumGC", Field, 1, ""},
+		{"GCStats.Pause", Field, 1, ""},
+		{"GCStats.PauseEnd", Field, 4, ""},
+		{"GCStats.PauseQuantiles", Field, 1, ""},
+		{"GCStats.PauseTotal", Field, 1, ""},
+		{"Module", Type, 12, ""},
+		{"Module.Path", Field, 12, ""},
+		{"Module.Replace", Field, 12, ""},
+		{"Module.Sum", Field, 12, ""},
+		{"Module.Version", Field, 12, ""},
+		{"ParseBuildInfo", Func, 18, "func(data string) (bi *BuildInfo, err error)"},
+		{"PrintStack", Func, 0, "func()"},
+		{"ReadBuildInfo", Func, 12, "func() (info *BuildInfo, ok bool)"},
+		{"ReadGCStats", Func, 1, "func(stats *GCStats)"},
+		{"SetCrashOutput", Func, 23, "func(f *os.File, opts CrashOptions) error"},
+		{"SetGCPercent", Func, 1, "func(percent int) int"},
+		{"SetMaxStack", Func, 2, "func(bytes int) int"},
+		{"SetMaxThreads", Func, 2, "func(threads int) int"},
+		{"SetMemoryLimit", Func, 19, "func(limit int64) int64"},
+		{"SetPanicOnFault", Func, 3, "func(enabled bool) bool"},
+		{"SetTraceback", Func, 6, "func(level string)"},
+		{"Stack", Func, 0, "func() []byte"},
+		{"WriteHeapDump", Func, 3, "func(fd uintptr)"},
+	},
+	"runtime/metrics": {
+		{"(Value).Float64", Method, 16, ""},
+		{"(Value).Float64Histogram", Method, 16, ""},
+		{"(Value).Kind", Method, 16, ""},
+		{"(Value).Uint64", Method, 16, ""},
+		{"All", Func, 16, "func() []Description"},
+		{"Description", Type, 16, ""},
+		{"Description.Cumulative", Field, 16, ""},
+		{"Description.Description", Field, 16, ""},
+		{"Description.Kind", Field, 16, ""},
+		{"Description.Name", Field, 16, ""},
+		{"Float64Histogram", Type, 16, ""},
+		{"Float64Histogram.Buckets", Field, 16, ""},
+		{"Float64Histogram.Counts", Field, 16, ""},
+		{"KindBad", Const, 16, ""},
+		{"KindFloat64", Const, 16, ""},
+		{"KindFloat64Histogram", Const, 16, ""},
+		{"KindUint64", Const, 16, ""},
+		{"Read", Func, 16, "func(m []Sample)"},
+		{"Sample", Type, 16, ""},
+		{"Sample.Name", Field, 16, ""},
+		{"Sample.Value", Field, 16, ""},
+		{"Value", Type, 16, ""},
+		{"ValueKind", Type, 16, ""},
+	},
+	"runtime/pprof": {
+		{"(*Profile).Add", Method, 0, ""},
+		{"(*Profile).Count", Method, 0, ""},
+		{"(*Profile).Name", Method, 0, ""},
+		{"(*Profile).Remove", Method, 0, ""},
+		{"(*Profile).WriteTo", Method, 0, ""},
+		{"Do", Func, 9, "func(ctx context.Context, labels LabelSet, f func(context.Context))"},
+		{"ForLabels", Func, 9, "func(ctx context.Context, f func(key string, value string) bool)"},
+		{"Label", Func, 9, "func(ctx context.Context, key string) (string, bool)"},
+		{"LabelSet", Type, 9, ""},
+		{"Labels", Func, 9, "func(args ...string) LabelSet"},
+		{"Lookup", Func, 0, "func(name string) *Profile"},
+		{"NewProfile", Func, 0, "func(name string) *Profile"},
+		{"Profile", Type, 0, ""},
+		{"Profiles", Func, 0, "func() []*Profile"},
+		{"SetGoroutineLabels", Func, 9, "func(ctx context.Context)"},
+		{"StartCPUProfile", Func, 0, "func(w io.Writer) error"},
+		{"StopCPUProfile", Func, 0, "func()"},
+		{"WithLabels", Func, 9, "func(ctx context.Context, labels LabelSet) context.Context"},
+		{"WriteHeapProfile", Func, 0, "func(w io.Writer) error"},
+	},
+	"runtime/trace": {
+		{"(*FlightRecorder).Enabled", Method, 25, ""},
+		{"(*FlightRecorder).Start", Method, 25, ""},
+		{"(*FlightRecorder).Stop", Method, 25, ""},
+		{"(*FlightRecorder).WriteTo", Method, 25, ""},
+		{"(*Region).End", Method, 11, ""},
+		{"(*Task).End", Method, 11, ""},
+		{"FlightRecorder", Type, 25, ""},
+		{"FlightRecorderConfig", Type, 25, ""},
+		{"FlightRecorderConfig.MaxBytes", Field, 25, ""},
+		{"FlightRecorderConfig.MinAge", Field, 25, ""},
+		{"IsEnabled", Func, 11, "func() bool"},
+		{"Log", Func, 11, "func(ctx context.Context, category string, message string)"},
+		{"Logf", Func, 11, "func(ctx context.Context, category string, format string, args ...any)"},
+		{"NewFlightRecorder", Func, 25, "func(cfg FlightRecorderConfig) *FlightRecorder"},
+		{"NewTask", Func, 11, "func(pctx context.Context, taskType string) (ctx context.Context, task *Task)"},
+		{"Region", Type, 11, ""},
+		{"Start", Func, 5, "func(w io.Writer) error"},
+		{"StartRegion", Func, 11, "func(ctx context.Context, regionType string) *Region"},
+		{"Stop", Func, 5, "func()"},
+		{"Task", Type, 11, ""},
+		{"WithRegion", Func, 11, "func(ctx context.Context, regionType string, fn func())"},
+	},
+	"slices": {
+		{"All", Func, 23, "func[Slice ~[]E, E any](s Slice) iter.Seq2[int, E]"},
+		{"AppendSeq", Func, 23, "func[Slice ~[]E, E any](s Slice, seq iter.Seq[E]) Slice"},
+		{"Backward", Func, 23, "func[Slice ~[]E, E any](s Slice) iter.Seq2[int, E]"},
+		{"BinarySearch", Func, 21, "func[S ~[]E, E cmp.Ordered](x S, target E) (int, bool)"},
+		{"BinarySearchFunc", Func, 21, "func[S ~[]E, E, T any](x S, target T, cmp func(E, T) int) (int, bool)"},
+		{"Chunk", Func, 23, "func[Slice ~[]E, E any](s Slice, n int) iter.Seq[Slice]"},
+		{"Clip", Func, 21, "func[S ~[]E, E any](s S) S"},
+		{"Clone", Func, 21, "func[S ~[]E, E any](s S) S"},
+		{"Collect", Func, 23, "func[E any](seq iter.Seq[E]) []E"},
+		{"Compact", Func, 21, "func[S ~[]E, E comparable](s S) S"},
+		{"CompactFunc", Func, 21, "func[S ~[]E, E any](s S, eq func(E, E) bool) S"},
+		{"Compare", Func, 21, "func[S ~[]E, E cmp.Ordered](s1 S, s2 S) int"},
+		{"CompareFunc", Func, 21, "func[S1 ~[]E1, S2 ~[]E2, E1, E2 any](s1 S1, s2 S2, cmp func(E1, E2) int) int"},
+		{"Concat", Func, 22, "func[S ~[]E, E any](slices ...S) S"},
+		{"Contains", Func, 21, "func[S ~[]E, E comparable](s S, v E) bool"},
+		{"ContainsFunc", Func, 21, "func[S ~[]E, E any](s S, f func(E) bool) bool"},
+		{"Delete", Func, 21, "func[S ~[]E, E any](s S, i int, j int) S"},
+		{"DeleteFunc", Func, 21, "func[S ~[]E, E any](s S, del func(E) bool) S"},
+		{"Equal", Func, 21, "func[S ~[]E, E comparable](s1 S, s2 S) bool"},
+		{"EqualFunc", Func, 21, "func[S1 ~[]E1, S2 ~[]E2, E1, E2 any](s1 S1, s2 S2, eq func(E1, E2) bool) bool"},
+		{"Grow", Func, 21, "func[S ~[]E, E any](s S, n int) S"},
+		{"Index", Func, 21, "func[S ~[]E, E comparable](s S, v E) int"},
+		{"IndexFunc", Func, 21, "func[S ~[]E, E any](s S, f func(E) bool) int"},
+		{"Insert", Func, 21, "func[S ~[]E, E any](s S, i int, v ...E) S"},
+		{"IsSorted", Func, 21, "func[S ~[]E, E cmp.Ordered](x S) bool"},
+		{"IsSortedFunc", Func, 21, "func[S ~[]E, E any](x S, cmp func(a E, b E) int) bool"},
+		{"Max", Func, 21, "func[S ~[]E, E cmp.Ordered](x S) E"},
+		{"MaxFunc", Func, 21, "func[S ~[]E, E any](x S, cmp func(a E, b E) int) E"},
+		{"Min", Func, 21, "func[S ~[]E, E cmp.Ordered](x S) E"},
+		{"MinFunc", Func, 21, "func[S ~[]E, E any](x S, cmp func(a E, b E) int) E"},
+		{"Repeat", Func, 23, "func[S ~[]E, E any](x S, count int) S"},
+		{"Replace", Func, 21, "func[S ~[]E, E any](s S, i int, j int, v ...E) S"},
+		{"Reverse", Func, 21, "func[S ~[]E, E any](s S)"},
+		{"Sort", Func, 21, "func[S ~[]E, E cmp.Ordered](x S)"},
+		{"SortFunc", Func, 21, "func[S ~[]E, E any](x S, cmp func(a E, b E) int)"},
+		{"SortStableFunc", Func, 21, "func[S ~[]E, E any](x S, cmp func(a E, b E) int)"},
+		{"Sorted", Func, 23, "func[E cmp.Ordered](seq iter.Seq[E]) []E"},
+		{"SortedFunc", Func, 23, "func[E any](seq iter.Seq[E], cmp func(E, E) int) []E"},
+		{"SortedStableFunc", Func, 23, "func[E any](seq iter.Seq[E], cmp func(E, E) int) []E"},
+		{"Values", Func, 23, "func[Slice ~[]E, E any](s Slice) iter.Seq[E]"},
+	},
+	"sort": {
+		{"(Float64Slice).Len", Method, 0, ""},
+		{"(Float64Slice).Less", Method, 0, ""},
+		{"(Float64Slice).Search", Method, 0, ""},
+		{"(Float64Slice).Sort", Method, 0, ""},
+		{"(Float64Slice).Swap", Method, 0, ""},
+		{"(IntSlice).Len", Method, 0, ""},
+		{"(IntSlice).Less", Method, 0, ""},
+		{"(IntSlice).Search", Method, 0, ""},
+		{"(IntSlice).Sort", Method, 0, ""},
+		{"(IntSlice).Swap", Method, 0, ""},
+		{"(Interface).Len", Method, 0, ""},
+		{"(Interface).Less", Method, 0, ""},
+		{"(Interface).Swap", Method, 0, ""},
+		{"(StringSlice).Len", Method, 0, ""},
+		{"(StringSlice).Less", Method, 0, ""},
+		{"(StringSlice).Search", Method, 0, ""},
+		{"(StringSlice).Sort", Method, 0, ""},
+		{"(StringSlice).Swap", Method, 0, ""},
+		{"Find", Func, 19, "func(n int, cmp func(int) int) (i int, found bool)"},
+		{"Float64Slice", Type, 0, ""},
+		{"Float64s", Func, 0, "func(x []float64)"},
+		{"Float64sAreSorted", Func, 0, "func(x []float64) bool"},
+		{"IntSlice", Type, 0, ""},
+		{"Interface", Type, 0, ""},
+		{"Ints", Func, 0, "func(x []int)"},
+		{"IntsAreSorted", Func, 0, "func(x []int) bool"},
+		{"IsSorted", Func, 0, "func(data Interface) bool"},
+		{"Reverse", Func, 1, "func(data Interface) Interface"},
+		{"Search", Func, 0, "func(n int, f func(int) bool) int"},
+		{"SearchFloat64s", Func, 0, "func(a []float64, x float64) int"},
+		{"SearchInts", Func, 0, "func(a []int, x int) int"},
+		{"SearchStrings", Func, 0, "func(a []string, x string) int"},
+		{"Slice", Func, 8, "func(x any, less func(i int, j int) bool)"},
+		{"SliceIsSorted", Func, 8, "func(x any, less func(i int, j int) bool) bool"},
+		{"SliceStable", Func, 8, "func(x any, less func(i int, j int) bool)"},
+		{"Sort", Func, 0, "func(data Interface)"},
+		{"Stable", Func, 2, "func(data Interface)"},
+		{"StringSlice", Type, 0, ""},
+		{"Strings", Func, 0, "func(x []string)"},
+		{"StringsAreSorted", Func, 0, "func(x []string) bool"},
+	},
+	"strconv": {
+		{"(*NumError).Error", Method, 0, ""},
+		{"(*NumError).Unwrap", Method, 14, ""},
+		{"AppendBool", Func, 0, "func(dst []byte, b bool) []byte"},
+		{"AppendFloat", Func, 0, "func(dst []byte, f float64, fmt byte, prec int, bitSize int) []byte"},
+		{"AppendInt", Func, 0, "func(dst []byte, i int64, base int) []byte"},
+		{"AppendQuote", Func, 0, "func(dst []byte, s string) []byte"},
+		{"AppendQuoteRune", Func, 0, "func(dst []byte, r rune) []byte"},
+		{"AppendQuoteRuneToASCII", Func, 0, "func(dst []byte, r rune) []byte"},
+		{"AppendQuoteRuneToGraphic", Func, 6, "func(dst []byte, r rune) []byte"},
+		{"AppendQuoteToASCII", Func, 0, "func(dst []byte, s string) []byte"},
+		{"AppendQuoteToGraphic", Func, 6, "func(dst []byte, s string) []byte"},
+		{"AppendUint", Func, 0, "func(dst []byte, i uint64, base int) []byte"},
+		{"Atoi", Func, 0, "func(s string) (int, error)"},
+		{"CanBackquote", Func, 0, "func(s string) bool"},
+		{"ErrRange", Var, 0, ""},
+		{"ErrSyntax", Var, 0, ""},
+		{"FormatBool", Func, 0, "func(b bool) string"},
+		{"FormatComplex", Func, 15, "func(c complex128, fmt byte, prec int, bitSize int) string"},
+		{"FormatFloat", Func, 0, "func(f float64, fmt byte, prec int, bitSize int) string"},
+		{"FormatInt", Func, 0, "func(i int64, base int) string"},
+		{"FormatUint", Func, 0, "func(i uint64, base int) string"},
+		{"IntSize", Const, 0, ""},
+		{"IsGraphic", Func, 6, "func(r rune) bool"},
+		{"IsPrint", Func, 0, "func(r rune) bool"},
+		{"Itoa", Func, 0, "func(i int) string"},
+		{"NumError", Type, 0, ""},
+		{"NumError.Err", Field, 0, ""},
+		{"NumError.Func", Field, 0, ""},
+		{"NumError.Num", Field, 0, ""},
+		{"ParseBool", Func, 0, "func(str string) (bool, error)"},
+		{"ParseComplex", Func, 15, "func(s string, bitSize int) (complex128, error)"},
+		{"ParseFloat", Func, 0, "func(s string, bitSize int) (float64, error)"},
+		{"ParseInt", Func, 0, "func(s string, base int, bitSize int) (i int64, err error)"},
+		{"ParseUint", Func, 0, "func(s string, base int, bitSize int) (uint64, error)"},
+		{"Quote", Func, 0, "func(s string) string"},
+		{"QuoteRune", Func, 0, "func(r rune) string"},
+		{"QuoteRuneToASCII", Func, 0, "func(r rune) string"},
+		{"QuoteRuneToGraphic", Func, 6, "func(r rune) string"},
+		{"QuoteToASCII", Func, 0, "func(s string) string"},
+		{"QuoteToGraphic", Func, 6, "func(s string) string"},
+		{"QuotedPrefix", Func, 17, "func(s string) (string, error)"},
+		{"Unquote", Func, 0, "func(s string) (string, error)"},
+		{"UnquoteChar", Func, 0, "func(s string, quote byte) (value rune, multibyte bool, tail string, err error)"},
+	},
+	"strings": {
+		{"(*Builder).Cap", Method, 12, ""},
+		{"(*Builder).Grow", Method, 10, ""},
+		{"(*Builder).Len", Method, 10, ""},
+		{"(*Builder).Reset", Method, 10, ""},
+		{"(*Builder).String", Method, 10, ""},
+		{"(*Builder).Write", Method, 10, ""},
+		{"(*Builder).WriteByte", Method, 10, ""},
+		{"(*Builder).WriteRune", Method, 10, ""},
+		{"(*Builder).WriteString", Method, 10, ""},
+		{"(*Reader).Len", Method, 0, ""},
+		{"(*Reader).Read", Method, 0, ""},
+		{"(*Reader).ReadAt", Method, 0, ""},
+		{"(*Reader).ReadByte", Method, 0, ""},
+		{"(*Reader).ReadRune", Method, 0, ""},
+		{"(*Reader).Reset", Method, 7, ""},
+		{"(*Reader).Seek", Method, 0, ""},
+		{"(*Reader).Size", Method, 5, ""},
+		{"(*Reader).UnreadByte", Method, 0, ""},
+		{"(*Reader).UnreadRune", Method, 0, ""},
+		{"(*Reader).WriteTo", Method, 1, ""},
+		{"(*Replacer).Replace", Method, 0, ""},
+		{"(*Replacer).WriteString", Method, 0, ""},
+		{"Builder", Type, 10, ""},
+		{"Clone", Func, 18, "func(s string) string"},
+		{"Compare", Func, 5, "func(a string, b string) int"},
+		{"Contains", Func, 0, "func(s string, substr string) bool"},
+		{"ContainsAny", Func, 0, "func(s string, chars string) bool"},
+		{"ContainsFunc", Func, 21, "func(s string, f func(rune) bool) bool"},
+		{"ContainsRune", Func, 0, "func(s string, r rune) bool"},
+		{"Count", Func, 0, "func(s string, substr string) int"},
+		{"Cut", Func, 18, "func(s string, sep string) (before string, after string, found bool)"},
+		{"CutPrefix", Func, 20, "func(s string, prefix string) (after string, found bool)"},
+		{"CutSuffix", Func, 20, "func(s string, suffix string) (before string, found bool)"},
+		{"EqualFold", Func, 0, "func(s string, t string) bool"},
+		{"Fields", Func, 0, "func(s string) []string"},
+		{"FieldsFunc", Func, 0, "func(s string, f func(rune) bool) []string"},
+		{"FieldsFuncSeq", Func, 24, "func(s string, f func(rune) bool) iter.Seq[string]"},
+		{"FieldsSeq", Func, 24, "func(s string) iter.Seq[string]"},
+		{"HasPrefix", Func, 0, "func(s string, prefix string) bool"},
+		{"HasSuffix", Func, 0, "func(s string, suffix string) bool"},
+		{"Index", Func, 0, "func(s string, substr string) int"},
+		{"IndexAny", Func, 0, "func(s string, chars string) int"},
+		{"IndexByte", Func, 2, "func(s string, c byte) int"},
+		{"IndexFunc", Func, 0, "func(s string, f func(rune) bool) int"},
+		{"IndexRune", Func, 0, "func(s string, r rune) int"},
+		{"Join", Func, 0, "func(elems []string, sep string) string"},
+		{"LastIndex", Func, 0, "func(s string, substr string) int"},
+		{"LastIndexAny", Func, 0, "func(s string, chars string) int"},
+		{"LastIndexByte", Func, 5, "func(s string, c byte) int"},
+		{"LastIndexFunc", Func, 0, "func(s string, f func(rune) bool) int"},
+		{"Lines", Func, 24, "func(s string) iter.Seq[string]"},
+		{"Map", Func, 0, "func(mapping func(rune) rune, s string) string"},
+		{"NewReader", Func, 0, "func(s string) *Reader"},
+		{"NewReplacer", Func, 0, "func(oldnew ...string) *Replacer"},
+		{"Reader", Type, 0, ""},
+		{"Repeat", Func, 0, "func(s string, count int) string"},
+		{"Replace", Func, 0, "func(s string, old string, new string, n int) string"},
+		{"ReplaceAll", Func, 12, "func(s string, old string, new string) string"},
+		{"Replacer", Type, 0, ""},
+		{"Split", Func, 0, "func(s string, sep string) []string"},
+		{"SplitAfter", Func, 0, "func(s string, sep string) []string"},
+		{"SplitAfterN", Func, 0, "func(s string, sep string, n int) []string"},
+		{"SplitAfterSeq", Func, 24, "func(s string, sep string) iter.Seq[string]"},
+		{"SplitN", Func, 0, "func(s string, sep string, n int) []string"},
+		{"SplitSeq", Func, 24, "func(s string, sep string) iter.Seq[string]"},
+		{"Title", Func, 0, "func(s string) string"},
+		{"ToLower", Func, 0, "func(s string) string"},
+		{"ToLowerSpecial", Func, 0, "func(c unicode.SpecialCase, s string) string"},
+		{"ToTitle", Func, 0, "func(s string) string"},
+		{"ToTitleSpecial", Func, 0, "func(c unicode.SpecialCase, s string) string"},
+		{"ToUpper", Func, 0, "func(s string) string"},
+		{"ToUpperSpecial", Func, 0, "func(c unicode.SpecialCase, s string) string"},
+		{"ToValidUTF8", Func, 13, "func(s string, replacement string) string"},
+		{"Trim", Func, 0, "func(s string, cutset string) string"},
+		{"TrimFunc", Func, 0, "func(s string, f func(rune) bool) string"},
+		{"TrimLeft", Func, 0, "func(s string, cutset string) string"},
+		{"TrimLeftFunc", Func, 0, "func(s string, f func(rune) bool) string"},
+		{"TrimPrefix", Func, 1, "func(s string, prefix string) string"},
+		{"TrimRight", Func, 0, "func(s string, cutset string) string"},
+		{"TrimRightFunc", Func, 0, "func(s string, f func(rune) bool) string"},
+		{"TrimSpace", Func, 0, "func(s string) string"},
+		{"TrimSuffix", Func, 1, "func(s string, suffix string) string"},
+	},
+	"structs": {
+		{"HostLayout", Type, 23, ""},
+	},
+	"sync": {
+		{"(*Cond).Broadcast", Method, 0, ""},
+		{"(*Cond).Signal", Method, 0, ""},
+		{"(*Cond).Wait", Method, 0, ""},
+		{"(*Map).Clear", Method, 23, ""},
+		{"(*Map).CompareAndDelete", Method, 20, ""},
+		{"(*Map).CompareAndSwap", Method, 20, ""},
+		{"(*Map).Delete", Method, 9, ""},
+		{"(*Map).Load", Method, 9, ""},
+		{"(*Map).LoadAndDelete", Method, 15, ""},
+		{"(*Map).LoadOrStore", Method, 9, ""},
+		{"(*Map).Range", Method, 9, ""},
+		{"(*Map).Store", Method, 9, ""},
+		{"(*Map).Swap", Method, 20, ""},
+		{"(*Mutex).Lock", Method, 0, ""},
+		{"(*Mutex).TryLock", Method, 18, ""},
+		{"(*Mutex).Unlock", Method, 0, ""},
+		{"(*Once).Do", Method, 0, ""},
+		{"(*Pool).Get", Method, 3, ""},
+		{"(*Pool).Put", Method, 3, ""},
+		{"(*RWMutex).Lock", Method, 0, ""},
+		{"(*RWMutex).RLock", Method, 0, ""},
+		{"(*RWMutex).RLocker", Method, 0, ""},
+		{"(*RWMutex).RUnlock", Method, 0, ""},
+		{"(*RWMutex).TryLock", Method, 18, ""},
+		{"(*RWMutex).TryRLock", Method, 18, ""},
+		{"(*RWMutex).Unlock", Method, 0, ""},
+		{"(*WaitGroup).Add", Method, 0, ""},
+		{"(*WaitGroup).Done", Method, 0, ""},
+		{"(*WaitGroup).Go", Method, 25, ""},
+		{"(*WaitGroup).Wait", Method, 0, ""},
+		{"(Locker).Lock", Method, 0, ""},
+		{"(Locker).Unlock", Method, 0, ""},
+		{"Cond", Type, 0, ""},
+		{"Cond.L", Field, 0, ""},
+		{"Locker", Type, 0, ""},
+		{"Map", Type, 9, ""},
+		{"Mutex", Type, 0, ""},
+		{"NewCond", Func, 0, "func(l Locker) *Cond"},
+		{"Once", Type, 0, ""},
+		{"OnceFunc", Func, 21, "func(f func()) func()"},
+		{"OnceValue", Func, 21, "func[T any](f func() T) func() T"},
+		{"OnceValues", Func, 21, "func[T1, T2 any](f func() (T1, T2)) func() (T1, T2)"},
+		{"Pool", Type, 3, ""},
+		{"Pool.New", Field, 3, ""},
+		{"RWMutex", Type, 0, ""},
+		{"WaitGroup", Type, 0, ""},
+	},
+	"sync/atomic": {
+		{"(*Bool).CompareAndSwap", Method, 19, ""},
+		{"(*Bool).Load", Method, 19, ""},
+		{"(*Bool).Store", Method, 19, ""},
+		{"(*Bool).Swap", Method, 19, ""},
+		{"(*Int32).Add", Method, 19, ""},
+		{"(*Int32).And", Method, 23, ""},
+		{"(*Int32).CompareAndSwap", Method, 19, ""},
+		{"(*Int32).Load", Method, 19, ""},
+		{"(*Int32).Or", Method, 23, ""},
+		{"(*Int32).Store", Method, 19, ""},
+		{"(*Int32).Swap", Method, 19, ""},
+		{"(*Int64).Add", Method, 19, ""},
+		{"(*Int64).And", Method, 23, ""},
+		{"(*Int64).CompareAndSwap", Method, 19, ""},
+		{"(*Int64).Load", Method, 19, ""},
+		{"(*Int64).Or", Method, 23, ""},
+		{"(*Int64).Store", Method, 19, ""},
+		{"(*Int64).Swap", Method, 19, ""},
+		{"(*Pointer).CompareAndSwap", Method, 19, ""},
+		{"(*Pointer).Load", Method, 19, ""},
+		{"(*Pointer).Store", Method, 19, ""},
+		{"(*Pointer).Swap", Method, 19, ""},
+		{"(*Uint32).Add", Method, 19, ""},
+		{"(*Uint32).And", Method, 23, ""},
+		{"(*Uint32).CompareAndSwap", Method, 19, ""},
+		{"(*Uint32).Load", Method, 19, ""},
+		{"(*Uint32).Or", Method, 23, ""},
+		{"(*Uint32).Store", Method, 19, ""},
+		{"(*Uint32).Swap", Method, 19, ""},
+		{"(*Uint64).Add", Method, 19, ""},
+		{"(*Uint64).And", Method, 23, ""},
+		{"(*Uint64).CompareAndSwap", Method, 19, ""},
+		{"(*Uint64).Load", Method, 19, ""},
+		{"(*Uint64).Or", Method, 23, ""},
+		{"(*Uint64).Store", Method, 19, ""},
+		{"(*Uint64).Swap", Method, 19, ""},
+		{"(*Uintptr).Add", Method, 19, ""},
+		{"(*Uintptr).And", Method, 23, ""},
+		{"(*Uintptr).CompareAndSwap", Method, 19, ""},
+		{"(*Uintptr).Load", Method, 19, ""},
+		{"(*Uintptr).Or", Method, 23, ""},
+		{"(*Uintptr).Store", Method, 19, ""},
+		{"(*Uintptr).Swap", Method, 19, ""},
+		{"(*Value).CompareAndSwap", Method, 17, ""},
+		{"(*Value).Load", Method, 4, ""},
+		{"(*Value).Store", Method, 4, ""},
+		{"(*Value).Swap", Method, 17, ""},
+		{"AddInt32", Func, 0, "func(addr *int32, delta int32) (new int32)"},
+		{"AddInt64", Func, 0, "func(addr *int64, delta int64) (new int64)"},
+		{"AddUint32", Func, 0, "func(addr *uint32, delta uint32) (new uint32)"},
+		{"AddUint64", Func, 0, "func(addr *uint64, delta uint64) (new uint64)"},
+		{"AddUintptr", Func, 0, "func(addr *uintptr, delta uintptr) (new uintptr)"},
+		{"AndInt32", Func, 23, "func(addr *int32, mask int32) (old int32)"},
+		{"AndInt64", Func, 23, "func(addr *int64, mask int64) (old int64)"},
+		{"AndUint32", Func, 23, "func(addr *uint32, mask uint32) (old uint32)"},
+		{"AndUint64", Func, 23, "func(addr *uint64, mask uint64) (old uint64)"},
+		{"AndUintptr", Func, 23, "func(addr *uintptr, mask uintptr) (old uintptr)"},
+		{"Bool", Type, 19, ""},
+		{"CompareAndSwapInt32", Func, 0, "func(addr *int32, old int32, new int32) (swapped bool)"},
+		{"CompareAndSwapInt64", Func, 0, "func(addr *int64, old int64, new int64) (swapped bool)"},
+		{"CompareAndSwapPointer", Func, 0, "func(addr *unsafe.Pointer, old unsafe.Pointer, new unsafe.Pointer) (swapped bool)"},
+		{"CompareAndSwapUint32", Func, 0, "func(addr *uint32, old uint32, new uint32) (swapped bool)"},
+		{"CompareAndSwapUint64", Func, 0, "func(addr *uint64, old uint64, new uint64) (swapped bool)"},
+		{"CompareAndSwapUintptr", Func, 0, "func(addr *uintptr, old uintptr, new uintptr) (swapped bool)"},
+		{"Int32", Type, 19, ""},
+		{"Int64", Type, 19, ""},
+		{"LoadInt32", Func, 0, "func(addr *int32) (val int32)"},
+		{"LoadInt64", Func, 0, "func(addr *int64) (val int64)"},
+		{"LoadPointer", Func, 0, "func(addr *unsafe.Pointer) (val unsafe.Pointer)"},
+		{"LoadUint32", Func, 0, "func(addr *uint32) (val uint32)"},
+		{"LoadUint64", Func, 0, "func(addr *uint64) (val uint64)"},
+		{"LoadUintptr", Func, 0, "func(addr *uintptr) (val uintptr)"},
+		{"OrInt32", Func, 23, "func(addr *int32, mask int32) (old int32)"},
+		{"OrInt64", Func, 23, "func(addr *int64, mask int64) (old int64)"},
+		{"OrUint32", Func, 23, "func(addr *uint32, mask uint32) (old uint32)"},
+		{"OrUint64", Func, 23, "func(addr *uint64, mask uint64) (old uint64)"},
+		{"OrUintptr", Func, 23, "func(addr *uintptr, mask uintptr) (old uintptr)"},
+		{"Pointer", Type, 19, ""},
+		{"StoreInt32", Func, 0, "func(addr *int32, val int32)"},
+		{"StoreInt64", Func, 0, "func(addr *int64, val int64)"},
+		{"StorePointer", Func, 0, "func(addr *unsafe.Pointer, val unsafe.Pointer)"},
+		{"StoreUint32", Func, 0, "func(addr *uint32, val uint32)"},
+		{"StoreUint64", Func, 0, "func(addr *uint64, val uint64)"},
+		{"StoreUintptr", Func, 0, "func(addr *uintptr, val uintptr)"},
+		{"SwapInt32", Func, 2, "func(addr *int32, new int32) (old int32)"},
+		{"SwapInt64", Func, 2, "func(addr *int64, new int64) (old int64)"},
+		{"SwapPointer", Func, 2, "func(addr *unsafe.Pointer, new unsafe.Pointer) (old unsafe.Pointer)"},
+		{"SwapUint32", Func, 2, "func(addr *uint32, new uint32) (old uint32)"},
+		{"SwapUint64", Func, 2, "func(addr *uint64, new uint64) (old uint64)"},
+		{"SwapUintptr", Func, 2, "func(addr *uintptr, new uintptr) (old uintptr)"},
+		{"Uint32", Type, 19, ""},
+		{"Uint64", Type, 19, ""},
+		{"Uintptr", Type, 19, ""},
+		{"Value", Type, 4, ""},
+	},
+	"syscall": {
+		{"(*Cmsghdr).SetLen", Method, 0, ""},
+		{"(*DLL).FindProc", Method, 0, ""},
+		{"(*DLL).MustFindProc", Method, 0, ""},
+		{"(*DLL).Release", Method, 0, ""},
+		{"(*DLLError).Error", Method, 0, ""},
+		{"(*DLLError).Unwrap", Method, 16, ""},
+		{"(*Filetime).Nanoseconds", Method, 0, ""},
+		{"(*Iovec).SetLen", Method, 0, ""},
+		{"(*LazyDLL).Handle", Method, 0, ""},
+		{"(*LazyDLL).Load", Method, 0, ""},
+		{"(*LazyDLL).NewProc", Method, 0, ""},
+		{"(*LazyProc).Addr", Method, 0, ""},
+		{"(*LazyProc).Call", Method, 0, ""},
+		{"(*LazyProc).Find", Method, 0, ""},
+		{"(*Msghdr).SetControllen", Method, 0, ""},
+		{"(*Proc).Addr", Method, 0, ""},
+		{"(*Proc).Call", Method, 0, ""},
+		{"(*PtraceRegs).PC", Method, 0, ""},
+		{"(*PtraceRegs).SetPC", Method, 0, ""},
+		{"(*RawSockaddrAny).Sockaddr", Method, 0, ""},
+		{"(*SID).Copy", Method, 0, ""},
+		{"(*SID).Len", Method, 0, ""},
+		{"(*SID).LookupAccount", Method, 0, ""},
+		{"(*SID).String", Method, 0, ""},
+		{"(*Timespec).Nano", Method, 0, ""},
+		{"(*Timespec).Unix", Method, 0, ""},
+		{"(*Timeval).Nano", Method, 0, ""},
+		{"(*Timeval).Nanoseconds", Method, 0, ""},
+		{"(*Timeval).Unix", Method, 0, ""},
+		{"(Conn).SyscallConn", Method, 9, ""},
+		{"(Errno).Error", Method, 0, ""},
+		{"(Errno).Is", Method, 13, ""},
+		{"(Errno).Temporary", Method, 0, ""},
+		{"(Errno).Timeout", Method, 0, ""},
+		{"(RawConn).Control", Method, 9, ""},
+		{"(RawConn).Read", Method, 9, ""},
+		{"(RawConn).Write", Method, 9, ""},
+		{"(Signal).Signal", Method, 0, ""},
+		{"(Signal).String", Method, 0, ""},
+		{"(Token).Close", Method, 0, ""},
+		{"(Token).GetTokenPrimaryGroup", Method, 0, ""},
+		{"(Token).GetTokenUser", Method, 0, ""},
+		{"(Token).GetUserProfileDirectory", Method, 0, ""},
+		{"(WaitStatus).Continued", Method, 0, ""},
+		{"(WaitStatus).CoreDump", Method, 0, ""},
+		{"(WaitStatus).ExitStatus", Method, 0, ""},
+		{"(WaitStatus).Exited", Method, 0, ""},
+		{"(WaitStatus).Signal", Method, 0, ""},
+		{"(WaitStatus).Signaled", Method, 0, ""},
+		{"(WaitStatus).StopSignal", Method, 0, ""},
+		{"(WaitStatus).Stopped", Method, 0, ""},
+		{"(WaitStatus).TrapCause", Method, 0, ""},
+		{"AF_ALG", Const, 0, ""},
+		{"AF_APPLETALK", Const, 0, ""},
+		{"AF_ARP", Const, 0, ""},
+		{"AF_ASH", Const, 0, ""},
+		{"AF_ATM", Const, 0, ""},
+		{"AF_ATMPVC", Const, 0, ""},
+		{"AF_ATMSVC", Const, 0, ""},
+		{"AF_AX25", Const, 0, ""},
+		{"AF_BLUETOOTH", Const, 0, ""},
+		{"AF_BRIDGE", Const, 0, ""},
+		{"AF_CAIF", Const, 0, ""},
+		{"AF_CAN", Const, 0, ""},
+		{"AF_CCITT", Const, 0, ""},
+		{"AF_CHAOS", Const, 0, ""},
+		{"AF_CNT", Const, 0, ""},
+		{"AF_COIP", Const, 0, ""},
+		{"AF_DATAKIT", Const, 0, ""},
+		{"AF_DECnet", Const, 0, ""},
+		{"AF_DLI", Const, 0, ""},
+		{"AF_E164", Const, 0, ""},
+		{"AF_ECMA", Const, 0, ""},
+		{"AF_ECONET", Const, 0, ""},
+		{"AF_ENCAP", Const, 1, ""},
+		{"AF_FILE", Const, 0, ""},
+		{"AF_HYLINK", Const, 0, ""},
+		{"AF_IEEE80211", Const, 0, ""},
+		{"AF_IEEE802154", Const, 0, ""},
+		{"AF_IMPLINK", Const, 0, ""},
+		{"AF_INET", Const, 0, ""},
+		{"AF_INET6", Const, 0, ""},
+		{"AF_INET6_SDP", Const, 3, ""},
+		{"AF_INET_SDP", Const, 3, ""},
+		{"AF_IPX", Const, 0, ""},
+		{"AF_IRDA", Const, 0, ""},
+		{"AF_ISDN", Const, 0, ""},
+		{"AF_ISO", Const, 0, ""},
+		{"AF_IUCV", Const, 0, ""},
+		{"AF_KEY", Const, 0, ""},
+		{"AF_LAT", Const, 0, ""},
+		{"AF_LINK", Const, 0, ""},
+		{"AF_LLC", Const, 0, ""},
+		{"AF_LOCAL", Const, 0, ""},
+		{"AF_MAX", Const, 0, ""},
+		{"AF_MPLS", Const, 1, ""},
+		{"AF_NATM", Const, 0, ""},
+		{"AF_NDRV", Const, 0, ""},
+		{"AF_NETBEUI", Const, 0, ""},
+		{"AF_NETBIOS", Const, 0, ""},
+		{"AF_NETGRAPH", Const, 0, ""},
+		{"AF_NETLINK", Const, 0, ""},
+		{"AF_NETROM", Const, 0, ""},
+		{"AF_NS", Const, 0, ""},
+		{"AF_OROUTE", Const, 1, ""},
+		{"AF_OSI", Const, 0, ""},
+		{"AF_PACKET", Const, 0, ""},
+		{"AF_PHONET", Const, 0, ""},
+		{"AF_PPP", Const, 0, ""},
+		{"AF_PPPOX", Const, 0, ""},
+		{"AF_PUP", Const, 0, ""},
+		{"AF_RDS", Const, 0, ""},
+		{"AF_RESERVED_36", Const, 0, ""},
+		{"AF_ROSE", Const, 0, ""},
+		{"AF_ROUTE", Const, 0, ""},
+		{"AF_RXRPC", Const, 0, ""},
+		{"AF_SCLUSTER", Const, 0, ""},
+		{"AF_SECURITY", Const, 0, ""},
+		{"AF_SIP", Const, 0, ""},
+		{"AF_SLOW", Const, 0, ""},
+		{"AF_SNA", Const, 0, ""},
+		{"AF_SYSTEM", Const, 0, ""},
+		{"AF_TIPC", Const, 0, ""},
+		{"AF_UNIX", Const, 0, ""},
+		{"AF_UNSPEC", Const, 0, ""},
+		{"AF_UTUN", Const, 16, ""},
+		{"AF_VENDOR00", Const, 0, ""},
+		{"AF_VENDOR01", Const, 0, ""},
+		{"AF_VENDOR02", Const, 0, ""},
+		{"AF_VENDOR03", Const, 0, ""},
+		{"AF_VENDOR04", Const, 0, ""},
+		{"AF_VENDOR05", Const, 0, ""},
+		{"AF_VENDOR06", Const, 0, ""},
+		{"AF_VENDOR07", Const, 0, ""},
+		{"AF_VENDOR08", Const, 0, ""},
+		{"AF_VENDOR09", Const, 0, ""},
+		{"AF_VENDOR10", Const, 0, ""},
+		{"AF_VENDOR11", Const, 0, ""},
+		{"AF_VENDOR12", Const, 0, ""},
+		{"AF_VENDOR13", Const, 0, ""},
+		{"AF_VENDOR14", Const, 0, ""},
+		{"AF_VENDOR15", Const, 0, ""},
+		{"AF_VENDOR16", Const, 0, ""},
+		{"AF_VENDOR17", Const, 0, ""},
+		{"AF_VENDOR18", Const, 0, ""},
+		{"AF_VENDOR19", Const, 0, ""},
+		{"AF_VENDOR20", Const, 0, ""},
+		{"AF_VENDOR21", Const, 0, ""},
+		{"AF_VENDOR22", Const, 0, ""},
+		{"AF_VENDOR23", Const, 0, ""},
+		{"AF_VENDOR24", Const, 0, ""},
+		{"AF_VENDOR25", Const, 0, ""},
+		{"AF_VENDOR26", Const, 0, ""},
+		{"AF_VENDOR27", Const, 0, ""},
+		{"AF_VENDOR28", Const, 0, ""},
+		{"AF_VENDOR29", Const, 0, ""},
+		{"AF_VENDOR30", Const, 0, ""},
+		{"AF_VENDOR31", Const, 0, ""},
+		{"AF_VENDOR32", Const, 0, ""},
+		{"AF_VENDOR33", Const, 0, ""},
+		{"AF_VENDOR34", Const, 0, ""},
+		{"AF_VENDOR35", Const, 0, ""},
+		{"AF_VENDOR36", Const, 0, ""},
+		{"AF_VENDOR37", Const, 0, ""},
+		{"AF_VENDOR38", Const, 0, ""},
+		{"AF_VENDOR39", Const, 0, ""},
+		{"AF_VENDOR40", Const, 0, ""},
+		{"AF_VENDOR41", Const, 0, ""},
+		{"AF_VENDOR42", Const, 0, ""},
+		{"AF_VENDOR43", Const, 0, ""},
+		{"AF_VENDOR44", Const, 0, ""},
+		{"AF_VENDOR45", Const, 0, ""},
+		{"AF_VENDOR46", Const, 0, ""},
+		{"AF_VENDOR47", Const, 0, ""},
+		{"AF_WANPIPE", Const, 0, ""},
+		{"AF_X25", Const, 0, ""},
+		{"AI_CANONNAME", Const, 1, ""},
+		{"AI_NUMERICHOST", Const, 1, ""},
+		{"AI_PASSIVE", Const, 1, ""},
+		{"APPLICATION_ERROR", Const, 0, ""},
+		{"ARPHRD_ADAPT", Const, 0, ""},
+		{"ARPHRD_APPLETLK", Const, 0, ""},
+		{"ARPHRD_ARCNET", Const, 0, ""},
+		{"ARPHRD_ASH", Const, 0, ""},
+		{"ARPHRD_ATM", Const, 0, ""},
+		{"ARPHRD_AX25", Const, 0, ""},
+		{"ARPHRD_BIF", Const, 0, ""},
+		{"ARPHRD_CHAOS", Const, 0, ""},
+		{"ARPHRD_CISCO", Const, 0, ""},
+		{"ARPHRD_CSLIP", Const, 0, ""},
+		{"ARPHRD_CSLIP6", Const, 0, ""},
+		{"ARPHRD_DDCMP", Const, 0, ""},
+		{"ARPHRD_DLCI", Const, 0, ""},
+		{"ARPHRD_ECONET", Const, 0, ""},
+		{"ARPHRD_EETHER", Const, 0, ""},
+		{"ARPHRD_ETHER", Const, 0, ""},
+		{"ARPHRD_EUI64", Const, 0, ""},
+		{"ARPHRD_FCAL", Const, 0, ""},
+		{"ARPHRD_FCFABRIC", Const, 0, ""},
+		{"ARPHRD_FCPL", Const, 0, ""},
+		{"ARPHRD_FCPP", Const, 0, ""},
+		{"ARPHRD_FDDI", Const, 0, ""},
+		{"ARPHRD_FRAD", Const, 0, ""},
+		{"ARPHRD_FRELAY", Const, 1, ""},
+		{"ARPHRD_HDLC", Const, 0, ""},
+		{"ARPHRD_HIPPI", Const, 0, ""},
+		{"ARPHRD_HWX25", Const, 0, ""},
+		{"ARPHRD_IEEE1394", Const, 0, ""},
+		{"ARPHRD_IEEE802", Const, 0, ""},
+		{"ARPHRD_IEEE80211", Const, 0, ""},
+		{"ARPHRD_IEEE80211_PRISM", Const, 0, ""},
+		{"ARPHRD_IEEE80211_RADIOTAP", Const, 0, ""},
+		{"ARPHRD_IEEE802154", Const, 0, ""},
+		{"ARPHRD_IEEE802154_PHY", Const, 0, ""},
+		{"ARPHRD_IEEE802_TR", Const, 0, ""},
+		{"ARPHRD_INFINIBAND", Const, 0, ""},
+		{"ARPHRD_IPDDP", Const, 0, ""},
+		{"ARPHRD_IPGRE", Const, 0, ""},
+		{"ARPHRD_IRDA", Const, 0, ""},
+		{"ARPHRD_LAPB", Const, 0, ""},
+		{"ARPHRD_LOCALTLK", Const, 0, ""},
+		{"ARPHRD_LOOPBACK", Const, 0, ""},
+		{"ARPHRD_METRICOM", Const, 0, ""},
+		{"ARPHRD_NETROM", Const, 0, ""},
+		{"ARPHRD_NONE", Const, 0, ""},
+		{"ARPHRD_PIMREG", Const, 0, ""},
+		{"ARPHRD_PPP", Const, 0, ""},
+		{"ARPHRD_PRONET", Const, 0, ""},
+		{"ARPHRD_RAWHDLC", Const, 0, ""},
+		{"ARPHRD_ROSE", Const, 0, ""},
+		{"ARPHRD_RSRVD", Const, 0, ""},
+		{"ARPHRD_SIT", Const, 0, ""},
+		{"ARPHRD_SKIP", Const, 0, ""},
+		{"ARPHRD_SLIP", Const, 0, ""},
+		{"ARPHRD_SLIP6", Const, 0, ""},
+		{"ARPHRD_STRIP", Const, 1, ""},
+		{"ARPHRD_TUNNEL", Const, 0, ""},
+		{"ARPHRD_TUNNEL6", Const, 0, ""},
+		{"ARPHRD_VOID", Const, 0, ""},
+		{"ARPHRD_X25", Const, 0, ""},
+		{"AUTHTYPE_CLIENT", Const, 0, ""},
+		{"AUTHTYPE_SERVER", Const, 0, ""},
+		{"Accept", Func, 0, "func(fd int) (nfd int, sa Sockaddr, err error)"},
+		{"Accept4", Func, 1, "func(fd int, flags int) (nfd int, sa Sockaddr, err error)"},
+		{"AcceptEx", Func, 0, ""},
+		{"Access", Func, 0, "func(path string, mode uint32) (err error)"},
+		{"Acct", Func, 0, "func(path string) (err error)"},
+		{"AddrinfoW", Type, 1, ""},
+		{"AddrinfoW.Addr", Field, 1, ""},
+		{"AddrinfoW.Addrlen", Field, 1, ""},
+		{"AddrinfoW.Canonname", Field, 1, ""},
+		{"AddrinfoW.Family", Field, 1, ""},
+		{"AddrinfoW.Flags", Field, 1, ""},
+		{"AddrinfoW.Next", Field, 1, ""},
+		{"AddrinfoW.Protocol", Field, 1, ""},
+		{"AddrinfoW.Socktype", Field, 1, ""},
+		{"Adjtime", Func, 0, ""},
+		{"Adjtimex", Func, 0, "func(buf *Timex) (state int, err error)"},
+		{"AllThreadsSyscall", Func, 16, "func(trap uintptr, a1 uintptr, a2 uintptr, a3 uintptr) (r1 uintptr, r2 uintptr, err Errno)"},
+		{"AllThreadsSyscall6", Func, 16, "func(trap uintptr, a1 uintptr, a2 uintptr, a3 uintptr, a4 uintptr, a5 uintptr, a6 uintptr) (r1 uintptr, r2 uintptr, err Errno)"},
+		{"AttachLsf", Func, 0, "func(fd int, i []SockFilter) error"},
+		{"B0", Const, 0, ""},
+		{"B1000000", Const, 0, ""},
+		{"B110", Const, 0, ""},
+		{"B115200", Const, 0, ""},
+		{"B1152000", Const, 0, ""},
+		{"B1200", Const, 0, ""},
+		{"B134", Const, 0, ""},
+		{"B14400", Const, 1, ""},
+		{"B150", Const, 0, ""},
+		{"B1500000", Const, 0, ""},
+		{"B1800", Const, 0, ""},
+		{"B19200", Const, 0, ""},
+		{"B200", Const, 0, ""},
+		{"B2000000", Const, 0, ""},
+		{"B230400", Const, 0, ""},
+		{"B2400", Const, 0, ""},
+		{"B2500000", Const, 0, ""},
+		{"B28800", Const, 1, ""},
+		{"B300", Const, 0, ""},
+		{"B3000000", Const, 0, ""},
+		{"B3500000", Const, 0, ""},
+		{"B38400", Const, 0, ""},
+		{"B4000000", Const, 0, ""},
+		{"B460800", Const, 0, ""},
+		{"B4800", Const, 0, ""},
+		{"B50", Const, 0, ""},
+		{"B500000", Const, 0, ""},
+		{"B57600", Const, 0, ""},
+		{"B576000", Const, 0, ""},
+		{"B600", Const, 0, ""},
+		{"B7200", Const, 1, ""},
+		{"B75", Const, 0, ""},
+		{"B76800", Const, 1, ""},
+		{"B921600", Const, 0, ""},
+		{"B9600", Const, 0, ""},
+		{"BASE_PROTOCOL", Const, 2, ""},
+		{"BIOCFEEDBACK", Const, 0, ""},
+		{"BIOCFLUSH", Const, 0, ""},
+		{"BIOCGBLEN", Const, 0, ""},
+		{"BIOCGDIRECTION", Const, 0, ""},
+		{"BIOCGDIRFILT", Const, 1, ""},
+		{"BIOCGDLT", Const, 0, ""},
+		{"BIOCGDLTLIST", Const, 0, ""},
+		{"BIOCGETBUFMODE", Const, 0, ""},
+		{"BIOCGETIF", Const, 0, ""},
+		{"BIOCGETZMAX", Const, 0, ""},
+		{"BIOCGFEEDBACK", Const, 1, ""},
+		{"BIOCGFILDROP", Const, 1, ""},
+		{"BIOCGHDRCMPLT", Const, 0, ""},
+		{"BIOCGRSIG", Const, 0, ""},
+		{"BIOCGRTIMEOUT", Const, 0, ""},
+		{"BIOCGSEESENT", Const, 0, ""},
+		{"BIOCGSTATS", Const, 0, ""},
+		{"BIOCGSTATSOLD", Const, 1, ""},
+		{"BIOCGTSTAMP", Const, 1, ""},
+		{"BIOCIMMEDIATE", Const, 0, ""},
+		{"BIOCLOCK", Const, 0, ""},
+		{"BIOCPROMISC", Const, 0, ""},
+		{"BIOCROTZBUF", Const, 0, ""},
+		{"BIOCSBLEN", Const, 0, ""},
+		{"BIOCSDIRECTION", Const, 0, ""},
+		{"BIOCSDIRFILT", Const, 1, ""},
+		{"BIOCSDLT", Const, 0, ""},
+		{"BIOCSETBUFMODE", Const, 0, ""},
+		{"BIOCSETF", Const, 0, ""},
+		{"BIOCSETFNR", Const, 0, ""},
+		{"BIOCSETIF", Const, 0, ""},
+		{"BIOCSETWF", Const, 0, ""},
+		{"BIOCSETZBUF", Const, 0, ""},
+		{"BIOCSFEEDBACK", Const, 1, ""},
+		{"BIOCSFILDROP", Const, 1, ""},
+		{"BIOCSHDRCMPLT", Const, 0, ""},
+		{"BIOCSRSIG", Const, 0, ""},
+		{"BIOCSRTIMEOUT", Const, 0, ""},
+		{"BIOCSSEESENT", Const, 0, ""},
+		{"BIOCSTCPF", Const, 1, ""},
+		{"BIOCSTSTAMP", Const, 1, ""},
+		{"BIOCSUDPF", Const, 1, ""},
+		{"BIOCVERSION", Const, 0, ""},
+		{"BPF_A", Const, 0, ""},
+		{"BPF_ABS", Const, 0, ""},
+		{"BPF_ADD", Const, 0, ""},
+		{"BPF_ALIGNMENT", Const, 0, ""},
+		{"BPF_ALIGNMENT32", Const, 1, ""},
+		{"BPF_ALU", Const, 0, ""},
+		{"BPF_AND", Const, 0, ""},
+		{"BPF_B", Const, 0, ""},
+		{"BPF_BUFMODE_BUFFER", Const, 0, ""},
+		{"BPF_BUFMODE_ZBUF", Const, 0, ""},
+		{"BPF_DFLTBUFSIZE", Const, 1, ""},
+		{"BPF_DIRECTION_IN", Const, 1, ""},
+		{"BPF_DIRECTION_OUT", Const, 1, ""},
+		{"BPF_DIV", Const, 0, ""},
+		{"BPF_H", Const, 0, ""},
+		{"BPF_IMM", Const, 0, ""},
+		{"BPF_IND", Const, 0, ""},
+		{"BPF_JA", Const, 0, ""},
+		{"BPF_JEQ", Const, 0, ""},
+		{"BPF_JGE", Const, 0, ""},
+		{"BPF_JGT", Const, 0, ""},
+		{"BPF_JMP", Const, 0, ""},
+		{"BPF_JSET", Const, 0, ""},
+		{"BPF_K", Const, 0, ""},
+		{"BPF_LD", Const, 0, ""},
+		{"BPF_LDX", Const, 0, ""},
+		{"BPF_LEN", Const, 0, ""},
+		{"BPF_LSH", Const, 0, ""},
+		{"BPF_MAJOR_VERSION", Const, 0, ""},
+		{"BPF_MAXBUFSIZE", Const, 0, ""},
+		{"BPF_MAXINSNS", Const, 0, ""},
+		{"BPF_MEM", Const, 0, ""},
+		{"BPF_MEMWORDS", Const, 0, ""},
+		{"BPF_MINBUFSIZE", Const, 0, ""},
+		{"BPF_MINOR_VERSION", Const, 0, ""},
+		{"BPF_MISC", Const, 0, ""},
+		{"BPF_MSH", Const, 0, ""},
+		{"BPF_MUL", Const, 0, ""},
+		{"BPF_NEG", Const, 0, ""},
+		{"BPF_OR", Const, 0, ""},
+		{"BPF_RELEASE", Const, 0, ""},
+		{"BPF_RET", Const, 0, ""},
+		{"BPF_RSH", Const, 0, ""},
+		{"BPF_ST", Const, 0, ""},
+		{"BPF_STX", Const, 0, ""},
+		{"BPF_SUB", Const, 0, ""},
+		{"BPF_TAX", Const, 0, ""},
+		{"BPF_TXA", Const, 0, ""},
+		{"BPF_T_BINTIME", Const, 1, ""},
+		{"BPF_T_BINTIME_FAST", Const, 1, ""},
+		{"BPF_T_BINTIME_MONOTONIC", Const, 1, ""},
+		{"BPF_T_BINTIME_MONOTONIC_FAST", Const, 1, ""},
+		{"BPF_T_FAST", Const, 1, ""},
+		{"BPF_T_FLAG_MASK", Const, 1, ""},
+		{"BPF_T_FORMAT_MASK", Const, 1, ""},
+		{"BPF_T_MICROTIME", Const, 1, ""},
+		{"BPF_T_MICROTIME_FAST", Const, 1, ""},
+		{"BPF_T_MICROTIME_MONOTONIC", Const, 1, ""},
+		{"BPF_T_MICROTIME_MONOTONIC_FAST", Const, 1, ""},
+		{"BPF_T_MONOTONIC", Const, 1, ""},
+		{"BPF_T_MONOTONIC_FAST", Const, 1, ""},
+		{"BPF_T_NANOTIME", Const, 1, ""},
+		{"BPF_T_NANOTIME_FAST", Const, 1, ""},
+		{"BPF_T_NANOTIME_MONOTONIC", Const, 1, ""},
+		{"BPF_T_NANOTIME_MONOTONIC_FAST", Const, 1, ""},
+		{"BPF_T_NONE", Const, 1, ""},
+		{"BPF_T_NORMAL", Const, 1, ""},
+		{"BPF_W", Const, 0, ""},
+		{"BPF_X", Const, 0, ""},
+		{"BRKINT", Const, 0, ""},
+		{"Bind", Func, 0, "func(fd int, sa Sockaddr) (err error)"},
+		{"BindToDevice", Func, 0, "func(fd int, device string) (err error)"},
+		{"BpfBuflen", Func, 0, ""},
+		{"BpfDatalink", Func, 0, ""},
+		{"BpfHdr", Type, 0, ""},
+		{"BpfHdr.Caplen", Field, 0, ""},
+		{"BpfHdr.Datalen", Field, 0, ""},
+		{"BpfHdr.Hdrlen", Field, 0, ""},
+		{"BpfHdr.Pad_cgo_0", Field, 0, ""},
+		{"BpfHdr.Tstamp", Field, 0, ""},
+		{"BpfHeadercmpl", Func, 0, ""},
+		{"BpfInsn", Type, 0, ""},
+		{"BpfInsn.Code", Field, 0, ""},
+		{"BpfInsn.Jf", Field, 0, ""},
+		{"BpfInsn.Jt", Field, 0, ""},
+		{"BpfInsn.K", Field, 0, ""},
+		{"BpfInterface", Func, 0, ""},
+		{"BpfJump", Func, 0, ""},
+		{"BpfProgram", Type, 0, ""},
+		{"BpfProgram.Insns", Field, 0, ""},
+		{"BpfProgram.Len", Field, 0, ""},
+		{"BpfProgram.Pad_cgo_0", Field, 0, ""},
+		{"BpfStat", Type, 0, ""},
+		{"BpfStat.Capt", Field, 2, ""},
+		{"BpfStat.Drop", Field, 0, ""},
+		{"BpfStat.Padding", Field, 2, ""},
+		{"BpfStat.Recv", Field, 0, ""},
+		{"BpfStats", Func, 0, ""},
+		{"BpfStmt", Func, 0, ""},
+		{"BpfTimeout", Func, 0, ""},
+		{"BpfTimeval", Type, 2, ""},
+		{"BpfTimeval.Sec", Field, 2, ""},
+		{"BpfTimeval.Usec", Field, 2, ""},
+		{"BpfVersion", Type, 0, ""},
+		{"BpfVersion.Major", Field, 0, ""},
+		{"BpfVersion.Minor", Field, 0, ""},
+		{"BpfZbuf", Type, 0, ""},
+		{"BpfZbuf.Bufa", Field, 0, ""},
+		{"BpfZbuf.Bufb", Field, 0, ""},
+		{"BpfZbuf.Buflen", Field, 0, ""},
+		{"BpfZbufHeader", Type, 0, ""},
+		{"BpfZbufHeader.Kernel_gen", Field, 0, ""},
+		{"BpfZbufHeader.Kernel_len", Field, 0, ""},
+		{"BpfZbufHeader.User_gen", Field, 0, ""},
+		{"BpfZbufHeader.X_bzh_pad", Field, 0, ""},
+		{"ByHandleFileInformation", Type, 0, ""},
+		{"ByHandleFileInformation.CreationTime", Field, 0, ""},
+		{"ByHandleFileInformation.FileAttributes", Field, 0, ""},
+		{"ByHandleFileInformation.FileIndexHigh", Field, 0, ""},
+		{"ByHandleFileInformation.FileIndexLow", Field, 0, ""},
+		{"ByHandleFileInformation.FileSizeHigh", Field, 0, ""},
+		{"ByHandleFileInformation.FileSizeLow", Field, 0, ""},
+		{"ByHandleFileInformation.LastAccessTime", Field, 0, ""},
+		{"ByHandleFileInformation.LastWriteTime", Field, 0, ""},
+		{"ByHandleFileInformation.NumberOfLinks", Field, 0, ""},
+		{"ByHandleFileInformation.VolumeSerialNumber", Field, 0, ""},
+		{"BytePtrFromString", Func, 1, "func(s string) (*byte, error)"},
+		{"ByteSliceFromString", Func, 1, "func(s string) ([]byte, error)"},
+		{"CCR0_FLUSH", Const, 1, ""},
+		{"CERT_CHAIN_POLICY_AUTHENTICODE", Const, 0, ""},
+		{"CERT_CHAIN_POLICY_AUTHENTICODE_TS", Const, 0, ""},
+		{"CERT_CHAIN_POLICY_BASE", Const, 0, ""},
+		{"CERT_CHAIN_POLICY_BASIC_CONSTRAINTS", Const, 0, ""},
+		{"CERT_CHAIN_POLICY_EV", Const, 0, ""},
+		{"CERT_CHAIN_POLICY_MICROSOFT_ROOT", Const, 0, ""},
+		{"CERT_CHAIN_POLICY_NT_AUTH", Const, 0, ""},
+		{"CERT_CHAIN_POLICY_SSL", Const, 0, ""},
+		{"CERT_E_CN_NO_MATCH", Const, 0, ""},
+		{"CERT_E_EXPIRED", Const, 0, ""},
+		{"CERT_E_PURPOSE", Const, 0, ""},
+		{"CERT_E_ROLE", Const, 0, ""},
+		{"CERT_E_UNTRUSTEDROOT", Const, 0, ""},
+		{"CERT_STORE_ADD_ALWAYS", Const, 0, ""},
+		{"CERT_STORE_DEFER_CLOSE_UNTIL_LAST_FREE_FLAG", Const, 0, ""},
+		{"CERT_STORE_PROV_MEMORY", Const, 0, ""},
+		{"CERT_TRUST_HAS_EXCLUDED_NAME_CONSTRAINT", Const, 0, ""},
+		{"CERT_TRUST_HAS_NOT_DEFINED_NAME_CONSTRAINT", Const, 0, ""},
+		{"CERT_TRUST_HAS_NOT_PERMITTED_NAME_CONSTRAINT", Const, 0, ""},
+		{"CERT_TRUST_HAS_NOT_SUPPORTED_CRITICAL_EXT", Const, 0, ""},
+		{"CERT_TRUST_HAS_NOT_SUPPORTED_NAME_CONSTRAINT", Const, 0, ""},
+		{"CERT_TRUST_INVALID_BASIC_CONSTRAINTS", Const, 0, ""},
+		{"CERT_TRUST_INVALID_EXTENSION", Const, 0, ""},
+		{"CERT_TRUST_INVALID_NAME_CONSTRAINTS", Const, 0, ""},
+		{"CERT_TRUST_INVALID_POLICY_CONSTRAINTS", Const, 0, ""},
+		{"CERT_TRUST_IS_CYCLIC", Const, 0, ""},
+		{"CERT_TRUST_IS_EXPLICIT_DISTRUST", Const, 0, ""},
+		{"CERT_TRUST_IS_NOT_SIGNATURE_VALID", Const, 0, ""},
+		{"CERT_TRUST_IS_NOT_TIME_VALID", Const, 0, ""},
+		{"CERT_TRUST_IS_NOT_VALID_FOR_USAGE", Const, 0, ""},
+		{"CERT_TRUST_IS_OFFLINE_REVOCATION", Const, 0, ""},
+		{"CERT_TRUST_IS_REVOKED", Const, 0, ""},
+		{"CERT_TRUST_IS_UNTRUSTED_ROOT", Const, 0, ""},
+		{"CERT_TRUST_NO_ERROR", Const, 0, ""},
+		{"CERT_TRUST_NO_ISSUANCE_CHAIN_POLICY", Const, 0, ""},
+		{"CERT_TRUST_REVOCATION_STATUS_UNKNOWN", Const, 0, ""},
+		{"CFLUSH", Const, 1, ""},
+		{"CLOCAL", Const, 0, ""},
+		{"CLONE_CHILD_CLEARTID", Const, 2, ""},
+		{"CLONE_CHILD_SETTID", Const, 2, ""},
+		{"CLONE_CLEAR_SIGHAND", Const, 20, ""},
+		{"CLONE_CSIGNAL", Const, 3, ""},
+		{"CLONE_DETACHED", Const, 2, ""},
+		{"CLONE_FILES", Const, 2, ""},
+		{"CLONE_FS", Const, 2, ""},
+		{"CLONE_INTO_CGROUP", Const, 20, ""},
+		{"CLONE_IO", Const, 2, ""},
+		{"CLONE_NEWCGROUP", Const, 20, ""},
+		{"CLONE_NEWIPC", Const, 2, ""},
+		{"CLONE_NEWNET", Const, 2, ""},
+		{"CLONE_NEWNS", Const, 2, ""},
+		{"CLONE_NEWPID", Const, 2, ""},
+		{"CLONE_NEWTIME", Const, 20, ""},
+		{"CLONE_NEWUSER", Const, 2, ""},
+		{"CLONE_NEWUTS", Const, 2, ""},
+		{"CLONE_PARENT", Const, 2, ""},
+		{"CLONE_PARENT_SETTID", Const, 2, ""},
+		{"CLONE_PID", Const, 3, ""},
+		{"CLONE_PIDFD", Const, 20, ""},
+		{"CLONE_PTRACE", Const, 2, ""},
+		{"CLONE_SETTLS", Const, 2, ""},
+		{"CLONE_SIGHAND", Const, 2, ""},
+		{"CLONE_SYSVSEM", Const, 2, ""},
+		{"CLONE_THREAD", Const, 2, ""},
+		{"CLONE_UNTRACED", Const, 2, ""},
+		{"CLONE_VFORK", Const, 2, ""},
+		{"CLONE_VM", Const, 2, ""},
+		{"CPUID_CFLUSH", Const, 1, ""},
+		{"CREAD", Const, 0, ""},
+		{"CREATE_ALWAYS", Const, 0, ""},
+		{"CREATE_NEW", Const, 0, ""},
+		{"CREATE_NEW_PROCESS_GROUP", Const, 1, ""},
+		{"CREATE_UNICODE_ENVIRONMENT", Const, 0, ""},
+		{"CRYPT_DEFAULT_CONTAINER_OPTIONAL", Const, 0, ""},
+		{"CRYPT_DELETEKEYSET", Const, 0, ""},
+		{"CRYPT_MACHINE_KEYSET", Const, 0, ""},
+		{"CRYPT_NEWKEYSET", Const, 0, ""},
+		{"CRYPT_SILENT", Const, 0, ""},
+		{"CRYPT_VERIFYCONTEXT", Const, 0, ""},
+		{"CS5", Const, 0, ""},
+		{"CS6", Const, 0, ""},
+		{"CS7", Const, 0, ""},
+		{"CS8", Const, 0, ""},
+		{"CSIZE", Const, 0, ""},
+		{"CSTART", Const, 1, ""},
+		{"CSTATUS", Const, 1, ""},
+		{"CSTOP", Const, 1, ""},
+		{"CSTOPB", Const, 0, ""},
+		{"CSUSP", Const, 1, ""},
+		{"CTL_MAXNAME", Const, 0, ""},
+		{"CTL_NET", Const, 0, ""},
+		{"CTL_QUERY", Const, 1, ""},
+		{"CTRL_BREAK_EVENT", Const, 1, ""},
+		{"CTRL_CLOSE_EVENT", Const, 14, ""},
+		{"CTRL_C_EVENT", Const, 1, ""},
+		{"CTRL_LOGOFF_EVENT", Const, 14, ""},
+		{"CTRL_SHUTDOWN_EVENT", Const, 14, ""},
+		{"CancelIo", Func, 0, ""},
+		{"CancelIoEx", Func, 1, ""},
+		{"CertAddCertificateContextToStore", Func, 0, ""},
+		{"CertChainContext", Type, 0, ""},
+		{"CertChainContext.ChainCount", Field, 0, ""},
+		{"CertChainContext.Chains", Field, 0, ""},
+		{"CertChainContext.HasRevocationFreshnessTime", Field, 0, ""},
+		{"CertChainContext.LowerQualityChainCount", Field, 0, ""},
+		{"CertChainContext.LowerQualityChains", Field, 0, ""},
+		{"CertChainContext.RevocationFreshnessTime", Field, 0, ""},
+		{"CertChainContext.Size", Field, 0, ""},
+		{"CertChainContext.TrustStatus", Field, 0, ""},
+		{"CertChainElement", Type, 0, ""},
+		{"CertChainElement.ApplicationUsage", Field, 0, ""},
+		{"CertChainElement.CertContext", Field, 0, ""},
+		{"CertChainElement.ExtendedErrorInfo", Field, 0, ""},
+		{"CertChainElement.IssuanceUsage", Field, 0, ""},
+		{"CertChainElement.RevocationInfo", Field, 0, ""},
+		{"CertChainElement.Size", Field, 0, ""},
+		{"CertChainElement.TrustStatus", Field, 0, ""},
+		{"CertChainPara", Type, 0, ""},
+		{"CertChainPara.CacheResync", Field, 0, ""},
+		{"CertChainPara.CheckRevocationFreshnessTime", Field, 0, ""},
+		{"CertChainPara.RequestedUsage", Field, 0, ""},
+		{"CertChainPara.RequstedIssuancePolicy", Field, 0, ""},
+		{"CertChainPara.RevocationFreshnessTime", Field, 0, ""},
+		{"CertChainPara.Size", Field, 0, ""},
+		{"CertChainPara.URLRetrievalTimeout", Field, 0, ""},
+		{"CertChainPolicyPara", Type, 0, ""},
+		{"CertChainPolicyPara.ExtraPolicyPara", Field, 0, ""},
+		{"CertChainPolicyPara.Flags", Field, 0, ""},
+		{"CertChainPolicyPara.Size", Field, 0, ""},
+		{"CertChainPolicyStatus", Type, 0, ""},
+		{"CertChainPolicyStatus.ChainIndex", Field, 0, ""},
+		{"CertChainPolicyStatus.ElementIndex", Field, 0, ""},
+		{"CertChainPolicyStatus.Error", Field, 0, ""},
+		{"CertChainPolicyStatus.ExtraPolicyStatus", Field, 0, ""},
+		{"CertChainPolicyStatus.Size", Field, 0, ""},
+		{"CertCloseStore", Func, 0, ""},
+		{"CertContext", Type, 0, ""},
+		{"CertContext.CertInfo", Field, 0, ""},
+		{"CertContext.EncodedCert", Field, 0, ""},
+		{"CertContext.EncodingType", Field, 0, ""},
+		{"CertContext.Length", Field, 0, ""},
+		{"CertContext.Store", Field, 0, ""},
+		{"CertCreateCertificateContext", Func, 0, ""},
+		{"CertEnhKeyUsage", Type, 0, ""},
+		{"CertEnhKeyUsage.Length", Field, 0, ""},
+		{"CertEnhKeyUsage.UsageIdentifiers", Field, 0, ""},
+		{"CertEnumCertificatesInStore", Func, 0, ""},
+		{"CertFreeCertificateChain", Func, 0, ""},
+		{"CertFreeCertificateContext", Func, 0, ""},
+		{"CertGetCertificateChain", Func, 0, ""},
+		{"CertInfo", Type, 11, ""},
+		{"CertOpenStore", Func, 0, ""},
+		{"CertOpenSystemStore", Func, 0, ""},
+		{"CertRevocationCrlInfo", Type, 11, ""},
+		{"CertRevocationInfo", Type, 0, ""},
+		{"CertRevocationInfo.CrlInfo", Field, 0, ""},
+		{"CertRevocationInfo.FreshnessTime", Field, 0, ""},
+		{"CertRevocationInfo.HasFreshnessTime", Field, 0, ""},
+		{"CertRevocationInfo.OidSpecificInfo", Field, 0, ""},
+		{"CertRevocationInfo.RevocationOid", Field, 0, ""},
+		{"CertRevocationInfo.RevocationResult", Field, 0, ""},
+		{"CertRevocationInfo.Size", Field, 0, ""},
+		{"CertSimpleChain", Type, 0, ""},
+		{"CertSimpleChain.Elements", Field, 0, ""},
+		{"CertSimpleChain.HasRevocationFreshnessTime", Field, 0, ""},
+		{"CertSimpleChain.NumElements", Field, 0, ""},
+		{"CertSimpleChain.RevocationFreshnessTime", Field, 0, ""},
+		{"CertSimpleChain.Size", Field, 0, ""},
+		{"CertSimpleChain.TrustListInfo", Field, 0, ""},
+		{"CertSimpleChain.TrustStatus", Field, 0, ""},
+		{"CertTrustListInfo", Type, 11, ""},
+		{"CertTrustStatus", Type, 0, ""},
+		{"CertTrustStatus.ErrorStatus", Field, 0, ""},
+		{"CertTrustStatus.InfoStatus", Field, 0, ""},
+		{"CertUsageMatch", Type, 0, ""},
+		{"CertUsageMatch.Type", Field, 0, ""},
+		{"CertUsageMatch.Usage", Field, 0, ""},
+		{"CertVerifyCertificateChainPolicy", Func, 0, ""},
+		{"Chdir", Func, 0, "func(path string) (err error)"},
+		{"CheckBpfVersion", Func, 0, ""},
+		{"Chflags", Func, 0, ""},
+		{"Chmod", Func, 0, "func(path string, mode uint32) (err error)"},
+		{"Chown", Func, 0, "func(path string, uid int, gid int) (err error)"},
+		{"Chroot", Func, 0, "func(path string) (err error)"},
+		{"Clearenv", Func, 0, "func()"},
+		{"Close", Func, 0, "func(fd int) (err error)"},
+		{"CloseHandle", Func, 0, ""},
+		{"CloseOnExec", Func, 0, "func(fd int)"},
+		{"Closesocket", Func, 0, ""},
+		{"CmsgLen", Func, 0, "func(datalen int) int"},
+		{"CmsgSpace", Func, 0, "func(datalen int) int"},
+		{"Cmsghdr", Type, 0, ""},
+		{"Cmsghdr.Len", Field, 0, ""},
+		{"Cmsghdr.Level", Field, 0, ""},
+		{"Cmsghdr.Type", Field, 0, ""},
+		{"Cmsghdr.X__cmsg_data", Field, 0, ""},
+		{"CommandLineToArgv", Func, 0, ""},
+		{"ComputerName", Func, 0, ""},
+		{"Conn", Type, 9, ""},
+		{"Connect", Func, 0, "func(fd int, sa Sockaddr) (err error)"},
+		{"ConnectEx", Func, 1, ""},
+		{"ConvertSidToStringSid", Func, 0, ""},
+		{"ConvertStringSidToSid", Func, 0, ""},
+		{"CopySid", Func, 0, ""},
+		{"Creat", Func, 0, "func(path string, mode uint32) (fd int, err error)"},
+		{"CreateDirectory", Func, 0, ""},
+		{"CreateFile", Func, 0, ""},
+		{"CreateFileMapping", Func, 0, ""},
+		{"CreateHardLink", Func, 4, ""},
+		{"CreateIoCompletionPort", Func, 0, ""},
+		{"CreatePipe", Func, 0, ""},
+		{"CreateProcess", Func, 0, ""},
+		{"CreateProcessAsUser", Func, 10, ""},
+		{"CreateSymbolicLink", Func, 4, ""},
+		{"CreateToolhelp32Snapshot", Func, 4, ""},
+		{"Credential", Type, 0, ""},
+		{"Credential.Gid", Field, 0, ""},
+		{"Credential.Groups", Field, 0, ""},
+		{"Credential.NoSetGroups", Field, 9, ""},
+		{"Credential.Uid", Field, 0, ""},
+		{"CryptAcquireContext", Func, 0, ""},
+		{"CryptGenRandom", Func, 0, ""},
+		{"CryptReleaseContext", Func, 0, ""},
+		{"DIOCBSFLUSH", Const, 1, ""},
+		{"DIOCOSFPFLUSH", Const, 1, ""},
+		{"DLL", Type, 0, ""},
+		{"DLL.Handle", Field, 0, ""},
+		{"DLL.Name", Field, 0, ""},
+		{"DLLError", Type, 0, ""},
+		{"DLLError.Err", Field, 0, ""},
+		{"DLLError.Msg", Field, 0, ""},
+		{"DLLError.ObjName", Field, 0, ""},
+		{"DLT_A429", Const, 0, ""},
+		{"DLT_A653_ICM", Const, 0, ""},
+		{"DLT_AIRONET_HEADER", Const, 0, ""},
+		{"DLT_AOS", Const, 1, ""},
+		{"DLT_APPLE_IP_OVER_IEEE1394", Const, 0, ""},
+		{"DLT_ARCNET", Const, 0, ""},
+		{"DLT_ARCNET_LINUX", Const, 0, ""},
+		{"DLT_ATM_CLIP", Const, 0, ""},
+		{"DLT_ATM_RFC1483", Const, 0, ""},
+		{"DLT_AURORA", Const, 0, ""},
+		{"DLT_AX25", Const, 0, ""},
+		{"DLT_AX25_KISS", Const, 0, ""},
+		{"DLT_BACNET_MS_TP", Const, 0, ""},
+		{"DLT_BLUETOOTH_HCI_H4", Const, 0, ""},
+		{"DLT_BLUETOOTH_HCI_H4_WITH_PHDR", Const, 0, ""},
+		{"DLT_CAN20B", Const, 0, ""},
+		{"DLT_CAN_SOCKETCAN", Const, 1, ""},
+		{"DLT_CHAOS", Const, 0, ""},
+		{"DLT_CHDLC", Const, 0, ""},
+		{"DLT_CISCO_IOS", Const, 0, ""},
+		{"DLT_C_HDLC", Const, 0, ""},
+		{"DLT_C_HDLC_WITH_DIR", Const, 0, ""},
+		{"DLT_DBUS", Const, 1, ""},
+		{"DLT_DECT", Const, 1, ""},
+		{"DLT_DOCSIS", Const, 0, ""},
+		{"DLT_DVB_CI", Const, 1, ""},
+		{"DLT_ECONET", Const, 0, ""},
+		{"DLT_EN10MB", Const, 0, ""},
+		{"DLT_EN3MB", Const, 0, ""},
+		{"DLT_ENC", Const, 0, ""},
+		{"DLT_ERF", Const, 0, ""},
+		{"DLT_ERF_ETH", Const, 0, ""},
+		{"DLT_ERF_POS", Const, 0, ""},
+		{"DLT_FC_2", Const, 1, ""},
+		{"DLT_FC_2_WITH_FRAME_DELIMS", Const, 1, ""},
+		{"DLT_FDDI", Const, 0, ""},
+		{"DLT_FLEXRAY", Const, 0, ""},
+		{"DLT_FRELAY", Const, 0, ""},
+		{"DLT_FRELAY_WITH_DIR", Const, 0, ""},
+		{"DLT_GCOM_SERIAL", Const, 0, ""},
+		{"DLT_GCOM_T1E1", Const, 0, ""},
+		{"DLT_GPF_F", Const, 0, ""},
+		{"DLT_GPF_T", Const, 0, ""},
+		{"DLT_GPRS_LLC", Const, 0, ""},
+		{"DLT_GSMTAP_ABIS", Const, 1, ""},
+		{"DLT_GSMTAP_UM", Const, 1, ""},
+		{"DLT_HDLC", Const, 1, ""},
+		{"DLT_HHDLC", Const, 0, ""},
+		{"DLT_HIPPI", Const, 1, ""},
+		{"DLT_IBM_SN", Const, 0, ""},
+		{"DLT_IBM_SP", Const, 0, ""},
+		{"DLT_IEEE802", Const, 0, ""},
+		{"DLT_IEEE802_11", Const, 0, ""},
+		{"DLT_IEEE802_11_RADIO", Const, 0, ""},
+		{"DLT_IEEE802_11_RADIO_AVS", Const, 0, ""},
+		{"DLT_IEEE802_15_4", Const, 0, ""},
+		{"DLT_IEEE802_15_4_LINUX", Const, 0, ""},
+		{"DLT_IEEE802_15_4_NOFCS", Const, 1, ""},
+		{"DLT_IEEE802_15_4_NONASK_PHY", Const, 0, ""},
+		{"DLT_IEEE802_16_MAC_CPS", Const, 0, ""},
+		{"DLT_IEEE802_16_MAC_CPS_RADIO", Const, 0, ""},
+		{"DLT_IPFILTER", Const, 0, ""},
+		{"DLT_IPMB", Const, 0, ""},
+		{"DLT_IPMB_LINUX", Const, 0, ""},
+		{"DLT_IPNET", Const, 1, ""},
+		{"DLT_IPOIB", Const, 1, ""},
+		{"DLT_IPV4", Const, 1, ""},
+		{"DLT_IPV6", Const, 1, ""},
+		{"DLT_IP_OVER_FC", Const, 0, ""},
+		{"DLT_JUNIPER_ATM1", Const, 0, ""},
+		{"DLT_JUNIPER_ATM2", Const, 0, ""},
+		{"DLT_JUNIPER_ATM_CEMIC", Const, 1, ""},
+		{"DLT_JUNIPER_CHDLC", Const, 0, ""},
+		{"DLT_JUNIPER_ES", Const, 0, ""},
+		{"DLT_JUNIPER_ETHER", Const, 0, ""},
+		{"DLT_JUNIPER_FIBRECHANNEL", Const, 1, ""},
+		{"DLT_JUNIPER_FRELAY", Const, 0, ""},
+		{"DLT_JUNIPER_GGSN", Const, 0, ""},
+		{"DLT_JUNIPER_ISM", Const, 0, ""},
+		{"DLT_JUNIPER_MFR", Const, 0, ""},
+		{"DLT_JUNIPER_MLFR", Const, 0, ""},
+		{"DLT_JUNIPER_MLPPP", Const, 0, ""},
+		{"DLT_JUNIPER_MONITOR", Const, 0, ""},
+		{"DLT_JUNIPER_PIC_PEER", Const, 0, ""},
+		{"DLT_JUNIPER_PPP", Const, 0, ""},
+		{"DLT_JUNIPER_PPPOE", Const, 0, ""},
+		{"DLT_JUNIPER_PPPOE_ATM", Const, 0, ""},
+		{"DLT_JUNIPER_SERVICES", Const, 0, ""},
+		{"DLT_JUNIPER_SRX_E2E", Const, 1, ""},
+		{"DLT_JUNIPER_ST", Const, 0, ""},
+		{"DLT_JUNIPER_VP", Const, 0, ""},
+		{"DLT_JUNIPER_VS", Const, 1, ""},
+		{"DLT_LAPB_WITH_DIR", Const, 0, ""},
+		{"DLT_LAPD", Const, 0, ""},
+		{"DLT_LIN", Const, 0, ""},
+		{"DLT_LINUX_EVDEV", Const, 1, ""},
+		{"DLT_LINUX_IRDA", Const, 0, ""},
+		{"DLT_LINUX_LAPD", Const, 0, ""},
+		{"DLT_LINUX_PPP_WITHDIRECTION", Const, 0, ""},
+		{"DLT_LINUX_SLL", Const, 0, ""},
+		{"DLT_LOOP", Const, 0, ""},
+		{"DLT_LTALK", Const, 0, ""},
+		{"DLT_MATCHING_MAX", Const, 1, ""},
+		{"DLT_MATCHING_MIN", Const, 1, ""},
+		{"DLT_MFR", Const, 0, ""},
+		{"DLT_MOST", Const, 0, ""},
+		{"DLT_MPEG_2_TS", Const, 1, ""},
+		{"DLT_MPLS", Const, 1, ""},
+		{"DLT_MTP2", Const, 0, ""},
+		{"DLT_MTP2_WITH_PHDR", Const, 0, ""},
+		{"DLT_MTP3", Const, 0, ""},
+		{"DLT_MUX27010", Const, 1, ""},
+		{"DLT_NETANALYZER", Const, 1, ""},
+		{"DLT_NETANALYZER_TRANSPARENT", Const, 1, ""},
+		{"DLT_NFC_LLCP", Const, 1, ""},
+		{"DLT_NFLOG", Const, 1, ""},
+		{"DLT_NG40", Const, 1, ""},
+		{"DLT_NULL", Const, 0, ""},
+		{"DLT_PCI_EXP", Const, 0, ""},
+		{"DLT_PFLOG", Const, 0, ""},
+		{"DLT_PFSYNC", Const, 0, ""},
+		{"DLT_PPI", Const, 0, ""},
+		{"DLT_PPP", Const, 0, ""},
+		{"DLT_PPP_BSDOS", Const, 0, ""},
+		{"DLT_PPP_ETHER", Const, 0, ""},
+		{"DLT_PPP_PPPD", Const, 0, ""},
+		{"DLT_PPP_SERIAL", Const, 0, ""},
+		{"DLT_PPP_WITH_DIR", Const, 0, ""},
+		{"DLT_PPP_WITH_DIRECTION", Const, 0, ""},
+		{"DLT_PRISM_HEADER", Const, 0, ""},
+		{"DLT_PRONET", Const, 0, ""},
+		{"DLT_RAIF1", Const, 0, ""},
+		{"DLT_RAW", Const, 0, ""},
+		{"DLT_RAWAF_MASK", Const, 1, ""},
+		{"DLT_RIO", Const, 0, ""},
+		{"DLT_SCCP", Const, 0, ""},
+		{"DLT_SITA", Const, 0, ""},
+		{"DLT_SLIP", Const, 0, ""},
+		{"DLT_SLIP_BSDOS", Const, 0, ""},
+		{"DLT_STANAG_5066_D_PDU", Const, 1, ""},
+		{"DLT_SUNATM", Const, 0, ""},
+		{"DLT_SYMANTEC_FIREWALL", Const, 0, ""},
+		{"DLT_TZSP", Const, 0, ""},
+		{"DLT_USB", Const, 0, ""},
+		{"DLT_USB_LINUX", Const, 0, ""},
+		{"DLT_USB_LINUX_MMAPPED", Const, 1, ""},
+		{"DLT_USER0", Const, 0, ""},
+		{"DLT_USER1", Const, 0, ""},
+		{"DLT_USER10", Const, 0, ""},
+		{"DLT_USER11", Const, 0, ""},
+		{"DLT_USER12", Const, 0, ""},
+		{"DLT_USER13", Const, 0, ""},
+		{"DLT_USER14", Const, 0, ""},
+		{"DLT_USER15", Const, 0, ""},
+		{"DLT_USER2", Const, 0, ""},
+		{"DLT_USER3", Const, 0, ""},
+		{"DLT_USER4", Const, 0, ""},
+		{"DLT_USER5", Const, 0, ""},
+		{"DLT_USER6", Const, 0, ""},
+		{"DLT_USER7", Const, 0, ""},
+		{"DLT_USER8", Const, 0, ""},
+		{"DLT_USER9", Const, 0, ""},
+		{"DLT_WIHART", Const, 1, ""},
+		{"DLT_X2E_SERIAL", Const, 0, ""},
+		{"DLT_X2E_XORAYA", Const, 0, ""},
+		{"DNSMXData", Type, 0, ""},
+		{"DNSMXData.NameExchange", Field, 0, ""},
+		{"DNSMXData.Pad", Field, 0, ""},
+		{"DNSMXData.Preference", Field, 0, ""},
+		{"DNSPTRData", Type, 0, ""},
+		{"DNSPTRData.Host", Field, 0, ""},
+		{"DNSRecord", Type, 0, ""},
+		{"DNSRecord.Data", Field, 0, ""},
+		{"DNSRecord.Dw", Field, 0, ""},
+		{"DNSRecord.Length", Field, 0, ""},
+		{"DNSRecord.Name", Field, 0, ""},
+		{"DNSRecord.Next", Field, 0, ""},
+		{"DNSRecord.Reserved", Field, 0, ""},
+		{"DNSRecord.Ttl", Field, 0, ""},
+		{"DNSRecord.Type", Field, 0, ""},
+		{"DNSSRVData", Type, 0, ""},
+		{"DNSSRVData.Pad", Field, 0, ""},
+		{"DNSSRVData.Port", Field, 0, ""},
+		{"DNSSRVData.Priority", Field, 0, ""},
+		{"DNSSRVData.Target", Field, 0, ""},
+		{"DNSSRVData.Weight", Field, 0, ""},
+		{"DNSTXTData", Type, 0, ""},
+		{"DNSTXTData.StringArray", Field, 0, ""},
+		{"DNSTXTData.StringCount", Field, 0, ""},
+		{"DNS_INFO_NO_RECORDS", Const, 4, ""},
+		{"DNS_TYPE_A", Const, 0, ""},
+		{"DNS_TYPE_A6", Const, 0, ""},
+		{"DNS_TYPE_AAAA", Const, 0, ""},
+		{"DNS_TYPE_ADDRS", Const, 0, ""},
+		{"DNS_TYPE_AFSDB", Const, 0, ""},
+		{"DNS_TYPE_ALL", Const, 0, ""},
+		{"DNS_TYPE_ANY", Const, 0, ""},
+		{"DNS_TYPE_ATMA", Const, 0, ""},
+		{"DNS_TYPE_AXFR", Const, 0, ""},
+		{"DNS_TYPE_CERT", Const, 0, ""},
+		{"DNS_TYPE_CNAME", Const, 0, ""},
+		{"DNS_TYPE_DHCID", Const, 0, ""},
+		{"DNS_TYPE_DNAME", Const, 0, ""},
+		{"DNS_TYPE_DNSKEY", Const, 0, ""},
+		{"DNS_TYPE_DS", Const, 0, ""},
+		{"DNS_TYPE_EID", Const, 0, ""},
+		{"DNS_TYPE_GID", Const, 0, ""},
+		{"DNS_TYPE_GPOS", Const, 0, ""},
+		{"DNS_TYPE_HINFO", Const, 0, ""},
+		{"DNS_TYPE_ISDN", Const, 0, ""},
+		{"DNS_TYPE_IXFR", Const, 0, ""},
+		{"DNS_TYPE_KEY", Const, 0, ""},
+		{"DNS_TYPE_KX", Const, 0, ""},
+		{"DNS_TYPE_LOC", Const, 0, ""},
+		{"DNS_TYPE_MAILA", Const, 0, ""},
+		{"DNS_TYPE_MAILB", Const, 0, ""},
+		{"DNS_TYPE_MB", Const, 0, ""},
+		{"DNS_TYPE_MD", Const, 0, ""},
+		{"DNS_TYPE_MF", Const, 0, ""},
+		{"DNS_TYPE_MG", Const, 0, ""},
+		{"DNS_TYPE_MINFO", Const, 0, ""},
+		{"DNS_TYPE_MR", Const, 0, ""},
+		{"DNS_TYPE_MX", Const, 0, ""},
+		{"DNS_TYPE_NAPTR", Const, 0, ""},
+		{"DNS_TYPE_NBSTAT", Const, 0, ""},
+		{"DNS_TYPE_NIMLOC", Const, 0, ""},
+		{"DNS_TYPE_NS", Const, 0, ""},
+		{"DNS_TYPE_NSAP", Const, 0, ""},
+		{"DNS_TYPE_NSAPPTR", Const, 0, ""},
+		{"DNS_TYPE_NSEC", Const, 0, ""},
+		{"DNS_TYPE_NULL", Const, 0, ""},
+		{"DNS_TYPE_NXT", Const, 0, ""},
+		{"DNS_TYPE_OPT", Const, 0, ""},
+		{"DNS_TYPE_PTR", Const, 0, ""},
+		{"DNS_TYPE_PX", Const, 0, ""},
+		{"DNS_TYPE_RP", Const, 0, ""},
+		{"DNS_TYPE_RRSIG", Const, 0, ""},
+		{"DNS_TYPE_RT", Const, 0, ""},
+		{"DNS_TYPE_SIG", Const, 0, ""},
+		{"DNS_TYPE_SINK", Const, 0, ""},
+		{"DNS_TYPE_SOA", Const, 0, ""},
+		{"DNS_TYPE_SRV", Const, 0, ""},
+		{"DNS_TYPE_TEXT", Const, 0, ""},
+		{"DNS_TYPE_TKEY", Const, 0, ""},
+		{"DNS_TYPE_TSIG", Const, 0, ""},
+		{"DNS_TYPE_UID", Const, 0, ""},
+		{"DNS_TYPE_UINFO", Const, 0, ""},
+		{"DNS_TYPE_UNSPEC", Const, 0, ""},
+		{"DNS_TYPE_WINS", Const, 0, ""},
+		{"DNS_TYPE_WINSR", Const, 0, ""},
+		{"DNS_TYPE_WKS", Const, 0, ""},
+		{"DNS_TYPE_X25", Const, 0, ""},
+		{"DT_BLK", Const, 0, ""},
+		{"DT_CHR", Const, 0, ""},
+		{"DT_DIR", Const, 0, ""},
+		{"DT_FIFO", Const, 0, ""},
+		{"DT_LNK", Const, 0, ""},
+		{"DT_REG", Const, 0, ""},
+		{"DT_SOCK", Const, 0, ""},
+		{"DT_UNKNOWN", Const, 0, ""},
+		{"DT_WHT", Const, 0, ""},
+		{"DUPLICATE_CLOSE_SOURCE", Const, 0, ""},
+		{"DUPLICATE_SAME_ACCESS", Const, 0, ""},
+		{"DeleteFile", Func, 0, ""},
+		{"DetachLsf", Func, 0, "func(fd int) error"},
+		{"DeviceIoControl", Func, 4, ""},
+		{"Dirent", Type, 0, ""},
+		{"Dirent.Fileno", Field, 0, ""},
+		{"Dirent.Ino", Field, 0, ""},
+		{"Dirent.Name", Field, 0, ""},
+		{"Dirent.Namlen", Field, 0, ""},
+		{"Dirent.Off", Field, 0, ""},
+		{"Dirent.Pad0", Field, 12, ""},
+		{"Dirent.Pad1", Field, 12, ""},
+		{"Dirent.Pad_cgo_0", Field, 0, ""},
+		{"Dirent.Reclen", Field, 0, ""},
+		{"Dirent.Seekoff", Field, 0, ""},
+		{"Dirent.Type", Field, 0, ""},
+		{"Dirent.X__d_padding", Field, 3, ""},
+		{"DnsNameCompare", Func, 4, ""},
+		{"DnsQuery", Func, 0, ""},
+		{"DnsRecordListFree", Func, 0, ""},
+		{"DnsSectionAdditional", Const, 4, ""},
+		{"DnsSectionAnswer", Const, 4, ""},
+		{"DnsSectionAuthority", Const, 4, ""},
+		{"DnsSectionQuestion", Const, 4, ""},
+		{"Dup", Func, 0, "func(oldfd int) (fd int, err error)"},
+		{"Dup2", Func, 0, "func(oldfd int, newfd int) (err error)"},
+		{"Dup3", Func, 2, "func(oldfd int, newfd int, flags int) (err error)"},
+		{"DuplicateHandle", Func, 0, ""},
+		{"E2BIG", Const, 0, ""},
+		{"EACCES", Const, 0, ""},
+		{"EADDRINUSE", Const, 0, ""},
+		{"EADDRNOTAVAIL", Const, 0, ""},
+		{"EADV", Const, 0, ""},
+		{"EAFNOSUPPORT", Const, 0, ""},
+		{"EAGAIN", Const, 0, ""},
+		{"EALREADY", Const, 0, ""},
+		{"EAUTH", Const, 0, ""},
+		{"EBADARCH", Const, 0, ""},
+		{"EBADE", Const, 0, ""},
+		{"EBADEXEC", Const, 0, ""},
+		{"EBADF", Const, 0, ""},
+		{"EBADFD", Const, 0, ""},
+		{"EBADMACHO", Const, 0, ""},
+		{"EBADMSG", Const, 0, ""},
+		{"EBADR", Const, 0, ""},
+		{"EBADRPC", Const, 0, ""},
+		{"EBADRQC", Const, 0, ""},
+		{"EBADSLT", Const, 0, ""},
+		{"EBFONT", Const, 0, ""},
+		{"EBUSY", Const, 0, ""},
+		{"ECANCELED", Const, 0, ""},
+		{"ECAPMODE", Const, 1, ""},
+		{"ECHILD", Const, 0, ""},
+		{"ECHO", Const, 0, ""},
+		{"ECHOCTL", Const, 0, ""},
+		{"ECHOE", Const, 0, ""},
+		{"ECHOK", Const, 0, ""},
+		{"ECHOKE", Const, 0, ""},
+		{"ECHONL", Const, 0, ""},
+		{"ECHOPRT", Const, 0, ""},
+		{"ECHRNG", Const, 0, ""},
+		{"ECOMM", Const, 0, ""},
+		{"ECONNABORTED", Const, 0, ""},
+		{"ECONNREFUSED", Const, 0, ""},
+		{"ECONNRESET", Const, 0, ""},
+		{"EDEADLK", Const, 0, ""},
+		{"EDEADLOCK", Const, 0, ""},
+		{"EDESTADDRREQ", Const, 0, ""},
+		{"EDEVERR", Const, 0, ""},
+		{"EDOM", Const, 0, ""},
+		{"EDOOFUS", Const, 0, ""},
+		{"EDOTDOT", Const, 0, ""},
+		{"EDQUOT", Const, 0, ""},
+		{"EEXIST", Const, 0, ""},
+		{"EFAULT", Const, 0, ""},
+		{"EFBIG", Const, 0, ""},
+		{"EFER_LMA", Const, 1, ""},
+		{"EFER_LME", Const, 1, ""},
+		{"EFER_NXE", Const, 1, ""},
+		{"EFER_SCE", Const, 1, ""},
+		{"EFTYPE", Const, 0, ""},
+		{"EHOSTDOWN", Const, 0, ""},
+		{"EHOSTUNREACH", Const, 0, ""},
+		{"EHWPOISON", Const, 0, ""},
+		{"EIDRM", Const, 0, ""},
+		{"EILSEQ", Const, 0, ""},
+		{"EINPROGRESS", Const, 0, ""},
+		{"EINTR", Const, 0, ""},
+		{"EINVAL", Const, 0, ""},
+		{"EIO", Const, 0, ""},
+		{"EIPSEC", Const, 1, ""},
+		{"EISCONN", Const, 0, ""},
+		{"EISDIR", Const, 0, ""},
+		{"EISNAM", Const, 0, ""},
+		{"EKEYEXPIRED", Const, 0, ""},
+		{"EKEYREJECTED", Const, 0, ""},
+		{"EKEYREVOKED", Const, 0, ""},
+		{"EL2HLT", Const, 0, ""},
+		{"EL2NSYNC", Const, 0, ""},
+		{"EL3HLT", Const, 0, ""},
+		{"EL3RST", Const, 0, ""},
+		{"ELAST", Const, 0, ""},
+		{"ELF_NGREG", Const, 0, ""},
+		{"ELF_PRARGSZ", Const, 0, ""},
+		{"ELIBACC", Const, 0, ""},
+		{"ELIBBAD", Const, 0, ""},
+		{"ELIBEXEC", Const, 0, ""},
+		{"ELIBMAX", Const, 0, ""},
+		{"ELIBSCN", Const, 0, ""},
+		{"ELNRNG", Const, 0, ""},
+		{"ELOOP", Const, 0, ""},
+		{"EMEDIUMTYPE", Const, 0, ""},
+		{"EMFILE", Const, 0, ""},
+		{"EMLINK", Const, 0, ""},
+		{"EMSGSIZE", Const, 0, ""},
+		{"EMT_TAGOVF", Const, 1, ""},
+		{"EMULTIHOP", Const, 0, ""},
+		{"EMUL_ENABLED", Const, 1, ""},
+		{"EMUL_LINUX", Const, 1, ""},
+		{"EMUL_LINUX32", Const, 1, ""},
+		{"EMUL_MAXID", Const, 1, ""},
+		{"EMUL_NATIVE", Const, 1, ""},
+		{"ENAMETOOLONG", Const, 0, ""},
+		{"ENAVAIL", Const, 0, ""},
+		{"ENDRUNDISC", Const, 1, ""},
+		{"ENEEDAUTH", Const, 0, ""},
+		{"ENETDOWN", Const, 0, ""},
+		{"ENETRESET", Const, 0, ""},
+		{"ENETUNREACH", Const, 0, ""},
+		{"ENFILE", Const, 0, ""},
+		{"ENOANO", Const, 0, ""},
+		{"ENOATTR", Const, 0, ""},
+		{"ENOBUFS", Const, 0, ""},
+		{"ENOCSI", Const, 0, ""},
+		{"ENODATA", Const, 0, ""},
+		{"ENODEV", Const, 0, ""},
+		{"ENOENT", Const, 0, ""},
+		{"ENOEXEC", Const, 0, ""},
+		{"ENOKEY", Const, 0, ""},
+		{"ENOLCK", Const, 0, ""},
+		{"ENOLINK", Const, 0, ""},
+		{"ENOMEDIUM", Const, 0, ""},
+		{"ENOMEM", Const, 0, ""},
+		{"ENOMSG", Const, 0, ""},
+		{"ENONET", Const, 0, ""},
+		{"ENOPKG", Const, 0, ""},
+		{"ENOPOLICY", Const, 0, ""},
+		{"ENOPROTOOPT", Const, 0, ""},
+		{"ENOSPC", Const, 0, ""},
+		{"ENOSR", Const, 0, ""},
+		{"ENOSTR", Const, 0, ""},
+		{"ENOSYS", Const, 0, ""},
+		{"ENOTBLK", Const, 0, ""},
+		{"ENOTCAPABLE", Const, 0, ""},
+		{"ENOTCONN", Const, 0, ""},
+		{"ENOTDIR", Const, 0, ""},
+		{"ENOTEMPTY", Const, 0, ""},
+		{"ENOTNAM", Const, 0, ""},
+		{"ENOTRECOVERABLE", Const, 0, ""},
+		{"ENOTSOCK", Const, 0, ""},
+		{"ENOTSUP", Const, 0, ""},
+		{"ENOTTY", Const, 0, ""},
+		{"ENOTUNIQ", Const, 0, ""},
+		{"ENXIO", Const, 0, ""},
+		{"EN_SW_CTL_INF", Const, 1, ""},
+		{"EN_SW_CTL_PREC", Const, 1, ""},
+		{"EN_SW_CTL_ROUND", Const, 1, ""},
+		{"EN_SW_DATACHAIN", Const, 1, ""},
+		{"EN_SW_DENORM", Const, 1, ""},
+		{"EN_SW_INVOP", Const, 1, ""},
+		{"EN_SW_OVERFLOW", Const, 1, ""},
+		{"EN_SW_PRECLOSS", Const, 1, ""},
+		{"EN_SW_UNDERFLOW", Const, 1, ""},
+		{"EN_SW_ZERODIV", Const, 1, ""},
+		{"EOPNOTSUPP", Const, 0, ""},
+		{"EOVERFLOW", Const, 0, ""},
+		{"EOWNERDEAD", Const, 0, ""},
+		{"EPERM", Const, 0, ""},
+		{"EPFNOSUPPORT", Const, 0, ""},
+		{"EPIPE", Const, 0, ""},
+		{"EPOLLERR", Const, 0, ""},
+		{"EPOLLET", Const, 0, ""},
+		{"EPOLLHUP", Const, 0, ""},
+		{"EPOLLIN", Const, 0, ""},
+		{"EPOLLMSG", Const, 0, ""},
+		{"EPOLLONESHOT", Const, 0, ""},
+		{"EPOLLOUT", Const, 0, ""},
+		{"EPOLLPRI", Const, 0, ""},
+		{"EPOLLRDBAND", Const, 0, ""},
+		{"EPOLLRDHUP", Const, 0, ""},
+		{"EPOLLRDNORM", Const, 0, ""},
+		{"EPOLLWRBAND", Const, 0, ""},
+		{"EPOLLWRNORM", Const, 0, ""},
+		{"EPOLL_CLOEXEC", Const, 0, ""},
+		{"EPOLL_CTL_ADD", Const, 0, ""},
+		{"EPOLL_CTL_DEL", Const, 0, ""},
+		{"EPOLL_CTL_MOD", Const, 0, ""},
+		{"EPOLL_NONBLOCK", Const, 0, ""},
+		{"EPROCLIM", Const, 0, ""},
+		{"EPROCUNAVAIL", Const, 0, ""},
+		{"EPROGMISMATCH", Const, 0, ""},
+		{"EPROGUNAVAIL", Const, 0, ""},
+		{"EPROTO", Const, 0, ""},
+		{"EPROTONOSUPPORT", Const, 0, ""},
+		{"EPROTOTYPE", Const, 0, ""},
+		{"EPWROFF", Const, 0, ""},
+		{"EQFULL", Const, 16, ""},
+		{"ERANGE", Const, 0, ""},
+		{"EREMCHG", Const, 0, ""},
+		{"EREMOTE", Const, 0, ""},
+		{"EREMOTEIO", Const, 0, ""},
+		{"ERESTART", Const, 0, ""},
+		{"ERFKILL", Const, 0, ""},
+		{"EROFS", Const, 0, ""},
+		{"ERPCMISMATCH", Const, 0, ""},
+		{"ERROR_ACCESS_DENIED", Const, 0, ""},
+		{"ERROR_ALREADY_EXISTS", Const, 0, ""},
+		{"ERROR_BROKEN_PIPE", Const, 0, ""},
+		{"ERROR_BUFFER_OVERFLOW", Const, 0, ""},
+		{"ERROR_DIR_NOT_EMPTY", Const, 8, ""},
+		{"ERROR_ENVVAR_NOT_FOUND", Const, 0, ""},
+		{"ERROR_FILE_EXISTS", Const, 0, ""},
+		{"ERROR_FILE_NOT_FOUND", Const, 0, ""},
+		{"ERROR_HANDLE_EOF", Const, 2, ""},
+		{"ERROR_INSUFFICIENT_BUFFER", Const, 0, ""},
+		{"ERROR_IO_PENDING", Const, 0, ""},
+		{"ERROR_MOD_NOT_FOUND", Const, 0, ""},
+		{"ERROR_MORE_DATA", Const, 3, ""},
+		{"ERROR_NETNAME_DELETED", Const, 3, ""},
+		{"ERROR_NOT_FOUND", Const, 1, ""},
+		{"ERROR_NO_MORE_FILES", Const, 0, ""},
+		{"ERROR_OPERATION_ABORTED", Const, 0, ""},
+		{"ERROR_PATH_NOT_FOUND", Const, 0, ""},
+		{"ERROR_PRIVILEGE_NOT_HELD", Const, 4, ""},
+		{"ERROR_PROC_NOT_FOUND", Const, 0, ""},
+		{"ESHLIBVERS", Const, 0, ""},
+		{"ESHUTDOWN", Const, 0, ""},
+		{"ESOCKTNOSUPPORT", Const, 0, ""},
+		{"ESPIPE", Const, 0, ""},
+		{"ESRCH", Const, 0, ""},
+		{"ESRMNT", Const, 0, ""},
+		{"ESTALE", Const, 0, ""},
+		{"ESTRPIPE", Const, 0, ""},
+		{"ETHERCAP_JUMBO_MTU", Const, 1, ""},
+		{"ETHERCAP_VLAN_HWTAGGING", Const, 1, ""},
+		{"ETHERCAP_VLAN_MTU", Const, 1, ""},
+		{"ETHERMIN", Const, 1, ""},
+		{"ETHERMTU", Const, 1, ""},
+		{"ETHERMTU_JUMBO", Const, 1, ""},
+		{"ETHERTYPE_8023", Const, 1, ""},
+		{"ETHERTYPE_AARP", Const, 1, ""},
+		{"ETHERTYPE_ACCTON", Const, 1, ""},
+		{"ETHERTYPE_AEONIC", Const, 1, ""},
+		{"ETHERTYPE_ALPHA", Const, 1, ""},
+		{"ETHERTYPE_AMBER", Const, 1, ""},
+		{"ETHERTYPE_AMOEBA", Const, 1, ""},
+		{"ETHERTYPE_AOE", Const, 1, ""},
+		{"ETHERTYPE_APOLLO", Const, 1, ""},
+		{"ETHERTYPE_APOLLODOMAIN", Const, 1, ""},
+		{"ETHERTYPE_APPLETALK", Const, 1, ""},
+		{"ETHERTYPE_APPLITEK", Const, 1, ""},
+		{"ETHERTYPE_ARGONAUT", Const, 1, ""},
+		{"ETHERTYPE_ARP", Const, 1, ""},
+		{"ETHERTYPE_AT", Const, 1, ""},
+		{"ETHERTYPE_ATALK", Const, 1, ""},
+		{"ETHERTYPE_ATOMIC", Const, 1, ""},
+		{"ETHERTYPE_ATT", Const, 1, ""},
+		{"ETHERTYPE_ATTSTANFORD", Const, 1, ""},
+		{"ETHERTYPE_AUTOPHON", Const, 1, ""},
+		{"ETHERTYPE_AXIS", Const, 1, ""},
+		{"ETHERTYPE_BCLOOP", Const, 1, ""},
+		{"ETHERTYPE_BOFL", Const, 1, ""},
+		{"ETHERTYPE_CABLETRON", Const, 1, ""},
+		{"ETHERTYPE_CHAOS", Const, 1, ""},
+		{"ETHERTYPE_COMDESIGN", Const, 1, ""},
+		{"ETHERTYPE_COMPUGRAPHIC", Const, 1, ""},
+		{"ETHERTYPE_COUNTERPOINT", Const, 1, ""},
+		{"ETHERTYPE_CRONUS", Const, 1, ""},
+		{"ETHERTYPE_CRONUSVLN", Const, 1, ""},
+		{"ETHERTYPE_DCA", Const, 1, ""},
+		{"ETHERTYPE_DDE", Const, 1, ""},
+		{"ETHERTYPE_DEBNI", Const, 1, ""},
+		{"ETHERTYPE_DECAM", Const, 1, ""},
+		{"ETHERTYPE_DECCUST", Const, 1, ""},
+		{"ETHERTYPE_DECDIAG", Const, 1, ""},
+		{"ETHERTYPE_DECDNS", Const, 1, ""},
+		{"ETHERTYPE_DECDTS", Const, 1, ""},
+		{"ETHERTYPE_DECEXPER", Const, 1, ""},
+		{"ETHERTYPE_DECLAST", Const, 1, ""},
+		{"ETHERTYPE_DECLTM", Const, 1, ""},
+		{"ETHERTYPE_DECMUMPS", Const, 1, ""},
+		{"ETHERTYPE_DECNETBIOS", Const, 1, ""},
+		{"ETHERTYPE_DELTACON", Const, 1, ""},
+		{"ETHERTYPE_DIDDLE", Const, 1, ""},
+		{"ETHERTYPE_DLOG1", Const, 1, ""},
+		{"ETHERTYPE_DLOG2", Const, 1, ""},
+		{"ETHERTYPE_DN", Const, 1, ""},
+		{"ETHERTYPE_DOGFIGHT", Const, 1, ""},
+		{"ETHERTYPE_DSMD", Const, 1, ""},
+		{"ETHERTYPE_ECMA", Const, 1, ""},
+		{"ETHERTYPE_ENCRYPT", Const, 1, ""},
+		{"ETHERTYPE_ES", Const, 1, ""},
+		{"ETHERTYPE_EXCELAN", Const, 1, ""},
+		{"ETHERTYPE_EXPERDATA", Const, 1, ""},
+		{"ETHERTYPE_FLIP", Const, 1, ""},
+		{"ETHERTYPE_FLOWCONTROL", Const, 1, ""},
+		{"ETHERTYPE_FRARP", Const, 1, ""},
+		{"ETHERTYPE_GENDYN", Const, 1, ""},
+		{"ETHERTYPE_HAYES", Const, 1, ""},
+		{"ETHERTYPE_HIPPI_FP", Const, 1, ""},
+		{"ETHERTYPE_HITACHI", Const, 1, ""},
+		{"ETHERTYPE_HP", Const, 1, ""},
+		{"ETHERTYPE_IEEEPUP", Const, 1, ""},
+		{"ETHERTYPE_IEEEPUPAT", Const, 1, ""},
+		{"ETHERTYPE_IMLBL", Const, 1, ""},
+		{"ETHERTYPE_IMLBLDIAG", Const, 1, ""},
+		{"ETHERTYPE_IP", Const, 1, ""},
+		{"ETHERTYPE_IPAS", Const, 1, ""},
+		{"ETHERTYPE_IPV6", Const, 1, ""},
+		{"ETHERTYPE_IPX", Const, 1, ""},
+		{"ETHERTYPE_IPXNEW", Const, 1, ""},
+		{"ETHERTYPE_KALPANA", Const, 1, ""},
+		{"ETHERTYPE_LANBRIDGE", Const, 1, ""},
+		{"ETHERTYPE_LANPROBE", Const, 1, ""},
+		{"ETHERTYPE_LAT", Const, 1, ""},
+		{"ETHERTYPE_LBACK", Const, 1, ""},
+		{"ETHERTYPE_LITTLE", Const, 1, ""},
+		{"ETHERTYPE_LLDP", Const, 1, ""},
+		{"ETHERTYPE_LOGICRAFT", Const, 1, ""},
+		{"ETHERTYPE_LOOPBACK", Const, 1, ""},
+		{"ETHERTYPE_MATRA", Const, 1, ""},
+		{"ETHERTYPE_MAX", Const, 1, ""},
+		{"ETHERTYPE_MERIT", Const, 1, ""},
+		{"ETHERTYPE_MICP", Const, 1, ""},
+		{"ETHERTYPE_MOPDL", Const, 1, ""},
+		{"ETHERTYPE_MOPRC", Const, 1, ""},
+		{"ETHERTYPE_MOTOROLA", Const, 1, ""},
+		{"ETHERTYPE_MPLS", Const, 1, ""},
+		{"ETHERTYPE_MPLS_MCAST", Const, 1, ""},
+		{"ETHERTYPE_MUMPS", Const, 1, ""},
+		{"ETHERTYPE_NBPCC", Const, 1, ""},
+		{"ETHERTYPE_NBPCLAIM", Const, 1, ""},
+		{"ETHERTYPE_NBPCLREQ", Const, 1, ""},
+		{"ETHERTYPE_NBPCLRSP", Const, 1, ""},
+		{"ETHERTYPE_NBPCREQ", Const, 1, ""},
+		{"ETHERTYPE_NBPCRSP", Const, 1, ""},
+		{"ETHERTYPE_NBPDG", Const, 1, ""},
+		{"ETHERTYPE_NBPDGB", Const, 1, ""},
+		{"ETHERTYPE_NBPDLTE", Const, 1, ""},
+		{"ETHERTYPE_NBPRAR", Const, 1, ""},
+		{"ETHERTYPE_NBPRAS", Const, 1, ""},
+		{"ETHERTYPE_NBPRST", Const, 1, ""},
+		{"ETHERTYPE_NBPSCD", Const, 1, ""},
+		{"ETHERTYPE_NBPVCD", Const, 1, ""},
+		{"ETHERTYPE_NBS", Const, 1, ""},
+		{"ETHERTYPE_NCD", Const, 1, ""},
+		{"ETHERTYPE_NESTAR", Const, 1, ""},
+		{"ETHERTYPE_NETBEUI", Const, 1, ""},
+		{"ETHERTYPE_NOVELL", Const, 1, ""},
+		{"ETHERTYPE_NS", Const, 1, ""},
+		{"ETHERTYPE_NSAT", Const, 1, ""},
+		{"ETHERTYPE_NSCOMPAT", Const, 1, ""},
+		{"ETHERTYPE_NTRAILER", Const, 1, ""},
+		{"ETHERTYPE_OS9", Const, 1, ""},
+		{"ETHERTYPE_OS9NET", Const, 1, ""},
+		{"ETHERTYPE_PACER", Const, 1, ""},
+		{"ETHERTYPE_PAE", Const, 1, ""},
+		{"ETHERTYPE_PCS", Const, 1, ""},
+		{"ETHERTYPE_PLANNING", Const, 1, ""},
+		{"ETHERTYPE_PPP", Const, 1, ""},
+		{"ETHERTYPE_PPPOE", Const, 1, ""},
+		{"ETHERTYPE_PPPOEDISC", Const, 1, ""},
+		{"ETHERTYPE_PRIMENTS", Const, 1, ""},
+		{"ETHERTYPE_PUP", Const, 1, ""},
+		{"ETHERTYPE_PUPAT", Const, 1, ""},
+		{"ETHERTYPE_QINQ", Const, 1, ""},
+		{"ETHERTYPE_RACAL", Const, 1, ""},
+		{"ETHERTYPE_RATIONAL", Const, 1, ""},
+		{"ETHERTYPE_RAWFR", Const, 1, ""},
+		{"ETHERTYPE_RCL", Const, 1, ""},
+		{"ETHERTYPE_RDP", Const, 1, ""},
+		{"ETHERTYPE_RETIX", Const, 1, ""},
+		{"ETHERTYPE_REVARP", Const, 1, ""},
+		{"ETHERTYPE_SCA", Const, 1, ""},
+		{"ETHERTYPE_SECTRA", Const, 1, ""},
+		{"ETHERTYPE_SECUREDATA", Const, 1, ""},
+		{"ETHERTYPE_SGITW", Const, 1, ""},
+		{"ETHERTYPE_SG_BOUNCE", Const, 1, ""},
+		{"ETHERTYPE_SG_DIAG", Const, 1, ""},
+		{"ETHERTYPE_SG_NETGAMES", Const, 1, ""},
+		{"ETHERTYPE_SG_RESV", Const, 1, ""},
+		{"ETHERTYPE_SIMNET", Const, 1, ""},
+		{"ETHERTYPE_SLOW", Const, 1, ""},
+		{"ETHERTYPE_SLOWPROTOCOLS", Const, 1, ""},
+		{"ETHERTYPE_SNA", Const, 1, ""},
+		{"ETHERTYPE_SNMP", Const, 1, ""},
+		{"ETHERTYPE_SONIX", Const, 1, ""},
+		{"ETHERTYPE_SPIDER", Const, 1, ""},
+		{"ETHERTYPE_SPRITE", Const, 1, ""},
+		{"ETHERTYPE_STP", Const, 1, ""},
+		{"ETHERTYPE_TALARIS", Const, 1, ""},
+		{"ETHERTYPE_TALARISMC", Const, 1, ""},
+		{"ETHERTYPE_TCPCOMP", Const, 1, ""},
+		{"ETHERTYPE_TCPSM", Const, 1, ""},
+		{"ETHERTYPE_TEC", Const, 1, ""},
+		{"ETHERTYPE_TIGAN", Const, 1, ""},
+		{"ETHERTYPE_TRAIL", Const, 1, ""},
+		{"ETHERTYPE_TRANSETHER", Const, 1, ""},
+		{"ETHERTYPE_TYMSHARE", Const, 1, ""},
+		{"ETHERTYPE_UBBST", Const, 1, ""},
+		{"ETHERTYPE_UBDEBUG", Const, 1, ""},
+		{"ETHERTYPE_UBDIAGLOOP", Const, 1, ""},
+		{"ETHERTYPE_UBDL", Const, 1, ""},
+		{"ETHERTYPE_UBNIU", Const, 1, ""},
+		{"ETHERTYPE_UBNMC", Const, 1, ""},
+		{"ETHERTYPE_VALID", Const, 1, ""},
+		{"ETHERTYPE_VARIAN", Const, 1, ""},
+		{"ETHERTYPE_VAXELN", Const, 1, ""},
+		{"ETHERTYPE_VEECO", Const, 1, ""},
+		{"ETHERTYPE_VEXP", Const, 1, ""},
+		{"ETHERTYPE_VGLAB", Const, 1, ""},
+		{"ETHERTYPE_VINES", Const, 1, ""},
+		{"ETHERTYPE_VINESECHO", Const, 1, ""},
+		{"ETHERTYPE_VINESLOOP", Const, 1, ""},
+		{"ETHERTYPE_VITAL", Const, 1, ""},
+		{"ETHERTYPE_VLAN", Const, 1, ""},
+		{"ETHERTYPE_VLTLMAN", Const, 1, ""},
+		{"ETHERTYPE_VPROD", Const, 1, ""},
+		{"ETHERTYPE_VURESERVED", Const, 1, ""},
+		{"ETHERTYPE_WATERLOO", Const, 1, ""},
+		{"ETHERTYPE_WELLFLEET", Const, 1, ""},
+		{"ETHERTYPE_X25", Const, 1, ""},
+		{"ETHERTYPE_X75", Const, 1, ""},
+		{"ETHERTYPE_XNSSM", Const, 1, ""},
+		{"ETHERTYPE_XTP", Const, 1, ""},
+		{"ETHER_ADDR_LEN", Const, 1, ""},
+		{"ETHER_ALIGN", Const, 1, ""},
+		{"ETHER_CRC_LEN", Const, 1, ""},
+		{"ETHER_CRC_POLY_BE", Const, 1, ""},
+		{"ETHER_CRC_POLY_LE", Const, 1, ""},
+		{"ETHER_HDR_LEN", Const, 1, ""},
+		{"ETHER_MAX_DIX_LEN", Const, 1, ""},
+		{"ETHER_MAX_LEN", Const, 1, ""},
+		{"ETHER_MAX_LEN_JUMBO", Const, 1, ""},
+		{"ETHER_MIN_LEN", Const, 1, ""},
+		{"ETHER_PPPOE_ENCAP_LEN", Const, 1, ""},
+		{"ETHER_TYPE_LEN", Const, 1, ""},
+		{"ETHER_VLAN_ENCAP_LEN", Const, 1, ""},
+		{"ETH_P_1588", Const, 0, ""},
+		{"ETH_P_8021Q", Const, 0, ""},
+		{"ETH_P_802_2", Const, 0, ""},
+		{"ETH_P_802_3", Const, 0, ""},
+		{"ETH_P_AARP", Const, 0, ""},
+		{"ETH_P_ALL", Const, 0, ""},
+		{"ETH_P_AOE", Const, 0, ""},
+		{"ETH_P_ARCNET", Const, 0, ""},
+		{"ETH_P_ARP", Const, 0, ""},
+		{"ETH_P_ATALK", Const, 0, ""},
+		{"ETH_P_ATMFATE", Const, 0, ""},
+		{"ETH_P_ATMMPOA", Const, 0, ""},
+		{"ETH_P_AX25", Const, 0, ""},
+		{"ETH_P_BPQ", Const, 0, ""},
+		{"ETH_P_CAIF", Const, 0, ""},
+		{"ETH_P_CAN", Const, 0, ""},
+		{"ETH_P_CONTROL", Const, 0, ""},
+		{"ETH_P_CUST", Const, 0, ""},
+		{"ETH_P_DDCMP", Const, 0, ""},
+		{"ETH_P_DEC", Const, 0, ""},
+		{"ETH_P_DIAG", Const, 0, ""},
+		{"ETH_P_DNA_DL", Const, 0, ""},
+		{"ETH_P_DNA_RC", Const, 0, ""},
+		{"ETH_P_DNA_RT", Const, 0, ""},
+		{"ETH_P_DSA", Const, 0, ""},
+		{"ETH_P_ECONET", Const, 0, ""},
+		{"ETH_P_EDSA", Const, 0, ""},
+		{"ETH_P_FCOE", Const, 0, ""},
+		{"ETH_P_FIP", Const, 0, ""},
+		{"ETH_P_HDLC", Const, 0, ""},
+		{"ETH_P_IEEE802154", Const, 0, ""},
+		{"ETH_P_IEEEPUP", Const, 0, ""},
+		{"ETH_P_IEEEPUPAT", Const, 0, ""},
+		{"ETH_P_IP", Const, 0, ""},
+		{"ETH_P_IPV6", Const, 0, ""},
+		{"ETH_P_IPX", Const, 0, ""},
+		{"ETH_P_IRDA", Const, 0, ""},
+		{"ETH_P_LAT", Const, 0, ""},
+		{"ETH_P_LINK_CTL", Const, 0, ""},
+		{"ETH_P_LOCALTALK", Const, 0, ""},
+		{"ETH_P_LOOP", Const, 0, ""},
+		{"ETH_P_MOBITEX", Const, 0, ""},
+		{"ETH_P_MPLS_MC", Const, 0, ""},
+		{"ETH_P_MPLS_UC", Const, 0, ""},
+		{"ETH_P_PAE", Const, 0, ""},
+		{"ETH_P_PAUSE", Const, 0, ""},
+		{"ETH_P_PHONET", Const, 0, ""},
+		{"ETH_P_PPPTALK", Const, 0, ""},
+		{"ETH_P_PPP_DISC", Const, 0, ""},
+		{"ETH_P_PPP_MP", Const, 0, ""},
+		{"ETH_P_PPP_SES", Const, 0, ""},
+		{"ETH_P_PUP", Const, 0, ""},
+		{"ETH_P_PUPAT", Const, 0, ""},
+		{"ETH_P_RARP", Const, 0, ""},
+		{"ETH_P_SCA", Const, 0, ""},
+		{"ETH_P_SLOW", Const, 0, ""},
+		{"ETH_P_SNAP", Const, 0, ""},
+		{"ETH_P_TEB", Const, 0, ""},
+		{"ETH_P_TIPC", Const, 0, ""},
+		{"ETH_P_TRAILER", Const, 0, ""},
+		{"ETH_P_TR_802_2", Const, 0, ""},
+		{"ETH_P_WAN_PPP", Const, 0, ""},
+		{"ETH_P_WCCP", Const, 0, ""},
+		{"ETH_P_X25", Const, 0, ""},
+		{"ETIME", Const, 0, ""},
+		{"ETIMEDOUT", Const, 0, ""},
+		{"ETOOMANYREFS", Const, 0, ""},
+		{"ETXTBSY", Const, 0, ""},
+		{"EUCLEAN", Const, 0, ""},
+		{"EUNATCH", Const, 0, ""},
+		{"EUSERS", Const, 0, ""},
+		{"EVFILT_AIO", Const, 0, ""},
+		{"EVFILT_FS", Const, 0, ""},
+		{"EVFILT_LIO", Const, 0, ""},
+		{"EVFILT_MACHPORT", Const, 0, ""},
+		{"EVFILT_PROC", Const, 0, ""},
+		{"EVFILT_READ", Const, 0, ""},
+		{"EVFILT_SIGNAL", Const, 0, ""},
+		{"EVFILT_SYSCOUNT", Const, 0, ""},
+		{"EVFILT_THREADMARKER", Const, 0, ""},
+		{"EVFILT_TIMER", Const, 0, ""},
+		{"EVFILT_USER", Const, 0, ""},
+		{"EVFILT_VM", Const, 0, ""},
+		{"EVFILT_VNODE", Const, 0, ""},
+		{"EVFILT_WRITE", Const, 0, ""},
+		{"EV_ADD", Const, 0, ""},
+		{"EV_CLEAR", Const, 0, ""},
+		{"EV_DELETE", Const, 0, ""},
+		{"EV_DISABLE", Const, 0, ""},
+		{"EV_DISPATCH", Const, 0, ""},
+		{"EV_DROP", Const, 3, ""},
+		{"EV_ENABLE", Const, 0, ""},
+		{"EV_EOF", Const, 0, ""},
+		{"EV_ERROR", Const, 0, ""},
+		{"EV_FLAG0", Const, 0, ""},
+		{"EV_FLAG1", Const, 0, ""},
+		{"EV_ONESHOT", Const, 0, ""},
+		{"EV_OOBAND", Const, 0, ""},
+		{"EV_POLL", Const, 0, ""},
+		{"EV_RECEIPT", Const, 0, ""},
+		{"EV_SYSFLAGS", Const, 0, ""},
+		{"EWINDOWS", Const, 0, ""},
+		{"EWOULDBLOCK", Const, 0, ""},
+		{"EXDEV", Const, 0, ""},
+		{"EXFULL", Const, 0, ""},
+		{"EXTA", Const, 0, ""},
+		{"EXTB", Const, 0, ""},
+		{"EXTPROC", Const, 0, ""},
+		{"Environ", Func, 0, "func() []string"},
+		{"EpollCreate", Func, 0, "func(size int) (fd int, err error)"},
+		{"EpollCreate1", Func, 0, "func(flag int) (fd int, err error)"},
+		{"EpollCtl", Func, 0, "func(epfd int, op int, fd int, event *EpollEvent) (err error)"},
+		{"EpollEvent", Type, 0, ""},
+		{"EpollEvent.Events", Field, 0, ""},
+		{"EpollEvent.Fd", Field, 0, ""},
+		{"EpollEvent.Pad", Field, 0, ""},
+		{"EpollEvent.PadFd", Field, 0, ""},
+		{"EpollWait", Func, 0, "func(epfd int, events []EpollEvent, msec int) (n int, err error)"},
+		{"Errno", Type, 0, ""},
+		{"EscapeArg", Func, 0, ""},
+		{"Exchangedata", Func, 0, ""},
+		{"Exec", Func, 0, "func(argv0 string, argv []string, envv []string) (err error)"},
+		{"Exit", Func, 0, "func(code int)"},
+		{"ExitProcess", Func, 0, ""},
+		{"FD_CLOEXEC", Const, 0, ""},
+		{"FD_SETSIZE", Const, 0, ""},
+		{"FILE_ACTION_ADDED", Const, 0, ""},
+		{"FILE_ACTION_MODIFIED", Const, 0, ""},
+		{"FILE_ACTION_REMOVED", Const, 0, ""},
+		{"FILE_ACTION_RENAMED_NEW_NAME", Const, 0, ""},
+		{"FILE_ACTION_RENAMED_OLD_NAME", Const, 0, ""},
+		{"FILE_APPEND_DATA", Const, 0, ""},
+		{"FILE_ATTRIBUTE_ARCHIVE", Const, 0, ""},
+		{"FILE_ATTRIBUTE_DIRECTORY", Const, 0, ""},
+		{"FILE_ATTRIBUTE_HIDDEN", Const, 0, ""},
+		{"FILE_ATTRIBUTE_NORMAL", Const, 0, ""},
+		{"FILE_ATTRIBUTE_READONLY", Const, 0, ""},
+		{"FILE_ATTRIBUTE_REPARSE_POINT", Const, 4, ""},
+		{"FILE_ATTRIBUTE_SYSTEM", Const, 0, ""},
+		{"FILE_BEGIN", Const, 0, ""},
+		{"FILE_CURRENT", Const, 0, ""},
+		{"FILE_END", Const, 0, ""},
+		{"FILE_FLAG_BACKUP_SEMANTICS", Const, 0, ""},
+		{"FILE_FLAG_OPEN_REPARSE_POINT", Const, 4, ""},
+		{"FILE_FLAG_OVERLAPPED", Const, 0, ""},
+		{"FILE_LIST_DIRECTORY", Const, 0, ""},
+		{"FILE_MAP_COPY", Const, 0, ""},
+		{"FILE_MAP_EXECUTE", Const, 0, ""},
+		{"FILE_MAP_READ", Const, 0, ""},
+		{"FILE_MAP_WRITE", Const, 0, ""},
+		{"FILE_NOTIFY_CHANGE_ATTRIBUTES", Const, 0, ""},
+		{"FILE_NOTIFY_CHANGE_CREATION", Const, 0, ""},
+		{"FILE_NOTIFY_CHANGE_DIR_NAME", Const, 0, ""},
+		{"FILE_NOTIFY_CHANGE_FILE_NAME", Const, 0, ""},
+		{"FILE_NOTIFY_CHANGE_LAST_ACCESS", Const, 0, ""},
+		{"FILE_NOTIFY_CHANGE_LAST_WRITE", Const, 0, ""},
+		{"FILE_NOTIFY_CHANGE_SIZE", Const, 0, ""},
+		{"FILE_SHARE_DELETE", Const, 0, ""},
+		{"FILE_SHARE_READ", Const, 0, ""},
+		{"FILE_SHARE_WRITE", Const, 0, ""},
+		{"FILE_SKIP_COMPLETION_PORT_ON_SUCCESS", Const, 2, ""},
+		{"FILE_SKIP_SET_EVENT_ON_HANDLE", Const, 2, ""},
+		{"FILE_TYPE_CHAR", Const, 0, ""},
+		{"FILE_TYPE_DISK", Const, 0, ""},
+		{"FILE_TYPE_PIPE", Const, 0, ""},
+		{"FILE_TYPE_REMOTE", Const, 0, ""},
+		{"FILE_TYPE_UNKNOWN", Const, 0, ""},
+		{"FILE_WRITE_ATTRIBUTES", Const, 0, ""},
+		{"FLUSHO", Const, 0, ""},
+		{"FORMAT_MESSAGE_ALLOCATE_BUFFER", Const, 0, ""},
+		{"FORMAT_MESSAGE_ARGUMENT_ARRAY", Const, 0, ""},
+		{"FORMAT_MESSAGE_FROM_HMODULE", Const, 0, ""},
+		{"FORMAT_MESSAGE_FROM_STRING", Const, 0, ""},
+		{"FORMAT_MESSAGE_FROM_SYSTEM", Const, 0, ""},
+		{"FORMAT_MESSAGE_IGNORE_INSERTS", Const, 0, ""},
+		{"FORMAT_MESSAGE_MAX_WIDTH_MASK", Const, 0, ""},
+		{"FSCTL_GET_REPARSE_POINT", Const, 4, ""},
+		{"F_ADDFILESIGS", Const, 0, ""},
+		{"F_ADDSIGS", Const, 0, ""},
+		{"F_ALLOCATEALL", Const, 0, ""},
+		{"F_ALLOCATECONTIG", Const, 0, ""},
+		{"F_CANCEL", Const, 0, ""},
+		{"F_CHKCLEAN", Const, 0, ""},
+		{"F_CLOSEM", Const, 1, ""},
+		{"F_DUP2FD", Const, 0, ""},
+		{"F_DUP2FD_CLOEXEC", Const, 1, ""},
+		{"F_DUPFD", Const, 0, ""},
+		{"F_DUPFD_CLOEXEC", Const, 0, ""},
+		{"F_EXLCK", Const, 0, ""},
+		{"F_FINDSIGS", Const, 16, ""},
+		{"F_FLUSH_DATA", Const, 0, ""},
+		{"F_FREEZE_FS", Const, 0, ""},
+		{"F_FSCTL", Const, 1, ""},
+		{"F_FSDIRMASK", Const, 1, ""},
+		{"F_FSIN", Const, 1, ""},
+		{"F_FSINOUT", Const, 1, ""},
+		{"F_FSOUT", Const, 1, ""},
+		{"F_FSPRIV", Const, 1, ""},
+		{"F_FSVOID", Const, 1, ""},
+		{"F_FULLFSYNC", Const, 0, ""},
+		{"F_GETCODEDIR", Const, 16, ""},
+		{"F_GETFD", Const, 0, ""},
+		{"F_GETFL", Const, 0, ""},
+		{"F_GETLEASE", Const, 0, ""},
+		{"F_GETLK", Const, 0, ""},
+		{"F_GETLK64", Const, 0, ""},
+		{"F_GETLKPID", Const, 0, ""},
+		{"F_GETNOSIGPIPE", Const, 0, ""},
+		{"F_GETOWN", Const, 0, ""},
+		{"F_GETOWN_EX", Const, 0, ""},
+		{"F_GETPATH", Const, 0, ""},
+		{"F_GETPATH_MTMINFO", Const, 0, ""},
+		{"F_GETPIPE_SZ", Const, 0, ""},
+		{"F_GETPROTECTIONCLASS", Const, 0, ""},
+		{"F_GETPROTECTIONLEVEL", Const, 16, ""},
+		{"F_GETSIG", Const, 0, ""},
+		{"F_GLOBAL_NOCACHE", Const, 0, ""},
+		{"F_LOCK", Const, 0, ""},
+		{"F_LOG2PHYS", Const, 0, ""},
+		{"F_LOG2PHYS_EXT", Const, 0, ""},
+		{"F_MARKDEPENDENCY", Const, 0, ""},
+		{"F_MAXFD", Const, 1, ""},
+		{"F_NOCACHE", Const, 0, ""},
+		{"F_NODIRECT", Const, 0, ""},
+		{"F_NOTIFY", Const, 0, ""},
+		{"F_OGETLK", Const, 0, ""},
+		{"F_OK", Const, 0, ""},
+		{"F_OSETLK", Const, 0, ""},
+		{"F_OSETLKW", Const, 0, ""},
+		{"F_PARAM_MASK", Const, 1, ""},
+		{"F_PARAM_MAX", Const, 1, ""},
+		{"F_PATHPKG_CHECK", Const, 0, ""},
+		{"F_PEOFPOSMODE", Const, 0, ""},
+		{"F_PREALLOCATE", Const, 0, ""},
+		{"F_RDADVISE", Const, 0, ""},
+		{"F_RDAHEAD", Const, 0, ""},
+		{"F_RDLCK", Const, 0, ""},
+		{"F_READAHEAD", Const, 0, ""},
+		{"F_READBOOTSTRAP", Const, 0, ""},
+		{"F_SETBACKINGSTORE", Const, 0, ""},
+		{"F_SETFD", Const, 0, ""},
+		{"F_SETFL", Const, 0, ""},
+		{"F_SETLEASE", Const, 0, ""},
+		{"F_SETLK", Const, 0, ""},
+		{"F_SETLK64", Const, 0, ""},
+		{"F_SETLKW", Const, 0, ""},
+		{"F_SETLKW64", Const, 0, ""},
+		{"F_SETLKWTIMEOUT", Const, 16, ""},
+		{"F_SETLK_REMOTE", Const, 0, ""},
+		{"F_SETNOSIGPIPE", Const, 0, ""},
+		{"F_SETOWN", Const, 0, ""},
+		{"F_SETOWN_EX", Const, 0, ""},
+		{"F_SETPIPE_SZ", Const, 0, ""},
+		{"F_SETPROTECTIONCLASS", Const, 0, ""},
+		{"F_SETSIG", Const, 0, ""},
+		{"F_SETSIZE", Const, 0, ""},
+		{"F_SHLCK", Const, 0, ""},
+		{"F_SINGLE_WRITER", Const, 16, ""},
+		{"F_TEST", Const, 0, ""},
+		{"F_THAW_FS", Const, 0, ""},
+		{"F_TLOCK", Const, 0, ""},
+		{"F_TRANSCODEKEY", Const, 16, ""},
+		{"F_ULOCK", Const, 0, ""},
+		{"F_UNLCK", Const, 0, ""},
+		{"F_UNLCKSYS", Const, 0, ""},
+		{"F_VOLPOSMODE", Const, 0, ""},
+		{"F_WRITEBOOTSTRAP", Const, 0, ""},
+		{"F_WRLCK", Const, 0, ""},
+		{"Faccessat", Func, 0, "func(dirfd int, path string, mode uint32, flags int) (err error)"},
+		{"Fallocate", Func, 0, "func(fd int, mode uint32, off int64, len int64) (err error)"},
+		{"Fbootstraptransfer_t", Type, 0, ""},
+		{"Fbootstraptransfer_t.Buffer", Field, 0, ""},
+		{"Fbootstraptransfer_t.Length", Field, 0, ""},
+		{"Fbootstraptransfer_t.Offset", Field, 0, ""},
+		{"Fchdir", Func, 0, "func(fd int) (err error)"},
+		{"Fchflags", Func, 0, ""},
+		{"Fchmod", Func, 0, "func(fd int, mode uint32) (err error)"},
+		{"Fchmodat", Func, 0, "func(dirfd int, path string, mode uint32, flags int) error"},
+		{"Fchown", Func, 0, "func(fd int, uid int, gid int) (err error)"},
+		{"Fchownat", Func, 0, "func(dirfd int, path string, uid int, gid int, flags int) (err error)"},
+		{"FcntlFlock", Func, 3, "func(fd uintptr, cmd int, lk *Flock_t) error"},
+		{"FdSet", Type, 0, ""},
+		{"FdSet.Bits", Field, 0, ""},
+		{"FdSet.X__fds_bits", Field, 0, ""},
+		{"Fdatasync", Func, 0, "func(fd int) (err error)"},
+		{"FileNotifyInformation", Type, 0, ""},
+		{"FileNotifyInformation.Action", Field, 0, ""},
+		{"FileNotifyInformation.FileName", Field, 0, ""},
+		{"FileNotifyInformation.FileNameLength", Field, 0, ""},
+		{"FileNotifyInformation.NextEntryOffset", Field, 0, ""},
+		{"Filetime", Type, 0, ""},
+		{"Filetime.HighDateTime", Field, 0, ""},
+		{"Filetime.LowDateTime", Field, 0, ""},
+		{"FindClose", Func, 0, ""},
+		{"FindFirstFile", Func, 0, ""},
+		{"FindNextFile", Func, 0, ""},
+		{"Flock", Func, 0, "func(fd int, how int) (err error)"},
+		{"Flock_t", Type, 0, ""},
+		{"Flock_t.Len", Field, 0, ""},
+		{"Flock_t.Pad_cgo_0", Field, 0, ""},
+		{"Flock_t.Pad_cgo_1", Field, 3, ""},
+		{"Flock_t.Pid", Field, 0, ""},
+		{"Flock_t.Start", Field, 0, ""},
+		{"Flock_t.Sysid", Field, 0, ""},
+		{"Flock_t.Type", Field, 0, ""},
+		{"Flock_t.Whence", Field, 0, ""},
+		{"FlushBpf", Func, 0, ""},
+		{"FlushFileBuffers", Func, 0, ""},
+		{"FlushViewOfFile", Func, 0, ""},
+		{"ForkExec", Func, 0, "func(argv0 string, argv []string, attr *ProcAttr) (pid int, err error)"},
+		{"ForkLock", Var, 0, ""},
+		{"FormatMessage", Func, 0, ""},
+		{"Fpathconf", Func, 0, ""},
+		{"FreeAddrInfoW", Func, 1, ""},
+		{"FreeEnvironmentStrings", Func, 0, ""},
+		{"FreeLibrary", Func, 0, ""},
+		{"Fsid", Type, 0, ""},
+		{"Fsid.Val", Field, 0, ""},
+		{"Fsid.X__fsid_val", Field, 2, ""},
+		{"Fsid.X__val", Field, 0, ""},
+		{"Fstat", Func, 0, "func(fd int, stat *Stat_t) (err error)"},
+		{"Fstatat", Func, 12, ""},
+		{"Fstatfs", Func, 0, "func(fd int, buf *Statfs_t) (err error)"},
+		{"Fstore_t", Type, 0, ""},
+		{"Fstore_t.Bytesalloc", Field, 0, ""},
+		{"Fstore_t.Flags", Field, 0, ""},
+		{"Fstore_t.Length", Field, 0, ""},
+		{"Fstore_t.Offset", Field, 0, ""},
+		{"Fstore_t.Posmode", Field, 0, ""},
+		{"Fsync", Func, 0, "func(fd int) (err error)"},
+		{"Ftruncate", Func, 0, "func(fd int, length int64) (err error)"},
+		{"FullPath", Func, 4, ""},
+		{"Futimes", Func, 0, "func(fd int, tv []Timeval) (err error)"},
+		{"Futimesat", Func, 0, "func(dirfd int, path string, tv []Timeval) (err error)"},
+		{"GENERIC_ALL", Const, 0, ""},
+		{"GENERIC_EXECUTE", Const, 0, ""},
+		{"GENERIC_READ", Const, 0, ""},
+		{"GENERIC_WRITE", Const, 0, ""},
+		{"GUID", Type, 1, ""},
+		{"GUID.Data1", Field, 1, ""},
+		{"GUID.Data2", Field, 1, ""},
+		{"GUID.Data3", Field, 1, ""},
+		{"GUID.Data4", Field, 1, ""},
+		{"GetAcceptExSockaddrs", Func, 0, ""},
+		{"GetAdaptersInfo", Func, 0, ""},
+		{"GetAddrInfoW", Func, 1, ""},
+		{"GetCommandLine", Func, 0, ""},
+		{"GetComputerName", Func, 0, ""},
+		{"GetConsoleMode", Func, 1, ""},
+		{"GetCurrentDirectory", Func, 0, ""},
+		{"GetCurrentProcess", Func, 0, ""},
+		{"GetEnvironmentStrings", Func, 0, ""},
+		{"GetEnvironmentVariable", Func, 0, ""},
+		{"GetExitCodeProcess", Func, 0, ""},
+		{"GetFileAttributes", Func, 0, ""},
+		{"GetFileAttributesEx", Func, 0, ""},
+		{"GetFileExInfoStandard", Const, 0, ""},
+		{"GetFileExMaxInfoLevel", Const, 0, ""},
+		{"GetFileInformationByHandle", Func, 0, ""},
+		{"GetFileType", Func, 0, ""},
+		{"GetFullPathName", Func, 0, ""},
+		{"GetHostByName", Func, 0, ""},
+		{"GetIfEntry", Func, 0, ""},
+		{"GetLastError", Func, 0, ""},
+		{"GetLengthSid", Func, 0, ""},
+		{"GetLongPathName", Func, 0, ""},
+		{"GetProcAddress", Func, 0, ""},
+		{"GetProcessTimes", Func, 0, ""},
+		{"GetProtoByName", Func, 0, ""},
+		{"GetQueuedCompletionStatus", Func, 0, ""},
+		{"GetServByName", Func, 0, ""},
+		{"GetShortPathName", Func, 0, ""},
+		{"GetStartupInfo", Func, 0, ""},
+		{"GetStdHandle", Func, 0, ""},
+		{"GetSystemTimeAsFileTime", Func, 0, ""},
+		{"GetTempPath", Func, 0, ""},
+		{"GetTimeZoneInformation", Func, 0, ""},
+		{"GetTokenInformation", Func, 0, ""},
+		{"GetUserNameEx", Func, 0, ""},
+		{"GetUserProfileDirectory", Func, 0, ""},
+		{"GetVersion", Func, 0, ""},
+		{"Getcwd", Func, 0, "func(buf []byte) (n int, err error)"},
+		{"Getdents", Func, 0, "func(fd int, buf []byte) (n int, err error)"},
+		{"Getdirentries", Func, 0, ""},
+		{"Getdtablesize", Func, 0, ""},
+		{"Getegid", Func, 0, "func() (egid int)"},
+		{"Getenv", Func, 0, "func(key string) (value string, found bool)"},
+		{"Geteuid", Func, 0, "func() (euid int)"},
+		{"Getfsstat", Func, 0, ""},
+		{"Getgid", Func, 0, "func() (gid int)"},
+		{"Getgroups", Func, 0, "func() (gids []int, err error)"},
+		{"Getpagesize", Func, 0, "func() int"},
+		{"Getpeername", Func, 0, "func(fd int) (sa Sockaddr, err error)"},
+		{"Getpgid", Func, 0, "func(pid int) (pgid int, err error)"},
+		{"Getpgrp", Func, 0, "func() (pid int)"},
+		{"Getpid", Func, 0, "func() (pid int)"},
+		{"Getppid", Func, 0, "func() (ppid int)"},
+		{"Getpriority", Func, 0, "func(which int, who int) (prio int, err error)"},
+		{"Getrlimit", Func, 0, "func(resource int, rlim *Rlimit) (err error)"},
+		{"Getrusage", Func, 0, "func(who int, rusage *Rusage) (err error)"},
+		{"Getsid", Func, 0, ""},
+		{"Getsockname", Func, 0, "func(fd int) (sa Sockaddr, err error)"},
+		{"Getsockopt", Func, 1, ""},
+		{"GetsockoptByte", Func, 0, ""},
+		{"GetsockoptICMPv6Filter", Func, 2, "func(fd int, level int, opt int) (*ICMPv6Filter, error)"},
+		{"GetsockoptIPMreq", Func, 0, "func(fd int, level int, opt int) (*IPMreq, error)"},
+		{"GetsockoptIPMreqn", Func, 0, "func(fd int, level int, opt int) (*IPMreqn, error)"},
+		{"GetsockoptIPv6MTUInfo", Func, 2, "func(fd int, level int, opt int) (*IPv6MTUInfo, error)"},
+		{"GetsockoptIPv6Mreq", Func, 0, "func(fd int, level int, opt int) (*IPv6Mreq, error)"},
+		{"GetsockoptInet4Addr", Func, 0, "func(fd int, level int, opt int) (value [4]byte, err error)"},
+		{"GetsockoptInt", Func, 0, "func(fd int, level int, opt int) (value int, err error)"},
+		{"GetsockoptUcred", Func, 1, "func(fd int, level int, opt int) (*Ucred, error)"},
+		{"Gettid", Func, 0, "func() (tid int)"},
+		{"Gettimeofday", Func, 0, "func(tv *Timeval) (err error)"},
+		{"Getuid", Func, 0, "func() (uid int)"},
+		{"Getwd", Func, 0, "func() (wd string, err error)"},
+		{"Getxattr", Func, 1, "func(path string, attr string, dest []byte) (sz int, err error)"},
+		{"HANDLE_FLAG_INHERIT", Const, 0, ""},
+		{"HKEY_CLASSES_ROOT", Const, 0, ""},
+		{"HKEY_CURRENT_CONFIG", Const, 0, ""},
+		{"HKEY_CURRENT_USER", Const, 0, ""},
+		{"HKEY_DYN_DATA", Const, 0, ""},
+		{"HKEY_LOCAL_MACHINE", Const, 0, ""},
+		{"HKEY_PERFORMANCE_DATA", Const, 0, ""},
+		{"HKEY_USERS", Const, 0, ""},
+		{"HUPCL", Const, 0, ""},
+		{"Handle", Type, 0, ""},
+		{"Hostent", Type, 0, ""},
+		{"Hostent.AddrList", Field, 0, ""},
+		{"Hostent.AddrType", Field, 0, ""},
+		{"Hostent.Aliases", Field, 0, ""},
+		{"Hostent.Length", Field, 0, ""},
+		{"Hostent.Name", Field, 0, ""},
+		{"ICANON", Const, 0, ""},
+		{"ICMP6_FILTER", Const, 2, ""},
+		{"ICMPV6_FILTER", Const, 2, ""},
+		{"ICMPv6Filter", Type, 2, ""},
+		{"ICMPv6Filter.Data", Field, 2, ""},
+		{"ICMPv6Filter.Filt", Field, 2, ""},
+		{"ICRNL", Const, 0, ""},
+		{"IEXTEN", Const, 0, ""},
+		{"IFAN_ARRIVAL", Const, 1, ""},
+		{"IFAN_DEPARTURE", Const, 1, ""},
+		{"IFA_ADDRESS", Const, 0, ""},
+		{"IFA_ANYCAST", Const, 0, ""},
+		{"IFA_BROADCAST", Const, 0, ""},
+		{"IFA_CACHEINFO", Const, 0, ""},
+		{"IFA_F_DADFAILED", Const, 0, ""},
+		{"IFA_F_DEPRECATED", Const, 0, ""},
+		{"IFA_F_HOMEADDRESS", Const, 0, ""},
+		{"IFA_F_NODAD", Const, 0, ""},
+		{"IFA_F_OPTIMISTIC", Const, 0, ""},
+		{"IFA_F_PERMANENT", Const, 0, ""},
+		{"IFA_F_SECONDARY", Const, 0, ""},
+		{"IFA_F_TEMPORARY", Const, 0, ""},
+		{"IFA_F_TENTATIVE", Const, 0, ""},
+		{"IFA_LABEL", Const, 0, ""},
+		{"IFA_LOCAL", Const, 0, ""},
+		{"IFA_MAX", Const, 0, ""},
+		{"IFA_MULTICAST", Const, 0, ""},
+		{"IFA_ROUTE", Const, 1, ""},
+		{"IFA_UNSPEC", Const, 0, ""},
+		{"IFF_ALLMULTI", Const, 0, ""},
+		{"IFF_ALTPHYS", Const, 0, ""},
+		{"IFF_AUTOMEDIA", Const, 0, ""},
+		{"IFF_BROADCAST", Const, 0, ""},
+		{"IFF_CANTCHANGE", Const, 0, ""},
+		{"IFF_CANTCONFIG", Const, 1, ""},
+		{"IFF_DEBUG", Const, 0, ""},
+		{"IFF_DRV_OACTIVE", Const, 0, ""},
+		{"IFF_DRV_RUNNING", Const, 0, ""},
+		{"IFF_DYING", Const, 0, ""},
+		{"IFF_DYNAMIC", Const, 0, ""},
+		{"IFF_LINK0", Const, 0, ""},
+		{"IFF_LINK1", Const, 0, ""},
+		{"IFF_LINK2", Const, 0, ""},
+		{"IFF_LOOPBACK", Const, 0, ""},
+		{"IFF_MASTER", Const, 0, ""},
+		{"IFF_MONITOR", Const, 0, ""},
+		{"IFF_MULTICAST", Const, 0, ""},
+		{"IFF_NOARP", Const, 0, ""},
+		{"IFF_NOTRAILERS", Const, 0, ""},
+		{"IFF_NO_PI", Const, 0, ""},
+		{"IFF_OACTIVE", Const, 0, ""},
+		{"IFF_ONE_QUEUE", Const, 0, ""},
+		{"IFF_POINTOPOINT", Const, 0, ""},
+		{"IFF_POINTTOPOINT", Const, 0, ""},
+		{"IFF_PORTSEL", Const, 0, ""},
+		{"IFF_PPROMISC", Const, 0, ""},
+		{"IFF_PROMISC", Const, 0, ""},
+		{"IFF_RENAMING", Const, 0, ""},
+		{"IFF_RUNNING", Const, 0, ""},
+		{"IFF_SIMPLEX", Const, 0, ""},
+		{"IFF_SLAVE", Const, 0, ""},
+		{"IFF_SMART", Const, 0, ""},
+		{"IFF_STATICARP", Const, 0, ""},
+		{"IFF_TAP", Const, 0, ""},
+		{"IFF_TUN", Const, 0, ""},
+		{"IFF_TUN_EXCL", Const, 0, ""},
+		{"IFF_UP", Const, 0, ""},
+		{"IFF_VNET_HDR", Const, 0, ""},
+		{"IFLA_ADDRESS", Const, 0, ""},
+		{"IFLA_BROADCAST", Const, 0, ""},
+		{"IFLA_COST", Const, 0, ""},
+		{"IFLA_IFALIAS", Const, 0, ""},
+		{"IFLA_IFNAME", Const, 0, ""},
+		{"IFLA_LINK", Const, 0, ""},
+		{"IFLA_LINKINFO", Const, 0, ""},
+		{"IFLA_LINKMODE", Const, 0, ""},
+		{"IFLA_MAP", Const, 0, ""},
+		{"IFLA_MASTER", Const, 0, ""},
+		{"IFLA_MAX", Const, 0, ""},
+		{"IFLA_MTU", Const, 0, ""},
+		{"IFLA_NET_NS_PID", Const, 0, ""},
+		{"IFLA_OPERSTATE", Const, 0, ""},
+		{"IFLA_PRIORITY", Const, 0, ""},
+		{"IFLA_PROTINFO", Const, 0, ""},
+		{"IFLA_QDISC", Const, 0, ""},
+		{"IFLA_STATS", Const, 0, ""},
+		{"IFLA_TXQLEN", Const, 0, ""},
+		{"IFLA_UNSPEC", Const, 0, ""},
+		{"IFLA_WEIGHT", Const, 0, ""},
+		{"IFLA_WIRELESS", Const, 0, ""},
+		{"IFNAMSIZ", Const, 0, ""},
+		{"IFT_1822", Const, 0, ""},
+		{"IFT_A12MPPSWITCH", Const, 0, ""},
+		{"IFT_AAL2", Const, 0, ""},
+		{"IFT_AAL5", Const, 0, ""},
+		{"IFT_ADSL", Const, 0, ""},
+		{"IFT_AFLANE8023", Const, 0, ""},
+		{"IFT_AFLANE8025", Const, 0, ""},
+		{"IFT_ARAP", Const, 0, ""},
+		{"IFT_ARCNET", Const, 0, ""},
+		{"IFT_ARCNETPLUS", Const, 0, ""},
+		{"IFT_ASYNC", Const, 0, ""},
+		{"IFT_ATM", Const, 0, ""},
+		{"IFT_ATMDXI", Const, 0, ""},
+		{"IFT_ATMFUNI", Const, 0, ""},
+		{"IFT_ATMIMA", Const, 0, ""},
+		{"IFT_ATMLOGICAL", Const, 0, ""},
+		{"IFT_ATMRADIO", Const, 0, ""},
+		{"IFT_ATMSUBINTERFACE", Const, 0, ""},
+		{"IFT_ATMVCIENDPT", Const, 0, ""},
+		{"IFT_ATMVIRTUAL", Const, 0, ""},
+		{"IFT_BGPPOLICYACCOUNTING", Const, 0, ""},
+		{"IFT_BLUETOOTH", Const, 1, ""},
+		{"IFT_BRIDGE", Const, 0, ""},
+		{"IFT_BSC", Const, 0, ""},
+		{"IFT_CARP", Const, 0, ""},
+		{"IFT_CCTEMUL", Const, 0, ""},
+		{"IFT_CELLULAR", Const, 0, ""},
+		{"IFT_CEPT", Const, 0, ""},
+		{"IFT_CES", Const, 0, ""},
+		{"IFT_CHANNEL", Const, 0, ""},
+		{"IFT_CNR", Const, 0, ""},
+		{"IFT_COFFEE", Const, 0, ""},
+		{"IFT_COMPOSITELINK", Const, 0, ""},
+		{"IFT_DCN", Const, 0, ""},
+		{"IFT_DIGITALPOWERLINE", Const, 0, ""},
+		{"IFT_DIGITALWRAPPEROVERHEADCHANNEL", Const, 0, ""},
+		{"IFT_DLSW", Const, 0, ""},
+		{"IFT_DOCSCABLEDOWNSTREAM", Const, 0, ""},
+		{"IFT_DOCSCABLEMACLAYER", Const, 0, ""},
+		{"IFT_DOCSCABLEUPSTREAM", Const, 0, ""},
+		{"IFT_DOCSCABLEUPSTREAMCHANNEL", Const, 1, ""},
+		{"IFT_DS0", Const, 0, ""},
+		{"IFT_DS0BUNDLE", Const, 0, ""},
+		{"IFT_DS1FDL", Const, 0, ""},
+		{"IFT_DS3", Const, 0, ""},
+		{"IFT_DTM", Const, 0, ""},
+		{"IFT_DUMMY", Const, 1, ""},
+		{"IFT_DVBASILN", Const, 0, ""},
+		{"IFT_DVBASIOUT", Const, 0, ""},
+		{"IFT_DVBRCCDOWNSTREAM", Const, 0, ""},
+		{"IFT_DVBRCCMACLAYER", Const, 0, ""},
+		{"IFT_DVBRCCUPSTREAM", Const, 0, ""},
+		{"IFT_ECONET", Const, 1, ""},
+		{"IFT_ENC", Const, 0, ""},
+		{"IFT_EON", Const, 0, ""},
+		{"IFT_EPLRS", Const, 0, ""},
+		{"IFT_ESCON", Const, 0, ""},
+		{"IFT_ETHER", Const, 0, ""},
+		{"IFT_FAITH", Const, 0, ""},
+		{"IFT_FAST", Const, 0, ""},
+		{"IFT_FASTETHER", Const, 0, ""},
+		{"IFT_FASTETHERFX", Const, 0, ""},
+		{"IFT_FDDI", Const, 0, ""},
+		{"IFT_FIBRECHANNEL", Const, 0, ""},
+		{"IFT_FRAMERELAYINTERCONNECT", Const, 0, ""},
+		{"IFT_FRAMERELAYMPI", Const, 0, ""},
+		{"IFT_FRDLCIENDPT", Const, 0, ""},
+		{"IFT_FRELAY", Const, 0, ""},
+		{"IFT_FRELAYDCE", Const, 0, ""},
+		{"IFT_FRF16MFRBUNDLE", Const, 0, ""},
+		{"IFT_FRFORWARD", Const, 0, ""},
+		{"IFT_G703AT2MB", Const, 0, ""},
+		{"IFT_G703AT64K", Const, 0, ""},
+		{"IFT_GIF", Const, 0, ""},
+		{"IFT_GIGABITETHERNET", Const, 0, ""},
+		{"IFT_GR303IDT", Const, 0, ""},
+		{"IFT_GR303RDT", Const, 0, ""},
+		{"IFT_H323GATEKEEPER", Const, 0, ""},
+		{"IFT_H323PROXY", Const, 0, ""},
+		{"IFT_HDH1822", Const, 0, ""},
+		{"IFT_HDLC", Const, 0, ""},
+		{"IFT_HDSL2", Const, 0, ""},
+		{"IFT_HIPERLAN2", Const, 0, ""},
+		{"IFT_HIPPI", Const, 0, ""},
+		{"IFT_HIPPIINTERFACE", Const, 0, ""},
+		{"IFT_HOSTPAD", Const, 0, ""},
+		{"IFT_HSSI", Const, 0, ""},
+		{"IFT_HY", Const, 0, ""},
+		{"IFT_IBM370PARCHAN", Const, 0, ""},
+		{"IFT_IDSL", Const, 0, ""},
+		{"IFT_IEEE1394", Const, 0, ""},
+		{"IFT_IEEE80211", Const, 0, ""},
+		{"IFT_IEEE80212", Const, 0, ""},
+		{"IFT_IEEE8023ADLAG", Const, 0, ""},
+		{"IFT_IFGSN", Const, 0, ""},
+		{"IFT_IMT", Const, 0, ""},
+		{"IFT_INFINIBAND", Const, 1, ""},
+		{"IFT_INTERLEAVE", Const, 0, ""},
+		{"IFT_IP", Const, 0, ""},
+		{"IFT_IPFORWARD", Const, 0, ""},
+		{"IFT_IPOVERATM", Const, 0, ""},
+		{"IFT_IPOVERCDLC", Const, 0, ""},
+		{"IFT_IPOVERCLAW", Const, 0, ""},
+		{"IFT_IPSWITCH", Const, 0, ""},
+		{"IFT_IPXIP", Const, 0, ""},
+		{"IFT_ISDN", Const, 0, ""},
+		{"IFT_ISDNBASIC", Const, 0, ""},
+		{"IFT_ISDNPRIMARY", Const, 0, ""},
+		{"IFT_ISDNS", Const, 0, ""},
+		{"IFT_ISDNU", Const, 0, ""},
+		{"IFT_ISO88022LLC", Const, 0, ""},
+		{"IFT_ISO88023", Const, 0, ""},
+		{"IFT_ISO88024", Const, 0, ""},
+		{"IFT_ISO88025", Const, 0, ""},
+		{"IFT_ISO88025CRFPINT", Const, 0, ""},
+		{"IFT_ISO88025DTR", Const, 0, ""},
+		{"IFT_ISO88025FIBER", Const, 0, ""},
+		{"IFT_ISO88026", Const, 0, ""},
+		{"IFT_ISUP", Const, 0, ""},
+		{"IFT_L2VLAN", Const, 0, ""},
+		{"IFT_L3IPVLAN", Const, 0, ""},
+		{"IFT_L3IPXVLAN", Const, 0, ""},
+		{"IFT_LAPB", Const, 0, ""},
+		{"IFT_LAPD", Const, 0, ""},
+		{"IFT_LAPF", Const, 0, ""},
+		{"IFT_LINEGROUP", Const, 1, ""},
+		{"IFT_LOCALTALK", Const, 0, ""},
+		{"IFT_LOOP", Const, 0, ""},
+		{"IFT_MEDIAMAILOVERIP", Const, 0, ""},
+		{"IFT_MFSIGLINK", Const, 0, ""},
+		{"IFT_MIOX25", Const, 0, ""},
+		{"IFT_MODEM", Const, 0, ""},
+		{"IFT_MPC", Const, 0, ""},
+		{"IFT_MPLS", Const, 0, ""},
+		{"IFT_MPLSTUNNEL", Const, 0, ""},
+		{"IFT_MSDSL", Const, 0, ""},
+		{"IFT_MVL", Const, 0, ""},
+		{"IFT_MYRINET", Const, 0, ""},
+		{"IFT_NFAS", Const, 0, ""},
+		{"IFT_NSIP", Const, 0, ""},
+		{"IFT_OPTICALCHANNEL", Const, 0, ""},
+		{"IFT_OPTICALTRANSPORT", Const, 0, ""},
+		{"IFT_OTHER", Const, 0, ""},
+		{"IFT_P10", Const, 0, ""},
+		{"IFT_P80", Const, 0, ""},
+		{"IFT_PARA", Const, 0, ""},
+		{"IFT_PDP", Const, 0, ""},
+		{"IFT_PFLOG", Const, 0, ""},
+		{"IFT_PFLOW", Const, 1, ""},
+		{"IFT_PFSYNC", Const, 0, ""},
+		{"IFT_PLC", Const, 0, ""},
+		{"IFT_PON155", Const, 1, ""},
+		{"IFT_PON622", Const, 1, ""},
+		{"IFT_POS", Const, 0, ""},
+		{"IFT_PPP", Const, 0, ""},
+		{"IFT_PPPMULTILINKBUNDLE", Const, 0, ""},
+		{"IFT_PROPATM", Const, 1, ""},
+		{"IFT_PROPBWAP2MP", Const, 0, ""},
+		{"IFT_PROPCNLS", Const, 0, ""},
+		{"IFT_PROPDOCSWIRELESSDOWNSTREAM", Const, 0, ""},
+		{"IFT_PROPDOCSWIRELESSMACLAYER", Const, 0, ""},
+		{"IFT_PROPDOCSWIRELESSUPSTREAM", Const, 0, ""},
+		{"IFT_PROPMUX", Const, 0, ""},
+		{"IFT_PROPVIRTUAL", Const, 0, ""},
+		{"IFT_PROPWIRELESSP2P", Const, 0, ""},
+		{"IFT_PTPSERIAL", Const, 0, ""},
+		{"IFT_PVC", Const, 0, ""},
+		{"IFT_Q2931", Const, 1, ""},
+		{"IFT_QLLC", Const, 0, ""},
+		{"IFT_RADIOMAC", Const, 0, ""},
+		{"IFT_RADSL", Const, 0, ""},
+		{"IFT_REACHDSL", Const, 0, ""},
+		{"IFT_RFC1483", Const, 0, ""},
+		{"IFT_RS232", Const, 0, ""},
+		{"IFT_RSRB", Const, 0, ""},
+		{"IFT_SDLC", Const, 0, ""},
+		{"IFT_SDSL", Const, 0, ""},
+		{"IFT_SHDSL", Const, 0, ""},
+		{"IFT_SIP", Const, 0, ""},
+		{"IFT_SIPSIG", Const, 1, ""},
+		{"IFT_SIPTG", Const, 1, ""},
+		{"IFT_SLIP", Const, 0, ""},
+		{"IFT_SMDSDXI", Const, 0, ""},
+		{"IFT_SMDSICIP", Const, 0, ""},
+		{"IFT_SONET", Const, 0, ""},
+		{"IFT_SONETOVERHEADCHANNEL", Const, 0, ""},
+		{"IFT_SONETPATH", Const, 0, ""},
+		{"IFT_SONETVT", Const, 0, ""},
+		{"IFT_SRP", Const, 0, ""},
+		{"IFT_SS7SIGLINK", Const, 0, ""},
+		{"IFT_STACKTOSTACK", Const, 0, ""},
+		{"IFT_STARLAN", Const, 0, ""},
+		{"IFT_STF", Const, 0, ""},
+		{"IFT_T1", Const, 0, ""},
+		{"IFT_TDLC", Const, 0, ""},
+		{"IFT_TELINK", Const, 1, ""},
+		{"IFT_TERMPAD", Const, 0, ""},
+		{"IFT_TR008", Const, 0, ""},
+		{"IFT_TRANSPHDLC", Const, 0, ""},
+		{"IFT_TUNNEL", Const, 0, ""},
+		{"IFT_ULTRA", Const, 0, ""},
+		{"IFT_USB", Const, 0, ""},
+		{"IFT_V11", Const, 0, ""},
+		{"IFT_V35", Const, 0, ""},
+		{"IFT_V36", Const, 0, ""},
+		{"IFT_V37", Const, 0, ""},
+		{"IFT_VDSL", Const, 0, ""},
+		{"IFT_VIRTUALIPADDRESS", Const, 0, ""},
+		{"IFT_VIRTUALTG", Const, 1, ""},
+		{"IFT_VOICEDID", Const, 1, ""},
+		{"IFT_VOICEEM", Const, 0, ""},
+		{"IFT_VOICEEMFGD", Const, 1, ""},
+		{"IFT_VOICEENCAP", Const, 0, ""},
+		{"IFT_VOICEFGDEANA", Const, 1, ""},
+		{"IFT_VOICEFXO", Const, 0, ""},
+		{"IFT_VOICEFXS", Const, 0, ""},
+		{"IFT_VOICEOVERATM", Const, 0, ""},
+		{"IFT_VOICEOVERCABLE", Const, 1, ""},
+		{"IFT_VOICEOVERFRAMERELAY", Const, 0, ""},
+		{"IFT_VOICEOVERIP", Const, 0, ""},
+		{"IFT_X213", Const, 0, ""},
+		{"IFT_X25", Const, 0, ""},
+		{"IFT_X25DDN", Const, 0, ""},
+		{"IFT_X25HUNTGROUP", Const, 0, ""},
+		{"IFT_X25MLP", Const, 0, ""},
+		{"IFT_X25PLE", Const, 0, ""},
+		{"IFT_XETHER", Const, 0, ""},
+		{"IGNBRK", Const, 0, ""},
+		{"IGNCR", Const, 0, ""},
+		{"IGNORE", Const, 0, ""},
+		{"IGNPAR", Const, 0, ""},
+		{"IMAXBEL", Const, 0, ""},
+		{"INFINITE", Const, 0, ""},
+		{"INLCR", Const, 0, ""},
+		{"INPCK", Const, 0, ""},
+		{"INVALID_FILE_ATTRIBUTES", Const, 0, ""},
+		{"IN_ACCESS", Const, 0, ""},
+		{"IN_ALL_EVENTS", Const, 0, ""},
+		{"IN_ATTRIB", Const, 0, ""},
+		{"IN_CLASSA_HOST", Const, 0, ""},
+		{"IN_CLASSA_MAX", Const, 0, ""},
+		{"IN_CLASSA_NET", Const, 0, ""},
+		{"IN_CLASSA_NSHIFT", Const, 0, ""},
+		{"IN_CLASSB_HOST", Const, 0, ""},
+		{"IN_CLASSB_MAX", Const, 0, ""},
+		{"IN_CLASSB_NET", Const, 0, ""},
+		{"IN_CLASSB_NSHIFT", Const, 0, ""},
+		{"IN_CLASSC_HOST", Const, 0, ""},
+		{"IN_CLASSC_NET", Const, 0, ""},
+		{"IN_CLASSC_NSHIFT", Const, 0, ""},
+		{"IN_CLASSD_HOST", Const, 0, ""},
+		{"IN_CLASSD_NET", Const, 0, ""},
+		{"IN_CLASSD_NSHIFT", Const, 0, ""},
+		{"IN_CLOEXEC", Const, 0, ""},
+		{"IN_CLOSE", Const, 0, ""},
+		{"IN_CLOSE_NOWRITE", Const, 0, ""},
+		{"IN_CLOSE_WRITE", Const, 0, ""},
+		{"IN_CREATE", Const, 0, ""},
+		{"IN_DELETE", Const, 0, ""},
+		{"IN_DELETE_SELF", Const, 0, ""},
+		{"IN_DONT_FOLLOW", Const, 0, ""},
+		{"IN_EXCL_UNLINK", Const, 0, ""},
+		{"IN_IGNORED", Const, 0, ""},
+		{"IN_ISDIR", Const, 0, ""},
+		{"IN_LINKLOCALNETNUM", Const, 0, ""},
+		{"IN_LOOPBACKNET", Const, 0, ""},
+		{"IN_MASK_ADD", Const, 0, ""},
+		{"IN_MODIFY", Const, 0, ""},
+		{"IN_MOVE", Const, 0, ""},
+		{"IN_MOVED_FROM", Const, 0, ""},
+		{"IN_MOVED_TO", Const, 0, ""},
+		{"IN_MOVE_SELF", Const, 0, ""},
+		{"IN_NONBLOCK", Const, 0, ""},
+		{"IN_ONESHOT", Const, 0, ""},
+		{"IN_ONLYDIR", Const, 0, ""},
+		{"IN_OPEN", Const, 0, ""},
+		{"IN_Q_OVERFLOW", Const, 0, ""},
+		{"IN_RFC3021_HOST", Const, 1, ""},
+		{"IN_RFC3021_MASK", Const, 1, ""},
+		{"IN_RFC3021_NET", Const, 1, ""},
+		{"IN_RFC3021_NSHIFT", Const, 1, ""},
+		{"IN_UNMOUNT", Const, 0, ""},
+		{"IOC_IN", Const, 1, ""},
+		{"IOC_INOUT", Const, 1, ""},
+		{"IOC_OUT", Const, 1, ""},
+		{"IOC_VENDOR", Const, 3, ""},
+		{"IOC_WS2", Const, 1, ""},
+		{"IO_REPARSE_TAG_SYMLINK", Const, 4, ""},
+		{"IPMreq", Type, 0, ""},
+		{"IPMreq.Interface", Field, 0, ""},
+		{"IPMreq.Multiaddr", Field, 0, ""},
+		{"IPMreqn", Type, 0, ""},
+		{"IPMreqn.Address", Field, 0, ""},
+		{"IPMreqn.Ifindex", Field, 0, ""},
+		{"IPMreqn.Multiaddr", Field, 0, ""},
+		{"IPPROTO_3PC", Const, 0, ""},
+		{"IPPROTO_ADFS", Const, 0, ""},
+		{"IPPROTO_AH", Const, 0, ""},
+		{"IPPROTO_AHIP", Const, 0, ""},
+		{"IPPROTO_APES", Const, 0, ""},
+		{"IPPROTO_ARGUS", Const, 0, ""},
+		{"IPPROTO_AX25", Const, 0, ""},
+		{"IPPROTO_BHA", Const, 0, ""},
+		{"IPPROTO_BLT", Const, 0, ""},
+		{"IPPROTO_BRSATMON", Const, 0, ""},
+		{"IPPROTO_CARP", Const, 0, ""},
+		{"IPPROTO_CFTP", Const, 0, ""},
+		{"IPPROTO_CHAOS", Const, 0, ""},
+		{"IPPROTO_CMTP", Const, 0, ""},
+		{"IPPROTO_COMP", Const, 0, ""},
+		{"IPPROTO_CPHB", Const, 0, ""},
+		{"IPPROTO_CPNX", Const, 0, ""},
+		{"IPPROTO_DCCP", Const, 0, ""},
+		{"IPPROTO_DDP", Const, 0, ""},
+		{"IPPROTO_DGP", Const, 0, ""},
+		{"IPPROTO_DIVERT", Const, 0, ""},
+		{"IPPROTO_DIVERT_INIT", Const, 3, ""},
+		{"IPPROTO_DIVERT_RESP", Const, 3, ""},
+		{"IPPROTO_DONE", Const, 0, ""},
+		{"IPPROTO_DSTOPTS", Const, 0, ""},
+		{"IPPROTO_EGP", Const, 0, ""},
+		{"IPPROTO_EMCON", Const, 0, ""},
+		{"IPPROTO_ENCAP", Const, 0, ""},
+		{"IPPROTO_EON", Const, 0, ""},
+		{"IPPROTO_ESP", Const, 0, ""},
+		{"IPPROTO_ETHERIP", Const, 0, ""},
+		{"IPPROTO_FRAGMENT", Const, 0, ""},
+		{"IPPROTO_GGP", Const, 0, ""},
+		{"IPPROTO_GMTP", Const, 0, ""},
+		{"IPPROTO_GRE", Const, 0, ""},
+		{"IPPROTO_HELLO", Const, 0, ""},
+		{"IPPROTO_HMP", Const, 0, ""},
+		{"IPPROTO_HOPOPTS", Const, 0, ""},
+		{"IPPROTO_ICMP", Const, 0, ""},
+		{"IPPROTO_ICMPV6", Const, 0, ""},
+		{"IPPROTO_IDP", Const, 0, ""},
+		{"IPPROTO_IDPR", Const, 0, ""},
+		{"IPPROTO_IDRP", Const, 0, ""},
+		{"IPPROTO_IGMP", Const, 0, ""},
+		{"IPPROTO_IGP", Const, 0, ""},
+		{"IPPROTO_IGRP", Const, 0, ""},
+		{"IPPROTO_IL", Const, 0, ""},
+		{"IPPROTO_INLSP", Const, 0, ""},
+		{"IPPROTO_INP", Const, 0, ""},
+		{"IPPROTO_IP", Const, 0, ""},
+		{"IPPROTO_IPCOMP", Const, 0, ""},
+		{"IPPROTO_IPCV", Const, 0, ""},
+		{"IPPROTO_IPEIP", Const, 0, ""},
+		{"IPPROTO_IPIP", Const, 0, ""},
+		{"IPPROTO_IPPC", Const, 0, ""},
+		{"IPPROTO_IPV4", Const, 0, ""},
+		{"IPPROTO_IPV6", Const, 0, ""},
+		{"IPPROTO_IPV6_ICMP", Const, 1, ""},
+		{"IPPROTO_IRTP", Const, 0, ""},
+		{"IPPROTO_KRYPTOLAN", Const, 0, ""},
+		{"IPPROTO_LARP", Const, 0, ""},
+		{"IPPROTO_LEAF1", Const, 0, ""},
+		{"IPPROTO_LEAF2", Const, 0, ""},
+		{"IPPROTO_MAX", Const, 0, ""},
+		{"IPPROTO_MAXID", Const, 0, ""},
+		{"IPPROTO_MEAS", Const, 0, ""},
+		{"IPPROTO_MH", Const, 1, ""},
+		{"IPPROTO_MHRP", Const, 0, ""},
+		{"IPPROTO_MICP", Const, 0, ""},
+		{"IPPROTO_MOBILE", Const, 0, ""},
+		{"IPPROTO_MPLS", Const, 1, ""},
+		{"IPPROTO_MTP", Const, 0, ""},
+		{"IPPROTO_MUX", Const, 0, ""},
+		{"IPPROTO_ND", Const, 0, ""},
+		{"IPPROTO_NHRP", Const, 0, ""},
+		{"IPPROTO_NONE", Const, 0, ""},
+		{"IPPROTO_NSP", Const, 0, ""},
+		{"IPPROTO_NVPII", Const, 0, ""},
+		{"IPPROTO_OLD_DIVERT", Const, 0, ""},
+		{"IPPROTO_OSPFIGP", Const, 0, ""},
+		{"IPPROTO_PFSYNC", Const, 0, ""},
+		{"IPPROTO_PGM", Const, 0, ""},
+		{"IPPROTO_PIGP", Const, 0, ""},
+		{"IPPROTO_PIM", Const, 0, ""},
+		{"IPPROTO_PRM", Const, 0, ""},
+		{"IPPROTO_PUP", Const, 0, ""},
+		{"IPPROTO_PVP", Const, 0, ""},
+		{"IPPROTO_RAW", Const, 0, ""},
+		{"IPPROTO_RCCMON", Const, 0, ""},
+		{"IPPROTO_RDP", Const, 0, ""},
+		{"IPPROTO_ROUTING", Const, 0, ""},
+		{"IPPROTO_RSVP", Const, 0, ""},
+		{"IPPROTO_RVD", Const, 0, ""},
+		{"IPPROTO_SATEXPAK", Const, 0, ""},
+		{"IPPROTO_SATMON", Const, 0, ""},
+		{"IPPROTO_SCCSP", Const, 0, ""},
+		{"IPPROTO_SCTP", Const, 0, ""},
+		{"IPPROTO_SDRP", Const, 0, ""},
+		{"IPPROTO_SEND", Const, 1, ""},
+		{"IPPROTO_SEP", Const, 0, ""},
+		{"IPPROTO_SKIP", Const, 0, ""},
+		{"IPPROTO_SPACER", Const, 0, ""},
+		{"IPPROTO_SRPC", Const, 0, ""},
+		{"IPPROTO_ST", Const, 0, ""},
+		{"IPPROTO_SVMTP", Const, 0, ""},
+		{"IPPROTO_SWIPE", Const, 0, ""},
+		{"IPPROTO_TCF", Const, 0, ""},
+		{"IPPROTO_TCP", Const, 0, ""},
+		{"IPPROTO_TLSP", Const, 0, ""},
+		{"IPPROTO_TP", Const, 0, ""},
+		{"IPPROTO_TPXX", Const, 0, ""},
+		{"IPPROTO_TRUNK1", Const, 0, ""},
+		{"IPPROTO_TRUNK2", Const, 0, ""},
+		{"IPPROTO_TTP", Const, 0, ""},
+		{"IPPROTO_UDP", Const, 0, ""},
+		{"IPPROTO_UDPLITE", Const, 0, ""},
+		{"IPPROTO_VINES", Const, 0, ""},
+		{"IPPROTO_VISA", Const, 0, ""},
+		{"IPPROTO_VMTP", Const, 0, ""},
+		{"IPPROTO_VRRP", Const, 1, ""},
+		{"IPPROTO_WBEXPAK", Const, 0, ""},
+		{"IPPROTO_WBMON", Const, 0, ""},
+		{"IPPROTO_WSN", Const, 0, ""},
+		{"IPPROTO_XNET", Const, 0, ""},
+		{"IPPROTO_XTP", Const, 0, ""},
+		{"IPV6_2292DSTOPTS", Const, 0, ""},
+		{"IPV6_2292HOPLIMIT", Const, 0, ""},
+		{"IPV6_2292HOPOPTS", Const, 0, ""},
+		{"IPV6_2292NEXTHOP", Const, 0, ""},
+		{"IPV6_2292PKTINFO", Const, 0, ""},
+		{"IPV6_2292PKTOPTIONS", Const, 0, ""},
+		{"IPV6_2292RTHDR", Const, 0, ""},
+		{"IPV6_ADDRFORM", Const, 0, ""},
+		{"IPV6_ADD_MEMBERSHIP", Const, 0, ""},
+		{"IPV6_AUTHHDR", Const, 0, ""},
+		{"IPV6_AUTH_LEVEL", Const, 1, ""},
+		{"IPV6_AUTOFLOWLABEL", Const, 0, ""},
+		{"IPV6_BINDANY", Const, 0, ""},
+		{"IPV6_BINDV6ONLY", Const, 0, ""},
+		{"IPV6_BOUND_IF", Const, 0, ""},
+		{"IPV6_CHECKSUM", Const, 0, ""},
+		{"IPV6_DEFAULT_MULTICAST_HOPS", Const, 0, ""},
+		{"IPV6_DEFAULT_MULTICAST_LOOP", Const, 0, ""},
+		{"IPV6_DEFHLIM", Const, 0, ""},
+		{"IPV6_DONTFRAG", Const, 0, ""},
+		{"IPV6_DROP_MEMBERSHIP", Const, 0, ""},
+		{"IPV6_DSTOPTS", Const, 0, ""},
+		{"IPV6_ESP_NETWORK_LEVEL", Const, 1, ""},
+		{"IPV6_ESP_TRANS_LEVEL", Const, 1, ""},
+		{"IPV6_FAITH", Const, 0, ""},
+		{"IPV6_FLOWINFO_MASK", Const, 0, ""},
+		{"IPV6_FLOWLABEL_MASK", Const, 0, ""},
+		{"IPV6_FRAGTTL", Const, 0, ""},
+		{"IPV6_FW_ADD", Const, 0, ""},
+		{"IPV6_FW_DEL", Const, 0, ""},
+		{"IPV6_FW_FLUSH", Const, 0, ""},
+		{"IPV6_FW_GET", Const, 0, ""},
+		{"IPV6_FW_ZERO", Const, 0, ""},
+		{"IPV6_HLIMDEC", Const, 0, ""},
+		{"IPV6_HOPLIMIT", Const, 0, ""},
+		{"IPV6_HOPOPTS", Const, 0, ""},
+		{"IPV6_IPCOMP_LEVEL", Const, 1, ""},
+		{"IPV6_IPSEC_POLICY", Const, 0, ""},
+		{"IPV6_JOIN_ANYCAST", Const, 0, ""},
+		{"IPV6_JOIN_GROUP", Const, 0, ""},
+		{"IPV6_LEAVE_ANYCAST", Const, 0, ""},
+		{"IPV6_LEAVE_GROUP", Const, 0, ""},
+		{"IPV6_MAXHLIM", Const, 0, ""},
+		{"IPV6_MAXOPTHDR", Const, 0, ""},
+		{"IPV6_MAXPACKET", Const, 0, ""},
+		{"IPV6_MAX_GROUP_SRC_FILTER", Const, 0, ""},
+		{"IPV6_MAX_MEMBERSHIPS", Const, 0, ""},
+		{"IPV6_MAX_SOCK_SRC_FILTER", Const, 0, ""},
+		{"IPV6_MIN_MEMBERSHIPS", Const, 0, ""},
+		{"IPV6_MMTU", Const, 0, ""},
+		{"IPV6_MSFILTER", Const, 0, ""},
+		{"IPV6_MTU", Const, 0, ""},
+		{"IPV6_MTU_DISCOVER", Const, 0, ""},
+		{"IPV6_MULTICAST_HOPS", Const, 0, ""},
+		{"IPV6_MULTICAST_IF", Const, 0, ""},
+		{"IPV6_MULTICAST_LOOP", Const, 0, ""},
+		{"IPV6_NEXTHOP", Const, 0, ""},
+		{"IPV6_OPTIONS", Const, 1, ""},
+		{"IPV6_PATHMTU", Const, 0, ""},
+		{"IPV6_PIPEX", Const, 1, ""},
+		{"IPV6_PKTINFO", Const, 0, ""},
+		{"IPV6_PMTUDISC_DO", Const, 0, ""},
+		{"IPV6_PMTUDISC_DONT", Const, 0, ""},
+		{"IPV6_PMTUDISC_PROBE", Const, 0, ""},
+		{"IPV6_PMTUDISC_WANT", Const, 0, ""},
+		{"IPV6_PORTRANGE", Const, 0, ""},
+		{"IPV6_PORTRANGE_DEFAULT", Const, 0, ""},
+		{"IPV6_PORTRANGE_HIGH", Const, 0, ""},
+		{"IPV6_PORTRANGE_LOW", Const, 0, ""},
+		{"IPV6_PREFER_TEMPADDR", Const, 0, ""},
+		{"IPV6_RECVDSTOPTS", Const, 0, ""},
+		{"IPV6_RECVDSTPORT", Const, 3, ""},
+		{"IPV6_RECVERR", Const, 0, ""},
+		{"IPV6_RECVHOPLIMIT", Const, 0, ""},
+		{"IPV6_RECVHOPOPTS", Const, 0, ""},
+		{"IPV6_RECVPATHMTU", Const, 0, ""},
+		{"IPV6_RECVPKTINFO", Const, 0, ""},
+		{"IPV6_RECVRTHDR", Const, 0, ""},
+		{"IPV6_RECVTCLASS", Const, 0, ""},
+		{"IPV6_ROUTER_ALERT", Const, 0, ""},
+		{"IPV6_RTABLE", Const, 1, ""},
+		{"IPV6_RTHDR", Const, 0, ""},
+		{"IPV6_RTHDRDSTOPTS", Const, 0, ""},
+		{"IPV6_RTHDR_LOOSE", Const, 0, ""},
+		{"IPV6_RTHDR_STRICT", Const, 0, ""},
+		{"IPV6_RTHDR_TYPE_0", Const, 0, ""},
+		{"IPV6_RXDSTOPTS", Const, 0, ""},
+		{"IPV6_RXHOPOPTS", Const, 0, ""},
+		{"IPV6_SOCKOPT_RESERVED1", Const, 0, ""},
+		{"IPV6_TCLASS", Const, 0, ""},
+		{"IPV6_UNICAST_HOPS", Const, 0, ""},
+		{"IPV6_USE_MIN_MTU", Const, 0, ""},
+		{"IPV6_V6ONLY", Const, 0, ""},
+		{"IPV6_VERSION", Const, 0, ""},
+		{"IPV6_VERSION_MASK", Const, 0, ""},
+		{"IPV6_XFRM_POLICY", Const, 0, ""},
+		{"IP_ADD_MEMBERSHIP", Const, 0, ""},
+		{"IP_ADD_SOURCE_MEMBERSHIP", Const, 0, ""},
+		{"IP_AUTH_LEVEL", Const, 1, ""},
+		{"IP_BINDANY", Const, 0, ""},
+		{"IP_BLOCK_SOURCE", Const, 0, ""},
+		{"IP_BOUND_IF", Const, 0, ""},
+		{"IP_DEFAULT_MULTICAST_LOOP", Const, 0, ""},
+		{"IP_DEFAULT_MULTICAST_TTL", Const, 0, ""},
+		{"IP_DF", Const, 0, ""},
+		{"IP_DIVERTFL", Const, 3, ""},
+		{"IP_DONTFRAG", Const, 0, ""},
+		{"IP_DROP_MEMBERSHIP", Const, 0, ""},
+		{"IP_DROP_SOURCE_MEMBERSHIP", Const, 0, ""},
+		{"IP_DUMMYNET3", Const, 0, ""},
+		{"IP_DUMMYNET_CONFIGURE", Const, 0, ""},
+		{"IP_DUMMYNET_DEL", Const, 0, ""},
+		{"IP_DUMMYNET_FLUSH", Const, 0, ""},
+		{"IP_DUMMYNET_GET", Const, 0, ""},
+		{"IP_EF", Const, 1, ""},
+		{"IP_ERRORMTU", Const, 1, ""},
+		{"IP_ESP_NETWORK_LEVEL", Const, 1, ""},
+		{"IP_ESP_TRANS_LEVEL", Const, 1, ""},
+		{"IP_FAITH", Const, 0, ""},
+		{"IP_FREEBIND", Const, 0, ""},
+		{"IP_FW3", Const, 0, ""},
+		{"IP_FW_ADD", Const, 0, ""},
+		{"IP_FW_DEL", Const, 0, ""},
+		{"IP_FW_FLUSH", Const, 0, ""},
+		{"IP_FW_GET", Const, 0, ""},
+		{"IP_FW_NAT_CFG", Const, 0, ""},
+		{"IP_FW_NAT_DEL", Const, 0, ""},
+		{"IP_FW_NAT_GET_CONFIG", Const, 0, ""},
+		{"IP_FW_NAT_GET_LOG", Const, 0, ""},
+		{"IP_FW_RESETLOG", Const, 0, ""},
+		{"IP_FW_TABLE_ADD", Const, 0, ""},
+		{"IP_FW_TABLE_DEL", Const, 0, ""},
+		{"IP_FW_TABLE_FLUSH", Const, 0, ""},
+		{"IP_FW_TABLE_GETSIZE", Const, 0, ""},
+		{"IP_FW_TABLE_LIST", Const, 0, ""},
+		{"IP_FW_ZERO", Const, 0, ""},
+		{"IP_HDRINCL", Const, 0, ""},
+		{"IP_IPCOMP_LEVEL", Const, 1, ""},
+		{"IP_IPSECFLOWINFO", Const, 1, ""},
+		{"IP_IPSEC_LOCAL_AUTH", Const, 1, ""},
+		{"IP_IPSEC_LOCAL_CRED", Const, 1, ""},
+		{"IP_IPSEC_LOCAL_ID", Const, 1, ""},
+		{"IP_IPSEC_POLICY", Const, 0, ""},
+		{"IP_IPSEC_REMOTE_AUTH", Const, 1, ""},
+		{"IP_IPSEC_REMOTE_CRED", Const, 1, ""},
+		{"IP_IPSEC_REMOTE_ID", Const, 1, ""},
+		{"IP_MAXPACKET", Const, 0, ""},
+		{"IP_MAX_GROUP_SRC_FILTER", Const, 0, ""},
+		{"IP_MAX_MEMBERSHIPS", Const, 0, ""},
+		{"IP_MAX_SOCK_MUTE_FILTER", Const, 0, ""},
+		{"IP_MAX_SOCK_SRC_FILTER", Const, 0, ""},
+		{"IP_MAX_SOURCE_FILTER", Const, 0, ""},
+		{"IP_MF", Const, 0, ""},
+		{"IP_MINFRAGSIZE", Const, 1, ""},
+		{"IP_MINTTL", Const, 0, ""},
+		{"IP_MIN_MEMBERSHIPS", Const, 0, ""},
+		{"IP_MSFILTER", Const, 0, ""},
+		{"IP_MSS", Const, 0, ""},
+		{"IP_MTU", Const, 0, ""},
+		{"IP_MTU_DISCOVER", Const, 0, ""},
+		{"IP_MULTICAST_IF", Const, 0, ""},
+		{"IP_MULTICAST_IFINDEX", Const, 0, ""},
+		{"IP_MULTICAST_LOOP", Const, 0, ""},
+		{"IP_MULTICAST_TTL", Const, 0, ""},
+		{"IP_MULTICAST_VIF", Const, 0, ""},
+		{"IP_NAT__XXX", Const, 0, ""},
+		{"IP_OFFMASK", Const, 0, ""},
+		{"IP_OLD_FW_ADD", Const, 0, ""},
+		{"IP_OLD_FW_DEL", Const, 0, ""},
+		{"IP_OLD_FW_FLUSH", Const, 0, ""},
+		{"IP_OLD_FW_GET", Const, 0, ""},
+		{"IP_OLD_FW_RESETLOG", Const, 0, ""},
+		{"IP_OLD_FW_ZERO", Const, 0, ""},
+		{"IP_ONESBCAST", Const, 0, ""},
+		{"IP_OPTIONS", Const, 0, ""},
+		{"IP_ORIGDSTADDR", Const, 0, ""},
+		{"IP_PASSSEC", Const, 0, ""},
+		{"IP_PIPEX", Const, 1, ""},
+		{"IP_PKTINFO", Const, 0, ""},
+		{"IP_PKTOPTIONS", Const, 0, ""},
+		{"IP_PMTUDISC", Const, 0, ""},
+		{"IP_PMTUDISC_DO", Const, 0, ""},
+		{"IP_PMTUDISC_DONT", Const, 0, ""},
+		{"IP_PMTUDISC_PROBE", Const, 0, ""},
+		{"IP_PMTUDISC_WANT", Const, 0, ""},
+		{"IP_PORTRANGE", Const, 0, ""},
+		{"IP_PORTRANGE_DEFAULT", Const, 0, ""},
+		{"IP_PORTRANGE_HIGH", Const, 0, ""},
+		{"IP_PORTRANGE_LOW", Const, 0, ""},
+		{"IP_RECVDSTADDR", Const, 0, ""},
+		{"IP_RECVDSTPORT", Const, 1, ""},
+		{"IP_RECVERR", Const, 0, ""},
+		{"IP_RECVIF", Const, 0, ""},
+		{"IP_RECVOPTS", Const, 0, ""},
+		{"IP_RECVORIGDSTADDR", Const, 0, ""},
+		{"IP_RECVPKTINFO", Const, 0, ""},
+		{"IP_RECVRETOPTS", Const, 0, ""},
+		{"IP_RECVRTABLE", Const, 1, ""},
+		{"IP_RECVTOS", Const, 0, ""},
+		{"IP_RECVTTL", Const, 0, ""},
+		{"IP_RETOPTS", Const, 0, ""},
+		{"IP_RF", Const, 0, ""},
+		{"IP_ROUTER_ALERT", Const, 0, ""},
+		{"IP_RSVP_OFF", Const, 0, ""},
+		{"IP_RSVP_ON", Const, 0, ""},
+		{"IP_RSVP_VIF_OFF", Const, 0, ""},
+		{"IP_RSVP_VIF_ON", Const, 0, ""},
+		{"IP_RTABLE", Const, 1, ""},
+		{"IP_SENDSRCADDR", Const, 0, ""},
+		{"IP_STRIPHDR", Const, 0, ""},
+		{"IP_TOS", Const, 0, ""},
+		{"IP_TRAFFIC_MGT_BACKGROUND", Const, 0, ""},
+		{"IP_TRANSPARENT", Const, 0, ""},
+		{"IP_TTL", Const, 0, ""},
+		{"IP_UNBLOCK_SOURCE", Const, 0, ""},
+		{"IP_XFRM_POLICY", Const, 0, ""},
+		{"IPv6MTUInfo", Type, 2, ""},
+		{"IPv6MTUInfo.Addr", Field, 2, ""},
+		{"IPv6MTUInfo.Mtu", Field, 2, ""},
+		{"IPv6Mreq", Type, 0, ""},
+		{"IPv6Mreq.Interface", Field, 0, ""},
+		{"IPv6Mreq.Multiaddr", Field, 0, ""},
+		{"ISIG", Const, 0, ""},
+		{"ISTRIP", Const, 0, ""},
+		{"IUCLC", Const, 0, ""},
+		{"IUTF8", Const, 0, ""},
+		{"IXANY", Const, 0, ""},
+		{"IXOFF", Const, 0, ""},
+		{"IXON", Const, 0, ""},
+		{"IfAddrmsg", Type, 0, ""},
+		{"IfAddrmsg.Family", Field, 0, ""},
+		{"IfAddrmsg.Flags", Field, 0, ""},
+		{"IfAddrmsg.Index", Field, 0, ""},
+		{"IfAddrmsg.Prefixlen", Field, 0, ""},
+		{"IfAddrmsg.Scope", Field, 0, ""},
+		{"IfAnnounceMsghdr", Type, 1, ""},
+		{"IfAnnounceMsghdr.Hdrlen", Field, 2, ""},
+		{"IfAnnounceMsghdr.Index", Field, 1, ""},
+		{"IfAnnounceMsghdr.Msglen", Field, 1, ""},
+		{"IfAnnounceMsghdr.Name", Field, 1, ""},
+		{"IfAnnounceMsghdr.Type", Field, 1, ""},
+		{"IfAnnounceMsghdr.Version", Field, 1, ""},
+		{"IfAnnounceMsghdr.What", Field, 1, ""},
+		{"IfData", Type, 0, ""},
+		{"IfData.Addrlen", Field, 0, ""},
+		{"IfData.Baudrate", Field, 0, ""},
+		{"IfData.Capabilities", Field, 2, ""},
+		{"IfData.Collisions", Field, 0, ""},
+		{"IfData.Datalen", Field, 0, ""},
+		{"IfData.Epoch", Field, 0, ""},
+		{"IfData.Hdrlen", Field, 0, ""},
+		{"IfData.Hwassist", Field, 0, ""},
+		{"IfData.Ibytes", Field, 0, ""},
+		{"IfData.Ierrors", Field, 0, ""},
+		{"IfData.Imcasts", Field, 0, ""},
+		{"IfData.Ipackets", Field, 0, ""},
+		{"IfData.Iqdrops", Field, 0, ""},
+		{"IfData.Lastchange", Field, 0, ""},
+		{"IfData.Link_state", Field, 0, ""},
+		{"IfData.Mclpool", Field, 2, ""},
+		{"IfData.Metric", Field, 0, ""},
+		{"IfData.Mtu", Field, 0, ""},
+		{"IfData.Noproto", Field, 0, ""},
+		{"IfData.Obytes", Field, 0, ""},
+		{"IfData.Oerrors", Field, 0, ""},
+		{"IfData.Omcasts", Field, 0, ""},
+		{"IfData.Opackets", Field, 0, ""},
+		{"IfData.Pad", Field, 2, ""},
+		{"IfData.Pad_cgo_0", Field, 2, ""},
+		{"IfData.Pad_cgo_1", Field, 2, ""},
+		{"IfData.Physical", Field, 0, ""},
+		{"IfData.Recvquota", Field, 0, ""},
+		{"IfData.Recvtiming", Field, 0, ""},
+		{"IfData.Reserved1", Field, 0, ""},
+		{"IfData.Reserved2", Field, 0, ""},
+		{"IfData.Spare_char1", Field, 0, ""},
+		{"IfData.Spare_char2", Field, 0, ""},
+		{"IfData.Type", Field, 0, ""},
+		{"IfData.Typelen", Field, 0, ""},
+		{"IfData.Unused1", Field, 0, ""},
+		{"IfData.Unused2", Field, 0, ""},
+		{"IfData.Xmitquota", Field, 0, ""},
+		{"IfData.Xmittiming", Field, 0, ""},
+		{"IfInfomsg", Type, 0, ""},
+		{"IfInfomsg.Change", Field, 0, ""},
+		{"IfInfomsg.Family", Field, 0, ""},
+		{"IfInfomsg.Flags", Field, 0, ""},
+		{"IfInfomsg.Index", Field, 0, ""},
+		{"IfInfomsg.Type", Field, 0, ""},
+		{"IfInfomsg.X__ifi_pad", Field, 0, ""},
+		{"IfMsghdr", Type, 0, ""},
+		{"IfMsghdr.Addrs", Field, 0, ""},
+		{"IfMsghdr.Data", Field, 0, ""},
+		{"IfMsghdr.Flags", Field, 0, ""},
+		{"IfMsghdr.Hdrlen", Field, 2, ""},
+		{"IfMsghdr.Index", Field, 0, ""},
+		{"IfMsghdr.Msglen", Field, 0, ""},
+		{"IfMsghdr.Pad1", Field, 2, ""},
+		{"IfMsghdr.Pad2", Field, 2, ""},
+		{"IfMsghdr.Pad_cgo_0", Field, 0, ""},
+		{"IfMsghdr.Pad_cgo_1", Field, 2, ""},
+		{"IfMsghdr.Tableid", Field, 2, ""},
+		{"IfMsghdr.Type", Field, 0, ""},
+		{"IfMsghdr.Version", Field, 0, ""},
+		{"IfMsghdr.Xflags", Field, 2, ""},
+		{"IfaMsghdr", Type, 0, ""},
+		{"IfaMsghdr.Addrs", Field, 0, ""},
+		{"IfaMsghdr.Flags", Field, 0, ""},
+		{"IfaMsghdr.Hdrlen", Field, 2, ""},
+		{"IfaMsghdr.Index", Field, 0, ""},
+		{"IfaMsghdr.Metric", Field, 0, ""},
+		{"IfaMsghdr.Msglen", Field, 0, ""},
+		{"IfaMsghdr.Pad1", Field, 2, ""},
+		{"IfaMsghdr.Pad2", Field, 2, ""},
+		{"IfaMsghdr.Pad_cgo_0", Field, 0, ""},
+		{"IfaMsghdr.Tableid", Field, 2, ""},
+		{"IfaMsghdr.Type", Field, 0, ""},
+		{"IfaMsghdr.Version", Field, 0, ""},
+		{"IfmaMsghdr", Type, 0, ""},
+		{"IfmaMsghdr.Addrs", Field, 0, ""},
+		{"IfmaMsghdr.Flags", Field, 0, ""},
+		{"IfmaMsghdr.Index", Field, 0, ""},
+		{"IfmaMsghdr.Msglen", Field, 0, ""},
+		{"IfmaMsghdr.Pad_cgo_0", Field, 0, ""},
+		{"IfmaMsghdr.Type", Field, 0, ""},
+		{"IfmaMsghdr.Version", Field, 0, ""},
+		{"IfmaMsghdr2", Type, 0, ""},
+		{"IfmaMsghdr2.Addrs", Field, 0, ""},
+		{"IfmaMsghdr2.Flags", Field, 0, ""},
+		{"IfmaMsghdr2.Index", Field, 0, ""},
+		{"IfmaMsghdr2.Msglen", Field, 0, ""},
+		{"IfmaMsghdr2.Pad_cgo_0", Field, 0, ""},
+		{"IfmaMsghdr2.Refcount", Field, 0, ""},
+		{"IfmaMsghdr2.Type", Field, 0, ""},
+		{"IfmaMsghdr2.Version", Field, 0, ""},
+		{"ImplementsGetwd", Const, 0, ""},
+		{"Inet4Pktinfo", Type, 0, ""},
+		{"Inet4Pktinfo.Addr", Field, 0, ""},
+		{"Inet4Pktinfo.Ifindex", Field, 0, ""},
+		{"Inet4Pktinfo.Spec_dst", Field, 0, ""},
+		{"Inet6Pktinfo", Type, 0, ""},
+		{"Inet6Pktinfo.Addr", Field, 0, ""},
+		{"Inet6Pktinfo.Ifindex", Field, 0, ""},
+		{"InotifyAddWatch", Func, 0, "func(fd int, pathname string, mask uint32) (watchdesc int, err error)"},
+		{"InotifyEvent", Type, 0, ""},
+		{"InotifyEvent.Cookie", Field, 0, ""},
+		{"InotifyEvent.Len", Field, 0, ""},
+		{"InotifyEvent.Mask", Field, 0, ""},
+		{"InotifyEvent.Name", Field, 0, ""},
+		{"InotifyEvent.Wd", Field, 0, ""},
+		{"InotifyInit", Func, 0, "func() (fd int, err error)"},
+		{"InotifyInit1", Func, 0, "func(flags int) (fd int, err error)"},
+		{"InotifyRmWatch", Func, 0, "func(fd int, watchdesc uint32) (success int, err error)"},
+		{"InterfaceAddrMessage", Type, 0, ""},
+		{"InterfaceAddrMessage.Data", Field, 0, ""},
+		{"InterfaceAddrMessage.Header", Field, 0, ""},
+		{"InterfaceAnnounceMessage", Type, 1, ""},
+		{"InterfaceAnnounceMessage.Header", Field, 1, ""},
+		{"InterfaceInfo", Type, 0, ""},
+		{"InterfaceInfo.Address", Field, 0, ""},
+		{"InterfaceInfo.BroadcastAddress", Field, 0, ""},
+		{"InterfaceInfo.Flags", Field, 0, ""},
+		{"InterfaceInfo.Netmask", Field, 0, ""},
+		{"InterfaceMessage", Type, 0, ""},
+		{"InterfaceMessage.Data", Field, 0, ""},
+		{"InterfaceMessage.Header", Field, 0, ""},
+		{"InterfaceMulticastAddrMessage", Type, 0, ""},
+		{"InterfaceMulticastAddrMessage.Data", Field, 0, ""},
+		{"InterfaceMulticastAddrMessage.Header", Field, 0, ""},
+		{"InvalidHandle", Const, 0, ""},
+		{"Ioperm", Func, 0, "func(from int, num int, on int) (err error)"},
+		{"Iopl", Func, 0, "func(level int) (err error)"},
+		{"Iovec", Type, 0, ""},
+		{"Iovec.Base", Field, 0, ""},
+		{"Iovec.Len", Field, 0, ""},
+		{"IpAdapterInfo", Type, 0, ""},
+		{"IpAdapterInfo.AdapterName", Field, 0, ""},
+		{"IpAdapterInfo.Address", Field, 0, ""},
+		{"IpAdapterInfo.AddressLength", Field, 0, ""},
+		{"IpAdapterInfo.ComboIndex", Field, 0, ""},
+		{"IpAdapterInfo.CurrentIpAddress", Field, 0, ""},
+		{"IpAdapterInfo.Description", Field, 0, ""},
+		{"IpAdapterInfo.DhcpEnabled", Field, 0, ""},
+		{"IpAdapterInfo.DhcpServer", Field, 0, ""},
+		{"IpAdapterInfo.GatewayList", Field, 0, ""},
+		{"IpAdapterInfo.HaveWins", Field, 0, ""},
+		{"IpAdapterInfo.Index", Field, 0, ""},
+		{"IpAdapterInfo.IpAddressList", Field, 0, ""},
+		{"IpAdapterInfo.LeaseExpires", Field, 0, ""},
+		{"IpAdapterInfo.LeaseObtained", Field, 0, ""},
+		{"IpAdapterInfo.Next", Field, 0, ""},
+		{"IpAdapterInfo.PrimaryWinsServer", Field, 0, ""},
+		{"IpAdapterInfo.SecondaryWinsServer", Field, 0, ""},
+		{"IpAdapterInfo.Type", Field, 0, ""},
+		{"IpAddrString", Type, 0, ""},
+		{"IpAddrString.Context", Field, 0, ""},
+		{"IpAddrString.IpAddress", Field, 0, ""},
+		{"IpAddrString.IpMask", Field, 0, ""},
+		{"IpAddrString.Next", Field, 0, ""},
+		{"IpAddressString", Type, 0, ""},
+		{"IpAddressString.String", Field, 0, ""},
+		{"IpMaskString", Type, 0, ""},
+		{"IpMaskString.String", Field, 2, ""},
+		{"Issetugid", Func, 0, ""},
+		{"KEY_ALL_ACCESS", Const, 0, ""},
+		{"KEY_CREATE_LINK", Const, 0, ""},
+		{"KEY_CREATE_SUB_KEY", Const, 0, ""},
+		{"KEY_ENUMERATE_SUB_KEYS", Const, 0, ""},
+		{"KEY_EXECUTE", Const, 0, ""},
+		{"KEY_NOTIFY", Const, 0, ""},
+		{"KEY_QUERY_VALUE", Const, 0, ""},
+		{"KEY_READ", Const, 0, ""},
+		{"KEY_SET_VALUE", Const, 0, ""},
+		{"KEY_WOW64_32KEY", Const, 0, ""},
+		{"KEY_WOW64_64KEY", Const, 0, ""},
+		{"KEY_WRITE", Const, 0, ""},
+		{"Kevent", Func, 0, ""},
+		{"Kevent_t", Type, 0, ""},
+		{"Kevent_t.Data", Field, 0, ""},
+		{"Kevent_t.Fflags", Field, 0, ""},
+		{"Kevent_t.Filter", Field, 0, ""},
+		{"Kevent_t.Flags", Field, 0, ""},
+		{"Kevent_t.Ident", Field, 0, ""},
+		{"Kevent_t.Pad_cgo_0", Field, 2, ""},
+		{"Kevent_t.Udata", Field, 0, ""},
+		{"Kill", Func, 0, "func(pid int, sig Signal) (err error)"},
+		{"Klogctl", Func, 0, "func(typ int, buf []byte) (n int, err error)"},
+		{"Kqueue", Func, 0, ""},
+		{"LANG_ENGLISH", Const, 0, ""},
+		{"LAYERED_PROTOCOL", Const, 2, ""},
+		{"LCNT_OVERLOAD_FLUSH", Const, 1, ""},
+		{"LINUX_REBOOT_CMD_CAD_OFF", Const, 0, ""},
+		{"LINUX_REBOOT_CMD_CAD_ON", Const, 0, ""},
+		{"LINUX_REBOOT_CMD_HALT", Const, 0, ""},
+		{"LINUX_REBOOT_CMD_KEXEC", Const, 0, ""},
+		{"LINUX_REBOOT_CMD_POWER_OFF", Const, 0, ""},
+		{"LINUX_REBOOT_CMD_RESTART", Const, 0, ""},
+		{"LINUX_REBOOT_CMD_RESTART2", Const, 0, ""},
+		{"LINUX_REBOOT_CMD_SW_SUSPEND", Const, 0, ""},
+		{"LINUX_REBOOT_MAGIC1", Const, 0, ""},
+		{"LINUX_REBOOT_MAGIC2", Const, 0, ""},
+		{"LOCK_EX", Const, 0, ""},
+		{"LOCK_NB", Const, 0, ""},
+		{"LOCK_SH", Const, 0, ""},
+		{"LOCK_UN", Const, 0, ""},
+		{"LazyDLL", Type, 0, ""},
+		{"LazyDLL.Name", Field, 0, ""},
+		{"LazyProc", Type, 0, ""},
+		{"LazyProc.Name", Field, 0, ""},
+		{"Lchown", Func, 0, "func(path string, uid int, gid int) (err error)"},
+		{"Linger", Type, 0, ""},
+		{"Linger.Linger", Field, 0, ""},
+		{"Linger.Onoff", Field, 0, ""},
+		{"Link", Func, 0, "func(oldpath string, newpath string) (err error)"},
+		{"Listen", Func, 0, "func(s int, n int) (err error)"},
+		{"Listxattr", Func, 1, "func(path string, dest []byte) (sz int, err error)"},
+		{"LoadCancelIoEx", Func, 1, ""},
+		{"LoadConnectEx", Func, 1, ""},
+		{"LoadCreateSymbolicLink", Func, 4, ""},
+		{"LoadDLL", Func, 0, ""},
+		{"LoadGetAddrInfo", Func, 1, ""},
+		{"LoadLibrary", Func, 0, ""},
+		{"LoadSetFileCompletionNotificationModes", Func, 2, ""},
+		{"LocalFree", Func, 0, ""},
+		{"Log2phys_t", Type, 0, ""},
+		{"Log2phys_t.Contigbytes", Field, 0, ""},
+		{"Log2phys_t.Devoffset", Field, 0, ""},
+		{"Log2phys_t.Flags", Field, 0, ""},
+		{"LookupAccountName", Func, 0, ""},
+		{"LookupAccountSid", Func, 0, ""},
+		{"LookupSID", Func, 0, ""},
+		{"LsfJump", Func, 0, "func(code int, k int, jt int, jf int) *SockFilter"},
+		{"LsfSocket", Func, 0, "func(ifindex int, proto int) (int, error)"},
+		{"LsfStmt", Func, 0, "func(code int, k int) *SockFilter"},
+		{"Lstat", Func, 0, "func(path string, stat *Stat_t) (err error)"},
+		{"MADV_AUTOSYNC", Const, 1, ""},
+		{"MADV_CAN_REUSE", Const, 0, ""},
+		{"MADV_CORE", Const, 1, ""},
+		{"MADV_DOFORK", Const, 0, ""},
+		{"MADV_DONTFORK", Const, 0, ""},
+		{"MADV_DONTNEED", Const, 0, ""},
+		{"MADV_FREE", Const, 0, ""},
+		{"MADV_FREE_REUSABLE", Const, 0, ""},
+		{"MADV_FREE_REUSE", Const, 0, ""},
+		{"MADV_HUGEPAGE", Const, 0, ""},
+		{"MADV_HWPOISON", Const, 0, ""},
+		{"MADV_MERGEABLE", Const, 0, ""},
+		{"MADV_NOCORE", Const, 1, ""},
+		{"MADV_NOHUGEPAGE", Const, 0, ""},
+		{"MADV_NORMAL", Const, 0, ""},
+		{"MADV_NOSYNC", Const, 1, ""},
+		{"MADV_PROTECT", Const, 1, ""},
+		{"MADV_RANDOM", Const, 0, ""},
+		{"MADV_REMOVE", Const, 0, ""},
+		{"MADV_SEQUENTIAL", Const, 0, ""},
+		{"MADV_SPACEAVAIL", Const, 3, ""},
+		{"MADV_UNMERGEABLE", Const, 0, ""},
+		{"MADV_WILLNEED", Const, 0, ""},
+		{"MADV_ZERO_WIRED_PAGES", Const, 0, ""},
+		{"MAP_32BIT", Const, 0, ""},
+		{"MAP_ALIGNED_SUPER", Const, 3, ""},
+		{"MAP_ALIGNMENT_16MB", Const, 3, ""},
+		{"MAP_ALIGNMENT_1TB", Const, 3, ""},
+		{"MAP_ALIGNMENT_256TB", Const, 3, ""},
+		{"MAP_ALIGNMENT_4GB", Const, 3, ""},
+		{"MAP_ALIGNMENT_64KB", Const, 3, ""},
+		{"MAP_ALIGNMENT_64PB", Const, 3, ""},
+		{"MAP_ALIGNMENT_MASK", Const, 3, ""},
+		{"MAP_ALIGNMENT_SHIFT", Const, 3, ""},
+		{"MAP_ANON", Const, 0, ""},
+		{"MAP_ANONYMOUS", Const, 0, ""},
+		{"MAP_COPY", Const, 0, ""},
+		{"MAP_DENYWRITE", Const, 0, ""},
+		{"MAP_EXECUTABLE", Const, 0, ""},
+		{"MAP_FILE", Const, 0, ""},
+		{"MAP_FIXED", Const, 0, ""},
+		{"MAP_FLAGMASK", Const, 3, ""},
+		{"MAP_GROWSDOWN", Const, 0, ""},
+		{"MAP_HASSEMAPHORE", Const, 0, ""},
+		{"MAP_HUGETLB", Const, 0, ""},
+		{"MAP_INHERIT", Const, 3, ""},
+		{"MAP_INHERIT_COPY", Const, 3, ""},
+		{"MAP_INHERIT_DEFAULT", Const, 3, ""},
+		{"MAP_INHERIT_DONATE_COPY", Const, 3, ""},
+		{"MAP_INHERIT_NONE", Const, 3, ""},
+		{"MAP_INHERIT_SHARE", Const, 3, ""},
+		{"MAP_JIT", Const, 0, ""},
+		{"MAP_LOCKED", Const, 0, ""},
+		{"MAP_NOCACHE", Const, 0, ""},
+		{"MAP_NOCORE", Const, 1, ""},
+		{"MAP_NOEXTEND", Const, 0, ""},
+		{"MAP_NONBLOCK", Const, 0, ""},
+		{"MAP_NORESERVE", Const, 0, ""},
+		{"MAP_NOSYNC", Const, 1, ""},
+		{"MAP_POPULATE", Const, 0, ""},
+		{"MAP_PREFAULT_READ", Const, 1, ""},
+		{"MAP_PRIVATE", Const, 0, ""},
+		{"MAP_RENAME", Const, 0, ""},
+		{"MAP_RESERVED0080", Const, 0, ""},
+		{"MAP_RESERVED0100", Const, 1, ""},
+		{"MAP_SHARED", Const, 0, ""},
+		{"MAP_STACK", Const, 0, ""},
+		{"MAP_TRYFIXED", Const, 3, ""},
+		{"MAP_TYPE", Const, 0, ""},
+		{"MAP_WIRED", Const, 3, ""},
+		{"MAXIMUM_REPARSE_DATA_BUFFER_SIZE", Const, 4, ""},
+		{"MAXLEN_IFDESCR", Const, 0, ""},
+		{"MAXLEN_PHYSADDR", Const, 0, ""},
+		{"MAX_ADAPTER_ADDRESS_LENGTH", Const, 0, ""},
+		{"MAX_ADAPTER_DESCRIPTION_LENGTH", Const, 0, ""},
+		{"MAX_ADAPTER_NAME_LENGTH", Const, 0, ""},
+		{"MAX_COMPUTERNAME_LENGTH", Const, 0, ""},
+		{"MAX_INTERFACE_NAME_LEN", Const, 0, ""},
+		{"MAX_LONG_PATH", Const, 0, ""},
+		{"MAX_PATH", Const, 0, ""},
+		{"MAX_PROTOCOL_CHAIN", Const, 2, ""},
+		{"MCL_CURRENT", Const, 0, ""},
+		{"MCL_FUTURE", Const, 0, ""},
+		{"MNT_DETACH", Const, 0, ""},
+		{"MNT_EXPIRE", Const, 0, ""},
+		{"MNT_FORCE", Const, 0, ""},
+		{"MSG_BCAST", Const, 1, ""},
+		{"MSG_CMSG_CLOEXEC", Const, 0, ""},
+		{"MSG_COMPAT", Const, 0, ""},
+		{"MSG_CONFIRM", Const, 0, ""},
+		{"MSG_CONTROLMBUF", Const, 1, ""},
+		{"MSG_CTRUNC", Const, 0, ""},
+		{"MSG_DONTROUTE", Const, 0, ""},
+		{"MSG_DONTWAIT", Const, 0, ""},
+		{"MSG_EOF", Const, 0, ""},
+		{"MSG_EOR", Const, 0, ""},
+		{"MSG_ERRQUEUE", Const, 0, ""},
+		{"MSG_FASTOPEN", Const, 1, ""},
+		{"MSG_FIN", Const, 0, ""},
+		{"MSG_FLUSH", Const, 0, ""},
+		{"MSG_HAVEMORE", Const, 0, ""},
+		{"MSG_HOLD", Const, 0, ""},
+		{"MSG_IOVUSRSPACE", Const, 1, ""},
+		{"MSG_LENUSRSPACE", Const, 1, ""},
+		{"MSG_MCAST", Const, 1, ""},
+		{"MSG_MORE", Const, 0, ""},
+		{"MSG_NAMEMBUF", Const, 1, ""},
+		{"MSG_NBIO", Const, 0, ""},
+		{"MSG_NEEDSA", Const, 0, ""},
+		{"MSG_NOSIGNAL", Const, 0, ""},
+		{"MSG_NOTIFICATION", Const, 0, ""},
+		{"MSG_OOB", Const, 0, ""},
+		{"MSG_PEEK", Const, 0, ""},
+		{"MSG_PROXY", Const, 0, ""},
+		{"MSG_RCVMORE", Const, 0, ""},
+		{"MSG_RST", Const, 0, ""},
+		{"MSG_SEND", Const, 0, ""},
+		{"MSG_SYN", Const, 0, ""},
+		{"MSG_TRUNC", Const, 0, ""},
+		{"MSG_TRYHARD", Const, 0, ""},
+		{"MSG_USERFLAGS", Const, 1, ""},
+		{"MSG_WAITALL", Const, 0, ""},
+		{"MSG_WAITFORONE", Const, 0, ""},
+		{"MSG_WAITSTREAM", Const, 0, ""},
+		{"MS_ACTIVE", Const, 0, ""},
+		{"MS_ASYNC", Const, 0, ""},
+		{"MS_BIND", Const, 0, ""},
+		{"MS_DEACTIVATE", Const, 0, ""},
+		{"MS_DIRSYNC", Const, 0, ""},
+		{"MS_INVALIDATE", Const, 0, ""},
+		{"MS_I_VERSION", Const, 0, ""},
+		{"MS_KERNMOUNT", Const, 0, ""},
+		{"MS_KILLPAGES", Const, 0, ""},
+		{"MS_MANDLOCK", Const, 0, ""},
+		{"MS_MGC_MSK", Const, 0, ""},
+		{"MS_MGC_VAL", Const, 0, ""},
+		{"MS_MOVE", Const, 0, ""},
+		{"MS_NOATIME", Const, 0, ""},
+		{"MS_NODEV", Const, 0, ""},
+		{"MS_NODIRATIME", Const, 0, ""},
+		{"MS_NOEXEC", Const, 0, ""},
+		{"MS_NOSUID", Const, 0, ""},
+		{"MS_NOUSER", Const, 0, ""},
+		{"MS_POSIXACL", Const, 0, ""},
+		{"MS_PRIVATE", Const, 0, ""},
+		{"MS_RDONLY", Const, 0, ""},
+		{"MS_REC", Const, 0, ""},
+		{"MS_RELATIME", Const, 0, ""},
+		{"MS_REMOUNT", Const, 0, ""},
+		{"MS_RMT_MASK", Const, 0, ""},
+		{"MS_SHARED", Const, 0, ""},
+		{"MS_SILENT", Const, 0, ""},
+		{"MS_SLAVE", Const, 0, ""},
+		{"MS_STRICTATIME", Const, 0, ""},
+		{"MS_SYNC", Const, 0, ""},
+		{"MS_SYNCHRONOUS", Const, 0, ""},
+		{"MS_UNBINDABLE", Const, 0, ""},
+		{"Madvise", Func, 0, "func(b []byte, advice int) (err error)"},
+		{"MapViewOfFile", Func, 0, ""},
+		{"MaxTokenInfoClass", Const, 0, ""},
+		{"Mclpool", Type, 2, ""},
+		{"Mclpool.Alive", Field, 2, ""},
+		{"Mclpool.Cwm", Field, 2, ""},
+		{"Mclpool.Grown", Field, 2, ""},
+		{"Mclpool.Hwm", Field, 2, ""},
+		{"Mclpool.Lwm", Field, 2, ""},
+		{"MibIfRow", Type, 0, ""},
+		{"MibIfRow.AdminStatus", Field, 0, ""},
+		{"MibIfRow.Descr", Field, 0, ""},
+		{"MibIfRow.DescrLen", Field, 0, ""},
+		{"MibIfRow.InDiscards", Field, 0, ""},
+		{"MibIfRow.InErrors", Field, 0, ""},
+		{"MibIfRow.InNUcastPkts", Field, 0, ""},
+		{"MibIfRow.InOctets", Field, 0, ""},
+		{"MibIfRow.InUcastPkts", Field, 0, ""},
+		{"MibIfRow.InUnknownProtos", Field, 0, ""},
+		{"MibIfRow.Index", Field, 0, ""},
+		{"MibIfRow.LastChange", Field, 0, ""},
+		{"MibIfRow.Mtu", Field, 0, ""},
+		{"MibIfRow.Name", Field, 0, ""},
+		{"MibIfRow.OperStatus", Field, 0, ""},
+		{"MibIfRow.OutDiscards", Field, 0, ""},
+		{"MibIfRow.OutErrors", Field, 0, ""},
+		{"MibIfRow.OutNUcastPkts", Field, 0, ""},
+		{"MibIfRow.OutOctets", Field, 0, ""},
+		{"MibIfRow.OutQLen", Field, 0, ""},
+		{"MibIfRow.OutUcastPkts", Field, 0, ""},
+		{"MibIfRow.PhysAddr", Field, 0, ""},
+		{"MibIfRow.PhysAddrLen", Field, 0, ""},
+		{"MibIfRow.Speed", Field, 0, ""},
+		{"MibIfRow.Type", Field, 0, ""},
+		{"Mkdir", Func, 0, "func(path string, mode uint32) (err error)"},
+		{"Mkdirat", Func, 0, "func(dirfd int, path string, mode uint32) (err error)"},
+		{"Mkfifo", Func, 0, "func(path string, mode uint32) (err error)"},
+		{"Mknod", Func, 0, "func(path string, mode uint32, dev int) (err error)"},
+		{"Mknodat", Func, 0, "func(dirfd int, path string, mode uint32, dev int) (err error)"},
+		{"Mlock", Func, 0, "func(b []byte) (err error)"},
+		{"Mlockall", Func, 0, "func(flags int) (err error)"},
+		{"Mmap", Func, 0, "func(fd int, offset int64, length int, prot int, flags int) (data []byte, err error)"},
+		{"Mount", Func, 0, "func(source string, target string, fstype string, flags uintptr, data string) (err error)"},
+		{"MoveFile", Func, 0, ""},
+		{"Mprotect", Func, 0, "func(b []byte, prot int) (err error)"},
+		{"Msghdr", Type, 0, ""},
+		{"Msghdr.Control", Field, 0, ""},
+		{"Msghdr.Controllen", Field, 0, ""},
+		{"Msghdr.Flags", Field, 0, ""},
+		{"Msghdr.Iov", Field, 0, ""},
+		{"Msghdr.Iovlen", Field, 0, ""},
+		{"Msghdr.Name", Field, 0, ""},
+		{"Msghdr.Namelen", Field, 0, ""},
+		{"Msghdr.Pad_cgo_0", Field, 0, ""},
+		{"Msghdr.Pad_cgo_1", Field, 0, ""},
+		{"Munlock", Func, 0, "func(b []byte) (err error)"},
+		{"Munlockall", Func, 0, "func() (err error)"},
+		{"Munmap", Func, 0, "func(b []byte) (err error)"},
+		{"MustLoadDLL", Func, 0, ""},
+		{"NAME_MAX", Const, 0, ""},
+		{"NETLINK_ADD_MEMBERSHIP", Const, 0, ""},
+		{"NETLINK_AUDIT", Const, 0, ""},
+		{"NETLINK_BROADCAST_ERROR", Const, 0, ""},
+		{"NETLINK_CONNECTOR", Const, 0, ""},
+		{"NETLINK_DNRTMSG", Const, 0, ""},
+		{"NETLINK_DROP_MEMBERSHIP", Const, 0, ""},
+		{"NETLINK_ECRYPTFS", Const, 0, ""},
+		{"NETLINK_FIB_LOOKUP", Const, 0, ""},
+		{"NETLINK_FIREWALL", Const, 0, ""},
+		{"NETLINK_GENERIC", Const, 0, ""},
+		{"NETLINK_INET_DIAG", Const, 0, ""},
+		{"NETLINK_IP6_FW", Const, 0, ""},
+		{"NETLINK_ISCSI", Const, 0, ""},
+		{"NETLINK_KOBJECT_UEVENT", Const, 0, ""},
+		{"NETLINK_NETFILTER", Const, 0, ""},
+		{"NETLINK_NFLOG", Const, 0, ""},
+		{"NETLINK_NO_ENOBUFS", Const, 0, ""},
+		{"NETLINK_PKTINFO", Const, 0, ""},
+		{"NETLINK_RDMA", Const, 0, ""},
+		{"NETLINK_ROUTE", Const, 0, ""},
+		{"NETLINK_SCSITRANSPORT", Const, 0, ""},
+		{"NETLINK_SELINUX", Const, 0, ""},
+		{"NETLINK_UNUSED", Const, 0, ""},
+		{"NETLINK_USERSOCK", Const, 0, ""},
+		{"NETLINK_XFRM", Const, 0, ""},
+		{"NET_RT_DUMP", Const, 0, ""},
+		{"NET_RT_DUMP2", Const, 0, ""},
+		{"NET_RT_FLAGS", Const, 0, ""},
+		{"NET_RT_IFLIST", Const, 0, ""},
+		{"NET_RT_IFLIST2", Const, 0, ""},
+		{"NET_RT_IFLISTL", Const, 1, ""},
+		{"NET_RT_IFMALIST", Const, 0, ""},
+		{"NET_RT_MAXID", Const, 0, ""},
+		{"NET_RT_OIFLIST", Const, 1, ""},
+		{"NET_RT_OOIFLIST", Const, 1, ""},
+		{"NET_RT_STAT", Const, 0, ""},
+		{"NET_RT_STATS", Const, 1, ""},
+		{"NET_RT_TABLE", Const, 1, ""},
+		{"NET_RT_TRASH", Const, 0, ""},
+		{"NLA_ALIGNTO", Const, 0, ""},
+		{"NLA_F_NESTED", Const, 0, ""},
+		{"NLA_F_NET_BYTEORDER", Const, 0, ""},
+		{"NLA_HDRLEN", Const, 0, ""},
+		{"NLMSG_ALIGNTO", Const, 0, ""},
+		{"NLMSG_DONE", Const, 0, ""},
+		{"NLMSG_ERROR", Const, 0, ""},
+		{"NLMSG_HDRLEN", Const, 0, ""},
+		{"NLMSG_MIN_TYPE", Const, 0, ""},
+		{"NLMSG_NOOP", Const, 0, ""},
+		{"NLMSG_OVERRUN", Const, 0, ""},
+		{"NLM_F_ACK", Const, 0, ""},
+		{"NLM_F_APPEND", Const, 0, ""},
+		{"NLM_F_ATOMIC", Const, 0, ""},
+		{"NLM_F_CREATE", Const, 0, ""},
+		{"NLM_F_DUMP", Const, 0, ""},
+		{"NLM_F_ECHO", Const, 0, ""},
+		{"NLM_F_EXCL", Const, 0, ""},
+		{"NLM_F_MATCH", Const, 0, ""},
+		{"NLM_F_MULTI", Const, 0, ""},
+		{"NLM_F_REPLACE", Const, 0, ""},
+		{"NLM_F_REQUEST", Const, 0, ""},
+		{"NLM_F_ROOT", Const, 0, ""},
+		{"NOFLSH", Const, 0, ""},
+		{"NOTE_ABSOLUTE", Const, 0, ""},
+		{"NOTE_ATTRIB", Const, 0, ""},
+		{"NOTE_BACKGROUND", Const, 16, ""},
+		{"NOTE_CHILD", Const, 0, ""},
+		{"NOTE_CRITICAL", Const, 16, ""},
+		{"NOTE_DELETE", Const, 0, ""},
+		{"NOTE_EOF", Const, 1, ""},
+		{"NOTE_EXEC", Const, 0, ""},
+		{"NOTE_EXIT", Const, 0, ""},
+		{"NOTE_EXITSTATUS", Const, 0, ""},
+		{"NOTE_EXIT_CSERROR", Const, 16, ""},
+		{"NOTE_EXIT_DECRYPTFAIL", Const, 16, ""},
+		{"NOTE_EXIT_DETAIL", Const, 16, ""},
+		{"NOTE_EXIT_DETAIL_MASK", Const, 16, ""},
+		{"NOTE_EXIT_MEMORY", Const, 16, ""},
+		{"NOTE_EXIT_REPARENTED", Const, 16, ""},
+		{"NOTE_EXTEND", Const, 0, ""},
+		{"NOTE_FFAND", Const, 0, ""},
+		{"NOTE_FFCOPY", Const, 0, ""},
+		{"NOTE_FFCTRLMASK", Const, 0, ""},
+		{"NOTE_FFLAGSMASK", Const, 0, ""},
+		{"NOTE_FFNOP", Const, 0, ""},
+		{"NOTE_FFOR", Const, 0, ""},
+		{"NOTE_FORK", Const, 0, ""},
+		{"NOTE_LEEWAY", Const, 16, ""},
+		{"NOTE_LINK", Const, 0, ""},
+		{"NOTE_LOWAT", Const, 0, ""},
+		{"NOTE_NONE", Const, 0, ""},
+		{"NOTE_NSECONDS", Const, 0, ""},
+		{"NOTE_PCTRLMASK", Const, 0, ""},
+		{"NOTE_PDATAMASK", Const, 0, ""},
+		{"NOTE_REAP", Const, 0, ""},
+		{"NOTE_RENAME", Const, 0, ""},
+		{"NOTE_RESOURCEEND", Const, 0, ""},
+		{"NOTE_REVOKE", Const, 0, ""},
+		{"NOTE_SECONDS", Const, 0, ""},
+		{"NOTE_SIGNAL", Const, 0, ""},
+		{"NOTE_TRACK", Const, 0, ""},
+		{"NOTE_TRACKERR", Const, 0, ""},
+		{"NOTE_TRIGGER", Const, 0, ""},
+		{"NOTE_TRUNCATE", Const, 1, ""},
+		{"NOTE_USECONDS", Const, 0, ""},
+		{"NOTE_VM_ERROR", Const, 0, ""},
+		{"NOTE_VM_PRESSURE", Const, 0, ""},
+		{"NOTE_VM_PRESSURE_SUDDEN_TERMINATE", Const, 0, ""},
+		{"NOTE_VM_PRESSURE_TERMINATE", Const, 0, ""},
+		{"NOTE_WRITE", Const, 0, ""},
+		{"NameCanonical", Const, 0, ""},
+		{"NameCanonicalEx", Const, 0, ""},
+		{"NameDisplay", Const, 0, ""},
+		{"NameDnsDomain", Const, 0, ""},
+		{"NameFullyQualifiedDN", Const, 0, ""},
+		{"NameSamCompatible", Const, 0, ""},
+		{"NameServicePrincipal", Const, 0, ""},
+		{"NameUniqueId", Const, 0, ""},
+		{"NameUnknown", Const, 0, ""},
+		{"NameUserPrincipal", Const, 0, ""},
+		{"Nanosleep", Func, 0, "func(time *Timespec, leftover *Timespec) (err error)"},
+		{"NetApiBufferFree", Func, 0, ""},
+		{"NetGetJoinInformation", Func, 2, ""},
+		{"NetSetupDomainName", Const, 2, ""},
+		{"NetSetupUnjoined", Const, 2, ""},
+		{"NetSetupUnknownStatus", Const, 2, ""},
+		{"NetSetupWorkgroupName", Const, 2, ""},
+		{"NetUserGetInfo", Func, 0, ""},
+		{"NetlinkMessage", Type, 0, ""},
+		{"NetlinkMessage.Data", Field, 0, ""},
+		{"NetlinkMessage.Header", Field, 0, ""},
+		{"NetlinkRIB", Func, 0, "func(proto int, family int) ([]byte, error)"},
+		{"NetlinkRouteAttr", Type, 0, ""},
+		{"NetlinkRouteAttr.Attr", Field, 0, ""},
+		{"NetlinkRouteAttr.Value", Field, 0, ""},
+		{"NetlinkRouteRequest", Type, 0, ""},
+		{"NetlinkRouteRequest.Data", Field, 0, ""},
+		{"NetlinkRouteRequest.Header", Field, 0, ""},
+		{"NewCallback", Func, 0, ""},
+		{"NewCallbackCDecl", Func, 3, ""},
+		{"NewLazyDLL", Func, 0, ""},
+		{"NlAttr", Type, 0, ""},
+		{"NlAttr.Len", Field, 0, ""},
+		{"NlAttr.Type", Field, 0, ""},
+		{"NlMsgerr", Type, 0, ""},
+		{"NlMsgerr.Error", Field, 0, ""},
+		{"NlMsgerr.Msg", Field, 0, ""},
+		{"NlMsghdr", Type, 0, ""},
+		{"NlMsghdr.Flags", Field, 0, ""},
+		{"NlMsghdr.Len", Field, 0, ""},
+		{"NlMsghdr.Pid", Field, 0, ""},
+		{"NlMsghdr.Seq", Field, 0, ""},
+		{"NlMsghdr.Type", Field, 0, ""},
+		{"NsecToFiletime", Func, 0, ""},
+		{"NsecToTimespec", Func, 0, "func(nsec int64) Timespec"},
+		{"NsecToTimeval", Func, 0, "func(nsec int64) Timeval"},
+		{"Ntohs", Func, 0, ""},
+		{"OCRNL", Const, 0, ""},
+		{"OFDEL", Const, 0, ""},
+		{"OFILL", Const, 0, ""},
+		{"OFIOGETBMAP", Const, 1, ""},
+		{"OID_PKIX_KP_SERVER_AUTH", Var, 0, ""},
+		{"OID_SERVER_GATED_CRYPTO", Var, 0, ""},
+		{"OID_SGC_NETSCAPE", Var, 0, ""},
+		{"OLCUC", Const, 0, ""},
+		{"ONLCR", Const, 0, ""},
+		{"ONLRET", Const, 0, ""},
+		{"ONOCR", Const, 0, ""},
+		{"ONOEOT", Const, 1, ""},
+		{"OPEN_ALWAYS", Const, 0, ""},
+		{"OPEN_EXISTING", Const, 0, ""},
+		{"OPOST", Const, 0, ""},
+		{"O_ACCMODE", Const, 0, ""},
+		{"O_ALERT", Const, 0, ""},
+		{"O_ALT_IO", Const, 1, ""},
+		{"O_APPEND", Const, 0, ""},
+		{"O_ASYNC", Const, 0, ""},
+		{"O_CLOEXEC", Const, 0, ""},
+		{"O_CREAT", Const, 0, ""},
+		{"O_DIRECT", Const, 0, ""},
+		{"O_DIRECTORY", Const, 0, ""},
+		{"O_DP_GETRAWENCRYPTED", Const, 16, ""},
+		{"O_DSYNC", Const, 0, ""},
+		{"O_EVTONLY", Const, 0, ""},
+		{"O_EXCL", Const, 0, ""},
+		{"O_EXEC", Const, 0, ""},
+		{"O_EXLOCK", Const, 0, ""},
+		{"O_FSYNC", Const, 0, ""},
+		{"O_LARGEFILE", Const, 0, ""},
+		{"O_NDELAY", Const, 0, ""},
+		{"O_NOATIME", Const, 0, ""},
+		{"O_NOCTTY", Const, 0, ""},
+		{"O_NOFOLLOW", Const, 0, ""},
+		{"O_NONBLOCK", Const, 0, ""},
+		{"O_NOSIGPIPE", Const, 1, ""},
+		{"O_POPUP", Const, 0, ""},
+		{"O_RDONLY", Const, 0, ""},
+		{"O_RDWR", Const, 0, ""},
+		{"O_RSYNC", Const, 0, ""},
+		{"O_SHLOCK", Const, 0, ""},
+		{"O_SYMLINK", Const, 0, ""},
+		{"O_SYNC", Const, 0, ""},
+		{"O_TRUNC", Const, 0, ""},
+		{"O_TTY_INIT", Const, 0, ""},
+		{"O_WRONLY", Const, 0, ""},
+		{"Open", Func, 0, "func(path string, mode int, perm uint32) (fd int, err error)"},
+		{"OpenCurrentProcessToken", Func, 0, ""},
+		{"OpenProcess", Func, 0, ""},
+		{"OpenProcessToken", Func, 0, ""},
+		{"Openat", Func, 0, "func(dirfd int, path string, flags int, mode uint32) (fd int, err error)"},
+		{"Overlapped", Type, 0, ""},
+		{"Overlapped.HEvent", Field, 0, ""},
+		{"Overlapped.Internal", Field, 0, ""},
+		{"Overlapped.InternalHigh", Field, 0, ""},
+		{"Overlapped.Offset", Field, 0, ""},
+		{"Overlapped.OffsetHigh", Field, 0, ""},
+		{"PACKET_ADD_MEMBERSHIP", Const, 0, ""},
+		{"PACKET_BROADCAST", Const, 0, ""},
+		{"PACKET_DROP_MEMBERSHIP", Const, 0, ""},
+		{"PACKET_FASTROUTE", Const, 0, ""},
+		{"PACKET_HOST", Const, 0, ""},
+		{"PACKET_LOOPBACK", Const, 0, ""},
+		{"PACKET_MR_ALLMULTI", Const, 0, ""},
+		{"PACKET_MR_MULTICAST", Const, 0, ""},
+		{"PACKET_MR_PROMISC", Const, 0, ""},
+		{"PACKET_MULTICAST", Const, 0, ""},
+		{"PACKET_OTHERHOST", Const, 0, ""},
+		{"PACKET_OUTGOING", Const, 0, ""},
+		{"PACKET_RECV_OUTPUT", Const, 0, ""},
+		{"PACKET_RX_RING", Const, 0, ""},
+		{"PACKET_STATISTICS", Const, 0, ""},
+		{"PAGE_EXECUTE_READ", Const, 0, ""},
+		{"PAGE_EXECUTE_READWRITE", Const, 0, ""},
+		{"PAGE_EXECUTE_WRITECOPY", Const, 0, ""},
+		{"PAGE_READONLY", Const, 0, ""},
+		{"PAGE_READWRITE", Const, 0, ""},
+		{"PAGE_WRITECOPY", Const, 0, ""},
+		{"PARENB", Const, 0, ""},
+		{"PARMRK", Const, 0, ""},
+		{"PARODD", Const, 0, ""},
+		{"PENDIN", Const, 0, ""},
+		{"PFL_HIDDEN", Const, 2, ""},
+		{"PFL_MATCHES_PROTOCOL_ZERO", Const, 2, ""},
+		{"PFL_MULTIPLE_PROTO_ENTRIES", Const, 2, ""},
+		{"PFL_NETWORKDIRECT_PROVIDER", Const, 2, ""},
+		{"PFL_RECOMMENDED_PROTO_ENTRY", Const, 2, ""},
+		{"PF_FLUSH", Const, 1, ""},
+		{"PKCS_7_ASN_ENCODING", Const, 0, ""},
+		{"PMC5_PIPELINE_FLUSH", Const, 1, ""},
+		{"PRIO_PGRP", Const, 2, ""},
+		{"PRIO_PROCESS", Const, 2, ""},
+		{"PRIO_USER", Const, 2, ""},
+		{"PRI_IOFLUSH", Const, 1, ""},
+		{"PROCESS_QUERY_INFORMATION", Const, 0, ""},
+		{"PROCESS_TERMINATE", Const, 2, ""},
+		{"PROT_EXEC", Const, 0, ""},
+		{"PROT_GROWSDOWN", Const, 0, ""},
+		{"PROT_GROWSUP", Const, 0, ""},
+		{"PROT_NONE", Const, 0, ""},
+		{"PROT_READ", Const, 0, ""},
+		{"PROT_WRITE", Const, 0, ""},
+		{"PROV_DH_SCHANNEL", Const, 0, ""},
+		{"PROV_DSS", Const, 0, ""},
+		{"PROV_DSS_DH", Const, 0, ""},
+		{"PROV_EC_ECDSA_FULL", Const, 0, ""},
+		{"PROV_EC_ECDSA_SIG", Const, 0, ""},
+		{"PROV_EC_ECNRA_FULL", Const, 0, ""},
+		{"PROV_EC_ECNRA_SIG", Const, 0, ""},
+		{"PROV_FORTEZZA", Const, 0, ""},
+		{"PROV_INTEL_SEC", Const, 0, ""},
+		{"PROV_MS_EXCHANGE", Const, 0, ""},
+		{"PROV_REPLACE_OWF", Const, 0, ""},
+		{"PROV_RNG", Const, 0, ""},
+		{"PROV_RSA_AES", Const, 0, ""},
+		{"PROV_RSA_FULL", Const, 0, ""},
+		{"PROV_RSA_SCHANNEL", Const, 0, ""},
+		{"PROV_RSA_SIG", Const, 0, ""},
+		{"PROV_SPYRUS_LYNKS", Const, 0, ""},
+		{"PROV_SSL", Const, 0, ""},
+		{"PR_CAPBSET_DROP", Const, 0, ""},
+		{"PR_CAPBSET_READ", Const, 0, ""},
+		{"PR_CLEAR_SECCOMP_FILTER", Const, 0, ""},
+		{"PR_ENDIAN_BIG", Const, 0, ""},
+		{"PR_ENDIAN_LITTLE", Const, 0, ""},
+		{"PR_ENDIAN_PPC_LITTLE", Const, 0, ""},
+		{"PR_FPEMU_NOPRINT", Const, 0, ""},
+		{"PR_FPEMU_SIGFPE", Const, 0, ""},
+		{"PR_FP_EXC_ASYNC", Const, 0, ""},
+		{"PR_FP_EXC_DISABLED", Const, 0, ""},
+		{"PR_FP_EXC_DIV", Const, 0, ""},
+		{"PR_FP_EXC_INV", Const, 0, ""},
+		{"PR_FP_EXC_NONRECOV", Const, 0, ""},
+		{"PR_FP_EXC_OVF", Const, 0, ""},
+		{"PR_FP_EXC_PRECISE", Const, 0, ""},
+		{"PR_FP_EXC_RES", Const, 0, ""},
+		{"PR_FP_EXC_SW_ENABLE", Const, 0, ""},
+		{"PR_FP_EXC_UND", Const, 0, ""},
+		{"PR_GET_DUMPABLE", Const, 0, ""},
+		{"PR_GET_ENDIAN", Const, 0, ""},
+		{"PR_GET_FPEMU", Const, 0, ""},
+		{"PR_GET_FPEXC", Const, 0, ""},
+		{"PR_GET_KEEPCAPS", Const, 0, ""},
+		{"PR_GET_NAME", Const, 0, ""},
+		{"PR_GET_PDEATHSIG", Const, 0, ""},
+		{"PR_GET_SECCOMP", Const, 0, ""},
+		{"PR_GET_SECCOMP_FILTER", Const, 0, ""},
+		{"PR_GET_SECUREBITS", Const, 0, ""},
+		{"PR_GET_TIMERSLACK", Const, 0, ""},
+		{"PR_GET_TIMING", Const, 0, ""},
+		{"PR_GET_TSC", Const, 0, ""},
+		{"PR_GET_UNALIGN", Const, 0, ""},
+		{"PR_MCE_KILL", Const, 0, ""},
+		{"PR_MCE_KILL_CLEAR", Const, 0, ""},
+		{"PR_MCE_KILL_DEFAULT", Const, 0, ""},
+		{"PR_MCE_KILL_EARLY", Const, 0, ""},
+		{"PR_MCE_KILL_GET", Const, 0, ""},
+		{"PR_MCE_KILL_LATE", Const, 0, ""},
+		{"PR_MCE_KILL_SET", Const, 0, ""},
+		{"PR_SECCOMP_FILTER_EVENT", Const, 0, ""},
+		{"PR_SECCOMP_FILTER_SYSCALL", Const, 0, ""},
+		{"PR_SET_DUMPABLE", Const, 0, ""},
+		{"PR_SET_ENDIAN", Const, 0, ""},
+		{"PR_SET_FPEMU", Const, 0, ""},
+		{"PR_SET_FPEXC", Const, 0, ""},
+		{"PR_SET_KEEPCAPS", Const, 0, ""},
+		{"PR_SET_NAME", Const, 0, ""},
+		{"PR_SET_PDEATHSIG", Const, 0, ""},
+		{"PR_SET_PTRACER", Const, 0, ""},
+		{"PR_SET_SECCOMP", Const, 0, ""},
+		{"PR_SET_SECCOMP_FILTER", Const, 0, ""},
+		{"PR_SET_SECUREBITS", Const, 0, ""},
+		{"PR_SET_TIMERSLACK", Const, 0, ""},
+		{"PR_SET_TIMING", Const, 0, ""},
+		{"PR_SET_TSC", Const, 0, ""},
+		{"PR_SET_UNALIGN", Const, 0, ""},
+		{"PR_TASK_PERF_EVENTS_DISABLE", Const, 0, ""},
+		{"PR_TASK_PERF_EVENTS_ENABLE", Const, 0, ""},
+		{"PR_TIMING_STATISTICAL", Const, 0, ""},
+		{"PR_TIMING_TIMESTAMP", Const, 0, ""},
+		{"PR_TSC_ENABLE", Const, 0, ""},
+		{"PR_TSC_SIGSEGV", Const, 0, ""},
+		{"PR_UNALIGN_NOPRINT", Const, 0, ""},
+		{"PR_UNALIGN_SIGBUS", Const, 0, ""},
+		{"PTRACE_ARCH_PRCTL", Const, 0, ""},
+		{"PTRACE_ATTACH", Const, 0, ""},
+		{"PTRACE_CONT", Const, 0, ""},
+		{"PTRACE_DETACH", Const, 0, ""},
+		{"PTRACE_EVENT_CLONE", Const, 0, ""},
+		{"PTRACE_EVENT_EXEC", Const, 0, ""},
+		{"PTRACE_EVENT_EXIT", Const, 0, ""},
+		{"PTRACE_EVENT_FORK", Const, 0, ""},
+		{"PTRACE_EVENT_VFORK", Const, 0, ""},
+		{"PTRACE_EVENT_VFORK_DONE", Const, 0, ""},
+		{"PTRACE_GETCRUNCHREGS", Const, 0, ""},
+		{"PTRACE_GETEVENTMSG", Const, 0, ""},
+		{"PTRACE_GETFPREGS", Const, 0, ""},
+		{"PTRACE_GETFPXREGS", Const, 0, ""},
+		{"PTRACE_GETHBPREGS", Const, 0, ""},
+		{"PTRACE_GETREGS", Const, 0, ""},
+		{"PTRACE_GETREGSET", Const, 0, ""},
+		{"PTRACE_GETSIGINFO", Const, 0, ""},
+		{"PTRACE_GETVFPREGS", Const, 0, ""},
+		{"PTRACE_GETWMMXREGS", Const, 0, ""},
+		{"PTRACE_GET_THREAD_AREA", Const, 0, ""},
+		{"PTRACE_KILL", Const, 0, ""},
+		{"PTRACE_OLDSETOPTIONS", Const, 0, ""},
+		{"PTRACE_O_MASK", Const, 0, ""},
+		{"PTRACE_O_TRACECLONE", Const, 0, ""},
+		{"PTRACE_O_TRACEEXEC", Const, 0, ""},
+		{"PTRACE_O_TRACEEXIT", Const, 0, ""},
+		{"PTRACE_O_TRACEFORK", Const, 0, ""},
+		{"PTRACE_O_TRACESYSGOOD", Const, 0, ""},
+		{"PTRACE_O_TRACEVFORK", Const, 0, ""},
+		{"PTRACE_O_TRACEVFORKDONE", Const, 0, ""},
+		{"PTRACE_PEEKDATA", Const, 0, ""},
+		{"PTRACE_PEEKTEXT", Const, 0, ""},
+		{"PTRACE_PEEKUSR", Const, 0, ""},
+		{"PTRACE_POKEDATA", Const, 0, ""},
+		{"PTRACE_POKETEXT", Const, 0, ""},
+		{"PTRACE_POKEUSR", Const, 0, ""},
+		{"PTRACE_SETCRUNCHREGS", Const, 0, ""},
+		{"PTRACE_SETFPREGS", Const, 0, ""},
+		{"PTRACE_SETFPXREGS", Const, 0, ""},
+		{"PTRACE_SETHBPREGS", Const, 0, ""},
+		{"PTRACE_SETOPTIONS", Const, 0, ""},
+		{"PTRACE_SETREGS", Const, 0, ""},
+		{"PTRACE_SETREGSET", Const, 0, ""},
+		{"PTRACE_SETSIGINFO", Const, 0, ""},
+		{"PTRACE_SETVFPREGS", Const, 0, ""},
+		{"PTRACE_SETWMMXREGS", Const, 0, ""},
+		{"PTRACE_SET_SYSCALL", Const, 0, ""},
+		{"PTRACE_SET_THREAD_AREA", Const, 0, ""},
+		{"PTRACE_SINGLEBLOCK", Const, 0, ""},
+		{"PTRACE_SINGLESTEP", Const, 0, ""},
+		{"PTRACE_SYSCALL", Const, 0, ""},
+		{"PTRACE_SYSEMU", Const, 0, ""},
+		{"PTRACE_SYSEMU_SINGLESTEP", Const, 0, ""},
+		{"PTRACE_TRACEME", Const, 0, ""},
+		{"PT_ATTACH", Const, 0, ""},
+		{"PT_ATTACHEXC", Const, 0, ""},
+		{"PT_CONTINUE", Const, 0, ""},
+		{"PT_DATA_ADDR", Const, 0, ""},
+		{"PT_DENY_ATTACH", Const, 0, ""},
+		{"PT_DETACH", Const, 0, ""},
+		{"PT_FIRSTMACH", Const, 0, ""},
+		{"PT_FORCEQUOTA", Const, 0, ""},
+		{"PT_KILL", Const, 0, ""},
+		{"PT_MASK", Const, 1, ""},
+		{"PT_READ_D", Const, 0, ""},
+		{"PT_READ_I", Const, 0, ""},
+		{"PT_READ_U", Const, 0, ""},
+		{"PT_SIGEXC", Const, 0, ""},
+		{"PT_STEP", Const, 0, ""},
+		{"PT_TEXT_ADDR", Const, 0, ""},
+		{"PT_TEXT_END_ADDR", Const, 0, ""},
+		{"PT_THUPDATE", Const, 0, ""},
+		{"PT_TRACE_ME", Const, 0, ""},
+		{"PT_WRITE_D", Const, 0, ""},
+		{"PT_WRITE_I", Const, 0, ""},
+		{"PT_WRITE_U", Const, 0, ""},
+		{"ParseDirent", Func, 0, "func(buf []byte, max int, names []string) (consumed int, count int, newnames []string)"},
+		{"ParseNetlinkMessage", Func, 0, "func(b []byte) ([]NetlinkMessage, error)"},
+		{"ParseNetlinkRouteAttr", Func, 0, "func(m *NetlinkMessage) ([]NetlinkRouteAttr, error)"},
+		{"ParseRoutingMessage", Func, 0, ""},
+		{"ParseRoutingSockaddr", Func, 0, ""},
+		{"ParseSocketControlMessage", Func, 0, "func(b []byte) ([]SocketControlMessage, error)"},
+		{"ParseUnixCredentials", Func, 0, "func(m *SocketControlMessage) (*Ucred, error)"},
+		{"ParseUnixRights", Func, 0, "func(m *SocketControlMessage) ([]int, error)"},
+		{"PathMax", Const, 0, ""},
+		{"Pathconf", Func, 0, ""},
+		{"Pause", Func, 0, "func() (err error)"},
+		{"Pipe", Func, 0, "func(p []int) error"},
+		{"Pipe2", Func, 1, "func(p []int, flags int) error"},
+		{"PivotRoot", Func, 0, "func(newroot string, putold string) (err error)"},
+		{"Pointer", Type, 11, ""},
+		{"PostQueuedCompletionStatus", Func, 0, ""},
+		{"Pread", Func, 0, "func(fd int, p []byte, offset int64) (n int, err error)"},
+		{"Proc", Type, 0, ""},
+		{"Proc.Dll", Field, 0, ""},
+		{"Proc.Name", Field, 0, ""},
+		{"ProcAttr", Type, 0, ""},
+		{"ProcAttr.Dir", Field, 0, ""},
+		{"ProcAttr.Env", Field, 0, ""},
+		{"ProcAttr.Files", Field, 0, ""},
+		{"ProcAttr.Sys", Field, 0, ""},
+		{"Process32First", Func, 4, ""},
+		{"Process32Next", Func, 4, ""},
+		{"ProcessEntry32", Type, 4, ""},
+		{"ProcessEntry32.DefaultHeapID", Field, 4, ""},
+		{"ProcessEntry32.ExeFile", Field, 4, ""},
+		{"ProcessEntry32.Flags", Field, 4, ""},
+		{"ProcessEntry32.ModuleID", Field, 4, ""},
+		{"ProcessEntry32.ParentProcessID", Field, 4, ""},
+		{"ProcessEntry32.PriClassBase", Field, 4, ""},
+		{"ProcessEntry32.ProcessID", Field, 4, ""},
+		{"ProcessEntry32.Size", Field, 4, ""},
+		{"ProcessEntry32.Threads", Field, 4, ""},
+		{"ProcessEntry32.Usage", Field, 4, ""},
+		{"ProcessInformation", Type, 0, ""},
+		{"ProcessInformation.Process", Field, 0, ""},
+		{"ProcessInformation.ProcessId", Field, 0, ""},
+		{"ProcessInformation.Thread", Field, 0, ""},
+		{"ProcessInformation.ThreadId", Field, 0, ""},
+		{"Protoent", Type, 0, ""},
+		{"Protoent.Aliases", Field, 0, ""},
+		{"Protoent.Name", Field, 0, ""},
+		{"Protoent.Proto", Field, 0, ""},
+		{"PtraceAttach", Func, 0, "func(pid int) (err error)"},
+		{"PtraceCont", Func, 0, "func(pid int, signal int) (err error)"},
+		{"PtraceDetach", Func, 0, "func(pid int) (err error)"},
+		{"PtraceGetEventMsg", Func, 0, "func(pid int) (msg uint, err error)"},
+		{"PtraceGetRegs", Func, 0, "func(pid int, regsout *PtraceRegs) (err error)"},
+		{"PtracePeekData", Func, 0, "func(pid int, addr uintptr, out []byte) (count int, err error)"},
+		{"PtracePeekText", Func, 0, "func(pid int, addr uintptr, out []byte) (count int, err error)"},
+		{"PtracePokeData", Func, 0, "func(pid int, addr uintptr, data []byte) (count int, err error)"},
+		{"PtracePokeText", Func, 0, "func(pid int, addr uintptr, data []byte) (count int, err error)"},
+		{"PtraceRegs", Type, 0, ""},
+		{"PtraceRegs.Cs", Field, 0, ""},
+		{"PtraceRegs.Ds", Field, 0, ""},
+		{"PtraceRegs.Eax", Field, 0, ""},
+		{"PtraceRegs.Ebp", Field, 0, ""},
+		{"PtraceRegs.Ebx", Field, 0, ""},
+		{"PtraceRegs.Ecx", Field, 0, ""},
+		{"PtraceRegs.Edi", Field, 0, ""},
+		{"PtraceRegs.Edx", Field, 0, ""},
+		{"PtraceRegs.Eflags", Field, 0, ""},
+		{"PtraceRegs.Eip", Field, 0, ""},
+		{"PtraceRegs.Es", Field, 0, ""},
+		{"PtraceRegs.Esi", Field, 0, ""},
+		{"PtraceRegs.Esp", Field, 0, ""},
+		{"PtraceRegs.Fs", Field, 0, ""},
+		{"PtraceRegs.Fs_base", Field, 0, ""},
+		{"PtraceRegs.Gs", Field, 0, ""},
+		{"PtraceRegs.Gs_base", Field, 0, ""},
+		{"PtraceRegs.Orig_eax", Field, 0, ""},
+		{"PtraceRegs.Orig_rax", Field, 0, ""},
+		{"PtraceRegs.R10", Field, 0, ""},
+		{"PtraceRegs.R11", Field, 0, ""},
+		{"PtraceRegs.R12", Field, 0, ""},
+		{"PtraceRegs.R13", Field, 0, ""},
+		{"PtraceRegs.R14", Field, 0, ""},
+		{"PtraceRegs.R15", Field, 0, ""},
+		{"PtraceRegs.R8", Field, 0, ""},
+		{"PtraceRegs.R9", Field, 0, ""},
+		{"PtraceRegs.Rax", Field, 0, ""},
+		{"PtraceRegs.Rbp", Field, 0, ""},
+		{"PtraceRegs.Rbx", Field, 0, ""},
+		{"PtraceRegs.Rcx", Field, 0, ""},
+		{"PtraceRegs.Rdi", Field, 0, ""},
+		{"PtraceRegs.Rdx", Field, 0, ""},
+		{"PtraceRegs.Rip", Field, 0, ""},
+		{"PtraceRegs.Rsi", Field, 0, ""},
+		{"PtraceRegs.Rsp", Field, 0, ""},
+		{"PtraceRegs.Ss", Field, 0, ""},
+		{"PtraceRegs.Uregs", Field, 0, ""},
+		{"PtraceRegs.Xcs", Field, 0, ""},
+		{"PtraceRegs.Xds", Field, 0, ""},
+		{"PtraceRegs.Xes", Field, 0, ""},
+		{"PtraceRegs.Xfs", Field, 0, ""},
+		{"PtraceRegs.Xgs", Field, 0, ""},
+		{"PtraceRegs.Xss", Field, 0, ""},
+		{"PtraceSetOptions", Func, 0, "func(pid int, options int) (err error)"},
+		{"PtraceSetRegs", Func, 0, "func(pid int, regs *PtraceRegs) (err error)"},
+		{"PtraceSingleStep", Func, 0, "func(pid int) (err error)"},
+		{"PtraceSyscall", Func, 1, "func(pid int, signal int) (err error)"},
+		{"Pwrite", Func, 0, "func(fd int, p []byte, offset int64) (n int, err error)"},
+		{"REG_BINARY", Const, 0, ""},
+		{"REG_DWORD", Const, 0, ""},
+		{"REG_DWORD_BIG_ENDIAN", Const, 0, ""},
+		{"REG_DWORD_LITTLE_ENDIAN", Const, 0, ""},
+		{"REG_EXPAND_SZ", Const, 0, ""},
+		{"REG_FULL_RESOURCE_DESCRIPTOR", Const, 0, ""},
+		{"REG_LINK", Const, 0, ""},
+		{"REG_MULTI_SZ", Const, 0, ""},
+		{"REG_NONE", Const, 0, ""},
+		{"REG_QWORD", Const, 0, ""},
+		{"REG_QWORD_LITTLE_ENDIAN", Const, 0, ""},
+		{"REG_RESOURCE_LIST", Const, 0, ""},
+		{"REG_RESOURCE_REQUIREMENTS_LIST", Const, 0, ""},
+		{"REG_SZ", Const, 0, ""},
+		{"RLIMIT_AS", Const, 0, ""},
+		{"RLIMIT_CORE", Const, 0, ""},
+		{"RLIMIT_CPU", Const, 0, ""},
+		{"RLIMIT_CPU_USAGE_MONITOR", Const, 16, ""},
+		{"RLIMIT_DATA", Const, 0, ""},
+		{"RLIMIT_FSIZE", Const, 0, ""},
+		{"RLIMIT_NOFILE", Const, 0, ""},
+		{"RLIMIT_STACK", Const, 0, ""},
+		{"RLIM_INFINITY", Const, 0, ""},
+		{"RTAX_ADVMSS", Const, 0, ""},
+		{"RTAX_AUTHOR", Const, 0, ""},
+		{"RTAX_BRD", Const, 0, ""},
+		{"RTAX_CWND", Const, 0, ""},
+		{"RTAX_DST", Const, 0, ""},
+		{"RTAX_FEATURES", Const, 0, ""},
+		{"RTAX_FEATURE_ALLFRAG", Const, 0, ""},
+		{"RTAX_FEATURE_ECN", Const, 0, ""},
+		{"RTAX_FEATURE_SACK", Const, 0, ""},
+		{"RTAX_FEATURE_TIMESTAMP", Const, 0, ""},
+		{"RTAX_GATEWAY", Const, 0, ""},
+		{"RTAX_GENMASK", Const, 0, ""},
+		{"RTAX_HOPLIMIT", Const, 0, ""},
+		{"RTAX_IFA", Const, 0, ""},
+		{"RTAX_IFP", Const, 0, ""},
+		{"RTAX_INITCWND", Const, 0, ""},
+		{"RTAX_INITRWND", Const, 0, ""},
+		{"RTAX_LABEL", Const, 1, ""},
+		{"RTAX_LOCK", Const, 0, ""},
+		{"RTAX_MAX", Const, 0, ""},
+		{"RTAX_MTU", Const, 0, ""},
+		{"RTAX_NETMASK", Const, 0, ""},
+		{"RTAX_REORDERING", Const, 0, ""},
+		{"RTAX_RTO_MIN", Const, 0, ""},
+		{"RTAX_RTT", Const, 0, ""},
+		{"RTAX_RTTVAR", Const, 0, ""},
+		{"RTAX_SRC", Const, 1, ""},
+		{"RTAX_SRCMASK", Const, 1, ""},
+		{"RTAX_SSTHRESH", Const, 0, ""},
+		{"RTAX_TAG", Const, 1, ""},
+		{"RTAX_UNSPEC", Const, 0, ""},
+		{"RTAX_WINDOW", Const, 0, ""},
+		{"RTA_ALIGNTO", Const, 0, ""},
+		{"RTA_AUTHOR", Const, 0, ""},
+		{"RTA_BRD", Const, 0, ""},
+		{"RTA_CACHEINFO", Const, 0, ""},
+		{"RTA_DST", Const, 0, ""},
+		{"RTA_FLOW", Const, 0, ""},
+		{"RTA_GATEWAY", Const, 0, ""},
+		{"RTA_GENMASK", Const, 0, ""},
+		{"RTA_IFA", Const, 0, ""},
+		{"RTA_IFP", Const, 0, ""},
+		{"RTA_IIF", Const, 0, ""},
+		{"RTA_LABEL", Const, 1, ""},
+		{"RTA_MAX", Const, 0, ""},
+		{"RTA_METRICS", Const, 0, ""},
+		{"RTA_MULTIPATH", Const, 0, ""},
+		{"RTA_NETMASK", Const, 0, ""},
+		{"RTA_OIF", Const, 0, ""},
+		{"RTA_PREFSRC", Const, 0, ""},
+		{"RTA_PRIORITY", Const, 0, ""},
+		{"RTA_SRC", Const, 0, ""},
+		{"RTA_SRCMASK", Const, 1, ""},
+		{"RTA_TABLE", Const, 0, ""},
+		{"RTA_TAG", Const, 1, ""},
+		{"RTA_UNSPEC", Const, 0, ""},
+		{"RTCF_DIRECTSRC", Const, 0, ""},
+		{"RTCF_DOREDIRECT", Const, 0, ""},
+		{"RTCF_LOG", Const, 0, ""},
+		{"RTCF_MASQ", Const, 0, ""},
+		{"RTCF_NAT", Const, 0, ""},
+		{"RTCF_VALVE", Const, 0, ""},
+		{"RTF_ADDRCLASSMASK", Const, 0, ""},
+		{"RTF_ADDRCONF", Const, 0, ""},
+		{"RTF_ALLONLINK", Const, 0, ""},
+		{"RTF_ANNOUNCE", Const, 1, ""},
+		{"RTF_BLACKHOLE", Const, 0, ""},
+		{"RTF_BROADCAST", Const, 0, ""},
+		{"RTF_CACHE", Const, 0, ""},
+		{"RTF_CLONED", Const, 1, ""},
+		{"RTF_CLONING", Const, 0, ""},
+		{"RTF_CONDEMNED", Const, 0, ""},
+		{"RTF_DEFAULT", Const, 0, ""},
+		{"RTF_DELCLONE", Const, 0, ""},
+		{"RTF_DONE", Const, 0, ""},
+		{"RTF_DYNAMIC", Const, 0, ""},
+		{"RTF_FLOW", Const, 0, ""},
+		{"RTF_FMASK", Const, 0, ""},
+		{"RTF_GATEWAY", Const, 0, ""},
+		{"RTF_GWFLAG_COMPAT", Const, 3, ""},
+		{"RTF_HOST", Const, 0, ""},
+		{"RTF_IFREF", Const, 0, ""},
+		{"RTF_IFSCOPE", Const, 0, ""},
+		{"RTF_INTERFACE", Const, 0, ""},
+		{"RTF_IRTT", Const, 0, ""},
+		{"RTF_LINKRT", Const, 0, ""},
+		{"RTF_LLDATA", Const, 0, ""},
+		{"RTF_LLINFO", Const, 0, ""},
+		{"RTF_LOCAL", Const, 0, ""},
+		{"RTF_MASK", Const, 1, ""},
+		{"RTF_MODIFIED", Const, 0, ""},
+		{"RTF_MPATH", Const, 1, ""},
+		{"RTF_MPLS", Const, 1, ""},
+		{"RTF_MSS", Const, 0, ""},
+		{"RTF_MTU", Const, 0, ""},
+		{"RTF_MULTICAST", Const, 0, ""},
+		{"RTF_NAT", Const, 0, ""},
+		{"RTF_NOFORWARD", Const, 0, ""},
+		{"RTF_NONEXTHOP", Const, 0, ""},
+		{"RTF_NOPMTUDISC", Const, 0, ""},
+		{"RTF_PERMANENT_ARP", Const, 1, ""},
+		{"RTF_PINNED", Const, 0, ""},
+		{"RTF_POLICY", Const, 0, ""},
+		{"RTF_PRCLONING", Const, 0, ""},
+		{"RTF_PROTO1", Const, 0, ""},
+		{"RTF_PROTO2", Const, 0, ""},
+		{"RTF_PROTO3", Const, 0, ""},
+		{"RTF_PROXY", Const, 16, ""},
+		{"RTF_REINSTATE", Const, 0, ""},
+		{"RTF_REJECT", Const, 0, ""},
+		{"RTF_RNH_LOCKED", Const, 0, ""},
+		{"RTF_ROUTER", Const, 16, ""},
+		{"RTF_SOURCE", Const, 1, ""},
+		{"RTF_SRC", Const, 1, ""},
+		{"RTF_STATIC", Const, 0, ""},
+		{"RTF_STICKY", Const, 0, ""},
+		{"RTF_THROW", Const, 0, ""},
+		{"RTF_TUNNEL", Const, 1, ""},
+		{"RTF_UP", Const, 0, ""},
+		{"RTF_USETRAILERS", Const, 1, ""},
+		{"RTF_WASCLONED", Const, 0, ""},
+		{"RTF_WINDOW", Const, 0, ""},
+		{"RTF_XRESOLVE", Const, 0, ""},
+		{"RTM_ADD", Const, 0, ""},
+		{"RTM_BASE", Const, 0, ""},
+		{"RTM_CHANGE", Const, 0, ""},
+		{"RTM_CHGADDR", Const, 1, ""},
+		{"RTM_DELACTION", Const, 0, ""},
+		{"RTM_DELADDR", Const, 0, ""},
+		{"RTM_DELADDRLABEL", Const, 0, ""},
+		{"RTM_DELETE", Const, 0, ""},
+		{"RTM_DELLINK", Const, 0, ""},
+		{"RTM_DELMADDR", Const, 0, ""},
+		{"RTM_DELNEIGH", Const, 0, ""},
+		{"RTM_DELQDISC", Const, 0, ""},
+		{"RTM_DELROUTE", Const, 0, ""},
+		{"RTM_DELRULE", Const, 0, ""},
+		{"RTM_DELTCLASS", Const, 0, ""},
+		{"RTM_DELTFILTER", Const, 0, ""},
+		{"RTM_DESYNC", Const, 1, ""},
+		{"RTM_F_CLONED", Const, 0, ""},
+		{"RTM_F_EQUALIZE", Const, 0, ""},
+		{"RTM_F_NOTIFY", Const, 0, ""},
+		{"RTM_F_PREFIX", Const, 0, ""},
+		{"RTM_GET", Const, 0, ""},
+		{"RTM_GET2", Const, 0, ""},
+		{"RTM_GETACTION", Const, 0, ""},
+		{"RTM_GETADDR", Const, 0, ""},
+		{"RTM_GETADDRLABEL", Const, 0, ""},
+		{"RTM_GETANYCAST", Const, 0, ""},
+		{"RTM_GETDCB", Const, 0, ""},
+		{"RTM_GETLINK", Const, 0, ""},
+		{"RTM_GETMULTICAST", Const, 0, ""},
+		{"RTM_GETNEIGH", Const, 0, ""},
+		{"RTM_GETNEIGHTBL", Const, 0, ""},
+		{"RTM_GETQDISC", Const, 0, ""},
+		{"RTM_GETROUTE", Const, 0, ""},
+		{"RTM_GETRULE", Const, 0, ""},
+		{"RTM_GETTCLASS", Const, 0, ""},
+		{"RTM_GETTFILTER", Const, 0, ""},
+		{"RTM_IEEE80211", Const, 0, ""},
+		{"RTM_IFANNOUNCE", Const, 0, ""},
+		{"RTM_IFINFO", Const, 0, ""},
+		{"RTM_IFINFO2", Const, 0, ""},
+		{"RTM_LLINFO_UPD", Const, 1, ""},
+		{"RTM_LOCK", Const, 0, ""},
+		{"RTM_LOSING", Const, 0, ""},
+		{"RTM_MAX", Const, 0, ""},
+		{"RTM_MAXSIZE", Const, 1, ""},
+		{"RTM_MISS", Const, 0, ""},
+		{"RTM_NEWACTION", Const, 0, ""},
+		{"RTM_NEWADDR", Const, 0, ""},
+		{"RTM_NEWADDRLABEL", Const, 0, ""},
+		{"RTM_NEWLINK", Const, 0, ""},
+		{"RTM_NEWMADDR", Const, 0, ""},
+		{"RTM_NEWMADDR2", Const, 0, ""},
+		{"RTM_NEWNDUSEROPT", Const, 0, ""},
+		{"RTM_NEWNEIGH", Const, 0, ""},
+		{"RTM_NEWNEIGHTBL", Const, 0, ""},
+		{"RTM_NEWPREFIX", Const, 0, ""},
+		{"RTM_NEWQDISC", Const, 0, ""},
+		{"RTM_NEWROUTE", Const, 0, ""},
+		{"RTM_NEWRULE", Const, 0, ""},
+		{"RTM_NEWTCLASS", Const, 0, ""},
+		{"RTM_NEWTFILTER", Const, 0, ""},
+		{"RTM_NR_FAMILIES", Const, 0, ""},
+		{"RTM_NR_MSGTYPES", Const, 0, ""},
+		{"RTM_OIFINFO", Const, 1, ""},
+		{"RTM_OLDADD", Const, 0, ""},
+		{"RTM_OLDDEL", Const, 0, ""},
+		{"RTM_OOIFINFO", Const, 1, ""},
+		{"RTM_REDIRECT", Const, 0, ""},
+		{"RTM_RESOLVE", Const, 0, ""},
+		{"RTM_RTTUNIT", Const, 0, ""},
+		{"RTM_SETDCB", Const, 0, ""},
+		{"RTM_SETGATE", Const, 1, ""},
+		{"RTM_SETLINK", Const, 0, ""},
+		{"RTM_SETNEIGHTBL", Const, 0, ""},
+		{"RTM_VERSION", Const, 0, ""},
+		{"RTNH_ALIGNTO", Const, 0, ""},
+		{"RTNH_F_DEAD", Const, 0, ""},
+		{"RTNH_F_ONLINK", Const, 0, ""},
+		{"RTNH_F_PERVASIVE", Const, 0, ""},
+		{"RTNLGRP_IPV4_IFADDR", Const, 1, ""},
+		{"RTNLGRP_IPV4_MROUTE", Const, 1, ""},
+		{"RTNLGRP_IPV4_ROUTE", Const, 1, ""},
+		{"RTNLGRP_IPV4_RULE", Const, 1, ""},
+		{"RTNLGRP_IPV6_IFADDR", Const, 1, ""},
+		{"RTNLGRP_IPV6_IFINFO", Const, 1, ""},
+		{"RTNLGRP_IPV6_MROUTE", Const, 1, ""},
+		{"RTNLGRP_IPV6_PREFIX", Const, 1, ""},
+		{"RTNLGRP_IPV6_ROUTE", Const, 1, ""},
+		{"RTNLGRP_IPV6_RULE", Const, 1, ""},
+		{"RTNLGRP_LINK", Const, 1, ""},
+		{"RTNLGRP_ND_USEROPT", Const, 1, ""},
+		{"RTNLGRP_NEIGH", Const, 1, ""},
+		{"RTNLGRP_NONE", Const, 1, ""},
+		{"RTNLGRP_NOTIFY", Const, 1, ""},
+		{"RTNLGRP_TC", Const, 1, ""},
+		{"RTN_ANYCAST", Const, 0, ""},
+		{"RTN_BLACKHOLE", Const, 0, ""},
+		{"RTN_BROADCAST", Const, 0, ""},
+		{"RTN_LOCAL", Const, 0, ""},
+		{"RTN_MAX", Const, 0, ""},
+		{"RTN_MULTICAST", Const, 0, ""},
+		{"RTN_NAT", Const, 0, ""},
+		{"RTN_PROHIBIT", Const, 0, ""},
+		{"RTN_THROW", Const, 0, ""},
+		{"RTN_UNICAST", Const, 0, ""},
+		{"RTN_UNREACHABLE", Const, 0, ""},
+		{"RTN_UNSPEC", Const, 0, ""},
+		{"RTN_XRESOLVE", Const, 0, ""},
+		{"RTPROT_BIRD", Const, 0, ""},
+		{"RTPROT_BOOT", Const, 0, ""},
+		{"RTPROT_DHCP", Const, 0, ""},
+		{"RTPROT_DNROUTED", Const, 0, ""},
+		{"RTPROT_GATED", Const, 0, ""},
+		{"RTPROT_KERNEL", Const, 0, ""},
+		{"RTPROT_MRT", Const, 0, ""},
+		{"RTPROT_NTK", Const, 0, ""},
+		{"RTPROT_RA", Const, 0, ""},
+		{"RTPROT_REDIRECT", Const, 0, ""},
+		{"RTPROT_STATIC", Const, 0, ""},
+		{"RTPROT_UNSPEC", Const, 0, ""},
+		{"RTPROT_XORP", Const, 0, ""},
+		{"RTPROT_ZEBRA", Const, 0, ""},
+		{"RTV_EXPIRE", Const, 0, ""},
+		{"RTV_HOPCOUNT", Const, 0, ""},
+		{"RTV_MTU", Const, 0, ""},
+		{"RTV_RPIPE", Const, 0, ""},
+		{"RTV_RTT", Const, 0, ""},
+		{"RTV_RTTVAR", Const, 0, ""},
+		{"RTV_SPIPE", Const, 0, ""},
+		{"RTV_SSTHRESH", Const, 0, ""},
+		{"RTV_WEIGHT", Const, 0, ""},
+		{"RT_CACHING_CONTEXT", Const, 1, ""},
+		{"RT_CLASS_DEFAULT", Const, 0, ""},
+		{"RT_CLASS_LOCAL", Const, 0, ""},
+		{"RT_CLASS_MAIN", Const, 0, ""},
+		{"RT_CLASS_MAX", Const, 0, ""},
+		{"RT_CLASS_UNSPEC", Const, 0, ""},
+		{"RT_DEFAULT_FIB", Const, 1, ""},
+		{"RT_NORTREF", Const, 1, ""},
+		{"RT_SCOPE_HOST", Const, 0, ""},
+		{"RT_SCOPE_LINK", Const, 0, ""},
+		{"RT_SCOPE_NOWHERE", Const, 0, ""},
+		{"RT_SCOPE_SITE", Const, 0, ""},
+		{"RT_SCOPE_UNIVERSE", Const, 0, ""},
+		{"RT_TABLEID_MAX", Const, 1, ""},
+		{"RT_TABLE_COMPAT", Const, 0, ""},
+		{"RT_TABLE_DEFAULT", Const, 0, ""},
+		{"RT_TABLE_LOCAL", Const, 0, ""},
+		{"RT_TABLE_MAIN", Const, 0, ""},
+		{"RT_TABLE_MAX", Const, 0, ""},
+		{"RT_TABLE_UNSPEC", Const, 0, ""},
+		{"RUSAGE_CHILDREN", Const, 0, ""},
+		{"RUSAGE_SELF", Const, 0, ""},
+		{"RUSAGE_THREAD", Const, 0, ""},
+		{"Radvisory_t", Type, 0, ""},
+		{"Radvisory_t.Count", Field, 0, ""},
+		{"Radvisory_t.Offset", Field, 0, ""},
+		{"Radvisory_t.Pad_cgo_0", Field, 0, ""},
+		{"RawConn", Type, 9, ""},
+		{"RawSockaddr", Type, 0, ""},
+		{"RawSockaddr.Data", Field, 0, ""},
+		{"RawSockaddr.Family", Field, 0, ""},
+		{"RawSockaddr.Len", Field, 0, ""},
+		{"RawSockaddrAny", Type, 0, ""},
+		{"RawSockaddrAny.Addr", Field, 0, ""},
+		{"RawSockaddrAny.Pad", Field, 0, ""},
+		{"RawSockaddrDatalink", Type, 0, ""},
+		{"RawSockaddrDatalink.Alen", Field, 0, ""},
+		{"RawSockaddrDatalink.Data", Field, 0, ""},
+		{"RawSockaddrDatalink.Family", Field, 0, ""},
+		{"RawSockaddrDatalink.Index", Field, 0, ""},
+		{"RawSockaddrDatalink.Len", Field, 0, ""},
+		{"RawSockaddrDatalink.Nlen", Field, 0, ""},
+		{"RawSockaddrDatalink.Pad_cgo_0", Field, 2, ""},
+		{"RawSockaddrDatalink.Slen", Field, 0, ""},
+		{"RawSockaddrDatalink.Type", Field, 0, ""},
+		{"RawSockaddrInet4", Type, 0, ""},
+		{"RawSockaddrInet4.Addr", Field, 0, ""},
+		{"RawSockaddrInet4.Family", Field, 0, ""},
+		{"RawSockaddrInet4.Len", Field, 0, ""},
+		{"RawSockaddrInet4.Port", Field, 0, ""},
+		{"RawSockaddrInet4.Zero", Field, 0, ""},
+		{"RawSockaddrInet6", Type, 0, ""},
+		{"RawSockaddrInet6.Addr", Field, 0, ""},
+		{"RawSockaddrInet6.Family", Field, 0, ""},
+		{"RawSockaddrInet6.Flowinfo", Field, 0, ""},
+		{"RawSockaddrInet6.Len", Field, 0, ""},
+		{"RawSockaddrInet6.Port", Field, 0, ""},
+		{"RawSockaddrInet6.Scope_id", Field, 0, ""},
+		{"RawSockaddrLinklayer", Type, 0, ""},
+		{"RawSockaddrLinklayer.Addr", Field, 0, ""},
+		{"RawSockaddrLinklayer.Family", Field, 0, ""},
+		{"RawSockaddrLinklayer.Halen", Field, 0, ""},
+		{"RawSockaddrLinklayer.Hatype", Field, 0, ""},
+		{"RawSockaddrLinklayer.Ifindex", Field, 0, ""},
+		{"RawSockaddrLinklayer.Pkttype", Field, 0, ""},
+		{"RawSockaddrLinklayer.Protocol", Field, 0, ""},
+		{"RawSockaddrNetlink", Type, 0, ""},
+		{"RawSockaddrNetlink.Family", Field, 0, ""},
+		{"RawSockaddrNetlink.Groups", Field, 0, ""},
+		{"RawSockaddrNetlink.Pad", Field, 0, ""},
+		{"RawSockaddrNetlink.Pid", Field, 0, ""},
+		{"RawSockaddrUnix", Type, 0, ""},
+		{"RawSockaddrUnix.Family", Field, 0, ""},
+		{"RawSockaddrUnix.Len", Field, 0, ""},
+		{"RawSockaddrUnix.Pad_cgo_0", Field, 2, ""},
+		{"RawSockaddrUnix.Path", Field, 0, ""},
+		{"RawSyscall", Func, 0, "func(trap uintptr, a1 uintptr, a2 uintptr, a3 uintptr) (r1 uintptr, r2 uintptr, err Errno)"},
+		{"RawSyscall6", Func, 0, "func(trap uintptr, a1 uintptr, a2 uintptr, a3 uintptr, a4 uintptr, a5 uintptr, a6 uintptr) (r1 uintptr, r2 uintptr, err Errno)"},
+		{"Read", Func, 0, "func(fd int, p []byte) (n int, err error)"},
+		{"ReadConsole", Func, 1, ""},
+		{"ReadDirectoryChanges", Func, 0, ""},
+		{"ReadDirent", Func, 0, "func(fd int, buf []byte) (n int, err error)"},
+		{"ReadFile", Func, 0, ""},
+		{"Readlink", Func, 0, "func(path string, buf []byte) (n int, err error)"},
+		{"Reboot", Func, 0, "func(cmd int) (err error)"},
+		{"Recvfrom", Func, 0, "func(fd int, p []byte, flags int) (n int, from Sockaddr, err error)"},
+		{"Recvmsg", Func, 0, "func(fd int, p []byte, oob []byte, flags int) (n int, oobn int, recvflags int, from Sockaddr, err error)"},
+		{"RegCloseKey", Func, 0, ""},
+		{"RegEnumKeyEx", Func, 0, ""},
+		{"RegOpenKeyEx", Func, 0, ""},
+		{"RegQueryInfoKey", Func, 0, ""},
+		{"RegQueryValueEx", Func, 0, ""},
+		{"RemoveDirectory", Func, 0, ""},
+		{"Removexattr", Func, 1, "func(path string, attr string) (err error)"},
+		{"Rename", Func, 0, "func(oldpath string, newpath string) (err error)"},
+		{"Renameat", Func, 0, "func(olddirfd int, oldpath string, newdirfd int, newpath string) (err error)"},
+		{"Revoke", Func, 0, ""},
+		{"Rlimit", Type, 0, ""},
+		{"Rlimit.Cur", Field, 0, ""},
+		{"Rlimit.Max", Field, 0, ""},
+		{"Rmdir", Func, 0, "func(path string) error"},
+		{"RouteMessage", Type, 0, ""},
+		{"RouteMessage.Data", Field, 0, ""},
+		{"RouteMessage.Header", Field, 0, ""},
+		{"RouteRIB", Func, 0, ""},
+		{"RoutingMessage", Type, 14, ""},
+		{"RtAttr", Type, 0, ""},
+		{"RtAttr.Len", Field, 0, ""},
+		{"RtAttr.Type", Field, 0, ""},
+		{"RtGenmsg", Type, 0, ""},
+		{"RtGenmsg.Family", Field, 0, ""},
+		{"RtMetrics", Type, 0, ""},
+		{"RtMetrics.Expire", Field, 0, ""},
+		{"RtMetrics.Filler", Field, 0, ""},
+		{"RtMetrics.Hopcount", Field, 0, ""},
+		{"RtMetrics.Locks", Field, 0, ""},
+		{"RtMetrics.Mtu", Field, 0, ""},
+		{"RtMetrics.Pad", Field, 3, ""},
+		{"RtMetrics.Pksent", Field, 0, ""},
+		{"RtMetrics.Recvpipe", Field, 0, ""},
+		{"RtMetrics.Refcnt", Field, 2, ""},
+		{"RtMetrics.Rtt", Field, 0, ""},
+		{"RtMetrics.Rttvar", Field, 0, ""},
+		{"RtMetrics.Sendpipe", Field, 0, ""},
+		{"RtMetrics.Ssthresh", Field, 0, ""},
+		{"RtMetrics.Weight", Field, 0, ""},
+		{"RtMsg", Type, 0, ""},
+		{"RtMsg.Dst_len", Field, 0, ""},
+		{"RtMsg.Family", Field, 0, ""},
+		{"RtMsg.Flags", Field, 0, ""},
+		{"RtMsg.Protocol", Field, 0, ""},
+		{"RtMsg.Scope", Field, 0, ""},
+		{"RtMsg.Src_len", Field, 0, ""},
+		{"RtMsg.Table", Field, 0, ""},
+		{"RtMsg.Tos", Field, 0, ""},
+		{"RtMsg.Type", Field, 0, ""},
+		{"RtMsghdr", Type, 0, ""},
+		{"RtMsghdr.Addrs", Field, 0, ""},
+		{"RtMsghdr.Errno", Field, 0, ""},
+		{"RtMsghdr.Flags", Field, 0, ""},
+		{"RtMsghdr.Fmask", Field, 0, ""},
+		{"RtMsghdr.Hdrlen", Field, 2, ""},
+		{"RtMsghdr.Index", Field, 0, ""},
+		{"RtMsghdr.Inits", Field, 0, ""},
+		{"RtMsghdr.Mpls", Field, 2, ""},
+		{"RtMsghdr.Msglen", Field, 0, ""},
+		{"RtMsghdr.Pad_cgo_0", Field, 0, ""},
+		{"RtMsghdr.Pad_cgo_1", Field, 2, ""},
+		{"RtMsghdr.Pid", Field, 0, ""},
+		{"RtMsghdr.Priority", Field, 2, ""},
+		{"RtMsghdr.Rmx", Field, 0, ""},
+		{"RtMsghdr.Seq", Field, 0, ""},
+		{"RtMsghdr.Tableid", Field, 2, ""},
+		{"RtMsghdr.Type", Field, 0, ""},
+		{"RtMsghdr.Use", Field, 0, ""},
+		{"RtMsghdr.Version", Field, 0, ""},
+		{"RtNexthop", Type, 0, ""},
+		{"RtNexthop.Flags", Field, 0, ""},
+		{"RtNexthop.Hops", Field, 0, ""},
+		{"RtNexthop.Ifindex", Field, 0, ""},
+		{"RtNexthop.Len", Field, 0, ""},
+		{"Rusage", Type, 0, ""},
+		{"Rusage.CreationTime", Field, 0, ""},
+		{"Rusage.ExitTime", Field, 0, ""},
+		{"Rusage.Idrss", Field, 0, ""},
+		{"Rusage.Inblock", Field, 0, ""},
+		{"Rusage.Isrss", Field, 0, ""},
+		{"Rusage.Ixrss", Field, 0, ""},
+		{"Rusage.KernelTime", Field, 0, ""},
+		{"Rusage.Majflt", Field, 0, ""},
+		{"Rusage.Maxrss", Field, 0, ""},
+		{"Rusage.Minflt", Field, 0, ""},
+		{"Rusage.Msgrcv", Field, 0, ""},
+		{"Rusage.Msgsnd", Field, 0, ""},
+		{"Rusage.Nivcsw", Field, 0, ""},
+		{"Rusage.Nsignals", Field, 0, ""},
+		{"Rusage.Nswap", Field, 0, ""},
+		{"Rusage.Nvcsw", Field, 0, ""},
+		{"Rusage.Oublock", Field, 0, ""},
+		{"Rusage.Stime", Field, 0, ""},
+		{"Rusage.UserTime", Field, 0, ""},
+		{"Rusage.Utime", Field, 0, ""},
+		{"SCM_BINTIME", Const, 0, ""},
+		{"SCM_CREDENTIALS", Const, 0, ""},
+		{"SCM_CREDS", Const, 0, ""},
+		{"SCM_RIGHTS", Const, 0, ""},
+		{"SCM_TIMESTAMP", Const, 0, ""},
+		{"SCM_TIMESTAMPING", Const, 0, ""},
+		{"SCM_TIMESTAMPNS", Const, 0, ""},
+		{"SCM_TIMESTAMP_MONOTONIC", Const, 0, ""},
+		{"SHUT_RD", Const, 0, ""},
+		{"SHUT_RDWR", Const, 0, ""},
+		{"SHUT_WR", Const, 0, ""},
+		{"SID", Type, 0, ""},
+		{"SIDAndAttributes", Type, 0, ""},
+		{"SIDAndAttributes.Attributes", Field, 0, ""},
+		{"SIDAndAttributes.Sid", Field, 0, ""},
+		{"SIGABRT", Const, 0, ""},
+		{"SIGALRM", Const, 0, ""},
+		{"SIGBUS", Const, 0, ""},
+		{"SIGCHLD", Const, 0, ""},
+		{"SIGCLD", Const, 0, ""},
+		{"SIGCONT", Const, 0, ""},
+		{"SIGEMT", Const, 0, ""},
+		{"SIGFPE", Const, 0, ""},
+		{"SIGHUP", Const, 0, ""},
+		{"SIGILL", Const, 0, ""},
+		{"SIGINFO", Const, 0, ""},
+		{"SIGINT", Const, 0, ""},
+		{"SIGIO", Const, 0, ""},
+		{"SIGIOT", Const, 0, ""},
+		{"SIGKILL", Const, 0, ""},
+		{"SIGLIBRT", Const, 1, ""},
+		{"SIGLWP", Const, 0, ""},
+		{"SIGPIPE", Const, 0, ""},
+		{"SIGPOLL", Const, 0, ""},
+		{"SIGPROF", Const, 0, ""},
+		{"SIGPWR", Const, 0, ""},
+		{"SIGQUIT", Const, 0, ""},
+		{"SIGSEGV", Const, 0, ""},
+		{"SIGSTKFLT", Const, 0, ""},
+		{"SIGSTOP", Const, 0, ""},
+		{"SIGSYS", Const, 0, ""},
+		{"SIGTERM", Const, 0, ""},
+		{"SIGTHR", Const, 0, ""},
+		{"SIGTRAP", Const, 0, ""},
+		{"SIGTSTP", Const, 0, ""},
+		{"SIGTTIN", Const, 0, ""},
+		{"SIGTTOU", Const, 0, ""},
+		{"SIGUNUSED", Const, 0, ""},
+		{"SIGURG", Const, 0, ""},
+		{"SIGUSR1", Const, 0, ""},
+		{"SIGUSR2", Const, 0, ""},
+		{"SIGVTALRM", Const, 0, ""},
+		{"SIGWINCH", Const, 0, ""},
+		{"SIGXCPU", Const, 0, ""},
+		{"SIGXFSZ", Const, 0, ""},
+		{"SIOCADDDLCI", Const, 0, ""},
+		{"SIOCADDMULTI", Const, 0, ""},
+		{"SIOCADDRT", Const, 0, ""},
+		{"SIOCAIFADDR", Const, 0, ""},
+		{"SIOCAIFGROUP", Const, 0, ""},
+		{"SIOCALIFADDR", Const, 0, ""},
+		{"SIOCARPIPLL", Const, 0, ""},
+		{"SIOCATMARK", Const, 0, ""},
+		{"SIOCAUTOADDR", Const, 0, ""},
+		{"SIOCAUTONETMASK", Const, 0, ""},
+		{"SIOCBRDGADD", Const, 1, ""},
+		{"SIOCBRDGADDS", Const, 1, ""},
+		{"SIOCBRDGARL", Const, 1, ""},
+		{"SIOCBRDGDADDR", Const, 1, ""},
+		{"SIOCBRDGDEL", Const, 1, ""},
+		{"SIOCBRDGDELS", Const, 1, ""},
+		{"SIOCBRDGFLUSH", Const, 1, ""},
+		{"SIOCBRDGFRL", Const, 1, ""},
+		{"SIOCBRDGGCACHE", Const, 1, ""},
+		{"SIOCBRDGGFD", Const, 1, ""},
+		{"SIOCBRDGGHT", Const, 1, ""},
+		{"SIOCBRDGGIFFLGS", Const, 1, ""},
+		{"SIOCBRDGGMA", Const, 1, ""},
+		{"SIOCBRDGGPARAM", Const, 1, ""},
+		{"SIOCBRDGGPRI", Const, 1, ""},
+		{"SIOCBRDGGRL", Const, 1, ""},
+		{"SIOCBRDGGSIFS", Const, 1, ""},
+		{"SIOCBRDGGTO", Const, 1, ""},
+		{"SIOCBRDGIFS", Const, 1, ""},
+		{"SIOCBRDGRTS", Const, 1, ""},
+		{"SIOCBRDGSADDR", Const, 1, ""},
+		{"SIOCBRDGSCACHE", Const, 1, ""},
+		{"SIOCBRDGSFD", Const, 1, ""},
+		{"SIOCBRDGSHT", Const, 1, ""},
+		{"SIOCBRDGSIFCOST", Const, 1, ""},
+		{"SIOCBRDGSIFFLGS", Const, 1, ""},
+		{"SIOCBRDGSIFPRIO", Const, 1, ""},
+		{"SIOCBRDGSMA", Const, 1, ""},
+		{"SIOCBRDGSPRI", Const, 1, ""},
+		{"SIOCBRDGSPROTO", Const, 1, ""},
+		{"SIOCBRDGSTO", Const, 1, ""},
+		{"SIOCBRDGSTXHC", Const, 1, ""},
+		{"SIOCDARP", Const, 0, ""},
+		{"SIOCDELDLCI", Const, 0, ""},
+		{"SIOCDELMULTI", Const, 0, ""},
+		{"SIOCDELRT", Const, 0, ""},
+		{"SIOCDEVPRIVATE", Const, 0, ""},
+		{"SIOCDIFADDR", Const, 0, ""},
+		{"SIOCDIFGROUP", Const, 0, ""},
+		{"SIOCDIFPHYADDR", Const, 0, ""},
+		{"SIOCDLIFADDR", Const, 0, ""},
+		{"SIOCDRARP", Const, 0, ""},
+		{"SIOCGARP", Const, 0, ""},
+		{"SIOCGDRVSPEC", Const, 0, ""},
+		{"SIOCGETKALIVE", Const, 1, ""},
+		{"SIOCGETLABEL", Const, 1, ""},
+		{"SIOCGETPFLOW", Const, 1, ""},
+		{"SIOCGETPFSYNC", Const, 1, ""},
+		{"SIOCGETSGCNT", Const, 0, ""},
+		{"SIOCGETVIFCNT", Const, 0, ""},
+		{"SIOCGETVLAN", Const, 0, ""},
+		{"SIOCGHIWAT", Const, 0, ""},
+		{"SIOCGIFADDR", Const, 0, ""},
+		{"SIOCGIFADDRPREF", Const, 1, ""},
+		{"SIOCGIFALIAS", Const, 1, ""},
+		{"SIOCGIFALTMTU", Const, 0, ""},
+		{"SIOCGIFASYNCMAP", Const, 0, ""},
+		{"SIOCGIFBOND", Const, 0, ""},
+		{"SIOCGIFBR", Const, 0, ""},
+		{"SIOCGIFBRDADDR", Const, 0, ""},
+		{"SIOCGIFCAP", Const, 0, ""},
+		{"SIOCGIFCONF", Const, 0, ""},
+		{"SIOCGIFCOUNT", Const, 0, ""},
+		{"SIOCGIFDATA", Const, 1, ""},
+		{"SIOCGIFDESCR", Const, 0, ""},
+		{"SIOCGIFDEVMTU", Const, 0, ""},
+		{"SIOCGIFDLT", Const, 1, ""},
+		{"SIOCGIFDSTADDR", Const, 0, ""},
+		{"SIOCGIFENCAP", Const, 0, ""},
+		{"SIOCGIFFIB", Const, 1, ""},
+		{"SIOCGIFFLAGS", Const, 0, ""},
+		{"SIOCGIFGATTR", Const, 1, ""},
+		{"SIOCGIFGENERIC", Const, 0, ""},
+		{"SIOCGIFGMEMB", Const, 0, ""},
+		{"SIOCGIFGROUP", Const, 0, ""},
+		{"SIOCGIFHARDMTU", Const, 3, ""},
+		{"SIOCGIFHWADDR", Const, 0, ""},
+		{"SIOCGIFINDEX", Const, 0, ""},
+		{"SIOCGIFKPI", Const, 0, ""},
+		{"SIOCGIFMAC", Const, 0, ""},
+		{"SIOCGIFMAP", Const, 0, ""},
+		{"SIOCGIFMEDIA", Const, 0, ""},
+		{"SIOCGIFMEM", Const, 0, ""},
+		{"SIOCGIFMETRIC", Const, 0, ""},
+		{"SIOCGIFMTU", Const, 0, ""},
+		{"SIOCGIFNAME", Const, 0, ""},
+		{"SIOCGIFNETMASK", Const, 0, ""},
+		{"SIOCGIFPDSTADDR", Const, 0, ""},
+		{"SIOCGIFPFLAGS", Const, 0, ""},
+		{"SIOCGIFPHYS", Const, 0, ""},
+		{"SIOCGIFPRIORITY", Const, 1, ""},
+		{"SIOCGIFPSRCADDR", Const, 0, ""},
+		{"SIOCGIFRDOMAIN", Const, 1, ""},
+		{"SIOCGIFRTLABEL", Const, 1, ""},
+		{"SIOCGIFSLAVE", Const, 0, ""},
+		{"SIOCGIFSTATUS", Const, 0, ""},
+		{"SIOCGIFTIMESLOT", Const, 1, ""},
+		{"SIOCGIFTXQLEN", Const, 0, ""},
+		{"SIOCGIFVLAN", Const, 0, ""},
+		{"SIOCGIFWAKEFLAGS", Const, 0, ""},
+		{"SIOCGIFXFLAGS", Const, 1, ""},
+		{"SIOCGLIFADDR", Const, 0, ""},
+		{"SIOCGLIFPHYADDR", Const, 0, ""},
+		{"SIOCGLIFPHYRTABLE", Const, 1, ""},
+		{"SIOCGLIFPHYTTL", Const, 3, ""},
+		{"SIOCGLINKSTR", Const, 1, ""},
+		{"SIOCGLOWAT", Const, 0, ""},
+		{"SIOCGPGRP", Const, 0, ""},
+		{"SIOCGPRIVATE_0", Const, 0, ""},
+		{"SIOCGPRIVATE_1", Const, 0, ""},
+		{"SIOCGRARP", Const, 0, ""},
+		{"SIOCGSPPPPARAMS", Const, 3, ""},
+		{"SIOCGSTAMP", Const, 0, ""},
+		{"SIOCGSTAMPNS", Const, 0, ""},
+		{"SIOCGVH", Const, 1, ""},
+		{"SIOCGVNETID", Const, 3, ""},
+		{"SIOCIFCREATE", Const, 0, ""},
+		{"SIOCIFCREATE2", Const, 0, ""},
+		{"SIOCIFDESTROY", Const, 0, ""},
+		{"SIOCIFGCLONERS", Const, 0, ""},
+		{"SIOCINITIFADDR", Const, 1, ""},
+		{"SIOCPROTOPRIVATE", Const, 0, ""},
+		{"SIOCRSLVMULTI", Const, 0, ""},
+		{"SIOCRTMSG", Const, 0, ""},
+		{"SIOCSARP", Const, 0, ""},
+		{"SIOCSDRVSPEC", Const, 0, ""},
+		{"SIOCSETKALIVE", Const, 1, ""},
+		{"SIOCSETLABEL", Const, 1, ""},
+		{"SIOCSETPFLOW", Const, 1, ""},
+		{"SIOCSETPFSYNC", Const, 1, ""},
+		{"SIOCSETVLAN", Const, 0, ""},
+		{"SIOCSHIWAT", Const, 0, ""},
+		{"SIOCSIFADDR", Const, 0, ""},
+		{"SIOCSIFADDRPREF", Const, 1, ""},
+		{"SIOCSIFALTMTU", Const, 0, ""},
+		{"SIOCSIFASYNCMAP", Const, 0, ""},
+		{"SIOCSIFBOND", Const, 0, ""},
+		{"SIOCSIFBR", Const, 0, ""},
+		{"SIOCSIFBRDADDR", Const, 0, ""},
+		{"SIOCSIFCAP", Const, 0, ""},
+		{"SIOCSIFDESCR", Const, 0, ""},
+		{"SIOCSIFDSTADDR", Const, 0, ""},
+		{"SIOCSIFENCAP", Const, 0, ""},
+		{"SIOCSIFFIB", Const, 1, ""},
+		{"SIOCSIFFLAGS", Const, 0, ""},
+		{"SIOCSIFGATTR", Const, 1, ""},
+		{"SIOCSIFGENERIC", Const, 0, ""},
+		{"SIOCSIFHWADDR", Const, 0, ""},
+		{"SIOCSIFHWBROADCAST", Const, 0, ""},
+		{"SIOCSIFKPI", Const, 0, ""},
+		{"SIOCSIFLINK", Const, 0, ""},
+		{"SIOCSIFLLADDR", Const, 0, ""},
+		{"SIOCSIFMAC", Const, 0, ""},
+		{"SIOCSIFMAP", Const, 0, ""},
+		{"SIOCSIFMEDIA", Const, 0, ""},
+		{"SIOCSIFMEM", Const, 0, ""},
+		{"SIOCSIFMETRIC", Const, 0, ""},
+		{"SIOCSIFMTU", Const, 0, ""},
+		{"SIOCSIFNAME", Const, 0, ""},
+		{"SIOCSIFNETMASK", Const, 0, ""},
+		{"SIOCSIFPFLAGS", Const, 0, ""},
+		{"SIOCSIFPHYADDR", Const, 0, ""},
+		{"SIOCSIFPHYS", Const, 0, ""},
+		{"SIOCSIFPRIORITY", Const, 1, ""},
+		{"SIOCSIFRDOMAIN", Const, 1, ""},
+		{"SIOCSIFRTLABEL", Const, 1, ""},
+		{"SIOCSIFRVNET", Const, 0, ""},
+		{"SIOCSIFSLAVE", Const, 0, ""},
+		{"SIOCSIFTIMESLOT", Const, 1, ""},
+		{"SIOCSIFTXQLEN", Const, 0, ""},
+		{"SIOCSIFVLAN", Const, 0, ""},
+		{"SIOCSIFVNET", Const, 0, ""},
+		{"SIOCSIFXFLAGS", Const, 1, ""},
+		{"SIOCSLIFPHYADDR", Const, 0, ""},
+		{"SIOCSLIFPHYRTABLE", Const, 1, ""},
+		{"SIOCSLIFPHYTTL", Const, 3, ""},
+		{"SIOCSLINKSTR", Const, 1, ""},
+		{"SIOCSLOWAT", Const, 0, ""},
+		{"SIOCSPGRP", Const, 0, ""},
+		{"SIOCSRARP", Const, 0, ""},
+		{"SIOCSSPPPPARAMS", Const, 3, ""},
+		{"SIOCSVH", Const, 1, ""},
+		{"SIOCSVNETID", Const, 3, ""},
+		{"SIOCZIFDATA", Const, 1, ""},
+		{"SIO_GET_EXTENSION_FUNCTION_POINTER", Const, 1, ""},
+		{"SIO_GET_INTERFACE_LIST", Const, 0, ""},
+		{"SIO_KEEPALIVE_VALS", Const, 3, ""},
+		{"SIO_UDP_CONNRESET", Const, 4, ""},
+		{"SOCK_CLOEXEC", Const, 0, ""},
+		{"SOCK_DCCP", Const, 0, ""},
+		{"SOCK_DGRAM", Const, 0, ""},
+		{"SOCK_FLAGS_MASK", Const, 1, ""},
+		{"SOCK_MAXADDRLEN", Const, 0, ""},
+		{"SOCK_NONBLOCK", Const, 0, ""},
+		{"SOCK_NOSIGPIPE", Const, 1, ""},
+		{"SOCK_PACKET", Const, 0, ""},
+		{"SOCK_RAW", Const, 0, ""},
+		{"SOCK_RDM", Const, 0, ""},
+		{"SOCK_SEQPACKET", Const, 0, ""},
+		{"SOCK_STREAM", Const, 0, ""},
+		{"SOL_AAL", Const, 0, ""},
+		{"SOL_ATM", Const, 0, ""},
+		{"SOL_DECNET", Const, 0, ""},
+		{"SOL_ICMPV6", Const, 0, ""},
+		{"SOL_IP", Const, 0, ""},
+		{"SOL_IPV6", Const, 0, ""},
+		{"SOL_IRDA", Const, 0, ""},
+		{"SOL_PACKET", Const, 0, ""},
+		{"SOL_RAW", Const, 0, ""},
+		{"SOL_SOCKET", Const, 0, ""},
+		{"SOL_TCP", Const, 0, ""},
+		{"SOL_X25", Const, 0, ""},
+		{"SOMAXCONN", Const, 0, ""},
+		{"SO_ACCEPTCONN", Const, 0, ""},
+		{"SO_ACCEPTFILTER", Const, 0, ""},
+		{"SO_ATTACH_FILTER", Const, 0, ""},
+		{"SO_BINDANY", Const, 1, ""},
+		{"SO_BINDTODEVICE", Const, 0, ""},
+		{"SO_BINTIME", Const, 0, ""},
+		{"SO_BROADCAST", Const, 0, ""},
+		{"SO_BSDCOMPAT", Const, 0, ""},
+		{"SO_DEBUG", Const, 0, ""},
+		{"SO_DETACH_FILTER", Const, 0, ""},
+		{"SO_DOMAIN", Const, 0, ""},
+		{"SO_DONTROUTE", Const, 0, ""},
+		{"SO_DONTTRUNC", Const, 0, ""},
+		{"SO_ERROR", Const, 0, ""},
+		{"SO_KEEPALIVE", Const, 0, ""},
+		{"SO_LABEL", Const, 0, ""},
+		{"SO_LINGER", Const, 0, ""},
+		{"SO_LINGER_SEC", Const, 0, ""},
+		{"SO_LISTENINCQLEN", Const, 0, ""},
+		{"SO_LISTENQLEN", Const, 0, ""},
+		{"SO_LISTENQLIMIT", Const, 0, ""},
+		{"SO_MARK", Const, 0, ""},
+		{"SO_NETPROC", Const, 1, ""},
+		{"SO_NKE", Const, 0, ""},
+		{"SO_NOADDRERR", Const, 0, ""},
+		{"SO_NOHEADER", Const, 1, ""},
+		{"SO_NOSIGPIPE", Const, 0, ""},
+		{"SO_NOTIFYCONFLICT", Const, 0, ""},
+		{"SO_NO_CHECK", Const, 0, ""},
+		{"SO_NO_DDP", Const, 0, ""},
+		{"SO_NO_OFFLOAD", Const, 0, ""},
+		{"SO_NP_EXTENSIONS", Const, 0, ""},
+		{"SO_NREAD", Const, 0, ""},
+		{"SO_NUMRCVPKT", Const, 16, ""},
+		{"SO_NWRITE", Const, 0, ""},
+		{"SO_OOBINLINE", Const, 0, ""},
+		{"SO_OVERFLOWED", Const, 1, ""},
+		{"SO_PASSCRED", Const, 0, ""},
+		{"SO_PASSSEC", Const, 0, ""},
+		{"SO_PEERCRED", Const, 0, ""},
+		{"SO_PEERLABEL", Const, 0, ""},
+		{"SO_PEERNAME", Const, 0, ""},
+		{"SO_PEERSEC", Const, 0, ""},
+		{"SO_PRIORITY", Const, 0, ""},
+		{"SO_PROTOCOL", Const, 0, ""},
+		{"SO_PROTOTYPE", Const, 1, ""},
+		{"SO_RANDOMPORT", Const, 0, ""},
+		{"SO_RCVBUF", Const, 0, ""},
+		{"SO_RCVBUFFORCE", Const, 0, ""},
+		{"SO_RCVLOWAT", Const, 0, ""},
+		{"SO_RCVTIMEO", Const, 0, ""},
+		{"SO_RESTRICTIONS", Const, 0, ""},
+		{"SO_RESTRICT_DENYIN", Const, 0, ""},
+		{"SO_RESTRICT_DENYOUT", Const, 0, ""},
+		{"SO_RESTRICT_DENYSET", Const, 0, ""},
+		{"SO_REUSEADDR", Const, 0, ""},
+		{"SO_REUSEPORT", Const, 0, ""},
+		{"SO_REUSESHAREUID", Const, 0, ""},
+		{"SO_RTABLE", Const, 1, ""},
+		{"SO_RXQ_OVFL", Const, 0, ""},
+		{"SO_SECURITY_AUTHENTICATION", Const, 0, ""},
+		{"SO_SECURITY_ENCRYPTION_NETWORK", Const, 0, ""},
+		{"SO_SECURITY_ENCRYPTION_TRANSPORT", Const, 0, ""},
+		{"SO_SETFIB", Const, 0, ""},
+		{"SO_SNDBUF", Const, 0, ""},
+		{"SO_SNDBUFFORCE", Const, 0, ""},
+		{"SO_SNDLOWAT", Const, 0, ""},
+		{"SO_SNDTIMEO", Const, 0, ""},
+		{"SO_SPLICE", Const, 1, ""},
+		{"SO_TIMESTAMP", Const, 0, ""},
+		{"SO_TIMESTAMPING", Const, 0, ""},
+		{"SO_TIMESTAMPNS", Const, 0, ""},
+		{"SO_TIMESTAMP_MONOTONIC", Const, 0, ""},
+		{"SO_TYPE", Const, 0, ""},
+		{"SO_UPCALLCLOSEWAIT", Const, 0, ""},
+		{"SO_UPDATE_ACCEPT_CONTEXT", Const, 0, ""},
+		{"SO_UPDATE_CONNECT_CONTEXT", Const, 1, ""},
+		{"SO_USELOOPBACK", Const, 0, ""},
+		{"SO_USER_COOKIE", Const, 1, ""},
+		{"SO_VENDOR", Const, 3, ""},
+		{"SO_WANTMORE", Const, 0, ""},
+		{"SO_WANTOOBFLAG", Const, 0, ""},
+		{"SSLExtraCertChainPolicyPara", Type, 0, ""},
+		{"SSLExtraCertChainPolicyPara.AuthType", Field, 0, ""},
+		{"SSLExtraCertChainPolicyPara.Checks", Field, 0, ""},
+		{"SSLExtraCertChainPolicyPara.ServerName", Field, 0, ""},
+		{"SSLExtraCertChainPolicyPara.Size", Field, 0, ""},
+		{"STANDARD_RIGHTS_ALL", Const, 0, ""},
+		{"STANDARD_RIGHTS_EXECUTE", Const, 0, ""},
+		{"STANDARD_RIGHTS_READ", Const, 0, ""},
+		{"STANDARD_RIGHTS_REQUIRED", Const, 0, ""},
+		{"STANDARD_RIGHTS_WRITE", Const, 0, ""},
+		{"STARTF_USESHOWWINDOW", Const, 0, ""},
+		{"STARTF_USESTDHANDLES", Const, 0, ""},
+		{"STD_ERROR_HANDLE", Const, 0, ""},
+		{"STD_INPUT_HANDLE", Const, 0, ""},
+		{"STD_OUTPUT_HANDLE", Const, 0, ""},
+		{"SUBLANG_ENGLISH_US", Const, 0, ""},
+		{"SW_FORCEMINIMIZE", Const, 0, ""},
+		{"SW_HIDE", Const, 0, ""},
+		{"SW_MAXIMIZE", Const, 0, ""},
+		{"SW_MINIMIZE", Const, 0, ""},
+		{"SW_NORMAL", Const, 0, ""},
+		{"SW_RESTORE", Const, 0, ""},
+		{"SW_SHOW", Const, 0, ""},
+		{"SW_SHOWDEFAULT", Const, 0, ""},
+		{"SW_SHOWMAXIMIZED", Const, 0, ""},
+		{"SW_SHOWMINIMIZED", Const, 0, ""},
+		{"SW_SHOWMINNOACTIVE", Const, 0, ""},
+		{"SW_SHOWNA", Const, 0, ""},
+		{"SW_SHOWNOACTIVATE", Const, 0, ""},
+		{"SW_SHOWNORMAL", Const, 0, ""},
+		{"SYMBOLIC_LINK_FLAG_DIRECTORY", Const, 4, ""},
+		{"SYNCHRONIZE", Const, 0, ""},
+		{"SYSCTL_VERSION", Const, 1, ""},
+		{"SYSCTL_VERS_0", Const, 1, ""},
+		{"SYSCTL_VERS_1", Const, 1, ""},
+		{"SYSCTL_VERS_MASK", Const, 1, ""},
+		{"SYS_ABORT2", Const, 0, ""},
+		{"SYS_ACCEPT", Const, 0, ""},
+		{"SYS_ACCEPT4", Const, 0, ""},
+		{"SYS_ACCEPT_NOCANCEL", Const, 0, ""},
+		{"SYS_ACCESS", Const, 0, ""},
+		{"SYS_ACCESS_EXTENDED", Const, 0, ""},
+		{"SYS_ACCT", Const, 0, ""},
+		{"SYS_ADD_KEY", Const, 0, ""},
+		{"SYS_ADD_PROFIL", Const, 0, ""},
+		{"SYS_ADJFREQ", Const, 1, ""},
+		{"SYS_ADJTIME", Const, 0, ""},
+		{"SYS_ADJTIMEX", Const, 0, ""},
+		{"SYS_AFS_SYSCALL", Const, 0, ""},
+		{"SYS_AIO_CANCEL", Const, 0, ""},
+		{"SYS_AIO_ERROR", Const, 0, ""},
+		{"SYS_AIO_FSYNC", Const, 0, ""},
+		{"SYS_AIO_MLOCK", Const, 14, ""},
+		{"SYS_AIO_READ", Const, 0, ""},
+		{"SYS_AIO_RETURN", Const, 0, ""},
+		{"SYS_AIO_SUSPEND", Const, 0, ""},
+		{"SYS_AIO_SUSPEND_NOCANCEL", Const, 0, ""},
+		{"SYS_AIO_WAITCOMPLETE", Const, 14, ""},
+		{"SYS_AIO_WRITE", Const, 0, ""},
+		{"SYS_ALARM", Const, 0, ""},
+		{"SYS_ARCH_PRCTL", Const, 0, ""},
+		{"SYS_ARM_FADVISE64_64", Const, 0, ""},
+		{"SYS_ARM_SYNC_FILE_RANGE", Const, 0, ""},
+		{"SYS_ATGETMSG", Const, 0, ""},
+		{"SYS_ATPGETREQ", Const, 0, ""},
+		{"SYS_ATPGETRSP", Const, 0, ""},
+		{"SYS_ATPSNDREQ", Const, 0, ""},
+		{"SYS_ATPSNDRSP", Const, 0, ""},
+		{"SYS_ATPUTMSG", Const, 0, ""},
+		{"SYS_ATSOCKET", Const, 0, ""},
+		{"SYS_AUDIT", Const, 0, ""},
+		{"SYS_AUDITCTL", Const, 0, ""},
+		{"SYS_AUDITON", Const, 0, ""},
+		{"SYS_AUDIT_SESSION_JOIN", Const, 0, ""},
+		{"SYS_AUDIT_SESSION_PORT", Const, 0, ""},
+		{"SYS_AUDIT_SESSION_SELF", Const, 0, ""},
+		{"SYS_BDFLUSH", Const, 0, ""},
+		{"SYS_BIND", Const, 0, ""},
+		{"SYS_BINDAT", Const, 3, ""},
+		{"SYS_BREAK", Const, 0, ""},
+		{"SYS_BRK", Const, 0, ""},
+		{"SYS_BSDTHREAD_CREATE", Const, 0, ""},
+		{"SYS_BSDTHREAD_REGISTER", Const, 0, ""},
+		{"SYS_BSDTHREAD_TERMINATE", Const, 0, ""},
+		{"SYS_CAPGET", Const, 0, ""},
+		{"SYS_CAPSET", Const, 0, ""},
+		{"SYS_CAP_ENTER", Const, 0, ""},
+		{"SYS_CAP_FCNTLS_GET", Const, 1, ""},
+		{"SYS_CAP_FCNTLS_LIMIT", Const, 1, ""},
+		{"SYS_CAP_GETMODE", Const, 0, ""},
+		{"SYS_CAP_GETRIGHTS", Const, 0, ""},
+		{"SYS_CAP_IOCTLS_GET", Const, 1, ""},
+		{"SYS_CAP_IOCTLS_LIMIT", Const, 1, ""},
+		{"SYS_CAP_NEW", Const, 0, ""},
+		{"SYS_CAP_RIGHTS_GET", Const, 1, ""},
+		{"SYS_CAP_RIGHTS_LIMIT", Const, 1, ""},
+		{"SYS_CHDIR", Const, 0, ""},
+		{"SYS_CHFLAGS", Const, 0, ""},
+		{"SYS_CHFLAGSAT", Const, 3, ""},
+		{"SYS_CHMOD", Const, 0, ""},
+		{"SYS_CHMOD_EXTENDED", Const, 0, ""},
+		{"SYS_CHOWN", Const, 0, ""},
+		{"SYS_CHOWN32", Const, 0, ""},
+		{"SYS_CHROOT", Const, 0, ""},
+		{"SYS_CHUD", Const, 0, ""},
+		{"SYS_CLOCK_ADJTIME", Const, 0, ""},
+		{"SYS_CLOCK_GETCPUCLOCKID2", Const, 1, ""},
+		{"SYS_CLOCK_GETRES", Const, 0, ""},
+		{"SYS_CLOCK_GETTIME", Const, 0, ""},
+		{"SYS_CLOCK_NANOSLEEP", Const, 0, ""},
+		{"SYS_CLOCK_SETTIME", Const, 0, ""},
+		{"SYS_CLONE", Const, 0, ""},
+		{"SYS_CLOSE", Const, 0, ""},
+		{"SYS_CLOSEFROM", Const, 0, ""},
+		{"SYS_CLOSE_NOCANCEL", Const, 0, ""},
+		{"SYS_CONNECT", Const, 0, ""},
+		{"SYS_CONNECTAT", Const, 3, ""},
+		{"SYS_CONNECT_NOCANCEL", Const, 0, ""},
+		{"SYS_COPYFILE", Const, 0, ""},
+		{"SYS_CPUSET", Const, 0, ""},
+		{"SYS_CPUSET_GETAFFINITY", Const, 0, ""},
+		{"SYS_CPUSET_GETID", Const, 0, ""},
+		{"SYS_CPUSET_SETAFFINITY", Const, 0, ""},
+		{"SYS_CPUSET_SETID", Const, 0, ""},
+		{"SYS_CREAT", Const, 0, ""},
+		{"SYS_CREATE_MODULE", Const, 0, ""},
+		{"SYS_CSOPS", Const, 0, ""},
+		{"SYS_CSOPS_AUDITTOKEN", Const, 16, ""},
+		{"SYS_DELETE", Const, 0, ""},
+		{"SYS_DELETE_MODULE", Const, 0, ""},
+		{"SYS_DUP", Const, 0, ""},
+		{"SYS_DUP2", Const, 0, ""},
+		{"SYS_DUP3", Const, 0, ""},
+		{"SYS_EACCESS", Const, 0, ""},
+		{"SYS_EPOLL_CREATE", Const, 0, ""},
+		{"SYS_EPOLL_CREATE1", Const, 0, ""},
+		{"SYS_EPOLL_CTL", Const, 0, ""},
+		{"SYS_EPOLL_CTL_OLD", Const, 0, ""},
+		{"SYS_EPOLL_PWAIT", Const, 0, ""},
+		{"SYS_EPOLL_WAIT", Const, 0, ""},
+		{"SYS_EPOLL_WAIT_OLD", Const, 0, ""},
+		{"SYS_EVENTFD", Const, 0, ""},
+		{"SYS_EVENTFD2", Const, 0, ""},
+		{"SYS_EXCHANGEDATA", Const, 0, ""},
+		{"SYS_EXECVE", Const, 0, ""},
+		{"SYS_EXIT", Const, 0, ""},
+		{"SYS_EXIT_GROUP", Const, 0, ""},
+		{"SYS_EXTATTRCTL", Const, 0, ""},
+		{"SYS_EXTATTR_DELETE_FD", Const, 0, ""},
+		{"SYS_EXTATTR_DELETE_FILE", Const, 0, ""},
+		{"SYS_EXTATTR_DELETE_LINK", Const, 0, ""},
+		{"SYS_EXTATTR_GET_FD", Const, 0, ""},
+		{"SYS_EXTATTR_GET_FILE", Const, 0, ""},
+		{"SYS_EXTATTR_GET_LINK", Const, 0, ""},
+		{"SYS_EXTATTR_LIST_FD", Const, 0, ""},
+		{"SYS_EXTATTR_LIST_FILE", Const, 0, ""},
+		{"SYS_EXTATTR_LIST_LINK", Const, 0, ""},
+		{"SYS_EXTATTR_SET_FD", Const, 0, ""},
+		{"SYS_EXTATTR_SET_FILE", Const, 0, ""},
+		{"SYS_EXTATTR_SET_LINK", Const, 0, ""},
+		{"SYS_FACCESSAT", Const, 0, ""},
+		{"SYS_FADVISE64", Const, 0, ""},
+		{"SYS_FADVISE64_64", Const, 0, ""},
+		{"SYS_FALLOCATE", Const, 0, ""},
+		{"SYS_FANOTIFY_INIT", Const, 0, ""},
+		{"SYS_FANOTIFY_MARK", Const, 0, ""},
+		{"SYS_FCHDIR", Const, 0, ""},
+		{"SYS_FCHFLAGS", Const, 0, ""},
+		{"SYS_FCHMOD", Const, 0, ""},
+		{"SYS_FCHMODAT", Const, 0, ""},
+		{"SYS_FCHMOD_EXTENDED", Const, 0, ""},
+		{"SYS_FCHOWN", Const, 0, ""},
+		{"SYS_FCHOWN32", Const, 0, ""},
+		{"SYS_FCHOWNAT", Const, 0, ""},
+		{"SYS_FCHROOT", Const, 1, ""},
+		{"SYS_FCNTL", Const, 0, ""},
+		{"SYS_FCNTL64", Const, 0, ""},
+		{"SYS_FCNTL_NOCANCEL", Const, 0, ""},
+		{"SYS_FDATASYNC", Const, 0, ""},
+		{"SYS_FEXECVE", Const, 0, ""},
+		{"SYS_FFCLOCK_GETCOUNTER", Const, 0, ""},
+		{"SYS_FFCLOCK_GETESTIMATE", Const, 0, ""},
+		{"SYS_FFCLOCK_SETESTIMATE", Const, 0, ""},
+		{"SYS_FFSCTL", Const, 0, ""},
+		{"SYS_FGETATTRLIST", Const, 0, ""},
+		{"SYS_FGETXATTR", Const, 0, ""},
+		{"SYS_FHOPEN", Const, 0, ""},
+		{"SYS_FHSTAT", Const, 0, ""},
+		{"SYS_FHSTATFS", Const, 0, ""},
+		{"SYS_FILEPORT_MAKEFD", Const, 0, ""},
+		{"SYS_FILEPORT_MAKEPORT", Const, 0, ""},
+		{"SYS_FKTRACE", Const, 1, ""},
+		{"SYS_FLISTXATTR", Const, 0, ""},
+		{"SYS_FLOCK", Const, 0, ""},
+		{"SYS_FORK", Const, 0, ""},
+		{"SYS_FPATHCONF", Const, 0, ""},
+		{"SYS_FREEBSD6_FTRUNCATE", Const, 0, ""},
+		{"SYS_FREEBSD6_LSEEK", Const, 0, ""},
+		{"SYS_FREEBSD6_MMAP", Const, 0, ""},
+		{"SYS_FREEBSD6_PREAD", Const, 0, ""},
+		{"SYS_FREEBSD6_PWRITE", Const, 0, ""},
+		{"SYS_FREEBSD6_TRUNCATE", Const, 0, ""},
+		{"SYS_FREMOVEXATTR", Const, 0, ""},
+		{"SYS_FSCTL", Const, 0, ""},
+		{"SYS_FSETATTRLIST", Const, 0, ""},
+		{"SYS_FSETXATTR", Const, 0, ""},
+		{"SYS_FSGETPATH", Const, 0, ""},
+		{"SYS_FSTAT", Const, 0, ""},
+		{"SYS_FSTAT64", Const, 0, ""},
+		{"SYS_FSTAT64_EXTENDED", Const, 0, ""},
+		{"SYS_FSTATAT", Const, 0, ""},
+		{"SYS_FSTATAT64", Const, 0, ""},
+		{"SYS_FSTATFS", Const, 0, ""},
+		{"SYS_FSTATFS64", Const, 0, ""},
+		{"SYS_FSTATV", Const, 0, ""},
+		{"SYS_FSTATVFS1", Const, 1, ""},
+		{"SYS_FSTAT_EXTENDED", Const, 0, ""},
+		{"SYS_FSYNC", Const, 0, ""},
+		{"SYS_FSYNC_NOCANCEL", Const, 0, ""},
+		{"SYS_FSYNC_RANGE", Const, 1, ""},
+		{"SYS_FTIME", Const, 0, ""},
+		{"SYS_FTRUNCATE", Const, 0, ""},
+		{"SYS_FTRUNCATE64", Const, 0, ""},
+		{"SYS_FUTEX", Const, 0, ""},
+		{"SYS_FUTIMENS", Const, 1, ""},
+		{"SYS_FUTIMES", Const, 0, ""},
+		{"SYS_FUTIMESAT", Const, 0, ""},
+		{"SYS_GETATTRLIST", Const, 0, ""},
+		{"SYS_GETAUDIT", Const, 0, ""},
+		{"SYS_GETAUDIT_ADDR", Const, 0, ""},
+		{"SYS_GETAUID", Const, 0, ""},
+		{"SYS_GETCONTEXT", Const, 0, ""},
+		{"SYS_GETCPU", Const, 0, ""},
+		{"SYS_GETCWD", Const, 0, ""},
+		{"SYS_GETDENTS", Const, 0, ""},
+		{"SYS_GETDENTS64", Const, 0, ""},
+		{"SYS_GETDIRENTRIES", Const, 0, ""},
+		{"SYS_GETDIRENTRIES64", Const, 0, ""},
+		{"SYS_GETDIRENTRIESATTR", Const, 0, ""},
+		{"SYS_GETDTABLECOUNT", Const, 1, ""},
+		{"SYS_GETDTABLESIZE", Const, 0, ""},
+		{"SYS_GETEGID", Const, 0, ""},
+		{"SYS_GETEGID32", Const, 0, ""},
+		{"SYS_GETEUID", Const, 0, ""},
+		{"SYS_GETEUID32", Const, 0, ""},
+		{"SYS_GETFH", Const, 0, ""},
+		{"SYS_GETFSSTAT", Const, 0, ""},
+		{"SYS_GETFSSTAT64", Const, 0, ""},
+		{"SYS_GETGID", Const, 0, ""},
+		{"SYS_GETGID32", Const, 0, ""},
+		{"SYS_GETGROUPS", Const, 0, ""},
+		{"SYS_GETGROUPS32", Const, 0, ""},
+		{"SYS_GETHOSTUUID", Const, 0, ""},
+		{"SYS_GETITIMER", Const, 0, ""},
+		{"SYS_GETLCID", Const, 0, ""},
+		{"SYS_GETLOGIN", Const, 0, ""},
+		{"SYS_GETLOGINCLASS", Const, 0, ""},
+		{"SYS_GETPEERNAME", Const, 0, ""},
+		{"SYS_GETPGID", Const, 0, ""},
+		{"SYS_GETPGRP", Const, 0, ""},
+		{"SYS_GETPID", Const, 0, ""},
+		{"SYS_GETPMSG", Const, 0, ""},
+		{"SYS_GETPPID", Const, 0, ""},
+		{"SYS_GETPRIORITY", Const, 0, ""},
+		{"SYS_GETRESGID", Const, 0, ""},
+		{"SYS_GETRESGID32", Const, 0, ""},
+		{"SYS_GETRESUID", Const, 0, ""},
+		{"SYS_GETRESUID32", Const, 0, ""},
+		{"SYS_GETRLIMIT", Const, 0, ""},
+		{"SYS_GETRTABLE", Const, 1, ""},
+		{"SYS_GETRUSAGE", Const, 0, ""},
+		{"SYS_GETSGROUPS", Const, 0, ""},
+		{"SYS_GETSID", Const, 0, ""},
+		{"SYS_GETSOCKNAME", Const, 0, ""},
+		{"SYS_GETSOCKOPT", Const, 0, ""},
+		{"SYS_GETTHRID", Const, 1, ""},
+		{"SYS_GETTID", Const, 0, ""},
+		{"SYS_GETTIMEOFDAY", Const, 0, ""},
+		{"SYS_GETUID", Const, 0, ""},
+		{"SYS_GETUID32", Const, 0, ""},
+		{"SYS_GETVFSSTAT", Const, 1, ""},
+		{"SYS_GETWGROUPS", Const, 0, ""},
+		{"SYS_GETXATTR", Const, 0, ""},
+		{"SYS_GET_KERNEL_SYMS", Const, 0, ""},
+		{"SYS_GET_MEMPOLICY", Const, 0, ""},
+		{"SYS_GET_ROBUST_LIST", Const, 0, ""},
+		{"SYS_GET_THREAD_AREA", Const, 0, ""},
+		{"SYS_GSSD_SYSCALL", Const, 14, ""},
+		{"SYS_GTTY", Const, 0, ""},
+		{"SYS_IDENTITYSVC", Const, 0, ""},
+		{"SYS_IDLE", Const, 0, ""},
+		{"SYS_INITGROUPS", Const, 0, ""},
+		{"SYS_INIT_MODULE", Const, 0, ""},
+		{"SYS_INOTIFY_ADD_WATCH", Const, 0, ""},
+		{"SYS_INOTIFY_INIT", Const, 0, ""},
+		{"SYS_INOTIFY_INIT1", Const, 0, ""},
+		{"SYS_INOTIFY_RM_WATCH", Const, 0, ""},
+		{"SYS_IOCTL", Const, 0, ""},
+		{"SYS_IOPERM", Const, 0, ""},
+		{"SYS_IOPL", Const, 0, ""},
+		{"SYS_IOPOLICYSYS", Const, 0, ""},
+		{"SYS_IOPRIO_GET", Const, 0, ""},
+		{"SYS_IOPRIO_SET", Const, 0, ""},
+		{"SYS_IO_CANCEL", Const, 0, ""},
+		{"SYS_IO_DESTROY", Const, 0, ""},
+		{"SYS_IO_GETEVENTS", Const, 0, ""},
+		{"SYS_IO_SETUP", Const, 0, ""},
+		{"SYS_IO_SUBMIT", Const, 0, ""},
+		{"SYS_IPC", Const, 0, ""},
+		{"SYS_ISSETUGID", Const, 0, ""},
+		{"SYS_JAIL", Const, 0, ""},
+		{"SYS_JAIL_ATTACH", Const, 0, ""},
+		{"SYS_JAIL_GET", Const, 0, ""},
+		{"SYS_JAIL_REMOVE", Const, 0, ""},
+		{"SYS_JAIL_SET", Const, 0, ""},
+		{"SYS_KAS_INFO", Const, 16, ""},
+		{"SYS_KDEBUG_TRACE", Const, 0, ""},
+		{"SYS_KENV", Const, 0, ""},
+		{"SYS_KEVENT", Const, 0, ""},
+		{"SYS_KEVENT64", Const, 0, ""},
+		{"SYS_KEXEC_LOAD", Const, 0, ""},
+		{"SYS_KEYCTL", Const, 0, ""},
+		{"SYS_KILL", Const, 0, ""},
+		{"SYS_KLDFIND", Const, 0, ""},
+		{"SYS_KLDFIRSTMOD", Const, 0, ""},
+		{"SYS_KLDLOAD", Const, 0, ""},
+		{"SYS_KLDNEXT", Const, 0, ""},
+		{"SYS_KLDSTAT", Const, 0, ""},
+		{"SYS_KLDSYM", Const, 0, ""},
+		{"SYS_KLDUNLOAD", Const, 0, ""},
+		{"SYS_KLDUNLOADF", Const, 0, ""},
+		{"SYS_KMQ_NOTIFY", Const, 14, ""},
+		{"SYS_KMQ_OPEN", Const, 14, ""},
+		{"SYS_KMQ_SETATTR", Const, 14, ""},
+		{"SYS_KMQ_TIMEDRECEIVE", Const, 14, ""},
+		{"SYS_KMQ_TIMEDSEND", Const, 14, ""},
+		{"SYS_KMQ_UNLINK", Const, 14, ""},
+		{"SYS_KQUEUE", Const, 0, ""},
+		{"SYS_KQUEUE1", Const, 1, ""},
+		{"SYS_KSEM_CLOSE", Const, 14, ""},
+		{"SYS_KSEM_DESTROY", Const, 14, ""},
+		{"SYS_KSEM_GETVALUE", Const, 14, ""},
+		{"SYS_KSEM_INIT", Const, 14, ""},
+		{"SYS_KSEM_OPEN", Const, 14, ""},
+		{"SYS_KSEM_POST", Const, 14, ""},
+		{"SYS_KSEM_TIMEDWAIT", Const, 14, ""},
+		{"SYS_KSEM_TRYWAIT", Const, 14, ""},
+		{"SYS_KSEM_UNLINK", Const, 14, ""},
+		{"SYS_KSEM_WAIT", Const, 14, ""},
+		{"SYS_KTIMER_CREATE", Const, 0, ""},
+		{"SYS_KTIMER_DELETE", Const, 0, ""},
+		{"SYS_KTIMER_GETOVERRUN", Const, 0, ""},
+		{"SYS_KTIMER_GETTIME", Const, 0, ""},
+		{"SYS_KTIMER_SETTIME", Const, 0, ""},
+		{"SYS_KTRACE", Const, 0, ""},
+		{"SYS_LCHFLAGS", Const, 0, ""},
+		{"SYS_LCHMOD", Const, 0, ""},
+		{"SYS_LCHOWN", Const, 0, ""},
+		{"SYS_LCHOWN32", Const, 0, ""},
+		{"SYS_LEDGER", Const, 16, ""},
+		{"SYS_LGETFH", Const, 0, ""},
+		{"SYS_LGETXATTR", Const, 0, ""},
+		{"SYS_LINK", Const, 0, ""},
+		{"SYS_LINKAT", Const, 0, ""},
+		{"SYS_LIO_LISTIO", Const, 0, ""},
+		{"SYS_LISTEN", Const, 0, ""},
+		{"SYS_LISTXATTR", Const, 0, ""},
+		{"SYS_LLISTXATTR", Const, 0, ""},
+		{"SYS_LOCK", Const, 0, ""},
+		{"SYS_LOOKUP_DCOOKIE", Const, 0, ""},
+		{"SYS_LPATHCONF", Const, 0, ""},
+		{"SYS_LREMOVEXATTR", Const, 0, ""},
+		{"SYS_LSEEK", Const, 0, ""},
+		{"SYS_LSETXATTR", Const, 0, ""},
+		{"SYS_LSTAT", Const, 0, ""},
+		{"SYS_LSTAT64", Const, 0, ""},
+		{"SYS_LSTAT64_EXTENDED", Const, 0, ""},
+		{"SYS_LSTATV", Const, 0, ""},
+		{"SYS_LSTAT_EXTENDED", Const, 0, ""},
+		{"SYS_LUTIMES", Const, 0, ""},
+		{"SYS_MAC_SYSCALL", Const, 0, ""},
+		{"SYS_MADVISE", Const, 0, ""},
+		{"SYS_MADVISE1", Const, 0, ""},
+		{"SYS_MAXSYSCALL", Const, 0, ""},
+		{"SYS_MBIND", Const, 0, ""},
+		{"SYS_MIGRATE_PAGES", Const, 0, ""},
+		{"SYS_MINCORE", Const, 0, ""},
+		{"SYS_MINHERIT", Const, 0, ""},
+		{"SYS_MKCOMPLEX", Const, 0, ""},
+		{"SYS_MKDIR", Const, 0, ""},
+		{"SYS_MKDIRAT", Const, 0, ""},
+		{"SYS_MKDIR_EXTENDED", Const, 0, ""},
+		{"SYS_MKFIFO", Const, 0, ""},
+		{"SYS_MKFIFOAT", Const, 0, ""},
+		{"SYS_MKFIFO_EXTENDED", Const, 0, ""},
+		{"SYS_MKNOD", Const, 0, ""},
+		{"SYS_MKNODAT", Const, 0, ""},
+		{"SYS_MLOCK", Const, 0, ""},
+		{"SYS_MLOCKALL", Const, 0, ""},
+		{"SYS_MMAP", Const, 0, ""},
+		{"SYS_MMAP2", Const, 0, ""},
+		{"SYS_MODCTL", Const, 1, ""},
+		{"SYS_MODFIND", Const, 0, ""},
+		{"SYS_MODFNEXT", Const, 0, ""},
+		{"SYS_MODIFY_LDT", Const, 0, ""},
+		{"SYS_MODNEXT", Const, 0, ""},
+		{"SYS_MODSTAT", Const, 0, ""},
+		{"SYS_MODWATCH", Const, 0, ""},
+		{"SYS_MOUNT", Const, 0, ""},
+		{"SYS_MOVE_PAGES", Const, 0, ""},
+		{"SYS_MPROTECT", Const, 0, ""},
+		{"SYS_MPX", Const, 0, ""},
+		{"SYS_MQUERY", Const, 1, ""},
+		{"SYS_MQ_GETSETATTR", Const, 0, ""},
+		{"SYS_MQ_NOTIFY", Const, 0, ""},
+		{"SYS_MQ_OPEN", Const, 0, ""},
+		{"SYS_MQ_TIMEDRECEIVE", Const, 0, ""},
+		{"SYS_MQ_TIMEDSEND", Const, 0, ""},
+		{"SYS_MQ_UNLINK", Const, 0, ""},
+		{"SYS_MREMAP", Const, 0, ""},
+		{"SYS_MSGCTL", Const, 0, ""},
+		{"SYS_MSGGET", Const, 0, ""},
+		{"SYS_MSGRCV", Const, 0, ""},
+		{"SYS_MSGRCV_NOCANCEL", Const, 0, ""},
+		{"SYS_MSGSND", Const, 0, ""},
+		{"SYS_MSGSND_NOCANCEL", Const, 0, ""},
+		{"SYS_MSGSYS", Const, 0, ""},
+		{"SYS_MSYNC", Const, 0, ""},
+		{"SYS_MSYNC_NOCANCEL", Const, 0, ""},
+		{"SYS_MUNLOCK", Const, 0, ""},
+		{"SYS_MUNLOCKALL", Const, 0, ""},
+		{"SYS_MUNMAP", Const, 0, ""},
+		{"SYS_NAME_TO_HANDLE_AT", Const, 0, ""},
+		{"SYS_NANOSLEEP", Const, 0, ""},
+		{"SYS_NEWFSTATAT", Const, 0, ""},
+		{"SYS_NFSCLNT", Const, 0, ""},
+		{"SYS_NFSSERVCTL", Const, 0, ""},
+		{"SYS_NFSSVC", Const, 0, ""},
+		{"SYS_NFSTAT", Const, 0, ""},
+		{"SYS_NICE", Const, 0, ""},
+		{"SYS_NLM_SYSCALL", Const, 14, ""},
+		{"SYS_NLSTAT", Const, 0, ""},
+		{"SYS_NMOUNT", Const, 0, ""},
+		{"SYS_NSTAT", Const, 0, ""},
+		{"SYS_NTP_ADJTIME", Const, 0, ""},
+		{"SYS_NTP_GETTIME", Const, 0, ""},
+		{"SYS_NUMA_GETAFFINITY", Const, 14, ""},
+		{"SYS_NUMA_SETAFFINITY", Const, 14, ""},
+		{"SYS_OABI_SYSCALL_BASE", Const, 0, ""},
+		{"SYS_OBREAK", Const, 0, ""},
+		{"SYS_OLDFSTAT", Const, 0, ""},
+		{"SYS_OLDLSTAT", Const, 0, ""},
+		{"SYS_OLDOLDUNAME", Const, 0, ""},
+		{"SYS_OLDSTAT", Const, 0, ""},
+		{"SYS_OLDUNAME", Const, 0, ""},
+		{"SYS_OPEN", Const, 0, ""},
+		{"SYS_OPENAT", Const, 0, ""},
+		{"SYS_OPENBSD_POLL", Const, 0, ""},
+		{"SYS_OPEN_BY_HANDLE_AT", Const, 0, ""},
+		{"SYS_OPEN_DPROTECTED_NP", Const, 16, ""},
+		{"SYS_OPEN_EXTENDED", Const, 0, ""},
+		{"SYS_OPEN_NOCANCEL", Const, 0, ""},
+		{"SYS_OVADVISE", Const, 0, ""},
+		{"SYS_PACCEPT", Const, 1, ""},
+		{"SYS_PATHCONF", Const, 0, ""},
+		{"SYS_PAUSE", Const, 0, ""},
+		{"SYS_PCICONFIG_IOBASE", Const, 0, ""},
+		{"SYS_PCICONFIG_READ", Const, 0, ""},
+		{"SYS_PCICONFIG_WRITE", Const, 0, ""},
+		{"SYS_PDFORK", Const, 0, ""},
+		{"SYS_PDGETPID", Const, 0, ""},
+		{"SYS_PDKILL", Const, 0, ""},
+		{"SYS_PERF_EVENT_OPEN", Const, 0, ""},
+		{"SYS_PERSONALITY", Const, 0, ""},
+		{"SYS_PID_HIBERNATE", Const, 0, ""},
+		{"SYS_PID_RESUME", Const, 0, ""},
+		{"SYS_PID_SHUTDOWN_SOCKETS", Const, 0, ""},
+		{"SYS_PID_SUSPEND", Const, 0, ""},
+		{"SYS_PIPE", Const, 0, ""},
+		{"SYS_PIPE2", Const, 0, ""},
+		{"SYS_PIVOT_ROOT", Const, 0, ""},
+		{"SYS_PMC_CONTROL", Const, 1, ""},
+		{"SYS_PMC_GET_INFO", Const, 1, ""},
+		{"SYS_POLL", Const, 0, ""},
+		{"SYS_POLLTS", Const, 1, ""},
+		{"SYS_POLL_NOCANCEL", Const, 0, ""},
+		{"SYS_POSIX_FADVISE", Const, 0, ""},
+		{"SYS_POSIX_FALLOCATE", Const, 0, ""},
+		{"SYS_POSIX_OPENPT", Const, 0, ""},
+		{"SYS_POSIX_SPAWN", Const, 0, ""},
+		{"SYS_PPOLL", Const, 0, ""},
+		{"SYS_PRCTL", Const, 0, ""},
+		{"SYS_PREAD", Const, 0, ""},
+		{"SYS_PREAD64", Const, 0, ""},
+		{"SYS_PREADV", Const, 0, ""},
+		{"SYS_PREAD_NOCANCEL", Const, 0, ""},
+		{"SYS_PRLIMIT64", Const, 0, ""},
+		{"SYS_PROCCTL", Const, 3, ""},
+		{"SYS_PROCESS_POLICY", Const, 0, ""},
+		{"SYS_PROCESS_VM_READV", Const, 0, ""},
+		{"SYS_PROCESS_VM_WRITEV", Const, 0, ""},
+		{"SYS_PROC_INFO", Const, 0, ""},
+		{"SYS_PROF", Const, 0, ""},
+		{"SYS_PROFIL", Const, 0, ""},
+		{"SYS_PSELECT", Const, 0, ""},
+		{"SYS_PSELECT6", Const, 0, ""},
+		{"SYS_PSET_ASSIGN", Const, 1, ""},
+		{"SYS_PSET_CREATE", Const, 1, ""},
+		{"SYS_PSET_DESTROY", Const, 1, ""},
+		{"SYS_PSYNCH_CVBROAD", Const, 0, ""},
+		{"SYS_PSYNCH_CVCLRPREPOST", Const, 0, ""},
+		{"SYS_PSYNCH_CVSIGNAL", Const, 0, ""},
+		{"SYS_PSYNCH_CVWAIT", Const, 0, ""},
+		{"SYS_PSYNCH_MUTEXDROP", Const, 0, ""},
+		{"SYS_PSYNCH_MUTEXWAIT", Const, 0, ""},
+		{"SYS_PSYNCH_RW_DOWNGRADE", Const, 0, ""},
+		{"SYS_PSYNCH_RW_LONGRDLOCK", Const, 0, ""},
+		{"SYS_PSYNCH_RW_RDLOCK", Const, 0, ""},
+		{"SYS_PSYNCH_RW_UNLOCK", Const, 0, ""},
+		{"SYS_PSYNCH_RW_UNLOCK2", Const, 0, ""},
+		{"SYS_PSYNCH_RW_UPGRADE", Const, 0, ""},
+		{"SYS_PSYNCH_RW_WRLOCK", Const, 0, ""},
+		{"SYS_PSYNCH_RW_YIELDWRLOCK", Const, 0, ""},
+		{"SYS_PTRACE", Const, 0, ""},
+		{"SYS_PUTPMSG", Const, 0, ""},
+		{"SYS_PWRITE", Const, 0, ""},
+		{"SYS_PWRITE64", Const, 0, ""},
+		{"SYS_PWRITEV", Const, 0, ""},
+		{"SYS_PWRITE_NOCANCEL", Const, 0, ""},
+		{"SYS_QUERY_MODULE", Const, 0, ""},
+		{"SYS_QUOTACTL", Const, 0, ""},
+		{"SYS_RASCTL", Const, 1, ""},
+		{"SYS_RCTL_ADD_RULE", Const, 0, ""},
+		{"SYS_RCTL_GET_LIMITS", Const, 0, ""},
+		{"SYS_RCTL_GET_RACCT", Const, 0, ""},
+		{"SYS_RCTL_GET_RULES", Const, 0, ""},
+		{"SYS_RCTL_REMOVE_RULE", Const, 0, ""},
+		{"SYS_READ", Const, 0, ""},
+		{"SYS_READAHEAD", Const, 0, ""},
+		{"SYS_READDIR", Const, 0, ""},
+		{"SYS_READLINK", Const, 0, ""},
+		{"SYS_READLINKAT", Const, 0, ""},
+		{"SYS_READV", Const, 0, ""},
+		{"SYS_READV_NOCANCEL", Const, 0, ""},
+		{"SYS_READ_NOCANCEL", Const, 0, ""},
+		{"SYS_REBOOT", Const, 0, ""},
+		{"SYS_RECV", Const, 0, ""},
+		{"SYS_RECVFROM", Const, 0, ""},
+		{"SYS_RECVFROM_NOCANCEL", Const, 0, ""},
+		{"SYS_RECVMMSG", Const, 0, ""},
+		{"SYS_RECVMSG", Const, 0, ""},
+		{"SYS_RECVMSG_NOCANCEL", Const, 0, ""},
+		{"SYS_REMAP_FILE_PAGES", Const, 0, ""},
+		{"SYS_REMOVEXATTR", Const, 0, ""},
+		{"SYS_RENAME", Const, 0, ""},
+		{"SYS_RENAMEAT", Const, 0, ""},
+		{"SYS_REQUEST_KEY", Const, 0, ""},
+		{"SYS_RESTART_SYSCALL", Const, 0, ""},
+		{"SYS_REVOKE", Const, 0, ""},
+		{"SYS_RFORK", Const, 0, ""},
+		{"SYS_RMDIR", Const, 0, ""},
+		{"SYS_RTPRIO", Const, 0, ""},
+		{"SYS_RTPRIO_THREAD", Const, 0, ""},
+		{"SYS_RT_SIGACTION", Const, 0, ""},
+		{"SYS_RT_SIGPENDING", Const, 0, ""},
+		{"SYS_RT_SIGPROCMASK", Const, 0, ""},
+		{"SYS_RT_SIGQUEUEINFO", Const, 0, ""},
+		{"SYS_RT_SIGRETURN", Const, 0, ""},
+		{"SYS_RT_SIGSUSPEND", Const, 0, ""},
+		{"SYS_RT_SIGTIMEDWAIT", Const, 0, ""},
+		{"SYS_RT_TGSIGQUEUEINFO", Const, 0, ""},
+		{"SYS_SBRK", Const, 0, ""},
+		{"SYS_SCHED_GETAFFINITY", Const, 0, ""},
+		{"SYS_SCHED_GETPARAM", Const, 0, ""},
+		{"SYS_SCHED_GETSCHEDULER", Const, 0, ""},
+		{"SYS_SCHED_GET_PRIORITY_MAX", Const, 0, ""},
+		{"SYS_SCHED_GET_PRIORITY_MIN", Const, 0, ""},
+		{"SYS_SCHED_RR_GET_INTERVAL", Const, 0, ""},
+		{"SYS_SCHED_SETAFFINITY", Const, 0, ""},
+		{"SYS_SCHED_SETPARAM", Const, 0, ""},
+		{"SYS_SCHED_SETSCHEDULER", Const, 0, ""},
+		{"SYS_SCHED_YIELD", Const, 0, ""},
+		{"SYS_SCTP_GENERIC_RECVMSG", Const, 0, ""},
+		{"SYS_SCTP_GENERIC_SENDMSG", Const, 0, ""},
+		{"SYS_SCTP_GENERIC_SENDMSG_IOV", Const, 0, ""},
+		{"SYS_SCTP_PEELOFF", Const, 0, ""},
+		{"SYS_SEARCHFS", Const, 0, ""},
+		{"SYS_SECURITY", Const, 0, ""},
+		{"SYS_SELECT", Const, 0, ""},
+		{"SYS_SELECT_NOCANCEL", Const, 0, ""},
+		{"SYS_SEMCONFIG", Const, 1, ""},
+		{"SYS_SEMCTL", Const, 0, ""},
+		{"SYS_SEMGET", Const, 0, ""},
+		{"SYS_SEMOP", Const, 0, ""},
+		{"SYS_SEMSYS", Const, 0, ""},
+		{"SYS_SEMTIMEDOP", Const, 0, ""},
+		{"SYS_SEM_CLOSE", Const, 0, ""},
+		{"SYS_SEM_DESTROY", Const, 0, ""},
+		{"SYS_SEM_GETVALUE", Const, 0, ""},
+		{"SYS_SEM_INIT", Const, 0, ""},
+		{"SYS_SEM_OPEN", Const, 0, ""},
+		{"SYS_SEM_POST", Const, 0, ""},
+		{"SYS_SEM_TRYWAIT", Const, 0, ""},
+		{"SYS_SEM_UNLINK", Const, 0, ""},
+		{"SYS_SEM_WAIT", Const, 0, ""},
+		{"SYS_SEM_WAIT_NOCANCEL", Const, 0, ""},
+		{"SYS_SEND", Const, 0, ""},
+		{"SYS_SENDFILE", Const, 0, ""},
+		{"SYS_SENDFILE64", Const, 0, ""},
+		{"SYS_SENDMMSG", Const, 0, ""},
+		{"SYS_SENDMSG", Const, 0, ""},
+		{"SYS_SENDMSG_NOCANCEL", Const, 0, ""},
+		{"SYS_SENDTO", Const, 0, ""},
+		{"SYS_SENDTO_NOCANCEL", Const, 0, ""},
+		{"SYS_SETATTRLIST", Const, 0, ""},
+		{"SYS_SETAUDIT", Const, 0, ""},
+		{"SYS_SETAUDIT_ADDR", Const, 0, ""},
+		{"SYS_SETAUID", Const, 0, ""},
+		{"SYS_SETCONTEXT", Const, 0, ""},
+		{"SYS_SETDOMAINNAME", Const, 0, ""},
+		{"SYS_SETEGID", Const, 0, ""},
+		{"SYS_SETEUID", Const, 0, ""},
+		{"SYS_SETFIB", Const, 0, ""},
+		{"SYS_SETFSGID", Const, 0, ""},
+		{"SYS_SETFSGID32", Const, 0, ""},
+		{"SYS_SETFSUID", Const, 0, ""},
+		{"SYS_SETFSUID32", Const, 0, ""},
+		{"SYS_SETGID", Const, 0, ""},
+		{"SYS_SETGID32", Const, 0, ""},
+		{"SYS_SETGROUPS", Const, 0, ""},
+		{"SYS_SETGROUPS32", Const, 0, ""},
+		{"SYS_SETHOSTNAME", Const, 0, ""},
+		{"SYS_SETITIMER", Const, 0, ""},
+		{"SYS_SETLCID", Const, 0, ""},
+		{"SYS_SETLOGIN", Const, 0, ""},
+		{"SYS_SETLOGINCLASS", Const, 0, ""},
+		{"SYS_SETNS", Const, 0, ""},
+		{"SYS_SETPGID", Const, 0, ""},
+		{"SYS_SETPRIORITY", Const, 0, ""},
+		{"SYS_SETPRIVEXEC", Const, 0, ""},
+		{"SYS_SETREGID", Const, 0, ""},
+		{"SYS_SETREGID32", Const, 0, ""},
+		{"SYS_SETRESGID", Const, 0, ""},
+		{"SYS_SETRESGID32", Const, 0, ""},
+		{"SYS_SETRESUID", Const, 0, ""},
+		{"SYS_SETRESUID32", Const, 0, ""},
+		{"SYS_SETREUID", Const, 0, ""},
+		{"SYS_SETREUID32", Const, 0, ""},
+		{"SYS_SETRLIMIT", Const, 0, ""},
+		{"SYS_SETRTABLE", Const, 1, ""},
+		{"SYS_SETSGROUPS", Const, 0, ""},
+		{"SYS_SETSID", Const, 0, ""},
+		{"SYS_SETSOCKOPT", Const, 0, ""},
+		{"SYS_SETTID", Const, 0, ""},
+		{"SYS_SETTID_WITH_PID", Const, 0, ""},
+		{"SYS_SETTIMEOFDAY", Const, 0, ""},
+		{"SYS_SETUID", Const, 0, ""},
+		{"SYS_SETUID32", Const, 0, ""},
+		{"SYS_SETWGROUPS", Const, 0, ""},
+		{"SYS_SETXATTR", Const, 0, ""},
+		{"SYS_SET_MEMPOLICY", Const, 0, ""},
+		{"SYS_SET_ROBUST_LIST", Const, 0, ""},
+		{"SYS_SET_THREAD_AREA", Const, 0, ""},
+		{"SYS_SET_TID_ADDRESS", Const, 0, ""},
+		{"SYS_SGETMASK", Const, 0, ""},
+		{"SYS_SHARED_REGION_CHECK_NP", Const, 0, ""},
+		{"SYS_SHARED_REGION_MAP_AND_SLIDE_NP", Const, 0, ""},
+		{"SYS_SHMAT", Const, 0, ""},
+		{"SYS_SHMCTL", Const, 0, ""},
+		{"SYS_SHMDT", Const, 0, ""},
+		{"SYS_SHMGET", Const, 0, ""},
+		{"SYS_SHMSYS", Const, 0, ""},
+		{"SYS_SHM_OPEN", Const, 0, ""},
+		{"SYS_SHM_UNLINK", Const, 0, ""},
+		{"SYS_SHUTDOWN", Const, 0, ""},
+		{"SYS_SIGACTION", Const, 0, ""},
+		{"SYS_SIGALTSTACK", Const, 0, ""},
+		{"SYS_SIGNAL", Const, 0, ""},
+		{"SYS_SIGNALFD", Const, 0, ""},
+		{"SYS_SIGNALFD4", Const, 0, ""},
+		{"SYS_SIGPENDING", Const, 0, ""},
+		{"SYS_SIGPROCMASK", Const, 0, ""},
+		{"SYS_SIGQUEUE", Const, 0, ""},
+		{"SYS_SIGQUEUEINFO", Const, 1, ""},
+		{"SYS_SIGRETURN", Const, 0, ""},
+		{"SYS_SIGSUSPEND", Const, 0, ""},
+		{"SYS_SIGSUSPEND_NOCANCEL", Const, 0, ""},
+		{"SYS_SIGTIMEDWAIT", Const, 0, ""},
+		{"SYS_SIGWAIT", Const, 0, ""},
+		{"SYS_SIGWAITINFO", Const, 0, ""},
+		{"SYS_SOCKET", Const, 0, ""},
+		{"SYS_SOCKETCALL", Const, 0, ""},
+		{"SYS_SOCKETPAIR", Const, 0, ""},
+		{"SYS_SPLICE", Const, 0, ""},
+		{"SYS_SSETMASK", Const, 0, ""},
+		{"SYS_SSTK", Const, 0, ""},
+		{"SYS_STACK_SNAPSHOT", Const, 0, ""},
+		{"SYS_STAT", Const, 0, ""},
+		{"SYS_STAT64", Const, 0, ""},
+		{"SYS_STAT64_EXTENDED", Const, 0, ""},
+		{"SYS_STATFS", Const, 0, ""},
+		{"SYS_STATFS64", Const, 0, ""},
+		{"SYS_STATV", Const, 0, ""},
+		{"SYS_STATVFS1", Const, 1, ""},
+		{"SYS_STAT_EXTENDED", Const, 0, ""},
+		{"SYS_STIME", Const, 0, ""},
+		{"SYS_STTY", Const, 0, ""},
+		{"SYS_SWAPCONTEXT", Const, 0, ""},
+		{"SYS_SWAPCTL", Const, 1, ""},
+		{"SYS_SWAPOFF", Const, 0, ""},
+		{"SYS_SWAPON", Const, 0, ""},
+		{"SYS_SYMLINK", Const, 0, ""},
+		{"SYS_SYMLINKAT", Const, 0, ""},
+		{"SYS_SYNC", Const, 0, ""},
+		{"SYS_SYNCFS", Const, 0, ""},
+		{"SYS_SYNC_FILE_RANGE", Const, 0, ""},
+		{"SYS_SYSARCH", Const, 0, ""},
+		{"SYS_SYSCALL", Const, 0, ""},
+		{"SYS_SYSCALL_BASE", Const, 0, ""},
+		{"SYS_SYSFS", Const, 0, ""},
+		{"SYS_SYSINFO", Const, 0, ""},
+		{"SYS_SYSLOG", Const, 0, ""},
+		{"SYS_TEE", Const, 0, ""},
+		{"SYS_TGKILL", Const, 0, ""},
+		{"SYS_THREAD_SELFID", Const, 0, ""},
+		{"SYS_THR_CREATE", Const, 0, ""},
+		{"SYS_THR_EXIT", Const, 0, ""},
+		{"SYS_THR_KILL", Const, 0, ""},
+		{"SYS_THR_KILL2", Const, 0, ""},
+		{"SYS_THR_NEW", Const, 0, ""},
+		{"SYS_THR_SELF", Const, 0, ""},
+		{"SYS_THR_SET_NAME", Const, 0, ""},
+		{"SYS_THR_SUSPEND", Const, 0, ""},
+		{"SYS_THR_WAKE", Const, 0, ""},
+		{"SYS_TIME", Const, 0, ""},
+		{"SYS_TIMERFD_CREATE", Const, 0, ""},
+		{"SYS_TIMERFD_GETTIME", Const, 0, ""},
+		{"SYS_TIMERFD_SETTIME", Const, 0, ""},
+		{"SYS_TIMER_CREATE", Const, 0, ""},
+		{"SYS_TIMER_DELETE", Const, 0, ""},
+		{"SYS_TIMER_GETOVERRUN", Const, 0, ""},
+		{"SYS_TIMER_GETTIME", Const, 0, ""},
+		{"SYS_TIMER_SETTIME", Const, 0, ""},
+		{"SYS_TIMES", Const, 0, ""},
+		{"SYS_TKILL", Const, 0, ""},
+		{"SYS_TRUNCATE", Const, 0, ""},
+		{"SYS_TRUNCATE64", Const, 0, ""},
+		{"SYS_TUXCALL", Const, 0, ""},
+		{"SYS_UGETRLIMIT", Const, 0, ""},
+		{"SYS_ULIMIT", Const, 0, ""},
+		{"SYS_UMASK", Const, 0, ""},
+		{"SYS_UMASK_EXTENDED", Const, 0, ""},
+		{"SYS_UMOUNT", Const, 0, ""},
+		{"SYS_UMOUNT2", Const, 0, ""},
+		{"SYS_UNAME", Const, 0, ""},
+		{"SYS_UNDELETE", Const, 0, ""},
+		{"SYS_UNLINK", Const, 0, ""},
+		{"SYS_UNLINKAT", Const, 0, ""},
+		{"SYS_UNMOUNT", Const, 0, ""},
+		{"SYS_UNSHARE", Const, 0, ""},
+		{"SYS_USELIB", Const, 0, ""},
+		{"SYS_USTAT", Const, 0, ""},
+		{"SYS_UTIME", Const, 0, ""},
+		{"SYS_UTIMENSAT", Const, 0, ""},
+		{"SYS_UTIMES", Const, 0, ""},
+		{"SYS_UTRACE", Const, 0, ""},
+		{"SYS_UUIDGEN", Const, 0, ""},
+		{"SYS_VADVISE", Const, 1, ""},
+		{"SYS_VFORK", Const, 0, ""},
+		{"SYS_VHANGUP", Const, 0, ""},
+		{"SYS_VM86", Const, 0, ""},
+		{"SYS_VM86OLD", Const, 0, ""},
+		{"SYS_VMSPLICE", Const, 0, ""},
+		{"SYS_VM_PRESSURE_MONITOR", Const, 0, ""},
+		{"SYS_VSERVER", Const, 0, ""},
+		{"SYS_WAIT4", Const, 0, ""},
+		{"SYS_WAIT4_NOCANCEL", Const, 0, ""},
+		{"SYS_WAIT6", Const, 1, ""},
+		{"SYS_WAITEVENT", Const, 0, ""},
+		{"SYS_WAITID", Const, 0, ""},
+		{"SYS_WAITID_NOCANCEL", Const, 0, ""},
+		{"SYS_WAITPID", Const, 0, ""},
+		{"SYS_WATCHEVENT", Const, 0, ""},
+		{"SYS_WORKQ_KERNRETURN", Const, 0, ""},
+		{"SYS_WORKQ_OPEN", Const, 0, ""},
+		{"SYS_WRITE", Const, 0, ""},
+		{"SYS_WRITEV", Const, 0, ""},
+		{"SYS_WRITEV_NOCANCEL", Const, 0, ""},
+		{"SYS_WRITE_NOCANCEL", Const, 0, ""},
+		{"SYS_YIELD", Const, 0, ""},
+		{"SYS__LLSEEK", Const, 0, ""},
+		{"SYS__LWP_CONTINUE", Const, 1, ""},
+		{"SYS__LWP_CREATE", Const, 1, ""},
+		{"SYS__LWP_CTL", Const, 1, ""},
+		{"SYS__LWP_DETACH", Const, 1, ""},
+		{"SYS__LWP_EXIT", Const, 1, ""},
+		{"SYS__LWP_GETNAME", Const, 1, ""},
+		{"SYS__LWP_GETPRIVATE", Const, 1, ""},
+		{"SYS__LWP_KILL", Const, 1, ""},
+		{"SYS__LWP_PARK", Const, 1, ""},
+		{"SYS__LWP_SELF", Const, 1, ""},
+		{"SYS__LWP_SETNAME", Const, 1, ""},
+		{"SYS__LWP_SETPRIVATE", Const, 1, ""},
+		{"SYS__LWP_SUSPEND", Const, 1, ""},
+		{"SYS__LWP_UNPARK", Const, 1, ""},
+		{"SYS__LWP_UNPARK_ALL", Const, 1, ""},
+		{"SYS__LWP_WAIT", Const, 1, ""},
+		{"SYS__LWP_WAKEUP", Const, 1, ""},
+		{"SYS__NEWSELECT", Const, 0, ""},
+		{"SYS__PSET_BIND", Const, 1, ""},
+		{"SYS__SCHED_GETAFFINITY", Const, 1, ""},
+		{"SYS__SCHED_GETPARAM", Const, 1, ""},
+		{"SYS__SCHED_SETAFFINITY", Const, 1, ""},
+		{"SYS__SCHED_SETPARAM", Const, 1, ""},
+		{"SYS__SYSCTL", Const, 0, ""},
+		{"SYS__UMTX_LOCK", Const, 0, ""},
+		{"SYS__UMTX_OP", Const, 0, ""},
+		{"SYS__UMTX_UNLOCK", Const, 0, ""},
+		{"SYS___ACL_ACLCHECK_FD", Const, 0, ""},
+		{"SYS___ACL_ACLCHECK_FILE", Const, 0, ""},
+		{"SYS___ACL_ACLCHECK_LINK", Const, 0, ""},
+		{"SYS___ACL_DELETE_FD", Const, 0, ""},
+		{"SYS___ACL_DELETE_FILE", Const, 0, ""},
+		{"SYS___ACL_DELETE_LINK", Const, 0, ""},
+		{"SYS___ACL_GET_FD", Const, 0, ""},
+		{"SYS___ACL_GET_FILE", Const, 0, ""},
+		{"SYS___ACL_GET_LINK", Const, 0, ""},
+		{"SYS___ACL_SET_FD", Const, 0, ""},
+		{"SYS___ACL_SET_FILE", Const, 0, ""},
+		{"SYS___ACL_SET_LINK", Const, 0, ""},
+		{"SYS___CAP_RIGHTS_GET", Const, 14, ""},
+		{"SYS___CLONE", Const, 1, ""},
+		{"SYS___DISABLE_THREADSIGNAL", Const, 0, ""},
+		{"SYS___GETCWD", Const, 0, ""},
+		{"SYS___GETLOGIN", Const, 1, ""},
+		{"SYS___GET_TCB", Const, 1, ""},
+		{"SYS___MAC_EXECVE", Const, 0, ""},
+		{"SYS___MAC_GETFSSTAT", Const, 0, ""},
+		{"SYS___MAC_GET_FD", Const, 0, ""},
+		{"SYS___MAC_GET_FILE", Const, 0, ""},
+		{"SYS___MAC_GET_LCID", Const, 0, ""},
+		{"SYS___MAC_GET_LCTX", Const, 0, ""},
+		{"SYS___MAC_GET_LINK", Const, 0, ""},
+		{"SYS___MAC_GET_MOUNT", Const, 0, ""},
+		{"SYS___MAC_GET_PID", Const, 0, ""},
+		{"SYS___MAC_GET_PROC", Const, 0, ""},
+		{"SYS___MAC_MOUNT", Const, 0, ""},
+		{"SYS___MAC_SET_FD", Const, 0, ""},
+		{"SYS___MAC_SET_FILE", Const, 0, ""},
+		{"SYS___MAC_SET_LCTX", Const, 0, ""},
+		{"SYS___MAC_SET_LINK", Const, 0, ""},
+		{"SYS___MAC_SET_PROC", Const, 0, ""},
+		{"SYS___MAC_SYSCALL", Const, 0, ""},
+		{"SYS___OLD_SEMWAIT_SIGNAL", Const, 0, ""},
+		{"SYS___OLD_SEMWAIT_SIGNAL_NOCANCEL", Const, 0, ""},
+		{"SYS___POSIX_CHOWN", Const, 1, ""},
+		{"SYS___POSIX_FCHOWN", Const, 1, ""},
+		{"SYS___POSIX_LCHOWN", Const, 1, ""},
+		{"SYS___POSIX_RENAME", Const, 1, ""},
+		{"SYS___PTHREAD_CANCELED", Const, 0, ""},
+		{"SYS___PTHREAD_CHDIR", Const, 0, ""},
+		{"SYS___PTHREAD_FCHDIR", Const, 0, ""},
+		{"SYS___PTHREAD_KILL", Const, 0, ""},
+		{"SYS___PTHREAD_MARKCANCEL", Const, 0, ""},
+		{"SYS___PTHREAD_SIGMASK", Const, 0, ""},
+		{"SYS___QUOTACTL", Const, 1, ""},
+		{"SYS___SEMCTL", Const, 1, ""},
+		{"SYS___SEMWAIT_SIGNAL", Const, 0, ""},
+		{"SYS___SEMWAIT_SIGNAL_NOCANCEL", Const, 0, ""},
+		{"SYS___SETLOGIN", Const, 1, ""},
+		{"SYS___SETUGID", Const, 0, ""},
+		{"SYS___SET_TCB", Const, 1, ""},
+		{"SYS___SIGACTION_SIGTRAMP", Const, 1, ""},
+		{"SYS___SIGTIMEDWAIT", Const, 1, ""},
+		{"SYS___SIGWAIT", Const, 0, ""},
+		{"SYS___SIGWAIT_NOCANCEL", Const, 0, ""},
+		{"SYS___SYSCTL", Const, 0, ""},
+		{"SYS___TFORK", Const, 1, ""},
+		{"SYS___THREXIT", Const, 1, ""},
+		{"SYS___THRSIGDIVERT", Const, 1, ""},
+		{"SYS___THRSLEEP", Const, 1, ""},
+		{"SYS___THRWAKEUP", Const, 1, ""},
+		{"S_ARCH1", Const, 1, ""},
+		{"S_ARCH2", Const, 1, ""},
+		{"S_BLKSIZE", Const, 0, ""},
+		{"S_IEXEC", Const, 0, ""},
+		{"S_IFBLK", Const, 0, ""},
+		{"S_IFCHR", Const, 0, ""},
+		{"S_IFDIR", Const, 0, ""},
+		{"S_IFIFO", Const, 0, ""},
+		{"S_IFLNK", Const, 0, ""},
+		{"S_IFMT", Const, 0, ""},
+		{"S_IFREG", Const, 0, ""},
+		{"S_IFSOCK", Const, 0, ""},
+		{"S_IFWHT", Const, 0, ""},
+		{"S_IREAD", Const, 0, ""},
+		{"S_IRGRP", Const, 0, ""},
+		{"S_IROTH", Const, 0, ""},
+		{"S_IRUSR", Const, 0, ""},
+		{"S_IRWXG", Const, 0, ""},
+		{"S_IRWXO", Const, 0, ""},
+		{"S_IRWXU", Const, 0, ""},
+		{"S_ISGID", Const, 0, ""},
+		{"S_ISTXT", Const, 0, ""},
+		{"S_ISUID", Const, 0, ""},
+		{"S_ISVTX", Const, 0, ""},
+		{"S_IWGRP", Const, 0, ""},
+		{"S_IWOTH", Const, 0, ""},
+		{"S_IWRITE", Const, 0, ""},
+		{"S_IWUSR", Const, 0, ""},
+		{"S_IXGRP", Const, 0, ""},
+		{"S_IXOTH", Const, 0, ""},
+		{"S_IXUSR", Const, 0, ""},
+		{"S_LOGIN_SET", Const, 1, ""},
+		{"SecurityAttributes", Type, 0, ""},
+		{"SecurityAttributes.InheritHandle", Field, 0, ""},
+		{"SecurityAttributes.Length", Field, 0, ""},
+		{"SecurityAttributes.SecurityDescriptor", Field, 0, ""},
+		{"Seek", Func, 0, "func(fd int, offset int64, whence int) (off int64, err error)"},
+		{"Select", Func, 0, "func(nfd int, r *FdSet, w *FdSet, e *FdSet, timeout *Timeval) (n int, err error)"},
+		{"Sendfile", Func, 0, "func(outfd int, infd int, offset *int64, count int) (written int, err error)"},
+		{"Sendmsg", Func, 0, "func(fd int, p []byte, oob []byte, to Sockaddr, flags int) (err error)"},
+		{"SendmsgN", Func, 3, "func(fd int, p []byte, oob []byte, to Sockaddr, flags int) (n int, err error)"},
+		{"Sendto", Func, 0, "func(fd int, p []byte, flags int, to Sockaddr) (err error)"},
+		{"Servent", Type, 0, ""},
+		{"Servent.Aliases", Field, 0, ""},
+		{"Servent.Name", Field, 0, ""},
+		{"Servent.Port", Field, 0, ""},
+		{"Servent.Proto", Field, 0, ""},
+		{"SetBpf", Func, 0, ""},
+		{"SetBpfBuflen", Func, 0, ""},
+		{"SetBpfDatalink", Func, 0, ""},
+		{"SetBpfHeadercmpl", Func, 0, ""},
+		{"SetBpfImmediate", Func, 0, ""},
+		{"SetBpfInterface", Func, 0, ""},
+		{"SetBpfPromisc", Func, 0, ""},
+		{"SetBpfTimeout", Func, 0, ""},
+		{"SetCurrentDirectory", Func, 0, ""},
+		{"SetEndOfFile", Func, 0, ""},
+		{"SetEnvironmentVariable", Func, 0, ""},
+		{"SetFileAttributes", Func, 0, ""},
+		{"SetFileCompletionNotificationModes", Func, 2, ""},
+		{"SetFilePointer", Func, 0, ""},
+		{"SetFileTime", Func, 0, ""},
+		{"SetHandleInformation", Func, 0, ""},
+		{"SetKevent", Func, 0, ""},
+		{"SetLsfPromisc", Func, 0, "func(name string, m bool) error"},
+		{"SetNonblock", Func, 0, "func(fd int, nonblocking bool) (err error)"},
+		{"Setdomainname", Func, 0, "func(p []byte) (err error)"},
+		{"Setegid", Func, 0, "func(egid int) (err error)"},
+		{"Setenv", Func, 0, "func(key string, value string) error"},
+		{"Seteuid", Func, 0, "func(euid int) (err error)"},
+		{"Setfsgid", Func, 0, "func(gid int) (err error)"},
+		{"Setfsuid", Func, 0, "func(uid int) (err error)"},
+		{"Setgid", Func, 0, "func(gid int) (err error)"},
+		{"Setgroups", Func, 0, "func(gids []int) (err error)"},
+		{"Sethostname", Func, 0, "func(p []byte) (err error)"},
+		{"Setlogin", Func, 0, ""},
+		{"Setpgid", Func, 0, "func(pid int, pgid int) (err error)"},
+		{"Setpriority", Func, 0, "func(which int, who int, prio int) (err error)"},
+		{"Setprivexec", Func, 0, ""},
+		{"Setregid", Func, 0, "func(rgid int, egid int) (err error)"},
+		{"Setresgid", Func, 0, "func(rgid int, egid int, sgid int) (err error)"},
+		{"Setresuid", Func, 0, "func(ruid int, euid int, suid int) (err error)"},
+		{"Setreuid", Func, 0, "func(ruid int, euid int) (err error)"},
+		{"Setrlimit", Func, 0, "func(resource int, rlim *Rlimit) error"},
+		{"Setsid", Func, 0, "func() (pid int, err error)"},
+		{"Setsockopt", Func, 0, ""},
+		{"SetsockoptByte", Func, 0, "func(fd int, level int, opt int, value byte) (err error)"},
+		{"SetsockoptICMPv6Filter", Func, 2, "func(fd int, level int, opt int, filter *ICMPv6Filter) error"},
+		{"SetsockoptIPMreq", Func, 0, "func(fd int, level int, opt int, mreq *IPMreq) (err error)"},
+		{"SetsockoptIPMreqn", Func, 0, "func(fd int, level int, opt int, mreq *IPMreqn) (err error)"},
+		{"SetsockoptIPv6Mreq", Func, 0, "func(fd int, level int, opt int, mreq *IPv6Mreq) (err error)"},
+		{"SetsockoptInet4Addr", Func, 0, "func(fd int, level int, opt int, value [4]byte) (err error)"},
+		{"SetsockoptInt", Func, 0, "func(fd int, level int, opt int, value int) (err error)"},
+		{"SetsockoptLinger", Func, 0, "func(fd int, level int, opt int, l *Linger) (err error)"},
+		{"SetsockoptString", Func, 0, "func(fd int, level int, opt int, s string) (err error)"},
+		{"SetsockoptTimeval", Func, 0, "func(fd int, level int, opt int, tv *Timeval) (err error)"},
+		{"Settimeofday", Func, 0, "func(tv *Timeval) (err error)"},
+		{"Setuid", Func, 0, "func(uid int) (err error)"},
+		{"Setxattr", Func, 1, "func(path string, attr string, data []byte, flags int) (err error)"},
+		{"Shutdown", Func, 0, "func(fd int, how int) (err error)"},
+		{"SidTypeAlias", Const, 0, ""},
+		{"SidTypeComputer", Const, 0, ""},
+		{"SidTypeDeletedAccount", Const, 0, ""},
+		{"SidTypeDomain", Const, 0, ""},
+		{"SidTypeGroup", Const, 0, ""},
+		{"SidTypeInvalid", Const, 0, ""},
+		{"SidTypeLabel", Const, 0, ""},
+		{"SidTypeUnknown", Const, 0, ""},
+		{"SidTypeUser", Const, 0, ""},
+		{"SidTypeWellKnownGroup", Const, 0, ""},
+		{"Signal", Type, 0, ""},
+		{"SizeofBpfHdr", Const, 0, ""},
+		{"SizeofBpfInsn", Const, 0, ""},
+		{"SizeofBpfProgram", Const, 0, ""},
+		{"SizeofBpfStat", Const, 0, ""},
+		{"SizeofBpfVersion", Const, 0, ""},
+		{"SizeofBpfZbuf", Const, 0, ""},
+		{"SizeofBpfZbufHeader", Const, 0, ""},
+		{"SizeofCmsghdr", Const, 0, ""},
+		{"SizeofICMPv6Filter", Const, 2, ""},
+		{"SizeofIPMreq", Const, 0, ""},
+		{"SizeofIPMreqn", Const, 0, ""},
+		{"SizeofIPv6MTUInfo", Const, 2, ""},
+		{"SizeofIPv6Mreq", Const, 0, ""},
+		{"SizeofIfAddrmsg", Const, 0, ""},
+		{"SizeofIfAnnounceMsghdr", Const, 1, ""},
+		{"SizeofIfData", Const, 0, ""},
+		{"SizeofIfInfomsg", Const, 0, ""},
+		{"SizeofIfMsghdr", Const, 0, ""},
+		{"SizeofIfaMsghdr", Const, 0, ""},
+		{"SizeofIfmaMsghdr", Const, 0, ""},
+		{"SizeofIfmaMsghdr2", Const, 0, ""},
+		{"SizeofInet4Pktinfo", Const, 0, ""},
+		{"SizeofInet6Pktinfo", Const, 0, ""},
+		{"SizeofInotifyEvent", Const, 0, ""},
+		{"SizeofLinger", Const, 0, ""},
+		{"SizeofMsghdr", Const, 0, ""},
+		{"SizeofNlAttr", Const, 0, ""},
+		{"SizeofNlMsgerr", Const, 0, ""},
+		{"SizeofNlMsghdr", Const, 0, ""},
+		{"SizeofRtAttr", Const, 0, ""},
+		{"SizeofRtGenmsg", Const, 0, ""},
+		{"SizeofRtMetrics", Const, 0, ""},
+		{"SizeofRtMsg", Const, 0, ""},
+		{"SizeofRtMsghdr", Const, 0, ""},
+		{"SizeofRtNexthop", Const, 0, ""},
+		{"SizeofSockFilter", Const, 0, ""},
+		{"SizeofSockFprog", Const, 0, ""},
+		{"SizeofSockaddrAny", Const, 0, ""},
+		{"SizeofSockaddrDatalink", Const, 0, ""},
+		{"SizeofSockaddrInet4", Const, 0, ""},
+		{"SizeofSockaddrInet6", Const, 0, ""},
+		{"SizeofSockaddrLinklayer", Const, 0, ""},
+		{"SizeofSockaddrNetlink", Const, 0, ""},
+		{"SizeofSockaddrUnix", Const, 0, ""},
+		{"SizeofTCPInfo", Const, 1, ""},
+		{"SizeofUcred", Const, 0, ""},
+		{"SlicePtrFromStrings", Func, 1, "func(ss []string) ([]*byte, error)"},
+		{"SockFilter", Type, 0, ""},
+		{"SockFilter.Code", Field, 0, ""},
+		{"SockFilter.Jf", Field, 0, ""},
+		{"SockFilter.Jt", Field, 0, ""},
+		{"SockFilter.K", Field, 0, ""},
+		{"SockFprog", Type, 0, ""},
+		{"SockFprog.Filter", Field, 0, ""},
+		{"SockFprog.Len", Field, 0, ""},
+		{"SockFprog.Pad_cgo_0", Field, 0, ""},
+		{"SockaddrDatalink", Type, 0, ""},
+		{"SockaddrDatalink.Alen", Field, 0, ""},
+		{"SockaddrDatalink.Data", Field, 0, ""},
+		{"SockaddrDatalink.Family", Field, 0, ""},
+		{"SockaddrDatalink.Index", Field, 0, ""},
+		{"SockaddrDatalink.Len", Field, 0, ""},
+		{"SockaddrDatalink.Nlen", Field, 0, ""},
+		{"SockaddrDatalink.Slen", Field, 0, ""},
+		{"SockaddrDatalink.Type", Field, 0, ""},
+		{"SockaddrGen", Type, 0, ""},
+		{"SockaddrInet4", Type, 0, ""},
+		{"SockaddrInet4.Addr", Field, 0, ""},
+		{"SockaddrInet4.Port", Field, 0, ""},
+		{"SockaddrInet6", Type, 0, ""},
+		{"SockaddrInet6.Addr", Field, 0, ""},
+		{"SockaddrInet6.Port", Field, 0, ""},
+		{"SockaddrInet6.ZoneId", Field, 0, ""},
+		{"SockaddrLinklayer", Type, 0, ""},
+		{"SockaddrLinklayer.Addr", Field, 0, ""},
+		{"SockaddrLinklayer.Halen", Field, 0, ""},
+		{"SockaddrLinklayer.Hatype", Field, 0, ""},
+		{"SockaddrLinklayer.Ifindex", Field, 0, ""},
+		{"SockaddrLinklayer.Pkttype", Field, 0, ""},
+		{"SockaddrLinklayer.Protocol", Field, 0, ""},
+		{"SockaddrNetlink", Type, 0, ""},
+		{"SockaddrNetlink.Family", Field, 0, ""},
+		{"SockaddrNetlink.Groups", Field, 0, ""},
+		{"SockaddrNetlink.Pad", Field, 0, ""},
+		{"SockaddrNetlink.Pid", Field, 0, ""},
+		{"SockaddrUnix", Type, 0, ""},
+		{"SockaddrUnix.Name", Field, 0, ""},
+		{"Socket", Func, 0, "func(domain int, typ int, proto int) (fd int, err error)"},
+		{"SocketControlMessage", Type, 0, ""},
+		{"SocketControlMessage.Data", Field, 0, ""},
+		{"SocketControlMessage.Header", Field, 0, ""},
+		{"SocketDisableIPv6", Var, 0, ""},
+		{"Socketpair", Func, 0, "func(domain int, typ int, proto int) (fd [2]int, err error)"},
+		{"Splice", Func, 0, "func(rfd int, roff *int64, wfd int, woff *int64, len int, flags int) (n int64, err error)"},
+		{"StartProcess", Func, 0, "func(argv0 string, argv []string, attr *ProcAttr) (pid int, handle uintptr, err error)"},
+		{"StartupInfo", Type, 0, ""},
+		{"StartupInfo.Cb", Field, 0, ""},
+		{"StartupInfo.Desktop", Field, 0, ""},
+		{"StartupInfo.FillAttribute", Field, 0, ""},
+		{"StartupInfo.Flags", Field, 0, ""},
+		{"StartupInfo.ShowWindow", Field, 0, ""},
+		{"StartupInfo.StdErr", Field, 0, ""},
+		{"StartupInfo.StdInput", Field, 0, ""},
+		{"StartupInfo.StdOutput", Field, 0, ""},
+		{"StartupInfo.Title", Field, 0, ""},
+		{"StartupInfo.X", Field, 0, ""},
+		{"StartupInfo.XCountChars", Field, 0, ""},
+		{"StartupInfo.XSize", Field, 0, ""},
+		{"StartupInfo.Y", Field, 0, ""},
+		{"StartupInfo.YCountChars", Field, 0, ""},
+		{"StartupInfo.YSize", Field, 0, ""},
+		{"Stat", Func, 0, "func(path string, stat *Stat_t) (err error)"},
+		{"Stat_t", Type, 0, ""},
+		{"Stat_t.Atim", Field, 0, ""},
+		{"Stat_t.Atim_ext", Field, 12, ""},
+		{"Stat_t.Atimespec", Field, 0, ""},
+		{"Stat_t.Birthtimespec", Field, 0, ""},
+		{"Stat_t.Blksize", Field, 0, ""},
+		{"Stat_t.Blocks", Field, 0, ""},
+		{"Stat_t.Btim_ext", Field, 12, ""},
+		{"Stat_t.Ctim", Field, 0, ""},
+		{"Stat_t.Ctim_ext", Field, 12, ""},
+		{"Stat_t.Ctimespec", Field, 0, ""},
+		{"Stat_t.Dev", Field, 0, ""},
+		{"Stat_t.Flags", Field, 0, ""},
+		{"Stat_t.Gen", Field, 0, ""},
+		{"Stat_t.Gid", Field, 0, ""},
+		{"Stat_t.Ino", Field, 0, ""},
+		{"Stat_t.Lspare", Field, 0, ""},
+		{"Stat_t.Lspare0", Field, 2, ""},
+		{"Stat_t.Lspare1", Field, 2, ""},
+		{"Stat_t.Mode", Field, 0, ""},
+		{"Stat_t.Mtim", Field, 0, ""},
+		{"Stat_t.Mtim_ext", Field, 12, ""},
+		{"Stat_t.Mtimespec", Field, 0, ""},
+		{"Stat_t.Nlink", Field, 0, ""},
+		{"Stat_t.Pad_cgo_0", Field, 0, ""},
+		{"Stat_t.Pad_cgo_1", Field, 0, ""},
+		{"Stat_t.Pad_cgo_2", Field, 0, ""},
+		{"Stat_t.Padding0", Field, 12, ""},
+		{"Stat_t.Padding1", Field, 12, ""},
+		{"Stat_t.Qspare", Field, 0, ""},
+		{"Stat_t.Rdev", Field, 0, ""},
+		{"Stat_t.Size", Field, 0, ""},
+		{"Stat_t.Spare", Field, 2, ""},
+		{"Stat_t.Uid", Field, 0, ""},
+		{"Stat_t.X__pad0", Field, 0, ""},
+		{"Stat_t.X__pad1", Field, 0, ""},
+		{"Stat_t.X__pad2", Field, 0, ""},
+		{"Stat_t.X__st_birthtim", Field, 2, ""},
+		{"Stat_t.X__st_ino", Field, 0, ""},
+		{"Stat_t.X__unused", Field, 0, ""},
+		{"Statfs", Func, 0, "func(path string, buf *Statfs_t) (err error)"},
+		{"Statfs_t", Type, 0, ""},
+		{"Statfs_t.Asyncreads", Field, 0, ""},
+		{"Statfs_t.Asyncwrites", Field, 0, ""},
+		{"Statfs_t.Bavail", Field, 0, ""},
+		{"Statfs_t.Bfree", Field, 0, ""},
+		{"Statfs_t.Blocks", Field, 0, ""},
+		{"Statfs_t.Bsize", Field, 0, ""},
+		{"Statfs_t.Charspare", Field, 0, ""},
+		{"Statfs_t.F_asyncreads", Field, 2, ""},
+		{"Statfs_t.F_asyncwrites", Field, 2, ""},
+		{"Statfs_t.F_bavail", Field, 2, ""},
+		{"Statfs_t.F_bfree", Field, 2, ""},
+		{"Statfs_t.F_blocks", Field, 2, ""},
+		{"Statfs_t.F_bsize", Field, 2, ""},
+		{"Statfs_t.F_ctime", Field, 2, ""},
+		{"Statfs_t.F_favail", Field, 2, ""},
+		{"Statfs_t.F_ffree", Field, 2, ""},
+		{"Statfs_t.F_files", Field, 2, ""},
+		{"Statfs_t.F_flags", Field, 2, ""},
+		{"Statfs_t.F_fsid", Field, 2, ""},
+		{"Statfs_t.F_fstypename", Field, 2, ""},
+		{"Statfs_t.F_iosize", Field, 2, ""},
+		{"Statfs_t.F_mntfromname", Field, 2, ""},
+		{"Statfs_t.F_mntfromspec", Field, 3, ""},
+		{"Statfs_t.F_mntonname", Field, 2, ""},
+		{"Statfs_t.F_namemax", Field, 2, ""},
+		{"Statfs_t.F_owner", Field, 2, ""},
+		{"Statfs_t.F_spare", Field, 2, ""},
+		{"Statfs_t.F_syncreads", Field, 2, ""},
+		{"Statfs_t.F_syncwrites", Field, 2, ""},
+		{"Statfs_t.Ffree", Field, 0, ""},
+		{"Statfs_t.Files", Field, 0, ""},
+		{"Statfs_t.Flags", Field, 0, ""},
+		{"Statfs_t.Frsize", Field, 0, ""},
+		{"Statfs_t.Fsid", Field, 0, ""},
+		{"Statfs_t.Fssubtype", Field, 0, ""},
+		{"Statfs_t.Fstypename", Field, 0, ""},
+		{"Statfs_t.Iosize", Field, 0, ""},
+		{"Statfs_t.Mntfromname", Field, 0, ""},
+		{"Statfs_t.Mntonname", Field, 0, ""},
+		{"Statfs_t.Mount_info", Field, 2, ""},
+		{"Statfs_t.Namelen", Field, 0, ""},
+		{"Statfs_t.Namemax", Field, 0, ""},
+		{"Statfs_t.Owner", Field, 0, ""},
+		{"Statfs_t.Pad_cgo_0", Field, 0, ""},
+		{"Statfs_t.Pad_cgo_1", Field, 2, ""},
+		{"Statfs_t.Reserved", Field, 0, ""},
+		{"Statfs_t.Spare", Field, 0, ""},
+		{"Statfs_t.Syncreads", Field, 0, ""},
+		{"Statfs_t.Syncwrites", Field, 0, ""},
+		{"Statfs_t.Type", Field, 0, ""},
+		{"Statfs_t.Version", Field, 0, ""},
+		{"Stderr", Var, 0, ""},
+		{"Stdin", Var, 0, ""},
+		{"Stdout", Var, 0, ""},
+		{"StringBytePtr", Func, 0, "func(s string) *byte"},
+		{"StringByteSlice", Func, 0, "func(s string) []byte"},
+		{"StringSlicePtr", Func, 0, "func(ss []string) []*byte"},
+		{"StringToSid", Func, 0, ""},
+		{"StringToUTF16", Func, 0, ""},
+		{"StringToUTF16Ptr", Func, 0, ""},
+		{"Symlink", Func, 0, "func(oldpath string, newpath string) (err error)"},
+		{"Sync", Func, 0, "func()"},
+		{"SyncFileRange", Func, 0, "func(fd int, off int64, n int64, flags int) (err error)"},
+		{"SysProcAttr", Type, 0, ""},
+		{"SysProcAttr.AdditionalInheritedHandles", Field, 17, ""},
+		{"SysProcAttr.AmbientCaps", Field, 9, ""},
+		{"SysProcAttr.CgroupFD", Field, 20, ""},
+		{"SysProcAttr.Chroot", Field, 0, ""},
+		{"SysProcAttr.Cloneflags", Field, 2, ""},
+		{"SysProcAttr.CmdLine", Field, 0, ""},
+		{"SysProcAttr.CreationFlags", Field, 1, ""},
+		{"SysProcAttr.Credential", Field, 0, ""},
+		{"SysProcAttr.Ctty", Field, 1, ""},
+		{"SysProcAttr.Foreground", Field, 5, ""},
+		{"SysProcAttr.GidMappings", Field, 4, ""},
+		{"SysProcAttr.GidMappingsEnableSetgroups", Field, 5, ""},
+		{"SysProcAttr.HideWindow", Field, 0, ""},
+		{"SysProcAttr.Jail", Field, 21, ""},
+		{"SysProcAttr.NoInheritHandles", Field, 16, ""},
+		{"SysProcAttr.Noctty", Field, 0, ""},
+		{"SysProcAttr.ParentProcess", Field, 17, ""},
+		{"SysProcAttr.Pdeathsig", Field, 0, ""},
+		{"SysProcAttr.Pgid", Field, 5, ""},
+		{"SysProcAttr.PidFD", Field, 22, ""},
+		{"SysProcAttr.ProcessAttributes", Field, 13, ""},
+		{"SysProcAttr.Ptrace", Field, 0, ""},
+		{"SysProcAttr.Setctty", Field, 0, ""},
+		{"SysProcAttr.Setpgid", Field, 0, ""},
+		{"SysProcAttr.Setsid", Field, 0, ""},
+		{"SysProcAttr.ThreadAttributes", Field, 13, ""},
+		{"SysProcAttr.Token", Field, 10, ""},
+		{"SysProcAttr.UidMappings", Field, 4, ""},
+		{"SysProcAttr.Unshareflags", Field, 7, ""},
+		{"SysProcAttr.UseCgroupFD", Field, 20, ""},
+		{"SysProcIDMap", Type, 4, ""},
+		{"SysProcIDMap.ContainerID", Field, 4, ""},
+		{"SysProcIDMap.HostID", Field, 4, ""},
+		{"SysProcIDMap.Size", Field, 4, ""},
+		{"Syscall", Func, 0, "func(trap uintptr, a1 uintptr, a2 uintptr, a3 uintptr) (r1 uintptr, r2 uintptr, err Errno)"},
+		{"Syscall12", Func, 0, ""},
+		{"Syscall15", Func, 0, ""},
+		{"Syscall18", Func, 12, ""},
+		{"Syscall6", Func, 0, "func(trap uintptr, a1 uintptr, a2 uintptr, a3 uintptr, a4 uintptr, a5 uintptr, a6 uintptr) (r1 uintptr, r2 uintptr, err Errno)"},
+		{"Syscall9", Func, 0, ""},
+		{"SyscallN", Func, 18, ""},
+		{"Sysctl", Func, 0, ""},
+		{"SysctlUint32", Func, 0, ""},
+		{"Sysctlnode", Type, 2, ""},
+		{"Sysctlnode.Flags", Field, 2, ""},
+		{"Sysctlnode.Name", Field, 2, ""},
+		{"Sysctlnode.Num", Field, 2, ""},
+		{"Sysctlnode.Un", Field, 2, ""},
+		{"Sysctlnode.Ver", Field, 2, ""},
+		{"Sysctlnode.X__rsvd", Field, 2, ""},
+		{"Sysctlnode.X_sysctl_desc", Field, 2, ""},
+		{"Sysctlnode.X_sysctl_func", Field, 2, ""},
+		{"Sysctlnode.X_sysctl_parent", Field, 2, ""},
+		{"Sysctlnode.X_sysctl_size", Field, 2, ""},
+		{"Sysinfo", Func, 0, "func(info *Sysinfo_t) (err error)"},
+		{"Sysinfo_t", Type, 0, ""},
+		{"Sysinfo_t.Bufferram", Field, 0, ""},
+		{"Sysinfo_t.Freehigh", Field, 0, ""},
+		{"Sysinfo_t.Freeram", Field, 0, ""},
+		{"Sysinfo_t.Freeswap", Field, 0, ""},
+		{"Sysinfo_t.Loads", Field, 0, ""},
+		{"Sysinfo_t.Pad", Field, 0, ""},
+		{"Sysinfo_t.Pad_cgo_0", Field, 0, ""},
+		{"Sysinfo_t.Pad_cgo_1", Field, 0, ""},
+		{"Sysinfo_t.Procs", Field, 0, ""},
+		{"Sysinfo_t.Sharedram", Field, 0, ""},
+		{"Sysinfo_t.Totalhigh", Field, 0, ""},
+		{"Sysinfo_t.Totalram", Field, 0, ""},
+		{"Sysinfo_t.Totalswap", Field, 0, ""},
+		{"Sysinfo_t.Unit", Field, 0, ""},
+		{"Sysinfo_t.Uptime", Field, 0, ""},
+		{"Sysinfo_t.X_f", Field, 0, ""},
+		{"Systemtime", Type, 0, ""},
+		{"Systemtime.Day", Field, 0, ""},
+		{"Systemtime.DayOfWeek", Field, 0, ""},
+		{"Systemtime.Hour", Field, 0, ""},
+		{"Systemtime.Milliseconds", Field, 0, ""},
+		{"Systemtime.Minute", Field, 0, ""},
+		{"Systemtime.Month", Field, 0, ""},
+		{"Systemtime.Second", Field, 0, ""},
+		{"Systemtime.Year", Field, 0, ""},
+		{"TCGETS", Const, 0, ""},
+		{"TCIFLUSH", Const, 1, ""},
+		{"TCIOFLUSH", Const, 1, ""},
+		{"TCOFLUSH", Const, 1, ""},
+		{"TCPInfo", Type, 1, ""},
+		{"TCPInfo.Advmss", Field, 1, ""},
+		{"TCPInfo.Ato", Field, 1, ""},
+		{"TCPInfo.Backoff", Field, 1, ""},
+		{"TCPInfo.Ca_state", Field, 1, ""},
+		{"TCPInfo.Fackets", Field, 1, ""},
+		{"TCPInfo.Last_ack_recv", Field, 1, ""},
+		{"TCPInfo.Last_ack_sent", Field, 1, ""},
+		{"TCPInfo.Last_data_recv", Field, 1, ""},
+		{"TCPInfo.Last_data_sent", Field, 1, ""},
+		{"TCPInfo.Lost", Field, 1, ""},
+		{"TCPInfo.Options", Field, 1, ""},
+		{"TCPInfo.Pad_cgo_0", Field, 1, ""},
+		{"TCPInfo.Pmtu", Field, 1, ""},
+		{"TCPInfo.Probes", Field, 1, ""},
+		{"TCPInfo.Rcv_mss", Field, 1, ""},
+		{"TCPInfo.Rcv_rtt", Field, 1, ""},
+		{"TCPInfo.Rcv_space", Field, 1, ""},
+		{"TCPInfo.Rcv_ssthresh", Field, 1, ""},
+		{"TCPInfo.Reordering", Field, 1, ""},
+		{"TCPInfo.Retrans", Field, 1, ""},
+		{"TCPInfo.Retransmits", Field, 1, ""},
+		{"TCPInfo.Rto", Field, 1, ""},
+		{"TCPInfo.Rtt", Field, 1, ""},
+		{"TCPInfo.Rttvar", Field, 1, ""},
+		{"TCPInfo.Sacked", Field, 1, ""},
+		{"TCPInfo.Snd_cwnd", Field, 1, ""},
+		{"TCPInfo.Snd_mss", Field, 1, ""},
+		{"TCPInfo.Snd_ssthresh", Field, 1, ""},
+		{"TCPInfo.State", Field, 1, ""},
+		{"TCPInfo.Total_retrans", Field, 1, ""},
+		{"TCPInfo.Unacked", Field, 1, ""},
+		{"TCPKeepalive", Type, 3, ""},
+		{"TCPKeepalive.Interval", Field, 3, ""},
+		{"TCPKeepalive.OnOff", Field, 3, ""},
+		{"TCPKeepalive.Time", Field, 3, ""},
+		{"TCP_CA_NAME_MAX", Const, 0, ""},
+		{"TCP_CONGCTL", Const, 1, ""},
+		{"TCP_CONGESTION", Const, 0, ""},
+		{"TCP_CONNECTIONTIMEOUT", Const, 0, ""},
+		{"TCP_CORK", Const, 0, ""},
+		{"TCP_DEFER_ACCEPT", Const, 0, ""},
+		{"TCP_ENABLE_ECN", Const, 16, ""},
+		{"TCP_INFO", Const, 0, ""},
+		{"TCP_KEEPALIVE", Const, 0, ""},
+		{"TCP_KEEPCNT", Const, 0, ""},
+		{"TCP_KEEPIDLE", Const, 0, ""},
+		{"TCP_KEEPINIT", Const, 1, ""},
+		{"TCP_KEEPINTVL", Const, 0, ""},
+		{"TCP_LINGER2", Const, 0, ""},
+		{"TCP_MAXBURST", Const, 0, ""},
+		{"TCP_MAXHLEN", Const, 0, ""},
+		{"TCP_MAXOLEN", Const, 0, ""},
+		{"TCP_MAXSEG", Const, 0, ""},
+		{"TCP_MAXWIN", Const, 0, ""},
+		{"TCP_MAX_SACK", Const, 0, ""},
+		{"TCP_MAX_WINSHIFT", Const, 0, ""},
+		{"TCP_MD5SIG", Const, 0, ""},
+		{"TCP_MD5SIG_MAXKEYLEN", Const, 0, ""},
+		{"TCP_MINMSS", Const, 0, ""},
+		{"TCP_MINMSSOVERLOAD", Const, 0, ""},
+		{"TCP_MSS", Const, 0, ""},
+		{"TCP_NODELAY", Const, 0, ""},
+		{"TCP_NOOPT", Const, 0, ""},
+		{"TCP_NOPUSH", Const, 0, ""},
+		{"TCP_NOTSENT_LOWAT", Const, 16, ""},
+		{"TCP_NSTATES", Const, 1, ""},
+		{"TCP_QUICKACK", Const, 0, ""},
+		{"TCP_RXT_CONNDROPTIME", Const, 0, ""},
+		{"TCP_RXT_FINDROP", Const, 0, ""},
+		{"TCP_SACK_ENABLE", Const, 1, ""},
+		{"TCP_SENDMOREACKS", Const, 16, ""},
+		{"TCP_SYNCNT", Const, 0, ""},
+		{"TCP_VENDOR", Const, 3, ""},
+		{"TCP_WINDOW_CLAMP", Const, 0, ""},
+		{"TCSAFLUSH", Const, 1, ""},
+		{"TCSETS", Const, 0, ""},
+		{"TF_DISCONNECT", Const, 0, ""},
+		{"TF_REUSE_SOCKET", Const, 0, ""},
+		{"TF_USE_DEFAULT_WORKER", Const, 0, ""},
+		{"TF_USE_KERNEL_APC", Const, 0, ""},
+		{"TF_USE_SYSTEM_THREAD", Const, 0, ""},
+		{"TF_WRITE_BEHIND", Const, 0, ""},
+		{"TH32CS_INHERIT", Const, 4, ""},
+		{"TH32CS_SNAPALL", Const, 4, ""},
+		{"TH32CS_SNAPHEAPLIST", Const, 4, ""},
+		{"TH32CS_SNAPMODULE", Const, 4, ""},
+		{"TH32CS_SNAPMODULE32", Const, 4, ""},
+		{"TH32CS_SNAPPROCESS", Const, 4, ""},
+		{"TH32CS_SNAPTHREAD", Const, 4, ""},
+		{"TIME_ZONE_ID_DAYLIGHT", Const, 0, ""},
+		{"TIME_ZONE_ID_STANDARD", Const, 0, ""},
+		{"TIME_ZONE_ID_UNKNOWN", Const, 0, ""},
+		{"TIOCCBRK", Const, 0, ""},
+		{"TIOCCDTR", Const, 0, ""},
+		{"TIOCCONS", Const, 0, ""},
+		{"TIOCDCDTIMESTAMP", Const, 0, ""},
+		{"TIOCDRAIN", Const, 0, ""},
+		{"TIOCDSIMICROCODE", Const, 0, ""},
+		{"TIOCEXCL", Const, 0, ""},
+		{"TIOCEXT", Const, 0, ""},
+		{"TIOCFLAG_CDTRCTS", Const, 1, ""},
+		{"TIOCFLAG_CLOCAL", Const, 1, ""},
+		{"TIOCFLAG_CRTSCTS", Const, 1, ""},
+		{"TIOCFLAG_MDMBUF", Const, 1, ""},
+		{"TIOCFLAG_PPS", Const, 1, ""},
+		{"TIOCFLAG_SOFTCAR", Const, 1, ""},
+		{"TIOCFLUSH", Const, 0, ""},
+		{"TIOCGDEV", Const, 0, ""},
+		{"TIOCGDRAINWAIT", Const, 0, ""},
+		{"TIOCGETA", Const, 0, ""},
+		{"TIOCGETD", Const, 0, ""},
+		{"TIOCGFLAGS", Const, 1, ""},
+		{"TIOCGICOUNT", Const, 0, ""},
+		{"TIOCGLCKTRMIOS", Const, 0, ""},
+		{"TIOCGLINED", Const, 1, ""},
+		{"TIOCGPGRP", Const, 0, ""},
+		{"TIOCGPTN", Const, 0, ""},
+		{"TIOCGQSIZE", Const, 1, ""},
+		{"TIOCGRANTPT", Const, 1, ""},
+		{"TIOCGRS485", Const, 0, ""},
+		{"TIOCGSERIAL", Const, 0, ""},
+		{"TIOCGSID", Const, 0, ""},
+		{"TIOCGSIZE", Const, 1, ""},
+		{"TIOCGSOFTCAR", Const, 0, ""},
+		{"TIOCGTSTAMP", Const, 1, ""},
+		{"TIOCGWINSZ", Const, 0, ""},
+		{"TIOCINQ", Const, 0, ""},
+		{"TIOCIXOFF", Const, 0, ""},
+		{"TIOCIXON", Const, 0, ""},
+		{"TIOCLINUX", Const, 0, ""},
+		{"TIOCMBIC", Const, 0, ""},
+		{"TIOCMBIS", Const, 0, ""},
+		{"TIOCMGDTRWAIT", Const, 0, ""},
+		{"TIOCMGET", Const, 0, ""},
+		{"TIOCMIWAIT", Const, 0, ""},
+		{"TIOCMODG", Const, 0, ""},
+		{"TIOCMODS", Const, 0, ""},
+		{"TIOCMSDTRWAIT", Const, 0, ""},
+		{"TIOCMSET", Const, 0, ""},
+		{"TIOCM_CAR", Const, 0, ""},
+		{"TIOCM_CD", Const, 0, ""},
+		{"TIOCM_CTS", Const, 0, ""},
+		{"TIOCM_DCD", Const, 0, ""},
+		{"TIOCM_DSR", Const, 0, ""},
+		{"TIOCM_DTR", Const, 0, ""},
+		{"TIOCM_LE", Const, 0, ""},
+		{"TIOCM_RI", Const, 0, ""},
+		{"TIOCM_RNG", Const, 0, ""},
+		{"TIOCM_RTS", Const, 0, ""},
+		{"TIOCM_SR", Const, 0, ""},
+		{"TIOCM_ST", Const, 0, ""},
+		{"TIOCNOTTY", Const, 0, ""},
+		{"TIOCNXCL", Const, 0, ""},
+		{"TIOCOUTQ", Const, 0, ""},
+		{"TIOCPKT", Const, 0, ""},
+		{"TIOCPKT_DATA", Const, 0, ""},
+		{"TIOCPKT_DOSTOP", Const, 0, ""},
+		{"TIOCPKT_FLUSHREAD", Const, 0, ""},
+		{"TIOCPKT_FLUSHWRITE", Const, 0, ""},
+		{"TIOCPKT_IOCTL", Const, 0, ""},
+		{"TIOCPKT_NOSTOP", Const, 0, ""},
+		{"TIOCPKT_START", Const, 0, ""},
+		{"TIOCPKT_STOP", Const, 0, ""},
+		{"TIOCPTMASTER", Const, 0, ""},
+		{"TIOCPTMGET", Const, 1, ""},
+		{"TIOCPTSNAME", Const, 1, ""},
+		{"TIOCPTYGNAME", Const, 0, ""},
+		{"TIOCPTYGRANT", Const, 0, ""},
+		{"TIOCPTYUNLK", Const, 0, ""},
+		{"TIOCRCVFRAME", Const, 1, ""},
+		{"TIOCREMOTE", Const, 0, ""},
+		{"TIOCSBRK", Const, 0, ""},
+		{"TIOCSCONS", Const, 0, ""},
+		{"TIOCSCTTY", Const, 0, ""},
+		{"TIOCSDRAINWAIT", Const, 0, ""},
+		{"TIOCSDTR", Const, 0, ""},
+		{"TIOCSERCONFIG", Const, 0, ""},
+		{"TIOCSERGETLSR", Const, 0, ""},
+		{"TIOCSERGETMULTI", Const, 0, ""},
+		{"TIOCSERGSTRUCT", Const, 0, ""},
+		{"TIOCSERGWILD", Const, 0, ""},
+		{"TIOCSERSETMULTI", Const, 0, ""},
+		{"TIOCSERSWILD", Const, 0, ""},
+		{"TIOCSER_TEMT", Const, 0, ""},
+		{"TIOCSETA", Const, 0, ""},
+		{"TIOCSETAF", Const, 0, ""},
+		{"TIOCSETAW", Const, 0, ""},
+		{"TIOCSETD", Const, 0, ""},
+		{"TIOCSFLAGS", Const, 1, ""},
+		{"TIOCSIG", Const, 0, ""},
+		{"TIOCSLCKTRMIOS", Const, 0, ""},
+		{"TIOCSLINED", Const, 1, ""},
+		{"TIOCSPGRP", Const, 0, ""},
+		{"TIOCSPTLCK", Const, 0, ""},
+		{"TIOCSQSIZE", Const, 1, ""},
+		{"TIOCSRS485", Const, 0, ""},
+		{"TIOCSSERIAL", Const, 0, ""},
+		{"TIOCSSIZE", Const, 1, ""},
+		{"TIOCSSOFTCAR", Const, 0, ""},
+		{"TIOCSTART", Const, 0, ""},
+		{"TIOCSTAT", Const, 0, ""},
+		{"TIOCSTI", Const, 0, ""},
+		{"TIOCSTOP", Const, 0, ""},
+		{"TIOCSTSTAMP", Const, 1, ""},
+		{"TIOCSWINSZ", Const, 0, ""},
+		{"TIOCTIMESTAMP", Const, 0, ""},
+		{"TIOCUCNTL", Const, 0, ""},
+		{"TIOCVHANGUP", Const, 0, ""},
+		{"TIOCXMTFRAME", Const, 1, ""},
+		{"TOKEN_ADJUST_DEFAULT", Const, 0, ""},
+		{"TOKEN_ADJUST_GROUPS", Const, 0, ""},
+		{"TOKEN_ADJUST_PRIVILEGES", Const, 0, ""},
+		{"TOKEN_ADJUST_SESSIONID", Const, 11, ""},
+		{"TOKEN_ALL_ACCESS", Const, 0, ""},
+		{"TOKEN_ASSIGN_PRIMARY", Const, 0, ""},
+		{"TOKEN_DUPLICATE", Const, 0, ""},
+		{"TOKEN_EXECUTE", Const, 0, ""},
+		{"TOKEN_IMPERSONATE", Const, 0, ""},
+		{"TOKEN_QUERY", Const, 0, ""},
+		{"TOKEN_QUERY_SOURCE", Const, 0, ""},
+		{"TOKEN_READ", Const, 0, ""},
+		{"TOKEN_WRITE", Const, 0, ""},
+		{"TOSTOP", Const, 0, ""},
+		{"TRUNCATE_EXISTING", Const, 0, ""},
+		{"TUNATTACHFILTER", Const, 0, ""},
+		{"TUNDETACHFILTER", Const, 0, ""},
+		{"TUNGETFEATURES", Const, 0, ""},
+		{"TUNGETIFF", Const, 0, ""},
+		{"TUNGETSNDBUF", Const, 0, ""},
+		{"TUNGETVNETHDRSZ", Const, 0, ""},
+		{"TUNSETDEBUG", Const, 0, ""},
+		{"TUNSETGROUP", Const, 0, ""},
+		{"TUNSETIFF", Const, 0, ""},
+		{"TUNSETLINK", Const, 0, ""},
+		{"TUNSETNOCSUM", Const, 0, ""},
+		{"TUNSETOFFLOAD", Const, 0, ""},
+		{"TUNSETOWNER", Const, 0, ""},
+		{"TUNSETPERSIST", Const, 0, ""},
+		{"TUNSETSNDBUF", Const, 0, ""},
+		{"TUNSETTXFILTER", Const, 0, ""},
+		{"TUNSETVNETHDRSZ", Const, 0, ""},
+		{"Tee", Func, 0, "func(rfd int, wfd int, len int, flags int) (n int64, err error)"},
+		{"TerminateProcess", Func, 0, ""},
+		{"Termios", Type, 0, ""},
+		{"Termios.Cc", Field, 0, ""},
+		{"Termios.Cflag", Field, 0, ""},
+		{"Termios.Iflag", Field, 0, ""},
+		{"Termios.Ispeed", Field, 0, ""},
+		{"Termios.Lflag", Field, 0, ""},
+		{"Termios.Line", Field, 0, ""},
+		{"Termios.Oflag", Field, 0, ""},
+		{"Termios.Ospeed", Field, 0, ""},
+		{"Termios.Pad_cgo_0", Field, 0, ""},
+		{"Tgkill", Func, 0, "func(tgid int, tid int, sig Signal) (err error)"},
+		{"Time", Func, 0, "func(t *Time_t) (tt Time_t, err error)"},
+		{"Time_t", Type, 0, ""},
+		{"Times", Func, 0, "func(tms *Tms) (ticks uintptr, err error)"},
+		{"Timespec", Type, 0, ""},
+		{"Timespec.Nsec", Field, 0, ""},
+		{"Timespec.Pad_cgo_0", Field, 2, ""},
+		{"Timespec.Sec", Field, 0, ""},
+		{"TimespecToNsec", Func, 0, "func(ts Timespec) int64"},
+		{"Timeval", Type, 0, ""},
+		{"Timeval.Pad_cgo_0", Field, 0, ""},
+		{"Timeval.Sec", Field, 0, ""},
+		{"Timeval.Usec", Field, 0, ""},
+		{"Timeval32", Type, 0, ""},
+		{"Timeval32.Sec", Field, 0, ""},
+		{"Timeval32.Usec", Field, 0, ""},
+		{"TimevalToNsec", Func, 0, "func(tv Timeval) int64"},
+		{"Timex", Type, 0, ""},
+		{"Timex.Calcnt", Field, 0, ""},
+		{"Timex.Constant", Field, 0, ""},
+		{"Timex.Errcnt", Field, 0, ""},
+		{"Timex.Esterror", Field, 0, ""},
+		{"Timex.Freq", Field, 0, ""},
+		{"Timex.Jitcnt", Field, 0, ""},
+		{"Timex.Jitter", Field, 0, ""},
+		{"Timex.Maxerror", Field, 0, ""},
+		{"Timex.Modes", Field, 0, ""},
+		{"Timex.Offset", Field, 0, ""},
+		{"Timex.Pad_cgo_0", Field, 0, ""},
+		{"Timex.Pad_cgo_1", Field, 0, ""},
+		{"Timex.Pad_cgo_2", Field, 0, ""},
+		{"Timex.Pad_cgo_3", Field, 0, ""},
+		{"Timex.Ppsfreq", Field, 0, ""},
+		{"Timex.Precision", Field, 0, ""},
+		{"Timex.Shift", Field, 0, ""},
+		{"Timex.Stabil", Field, 0, ""},
+		{"Timex.Status", Field, 0, ""},
+		{"Timex.Stbcnt", Field, 0, ""},
+		{"Timex.Tai", Field, 0, ""},
+		{"Timex.Tick", Field, 0, ""},
+		{"Timex.Time", Field, 0, ""},
+		{"Timex.Tolerance", Field, 0, ""},
+		{"Timezoneinformation", Type, 0, ""},
+		{"Timezoneinformation.Bias", Field, 0, ""},
+		{"Timezoneinformation.DaylightBias", Field, 0, ""},
+		{"Timezoneinformation.DaylightDate", Field, 0, ""},
+		{"Timezoneinformation.DaylightName", Field, 0, ""},
+		{"Timezoneinformation.StandardBias", Field, 0, ""},
+		{"Timezoneinformation.StandardDate", Field, 0, ""},
+		{"Timezoneinformation.StandardName", Field, 0, ""},
+		{"Tms", Type, 0, ""},
+		{"Tms.Cstime", Field, 0, ""},
+		{"Tms.Cutime", Field, 0, ""},
+		{"Tms.Stime", Field, 0, ""},
+		{"Tms.Utime", Field, 0, ""},
+		{"Token", Type, 0, ""},
+		{"TokenAccessInformation", Const, 0, ""},
+		{"TokenAuditPolicy", Const, 0, ""},
+		{"TokenDefaultDacl", Const, 0, ""},
+		{"TokenElevation", Const, 0, ""},
+		{"TokenElevationType", Const, 0, ""},
+		{"TokenGroups", Const, 0, ""},
+		{"TokenGroupsAndPrivileges", Const, 0, ""},
+		{"TokenHasRestrictions", Const, 0, ""},
+		{"TokenImpersonationLevel", Const, 0, ""},
+		{"TokenIntegrityLevel", Const, 0, ""},
+		{"TokenLinkedToken", Const, 0, ""},
+		{"TokenLogonSid", Const, 0, ""},
+		{"TokenMandatoryPolicy", Const, 0, ""},
+		{"TokenOrigin", Const, 0, ""},
+		{"TokenOwner", Const, 0, ""},
+		{"TokenPrimaryGroup", Const, 0, ""},
+		{"TokenPrivileges", Const, 0, ""},
+		{"TokenRestrictedSids", Const, 0, ""},
+		{"TokenSandBoxInert", Const, 0, ""},
+		{"TokenSessionId", Const, 0, ""},
+		{"TokenSessionReference", Const, 0, ""},
+		{"TokenSource", Const, 0, ""},
+		{"TokenStatistics", Const, 0, ""},
+		{"TokenType", Const, 0, ""},
+		{"TokenUIAccess", Const, 0, ""},
+		{"TokenUser", Const, 0, ""},
+		{"TokenVirtualizationAllowed", Const, 0, ""},
+		{"TokenVirtualizationEnabled", Const, 0, ""},
+		{"Tokenprimarygroup", Type, 0, ""},
+		{"Tokenprimarygroup.PrimaryGroup", Field, 0, ""},
+		{"Tokenuser", Type, 0, ""},
+		{"Tokenuser.User", Field, 0, ""},
+		{"TranslateAccountName", Func, 0, ""},
+		{"TranslateName", Func, 0, ""},
+		{"TransmitFile", Func, 0, ""},
+		{"TransmitFileBuffers", Type, 0, ""},
+		{"TransmitFileBuffers.Head", Field, 0, ""},
+		{"TransmitFileBuffers.HeadLength", Field, 0, ""},
+		{"TransmitFileBuffers.Tail", Field, 0, ""},
+		{"TransmitFileBuffers.TailLength", Field, 0, ""},
+		{"Truncate", Func, 0, "func(path string, length int64) (err error)"},
+		{"UNIX_PATH_MAX", Const, 12, ""},
+		{"USAGE_MATCH_TYPE_AND", Const, 0, ""},
+		{"USAGE_MATCH_TYPE_OR", Const, 0, ""},
+		{"UTF16FromString", Func, 1, ""},
+		{"UTF16PtrFromString", Func, 1, ""},
+		{"UTF16ToString", Func, 0, ""},
+		{"Ucred", Type, 0, ""},
+		{"Ucred.Gid", Field, 0, ""},
+		{"Ucred.Pid", Field, 0, ""},
+		{"Ucred.Uid", Field, 0, ""},
+		{"Umask", Func, 0, "func(mask int) (oldmask int)"},
+		{"Uname", Func, 0, "func(buf *Utsname) (err error)"},
+		{"Undelete", Func, 0, ""},
+		{"UnixCredentials", Func, 0, "func(ucred *Ucred) []byte"},
+		{"UnixRights", Func, 0, "func(fds ...int) []byte"},
+		{"Unlink", Func, 0, "func(path string) error"},
+		{"Unlinkat", Func, 0, "func(dirfd int, path string) error"},
+		{"UnmapViewOfFile", Func, 0, ""},
+		{"Unmount", Func, 0, "func(target string, flags int) (err error)"},
+		{"Unsetenv", Func, 4, "func(key string) error"},
+		{"Unshare", Func, 0, "func(flags int) (err error)"},
+		{"UserInfo10", Type, 0, ""},
+		{"UserInfo10.Comment", Field, 0, ""},
+		{"UserInfo10.FullName", Field, 0, ""},
+		{"UserInfo10.Name", Field, 0, ""},
+		{"UserInfo10.UsrComment", Field, 0, ""},
+		{"Ustat", Func, 0, "func(dev int, ubuf *Ustat_t) (err error)"},
+		{"Ustat_t", Type, 0, ""},
+		{"Ustat_t.Fname", Field, 0, ""},
+		{"Ustat_t.Fpack", Field, 0, ""},
+		{"Ustat_t.Pad_cgo_0", Field, 0, ""},
+		{"Ustat_t.Pad_cgo_1", Field, 0, ""},
+		{"Ustat_t.Tfree", Field, 0, ""},
+		{"Ustat_t.Tinode", Field, 0, ""},
+		{"Utimbuf", Type, 0, ""},
+		{"Utimbuf.Actime", Field, 0, ""},
+		{"Utimbuf.Modtime", Field, 0, ""},
+		{"Utime", Func, 0, "func(path string, buf *Utimbuf) (err error)"},
+		{"Utimes", Func, 0, "func(path string, tv []Timeval) (err error)"},
+		{"UtimesNano", Func, 1, "func(path string, ts []Timespec) (err error)"},
+		{"Utsname", Type, 0, ""},
+		{"Utsname.Domainname", Field, 0, ""},
+		{"Utsname.Machine", Field, 0, ""},
+		{"Utsname.Nodename", Field, 0, ""},
+		{"Utsname.Release", Field, 0, ""},
+		{"Utsname.Sysname", Field, 0, ""},
+		{"Utsname.Version", Field, 0, ""},
+		{"VDISCARD", Const, 0, ""},
+		{"VDSUSP", Const, 1, ""},
+		{"VEOF", Const, 0, ""},
+		{"VEOL", Const, 0, ""},
+		{"VEOL2", Const, 0, ""},
+		{"VERASE", Const, 0, ""},
+		{"VERASE2", Const, 1, ""},
+		{"VINTR", Const, 0, ""},
+		{"VKILL", Const, 0, ""},
+		{"VLNEXT", Const, 0, ""},
+		{"VMIN", Const, 0, ""},
+		{"VQUIT", Const, 0, ""},
+		{"VREPRINT", Const, 0, ""},
+		{"VSTART", Const, 0, ""},
+		{"VSTATUS", Const, 1, ""},
+		{"VSTOP", Const, 0, ""},
+		{"VSUSP", Const, 0, ""},
+		{"VSWTC", Const, 0, ""},
+		{"VT0", Const, 1, ""},
+		{"VT1", Const, 1, ""},
+		{"VTDLY", Const, 1, ""},
+		{"VTIME", Const, 0, ""},
+		{"VWERASE", Const, 0, ""},
+		{"VirtualLock", Func, 0, ""},
+		{"VirtualUnlock", Func, 0, ""},
+		{"WAIT_ABANDONED", Const, 0, ""},
+		{"WAIT_FAILED", Const, 0, ""},
+		{"WAIT_OBJECT_0", Const, 0, ""},
+		{"WAIT_TIMEOUT", Const, 0, ""},
+		{"WALL", Const, 0, ""},
+		{"WALLSIG", Const, 1, ""},
+		{"WALTSIG", Const, 1, ""},
+		{"WCLONE", Const, 0, ""},
+		{"WCONTINUED", Const, 0, ""},
+		{"WCOREFLAG", Const, 0, ""},
+		{"WEXITED", Const, 0, ""},
+		{"WLINUXCLONE", Const, 0, ""},
+		{"WNOHANG", Const, 0, ""},
+		{"WNOTHREAD", Const, 0, ""},
+		{"WNOWAIT", Const, 0, ""},
+		{"WNOZOMBIE", Const, 1, ""},
+		{"WOPTSCHECKED", Const, 1, ""},
+		{"WORDSIZE", Const, 0, ""},
+		{"WSABuf", Type, 0, ""},
+		{"WSABuf.Buf", Field, 0, ""},
+		{"WSABuf.Len", Field, 0, ""},
+		{"WSACleanup", Func, 0, ""},
+		{"WSADESCRIPTION_LEN", Const, 0, ""},
+		{"WSAData", Type, 0, ""},
+		{"WSAData.Description", Field, 0, ""},
+		{"WSAData.HighVersion", Field, 0, ""},
+		{"WSAData.MaxSockets", Field, 0, ""},
+		{"WSAData.MaxUdpDg", Field, 0, ""},
+		{"WSAData.SystemStatus", Field, 0, ""},
+		{"WSAData.VendorInfo", Field, 0, ""},
+		{"WSAData.Version", Field, 0, ""},
+		{"WSAEACCES", Const, 2, ""},
+		{"WSAECONNABORTED", Const, 9, ""},
+		{"WSAECONNRESET", Const, 3, ""},
+		{"WSAENOPROTOOPT", Const, 23, ""},
+		{"WSAEnumProtocols", Func, 2, ""},
+		{"WSAID_CONNECTEX", Var, 1, ""},
+		{"WSAIoctl", Func, 0, ""},
+		{"WSAPROTOCOL_LEN", Const, 2, ""},
+		{"WSAProtocolChain", Type, 2, ""},
+		{"WSAProtocolChain.ChainEntries", Field, 2, ""},
+		{"WSAProtocolChain.ChainLen", Field, 2, ""},
+		{"WSAProtocolInfo", Type, 2, ""},
+		{"WSAProtocolInfo.AddressFamily", Field, 2, ""},
+		{"WSAProtocolInfo.CatalogEntryId", Field, 2, ""},
+		{"WSAProtocolInfo.MaxSockAddr", Field, 2, ""},
+		{"WSAProtocolInfo.MessageSize", Field, 2, ""},
+		{"WSAProtocolInfo.MinSockAddr", Field, 2, ""},
+		{"WSAProtocolInfo.NetworkByteOrder", Field, 2, ""},
+		{"WSAProtocolInfo.Protocol", Field, 2, ""},
+		{"WSAProtocolInfo.ProtocolChain", Field, 2, ""},
+		{"WSAProtocolInfo.ProtocolMaxOffset", Field, 2, ""},
+		{"WSAProtocolInfo.ProtocolName", Field, 2, ""},
+		{"WSAProtocolInfo.ProviderFlags", Field, 2, ""},
+		{"WSAProtocolInfo.ProviderId", Field, 2, ""},
+		{"WSAProtocolInfo.ProviderReserved", Field, 2, ""},
+		{"WSAProtocolInfo.SecurityScheme", Field, 2, ""},
+		{"WSAProtocolInfo.ServiceFlags1", Field, 2, ""},
+		{"WSAProtocolInfo.ServiceFlags2", Field, 2, ""},
+		{"WSAProtocolInfo.ServiceFlags3", Field, 2, ""},
+		{"WSAProtocolInfo.ServiceFlags4", Field, 2, ""},
+		{"WSAProtocolInfo.SocketType", Field, 2, ""},
+		{"WSAProtocolInfo.Version", Field, 2, ""},
+		{"WSARecv", Func, 0, ""},
+		{"WSARecvFrom", Func, 0, ""},
+		{"WSASYS_STATUS_LEN", Const, 0, ""},
+		{"WSASend", Func, 0, ""},
+		{"WSASendTo", Func, 0, ""},
+		{"WSASendto", Func, 0, ""},
+		{"WSAStartup", Func, 0, ""},
+		{"WSTOPPED", Const, 0, ""},
+		{"WTRAPPED", Const, 1, ""},
+		{"WUNTRACED", Const, 0, ""},
+		{"Wait4", Func, 0, "func(pid int, wstatus *WaitStatus, options int, rusage *Rusage) (wpid int, err error)"},
+		{"WaitForSingleObject", Func, 0, ""},
+		{"WaitStatus", Type, 0, ""},
+		{"WaitStatus.ExitCode", Field, 0, ""},
+		{"Win32FileAttributeData", Type, 0, ""},
+		{"Win32FileAttributeData.CreationTime", Field, 0, ""},
+		{"Win32FileAttributeData.FileAttributes", Field, 0, ""},
+		{"Win32FileAttributeData.FileSizeHigh", Field, 0, ""},
+		{"Win32FileAttributeData.FileSizeLow", Field, 0, ""},
+		{"Win32FileAttributeData.LastAccessTime", Field, 0, ""},
+		{"Win32FileAttributeData.LastWriteTime", Field, 0, ""},
+		{"Win32finddata", Type, 0, ""},
+		{"Win32finddata.AlternateFileName", Field, 0, ""},
+		{"Win32finddata.CreationTime", Field, 0, ""},
+		{"Win32finddata.FileAttributes", Field, 0, ""},
+		{"Win32finddata.FileName", Field, 0, ""},
+		{"Win32finddata.FileSizeHigh", Field, 0, ""},
+		{"Win32finddata.FileSizeLow", Field, 0, ""},
+		{"Win32finddata.LastAccessTime", Field, 0, ""},
+		{"Win32finddata.LastWriteTime", Field, 0, ""},
+		{"Win32finddata.Reserved0", Field, 0, ""},
+		{"Win32finddata.Reserved1", Field, 0, ""},
+		{"Write", Func, 0, "func(fd int, p []byte) (n int, err error)"},
+		{"WriteConsole", Func, 1, ""},
+		{"WriteFile", Func, 0, ""},
+		{"X509_ASN_ENCODING", Const, 0, ""},
+		{"XCASE", Const, 0, ""},
+		{"XP1_CONNECTIONLESS", Const, 2, ""},
+		{"XP1_CONNECT_DATA", Const, 2, ""},
+		{"XP1_DISCONNECT_DATA", Const, 2, ""},
+		{"XP1_EXPEDITED_DATA", Const, 2, ""},
+		{"XP1_GRACEFUL_CLOSE", Const, 2, ""},
+		{"XP1_GUARANTEED_DELIVERY", Const, 2, ""},
+		{"XP1_GUARANTEED_ORDER", Const, 2, ""},
+		{"XP1_IFS_HANDLES", Const, 2, ""},
+		{"XP1_MESSAGE_ORIENTED", Const, 2, ""},
+		{"XP1_MULTIPOINT_CONTROL_PLANE", Const, 2, ""},
+		{"XP1_MULTIPOINT_DATA_PLANE", Const, 2, ""},
+		{"XP1_PARTIAL_MESSAGE", Const, 2, ""},
+		{"XP1_PSEUDO_STREAM", Const, 2, ""},
+		{"XP1_QOS_SUPPORTED", Const, 2, ""},
+		{"XP1_SAN_SUPPORT_SDP", Const, 2, ""},
+		{"XP1_SUPPORT_BROADCAST", Const, 2, ""},
+		{"XP1_SUPPORT_MULTIPOINT", Const, 2, ""},
+		{"XP1_UNI_RECV", Const, 2, ""},
+		{"XP1_UNI_SEND", Const, 2, ""},
+	},
+	"syscall/js": {
+		{"CopyBytesToGo", Func, 0, ""},
+		{"CopyBytesToJS", Func, 0, ""},
+		{"Error", Type, 0, ""},
+		{"Func", Type, 0, ""},
+		{"FuncOf", Func, 0, ""},
+		{"Global", Func, 0, ""},
+		{"Null", Func, 0, ""},
+		{"Type", Type, 0, ""},
+		{"TypeBoolean", Const, 0, ""},
+		{"TypeFunction", Const, 0, ""},
+		{"TypeNull", Const, 0, ""},
+		{"TypeNumber", Const, 0, ""},
+		{"TypeObject", Const, 0, ""},
+		{"TypeString", Const, 0, ""},
+		{"TypeSymbol", Const, 0, ""},
+		{"TypeUndefined", Const, 0, ""},
+		{"Undefined", Func, 0, ""},
+		{"Value", Type, 0, ""},
+		{"ValueError", Type, 0, ""},
+		{"ValueOf", Func, 0, ""},
+	},
+	"testing": {
+		{"(*B).ArtifactDir", Method, 26, ""},
+		{"(*B).Attr", Method, 25, ""},
+		{"(*B).Chdir", Method, 24, ""},
+		{"(*B).Cleanup", Method, 14, ""},
+		{"(*B).Context", Method, 24, ""},
+		{"(*B).Elapsed", Method, 20, ""},
+		{"(*B).Error", Method, 0, ""},
+		{"(*B).Errorf", Method, 0, ""},
+		{"(*B).Fail", Method, 0, ""},
+		{"(*B).FailNow", Method, 0, ""},
+		{"(*B).Failed", Method, 0, ""},
+		{"(*B).Fatal", Method, 0, ""},
+		{"(*B).Fatalf", Method, 0, ""},
+		{"(*B).Helper", Method, 9, ""},
+		{"(*B).Log", Method, 0, ""},
+		{"(*B).Logf", Method, 0, ""},
+		{"(*B).Loop", Method, 24, ""},
+		{"(*B).Name", Method, 8, ""},
+		{"(*B).Output", Method, 25, ""},
+		{"(*B).ReportAllocs", Method, 1, ""},
+		{"(*B).ReportMetric", Method, 13, ""},
+		{"(*B).ResetTimer", Method, 0, ""},
+		{"(*B).Run", Method, 7, ""},
+		{"(*B).RunParallel", Method, 3, ""},
+		{"(*B).SetBytes", Method, 0, ""},
+		{"(*B).SetParallelism", Method, 3, ""},
+		{"(*B).Setenv", Method, 17, ""},
+		{"(*B).Skip", Method, 1, ""},
+		{"(*B).SkipNow", Method, 1, ""},
+		{"(*B).Skipf", Method, 1, ""},
+		{"(*B).Skipped", Method, 1, ""},
+		{"(*B).StartTimer", Method, 0, ""},
+		{"(*B).StopTimer", Method, 0, ""},
+		{"(*B).TempDir", Method, 15, ""},
+		{"(*F).Add", Method, 18, ""},
+		{"(*F).ArtifactDir", Method, 26, ""},
+		{"(*F).Attr", Method, 25, ""},
+		{"(*F).Chdir", Method, 24, ""},
+		{"(*F).Cleanup", Method, 18, ""},
+		{"(*F).Context", Method, 24, ""},
+		{"(*F).Error", Method, 18, ""},
+		{"(*F).Errorf", Method, 18, ""},
+		{"(*F).Fail", Method, 18, ""},
+		{"(*F).FailNow", Method, 18, ""},
+		{"(*F).Failed", Method, 18, ""},
+		{"(*F).Fatal", Method, 18, ""},
+		{"(*F).Fatalf", Method, 18, ""},
+		{"(*F).Fuzz", Method, 18, ""},
+		{"(*F).Helper", Method, 18, ""},
+		{"(*F).Log", Method, 18, ""},
+		{"(*F).Logf", Method, 18, ""},
+		{"(*F).Name", Method, 18, ""},
+		{"(*F).Output", Method, 25, ""},
+		{"(*F).Setenv", Method, 18, ""},
+		{"(*F).Skip", Method, 18, ""},
+		{"(*F).SkipNow", Method, 18, ""},
+		{"(*F).Skipf", Method, 18, ""},
+		{"(*F).Skipped", Method, 18, ""},
+		{"(*F).TempDir", Method, 18, ""},
+		{"(*M).Run", Method, 4, ""},
+		{"(*PB).Next", Method, 3, ""},
+		{"(*T).ArtifactDir", Method, 26, ""},
+		{"(*T).Attr", Method, 25, ""},
+		{"(*T).Chdir", Method, 24, ""},
+		{"(*T).Cleanup", Method, 14, ""},
+		{"(*T).Context", Method, 24, ""},
+		{"(*T).Deadline", Method, 15, ""},
+		{"(*T).Error", Method, 0, ""},
+		{"(*T).Errorf", Method, 0, ""},
+		{"(*T).Fail", Method, 0, ""},
+		{"(*T).FailNow", Method, 0, ""},
+		{"(*T).Failed", Method, 0, ""},
+		{"(*T).Fatal", Method, 0, ""},
+		{"(*T).Fatalf", Method, 0, ""},
+		{"(*T).Helper", Method, 9, ""},
+		{"(*T).Log", Method, 0, ""},
+		{"(*T).Logf", Method, 0, ""},
+		{"(*T).Name", Method, 8, ""},
+		{"(*T).Output", Method, 25, ""},
+		{"(*T).Parallel", Method, 0, ""},
+		{"(*T).Run", Method, 7, ""},
+		{"(*T).Setenv", Method, 17, ""},
+		{"(*T).Skip", Method, 1, ""},
+		{"(*T).SkipNow", Method, 1, ""},
+		{"(*T).Skipf", Method, 1, ""},
+		{"(*T).Skipped", Method, 1, ""},
+		{"(*T).TempDir", Method, 15, ""},
+		{"(BenchmarkResult).AllocedBytesPerOp", Method, 1, ""},
+		{"(BenchmarkResult).AllocsPerOp", Method, 1, ""},
+		{"(BenchmarkResult).MemString", Method, 1, ""},
+		{"(BenchmarkResult).NsPerOp", Method, 0, ""},
+		{"(BenchmarkResult).String", Method, 0, ""},
+		{"(TB).ArtifactDir", Method, 26, ""},
+		{"(TB).Attr", Method, 25, ""},
+		{"(TB).Chdir", Method, 24, ""},
+		{"(TB).Cleanup", Method, 14, ""},
+		{"(TB).Context", Method, 24, ""},
+		{"(TB).Error", Method, 2, ""},
+		{"(TB).Errorf", Method, 2, ""},
+		{"(TB).Fail", Method, 2, ""},
+		{"(TB).FailNow", Method, 2, ""},
+		{"(TB).Failed", Method, 2, ""},
+		{"(TB).Fatal", Method, 2, ""},
+		{"(TB).Fatalf", Method, 2, ""},
+		{"(TB).Helper", Method, 9, ""},
+		{"(TB).Log", Method, 2, ""},
+		{"(TB).Logf", Method, 2, ""},
+		{"(TB).Name", Method, 8, ""},
+		{"(TB).Output", Method, 25, ""},
+		{"(TB).Setenv", Method, 17, ""},
+		{"(TB).Skip", Method, 2, ""},
+		{"(TB).SkipNow", Method, 2, ""},
+		{"(TB).Skipf", Method, 2, ""},
+		{"(TB).Skipped", Method, 2, ""},
+		{"(TB).TempDir", Method, 15, ""},
+		{"AllocsPerRun", Func, 1, "func(runs int, f func()) (avg float64)"},
+		{"B", Type, 0, ""},
+		{"B.N", Field, 0, ""},
+		{"Benchmark", Func, 0, "func(f func(b *B)) BenchmarkResult"},
+		{"BenchmarkResult", Type, 0, ""},
+		{"BenchmarkResult.Bytes", Field, 0, ""},
+		{"BenchmarkResult.Extra", Field, 13, ""},
+		{"BenchmarkResult.MemAllocs", Field, 1, ""},
+		{"BenchmarkResult.MemBytes", Field, 1, ""},
+		{"BenchmarkResult.N", Field, 0, ""},
+		{"BenchmarkResult.T", Field, 0, ""},
+		{"Cover", Type, 2, ""},
+		{"Cover.Blocks", Field, 2, ""},
+		{"Cover.Counters", Field, 2, ""},
+		{"Cover.CoveredPackages", Field, 2, ""},
+		{"Cover.Mode", Field, 2, ""},
+		{"CoverBlock", Type, 2, ""},
+		{"CoverBlock.Col0", Field, 2, ""},
+		{"CoverBlock.Col1", Field, 2, ""},
+		{"CoverBlock.Line0", Field, 2, ""},
+		{"CoverBlock.Line1", Field, 2, ""},
+		{"CoverBlock.Stmts", Field, 2, ""},
+		{"CoverMode", Func, 8, "func() string"},
+		{"Coverage", Func, 4, "func() float64"},
+		{"F", Type, 18, ""},
+		{"Init", Func, 13, "func()"},
+		{"InternalBenchmark", Type, 0, ""},
+		{"InternalBenchmark.F", Field, 0, ""},
+		{"InternalBenchmark.Name", Field, 0, ""},
+		{"InternalExample", Type, 0, ""},
+		{"InternalExample.F", Field, 0, ""},
+		{"InternalExample.Name", Field, 0, ""},
+		{"InternalExample.Output", Field, 0, ""},
+		{"InternalExample.Unordered", Field, 7, ""},
+		{"InternalFuzzTarget", Type, 18, ""},
+		{"InternalFuzzTarget.Fn", Field, 18, ""},
+		{"InternalFuzzTarget.Name", Field, 18, ""},
+		{"InternalTest", Type, 0, ""},
+		{"InternalTest.F", Field, 0, ""},
+		{"InternalTest.Name", Field, 0, ""},
+		{"M", Type, 4, ""},
+		{"Main", Func, 0, "func(matchString func(pat string, str string) (bool, error), tests []InternalTest, benchmarks []InternalBenchmark, examples []InternalExample)"},
+		{"MainStart", Func, 4, "func(deps testDeps, tests []InternalTest, benchmarks []InternalBenchmark, fuzzTargets []InternalFuzzTarget, examples []InternalExample) *M"},
+		{"PB", Type, 3, ""},
+		{"RegisterCover", Func, 2, "func(c Cover)"},
+		{"RunBenchmarks", Func, 0, "func(matchString func(pat string, str string) (bool, error), benchmarks []InternalBenchmark)"},
+		{"RunExamples", Func, 0, "func(matchString func(pat string, str string) (bool, error), examples []InternalExample) (ok bool)"},
+		{"RunTests", Func, 0, "func(matchString func(pat string, str string) (bool, error), tests []InternalTest) (ok bool)"},
+		{"Short", Func, 0, "func() bool"},
+		{"T", Type, 0, ""},
+		{"Testing", Func, 21, "func() bool"},
+		{"Verbose", Func, 1, "func() bool"},
+	},
+	"testing/cryptotest": {
+		{"SetGlobalRandom", Func, 26, "func(t *testing.T, seed uint64)"},
+	},
+	"testing/fstest": {
+		{"(MapFS).Glob", Method, 16, ""},
+		{"(MapFS).Lstat", Method, 25, ""},
+		{"(MapFS).Open", Method, 16, ""},
+		{"(MapFS).ReadDir", Method, 16, ""},
+		{"(MapFS).ReadFile", Method, 16, ""},
+		{"(MapFS).ReadLink", Method, 25, ""},
+		{"(MapFS).Stat", Method, 16, ""},
+		{"(MapFS).Sub", Method, 16, ""},
+		{"MapFS", Type, 16, ""},
+		{"MapFile", Type, 16, ""},
+		{"MapFile.Data", Field, 16, ""},
+		{"MapFile.ModTime", Field, 16, ""},
+		{"MapFile.Mode", Field, 16, ""},
+		{"MapFile.Sys", Field, 16, ""},
+		{"TestFS", Func, 16, "func(fsys fs.FS, expected ...string) error"},
+	},
+	"testing/iotest": {
+		{"DataErrReader", Func, 0, "func(r io.Reader) io.Reader"},
+		{"ErrReader", Func, 16, "func(err error) io.Reader"},
+		{"ErrTimeout", Var, 0, ""},
+		{"HalfReader", Func, 0, "func(r io.Reader) io.Reader"},
+		{"NewReadLogger", Func, 0, "func(prefix string, r io.Reader) io.Reader"},
+		{"NewWriteLogger", Func, 0, "func(prefix string, w io.Writer) io.Writer"},
+		{"OneByteReader", Func, 0, "func(r io.Reader) io.Reader"},
+		{"TestReader", Func, 16, "func(r io.Reader, content []byte) error"},
+		{"TimeoutReader", Func, 0, "func(r io.Reader) io.Reader"},
+		{"TruncateWriter", Func, 0, "func(w io.Writer, n int64) io.Writer"},
+	},
+	"testing/quick": {
+		{"(*CheckEqualError).Error", Method, 0, ""},
+		{"(*CheckError).Error", Method, 0, ""},
+		{"(Generator).Generate", Method, 0, ""},
+		{"(SetupError).Error", Method, 0, ""},
+		{"Check", Func, 0, "func(f any, config *Config) error"},
+		{"CheckEqual", Func, 0, "func(f any, g any, config *Config) error"},
+		{"CheckEqualError", Type, 0, ""},
+		{"CheckEqualError.CheckError", Field, 0, ""},
+		{"CheckEqualError.Out1", Field, 0, ""},
+		{"CheckEqualError.Out2", Field, 0, ""},
+		{"CheckError", Type, 0, ""},
+		{"CheckError.Count", Field, 0, ""},
+		{"CheckError.In", Field, 0, ""},
+		{"Config", Type, 0, ""},
+		{"Config.MaxCount", Field, 0, ""},
+		{"Config.MaxCountScale", Field, 0, ""},
+		{"Config.Rand", Field, 0, ""},
+		{"Config.Values", Field, 0, ""},
+		{"Generator", Type, 0, ""},
+		{"SetupError", Type, 0, ""},
+		{"Value", Func, 0, "func(t reflect.Type, rand *rand.Rand) (value reflect.Value, ok bool)"},
+	},
+	"testing/slogtest": {
+		{"Run", Func, 22, "func(t *testing.T, newHandler func(*testing.T) slog.Handler, result func(*testing.T) map[string]any)"},
+		{"TestHandler", Func, 21, "func(h slog.Handler, results func() []map[string]any) error"},
+	},
+	"testing/synctest": {
+		{"Test", Func, 25, "func(t *testing.T, f func(*testing.T))"},
+		{"Wait", Func, 25, "func()"},
+	},
+	"text/scanner": {
+		{"(*Position).IsValid", Method, 0, ""},
+		{"(*Scanner).Init", Method, 0, ""},
+		{"(*Scanner).IsValid", Method, 0, ""},
+		{"(*Scanner).Next", Method, 0, ""},
+		{"(*Scanner).Peek", Method, 0, ""},
+		{"(*Scanner).Pos", Method, 0, ""},
+		{"(*Scanner).Scan", Method, 0, ""},
+		{"(*Scanner).TokenText", Method, 0, ""},
+		{"(Position).String", Method, 0, ""},
+		{"(Scanner).String", Method, 0, ""},
+		{"Char", Const, 0, ""},
+		{"Comment", Const, 0, ""},
+		{"EOF", Const, 0, ""},
+		{"Float", Const, 0, ""},
+		{"GoTokens", Const, 0, ""},
+		{"GoWhitespace", Const, 0, ""},
+		{"Ident", Const, 0, ""},
+		{"Int", Const, 0, ""},
+		{"Position", Type, 0, ""},
+		{"Position.Column", Field, 0, ""},
+		{"Position.Filename", Field, 0, ""},
+		{"Position.Line", Field, 0, ""},
+		{"Position.Offset", Field, 0, ""},
+		{"RawString", Const, 0, ""},
+		{"ScanChars", Const, 0, ""},
+		{"ScanComments", Const, 0, ""},
+		{"ScanFloats", Const, 0, ""},
+		{"ScanIdents", Const, 0, ""},
+		{"ScanInts", Const, 0, ""},
+		{"ScanRawStrings", Const, 0, ""},
+		{"ScanStrings", Const, 0, ""},
+		{"Scanner", Type, 0, ""},
+		{"Scanner.Error", Field, 0, ""},
+		{"Scanner.ErrorCount", Field, 0, ""},
+		{"Scanner.IsIdentRune", Field, 4, ""},
+		{"Scanner.Mode", Field, 0, ""},
+		{"Scanner.Position", Field, 0, ""},
+		{"Scanner.Whitespace", Field, 0, ""},
+		{"SkipComments", Const, 0, ""},
+		{"String", Const, 0, ""},
+		{"TokenString", Func, 0, "func(tok rune) string"},
+	},
+	"text/tabwriter": {
+		{"(*Writer).Flush", Method, 0, ""},
+		{"(*Writer).Init", Method, 0, ""},
+		{"(*Writer).Write", Method, 0, ""},
+		{"AlignRight", Const, 0, ""},
+		{"Debug", Const, 0, ""},
+		{"DiscardEmptyColumns", Const, 0, ""},
+		{"Escape", Const, 0, ""},
+		{"FilterHTML", Const, 0, ""},
+		{"NewWriter", Func, 0, "func(output io.Writer, minwidth int, tabwidth int, padding int, padchar byte, flags uint) *Writer"},
+		{"StripEscape", Const, 0, ""},
+		{"TabIndent", Const, 0, ""},
+		{"Writer", Type, 0, ""},
+	},
+	"text/template": {
+		{"(*Template).AddParseTree", Method, 0, ""},
+		{"(*Template).Clone", Method, 0, ""},
+		{"(*Template).DefinedTemplates", Method, 5, ""},
+		{"(*Template).Delims", Method, 0, ""},
+		{"(*Template).Execute", Method, 0, ""},
+		{"(*Template).ExecuteTemplate", Method, 0, ""},
+		{"(*Template).Funcs", Method, 0, ""},
+		{"(*Template).Lookup", Method, 0, ""},
+		{"(*Template).Name", Method, 0, ""},
+		{"(*Template).New", Method, 0, ""},
+		{"(*Template).Option", Method, 5, ""},
+		{"(*Template).Parse", Method, 0, ""},
+		{"(*Template).ParseFS", Method, 16, ""},
+		{"(*Template).ParseFiles", Method, 0, ""},
+		{"(*Template).ParseGlob", Method, 0, ""},
+		{"(*Template).Templates", Method, 0, ""},
+		{"(ExecError).Error", Method, 6, ""},
+		{"(ExecError).Unwrap", Method, 13, ""},
+		{"(Template).Copy", Method, 2, ""},
+		{"(Template).ErrorContext", Method, 1, ""},
+		{"ExecError", Type, 6, ""},
+		{"ExecError.Err", Field, 6, ""},
+		{"ExecError.Name", Field, 6, ""},
+		{"FuncMap", Type, 0, ""},
+		{"HTMLEscape", Func, 0, "func(w io.Writer, b []byte)"},
+		{"HTMLEscapeString", Func, 0, "func(s string) string"},
+		{"HTMLEscaper", Func, 0, "func(args ...any) string"},
+		{"IsTrue", Func, 6, "func(val any) (truth bool, ok bool)"},
+		{"JSEscape", Func, 0, "func(w io.Writer, b []byte)"},
+		{"JSEscapeString", Func, 0, "func(s string) string"},
+		{"JSEscaper", Func, 0, "func(args ...any) string"},
+		{"Must", Func, 0, "func(t *Template, err error) *Template"},
+		{"New", Func, 0, "func(name string) *Template"},
+		{"ParseFS", Func, 16, "func(fsys fs.FS, patterns ...string) (*Template, error)"},
+		{"ParseFiles", Func, 0, "func(filenames ...string) (*Template, error)"},
+		{"ParseGlob", Func, 0, "func(pattern string) (*Template, error)"},
+		{"Template", Type, 0, ""},
+		{"Template.Tree", Field, 0, ""},
+		{"URLQueryEscaper", Func, 0, "func(args ...any) string"},
+	},
+	"text/template/parse": {
+		{"(*ActionNode).Copy", Method, 0, ""},
+		{"(*ActionNode).String", Method, 0, ""},
+		{"(*BoolNode).Copy", Method, 0, ""},
+		{"(*BoolNode).String", Method, 0, ""},
+		{"(*BranchNode).Copy", Method, 4, ""},
+		{"(*BranchNode).String", Method, 0, ""},
+		{"(*BreakNode).Copy", Method, 18, ""},
+		{"(*BreakNode).String", Method, 18, ""},
+		{"(*ChainNode).Add", Method, 1, ""},
+		{"(*ChainNode).Copy", Method, 1, ""},
+		{"(*ChainNode).String", Method, 1, ""},
+		{"(*CommandNode).Copy", Method, 0, ""},
+		{"(*CommandNode).String", Method, 0, ""},
+		{"(*CommentNode).Copy", Method, 16, ""},
+		{"(*CommentNode).String", Method, 16, ""},
+		{"(*ContinueNode).Copy", Method, 18, ""},
+		{"(*ContinueNode).String", Method, 18, ""},
+		{"(*DotNode).Copy", Method, 0, ""},
+		{"(*DotNode).String", Method, 0, ""},
+		{"(*DotNode).Type", Method, 0, ""},
+		{"(*FieldNode).Copy", Method, 0, ""},
+		{"(*FieldNode).String", Method, 0, ""},
+		{"(*IdentifierNode).Copy", Method, 0, ""},
+		{"(*IdentifierNode).SetPos", Method, 1, ""},
+		{"(*IdentifierNode).SetTree", Method, 4, ""},
+		{"(*IdentifierNode).String", Method, 0, ""},
+		{"(*IfNode).Copy", Method, 0, ""},
+		{"(*IfNode).String", Method, 0, ""},
+		{"(*ListNode).Copy", Method, 0, ""},
+		{"(*ListNode).CopyList", Method, 0, ""},
+		{"(*ListNode).String", Method, 0, ""},
+		{"(*NilNode).Copy", Method, 1, ""},
+		{"(*NilNode).String", Method, 1, ""},
+		{"(*NilNode).Type", Method, 1, ""},
+		{"(*NumberNode).Copy", Method, 0, ""},
+		{"(*NumberNode).String", Method, 0, ""},
+		{"(*PipeNode).Copy", Method, 0, ""},
+		{"(*PipeNode).CopyPipe", Method, 0, ""},
+		{"(*PipeNode).String", Method, 0, ""},
+		{"(*RangeNode).Copy", Method, 0, ""},
+		{"(*RangeNode).String", Method, 0, ""},
+		{"(*StringNode).Copy", Method, 0, ""},
+		{"(*StringNode).String", Method, 0, ""},
+		{"(*TemplateNode).Copy", Method, 0, ""},
+		{"(*TemplateNode).String", Method, 0, ""},
+		{"(*TextNode).Copy", Method, 0, ""},
+		{"(*TextNode).String", Method, 0, ""},
+		{"(*Tree).Copy", Method, 2, ""},
+		{"(*Tree).ErrorContext", Method, 1, ""},
+		{"(*Tree).Parse", Method, 0, ""},
+		{"(*VariableNode).Copy", Method, 0, ""},
+		{"(*VariableNode).String", Method, 0, ""},
+		{"(*WithNode).Copy", Method, 0, ""},
+		{"(*WithNode).String", Method, 0, ""},
+		{"(ActionNode).Position", Method, 1, ""},
+		{"(ActionNode).Type", Method, 0, ""},
+		{"(BoolNode).Position", Method, 1, ""},
+		{"(BoolNode).Type", Method, 0, ""},
+		{"(BranchNode).Position", Method, 1, ""},
+		{"(BranchNode).Type", Method, 0, ""},
+		{"(BreakNode).Position", Method, 18, ""},
+		{"(BreakNode).Type", Method, 18, ""},
+		{"(ChainNode).Position", Method, 1, ""},
+		{"(ChainNode).Type", Method, 1, ""},
+		{"(CommandNode).Position", Method, 1, ""},
+		{"(CommandNode).Type", Method, 0, ""},
+		{"(CommentNode).Position", Method, 16, ""},
+		{"(CommentNode).Type", Method, 16, ""},
+		{"(ContinueNode).Position", Method, 18, ""},
+		{"(ContinueNode).Type", Method, 18, ""},
+		{"(DotNode).Position", Method, 1, ""},
+		{"(FieldNode).Position", Method, 1, ""},
+		{"(FieldNode).Type", Method, 0, ""},
+		{"(IdentifierNode).Position", Method, 1, ""},
+		{"(IdentifierNode).Type", Method, 0, ""},
+		{"(IfNode).Position", Method, 1, ""},
+		{"(IfNode).Type", Method, 0, ""},
+		{"(ListNode).Position", Method, 1, ""},
+		{"(ListNode).Type", Method, 0, ""},
+		{"(NilNode).Position", Method, 1, ""},
+		{"(Node).Copy", Method, 0, ""},
+		{"(Node).Position", Method, 1, ""},
+		{"(Node).String", Method, 0, ""},
+		{"(Node).Type", Method, 0, ""},
+		{"(NodeType).Type", Method, 0, ""},
+		{"(NumberNode).Position", Method, 1, ""},
+		{"(NumberNode).Type", Method, 0, ""},
+		{"(PipeNode).Position", Method, 1, ""},
+		{"(PipeNode).Type", Method, 0, ""},
+		{"(Pos).Position", Method, 1, ""},
+		{"(RangeNode).Position", Method, 1, ""},
+		{"(RangeNode).Type", Method, 0, ""},
+		{"(StringNode).Position", Method, 1, ""},
+		{"(StringNode).Type", Method, 0, ""},
+		{"(TemplateNode).Position", Method, 1, ""},
+		{"(TemplateNode).Type", Method, 0, ""},
+		{"(TextNode).Position", Method, 1, ""},
+		{"(TextNode).Type", Method, 0, ""},
+		{"(VariableNode).Position", Method, 1, ""},
+		{"(VariableNode).Type", Method, 0, ""},
+		{"(WithNode).Position", Method, 1, ""},
+		{"(WithNode).Type", Method, 0, ""},
+		{"ActionNode", Type, 0, ""},
+		{"ActionNode.Line", Field, 0, ""},
+		{"ActionNode.NodeType", Field, 0, ""},
+		{"ActionNode.Pipe", Field, 0, ""},
+		{"ActionNode.Pos", Field, 1, ""},
+		{"BoolNode", Type, 0, ""},
+		{"BoolNode.NodeType", Field, 0, ""},
+		{"BoolNode.Pos", Field, 1, ""},
+		{"BoolNode.True", Field, 0, ""},
+		{"BranchNode", Type, 0, ""},
+		{"BranchNode.ElseList", Field, 0, ""},
+		{"BranchNode.Line", Field, 0, ""},
+		{"BranchNode.List", Field, 0, ""},
+		{"BranchNode.NodeType", Field, 0, ""},
+		{"BranchNode.Pipe", Field, 0, ""},
+		{"BranchNode.Pos", Field, 1, ""},
+		{"BreakNode", Type, 18, ""},
+		{"BreakNode.Line", Field, 18, ""},
+		{"BreakNode.NodeType", Field, 18, ""},
+		{"BreakNode.Pos", Field, 18, ""},
+		{"ChainNode", Type, 1, ""},
+		{"ChainNode.Field", Field, 1, ""},
+		{"ChainNode.Node", Field, 1, ""},
+		{"ChainNode.NodeType", Field, 1, ""},
+		{"ChainNode.Pos", Field, 1, ""},
+		{"CommandNode", Type, 0, ""},
+		{"CommandNode.Args", Field, 0, ""},
+		{"CommandNode.NodeType", Field, 0, ""},
+		{"CommandNode.Pos", Field, 1, ""},
+		{"CommentNode", Type, 16, ""},
+		{"CommentNode.NodeType", Field, 16, ""},
+		{"CommentNode.Pos", Field, 16, ""},
+		{"CommentNode.Text", Field, 16, ""},
+		{"ContinueNode", Type, 18, ""},
+		{"ContinueNode.Line", Field, 18, ""},
+		{"ContinueNode.NodeType", Field, 18, ""},
+		{"ContinueNode.Pos", Field, 18, ""},
+		{"DotNode", Type, 0, ""},
+		{"DotNode.NodeType", Field, 4, ""},
+		{"DotNode.Pos", Field, 1, ""},
+		{"FieldNode", Type, 0, ""},
+		{"FieldNode.Ident", Field, 0, ""},
+		{"FieldNode.NodeType", Field, 0, ""},
+		{"FieldNode.Pos", Field, 1, ""},
+		{"IdentifierNode", Type, 0, ""},
+		{"IdentifierNode.Ident", Field, 0, ""},
+		{"IdentifierNode.NodeType", Field, 0, ""},
+		{"IdentifierNode.Pos", Field, 1, ""},
+		{"IfNode", Type, 0, ""},
+		{"IfNode.BranchNode", Field, 0, ""},
+		{"IsEmptyTree", Func, 0, "func(n Node) bool"},
+		{"ListNode", Type, 0, ""},
+		{"ListNode.NodeType", Field, 0, ""},
+		{"ListNode.Nodes", Field, 0, ""},
+		{"ListNode.Pos", Field, 1, ""},
+		{"Mode", Type, 16, ""},
+		{"New", Func, 0, "func(name string, funcs ...map[string]any) *Tree"},
+		{"NewIdentifier", Func, 0, "func(ident string) *IdentifierNode"},
+		{"NilNode", Type, 1, ""},
+		{"NilNode.NodeType", Field, 4, ""},
+		{"NilNode.Pos", Field, 1, ""},
+		{"Node", Type, 0, ""},
+		{"NodeAction", Const, 0, ""},
+		{"NodeBool", Const, 0, ""},
+		{"NodeBreak", Const, 18, ""},
+		{"NodeChain", Const, 1, ""},
+		{"NodeCommand", Const, 0, ""},
+		{"NodeComment", Const, 16, ""},
+		{"NodeContinue", Const, 18, ""},
+		{"NodeDot", Const, 0, ""},
+		{"NodeField", Const, 0, ""},
+		{"NodeIdentifier", Const, 0, ""},
+		{"NodeIf", Const, 0, ""},
+		{"NodeList", Const, 0, ""},
+		{"NodeNil", Const, 1, ""},
+		{"NodeNumber", Const, 0, ""},
+		{"NodePipe", Const, 0, ""},
+		{"NodeRange", Const, 0, ""},
+		{"NodeString", Const, 0, ""},
+		{"NodeTemplate", Const, 0, ""},
+		{"NodeText", Const, 0, ""},
+		{"NodeType", Type, 0, ""},
+		{"NodeVariable", Const, 0, ""},
+		{"NodeWith", Const, 0, ""},
+		{"NumberNode", Type, 0, ""},
+		{"NumberNode.Complex128", Field, 0, ""},
+		{"NumberNode.Float64", Field, 0, ""},
+		{"NumberNode.Int64", Field, 0, ""},
+		{"NumberNode.IsComplex", Field, 0, ""},
+		{"NumberNode.IsFloat", Field, 0, ""},
+		{"NumberNode.IsInt", Field, 0, ""},
+		{"NumberNode.IsUint", Field, 0, ""},
+		{"NumberNode.NodeType", Field, 0, ""},
+		{"NumberNode.Pos", Field, 1, ""},
+		{"NumberNode.Text", Field, 0, ""},
+		{"NumberNode.Uint64", Field, 0, ""},
+		{"Parse", Func, 0, "func(name string, text string, leftDelim string, rightDelim string, funcs ...map[string]any) (map[string]*Tree, error)"},
+		{"ParseComments", Const, 16, ""},
+		{"PipeNode", Type, 0, ""},
+		{"PipeNode.Cmds", Field, 0, ""},
+		{"PipeNode.Decl", Field, 0, ""},
+		{"PipeNode.IsAssign", Field, 11, ""},
+		{"PipeNode.Line", Field, 0, ""},
+		{"PipeNode.NodeType", Field, 0, ""},
+		{"PipeNode.Pos", Field, 1, ""},
+		{"Pos", Type, 1, ""},
+		{"RangeNode", Type, 0, ""},
+		{"RangeNode.BranchNode", Field, 0, ""},
+		{"SkipFuncCheck", Const, 17, ""},
+		{"StringNode", Type, 0, ""},
+		{"StringNode.NodeType", Field, 0, ""},
+		{"StringNode.Pos", Field, 1, ""},
+		{"StringNode.Quoted", Field, 0, ""},
+		{"StringNode.Text", Field, 0, ""},
+		{"TemplateNode", Type, 0, ""},
+		{"TemplateNode.Line", Field, 0, ""},
+		{"TemplateNode.Name", Field, 0, ""},
+		{"TemplateNode.NodeType", Field, 0, ""},
+		{"TemplateNode.Pipe", Field, 0, ""},
+		{"TemplateNode.Pos", Field, 1, ""},
+		{"TextNode", Type, 0, ""},
+		{"TextNode.NodeType", Field, 0, ""},
+		{"TextNode.Pos", Field, 1, ""},
+		{"TextNode.Text", Field, 0, ""},
+		{"Tree", Type, 0, ""},
+		{"Tree.Mode", Field, 16, ""},
+		{"Tree.Name", Field, 0, ""},
+		{"Tree.ParseName", Field, 1, ""},
+		{"Tree.Root", Field, 0, ""},
+		{"VariableNode", Type, 0, ""},
+		{"VariableNode.Ident", Field, 0, ""},
+		{"VariableNode.NodeType", Field, 0, ""},
+		{"VariableNode.Pos", Field, 1, ""},
+		{"WithNode", Type, 0, ""},
+		{"WithNode.BranchNode", Field, 0, ""},
+	},
+	"time": {
+		{"(*Location).String", Method, 0, ""},
+		{"(*ParseError).Error", Method, 0, ""},
+		{"(*Ticker).Reset", Method, 15, ""},
+		{"(*Ticker).Stop", Method, 0, ""},
+		{"(*Time).GobDecode", Method, 0, ""},
+		{"(*Time).UnmarshalBinary", Method, 2, ""},
+		{"(*Time).UnmarshalJSON", Method, 0, ""},
+		{"(*Time).UnmarshalText", Method, 2, ""},
+		{"(*Timer).Reset", Method, 1, ""},
+		{"(*Timer).Stop", Method, 0, ""},
+		{"(Duration).Abs", Method, 19, ""},
+		{"(Duration).Hours", Method, 0, ""},
+		{"(Duration).Microseconds", Method, 13, ""},
+		{"(Duration).Milliseconds", Method, 13, ""},
+		{"(Duration).Minutes", Method, 0, ""},
+		{"(Duration).Nanoseconds", Method, 0, ""},
+		{"(Duration).Round", Method, 9, ""},
+		{"(Duration).Seconds", Method, 0, ""},
+		{"(Duration).String", Method, 0, ""},
+		{"(Duration).Truncate", Method, 9, ""},
+		{"(Month).String", Method, 0, ""},
+		{"(Time).Add", Method, 0, ""},
+		{"(Time).AddDate", Method, 0, ""},
+		{"(Time).After", Method, 0, ""},
+		{"(Time).AppendBinary", Method, 24, ""},
+		{"(Time).AppendFormat", Method, 5, ""},
+		{"(Time).AppendText", Method, 24, ""},
+		{"(Time).Before", Method, 0, ""},
+		{"(Time).Clock", Method, 0, ""},
+		{"(Time).Compare", Method, 20, ""},
+		{"(Time).Date", Method, 0, ""},
+		{"(Time).Day", Method, 0, ""},
+		{"(Time).Equal", Method, 0, ""},
+		{"(Time).Format", Method, 0, ""},
+		{"(Time).GoString", Method, 17, ""},
+		{"(Time).GobEncode", Method, 0, ""},
+		{"(Time).Hour", Method, 0, ""},
+		{"(Time).ISOWeek", Method, 0, ""},
+		{"(Time).In", Method, 0, ""},
+		{"(Time).IsDST", Method, 17, ""},
+		{"(Time).IsZero", Method, 0, ""},
+		{"(Time).Local", Method, 0, ""},
+		{"(Time).Location", Method, 0, ""},
+		{"(Time).MarshalBinary", Method, 2, ""},
+		{"(Time).MarshalJSON", Method, 0, ""},
+		{"(Time).MarshalText", Method, 2, ""},
+		{"(Time).Minute", Method, 0, ""},
+		{"(Time).Month", Method, 0, ""},
+		{"(Time).Nanosecond", Method, 0, ""},
+		{"(Time).Round", Method, 1, ""},
+		{"(Time).Second", Method, 0, ""},
+		{"(Time).String", Method, 0, ""},
+		{"(Time).Sub", Method, 0, ""},
+		{"(Time).Truncate", Method, 1, ""},
+		{"(Time).UTC", Method, 0, ""},
+		{"(Time).Unix", Method, 0, ""},
+		{"(Time).UnixMicro", Method, 17, ""},
+		{"(Time).UnixMilli", Method, 17, ""},
+		{"(Time).UnixNano", Method, 0, ""},
+		{"(Time).Weekday", Method, 0, ""},
+		{"(Time).Year", Method, 0, ""},
+		{"(Time).YearDay", Method, 1, ""},
+		{"(Time).Zone", Method, 0, ""},
+		{"(Time).ZoneBounds", Method, 19, ""},
+		{"(Weekday).String", Method, 0, ""},
+		{"ANSIC", Const, 0, ""},
+		{"After", Func, 0, "func(d Duration) <-chan Time"},
+		{"AfterFunc", Func, 0, "func(d Duration, f func()) *Timer"},
+		{"April", Const, 0, ""},
+		{"August", Const, 0, ""},
+		{"Date", Func, 0, "func(year int, month Month, day int, hour int, min int, sec int, nsec int, loc *Location) Time"},
+		{"DateOnly", Const, 20, ""},
+		{"DateTime", Const, 20, ""},
+		{"December", Const, 0, ""},
+		{"Duration", Type, 0, ""},
+		{"February", Const, 0, ""},
+		{"FixedZone", Func, 0, "func(name string, offset int) *Location"},
+		{"Friday", Const, 0, ""},
+		{"Hour", Const, 0, ""},
+		{"January", Const, 0, ""},
+		{"July", Const, 0, ""},
+		{"June", Const, 0, ""},
+		{"Kitchen", Const, 0, ""},
+		{"Layout", Const, 17, ""},
+		{"LoadLocation", Func, 0, "func(name string) (*Location, error)"},
+		{"LoadLocationFromTZData", Func, 10, "func(name string, data []byte) (*Location, error)"},
+		{"Local", Var, 0, ""},
+		{"Location", Type, 0, ""},
+		{"March", Const, 0, ""},
+		{"May", Const, 0, ""},
+		{"Microsecond", Const, 0, ""},
+		{"Millisecond", Const, 0, ""},
+		{"Minute", Const, 0, ""},
+		{"Monday", Const, 0, ""},
+		{"Month", Type, 0, ""},
+		{"Nanosecond", Const, 0, ""},
+		{"NewTicker", Func, 0, "func(d Duration) *Ticker"},
+		{"NewTimer", Func, 0, "func(d Duration) *Timer"},
+		{"November", Const, 0, ""},
+		{"Now", Func, 0, "func() Time"},
+		{"October", Const, 0, ""},
+		{"Parse", Func, 0, "func(layout string, value string) (Time, error)"},
+		{"ParseDuration", Func, 0, "func(s string) (Duration, error)"},
+		{"ParseError", Type, 0, ""},
+		{"ParseError.Layout", Field, 0, ""},
+		{"ParseError.LayoutElem", Field, 0, ""},
+		{"ParseError.Message", Field, 0, ""},
+		{"ParseError.Value", Field, 0, ""},
+		{"ParseError.ValueElem", Field, 0, ""},
+		{"ParseInLocation", Func, 1, "func(layout string, value string, loc *Location) (Time, error)"},
+		{"RFC1123", Const, 0, ""},
+		{"RFC1123Z", Const, 0, ""},
+		{"RFC3339", Const, 0, ""},
+		{"RFC3339Nano", Const, 0, ""},
+		{"RFC822", Const, 0, ""},
+		{"RFC822Z", Const, 0, ""},
+		{"RFC850", Const, 0, ""},
+		{"RubyDate", Const, 0, ""},
+		{"Saturday", Const, 0, ""},
+		{"Second", Const, 0, ""},
+		{"September", Const, 0, ""},
+		{"Since", Func, 0, "func(t Time) Duration"},
+		{"Sleep", Func, 0, "func(d Duration)"},
+		{"Stamp", Const, 0, ""},
+		{"StampMicro", Const, 0, ""},
+		{"StampMilli", Const, 0, ""},
+		{"StampNano", Const, 0, ""},
+		{"Sunday", Const, 0, ""},
+		{"Thursday", Const, 0, ""},
+		{"Tick", Func, 0, "func(d Duration) <-chan Time"},
+		{"Ticker", Type, 0, ""},
+		{"Ticker.C", Field, 0, ""},
+		{"Time", Type, 0, ""},
+		{"TimeOnly", Const, 20, ""},
+		{"Timer", Type, 0, ""},
+		{"Timer.C", Field, 0, ""},
+		{"Tuesday", Const, 0, ""},
+		{"UTC", Var, 0, ""},
+		{"Unix", Func, 0, "func(sec int64, nsec int64) Time"},
+		{"UnixDate", Const, 0, ""},
+		{"UnixMicro", Func, 17, "func(usec int64) Time"},
+		{"UnixMilli", Func, 17, "func(msec int64) Time"},
+		{"Until", Func, 8, "func(t Time) Duration"},
+		{"Wednesday", Const, 0, ""},
+		{"Weekday", Type, 0, ""},
+	},
+	"unicode": {
+		{"(SpecialCase).ToLower", Method, 0, ""},
+		{"(SpecialCase).ToTitle", Method, 0, ""},
+		{"(SpecialCase).ToUpper", Method, 0, ""},
+		{"ASCII_Hex_Digit", Var, 0, ""},
+		{"Adlam", Var, 7, ""},
+		{"Ahom", Var, 5, ""},
+		{"Anatolian_Hieroglyphs", Var, 5, ""},
+		{"Arabic", Var, 0, ""},
+		{"Armenian", Var, 0, ""},
+		{"Avestan", Var, 0, ""},
+		{"AzeriCase", Var, 0, ""},
+		{"Balinese", Var, 0, ""},
+		{"Bamum", Var, 0, ""},
+		{"Bassa_Vah", Var, 4, ""},
+		{"Batak", Var, 0, ""},
+		{"Bengali", Var, 0, ""},
+		{"Bhaiksuki", Var, 7, ""},
+		{"Bidi_Control", Var, 0, ""},
+		{"Bopomofo", Var, 0, ""},
+		{"Brahmi", Var, 0, ""},
+		{"Braille", Var, 0, ""},
+		{"Buginese", Var, 0, ""},
+		{"Buhid", Var, 0, ""},
+		{"C", Var, 0, ""},
+		{"Canadian_Aboriginal", Var, 0, ""},
+		{"Carian", Var, 0, ""},
+		{"CaseRange", Type, 0, ""},
+		{"CaseRange.Delta", Field, 0, ""},
+		{"CaseRange.Hi", Field, 0, ""},
+		{"CaseRange.Lo", Field, 0, ""},
+		{"CaseRanges", Var, 0, ""},
+		{"Categories", Var, 0, ""},
+		{"CategoryAliases", Var, 25, ""},
+		{"Caucasian_Albanian", Var, 4, ""},
+		{"Cc", Var, 0, ""},
+		{"Cf", Var, 0, ""},
+		{"Chakma", Var, 1, ""},
+		{"Cham", Var, 0, ""},
+		{"Cherokee", Var, 0, ""},
+		{"Chorasmian", Var, 16, ""},
+		{"Cn", Var, 25, ""},
+		{"Co", Var, 0, ""},
+		{"Common", Var, 0, ""},
+		{"Coptic", Var, 0, ""},
+		{"Cs", Var, 0, ""},
+		{"Cuneiform", Var, 0, ""},
+		{"Cypriot", Var, 0, ""},
+		{"Cypro_Minoan", Var, 21, ""},
+		{"Cyrillic", Var, 0, ""},
+		{"Dash", Var, 0, ""},
+		{"Deprecated", Var, 0, ""},
+		{"Deseret", Var, 0, ""},
+		{"Devanagari", Var, 0, ""},
+		{"Diacritic", Var, 0, ""},
+		{"Digit", Var, 0, ""},
+		{"Dives_Akuru", Var, 16, ""},
+		{"Dogra", Var, 13, ""},
+		{"Duployan", Var, 4, ""},
+		{"Egyptian_Hieroglyphs", Var, 0, ""},
+		{"Elbasan", Var, 4, ""},
+		{"Elymaic", Var, 14, ""},
+		{"Ethiopic", Var, 0, ""},
+		{"Extender", Var, 0, ""},
+		{"FoldCategory", Var, 0, ""},
+		{"FoldScript", Var, 0, ""},
+		{"Georgian", Var, 0, ""},
+		{"Glagolitic", Var, 0, ""},
+		{"Gothic", Var, 0, ""},
+		{"Grantha", Var, 4, ""},
+		{"GraphicRanges", Var, 0, ""},
+		{"Greek", Var, 0, ""},
+		{"Gujarati", Var, 0, ""},
+		{"Gunjala_Gondi", Var, 13, ""},
+		{"Gurmukhi", Var, 0, ""},
+		{"Han", Var, 0, ""},
+		{"Hangul", Var, 0, ""},
+		{"Hanifi_Rohingya", Var, 13, ""},
+		{"Hanunoo", Var, 0, ""},
+		{"Hatran", Var, 5, ""},
+		{"Hebrew", Var, 0, ""},
+		{"Hex_Digit", Var, 0, ""},
+		{"Hiragana", Var, 0, ""},
+		{"Hyphen", Var, 0, ""},
+		{"IDS_Binary_Operator", Var, 0, ""},
+		{"IDS_Trinary_Operator", Var, 0, ""},
+		{"Ideographic", Var, 0, ""},
+		{"Imperial_Aramaic", Var, 0, ""},
+		{"In", Func, 2, "func(r rune, ranges ...*RangeTable) bool"},
+		{"Inherited", Var, 0, ""},
+		{"Inscriptional_Pahlavi", Var, 0, ""},
+		{"Inscriptional_Parthian", Var, 0, ""},
+		{"Is", Func, 0, "func(rangeTab *RangeTable, r rune) bool"},
+		{"IsControl", Func, 0, "func(r rune) bool"},
+		{"IsDigit", Func, 0, "func(r rune) bool"},
+		{"IsGraphic", Func, 0, "func(r rune) bool"},
+		{"IsLetter", Func, 0, "func(r rune) bool"},
+		{"IsLower", Func, 0, "func(r rune) bool"},
+		{"IsMark", Func, 0, "func(r rune) bool"},
+		{"IsNumber", Func, 0, "func(r rune) bool"},
+		{"IsOneOf", Func, 0, "func(ranges []*RangeTable, r rune) bool"},
+		{"IsPrint", Func, 0, "func(r rune) bool"},
+		{"IsPunct", Func, 0, "func(r rune) bool"},
+		{"IsSpace", Func, 0, "func(r rune) bool"},
+		{"IsSymbol", Func, 0, "func(r rune) bool"},
+		{"IsTitle", Func, 0, "func(r rune) bool"},
+		{"IsUpper", Func, 0, "func(r rune) bool"},
+		{"Javanese", Var, 0, ""},
+		{"Join_Control", Var, 0, ""},
+		{"Kaithi", Var, 0, ""},
+		{"Kannada", Var, 0, ""},
+		{"Katakana", Var, 0, ""},
+		{"Kawi", Var, 21, ""},
+		{"Kayah_Li", Var, 0, ""},
+		{"Kharoshthi", Var, 0, ""},
+		{"Khitan_Small_Script", Var, 16, ""},
+		{"Khmer", Var, 0, ""},
+		{"Khojki", Var, 4, ""},
+		{"Khudawadi", Var, 4, ""},
+		{"L", Var, 0, ""},
+		{"LC", Var, 25, ""},
+		{"Lao", Var, 0, ""},
+		{"Latin", Var, 0, ""},
+		{"Lepcha", Var, 0, ""},
+		{"Letter", Var, 0, ""},
+		{"Limbu", Var, 0, ""},
+		{"Linear_A", Var, 4, ""},
+		{"Linear_B", Var, 0, ""},
+		{"Lisu", Var, 0, ""},
+		{"Ll", Var, 0, ""},
+		{"Lm", Var, 0, ""},
+		{"Lo", Var, 0, ""},
+		{"Logical_Order_Exception", Var, 0, ""},
+		{"Lower", Var, 0, ""},
+		{"LowerCase", Const, 0, ""},
+		{"Lt", Var, 0, ""},
+		{"Lu", Var, 0, ""},
+		{"Lycian", Var, 0, ""},
+		{"Lydian", Var, 0, ""},
+		{"M", Var, 0, ""},
+		{"Mahajani", Var, 4, ""},
+		{"Makasar", Var, 13, ""},
+		{"Malayalam", Var, 0, ""},
+		{"Mandaic", Var, 0, ""},
+		{"Manichaean", Var, 4, ""},
+		{"Marchen", Var, 7, ""},
+		{"Mark", Var, 0, ""},
+		{"Masaram_Gondi", Var, 10, ""},
+		{"MaxASCII", Const, 0, ""},
+		{"MaxCase", Const, 0, ""},
+		{"MaxLatin1", Const, 0, ""},
+		{"MaxRune", Const, 0, ""},
+		{"Mc", Var, 0, ""},
+		{"Me", Var, 0, ""},
+		{"Medefaidrin", Var, 13, ""},
+		{"Meetei_Mayek", Var, 0, ""},
+		{"Mende_Kikakui", Var, 4, ""},
+		{"Meroitic_Cursive", Var, 1, ""},
+		{"Meroitic_Hieroglyphs", Var, 1, ""},
+		{"Miao", Var, 1, ""},
+		{"Mn", Var, 0, ""},
+		{"Modi", Var, 4, ""},
+		{"Mongolian", Var, 0, ""},
+		{"Mro", Var, 4, ""},
+		{"Multani", Var, 5, ""},
+		{"Myanmar", Var, 0, ""},
+		{"N", Var, 0, ""},
+		{"Nabataean", Var, 4, ""},
+		{"Nag_Mundari", Var, 21, ""},
+		{"Nandinagari", Var, 14, ""},
+		{"Nd", Var, 0, ""},
+		{"New_Tai_Lue", Var, 0, ""},
+		{"Newa", Var, 7, ""},
+		{"Nko", Var, 0, ""},
+		{"Nl", Var, 0, ""},
+		{"No", Var, 0, ""},
+		{"Noncharacter_Code_Point", Var, 0, ""},
+		{"Number", Var, 0, ""},
+		{"Nushu", Var, 10, ""},
+		{"Nyiakeng_Puachue_Hmong", Var, 14, ""},
+		{"Ogham", Var, 0, ""},
+		{"Ol_Chiki", Var, 0, ""},
+		{"Old_Hungarian", Var, 5, ""},
+		{"Old_Italic", Var, 0, ""},
+		{"Old_North_Arabian", Var, 4, ""},
+		{"Old_Permic", Var, 4, ""},
+		{"Old_Persian", Var, 0, ""},
+		{"Old_Sogdian", Var, 13, ""},
+		{"Old_South_Arabian", Var, 0, ""},
+		{"Old_Turkic", Var, 0, ""},
+		{"Old_Uyghur", Var, 21, ""},
+		{"Oriya", Var, 0, ""},
+		{"Osage", Var, 7, ""},
+		{"Osmanya", Var, 0, ""},
+		{"Other", Var, 0, ""},
+		{"Other_Alphabetic", Var, 0, ""},
+		{"Other_Default_Ignorable_Code_Point", Var, 0, ""},
+		{"Other_Grapheme_Extend", Var, 0, ""},
+		{"Other_ID_Continue", Var, 0, ""},
+		{"Other_ID_Start", Var, 0, ""},
+		{"Other_Lowercase", Var, 0, ""},
+		{"Other_Math", Var, 0, ""},
+		{"Other_Uppercase", Var, 0, ""},
+		{"P", Var, 0, ""},
+		{"Pahawh_Hmong", Var, 4, ""},
+		{"Palmyrene", Var, 4, ""},
+		{"Pattern_Syntax", Var, 0, ""},
+		{"Pattern_White_Space", Var, 0, ""},
+		{"Pau_Cin_Hau", Var, 4, ""},
+		{"Pc", Var, 0, ""},
+		{"Pd", Var, 0, ""},
+		{"Pe", Var, 0, ""},
+		{"Pf", Var, 0, ""},
+		{"Phags_Pa", Var, 0, ""},
+		{"Phoenician", Var, 0, ""},
+		{"Pi", Var, 0, ""},
+		{"Po", Var, 0, ""},
+		{"Prepended_Concatenation_Mark", Var, 7, ""},
+		{"PrintRanges", Var, 0, ""},
+		{"Properties", Var, 0, ""},
+		{"Ps", Var, 0, ""},
+		{"Psalter_Pahlavi", Var, 4, ""},
+		{"Punct", Var, 0, ""},
+		{"Quotation_Mark", Var, 0, ""},
+		{"Radical", Var, 0, ""},
+		{"Range16", Type, 0, ""},
+		{"Range16.Hi", Field, 0, ""},
+		{"Range16.Lo", Field, 0, ""},
+		{"Range16.Stride", Field, 0, ""},
+		{"Range32", Type, 0, ""},
+		{"Range32.Hi", Field, 0, ""},
+		{"Range32.Lo", Field, 0, ""},
+		{"Range32.Stride", Field, 0, ""},
+		{"RangeTable", Type, 0, ""},
+		{"RangeTable.LatinOffset", Field, 1, ""},
+		{"RangeTable.R16", Field, 0, ""},
+		{"RangeTable.R32", Field, 0, ""},
+		{"Regional_Indicator", Var, 10, ""},
+		{"Rejang", Var, 0, ""},
+		{"ReplacementChar", Const, 0, ""},
+		{"Runic", Var, 0, ""},
+		{"S", Var, 0, ""},
+		{"STerm", Var, 0, ""},
+		{"Samaritan", Var, 0, ""},
+		{"Saurashtra", Var, 0, ""},
+		{"Sc", Var, 0, ""},
+		{"Scripts", Var, 0, ""},
+		{"Sentence_Terminal", Var, 7, ""},
+		{"Sharada", Var, 1, ""},
+		{"Shavian", Var, 0, ""},
+		{"Siddham", Var, 4, ""},
+		{"SignWriting", Var, 5, ""},
+		{"SimpleFold", Func, 0, "func(r rune) rune"},
+		{"Sinhala", Var, 0, ""},
+		{"Sk", Var, 0, ""},
+		{"Sm", Var, 0, ""},
+		{"So", Var, 0, ""},
+		{"Soft_Dotted", Var, 0, ""},
+		{"Sogdian", Var, 13, ""},
+		{"Sora_Sompeng", Var, 1, ""},
+		{"Soyombo", Var, 10, ""},
+		{"Space", Var, 0, ""},
+		{"SpecialCase", Type, 0, ""},
+		{"Sundanese", Var, 0, ""},
+		{"Syloti_Nagri", Var, 0, ""},
+		{"Symbol", Var, 0, ""},
+		{"Syriac", Var, 0, ""},
+		{"Tagalog", Var, 0, ""},
+		{"Tagbanwa", Var, 0, ""},
+		{"Tai_Le", Var, 0, ""},
+		{"Tai_Tham", Var, 0, ""},
+		{"Tai_Viet", Var, 0, ""},
+		{"Takri", Var, 1, ""},
+		{"Tamil", Var, 0, ""},
+		{"Tangsa", Var, 21, ""},
+		{"Tangut", Var, 7, ""},
+		{"Telugu", Var, 0, ""},
+		{"Terminal_Punctuation", Var, 0, ""},
+		{"Thaana", Var, 0, ""},
+		{"Thai", Var, 0, ""},
+		{"Tibetan", Var, 0, ""},
+		{"Tifinagh", Var, 0, ""},
+		{"Tirhuta", Var, 4, ""},
+		{"Title", Var, 0, ""},
+		{"TitleCase", Const, 0, ""},
+		{"To", Func, 0, "func(_case int, r rune) rune"},
+		{"ToLower", Func, 0, "func(r rune) rune"},
+		{"ToTitle", Func, 0, "func(r rune) rune"},
+		{"ToUpper", Func, 0, "func(r rune) rune"},
+		{"Toto", Var, 21, ""},
+		{"TurkishCase", Var, 0, ""},
+		{"Ugaritic", Var, 0, ""},
+		{"Unified_Ideograph", Var, 0, ""},
+		{"Upper", Var, 0, ""},
+		{"UpperCase", Const, 0, ""},
+		{"UpperLower", Const, 0, ""},
+		{"Vai", Var, 0, ""},
+		{"Variation_Selector", Var, 0, ""},
+		{"Version", Const, 0, ""},
+		{"Vithkuqi", Var, 21, ""},
+		{"Wancho", Var, 14, ""},
+		{"Warang_Citi", Var, 4, ""},
+		{"White_Space", Var, 0, ""},
+		{"Yezidi", Var, 16, ""},
+		{"Yi", Var, 0, ""},
+		{"Z", Var, 0, ""},
+		{"Zanabazar_Square", Var, 10, ""},
+		{"Zl", Var, 0, ""},
+		{"Zp", Var, 0, ""},
+		{"Zs", Var, 0, ""},
+	},
+	"unicode/utf16": {
+		{"AppendRune", Func, 20, "func(a []uint16, r rune) []uint16"},
+		{"Decode", Func, 0, "func(s []uint16) []rune"},
+		{"DecodeRune", Func, 0, "func(r1 rune, r2 rune) rune"},
+		{"Encode", Func, 0, "func(s []rune) []uint16"},
+		{"EncodeRune", Func, 0, "func(r rune) (r1 rune, r2 rune)"},
+		{"IsSurrogate", Func, 0, "func(r rune) bool"},
+		{"RuneLen", Func, 23, "func(r rune) int"},
+	},
+	"unicode/utf8": {
+		{"AppendRune", Func, 18, "func(p []byte, r rune) []byte"},
+		{"DecodeLastRune", Func, 0, "func(p []byte) (r rune, size int)"},
+		{"DecodeLastRuneInString", Func, 0, "func(s string) (r rune, size int)"},
+		{"DecodeRune", Func, 0, "func(p []byte) (r rune, size int)"},
+		{"DecodeRuneInString", Func, 0, "func(s string) (r rune, size int)"},
+		{"EncodeRune", Func, 0, "func(p []byte, r rune) int"},
+		{"FullRune", Func, 0, "func(p []byte) bool"},
+		{"FullRuneInString", Func, 0, "func(s string) bool"},
+		{"MaxRune", Const, 0, ""},
+		{"RuneCount", Func, 0, "func(p []byte) int"},
+		{"RuneCountInString", Func, 0, "func(s string) (n int)"},
+		{"RuneError", Const, 0, ""},
+		{"RuneLen", Func, 0, "func(r rune) int"},
+		{"RuneSelf", Const, 0, ""},
+		{"RuneStart", Func, 0, "func(b byte) bool"},
+		{"UTFMax", Const, 0, ""},
+		{"Valid", Func, 0, "func(p []byte) bool"},
+		{"ValidRune", Func, 1, "func(r rune) bool"},
+		{"ValidString", Func, 0, "func(s string) bool"},
+	},
+	"unique": {
+		{"(Handle).Value", Method, 23, ""},
+		{"Handle", Type, 23, ""},
+		{"Make", Func, 23, "func[T comparable](value T) Handle[T]"},
+	},
+	"unsafe": {
+		{"Add", Func, 0, ""},
+		{"Alignof", Func, 0, ""},
+		{"Offsetof", Func, 0, ""},
+		{"Pointer", Type, 0, ""},
+		{"Sizeof", Func, 0, ""},
+		{"Slice", Func, 0, ""},
+		{"SliceData", Func, 0, ""},
+		{"String", Func, 0, ""},
+		{"StringData", Func, 0, ""},
+	},
+	"weak": {
+		{"(Pointer).Value", Method, 24, ""},
+		{"Make", Func, 24, "func[T any](ptr *T) Pointer[T]"},
+		{"Pointer", Type, 24, ""},
+	},
+}
diff --git a/vendor/golang.org/x/tools/internal/stdlib/stdlib.go b/vendor/golang.org/x/tools/internal/stdlib/stdlib.go
new file mode 100644
index 0000000000..59a5de36a2
--- /dev/null
+++ b/vendor/golang.org/x/tools/internal/stdlib/stdlib.go
@@ -0,0 +1,105 @@
+// Copyright 2022 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:generate go run generate.go
+
+// Package stdlib provides a table of all exported symbols in the
+// standard library, along with the version at which they first
+// appeared. It also provides the import graph of std packages.
+package stdlib
+
+import (
+	"fmt"
+	"strings"
+)
+
+type Symbol struct {
+	Name    string
+	Kind    Kind
+	Version Version // Go version that first included the symbol
+	// Signature provides the type of a function (defined only for Kind=Func).
+	// Imported types are denoted as pkg.T; pkg is not fully qualified.
+	// TODO(adonovan): use an unambiguous encoding that is parseable.
+	//
+	// Example2:
+	//    func[M ~map[K]V, K comparable, V any](m M) M
+	//    func(fi fs.FileInfo, link string) (*Header, error)
+	Signature string // if Kind == stdlib.Func
+}
+
+// A Kind indicates the kind of a symbol:
+// function, variable, constant, type, and so on.
+type Kind int8
+
+const (
+	Invalid Kind = iota // Example name:
+	Type                // "Buffer"
+	Func                // "Println"
+	Var                 // "EOF"
+	Const               // "Pi"
+	Field               // "Point.X"
+	Method              // "(*Buffer).Grow" or "(Reader).Read"
+)
+
+func (kind Kind) String() string {
+	return [...]string{
+		Invalid: "invalid",
+		Type:    "type",
+		Func:    "func",
+		Var:     "var",
+		Const:   "const",
+		Field:   "field",
+		Method:  "method",
+	}[kind]
+}
+
+// A Version represents a version of Go of the form "go1.%d".
+type Version int8
+
+// String returns a version string of the form "go1.23", without allocating.
+func (v Version) String() string { return versions[v] }
+
+var versions [30]string // (increase constant as needed)
+
+func init() {
+	for i := range versions {
+		versions[i] = fmt.Sprintf("go1.%d", i)
+	}
+}
+
+// HasPackage reports whether the specified package path is part of
+// the standard library's public API.
+func HasPackage(path string) bool {
+	_, ok := PackageSymbols[path]
+	return ok
+}
+
+// SplitField splits the field symbol name into type and field
+// components. It must be called only on Field symbols.
+//
+// Example: "File.Package" -> ("File", "Package")
+func (sym *Symbol) SplitField() (typename, name string) {
+	if sym.Kind != Field {
+		panic("not a field")
+	}
+	typename, name, _ = strings.Cut(sym.Name, ".")
+	return
+}
+
+// SplitMethod splits the method symbol name into pointer, receiver,
+// and method components. It must be called only on Method symbols.
+//
+// Example: "(*Buffer).Grow" -> (true, "Buffer", "Grow")
+func (sym *Symbol) SplitMethod() (ptr bool, recv, name string) {
+	if sym.Kind != Method {
+		panic("not a method")
+	}
+	recv, name, _ = strings.Cut(sym.Name, ".")
+	recv = recv[len("(") : len(recv)-len(")")]
+	ptr = recv[0] == '*'
+	if ptr {
+		recv = recv[len("*"):]
+	}
+	return
+}
diff --git a/vendor/golang.org/x/tools/internal/typeparams/common.go b/vendor/golang.org/x/tools/internal/typeparams/common.go
new file mode 100644
index 0000000000..cdae2b8e81
--- /dev/null
+++ b/vendor/golang.org/x/tools/internal/typeparams/common.go
@@ -0,0 +1,68 @@
+// Copyright 2021 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package typeparams contains common utilities for writing tools that
+// interact with generic Go code, as introduced with Go 1.18. It
+// supplements the standard library APIs. Notably, the StructuralTerms
+// API computes a minimal representation of the structural
+// restrictions on a type parameter.
+//
+// An external version of these APIs is available in the
+// golang.org/x/exp/typeparams module.
+package typeparams
+
+import (
+	"go/ast"
+	"go/token"
+	"go/types"
+)
+
+// UnpackIndexExpr extracts data from AST nodes that represent index
+// expressions.
+//
+// For an ast.IndexExpr, the resulting indices slice will contain exactly one
+// index expression. For an ast.IndexListExpr (go1.18+), it may have a variable
+// number of index expressions.
+//
+// For nodes that don't represent index expressions, the first return value of
+// UnpackIndexExpr will be nil.
+func UnpackIndexExpr(n ast.Node) (x ast.Expr, lbrack token.Pos, indices []ast.Expr, rbrack token.Pos) {
+	switch e := n.(type) {
+	case *ast.IndexExpr:
+		return e.X, e.Lbrack, []ast.Expr{e.Index}, e.Rbrack
+	case *ast.IndexListExpr:
+		return e.X, e.Lbrack, e.Indices, e.Rbrack
+	}
+	return nil, token.NoPos, nil, token.NoPos
+}
+
+// PackIndexExpr returns an *ast.IndexExpr or *ast.IndexListExpr, depending on
+// the cardinality of indices. Calling PackIndexExpr with len(indices) == 0
+// will panic.
+func PackIndexExpr(x ast.Expr, lbrack token.Pos, indices []ast.Expr, rbrack token.Pos) ast.Expr {
+	switch len(indices) {
+	case 0:
+		panic("empty indices")
+	case 1:
+		return &ast.IndexExpr{
+			X:      x,
+			Lbrack: lbrack,
+			Index:  indices[0],
+			Rbrack: rbrack,
+		}
+	default:
+		return &ast.IndexListExpr{
+			X:       x,
+			Lbrack:  lbrack,
+			Indices: indices,
+			Rbrack:  rbrack,
+		}
+	}
+}
+
+// IsTypeParam reports whether t is a type parameter (or an alias of one).
+func IsTypeParam(t types.Type) bool {
+	_, ok := types.Unalias(t).(*types.TypeParam)
+	return ok
+}
diff --git a/vendor/golang.org/x/tools/internal/typeparams/coretype.go b/vendor/golang.org/x/tools/internal/typeparams/coretype.go
new file mode 100644
index 0000000000..27a2b17929
--- /dev/null
+++ b/vendor/golang.org/x/tools/internal/typeparams/coretype.go
@@ -0,0 +1,155 @@
+// Copyright 2022 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package typeparams
+
+import (
+	"fmt"
+	"go/types"
+)
+
+// CoreType returns the core type of T or nil if T does not have a core type.
+//
+// See https://go.dev/ref/spec#Core_types for the definition of a core type.
+func CoreType(T types.Type) types.Type {
+	U := T.Underlying()
+	if _, ok := U.(*types.Interface); !ok {
+		return U // for non-interface types,
+	}
+
+	terms, err := NormalTerms(U)
+	if len(terms) == 0 || err != nil {
+		// len(terms) -> empty type set of interface.
+		// err != nil => U is invalid, exceeds complexity bounds, or has an empty type set.
+		return nil // no core type.
+	}
+
+	U = terms[0].Type().Underlying()
+	var identical int // i in [0,identical) => Identical(U, terms[i].Type().Underlying())
+	for identical = 1; identical < len(terms); identical++ {
+		if !types.Identical(U, terms[identical].Type().Underlying()) {
+			break
+		}
+	}
+
+	if identical == len(terms) {
+		// https://go.dev/ref/spec#Core_types
+		// "There is a single type U which is the underlying type of all types in the type set of T"
+		return U
+	}
+	ch, ok := U.(*types.Chan)
+	if !ok {
+		return nil // no core type as identical < len(terms) and U is not a channel.
+	}
+	// https://go.dev/ref/spec#Core_types
+	// "the type chan E if T contains only bidirectional channels, or the type chan<- E or
+	// <-chan E depending on the direction of the directional channels present."
+	for chans := identical; chans < len(terms); chans++ {
+		curr, ok := terms[chans].Type().Underlying().(*types.Chan)
+		if !ok {
+			return nil
+		}
+		if !types.Identical(ch.Elem(), curr.Elem()) {
+			return nil // channel elements are not identical.
+		}
+		if ch.Dir() == types.SendRecv {
+			// ch is bidirectional. We can safely always use curr's direction.
+			ch = curr
+		} else if curr.Dir() != types.SendRecv && ch.Dir() != curr.Dir() {
+			// ch and curr are not bidirectional and not the same direction.
+			return nil
+		}
+	}
+	return ch
+}
+
+// NormalTerms returns a slice of terms representing the normalized structural
+// type restrictions of a type, if any.
+//
+// For all types other than *types.TypeParam, *types.Interface, and
+// *types.Union, this is just a single term with Tilde() == false and
+// Type() == typ. For *types.TypeParam, *types.Interface, and *types.Union, see
+// below.
+//
+// Structural type restrictions of a type parameter are created via
+// non-interface types embedded in its constraint interface (directly, or via a
+// chain of interface embeddings). For example, in the declaration type
+// T[P interface{~int; m()}] int the structural restriction of the type
+// parameter P is ~int.
+//
+// With interface embedding and unions, the specification of structural type
+// restrictions may be arbitrarily complex. For example, consider the
+// following:
+//
+//	type A interface{ ~string|~[]byte }
+//
+//	type B interface{ int|string }
+//
+//	type C interface { ~string|~int }
+//
+//	type T[P interface{ A|B; C }] int
+//
+// In this example, the structural type restriction of P is ~string|int: A|B
+// expands to ~string|~[]byte|int|string, which reduces to ~string|~[]byte|int,
+// which when intersected with C (~string|~int) yields ~string|int.
+//
+// NormalTerms computes these expansions and reductions, producing a
+// "normalized" form of the embeddings. A structural restriction is normalized
+// if it is a single union containing no interface terms, and is minimal in the
+// sense that removing any term changes the set of types satisfying the
+// constraint. It is left as a proof for the reader that, modulo sorting, there
+// is exactly one such normalized form.
+//
+// Because the minimal representation always takes this form, NormalTerms
+// returns a slice of tilde terms corresponding to the terms of the union in
+// the normalized structural restriction. An error is returned if the type is
+// invalid, exceeds complexity bounds, or has an empty type set. In the latter
+// case, NormalTerms returns ErrEmptyTypeSet.
+//
+// NormalTerms makes no guarantees about the order of terms, except that it
+// is deterministic.
+func NormalTerms(T types.Type) ([]*types.Term, error) {
+	// typeSetOf(T) == typeSetOf(Unalias(T))
+	typ := types.Unalias(T)
+	if named, ok := typ.(*types.Named); ok {
+		typ = named.Underlying()
+	}
+	switch typ := typ.(type) {
+	case *types.TypeParam:
+		return StructuralTerms(typ)
+	case *types.Union:
+		return UnionTermSet(typ)
+	case *types.Interface:
+		return InterfaceTermSet(typ)
+	default:
+		return []*types.Term{types.NewTerm(false, T)}, nil
+	}
+}
+
+// Deref returns the type of the variable pointed to by t,
+// if t's core type is a pointer; otherwise it returns t.
+//
+// Do not assume that Deref(T)==T implies T is not a pointer:
+// consider "type T *T", for example.
+//
+// TODO(adonovan): ideally this would live in typesinternal, but that
+// creates an import cycle. Move there when we melt this package down.
+func Deref(t types.Type) types.Type {
+	if ptr, ok := CoreType(t).(*types.Pointer); ok {
+		return ptr.Elem()
+	}
+	return t
+}
+
+// MustDeref returns the type of the variable pointed to by t.
+// It panics if t's core type is not a pointer.
+//
+// TODO(adonovan): ideally this would live in typesinternal, but that
+// creates an import cycle. Move there when we melt this package down.
+func MustDeref(t types.Type) types.Type {
+	if ptr, ok := CoreType(t).(*types.Pointer); ok {
+		return ptr.Elem()
+	}
+	panic(fmt.Sprintf("%v is not a pointer", t))
+}
diff --git a/vendor/golang.org/x/tools/internal/typeparams/free.go b/vendor/golang.org/x/tools/internal/typeparams/free.go
new file mode 100644
index 0000000000..709d2fc144
--- /dev/null
+++ b/vendor/golang.org/x/tools/internal/typeparams/free.go
@@ -0,0 +1,131 @@
+// Copyright 2024 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package typeparams
+
+import (
+	"go/types"
+
+	"golang.org/x/tools/internal/aliases"
+)
+
+// Free is a memoization of the set of free type parameters within a
+// type. It makes a sequence of calls to [Free.Has] for overlapping
+// types more efficient. The zero value is ready for use.
+//
+// NOTE: Adapted from go/types/infer.go. If it is later exported, factor.
+type Free struct {
+	seen map[types.Type]bool
+}
+
+// Has reports whether the specified type has a free type parameter.
+func (w *Free) Has(typ types.Type) (res bool) {
+	// detect cycles
+	if x, ok := w.seen[typ]; ok {
+		return x
+	}
+	if w.seen == nil {
+		w.seen = make(map[types.Type]bool)
+	}
+	w.seen[typ] = false
+	defer func() {
+		w.seen[typ] = res
+	}()
+
+	switch t := typ.(type) {
+	case nil, *types.Basic: // TODO(gri) should nil be handled here?
+		break
+
+	case *types.Alias:
+		if aliases.TypeParams(t).Len() > aliases.TypeArgs(t).Len() {
+			return true // This is an uninstantiated Alias.
+		}
+		// The expansion of an alias can have free type parameters,
+		// whether or not the alias itself has type parameters:
+		//
+		//   func _[K comparable]() {
+		//     type Set      = map[K]bool // free(Set)      = {K}
+		//     type MapTo[V] = map[K]V    // free(Map[foo]) = {V}
+		//   }
+		//
+		// So, we must Unalias.
+		return w.Has(types.Unalias(t))
+
+	case *types.Array:
+		return w.Has(t.Elem())
+
+	case *types.Slice:
+		return w.Has(t.Elem())
+
+	case *types.Struct:
+		for i, n := 0, t.NumFields(); i < n; i++ {
+			if w.Has(t.Field(i).Type()) {
+				return true
+			}
+		}
+
+	case *types.Pointer:
+		return w.Has(t.Elem())
+
+	case *types.Tuple:
+		n := t.Len()
+		for i := range n {
+			if w.Has(t.At(i).Type()) {
+				return true
+			}
+		}
+
+	case *types.Signature:
+		// t.tparams may not be nil if we are looking at a signature
+		// of a generic function type (or an interface method) that is
+		// part of the type we're testing. We don't care about these type
+		// parameters.
+		// Similarly, the receiver of a method may declare (rather than
+		// use) type parameters, we don't care about those either.
+		// Thus, we only need to look at the input and result parameters.
+		return w.Has(t.Params()) || w.Has(t.Results())
+
+	case *types.Interface:
+		for i, n := 0, t.NumMethods(); i < n; i++ {
+			if w.Has(t.Method(i).Type()) {
+				return true
+			}
+		}
+		terms, err := InterfaceTermSet(t)
+		if err != nil {
+			return false // ill typed
+		}
+		for _, term := range terms {
+			if w.Has(term.Type()) {
+				return true
+			}
+		}
+
+	case *types.Map:
+		return w.Has(t.Key()) || w.Has(t.Elem())
+
+	case *types.Chan:
+		return w.Has(t.Elem())
+
+	case *types.Named:
+		args := t.TypeArgs()
+		if params := t.TypeParams(); params.Len() > args.Len() {
+			return true // this is an uninstantiated named type.
+		}
+		for i, n := 0, args.Len(); i < n; i++ {
+			if w.Has(args.At(i)) {
+				return true
+			}
+		}
+		return w.Has(t.Underlying()) // recurse for types local to parameterized functions
+
+	case *types.TypeParam:
+		return true
+
+	default:
+		panic(t) // unreachable
+	}
+
+	return false
+}
diff --git a/vendor/golang.org/x/tools/internal/typeparams/normalize.go b/vendor/golang.org/x/tools/internal/typeparams/normalize.go
new file mode 100644
index 0000000000..8d13f12147
--- /dev/null
+++ b/vendor/golang.org/x/tools/internal/typeparams/normalize.go
@@ -0,0 +1,216 @@
+// Copyright 2021 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package typeparams
+
+import (
+	"errors"
+	"fmt"
+	"go/types"
+	"os"
+	"strings"
+)
+
+//go:generate go run copytermlist.go
+
+const debug = false
+
+var ErrEmptyTypeSet = errors.New("empty type set")
+
+// StructuralTerms returns a slice of terms representing the normalized
+// structural type restrictions of a type parameter, if any.
+//
+// Structural type restrictions of a type parameter are created via
+// non-interface types embedded in its constraint interface (directly, or via a
+// chain of interface embeddings). For example, in the declaration
+//
+//	type T[P interface{~int; m()}] int
+//
+// the structural restriction of the type parameter P is ~int.
+//
+// With interface embedding and unions, the specification of structural type
+// restrictions may be arbitrarily complex. For example, consider the
+// following:
+//
+//	type A interface{ ~string|~[]byte }
+//
+//	type B interface{ int|string }
+//
+//	type C interface { ~string|~int }
+//
+//	type T[P interface{ A|B; C }] int
+//
+// In this example, the structural type restriction of P is ~string|int: A|B
+// expands to ~string|~[]byte|int|string, which reduces to ~string|~[]byte|int,
+// which when intersected with C (~string|~int) yields ~string|int.
+//
+// StructuralTerms computes these expansions and reductions, producing a
+// "normalized" form of the embeddings. A structural restriction is normalized
+// if it is a single union containing no interface terms, and is minimal in the
+// sense that removing any term changes the set of types satisfying the
+// constraint. It is left as a proof for the reader that, modulo sorting, there
+// is exactly one such normalized form.
+//
+// Because the minimal representation always takes this form, StructuralTerms
+// returns a slice of tilde terms corresponding to the terms of the union in
+// the normalized structural restriction. An error is returned if the
+// constraint interface is invalid, exceeds complexity bounds, or has an empty
+// type set. In the latter case, StructuralTerms returns ErrEmptyTypeSet.
+//
+// StructuralTerms makes no guarantees about the order of terms, except that it
+// is deterministic.
+func StructuralTerms(tparam *types.TypeParam) ([]*types.Term, error) {
+	constraint := tparam.Constraint()
+	if constraint == nil {
+		return nil, fmt.Errorf("%s has nil constraint", tparam)
+	}
+	iface, _ := constraint.Underlying().(*types.Interface)
+	if iface == nil {
+		return nil, fmt.Errorf("constraint is %T, not *types.Interface", constraint.Underlying())
+	}
+	return InterfaceTermSet(iface)
+}
+
+// InterfaceTermSet computes the normalized terms for a constraint interface,
+// returning an error if the term set cannot be computed or is empty. In the
+// latter case, the error will be ErrEmptyTypeSet.
+//
+// See the documentation of StructuralTerms for more information on
+// normalization.
+func InterfaceTermSet(iface *types.Interface) ([]*types.Term, error) {
+	return computeTermSet(iface)
+}
+
+// UnionTermSet computes the normalized terms for a union, returning an error
+// if the term set cannot be computed or is empty. In the latter case, the
+// error will be ErrEmptyTypeSet.
+//
+// See the documentation of StructuralTerms for more information on
+// normalization.
+func UnionTermSet(union *types.Union) ([]*types.Term, error) {
+	return computeTermSet(union)
+}
+
+func computeTermSet(typ types.Type) ([]*types.Term, error) {
+	tset, err := computeTermSetInternal(typ, make(map[types.Type]*termSet), 0)
+	if err != nil {
+		return nil, err
+	}
+	if tset.terms.isEmpty() {
+		return nil, ErrEmptyTypeSet
+	}
+	if tset.terms.isAll() {
+		return nil, nil
+	}
+	var terms []*types.Term
+	for _, term := range tset.terms {
+		terms = append(terms, types.NewTerm(term.tilde, term.typ))
+	}
+	return terms, nil
+}
+
+// A termSet holds the normalized set of terms for a given type.
+//
+// The name termSet is intentionally distinct from 'type set': a type set is
+// all types that implement a type (and includes method restrictions), whereas
+// a term set just represents the structural restrictions on a type.
+type termSet struct {
+	complete bool
+	terms    termlist
+}
+
+func indentf(depth int, format string, args ...any) {
+	fmt.Fprintf(os.Stderr, strings.Repeat(".", depth)+format+"\n", args...)
+}
+
+func computeTermSetInternal(t types.Type, seen map[types.Type]*termSet, depth int) (res *termSet, err error) {
+	if t == nil {
+		panic("nil type")
+	}
+
+	if debug {
+		indentf(depth, "%s", t.String())
+		defer func() {
+			if err != nil {
+				indentf(depth, "=> %s", err)
+			} else {
+				indentf(depth, "=> %s", res.terms.String())
+			}
+		}()
+	}
+
+	const maxTermCount = 100
+	if tset, ok := seen[t]; ok {
+		if !tset.complete {
+			return nil, fmt.Errorf("cycle detected in the declaration of %s", t)
+		}
+		return tset, nil
+	}
+
+	// Mark the current type as seen to avoid infinite recursion.
+	tset := new(termSet)
+	defer func() {
+		tset.complete = true
+	}()
+	seen[t] = tset
+
+	switch u := t.Underlying().(type) {
+	case *types.Interface:
+		// The term set of an interface is the intersection of the term sets of its
+		// embedded types.
+		tset.terms = allTermlist
+		for embedded := range u.EmbeddedTypes() {
+			if _, ok := embedded.Underlying().(*types.TypeParam); ok {
+				return nil, fmt.Errorf("invalid embedded type %T", embedded)
+			}
+			tset2, err := computeTermSetInternal(embedded, seen, depth+1)
+			if err != nil {
+				return nil, err
+			}
+			tset.terms = tset.terms.intersect(tset2.terms)
+		}
+	case *types.Union:
+		// The term set of a union is the union of term sets of its terms.
+		tset.terms = nil
+		for t := range u.Terms() {
+			var terms termlist
+			switch t.Type().Underlying().(type) {
+			case *types.Interface:
+				tset2, err := computeTermSetInternal(t.Type(), seen, depth+1)
+				if err != nil {
+					return nil, err
+				}
+				terms = tset2.terms
+			case *types.TypeParam, *types.Union:
+				// A stand-alone type parameter or union is not permitted as union
+				// term.
+				return nil, fmt.Errorf("invalid union term %T", t)
+			default:
+				if t.Type() == types.Typ[types.Invalid] {
+					continue
+				}
+				terms = termlist{{t.Tilde(), t.Type()}}
+			}
+			tset.terms = tset.terms.union(terms)
+			if len(tset.terms) > maxTermCount {
+				return nil, fmt.Errorf("exceeded max term count %d", maxTermCount)
+			}
+		}
+	case *types.TypeParam:
+		panic("unreachable")
+	default:
+		// For all other types, the term set is just a single non-tilde term
+		// holding the type itself.
+		if u != types.Typ[types.Invalid] {
+			tset.terms = termlist{{false, t}}
+		}
+	}
+	return tset, nil
+}
+
+// under is a facade for the go/types internal function of the same name. It is
+// used by typeterm.go.
+func under(t types.Type) types.Type {
+	return t.Underlying()
+}
diff --git a/vendor/golang.org/x/tools/internal/typeparams/termlist.go b/vendor/golang.org/x/tools/internal/typeparams/termlist.go
new file mode 100644
index 0000000000..9bc29143f6
--- /dev/null
+++ b/vendor/golang.org/x/tools/internal/typeparams/termlist.go
@@ -0,0 +1,169 @@
+// Code generated by "go test -run=Generate -write=all"; DO NOT EDIT.
+// Source: ../../cmd/compile/internal/types2/termlist.go
+
+// Copyright 2021 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Code generated by copytermlist.go DO NOT EDIT.
+
+package typeparams
+
+import (
+	"go/types"
+	"strings"
+)
+
+// A termlist represents the type set represented by the union
+// t1 ∪ y2 ∪ ... tn of the type sets of the terms t1 to tn.
+// A termlist is in normal form if all terms are disjoint.
+// termlist operations don't require the operands to be in
+// normal form.
+type termlist []*term
+
+// allTermlist represents the set of all types.
+// It is in normal form.
+var allTermlist = termlist{new(term)}
+
+// termSep is the separator used between individual terms.
+const termSep = " | "
+
+// String prints the termlist exactly (without normalization).
+func (xl termlist) String() string {
+	if len(xl) == 0 {
+		return "∅"
+	}
+	var buf strings.Builder
+	for i, x := range xl {
+		if i > 0 {
+			buf.WriteString(termSep)
+		}
+		buf.WriteString(x.String())
+	}
+	return buf.String()
+}
+
+// isEmpty reports whether the termlist xl represents the empty set of types.
+func (xl termlist) isEmpty() bool {
+	// If there's a non-nil term, the entire list is not empty.
+	// If the termlist is in normal form, this requires at most
+	// one iteration.
+	for _, x := range xl {
+		if x != nil {
+			return false
+		}
+	}
+	return true
+}
+
+// isAll reports whether the termlist xl represents the set of all types.
+func (xl termlist) isAll() bool {
+	// If there's a 𝓤 term, the entire list is 𝓤.
+	// If the termlist is in normal form, this requires at most
+	// one iteration.
+	for _, x := range xl {
+		if x != nil && x.typ == nil {
+			return true
+		}
+	}
+	return false
+}
+
+// norm returns the normal form of xl.
+func (xl termlist) norm() termlist {
+	// Quadratic algorithm, but good enough for now.
+	// TODO(gri) fix asymptotic performance
+	used := make([]bool, len(xl))
+	var rl termlist
+	for i, xi := range xl {
+		if xi == nil || used[i] {
+			continue
+		}
+		for j := i + 1; j < len(xl); j++ {
+			xj := xl[j]
+			if xj == nil || used[j] {
+				continue
+			}
+			if u1, u2 := xi.union(xj); u2 == nil {
+				// If we encounter a 𝓤 term, the entire list is 𝓤.
+				// Exit early.
+				// (Note that this is not just an optimization;
+				// if we continue, we may end up with a 𝓤 term
+				// and other terms and the result would not be
+				// in normal form.)
+				if u1.typ == nil {
+					return allTermlist
+				}
+				xi = u1
+				used[j] = true // xj is now unioned into xi - ignore it in future iterations
+			}
+		}
+		rl = append(rl, xi)
+	}
+	return rl
+}
+
+// union returns the union xl ∪ yl.
+func (xl termlist) union(yl termlist) termlist {
+	return append(xl, yl...).norm()
+}
+
+// intersect returns the intersection xl ∩ yl.
+func (xl termlist) intersect(yl termlist) termlist {
+	if xl.isEmpty() || yl.isEmpty() {
+		return nil
+	}
+
+	// Quadratic algorithm, but good enough for now.
+	// TODO(gri) fix asymptotic performance
+	var rl termlist
+	for _, x := range xl {
+		for _, y := range yl {
+			if r := x.intersect(y); r != nil {
+				rl = append(rl, r)
+			}
+		}
+	}
+	return rl.norm()
+}
+
+// equal reports whether xl and yl represent the same type set.
+func (xl termlist) equal(yl termlist) bool {
+	// TODO(gri) this should be more efficient
+	return xl.subsetOf(yl) && yl.subsetOf(xl)
+}
+
+// includes reports whether t ∈ xl.
+func (xl termlist) includes(t types.Type) bool {
+	for _, x := range xl {
+		if x.includes(t) {
+			return true
+		}
+	}
+	return false
+}
+
+// supersetOf reports whether y ⊆ xl.
+func (xl termlist) supersetOf(y *term) bool {
+	for _, x := range xl {
+		if y.subsetOf(x) {
+			return true
+		}
+	}
+	return false
+}
+
+// subsetOf reports whether xl ⊆ yl.
+func (xl termlist) subsetOf(yl termlist) bool {
+	if yl.isEmpty() {
+		return xl.isEmpty()
+	}
+
+	// each term x of xl must be a subset of yl
+	for _, x := range xl {
+		if !yl.supersetOf(x) {
+			return false // x is not a subset yl
+		}
+	}
+	return true
+}
diff --git a/vendor/golang.org/x/tools/internal/typeparams/typeterm.go b/vendor/golang.org/x/tools/internal/typeparams/typeterm.go
new file mode 100644
index 0000000000..fa758cdc98
--- /dev/null
+++ b/vendor/golang.org/x/tools/internal/typeparams/typeterm.go
@@ -0,0 +1,172 @@
+// Code generated by "go test -run=Generate -write=all"; DO NOT EDIT.
+// Source: ../../cmd/compile/internal/types2/typeterm.go
+
+// Copyright 2021 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Code generated by copytermlist.go DO NOT EDIT.
+
+package typeparams
+
+import "go/types"
+
+// A term describes elementary type sets:
+//
+//	 ∅:  (*term)(nil)     == ∅                      // set of no types (empty set)
+//	 𝓤:  &term{}          == 𝓤                      // set of all types (𝓤niverse)
+//	 T:  &term{false, T}  == {T}                    // set of type T
+//	~t:  &term{true, t}   == {t' | under(t') == t}  // set of types with underlying type t
+type term struct {
+	tilde bool // valid if typ != nil
+	typ   types.Type
+}
+
+func (x *term) String() string {
+	switch {
+	case x == nil:
+		return "∅"
+	case x.typ == nil:
+		return "𝓤"
+	case x.tilde:
+		return "~" + x.typ.String()
+	default:
+		return x.typ.String()
+	}
+}
+
+// equal reports whether x and y represent the same type set.
+func (x *term) equal(y *term) bool {
+	// easy cases
+	switch {
+	case x == nil || y == nil:
+		return x == y
+	case x.typ == nil || y.typ == nil:
+		return x.typ == y.typ
+	}
+	// ∅ ⊂ x, y ⊂ 𝓤
+
+	return x.tilde == y.tilde && types.Identical(x.typ, y.typ)
+}
+
+// union returns the union x ∪ y: zero, one, or two non-nil terms.
+func (x *term) union(y *term) (_, _ *term) {
+	// easy cases
+	switch {
+	case x == nil && y == nil:
+		return nil, nil // ∅ ∪ ∅ == ∅
+	case x == nil:
+		return y, nil // ∅ ∪ y == y
+	case y == nil:
+		return x, nil // x ∪ ∅ == x
+	case x.typ == nil:
+		return x, nil // 𝓤 ∪ y == 𝓤
+	case y.typ == nil:
+		return y, nil // x ∪ 𝓤 == 𝓤
+	}
+	// ∅ ⊂ x, y ⊂ 𝓤
+
+	if x.disjoint(y) {
+		return x, y // x ∪ y == (x, y) if x ∩ y == ∅
+	}
+	// x.typ == y.typ
+
+	// ~t ∪ ~t == ~t
+	// ~t ∪  T == ~t
+	//  T ∪ ~t == ~t
+	//  T ∪  T ==  T
+	if x.tilde || !y.tilde {
+		return x, nil
+	}
+	return y, nil
+}
+
+// intersect returns the intersection x ∩ y.
+func (x *term) intersect(y *term) *term {
+	// easy cases
+	switch {
+	case x == nil || y == nil:
+		return nil // ∅ ∩ y == ∅ and ∩ ∅ == ∅
+	case x.typ == nil:
+		return y // 𝓤 ∩ y == y
+	case y.typ == nil:
+		return x // x ∩ 𝓤 == x
+	}
+	// ∅ ⊂ x, y ⊂ 𝓤
+
+	if x.disjoint(y) {
+		return nil // x ∩ y == ∅ if x ∩ y == ∅
+	}
+	// x.typ == y.typ
+
+	// ~t ∩ ~t == ~t
+	// ~t ∩  T ==  T
+	//  T ∩ ~t ==  T
+	//  T ∩  T ==  T
+	if !x.tilde || y.tilde {
+		return x
+	}
+	return y
+}
+
+// includes reports whether t ∈ x.
+func (x *term) includes(t types.Type) bool {
+	// easy cases
+	switch {
+	case x == nil:
+		return false // t ∈ ∅ == false
+	case x.typ == nil:
+		return true // t ∈ 𝓤 == true
+	}
+	// ∅ ⊂ x ⊂ 𝓤
+
+	u := t
+	if x.tilde {
+		u = under(u)
+	}
+	return types.Identical(x.typ, u)
+}
+
+// subsetOf reports whether x ⊆ y.
+func (x *term) subsetOf(y *term) bool {
+	// easy cases
+	switch {
+	case x == nil:
+		return true // ∅ ⊆ y == true
+	case y == nil:
+		return false // x ⊆ ∅ == false since x != ∅
+	case y.typ == nil:
+		return true // x ⊆ 𝓤 == true
+	case x.typ == nil:
+		return false // 𝓤 ⊆ y == false since y != 𝓤
+	}
+	// ∅ ⊂ x, y ⊂ 𝓤
+
+	if x.disjoint(y) {
+		return false // x ⊆ y == false if x ∩ y == ∅
+	}
+	// x.typ == y.typ
+
+	// ~t ⊆ ~t == true
+	// ~t ⊆ T == false
+	//  T ⊆ ~t == true
+	//  T ⊆  T == true
+	return !x.tilde || y.tilde
+}
+
+// disjoint reports whether x ∩ y == ∅.
+// x.typ and y.typ must not be nil.
+func (x *term) disjoint(y *term) bool {
+	if debug && (x.typ == nil || y.typ == nil) {
+		panic("invalid argument(s)")
+	}
+	ux := x.typ
+	if y.tilde {
+		ux = under(ux)
+	}
+	uy := y.typ
+	if x.tilde {
+		uy = under(uy)
+	}
+	return !types.Identical(ux, uy)
+}
diff --git a/vendor/golang.org/x/tools/internal/typesinternal/classify_call.go b/vendor/golang.org/x/tools/internal/typesinternal/classify_call.go
new file mode 100644
index 0000000000..7ebe9768bc
--- /dev/null
+++ b/vendor/golang.org/x/tools/internal/typesinternal/classify_call.go
@@ -0,0 +1,137 @@
+// Copyright 2018 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package typesinternal
+
+import (
+	"fmt"
+	"go/ast"
+	"go/types"
+	_ "unsafe" // for go:linkname hack
+)
+
+// CallKind describes the function position of an [*ast.CallExpr].
+type CallKind int
+
+const (
+	CallStatic     CallKind = iota // static call to known function
+	CallInterface                  // dynamic call through an interface method
+	CallDynamic                    // dynamic call of a func value
+	CallBuiltin                    // call to a builtin function
+	CallConversion                 // a conversion (not a call)
+)
+
+var callKindNames = []string{
+	"CallStatic",
+	"CallInterface",
+	"CallDynamic",
+	"CallBuiltin",
+	"CallConversion",
+}
+
+func (k CallKind) String() string {
+	if i := int(k); i >= 0 && i < len(callKindNames) {
+		return callKindNames[i]
+	}
+	return fmt.Sprintf("typeutil.CallKind(%d)", k)
+}
+
+// ClassifyCall classifies the function position of a call expression ([*ast.CallExpr]).
+// It distinguishes among true function calls, calls to builtins, and type conversions,
+// and further classifies function calls as static calls (where the function is known),
+// dynamic interface calls, and other dynamic calls.
+//
+// For the declarations:
+//
+//	func f() {}
+//	func g[T any]() {}
+//	var v func()
+//	var s []func()
+//	type I interface { M() }
+//	var i I
+//
+// ClassifyCall returns the following:
+//
+//	f()           CallStatic
+//	g[int]()      CallStatic
+//	i.M()         CallInterface
+//	min(1, 2)     CallBuiltin
+//	v()           CallDynamic
+//	s[0]()        CallDynamic
+//	int(x)        CallConversion
+//	[]byte("")    CallConversion
+func ClassifyCall(info *types.Info, call *ast.CallExpr) CallKind {
+	if info.Types == nil {
+		panic("ClassifyCall: info.Types is nil")
+	}
+	tv := info.Types[call.Fun]
+	if tv.IsType() {
+		return CallConversion
+	}
+	if tv.IsBuiltin() {
+		return CallBuiltin
+	}
+	obj := info.Uses[UsedIdent(info, call.Fun)]
+	// Classify the call by the type of the object, if any.
+	switch obj := obj.(type) {
+	case *types.Func:
+		if interfaceMethod(obj) {
+			return CallInterface
+		}
+		return CallStatic
+	default:
+		return CallDynamic
+	}
+}
+
+// UsedIdent returns the identifier such that info.Uses[UsedIdent(info, e)]
+// is the [types.Object] used by e, if any.
+//
+// If e is one of various forms of reference:
+//
+//	f, c, v, T           lexical reference
+//	pkg.X                qualified identifier
+//	f[T] or pkg.F[K,V]   instantiations of the above kinds
+//	expr.f               field or method value selector
+//	T.f                  method expression selector
+//
+// UsedIdent returns the identifier whose is associated value in [types.Info.Uses]
+// is the object to which it refers.
+//
+// For the declarations:
+//
+//	func F[T any] {...}
+//	type I interface { M() }
+//	var (
+//	  x int
+//	  s struct { f  int }
+//	  a []int
+//	  i I
+//	)
+//
+// UsedIdent returns the following:
+//
+//	Expr          UsedIdent
+//	x             x
+//	s.f           f
+//	F[int]        F
+//	i.M           M
+//	I.M           M
+//	min           min
+//	int           int
+//	1             nil
+//	a[0]          nil
+//	[]byte        nil
+//
+// Note: if e is an instantiated function or method, UsedIdent returns
+// the corresponding generic function or method on the generic type.
+func UsedIdent(info *types.Info, e ast.Expr) *ast.Ident {
+	return usedIdent(info, e)
+}
+
+//go:linkname usedIdent golang.org/x/tools/go/types/typeutil.usedIdent
+func usedIdent(info *types.Info, e ast.Expr) *ast.Ident
+
+//go:linkname interfaceMethod golang.org/x/tools/go/types/typeutil.interfaceMethod
+func interfaceMethod(f *types.Func) bool
diff --git a/vendor/golang.org/x/tools/internal/typesinternal/element.go b/vendor/golang.org/x/tools/internal/typesinternal/element.go
new file mode 100644
index 0000000000..5fe4d8abcb
--- /dev/null
+++ b/vendor/golang.org/x/tools/internal/typesinternal/element.go
@@ -0,0 +1,133 @@
+// Copyright 2024 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package typesinternal
+
+import (
+	"fmt"
+	"go/types"
+
+	"golang.org/x/tools/go/types/typeutil"
+)
+
+// ForEachElement calls f for type T and each type reachable from its
+// type through reflection. It does this by recursively stripping off
+// type constructors; in addition, for each named type N, the type *N
+// is added to the result as it may have additional methods.
+//
+// The caller must provide an initially empty set used to de-duplicate
+// identical types, potentially across multiple calls to ForEachElement.
+// (Its final value holds all the elements seen, matching the arguments
+// passed to f.)
+//
+// TODO(adonovan): share/harmonize with go/callgraph/rta.
+func ForEachElement(rtypes *typeutil.Map, msets *typeutil.MethodSetCache, T types.Type, f func(types.Type)) {
+	var visit func(T types.Type, skip bool)
+	visit = func(T types.Type, skip bool) {
+		if !skip {
+			if seen, _ := rtypes.Set(T, true).(bool); seen {
+				return // de-dup
+			}
+
+			f(T) // notify caller of new element type
+		}
+
+		// Recursion over signatures of each method.
+		tmset := msets.MethodSet(T)
+		for method := range tmset.Methods() {
+			sig := method.Type().(*types.Signature)
+			// It is tempting to call visit(sig, false)
+			// but, as noted in golang.org/cl/65450043,
+			// the Signature.Recv field is ignored by
+			// types.Identical and typeutil.Map, which
+			// is confusing at best.
+			//
+			// More importantly, the true signature rtype
+			// reachable from a method using reflection
+			// has no receiver but an extra ordinary parameter.
+			// For the Read method of io.Reader we want:
+			//   func(Reader, []byte) (int, error)
+			// but here sig is:
+			//   func([]byte) (int, error)
+			// with .Recv = Reader (though it is hard to
+			// notice because it doesn't affect Signature.String
+			// or types.Identical).
+			//
+			// TODO(adonovan): construct and visit the correct
+			// non-method signature with an extra parameter
+			// (though since unnamed func types have no methods
+			// there is essentially no actual demand for this).
+			//
+			// TODO(adonovan): document whether or not it is
+			// safe to skip non-exported methods (as RTA does).
+			visit(sig.Params(), true)  // skip the Tuple
+			visit(sig.Results(), true) // skip the Tuple
+		}
+
+		switch T := T.(type) {
+		case *types.Alias:
+			visit(types.Unalias(T), skip) // emulates the pre-Alias behavior
+
+		case *types.Basic:
+			// nop
+
+		case *types.Interface:
+			// nop---handled by recursion over method set.
+
+		case *types.Pointer:
+			visit(T.Elem(), false)
+
+		case *types.Slice:
+			visit(T.Elem(), false)
+
+		case *types.Chan:
+			visit(T.Elem(), false)
+
+		case *types.Map:
+			visit(T.Key(), false)
+			visit(T.Elem(), false)
+
+		case *types.Signature:
+			if T.Recv() != nil {
+				panic(fmt.Sprintf("Signature %s has Recv %s", T, T.Recv()))
+			}
+			visit(T.Params(), true)  // skip the Tuple
+			visit(T.Results(), true) // skip the Tuple
+
+		case *types.Named:
+			// A pointer-to-named type can be derived from a named
+			// type via reflection.  It may have methods too.
+			visit(types.NewPointer(T), false)
+
+			// Consider 'type T struct{S}' where S has methods.
+			// Reflection provides no way to get from T to struct{S},
+			// only to S, so the method set of struct{S} is unwanted,
+			// so set 'skip' flag during recursion.
+			visit(T.Underlying(), true) // skip the unnamed type
+
+		case *types.Array:
+			visit(T.Elem(), false)
+
+		case *types.Struct:
+			for i, n := 0, T.NumFields(); i < n; i++ {
+				// TODO(adonovan): document whether or not
+				// it is safe to skip non-exported fields.
+				visit(T.Field(i).Type(), false)
+			}
+
+		case *types.Tuple:
+			for i, n := 0, T.Len(); i < n; i++ {
+				visit(T.At(i).Type(), false)
+			}
+
+		case *types.TypeParam, *types.Union:
+			// forEachReachable must not be called on parameterized types.
+			panic(T)
+
+		default:
+			panic(T)
+		}
+	}
+	visit(T, false)
+}
diff --git a/vendor/golang.org/x/tools/internal/typesinternal/errorcode.go b/vendor/golang.org/x/tools/internal/typesinternal/errorcode.go
new file mode 100644
index 0000000000..235a6defc4
--- /dev/null
+++ b/vendor/golang.org/x/tools/internal/typesinternal/errorcode.go
@@ -0,0 +1,1560 @@
+// Copyright 2020 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package typesinternal
+
+//go:generate stringer -type=ErrorCode
+
+type ErrorCode int
+
+// This file defines the error codes that can be produced during type-checking.
+// Collectively, these codes provide an identifier that may be used to
+// implement special handling for certain types of errors.
+//
+// Error codes should be fine-grained enough that the exact nature of the error
+// can be easily determined, but coarse enough that they are not an
+// implementation detail of the type checking algorithm. As a rule-of-thumb,
+// errors should be considered equivalent if there is a theoretical refactoring
+// of the type checker in which they are emitted in exactly one place. For
+// example, the type checker emits different error messages for "too many
+// arguments" and "too few arguments", but one can imagine an alternative type
+// checker where this check instead just emits a single "wrong number of
+// arguments", so these errors should have the same code.
+//
+// Error code names should be as brief as possible while retaining accuracy and
+// distinctiveness. In most cases names should start with an adjective
+// describing the nature of the error (e.g. "invalid", "unused", "misplaced"),
+// and end with a noun identifying the relevant language object. For example,
+// "DuplicateDecl" or "InvalidSliceExpr". For brevity, naming follows the
+// convention that "bad" implies a problem with syntax, and "invalid" implies a
+// problem with types.
+
+const (
+	// InvalidSyntaxTree occurs if an invalid syntax tree is provided
+	// to the type checker. It should never happen.
+	InvalidSyntaxTree ErrorCode = -1
+)
+
+const (
+	_ ErrorCode = iota
+
+	// Test is reserved for errors that only apply while in self-test mode.
+	Test
+
+	/* package names */
+
+	// BlankPkgName occurs when a package name is the blank identifier "_".
+	//
+	// Per the spec:
+	//  "The PackageName must not be the blank identifier."
+	BlankPkgName
+
+	// MismatchedPkgName occurs when a file's package name doesn't match the
+	// package name already established by other files.
+	MismatchedPkgName
+
+	// InvalidPkgUse occurs when a package identifier is used outside of a
+	// selector expression.
+	//
+	// Example:
+	//  import "fmt"
+	//
+	//  var _ = fmt
+	InvalidPkgUse
+
+	/* imports */
+
+	// BadImportPath occurs when an import path is not valid.
+	BadImportPath
+
+	// BrokenImport occurs when importing a package fails.
+	//
+	// Example:
+	//  import "amissingpackage"
+	BrokenImport
+
+	// ImportCRenamed occurs when the special import "C" is renamed. "C" is a
+	// pseudo-package, and must not be renamed.
+	//
+	// Example:
+	//  import _ "C"
+	ImportCRenamed
+
+	// UnusedImport occurs when an import is unused.
+	//
+	// Example:
+	//  import "fmt"
+	//
+	//  func main() {}
+	UnusedImport
+
+	/* initialization */
+
+	// InvalidInitCycle occurs when an invalid cycle is detected within the
+	// initialization graph.
+	//
+	// Example:
+	//  var x int = f()
+	//
+	//  func f() int { return x }
+	InvalidInitCycle
+
+	/* decls */
+
+	// DuplicateDecl occurs when an identifier is declared multiple times.
+	//
+	// Example:
+	//  var x = 1
+	//  var x = 2
+	DuplicateDecl
+
+	// InvalidDeclCycle occurs when a declaration cycle is not valid.
+	//
+	// Example:
+	//  import "unsafe"
+	//
+	//  type T struct {
+	//  	a [n]int
+	//  }
+	//
+	//  var n = unsafe.Sizeof(T{})
+	InvalidDeclCycle
+
+	// InvalidTypeCycle occurs when a cycle in type definitions results in a
+	// type that is not well-defined.
+	//
+	// Example:
+	//  import "unsafe"
+	//
+	//  type T [unsafe.Sizeof(T{})]int
+	InvalidTypeCycle
+
+	/* decls > const */
+
+	// InvalidConstInit occurs when a const declaration has a non-constant
+	// initializer.
+	//
+	// Example:
+	//  var x int
+	//  const _ = x
+	InvalidConstInit
+
+	// InvalidConstVal occurs when a const value cannot be converted to its
+	// target type.
+	//
+	// TODO(findleyr): this error code and example are not very clear. Consider
+	// removing it.
+	//
+	// Example:
+	//  const _ = 1 << "hello"
+	InvalidConstVal
+
+	// InvalidConstType occurs when the underlying type in a const declaration
+	// is not a valid constant type.
+	//
+	// Example:
+	//  const c *int = 4
+	InvalidConstType
+
+	/* decls > var (+ other variable assignment codes) */
+
+	// UntypedNilUse occurs when the predeclared (untyped) value nil is used to
+	// initialize a variable declared without an explicit type.
+	//
+	// Example:
+	//  var x = nil
+	UntypedNilUse
+
+	// WrongAssignCount occurs when the number of values on the right-hand side
+	// of an assignment or initialization expression does not match the number
+	// of variables on the left-hand side.
+	//
+	// Example:
+	//  var x = 1, 2
+	WrongAssignCount
+
+	// UnassignableOperand occurs when the left-hand side of an assignment is
+	// not assignable.
+	//
+	// Example:
+	//  func f() {
+	//  	const c = 1
+	//  	c = 2
+	//  }
+	UnassignableOperand
+
+	// NoNewVar occurs when a short variable declaration (':=') does not declare
+	// new variables.
+	//
+	// Example:
+	//  func f() {
+	//  	x := 1
+	//  	x := 2
+	//  }
+	NoNewVar
+
+	// MultiValAssignOp occurs when an assignment operation (+=, *=, etc) does
+	// not have single-valued left-hand or right-hand side.
+	//
+	// Per the spec:
+	//  "In assignment operations, both the left- and right-hand expression lists
+	//  must contain exactly one single-valued expression"
+	//
+	// Example:
+	//  func f() int {
+	//  	x, y := 1, 2
+	//  	x, y += 1
+	//  	return x + y
+	//  }
+	MultiValAssignOp
+
+	// InvalidIfaceAssign occurs when a value of type T is used as an
+	// interface, but T does not implement a method of the expected interface.
+	//
+	// Example:
+	//  type I interface {
+	//  	f()
+	//  }
+	//
+	//  type T int
+	//
+	//  var x I = T(1)
+	InvalidIfaceAssign
+
+	// InvalidChanAssign occurs when a chan assignment is invalid.
+	//
+	// Per the spec, a value x is assignable to a channel type T if:
+	//  "x is a bidirectional channel value, T is a channel type, x's type V and
+	//  T have identical element types, and at least one of V or T is not a
+	//  defined type."
+	//
+	// Example:
+	//  type T1 chan int
+	//  type T2 chan int
+	//
+	//  var x T1
+	//  // Invalid assignment because both types are named
+	//  var _ T2 = x
+	InvalidChanAssign
+
+	// IncompatibleAssign occurs when the type of the right-hand side expression
+	// in an assignment cannot be assigned to the type of the variable being
+	// assigned.
+	//
+	// Example:
+	//  var x []int
+	//  var _ int = x
+	IncompatibleAssign
+
+	// UnaddressableFieldAssign occurs when trying to assign to a struct field
+	// in a map value.
+	//
+	// Example:
+	//  func f() {
+	//  	m := make(map[string]struct{i int})
+	//  	m["foo"].i = 42
+	//  }
+	UnaddressableFieldAssign
+
+	/* decls > type (+ other type expression codes) */
+
+	// NotAType occurs when the identifier used as the underlying type in a type
+	// declaration or the right-hand side of a type alias does not denote a type.
+	//
+	// Example:
+	//  var S = 2
+	//
+	//  type T S
+	NotAType
+
+	// InvalidArrayLen occurs when an array length is not a constant value.
+	//
+	// Example:
+	//  var n = 3
+	//  var _ = [n]int{}
+	InvalidArrayLen
+
+	// BlankIfaceMethod occurs when a method name is '_'.
+	//
+	// Per the spec:
+	//  "The name of each explicitly specified method must be unique and not
+	//  blank."
+	//
+	// Example:
+	//  type T interface {
+	//  	_(int)
+	//  }
+	BlankIfaceMethod
+
+	// IncomparableMapKey occurs when a map key type does not support the == and
+	// != operators.
+	//
+	// Per the spec:
+	//  "The comparison operators == and != must be fully defined for operands of
+	//  the key type; thus the key type must not be a function, map, or slice."
+	//
+	// Example:
+	//  var x map[T]int
+	//
+	//  type T []int
+	IncomparableMapKey
+
+	// InvalidIfaceEmbed occurs when a non-interface type is embedded in an
+	// interface.
+	//
+	// Example:
+	//  type T struct {}
+	//
+	//  func (T) m()
+	//
+	//  type I interface {
+	//  	T
+	//  }
+	InvalidIfaceEmbed
+
+	// InvalidPtrEmbed occurs when an embedded field is of the pointer form *T,
+	// and T itself is itself a pointer, an unsafe.Pointer, or an interface.
+	//
+	// Per the spec:
+	//  "An embedded field must be specified as a type name T or as a pointer to
+	//  a non-interface type name *T, and T itself may not be a pointer type."
+	//
+	// Example:
+	//  type T *int
+	//
+	//  type S struct {
+	//  	*T
+	//  }
+	InvalidPtrEmbed
+
+	/* decls > func and method */
+
+	// BadRecv occurs when a method declaration does not have exactly one
+	// receiver parameter.
+	//
+	// Example:
+	//  func () _() {}
+	BadRecv
+
+	// InvalidRecv occurs when a receiver type expression is not of the form T
+	// or *T, or T is a pointer type.
+	//
+	// Example:
+	//  type T struct {}
+	//
+	//  func (**T) m() {}
+	InvalidRecv
+
+	// DuplicateFieldAndMethod occurs when an identifier appears as both a field
+	// and method name.
+	//
+	// Example:
+	//  type T struct {
+	//  	m int
+	//  }
+	//
+	//  func (T) m() {}
+	DuplicateFieldAndMethod
+
+	// DuplicateMethod occurs when two methods on the same receiver type have
+	// the same name.
+	//
+	// Example:
+	//  type T struct {}
+	//  func (T) m() {}
+	//  func (T) m(i int) int { return i }
+	DuplicateMethod
+
+	/* decls > special */
+
+	// InvalidBlank occurs when a blank identifier is used as a value or type.
+	//
+	// Per the spec:
+	//  "The blank identifier may appear as an operand only on the left-hand side
+	//  of an assignment."
+	//
+	// Example:
+	//  var x = _
+	InvalidBlank
+
+	// InvalidIota occurs when the predeclared identifier iota is used outside
+	// of a constant declaration.
+	//
+	// Example:
+	//  var x = iota
+	InvalidIota
+
+	// MissingInitBody occurs when an init function is missing its body.
+	//
+	// Example:
+	//  func init()
+	MissingInitBody
+
+	// InvalidInitSig occurs when an init function declares parameters or
+	// results.
+	//
+	// Example:
+	//  func init() int { return 1 }
+	InvalidInitSig
+
+	// InvalidInitDecl occurs when init is declared as anything other than a
+	// function.
+	//
+	// Example:
+	//  var init = 1
+	InvalidInitDecl
+
+	// InvalidMainDecl occurs when main is declared as anything other than a
+	// function, in a main package.
+	InvalidMainDecl
+
+	/* exprs */
+
+	// TooManyValues occurs when a function returns too many values for the
+	// expression context in which it is used.
+	//
+	// Example:
+	//  func ReturnTwo() (int, int) {
+	//  	return 1, 2
+	//  }
+	//
+	//  var x = ReturnTwo()
+	TooManyValues
+
+	// NotAnExpr occurs when a type expression is used where a value expression
+	// is expected.
+	//
+	// Example:
+	//  type T struct {}
+	//
+	//  func f() {
+	//  	T
+	//  }
+	NotAnExpr
+
+	/* exprs > const */
+
+	// TruncatedFloat occurs when a float constant is truncated to an integer
+	// value.
+	//
+	// Example:
+	//  var _ int = 98.6
+	TruncatedFloat
+
+	// NumericOverflow occurs when a numeric constant overflows its target type.
+	//
+	// Example:
+	//  var x int8 = 1000
+	NumericOverflow
+
+	/* exprs > operation */
+
+	// UndefinedOp occurs when an operator is not defined for the type(s) used
+	// in an operation.
+	//
+	// Example:
+	//  var c = "a" - "b"
+	UndefinedOp
+
+	// MismatchedTypes occurs when operand types are incompatible in a binary
+	// operation.
+	//
+	// Example:
+	//  var a = "hello"
+	//  var b = 1
+	//  var c = a - b
+	MismatchedTypes
+
+	// DivByZero occurs when a division operation is provable at compile
+	// time to be a division by zero.
+	//
+	// Example:
+	//  const divisor = 0
+	//  var x int = 1/divisor
+	DivByZero
+
+	// NonNumericIncDec occurs when an increment or decrement operator is
+	// applied to a non-numeric value.
+	//
+	// Example:
+	//  func f() {
+	//  	var c = "c"
+	//  	c++
+	//  }
+	NonNumericIncDec
+
+	/* exprs > ptr */
+
+	// UnaddressableOperand occurs when the & operator is applied to an
+	// unaddressable expression.
+	//
+	// Example:
+	//  var x = &1
+	UnaddressableOperand
+
+	// InvalidIndirection occurs when a non-pointer value is indirected via the
+	// '*' operator.
+	//
+	// Example:
+	//  var x int
+	//  var y = *x
+	InvalidIndirection
+
+	/* exprs > [] */
+
+	// NonIndexableOperand occurs when an index operation is applied to a value
+	// that cannot be indexed.
+	//
+	// Example:
+	//  var x = 1
+	//  var y = x[1]
+	NonIndexableOperand
+
+	// InvalidIndex occurs when an index argument is not of integer type,
+	// negative, or out-of-bounds.
+	//
+	// Example:
+	//  var s = [...]int{1,2,3}
+	//  var x = s[5]
+	//
+	// Example:
+	//  var s = []int{1,2,3}
+	//  var _ = s[-1]
+	//
+	// Example:
+	//  var s = []int{1,2,3}
+	//  var i string
+	//  var _ = s[i]
+	InvalidIndex
+
+	// SwappedSliceIndices occurs when constant indices in a slice expression
+	// are decreasing in value.
+	//
+	// Example:
+	//  var _ = []int{1,2,3}[2:1]
+	SwappedSliceIndices
+
+	/* operators > slice */
+
+	// NonSliceableOperand occurs when a slice operation is applied to a value
+	// whose type is not sliceable, or is unaddressable.
+	//
+	// Example:
+	//  var x = [...]int{1, 2, 3}[:1]
+	//
+	// Example:
+	//  var x = 1
+	//  var y = 1[:1]
+	NonSliceableOperand
+
+	// InvalidSliceExpr occurs when a three-index slice expression (a[x:y:z]) is
+	// applied to a string.
+	//
+	// Example:
+	//  var s = "hello"
+	//  var x = s[1:2:3]
+	InvalidSliceExpr
+
+	/* exprs > shift */
+
+	// InvalidShiftCount occurs when the right-hand side of a shift operation is
+	// either non-integer, negative, or too large.
+	//
+	// Example:
+	//  var (
+	//  	x string
+	//  	y int = 1 << x
+	//  )
+	InvalidShiftCount
+
+	// InvalidShiftOperand occurs when the shifted operand is not an integer.
+	//
+	// Example:
+	//  var s = "hello"
+	//  var x = s << 2
+	InvalidShiftOperand
+
+	/* exprs > chan */
+
+	// InvalidReceive occurs when there is a channel receive from a value that
+	// is either not a channel, or is a send-only channel.
+	//
+	// Example:
+	//  func f() {
+	//  	var x = 1
+	//  	<-x
+	//  }
+	InvalidReceive
+
+	// InvalidSend occurs when there is a channel send to a value that is not a
+	// channel, or is a receive-only channel.
+	//
+	// Example:
+	//  func f() {
+	//  	var x = 1
+	//  	x <- "hello!"
+	//  }
+	InvalidSend
+
+	/* exprs > literal */
+
+	// DuplicateLitKey occurs when an index is duplicated in a slice, array, or
+	// map literal.
+	//
+	// Example:
+	//  var _ = []int{0:1, 0:2}
+	//
+	// Example:
+	//  var _ = map[string]int{"a": 1, "a": 2}
+	DuplicateLitKey
+
+	// MissingLitKey occurs when a map literal is missing a key expression.
+	//
+	// Example:
+	//  var _ = map[string]int{1}
+	MissingLitKey
+
+	// InvalidLitIndex occurs when the key in a key-value element of a slice or
+	// array literal is not an integer constant.
+	//
+	// Example:
+	//  var i = 0
+	//  var x = []string{i: "world"}
+	InvalidLitIndex
+
+	// OversizeArrayLit occurs when an array literal exceeds its length.
+	//
+	// Example:
+	//  var _ = [2]int{1,2,3}
+	OversizeArrayLit
+
+	// MixedStructLit occurs when a struct literal contains a mix of positional
+	// and named elements.
+	//
+	// Example:
+	//  var _ = struct{i, j int}{i: 1, 2}
+	MixedStructLit
+
+	// InvalidStructLit occurs when a positional struct literal has an incorrect
+	// number of values.
+	//
+	// Example:
+	//  var _ = struct{i, j int}{1,2,3}
+	InvalidStructLit
+
+	// MissingLitField occurs when a struct literal refers to a field that does
+	// not exist on the struct type.
+	//
+	// Example:
+	//  var _ = struct{i int}{j: 2}
+	MissingLitField
+
+	// DuplicateLitField occurs when a struct literal contains duplicated
+	// fields.
+	//
+	// Example:
+	//  var _ = struct{i int}{i: 1, i: 2}
+	DuplicateLitField
+
+	// UnexportedLitField occurs when a positional struct literal implicitly
+	// assigns an unexported field of an imported type.
+	UnexportedLitField
+
+	// InvalidLitField occurs when a field name is not a valid identifier.
+	//
+	// Example:
+	//  var _ = struct{i int}{1: 1}
+	InvalidLitField
+
+	// UntypedLit occurs when a composite literal omits a required type
+	// identifier.
+	//
+	// Example:
+	//  type outer struct{
+	//  	inner struct { i int }
+	//  }
+	//
+	//  var _ = outer{inner: {1}}
+	UntypedLit
+
+	// InvalidLit occurs when a composite literal expression does not match its
+	// type.
+	//
+	// Example:
+	//  type P *struct{
+	//  	x int
+	//  }
+	//  var _ = P {}
+	InvalidLit
+
+	/* exprs > selector */
+
+	// AmbiguousSelector occurs when a selector is ambiguous.
+	//
+	// Example:
+	//  type E1 struct { i int }
+	//  type E2 struct { i int }
+	//  type T struct { E1; E2 }
+	//
+	//  var x T
+	//  var _ = x.i
+	AmbiguousSelector
+
+	// UndeclaredImportedName occurs when a package-qualified identifier is
+	// undeclared by the imported package.
+	//
+	// Example:
+	//  import "go/types"
+	//
+	//  var _ = types.NotAnActualIdentifier
+	UndeclaredImportedName
+
+	// UnexportedName occurs when a selector refers to an unexported identifier
+	// of an imported package.
+	//
+	// Example:
+	//  import "reflect"
+	//
+	//  type _ reflect.flag
+	UnexportedName
+
+	// UndeclaredName occurs when an identifier is not declared in the current
+	// scope.
+	//
+	// Example:
+	//  var x T
+	UndeclaredName
+
+	// MissingFieldOrMethod occurs when a selector references a field or method
+	// that does not exist.
+	//
+	// Example:
+	//  type T struct {}
+	//
+	//  var x = T{}.f
+	MissingFieldOrMethod
+
+	/* exprs > ... */
+
+	// BadDotDotDotSyntax occurs when a "..." occurs in a context where it is
+	// not valid.
+	//
+	// Example:
+	//  var _ = map[int][...]int{0: {}}
+	BadDotDotDotSyntax
+
+	// NonVariadicDotDotDot occurs when a "..." is used on the final argument to
+	// a non-variadic function.
+	//
+	// Example:
+	//  func printArgs(s []string) {
+	//  	for _, a := range s {
+	//  		println(a)
+	//  	}
+	//  }
+	//
+	//  func f() {
+	//  	s := []string{"a", "b", "c"}
+	//  	printArgs(s...)
+	//  }
+	NonVariadicDotDotDot
+
+	// MisplacedDotDotDot occurs when a "..." is used somewhere other than the
+	// final argument to a function call.
+	//
+	// Example:
+	//  func printArgs(args ...int) {
+	//  	for _, a := range args {
+	//  		println(a)
+	//  	}
+	//  }
+	//
+	//  func f() {
+	//  	a := []int{1,2,3}
+	//  	printArgs(0, a...)
+	//  }
+	MisplacedDotDotDot
+
+	// InvalidDotDotDotOperand occurs when a "..." operator is applied to a
+	// single-valued operand.
+	//
+	// Example:
+	//  func printArgs(args ...int) {
+	//  	for _, a := range args {
+	//  		println(a)
+	//  	}
+	//  }
+	//
+	//  func f() {
+	//  	a := 1
+	//  	printArgs(a...)
+	//  }
+	//
+	// Example:
+	//  func args() (int, int) {
+	//  	return 1, 2
+	//  }
+	//
+	//  func printArgs(args ...int) {
+	//  	for _, a := range args {
+	//  		println(a)
+	//  	}
+	//  }
+	//
+	//  func g() {
+	//  	printArgs(args()...)
+	//  }
+	InvalidDotDotDotOperand
+
+	// InvalidDotDotDot occurs when a "..." is used in a non-variadic built-in
+	// function.
+	//
+	// Example:
+	//  var s = []int{1, 2, 3}
+	//  var l = len(s...)
+	InvalidDotDotDot
+
+	/* exprs > built-in */
+
+	// UncalledBuiltin occurs when a built-in function is used as a
+	// function-valued expression, instead of being called.
+	//
+	// Per the spec:
+	//  "The built-in functions do not have standard Go types, so they can only
+	//  appear in call expressions; they cannot be used as function values."
+	//
+	// Example:
+	//  var _ = copy
+	UncalledBuiltin
+
+	// InvalidAppend occurs when append is called with a first argument that is
+	// not a slice.
+	//
+	// Example:
+	//  var _ = append(1, 2)
+	InvalidAppend
+
+	// InvalidCap occurs when an argument to the cap built-in function is not of
+	// supported type.
+	//
+	// See https://golang.org/ref/spec#Length_and_capacity for information on
+	// which underlying types are supported as arguments to cap and len.
+	//
+	// Example:
+	//  var s = 2
+	//  var x = cap(s)
+	InvalidCap
+
+	// InvalidClose occurs when close(...) is called with an argument that is
+	// not of channel type, or that is a receive-only channel.
+	//
+	// Example:
+	//  func f() {
+	//  	var x int
+	//  	close(x)
+	//  }
+	InvalidClose
+
+	// InvalidCopy occurs when the arguments are not of slice type or do not
+	// have compatible type.
+	//
+	// See https://golang.org/ref/spec#Appending_and_copying_slices for more
+	// information on the type requirements for the copy built-in.
+	//
+	// Example:
+	//  func f() {
+	//  	var x []int
+	//  	y := []int64{1,2,3}
+	//  	copy(x, y)
+	//  }
+	InvalidCopy
+
+	// InvalidComplex occurs when the complex built-in function is called with
+	// arguments with incompatible types.
+	//
+	// Example:
+	//  var _ = complex(float32(1), float64(2))
+	InvalidComplex
+
+	// InvalidDelete occurs when the delete built-in function is called with a
+	// first argument that is not a map.
+	//
+	// Example:
+	//  func f() {
+	//  	m := "hello"
+	//  	delete(m, "e")
+	//  }
+	InvalidDelete
+
+	// InvalidImag occurs when the imag built-in function is called with an
+	// argument that does not have complex type.
+	//
+	// Example:
+	//  var _ = imag(int(1))
+	InvalidImag
+
+	// InvalidLen occurs when an argument to the len built-in function is not of
+	// supported type.
+	//
+	// See https://golang.org/ref/spec#Length_and_capacity for information on
+	// which underlying types are supported as arguments to cap and len.
+	//
+	// Example:
+	//  var s = 2
+	//  var x = len(s)
+	InvalidLen
+
+	// SwappedMakeArgs occurs when make is called with three arguments, and its
+	// length argument is larger than its capacity argument.
+	//
+	// Example:
+	//  var x = make([]int, 3, 2)
+	SwappedMakeArgs
+
+	// InvalidMake occurs when make is called with an unsupported type argument.
+	//
+	// See https://golang.org/ref/spec#Making_slices_maps_and_channels for
+	// information on the types that may be created using make.
+	//
+	// Example:
+	//  var x = make(int)
+	InvalidMake
+
+	// InvalidReal occurs when the real built-in function is called with an
+	// argument that does not have complex type.
+	//
+	// Example:
+	//  var _ = real(int(1))
+	InvalidReal
+
+	/* exprs > assertion */
+
+	// InvalidAssert occurs when a type assertion is applied to a
+	// value that is not of interface type.
+	//
+	// Example:
+	//  var x = 1
+	//  var _ = x.(float64)
+	InvalidAssert
+
+	// ImpossibleAssert occurs for a type assertion x.(T) when the value x of
+	// interface cannot have dynamic type T, due to a missing or mismatching
+	// method on T.
+	//
+	// Example:
+	//  type T int
+	//
+	//  func (t *T) m() int { return int(*t) }
+	//
+	//  type I interface { m() int }
+	//
+	//  var x I
+	//  var _ = x.(T)
+	ImpossibleAssert
+
+	/* exprs > conversion */
+
+	// InvalidConversion occurs when the argument type cannot be converted to the
+	// target.
+	//
+	// See https://golang.org/ref/spec#Conversions for the rules of
+	// convertibility.
+	//
+	// Example:
+	//  var x float64
+	//  var _ = string(x)
+	InvalidConversion
+
+	// InvalidUntypedConversion occurs when there is no valid implicit
+	// conversion from an untyped value satisfying the type constraints of the
+	// context in which it is used.
+	//
+	// Example:
+	//  var _ = 1 + ""
+	InvalidUntypedConversion
+
+	/* offsetof */
+
+	// BadOffsetofSyntax occurs when unsafe.Offsetof is called with an argument
+	// that is not a selector expression.
+	//
+	// Example:
+	//  import "unsafe"
+	//
+	//  var x int
+	//  var _ = unsafe.Offsetof(x)
+	BadOffsetofSyntax
+
+	// InvalidOffsetof occurs when unsafe.Offsetof is called with a method
+	// selector, rather than a field selector, or when the field is embedded via
+	// a pointer.
+	//
+	// Per the spec:
+	//
+	//  "If f is an embedded field, it must be reachable without pointer
+	//  indirections through fields of the struct. "
+	//
+	// Example:
+	//  import "unsafe"
+	//
+	//  type T struct { f int }
+	//  type S struct { *T }
+	//  var s S
+	//  var _ = unsafe.Offsetof(s.f)
+	//
+	// Example:
+	//  import "unsafe"
+	//
+	//  type S struct{}
+	//
+	//  func (S) m() {}
+	//
+	//  var s S
+	//  var _ = unsafe.Offsetof(s.m)
+	InvalidOffsetof
+
+	/* control flow > scope */
+
+	// UnusedExpr occurs when a side-effect free expression is used as a
+	// statement. Such a statement has no effect.
+	//
+	// Example:
+	//  func f(i int) {
+	//  	i*i
+	//  }
+	UnusedExpr
+
+	// UnusedVar occurs when a variable is declared but unused.
+	//
+	// Example:
+	//  func f() {
+	//  	x := 1
+	//  }
+	UnusedVar
+
+	// MissingReturn occurs when a function with results is missing a return
+	// statement.
+	//
+	// Example:
+	//  func f() int {}
+	MissingReturn
+
+	// WrongResultCount occurs when a return statement returns an incorrect
+	// number of values.
+	//
+	// Example:
+	//  func ReturnOne() int {
+	//  	return 1, 2
+	//  }
+	WrongResultCount
+
+	// OutOfScopeResult occurs when the name of a value implicitly returned by
+	// an empty return statement is shadowed in a nested scope.
+	//
+	// Example:
+	//  func factor(n int) (i int) {
+	//  	for i := 2; i < n; i++ {
+	//  		if n%i == 0 {
+	//  			return
+	//  		}
+	//  	}
+	//  	return 0
+	//  }
+	OutOfScopeResult
+
+	/* control flow > if */
+
+	// InvalidCond occurs when an if condition is not a boolean expression.
+	//
+	// Example:
+	//  func checkReturn(i int) {
+	//  	if i {
+	//  		panic("non-zero return")
+	//  	}
+	//  }
+	InvalidCond
+
+	/* control flow > for */
+
+	// InvalidPostDecl occurs when there is a declaration in a for-loop post
+	// statement.
+	//
+	// Example:
+	//  func f() {
+	//  	for i := 0; i < 10; j := 0 {}
+	//  }
+	InvalidPostDecl
+
+	// InvalidChanRange occurs when a send-only channel used in a range
+	// expression.
+	//
+	// Example:
+	//  func sum(c chan<- int) {
+	//  	s := 0
+	//  	for i := range c {
+	//  		s += i
+	//  	}
+	//  }
+	InvalidChanRange
+
+	// InvalidIterVar occurs when two iteration variables are used while ranging
+	// over a channel.
+	//
+	// Example:
+	//  func f(c chan int) {
+	//  	for k, v := range c {
+	//  		println(k, v)
+	//  	}
+	//  }
+	InvalidIterVar
+
+	// InvalidRangeExpr occurs when the type of a range expression is not array,
+	// slice, string, map, or channel.
+	//
+	// Example:
+	//  func f(i int) {
+	//  	for j := range i {
+	//  		println(j)
+	//  	}
+	//  }
+	InvalidRangeExpr
+
+	/* control flow > switch */
+
+	// MisplacedBreak occurs when a break statement is not within a for, switch,
+	// or select statement of the innermost function definition.
+	//
+	// Example:
+	//  func f() {
+	//  	break
+	//  }
+	MisplacedBreak
+
+	// MisplacedContinue occurs when a continue statement is not within a for
+	// loop of the innermost function definition.
+	//
+	// Example:
+	//  func sumeven(n int) int {
+	//  	proceed := func() {
+	//  		continue
+	//  	}
+	//  	sum := 0
+	//  	for i := 1; i <= n; i++ {
+	//  		if i % 2 != 0 {
+	//  			proceed()
+	//  		}
+	//  		sum += i
+	//  	}
+	//  	return sum
+	//  }
+	MisplacedContinue
+
+	// MisplacedFallthrough occurs when a fallthrough statement is not within an
+	// expression switch.
+	//
+	// Example:
+	//  func typename(i interface{}) string {
+	//  	switch i.(type) {
+	//  	case int64:
+	//  		fallthrough
+	//  	case int:
+	//  		return "int"
+	//  	}
+	//  	return "unsupported"
+	//  }
+	MisplacedFallthrough
+
+	// DuplicateCase occurs when a type or expression switch has duplicate
+	// cases.
+	//
+	// Example:
+	//  func printInt(i int) {
+	//  	switch i {
+	//  	case 1:
+	//  		println("one")
+	//  	case 1:
+	//  		println("One")
+	//  	}
+	//  }
+	DuplicateCase
+
+	// DuplicateDefault occurs when a type or expression switch has multiple
+	// default clauses.
+	//
+	// Example:
+	//  func printInt(i int) {
+	//  	switch i {
+	//  	case 1:
+	//  		println("one")
+	//  	default:
+	//  		println("One")
+	//  	default:
+	//  		println("1")
+	//  	}
+	//  }
+	DuplicateDefault
+
+	// BadTypeKeyword occurs when a .(type) expression is used anywhere other
+	// than a type switch.
+	//
+	// Example:
+	//  type I interface {
+	//  	m()
+	//  }
+	//  var t I
+	//  var _ = t.(type)
+	BadTypeKeyword
+
+	// InvalidTypeSwitch occurs when .(type) is used on an expression that is
+	// not of interface type.
+	//
+	// Example:
+	//  func f(i int) {
+	//  	switch x := i.(type) {}
+	//  }
+	InvalidTypeSwitch
+
+	// InvalidExprSwitch occurs when a switch expression is not comparable.
+	//
+	// Example:
+	//  func _() {
+	//  	var a struct{ _ func() }
+	//  	switch a /* ERROR cannot switch on a */ {
+	//  	}
+	//  }
+	InvalidExprSwitch
+
+	/* control flow > select */
+
+	// InvalidSelectCase occurs when a select case is not a channel send or
+	// receive.
+	//
+	// Example:
+	//  func checkChan(c <-chan int) bool {
+	//  	select {
+	//  	case c:
+	//  		return true
+	//  	default:
+	//  		return false
+	//  	}
+	//  }
+	InvalidSelectCase
+
+	/* control flow > labels and jumps */
+
+	// UndeclaredLabel occurs when an undeclared label is jumped to.
+	//
+	// Example:
+	//  func f() {
+	//  	goto L
+	//  }
+	UndeclaredLabel
+
+	// DuplicateLabel occurs when a label is declared more than once.
+	//
+	// Example:
+	//  func f() int {
+	//  L:
+	//  L:
+	//  	return 1
+	//  }
+	DuplicateLabel
+
+	// MisplacedLabel occurs when a break or continue label is not on a for,
+	// switch, or select statement.
+	//
+	// Example:
+	//  func f() {
+	//  L:
+	//  	a := []int{1,2,3}
+	//  	for _, e := range a {
+	//  		if e > 10 {
+	//  			break L
+	//  		}
+	//  		println(a)
+	//  	}
+	//  }
+	MisplacedLabel
+
+	// UnusedLabel occurs when a label is declared but not used.
+	//
+	// Example:
+	//  func f() {
+	//  L:
+	//  }
+	UnusedLabel
+
+	// JumpOverDecl occurs when a label jumps over a variable declaration.
+	//
+	// Example:
+	//  func f() int {
+	//  	goto L
+	//  	x := 2
+	//  L:
+	//  	x++
+	//  	return x
+	//  }
+	JumpOverDecl
+
+	// JumpIntoBlock occurs when a forward jump goes to a label inside a nested
+	// block.
+	//
+	// Example:
+	//  func f(x int) {
+	//  	goto L
+	//  	if x > 0 {
+	//  	L:
+	//  		print("inside block")
+	//  	}
+	// }
+	JumpIntoBlock
+
+	/* control flow > calls */
+
+	// InvalidMethodExpr occurs when a pointer method is called but the argument
+	// is not addressable.
+	//
+	// Example:
+	//  type T struct {}
+	//
+	//  func (*T) m() int { return 1 }
+	//
+	//  var _ = T.m(T{})
+	InvalidMethodExpr
+
+	// WrongArgCount occurs when too few or too many arguments are passed by a
+	// function call.
+	//
+	// Example:
+	//  func f(i int) {}
+	//  var x = f()
+	WrongArgCount
+
+	// InvalidCall occurs when an expression is called that is not of function
+	// type.
+	//
+	// Example:
+	//  var x = "x"
+	//  var y = x()
+	InvalidCall
+
+	/* control flow > suspended */
+
+	// UnusedResults occurs when a restricted expression-only built-in function
+	// is suspended via go or defer. Such a suspension discards the results of
+	// these side-effect free built-in functions, and therefore is ineffectual.
+	//
+	// Example:
+	//  func f(a []int) int {
+	//  	defer len(a)
+	//  	return i
+	//  }
+	UnusedResults
+
+	// InvalidDefer occurs when a deferred expression is not a function call,
+	// for example if the expression is a type conversion.
+	//
+	// Example:
+	//  func f(i int) int {
+	//  	defer int32(i)
+	//  	return i
+	//  }
+	InvalidDefer
+
+	// InvalidGo occurs when a go expression is not a function call, for example
+	// if the expression is a type conversion.
+	//
+	// Example:
+	//  func f(i int) int {
+	//  	go int32(i)
+	//  	return i
+	//  }
+	InvalidGo
+
+	// All codes below were added in Go 1.17.
+
+	/* decl */
+
+	// BadDecl occurs when a declaration has invalid syntax.
+	BadDecl
+
+	// RepeatedDecl occurs when an identifier occurs more than once on the left
+	// hand side of a short variable declaration.
+	//
+	// Example:
+	//  func _() {
+	//  	x, y, y := 1, 2, 3
+	//  }
+	RepeatedDecl
+
+	/* unsafe */
+
+	// InvalidUnsafeAdd occurs when unsafe.Add is called with a
+	// length argument that is not of integer type.
+	//
+	// Example:
+	//  import "unsafe"
+	//
+	//  var p unsafe.Pointer
+	//  var _ = unsafe.Add(p, float64(1))
+	InvalidUnsafeAdd
+
+	// InvalidUnsafeSlice occurs when unsafe.Slice is called with a
+	// pointer argument that is not of pointer type or a length argument
+	// that is not of integer type, negative, or out of bounds.
+	//
+	// Example:
+	//  import "unsafe"
+	//
+	//  var x int
+	//  var _ = unsafe.Slice(x, 1)
+	//
+	// Example:
+	//  import "unsafe"
+	//
+	//  var x int
+	//  var _ = unsafe.Slice(&x, float64(1))
+	//
+	// Example:
+	//  import "unsafe"
+	//
+	//  var x int
+	//  var _ = unsafe.Slice(&x, -1)
+	//
+	// Example:
+	//  import "unsafe"
+	//
+	//  var x int
+	//  var _ = unsafe.Slice(&x, uint64(1) << 63)
+	InvalidUnsafeSlice
+
+	// All codes below were added in Go 1.18.
+
+	/* features */
+
+	// UnsupportedFeature occurs when a language feature is used that is not
+	// supported at this Go version.
+	UnsupportedFeature
+
+	/* type params */
+
+	// NotAGenericType occurs when a non-generic type is used where a generic
+	// type is expected: in type or function instantiation.
+	//
+	// Example:
+	//  type T int
+	//
+	//  var _ T[int]
+	NotAGenericType
+
+	// WrongTypeArgCount occurs when a type or function is instantiated with an
+	// incorrect number of type arguments, including when a generic type or
+	// function is used without instantiation.
+	//
+	// Errors involving failed type inference are assigned other error codes.
+	//
+	// Example:
+	//  type T[p any] int
+	//
+	//  var _ T[int, string]
+	//
+	// Example:
+	//  func f[T any]() {}
+	//
+	//  var x = f
+	WrongTypeArgCount
+
+	// CannotInferTypeArgs occurs when type or function type argument inference
+	// fails to infer all type arguments.
+	//
+	// Example:
+	//  func f[T any]() {}
+	//
+	//  func _() {
+	//  	f()
+	//  }
+	//
+	// Example:
+	//   type N[P, Q any] struct{}
+	//
+	//   var _ N[int]
+	CannotInferTypeArgs
+
+	// InvalidTypeArg occurs when a type argument does not satisfy its
+	// corresponding type parameter constraints.
+	//
+	// Example:
+	//  type T[P ~int] struct{}
+	//
+	//  var _ T[string]
+	InvalidTypeArg // arguments? InferenceFailed
+
+	// InvalidInstanceCycle occurs when an invalid cycle is detected
+	// within the instantiation graph.
+	//
+	// Example:
+	//  func f[T any]() { f[*T]() }
+	InvalidInstanceCycle
+
+	// InvalidUnion occurs when an embedded union or approximation element is
+	// not valid.
+	//
+	// Example:
+	//  type _ interface {
+	//   	~int | interface{ m() }
+	//  }
+	InvalidUnion
+
+	// MisplacedConstraintIface occurs when a constraint-type interface is used
+	// outside of constraint position.
+	//
+	// Example:
+	//   type I interface { ~int }
+	//
+	//   var _ I
+	MisplacedConstraintIface
+
+	// InvalidMethodTypeParams occurs when methods have type parameters.
+	//
+	// It cannot be encountered with an AST parsed using go/parser.
+	InvalidMethodTypeParams
+
+	// MisplacedTypeParam occurs when a type parameter is used in a place where
+	// it is not permitted.
+	//
+	// Example:
+	//  type T[P any] P
+	//
+	// Example:
+	//  type T[P any] struct{ *P }
+	MisplacedTypeParam
+
+	// InvalidUnsafeSliceData occurs when unsafe.SliceData is called with
+	// an argument that is not of slice type. It also occurs if it is used
+	// in a package compiled for a language version before go1.20.
+	//
+	// Example:
+	//  import "unsafe"
+	//
+	//  var x int
+	//  var _ = unsafe.SliceData(x)
+	InvalidUnsafeSliceData
+
+	// InvalidUnsafeString occurs when unsafe.String is called with
+	// a length argument that is not of integer type, negative, or
+	// out of bounds. It also occurs if it is used in a package
+	// compiled for a language version before go1.20.
+	//
+	// Example:
+	//  import "unsafe"
+	//
+	//  var b [10]byte
+	//  var _ = unsafe.String(&b[0], -1)
+	InvalidUnsafeString
+
+	// InvalidUnsafeStringData occurs if it is used in a package
+	// compiled for a language version before go1.20.
+	_ // not used anymore
+
+)
diff --git a/vendor/golang.org/x/tools/internal/typesinternal/errorcode_string.go b/vendor/golang.org/x/tools/internal/typesinternal/errorcode_string.go
new file mode 100644
index 0000000000..15ecf7c5de
--- /dev/null
+++ b/vendor/golang.org/x/tools/internal/typesinternal/errorcode_string.go
@@ -0,0 +1,179 @@
+// Code generated by "stringer -type=ErrorCode"; DO NOT EDIT.
+
+package typesinternal
+
+import "strconv"
+
+func _() {
+	// An "invalid array index" compiler error signifies that the constant values have changed.
+	// Re-run the stringer command to generate them again.
+	var x [1]struct{}
+	_ = x[InvalidSyntaxTree - -1]
+	_ = x[Test-1]
+	_ = x[BlankPkgName-2]
+	_ = x[MismatchedPkgName-3]
+	_ = x[InvalidPkgUse-4]
+	_ = x[BadImportPath-5]
+	_ = x[BrokenImport-6]
+	_ = x[ImportCRenamed-7]
+	_ = x[UnusedImport-8]
+	_ = x[InvalidInitCycle-9]
+	_ = x[DuplicateDecl-10]
+	_ = x[InvalidDeclCycle-11]
+	_ = x[InvalidTypeCycle-12]
+	_ = x[InvalidConstInit-13]
+	_ = x[InvalidConstVal-14]
+	_ = x[InvalidConstType-15]
+	_ = x[UntypedNilUse-16]
+	_ = x[WrongAssignCount-17]
+	_ = x[UnassignableOperand-18]
+	_ = x[NoNewVar-19]
+	_ = x[MultiValAssignOp-20]
+	_ = x[InvalidIfaceAssign-21]
+	_ = x[InvalidChanAssign-22]
+	_ = x[IncompatibleAssign-23]
+	_ = x[UnaddressableFieldAssign-24]
+	_ = x[NotAType-25]
+	_ = x[InvalidArrayLen-26]
+	_ = x[BlankIfaceMethod-27]
+	_ = x[IncomparableMapKey-28]
+	_ = x[InvalidIfaceEmbed-29]
+	_ = x[InvalidPtrEmbed-30]
+	_ = x[BadRecv-31]
+	_ = x[InvalidRecv-32]
+	_ = x[DuplicateFieldAndMethod-33]
+	_ = x[DuplicateMethod-34]
+	_ = x[InvalidBlank-35]
+	_ = x[InvalidIota-36]
+	_ = x[MissingInitBody-37]
+	_ = x[InvalidInitSig-38]
+	_ = x[InvalidInitDecl-39]
+	_ = x[InvalidMainDecl-40]
+	_ = x[TooManyValues-41]
+	_ = x[NotAnExpr-42]
+	_ = x[TruncatedFloat-43]
+	_ = x[NumericOverflow-44]
+	_ = x[UndefinedOp-45]
+	_ = x[MismatchedTypes-46]
+	_ = x[DivByZero-47]
+	_ = x[NonNumericIncDec-48]
+	_ = x[UnaddressableOperand-49]
+	_ = x[InvalidIndirection-50]
+	_ = x[NonIndexableOperand-51]
+	_ = x[InvalidIndex-52]
+	_ = x[SwappedSliceIndices-53]
+	_ = x[NonSliceableOperand-54]
+	_ = x[InvalidSliceExpr-55]
+	_ = x[InvalidShiftCount-56]
+	_ = x[InvalidShiftOperand-57]
+	_ = x[InvalidReceive-58]
+	_ = x[InvalidSend-59]
+	_ = x[DuplicateLitKey-60]
+	_ = x[MissingLitKey-61]
+	_ = x[InvalidLitIndex-62]
+	_ = x[OversizeArrayLit-63]
+	_ = x[MixedStructLit-64]
+	_ = x[InvalidStructLit-65]
+	_ = x[MissingLitField-66]
+	_ = x[DuplicateLitField-67]
+	_ = x[UnexportedLitField-68]
+	_ = x[InvalidLitField-69]
+	_ = x[UntypedLit-70]
+	_ = x[InvalidLit-71]
+	_ = x[AmbiguousSelector-72]
+	_ = x[UndeclaredImportedName-73]
+	_ = x[UnexportedName-74]
+	_ = x[UndeclaredName-75]
+	_ = x[MissingFieldOrMethod-76]
+	_ = x[BadDotDotDotSyntax-77]
+	_ = x[NonVariadicDotDotDot-78]
+	_ = x[MisplacedDotDotDot-79]
+	_ = x[InvalidDotDotDotOperand-80]
+	_ = x[InvalidDotDotDot-81]
+	_ = x[UncalledBuiltin-82]
+	_ = x[InvalidAppend-83]
+	_ = x[InvalidCap-84]
+	_ = x[InvalidClose-85]
+	_ = x[InvalidCopy-86]
+	_ = x[InvalidComplex-87]
+	_ = x[InvalidDelete-88]
+	_ = x[InvalidImag-89]
+	_ = x[InvalidLen-90]
+	_ = x[SwappedMakeArgs-91]
+	_ = x[InvalidMake-92]
+	_ = x[InvalidReal-93]
+	_ = x[InvalidAssert-94]
+	_ = x[ImpossibleAssert-95]
+	_ = x[InvalidConversion-96]
+	_ = x[InvalidUntypedConversion-97]
+	_ = x[BadOffsetofSyntax-98]
+	_ = x[InvalidOffsetof-99]
+	_ = x[UnusedExpr-100]
+	_ = x[UnusedVar-101]
+	_ = x[MissingReturn-102]
+	_ = x[WrongResultCount-103]
+	_ = x[OutOfScopeResult-104]
+	_ = x[InvalidCond-105]
+	_ = x[InvalidPostDecl-106]
+	_ = x[InvalidChanRange-107]
+	_ = x[InvalidIterVar-108]
+	_ = x[InvalidRangeExpr-109]
+	_ = x[MisplacedBreak-110]
+	_ = x[MisplacedContinue-111]
+	_ = x[MisplacedFallthrough-112]
+	_ = x[DuplicateCase-113]
+	_ = x[DuplicateDefault-114]
+	_ = x[BadTypeKeyword-115]
+	_ = x[InvalidTypeSwitch-116]
+	_ = x[InvalidExprSwitch-117]
+	_ = x[InvalidSelectCase-118]
+	_ = x[UndeclaredLabel-119]
+	_ = x[DuplicateLabel-120]
+	_ = x[MisplacedLabel-121]
+	_ = x[UnusedLabel-122]
+	_ = x[JumpOverDecl-123]
+	_ = x[JumpIntoBlock-124]
+	_ = x[InvalidMethodExpr-125]
+	_ = x[WrongArgCount-126]
+	_ = x[InvalidCall-127]
+	_ = x[UnusedResults-128]
+	_ = x[InvalidDefer-129]
+	_ = x[InvalidGo-130]
+	_ = x[BadDecl-131]
+	_ = x[RepeatedDecl-132]
+	_ = x[InvalidUnsafeAdd-133]
+	_ = x[InvalidUnsafeSlice-134]
+	_ = x[UnsupportedFeature-135]
+	_ = x[NotAGenericType-136]
+	_ = x[WrongTypeArgCount-137]
+	_ = x[CannotInferTypeArgs-138]
+	_ = x[InvalidTypeArg-139]
+	_ = x[InvalidInstanceCycle-140]
+	_ = x[InvalidUnion-141]
+	_ = x[MisplacedConstraintIface-142]
+	_ = x[InvalidMethodTypeParams-143]
+	_ = x[MisplacedTypeParam-144]
+	_ = x[InvalidUnsafeSliceData-145]
+	_ = x[InvalidUnsafeString-146]
+}
+
+const (
+	_ErrorCode_name_0 = "InvalidSyntaxTree"
+	_ErrorCode_name_1 = "TestBlankPkgNameMismatchedPkgNameInvalidPkgUseBadImportPathBrokenImportImportCRenamedUnusedImportInvalidInitCycleDuplicateDeclInvalidDeclCycleInvalidTypeCycleInvalidConstInitInvalidConstValInvalidConstTypeUntypedNilUseWrongAssignCountUnassignableOperandNoNewVarMultiValAssignOpInvalidIfaceAssignInvalidChanAssignIncompatibleAssignUnaddressableFieldAssignNotATypeInvalidArrayLenBlankIfaceMethodIncomparableMapKeyInvalidIfaceEmbedInvalidPtrEmbedBadRecvInvalidRecvDuplicateFieldAndMethodDuplicateMethodInvalidBlankInvalidIotaMissingInitBodyInvalidInitSigInvalidInitDeclInvalidMainDeclTooManyValuesNotAnExprTruncatedFloatNumericOverflowUndefinedOpMismatchedTypesDivByZeroNonNumericIncDecUnaddressableOperandInvalidIndirectionNonIndexableOperandInvalidIndexSwappedSliceIndicesNonSliceableOperandInvalidSliceExprInvalidShiftCountInvalidShiftOperandInvalidReceiveInvalidSendDuplicateLitKeyMissingLitKeyInvalidLitIndexOversizeArrayLitMixedStructLitInvalidStructLitMissingLitFieldDuplicateLitFieldUnexportedLitFieldInvalidLitFieldUntypedLitInvalidLitAmbiguousSelectorUndeclaredImportedNameUnexportedNameUndeclaredNameMissingFieldOrMethodBadDotDotDotSyntaxNonVariadicDotDotDotMisplacedDotDotDotInvalidDotDotDotOperandInvalidDotDotDotUncalledBuiltinInvalidAppendInvalidCapInvalidCloseInvalidCopyInvalidComplexInvalidDeleteInvalidImagInvalidLenSwappedMakeArgsInvalidMakeInvalidRealInvalidAssertImpossibleAssertInvalidConversionInvalidUntypedConversionBadOffsetofSyntaxInvalidOffsetofUnusedExprUnusedVarMissingReturnWrongResultCountOutOfScopeResultInvalidCondInvalidPostDeclInvalidChanRangeInvalidIterVarInvalidRangeExprMisplacedBreakMisplacedContinueMisplacedFallthroughDuplicateCaseDuplicateDefaultBadTypeKeywordInvalidTypeSwitchInvalidExprSwitchInvalidSelectCaseUndeclaredLabelDuplicateLabelMisplacedLabelUnusedLabelJumpOverDeclJumpIntoBlockInvalidMethodExprWrongArgCountInvalidCallUnusedResultsInvalidDeferInvalidGoBadDeclRepeatedDeclInvalidUnsafeAddInvalidUnsafeSliceUnsupportedFeatureNotAGenericTypeWrongTypeArgCountCannotInferTypeArgsInvalidTypeArgInvalidInstanceCycleInvalidUnionMisplacedConstraintIfaceInvalidMethodTypeParamsMisplacedTypeParamInvalidUnsafeSliceDataInvalidUnsafeString"
+)
+
+var (
+	_ErrorCode_index_1 = [...]uint16{0, 4, 16, 33, 46, 59, 71, 85, 97, 113, 126, 142, 158, 174, 189, 205, 218, 234, 253, 261, 277, 295, 312, 330, 354, 362, 377, 393, 411, 428, 443, 450, 461, 484, 499, 511, 522, 537, 551, 566, 581, 594, 603, 617, 632, 643, 658, 667, 683, 703, 721, 740, 752, 771, 790, 806, 823, 842, 856, 867, 882, 895, 910, 926, 940, 956, 971, 988, 1006, 1021, 1031, 1041, 1058, 1080, 1094, 1108, 1128, 1146, 1166, 1184, 1207, 1223, 1238, 1251, 1261, 1273, 1284, 1298, 1311, 1322, 1332, 1347, 1358, 1369, 1382, 1398, 1415, 1439, 1456, 1471, 1481, 1490, 1503, 1519, 1535, 1546, 1561, 1577, 1591, 1607, 1621, 1638, 1658, 1671, 1687, 1701, 1718, 1735, 1752, 1767, 1781, 1795, 1806, 1818, 1831, 1848, 1861, 1872, 1885, 1897, 1906, 1913, 1925, 1941, 1959, 1977, 1992, 2009, 2028, 2042, 2062, 2074, 2098, 2121, 2139, 2161, 2180}
+)
+
+func (i ErrorCode) String() string {
+	switch {
+	case i == -1:
+		return _ErrorCode_name_0
+	case 1 <= i && i <= 146:
+		i -= 1
+		return _ErrorCode_name_1[_ErrorCode_index_1[i]:_ErrorCode_index_1[i+1]]
+	default:
+		return "ErrorCode(" + strconv.FormatInt(int64(i), 10) + ")"
+	}
+}
diff --git a/vendor/golang.org/x/tools/internal/typesinternal/fx.go b/vendor/golang.org/x/tools/internal/typesinternal/fx.go
new file mode 100644
index 0000000000..c846a53d5f
--- /dev/null
+++ b/vendor/golang.org/x/tools/internal/typesinternal/fx.go
@@ -0,0 +1,88 @@
+// Copyright 2025 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package typesinternal
+
+import (
+	"go/ast"
+	"go/token"
+	"go/types"
+)
+
+// NoEffects reports whether the expression has no side effects, i.e., it
+// does not modify the memory state. This function is conservative: it may
+// return false even when the expression has no effect.
+func NoEffects(info *types.Info, expr ast.Expr) bool {
+	noEffects := true
+	ast.Inspect(expr, func(n ast.Node) bool {
+		switch v := n.(type) {
+		case nil, *ast.Ident, *ast.BasicLit, *ast.BinaryExpr, *ast.ParenExpr,
+			*ast.SelectorExpr, *ast.IndexExpr, *ast.SliceExpr, *ast.TypeAssertExpr,
+			*ast.StarExpr, *ast.CompositeLit,
+			// non-expressions that may appear within expressions
+			*ast.KeyValueExpr,
+			*ast.FieldList,
+			*ast.Field,
+			*ast.Ellipsis,
+			*ast.IndexListExpr:
+			// No effect.
+
+		case *ast.ArrayType,
+			*ast.StructType,
+			*ast.ChanType,
+			*ast.FuncType,
+			*ast.MapType,
+			*ast.InterfaceType:
+			// Type syntax: no effects, recursively.
+			// Prune descent.
+			return false
+
+		case *ast.UnaryExpr:
+			// Channel send <-ch has effects.
+			if v.Op == token.ARROW {
+				noEffects = false
+			}
+
+		case *ast.CallExpr:
+			// Type conversion has no effects.
+			if !info.Types[v.Fun].IsType() {
+				if CallsPureBuiltin(info, v) {
+					// A call such as len(e) has no effects of its
+					// own, though the subexpression e might.
+				} else {
+					noEffects = false
+				}
+			}
+
+		case *ast.FuncLit:
+			// A FuncLit has no effects, but do not descend into it.
+			return false
+
+		default:
+			// All other expressions have effects
+			noEffects = false
+		}
+
+		return noEffects
+	})
+	return noEffects
+}
+
+// CallsPureBuiltin reports whether call is a call of a built-in
+// function that is a pure computation over its operands (analogous to
+// a + operator). Because it does not depend on program state, it may
+// be evaluated at any point--though not necessarily at multiple
+// points (consider new, make).
+func CallsPureBuiltin(info *types.Info, call *ast.CallExpr) bool {
+	if id, ok := ast.Unparen(call.Fun).(*ast.Ident); ok {
+		if b, ok := info.ObjectOf(id).(*types.Builtin); ok {
+			switch b.Name() {
+			case "len", "cap", "complex", "imag", "real", "make", "new", "max", "min":
+				return true
+			}
+			// Not: append clear close copy delete panic print println recover
+		}
+	}
+	return false
+}
diff --git a/vendor/golang.org/x/tools/internal/typesinternal/isnamed.go b/vendor/golang.org/x/tools/internal/typesinternal/isnamed.go
new file mode 100644
index 0000000000..e0d63c46c6
--- /dev/null
+++ b/vendor/golang.org/x/tools/internal/typesinternal/isnamed.go
@@ -0,0 +1,71 @@
+// Copyright 2025 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package typesinternal
+
+import (
+	"go/types"
+	"slices"
+)
+
+// IsTypeNamed reports whether t is (or is an alias for) a
+// package-level defined type with the given package path and one of
+// the given names. It returns false if t is nil.
+//
+// This function avoids allocating the concatenation of "pkg.Name",
+// which is important for the performance of syntax matching.
+func IsTypeNamed(t types.Type, pkgPath string, names ...string) bool {
+	if named, ok := types.Unalias(t).(*types.Named); ok {
+		tname := named.Obj()
+		return tname != nil &&
+			IsPackageLevel(tname) &&
+			tname.Pkg().Path() == pkgPath &&
+			slices.Contains(names, tname.Name())
+	}
+	return false
+}
+
+// IsPointerToNamed reports whether t is (or is an alias for) a pointer to a
+// package-level defined type with the given package path and one of the given
+// names. It returns false if t is not a pointer type.
+func IsPointerToNamed(t types.Type, pkgPath string, names ...string) bool {
+	r := Unpointer(t)
+	if r == t {
+		return false
+	}
+	return IsTypeNamed(r, pkgPath, names...)
+}
+
+// IsFunctionNamed reports whether obj is a package-level function
+// defined in the given package and has one of the given names.
+// It returns false if obj is nil.
+//
+// This function avoids allocating the concatenation of "pkg.Name",
+// which is important for the performance of syntax matching.
+func IsFunctionNamed(obj types.Object, pkgPath string, names ...string) bool {
+	f, ok := obj.(*types.Func)
+	return ok &&
+		IsPackageLevel(obj) &&
+		f.Pkg().Path() == pkgPath &&
+		f.Signature().Recv() == nil &&
+		slices.Contains(names, f.Name())
+}
+
+// IsMethodNamed reports whether obj is a method defined on a
+// package-level type with the given package and type name, and has
+// one of the given names. It returns false if obj is nil.
+//
+// This function avoids allocating the concatenation of "pkg.TypeName.Name",
+// which is important for the performance of syntax matching.
+func IsMethodNamed(obj types.Object, pkgPath string, typeName string, names ...string) bool {
+	if fn, ok := obj.(*types.Func); ok {
+		if recv := fn.Signature().Recv(); recv != nil {
+			_, T := ReceiverNamed(recv)
+			return T != nil &&
+				IsTypeNamed(T, pkgPath, typeName) &&
+				slices.Contains(names, fn.Name())
+		}
+	}
+	return false
+}
diff --git a/vendor/golang.org/x/tools/internal/typesinternal/qualifier.go b/vendor/golang.org/x/tools/internal/typesinternal/qualifier.go
new file mode 100644
index 0000000000..4e2756fc49
--- /dev/null
+++ b/vendor/golang.org/x/tools/internal/typesinternal/qualifier.go
@@ -0,0 +1,54 @@
+// Copyright 2024 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package typesinternal
+
+import (
+	"go/ast"
+	"go/types"
+	"strconv"
+)
+
+// FileQualifier returns a [types.Qualifier] function that qualifies
+// imported symbols appropriately based on the import environment of a given
+// file.
+// If the same package is imported multiple times, the last appearance is
+// recorded.
+//
+// TODO(adonovan): this function ignores the effect of shadowing. It
+// should accept a [token.Pos] and a [types.Info] and compute only the
+// set of imports that are not shadowed at that point, analogous to
+// [analysis.AddImport]. It could also compute (as a side
+// effect) the set of additional imports required to ensure that there
+// is an accessible import for each necessary package, making it
+// converge even more closely with AddImport.
+func FileQualifier(f *ast.File, pkg *types.Package) types.Qualifier {
+	// Construct mapping of import paths to their defined names.
+	// It is only necessary to look at renaming imports.
+	imports := make(map[string]string)
+	for _, imp := range f.Imports {
+		if imp.Name != nil && imp.Name.Name != "_" {
+			path, _ := strconv.Unquote(imp.Path.Value)
+			imports[path] = imp.Name.Name
+		}
+	}
+
+	// Define qualifier to replace full package paths with names of the imports.
+	return func(p *types.Package) string {
+		if p == nil || p == pkg {
+			return ""
+		}
+
+		if name, ok := imports[p.Path()]; ok {
+			if name == "." {
+				return ""
+			} else {
+				return name
+			}
+		}
+
+		// If there is no local renaming, fall back to the package name.
+		return p.Name()
+	}
+}
diff --git a/vendor/golang.org/x/tools/internal/typesinternal/recv.go b/vendor/golang.org/x/tools/internal/typesinternal/recv.go
new file mode 100644
index 0000000000..8352ea7617
--- /dev/null
+++ b/vendor/golang.org/x/tools/internal/typesinternal/recv.go
@@ -0,0 +1,44 @@
+// Copyright 2024 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package typesinternal
+
+import (
+	"go/types"
+)
+
+// ReceiverNamed returns the named type (if any) associated with the
+// type of recv, which may be of the form N or *N, or aliases thereof.
+// It also reports whether a Pointer was present.
+//
+// The named result may be nil if recv is from a method on an
+// anonymous interface or struct types or in ill-typed code.
+func ReceiverNamed(recv *types.Var) (isPtr bool, named *types.Named) {
+	t := recv.Type()
+	if ptr, ok := types.Unalias(t).(*types.Pointer); ok {
+		isPtr = true
+		t = ptr.Elem()
+	}
+	named, _ = types.Unalias(t).(*types.Named)
+	return
+}
+
+// Unpointer returns T given *T or an alias thereof.
+// For all other types it is the identity function.
+// It does not look at underlying types.
+// The result may be an alias.
+//
+// Use this function to strip off the optional pointer on a receiver
+// in a field or method selection, without losing the named type
+// (which is needed to compute the method set).
+//
+// See also [typeparams.MustDeref], which removes one level of
+// indirection from the type, regardless of named types (analogous to
+// a LOAD instruction).
+func Unpointer(t types.Type) types.Type {
+	if ptr, ok := types.Unalias(t).(*types.Pointer); ok {
+		return ptr.Elem()
+	}
+	return t
+}
diff --git a/vendor/golang.org/x/tools/internal/typesinternal/toonew.go b/vendor/golang.org/x/tools/internal/typesinternal/toonew.go
new file mode 100644
index 0000000000..cc86487eaa
--- /dev/null
+++ b/vendor/golang.org/x/tools/internal/typesinternal/toonew.go
@@ -0,0 +1,89 @@
+// Copyright 2024 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package typesinternal
+
+import (
+	"go/types"
+
+	"golang.org/x/tools/internal/stdlib"
+	"golang.org/x/tools/internal/versions"
+)
+
+// TooNewStdSymbols computes the set of package-level symbols
+// exported by pkg that are not available at the specified version.
+// The result maps each symbol to its minimum version.
+//
+// The pkg is allowed to contain type errors.
+func TooNewStdSymbols(pkg *types.Package, version string) map[types.Object]string {
+	disallowed := make(map[types.Object]string)
+
+	// Pass 1: package-level symbols.
+	symbols := stdlib.PackageSymbols[pkg.Path()]
+	for _, sym := range symbols {
+		symver := sym.Version.String()
+		if versions.Before(version, symver) {
+			switch sym.Kind {
+			case stdlib.Func, stdlib.Var, stdlib.Const, stdlib.Type:
+				disallowed[pkg.Scope().Lookup(sym.Name)] = symver
+			}
+		}
+	}
+
+	// Pass 2: fields and methods.
+	//
+	// We allow fields and methods if their associated type is
+	// disallowed, as otherwise we would report false positives
+	// for compatibility shims. Consider:
+	//
+	//   //go:build go1.22
+	//   type T struct { F std.Real } // correct new API
+	//
+	//   //go:build !go1.22
+	//   type T struct { F fake } // shim
+	//   type fake struct { ... }
+	//   func (fake) M () {}
+	//
+	// These alternative declarations of T use either the std.Real
+	// type, introduced in go1.22, or a fake type, for the field
+	// F. (The fakery could be arbitrarily deep, involving more
+	// nested fields and methods than are shown here.) Clients
+	// that use the compatibility shim T will compile with any
+	// version of go, whether older or newer than go1.22, but only
+	// the newer version will use the std.Real implementation.
+	//
+	// Now consider a reference to method M in new(T).F.M() in a
+	// module that requires a minimum of go1.21. The analysis may
+	// occur using a version of Go higher than 1.21, selecting the
+	// first version of T, so the method M is Real.M. This would
+	// spuriously cause the analyzer to report a reference to a
+	// too-new symbol even though this expression compiles just
+	// fine (with the fake implementation) using go1.21.
+	for _, sym := range symbols {
+		symVersion := sym.Version.String()
+		if !versions.Before(version, symVersion) {
+			continue // allowed
+		}
+
+		var obj types.Object
+		switch sym.Kind {
+		case stdlib.Field:
+			typename, name := sym.SplitField()
+			if t := pkg.Scope().Lookup(typename); t != nil && disallowed[t] == "" {
+				obj, _, _ = types.LookupFieldOrMethod(t.Type(), false, pkg, name)
+			}
+
+		case stdlib.Method:
+			ptr, recvname, name := sym.SplitMethod()
+			if t := pkg.Scope().Lookup(recvname); t != nil && disallowed[t] == "" {
+				obj, _, _ = types.LookupFieldOrMethod(t.Type(), ptr, pkg, name)
+			}
+		}
+		if obj != nil {
+			disallowed[obj] = symVersion
+		}
+	}
+
+	return disallowed
+}
diff --git a/vendor/golang.org/x/tools/internal/typesinternal/types.go b/vendor/golang.org/x/tools/internal/typesinternal/types.go
new file mode 100644
index 0000000000..51001666ef
--- /dev/null
+++ b/vendor/golang.org/x/tools/internal/typesinternal/types.go
@@ -0,0 +1,197 @@
+// Copyright 2020 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package typesinternal provides helpful operators for dealing with
+// go/types:
+//
+//   - operators for querying typed syntax trees (e.g. [Imports], [IsFunctionNamed]);
+//   - functions for converting types to strings or syntax (e.g. [TypeExpr], FileQualifier]);
+//   - helpers for working with the [go/types] API (e.g. [NewTypesInfo]);
+//   - access to internal go/types APIs that are not yet
+//     exported (e.g. [SetUsesCgo], [ErrorCodeStartEnd], [VarKind]); and
+//   - common algorithms related to types (e.g. [TooNewStdSymbols]).
+//
+// See also:
+//   - [golang.org/x/tools/internal/astutil], for operations on untyped syntax;
+//   - [golang.org/x/tools/internal/analysisinernal], for helpers for analyzers;
+//   - [golang.org/x/tools/internal/refactor], for operators to compute text edits.
+package typesinternal
+
+import (
+	"go/ast"
+	"go/token"
+	"go/types"
+	"reflect"
+
+	"golang.org/x/tools/go/ast/inspector"
+	"golang.org/x/tools/internal/aliases"
+)
+
+func SetUsesCgo(conf *types.Config) bool {
+	v := reflect.ValueOf(conf).Elem()
+
+	f := v.FieldByName("go115UsesCgo")
+	if !f.IsValid() {
+		f = v.FieldByName("UsesCgo")
+		if !f.IsValid() {
+			return false
+		}
+	}
+
+	*(*bool)(f.Addr().UnsafePointer()) = true
+
+	return true
+}
+
+// ErrorCodeStartEnd extracts additional information from types.Error values
+// generated by Go version 1.16 and later: the error code, start position, and
+// end position. If all positions are valid, start <= err.Pos <= end.
+//
+// If the data could not be read, the final result parameter will be false.
+//
+// TODO(adonovan): eliminate start/end when proposal #71803 is accepted.
+func ErrorCodeStartEnd(err types.Error) (code ErrorCode, start, end token.Pos, ok bool) {
+	var data [3]int
+	// By coincidence all of these fields are ints, which simplifies things.
+	v := reflect.ValueOf(err)
+	for i, name := range []string{"go116code", "go116start", "go116end"} {
+		f := v.FieldByName(name)
+		if !f.IsValid() {
+			return 0, 0, 0, false
+		}
+		data[i] = int(f.Int())
+	}
+	return ErrorCode(data[0]), token.Pos(data[1]), token.Pos(data[2]), true
+}
+
+// NameRelativeTo returns a types.Qualifier that qualifies members of
+// all packages other than pkg, using only the package name.
+// (By contrast, [types.RelativeTo] uses the complete package path,
+// which is often excessive.)
+//
+// If pkg is nil, it is equivalent to [*types.Package.Name].
+//
+// TODO(adonovan): all uses of this with TypeString should be
+// eliminated when https://go.dev/issues/75604 is resolved.
+func NameRelativeTo(pkg *types.Package) types.Qualifier {
+	return func(other *types.Package) string {
+		if pkg != nil && pkg == other {
+			return "" // same package; unqualified
+		}
+		return other.Name()
+	}
+}
+
+// TypeNameFor returns the type name symbol for the specified type, if
+// it is a [*types.Alias], [*types.Named], [*types.TypeParam], or a
+// [*types.Basic] representing a type.
+//
+// For all other types, and for Basic types representing a builtin,
+// constant, or nil, it returns nil. Be careful not to convert the
+// resulting nil pointer to a [types.Object]!
+//
+// If t is the type of a constant, it may be an "untyped" type, which
+// has no TypeName. To access the name of such types (e.g. "untyped
+// int"), use [types.Basic.Name].
+func TypeNameFor(t types.Type) *types.TypeName {
+	switch t := t.(type) {
+	case *types.Alias:
+		return t.Obj()
+	case *types.Named:
+		return t.Obj()
+	case *types.TypeParam:
+		return t.Obj()
+	case *types.Basic:
+		// See issues #71886 and #66890 for some history.
+		if tname, ok := types.Universe.Lookup(t.Name()).(*types.TypeName); ok {
+			return tname
+		}
+	}
+	return nil
+}
+
+// A NamedOrAlias is a [types.Type] that is named (as
+// defined by the spec) and capable of bearing type parameters: it
+// abstracts aliases ([types.Alias]) and defined types
+// ([types.Named]).
+//
+// Every type declared by an explicit "type" declaration is a
+// NamedOrAlias. (Built-in type symbols may additionally
+// have type [types.Basic], which is not a NamedOrAlias,
+// though the spec regards them as "named"; see [TypeNameFor].)
+//
+// NamedOrAlias cannot expose the Origin method, because
+// [types.Alias.Origin] and [types.Named.Origin] have different
+// (covariant) result types; use [Origin] instead.
+type NamedOrAlias interface {
+	types.Type
+	Obj() *types.TypeName
+	TypeArgs() *types.TypeList
+	TypeParams() *types.TypeParamList
+	SetTypeParams(tparams []*types.TypeParam)
+}
+
+var (
+	_ NamedOrAlias = (*types.Alias)(nil)
+	_ NamedOrAlias = (*types.Named)(nil)
+)
+
+// Origin returns the generic type of the Named or Alias type t if it
+// is instantiated, otherwise it returns t.
+func Origin(t NamedOrAlias) NamedOrAlias {
+	switch t := t.(type) {
+	case *types.Alias:
+		return aliases.Origin(t)
+	case *types.Named:
+		return t.Origin()
+	}
+	return t
+}
+
+// IsPackageLevel reports whether obj is a package-level symbol.
+func IsPackageLevel(obj types.Object) bool {
+	return obj.Pkg() != nil && obj.Parent() == obj.Pkg().Scope()
+}
+
+// NewTypesInfo returns a *types.Info with all maps populated.
+func NewTypesInfo() *types.Info {
+	return &types.Info{
+		Types:        map[ast.Expr]types.TypeAndValue{},
+		Instances:    map[*ast.Ident]types.Instance{},
+		Defs:         map[*ast.Ident]types.Object{},
+		Uses:         map[*ast.Ident]types.Object{},
+		Implicits:    map[ast.Node]types.Object{},
+		Selections:   map[*ast.SelectorExpr]*types.Selection{},
+		Scopes:       map[ast.Node]*types.Scope{},
+		FileVersions: map[*ast.File]string{},
+	}
+}
+
+// EnclosingScope returns the innermost block logically enclosing the cursor.
+func EnclosingScope(info *types.Info, cur inspector.Cursor) *types.Scope {
+	for cur := range cur.Enclosing() {
+		n := cur.Node()
+		// A function's Scope is associated with its FuncType.
+		switch f := n.(type) {
+		case *ast.FuncDecl:
+			n = f.Type
+		case *ast.FuncLit:
+			n = f.Type
+		}
+		if b := info.Scopes[n]; b != nil {
+			return b
+		}
+	}
+	panic("no Scope for *ast.File")
+}
+
+// Imports reports whether path is imported by pkg.
+func Imports(pkg *types.Package, path string) bool {
+	for _, imp := range pkg.Imports() {
+		if imp.Path() == path {
+			return true
+		}
+	}
+	return false
+}
diff --git a/vendor/golang.org/x/tools/internal/typesinternal/varkind.go b/vendor/golang.org/x/tools/internal/typesinternal/varkind.go
new file mode 100644
index 0000000000..26499cdd2e
--- /dev/null
+++ b/vendor/golang.org/x/tools/internal/typesinternal/varkind.go
@@ -0,0 +1,23 @@
+// Copyright 2024 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build go1.25
+
+package typesinternal
+
+import "go/types"
+
+type VarKind = types.VarKind
+
+const (
+	PackageVar = types.PackageVar
+	LocalVar   = types.LocalVar
+	RecvVar    = types.RecvVar
+	ParamVar   = types.ParamVar
+	ResultVar  = types.ResultVar
+	FieldVar   = types.FieldVar
+)
+
+func GetVarKind(v *types.Var) VarKind       { return v.Kind() }
+func SetVarKind(v *types.Var, kind VarKind) { v.SetKind(kind) }
diff --git a/vendor/golang.org/x/tools/internal/typesinternal/varkind_go124.go b/vendor/golang.org/x/tools/internal/typesinternal/varkind_go124.go
new file mode 100644
index 0000000000..17b1804b4e
--- /dev/null
+++ b/vendor/golang.org/x/tools/internal/typesinternal/varkind_go124.go
@@ -0,0 +1,39 @@
+// Copyright 2024 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build !go1.25
+
+package typesinternal
+
+import "go/types"
+
+type VarKind uint8
+
+const (
+	_          VarKind = iota // (not meaningful)
+	PackageVar                // a package-level variable
+	LocalVar                  // a local variable
+	RecvVar                   // a method receiver variable
+	ParamVar                  // a function parameter variable
+	ResultVar                 // a function result variable
+	FieldVar                  // a struct field
+)
+
+func (kind VarKind) String() string {
+	return [...]string{
+		0:          "VarKind(0)",
+		PackageVar: "PackageVar",
+		LocalVar:   "LocalVar",
+		RecvVar:    "RecvVar",
+		ParamVar:   "ParamVar",
+		ResultVar:  "ResultVar",
+		FieldVar:   "FieldVar",
+	}[kind]
+}
+
+// GetVarKind returns an invalid VarKind.
+func GetVarKind(v *types.Var) VarKind { return 0 }
+
+// SetVarKind has no effect.
+func SetVarKind(v *types.Var, kind VarKind) {}
diff --git a/vendor/golang.org/x/tools/internal/typesinternal/zerovalue.go b/vendor/golang.org/x/tools/internal/typesinternal/zerovalue.go
new file mode 100644
index 0000000000..d612a71029
--- /dev/null
+++ b/vendor/golang.org/x/tools/internal/typesinternal/zerovalue.go
@@ -0,0 +1,381 @@
+// Copyright 2024 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package typesinternal
+
+import (
+	"fmt"
+	"go/ast"
+	"go/token"
+	"go/types"
+	"strings"
+)
+
+// ZeroString returns the string representation of the zero value for any type t.
+// The boolean result indicates whether the type is or contains an invalid type
+// or a non-basic (constraint) interface type.
+//
+// Even for invalid input types, ZeroString may return a partially correct
+// string representation. The caller should use the returned isValid boolean
+// to determine the validity of the expression.
+//
+// When assigning to a wider type (such as 'any'), it's the caller's
+// responsibility to handle any necessary type conversions.
+//
+// This string can be used on the right-hand side of an assignment where the
+// left-hand side has that explicit type.
+// References to named types are qualified by an appropriate (optional)
+// qualifier function.
+// Exception: This does not apply to tuples. Their string representation is
+// informational only and cannot be used in an assignment.
+//
+// See [ZeroExpr] for a variant that returns an [ast.Expr].
+func ZeroString(t types.Type, qual types.Qualifier) (_ string, isValid bool) {
+	switch t := t.(type) {
+	case *types.Basic:
+		switch {
+		case t.Info()&types.IsBoolean != 0:
+			return "false", true
+		case t.Info()&types.IsNumeric != 0:
+			return "0", true
+		case t.Info()&types.IsString != 0:
+			return `""`, true
+		case t.Kind() == types.UnsafePointer:
+			fallthrough
+		case t.Kind() == types.UntypedNil:
+			return "nil", true
+		case t.Kind() == types.Invalid:
+			return "invalid", false
+		default:
+			panic(fmt.Sprintf("ZeroString for unexpected type %v", t))
+		}
+
+	case *types.Pointer, *types.Slice, *types.Chan, *types.Map, *types.Signature:
+		return "nil", true
+
+	case *types.Interface:
+		if !t.IsMethodSet() {
+			return "invalid", false
+		}
+		return "nil", true
+
+	case *types.Named:
+		switch under := t.Underlying().(type) {
+		case *types.Struct, *types.Array:
+			return types.TypeString(t, qual) + "{}", true
+		default:
+			return ZeroString(under, qual)
+		}
+
+	case *types.Alias:
+		switch t.Underlying().(type) {
+		case *types.Struct, *types.Array:
+			return types.TypeString(t, qual) + "{}", true
+		default:
+			// A type parameter can have alias but alias type's underlying type
+			// can never be a type parameter.
+			// Use types.Unalias to preserve the info of type parameter instead
+			// of call Underlying() going right through and get the underlying
+			// type of the type parameter which is always an interface.
+			return ZeroString(types.Unalias(t), qual)
+		}
+
+	case *types.Array, *types.Struct:
+		return types.TypeString(t, qual) + "{}", true
+
+	case *types.TypeParam:
+		// Assumes func new is not shadowed.
+		return "*new(" + types.TypeString(t, qual) + ")", true
+
+	case *types.Tuple:
+		// Tuples are not normal values.
+		// We are currently format as "(t[0], ..., t[n])". Could be something else.
+		isValid := true
+		components := make([]string, t.Len())
+		for i := 0; i < t.Len(); i++ {
+			comp, ok := ZeroString(t.At(i).Type(), qual)
+
+			components[i] = comp
+			isValid = isValid && ok
+		}
+		return "(" + strings.Join(components, ", ") + ")", isValid
+
+	case *types.Union:
+		// Variables of these types cannot be created, so it makes
+		// no sense to ask for their zero value.
+		panic(fmt.Sprintf("invalid type for a variable: %v", t))
+
+	default:
+		panic(t) // unreachable.
+	}
+}
+
+// ZeroExpr returns the ast.Expr representation of the zero value for any type t.
+// The boolean result indicates whether the type is or contains an invalid type
+// or a non-basic (constraint) interface type.
+//
+// Even for invalid input types, ZeroExpr may return a partially correct ast.Expr
+// representation. The caller should use the returned isValid boolean to determine
+// the validity of the expression.
+//
+// This function is designed for types suitable for variables and should not be
+// used with Tuple or Union types.References to named types are qualified by an
+// appropriate (optional) qualifier function.
+//
+// See [ZeroString] for a variant that returns a string.
+func ZeroExpr(t types.Type, qual types.Qualifier) (_ ast.Expr, isValid bool) {
+	switch t := t.(type) {
+	case *types.Basic:
+		switch {
+		case t.Info()&types.IsBoolean != 0:
+			return &ast.Ident{Name: "false"}, true
+		case t.Info()&types.IsNumeric != 0:
+			return &ast.BasicLit{Kind: token.INT, Value: "0"}, true
+		case t.Info()&types.IsString != 0:
+			return &ast.BasicLit{Kind: token.STRING, Value: `""`}, true
+		case t.Kind() == types.UnsafePointer:
+			fallthrough
+		case t.Kind() == types.UntypedNil:
+			return ast.NewIdent("nil"), true
+		case t.Kind() == types.Invalid:
+			return &ast.BasicLit{Kind: token.STRING, Value: `"invalid"`}, false
+		default:
+			panic(fmt.Sprintf("ZeroExpr for unexpected type %v", t))
+		}
+
+	case *types.Pointer, *types.Slice, *types.Chan, *types.Map, *types.Signature:
+		return ast.NewIdent("nil"), true
+
+	case *types.Interface:
+		if !t.IsMethodSet() {
+			return &ast.BasicLit{Kind: token.STRING, Value: `"invalid"`}, false
+		}
+		return ast.NewIdent("nil"), true
+
+	case *types.Named:
+		switch under := t.Underlying().(type) {
+		case *types.Struct, *types.Array:
+			return &ast.CompositeLit{
+				Type: TypeExpr(t, qual),
+			}, true
+		default:
+			return ZeroExpr(under, qual)
+		}
+
+	case *types.Alias:
+		switch t.Underlying().(type) {
+		case *types.Struct, *types.Array:
+			return &ast.CompositeLit{
+				Type: TypeExpr(t, qual),
+			}, true
+		default:
+			return ZeroExpr(types.Unalias(t), qual)
+		}
+
+	case *types.Array, *types.Struct:
+		return &ast.CompositeLit{
+			Type: TypeExpr(t, qual),
+		}, true
+
+	case *types.TypeParam:
+		return &ast.StarExpr{ // *new(T)
+			X: &ast.CallExpr{
+				// Assumes func new is not shadowed.
+				Fun: ast.NewIdent("new"),
+				Args: []ast.Expr{
+					ast.NewIdent(t.Obj().Name()),
+				},
+			},
+		}, true
+
+	case *types.Tuple:
+		// Unlike ZeroString, there is no ast.Expr can express tuple by
+		// "(t[0], ..., t[n])".
+		panic(fmt.Sprintf("invalid type for a variable: %v", t))
+
+	case *types.Union:
+		// Variables of these types cannot be created, so it makes
+		// no sense to ask for their zero value.
+		panic(fmt.Sprintf("invalid type for a variable: %v", t))
+
+	default:
+		panic(t) // unreachable.
+	}
+}
+
+// TypeExpr returns syntax for the specified type. References to named types
+// are qualified by an appropriate (optional) qualifier function.
+// It may panic for types such as Tuple or Union.
+//
+// See also https://go.dev/issues/75604, which will provide a robust
+// Type-to-valid-Go-syntax formatter.
+func TypeExpr(t types.Type, qual types.Qualifier) ast.Expr {
+	switch t := t.(type) {
+	case *types.Basic:
+		switch t.Kind() {
+		case types.UnsafePointer:
+			return &ast.SelectorExpr{X: ast.NewIdent(qual(types.NewPackage("unsafe", "unsafe"))), Sel: ast.NewIdent("Pointer")}
+		default:
+			return ast.NewIdent(t.Name())
+		}
+
+	case *types.Pointer:
+		return &ast.UnaryExpr{
+			Op: token.MUL,
+			X:  TypeExpr(t.Elem(), qual),
+		}
+
+	case *types.Array:
+		return &ast.ArrayType{
+			Len: &ast.BasicLit{
+				Kind:  token.INT,
+				Value: fmt.Sprintf("%d", t.Len()),
+			},
+			Elt: TypeExpr(t.Elem(), qual),
+		}
+
+	case *types.Slice:
+		return &ast.ArrayType{
+			Elt: TypeExpr(t.Elem(), qual),
+		}
+
+	case *types.Map:
+		return &ast.MapType{
+			Key:   TypeExpr(t.Key(), qual),
+			Value: TypeExpr(t.Elem(), qual),
+		}
+
+	case *types.Chan:
+		dir := ast.ChanDir(t.Dir())
+		if t.Dir() == types.SendRecv {
+			dir = ast.SEND | ast.RECV
+		}
+		return &ast.ChanType{
+			Dir:   dir,
+			Value: TypeExpr(t.Elem(), qual),
+		}
+
+	case *types.Signature:
+		var params []*ast.Field
+		for v := range t.Params().Variables() {
+			params = append(params, &ast.Field{
+				Type: TypeExpr(v.Type(), qual),
+				Names: []*ast.Ident{
+					{
+						Name: v.Name(),
+					},
+				},
+			})
+		}
+		if t.Variadic() {
+			last := params[len(params)-1]
+			last.Type = &ast.Ellipsis{Elt: last.Type.(*ast.ArrayType).Elt}
+		}
+		var returns []*ast.Field
+		for v := range t.Results().Variables() {
+			returns = append(returns, &ast.Field{
+				Type: TypeExpr(v.Type(), qual),
+			})
+		}
+		return &ast.FuncType{
+			Params: &ast.FieldList{
+				List: params,
+			},
+			Results: &ast.FieldList{
+				List: returns,
+			},
+		}
+
+	case *types.TypeParam:
+		pkgName := qual(t.Obj().Pkg())
+		if pkgName == "" || t.Obj().Pkg() == nil {
+			return ast.NewIdent(t.Obj().Name())
+		}
+		return &ast.SelectorExpr{
+			X:   ast.NewIdent(pkgName),
+			Sel: ast.NewIdent(t.Obj().Name()),
+		}
+
+	// types.TypeParam also implements interface NamedOrAlias. To differentiate,
+	// case TypeParam need to be present before case NamedOrAlias.
+	// TODO(hxjiang): remove this comment once TypeArgs() is added to interface
+	// NamedOrAlias.
+	case NamedOrAlias:
+		var expr ast.Expr = ast.NewIdent(t.Obj().Name())
+		if pkgName := qual(t.Obj().Pkg()); pkgName != "." && pkgName != "" {
+			expr = &ast.SelectorExpr{
+				X:   ast.NewIdent(pkgName),
+				Sel: expr.(*ast.Ident),
+			}
+		}
+
+		// TODO(hxjiang): call t.TypeArgs after adding method TypeArgs() to
+		// typesinternal.NamedOrAlias.
+		if hasTypeArgs, ok := t.(interface{ TypeArgs() *types.TypeList }); ok {
+			if typeArgs := hasTypeArgs.TypeArgs(); typeArgs != nil && typeArgs.Len() > 0 {
+				var indices []ast.Expr
+				for t0 := range typeArgs.Types() {
+					indices = append(indices, TypeExpr(t0, qual))
+				}
+				expr = &ast.IndexListExpr{
+					X:       expr,
+					Indices: indices,
+				}
+			}
+		}
+
+		return expr
+
+	case *types.Struct:
+		return ast.NewIdent(t.String())
+
+	case *types.Interface:
+		return ast.NewIdent(t.String())
+
+	case *types.Union:
+		if t.Len() == 0 {
+			panic("Union type should have at least one term")
+		}
+		// Same as go/ast, the return expression will put last term in the
+		// Y field at topmost level of BinaryExpr.
+		// For union of type "float32 | float64 | int64", the structure looks
+		// similar to:
+		// {
+		// 	X: {
+		// 		X: float32,
+		// 		Op: |
+		// 		Y: float64,
+		// 	}
+		// 	Op: |,
+		// 	Y: int64,
+		// }
+		var union ast.Expr
+		for i := range t.Len() {
+			term := t.Term(i)
+			termExpr := TypeExpr(term.Type(), qual)
+			if term.Tilde() {
+				termExpr = &ast.UnaryExpr{
+					Op: token.TILDE,
+					X:  termExpr,
+				}
+			}
+			if i == 0 {
+				union = termExpr
+			} else {
+				union = &ast.BinaryExpr{
+					X:  union,
+					Op: token.OR,
+					Y:  termExpr,
+				}
+			}
+		}
+		return union
+
+	case *types.Tuple:
+		panic("invalid input type types.Tuple")
+
+	default:
+		panic("unreachable")
+	}
+}
diff --git a/vendor/golang.org/x/tools/internal/versions/features.go b/vendor/golang.org/x/tools/internal/versions/features.go
new file mode 100644
index 0000000000..cdd36c388a
--- /dev/null
+++ b/vendor/golang.org/x/tools/internal/versions/features.go
@@ -0,0 +1,48 @@
+// Copyright 2023 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package versions
+
+// This file contains predicates for working with file versions to
+// decide when a tool should consider a language feature enabled.
+
+// named constants, to avoid misspelling
+const (
+	Go1_17 = "go1.17"
+	Go1_18 = "go1.18"
+	Go1_19 = "go1.19"
+	Go1_20 = "go1.20"
+	Go1_21 = "go1.21"
+	Go1_22 = "go1.22"
+	Go1_23 = "go1.23"
+	Go1_24 = "go1.24"
+	Go1_25 = "go1.25"
+	Go1_26 = "go1.26"
+)
+
+// Future is an invalid unknown Go version sometime in the future.
+// Do not use directly with Compare.
+const Future = ""
+
+// AtLeast reports whether the file version v comes after a Go release.
+//
+// Use this predicate to enable a behavior once a certain Go release
+// has happened (and stays enabled in the future).
+func AtLeast(v, release string) bool {
+	if v == Future {
+		return true // an unknown future version is always after y.
+	}
+	return Compare(Lang(v), Lang(release)) >= 0
+}
+
+// Before reports whether the file version v is strictly before a Go release.
+//
+// Use this predicate to disable a behavior once a certain Go release
+// has happened (and stays enabled in the future).
+func Before(v, release string) bool {
+	if v == Future {
+		return false // an unknown future version happens after y.
+	}
+	return Compare(Lang(v), Lang(release)) < 0
+}
diff --git a/vendor/golang.org/x/tools/internal/versions/gover.go b/vendor/golang.org/x/tools/internal/versions/gover.go
new file mode 100644
index 0000000000..bbabcd22e9
--- /dev/null
+++ b/vendor/golang.org/x/tools/internal/versions/gover.go
@@ -0,0 +1,172 @@
+// Copyright 2023 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// This is a fork of internal/gover for use by x/tools until
+// go1.21 and earlier are no longer supported by x/tools.
+
+package versions
+
+import "strings"
+
+// A gover is a parsed Go gover: major[.Minor[.Patch]][kind[pre]]
+// The numbers are the original decimal strings to avoid integer overflows
+// and since there is very little actual math. (Probably overflow doesn't matter in practice,
+// but at the time this code was written, there was an existing test that used
+// go1.99999999999, which does not fit in an int on 32-bit platforms.
+// The "big decimal" representation avoids the problem entirely.)
+type gover struct {
+	major string // decimal
+	minor string // decimal or ""
+	patch string // decimal or ""
+	kind  string // "", "alpha", "beta", "rc"
+	pre   string // decimal or ""
+}
+
+// compare returns -1, 0, or +1 depending on whether
+// x < y, x == y, or x > y, interpreted as toolchain versions.
+// The versions x and y must not begin with a "go" prefix: just "1.21" not "go1.21".
+// Malformed versions compare less than well-formed versions and equal to each other.
+// The language version "1.21" compares less than the release candidate and eventual releases "1.21rc1" and "1.21.0".
+func compare(x, y string) int {
+	vx := parse(x)
+	vy := parse(y)
+
+	if c := cmpInt(vx.major, vy.major); c != 0 {
+		return c
+	}
+	if c := cmpInt(vx.minor, vy.minor); c != 0 {
+		return c
+	}
+	if c := cmpInt(vx.patch, vy.patch); c != 0 {
+		return c
+	}
+	if c := strings.Compare(vx.kind, vy.kind); c != 0 { // "" < alpha < beta < rc
+		return c
+	}
+	if c := cmpInt(vx.pre, vy.pre); c != 0 {
+		return c
+	}
+	return 0
+}
+
+// lang returns the Go language version. For example, lang("1.2.3") == "1.2".
+func lang(x string) string {
+	v := parse(x)
+	if v.minor == "" || v.major == "1" && v.minor == "0" {
+		return v.major
+	}
+	return v.major + "." + v.minor
+}
+
+// isValid reports whether the version x is valid.
+func isValid(x string) bool {
+	return parse(x) != gover{}
+}
+
+// parse parses the Go version string x into a version.
+// It returns the zero version if x is malformed.
+func parse(x string) gover {
+	var v gover
+
+	// Parse major version.
+	var ok bool
+	v.major, x, ok = cutInt(x)
+	if !ok {
+		return gover{}
+	}
+	if x == "" {
+		// Interpret "1" as "1.0.0".
+		v.minor = "0"
+		v.patch = "0"
+		return v
+	}
+
+	// Parse . before minor version.
+	if x[0] != '.' {
+		return gover{}
+	}
+
+	// Parse minor version.
+	v.minor, x, ok = cutInt(x[1:])
+	if !ok {
+		return gover{}
+	}
+	if x == "" {
+		// Patch missing is same as "0" for older versions.
+		// Starting in Go 1.21, patch missing is different from explicit .0.
+		if cmpInt(v.minor, "21") < 0 {
+			v.patch = "0"
+		}
+		return v
+	}
+
+	// Parse patch if present.
+	if x[0] == '.' {
+		v.patch, x, ok = cutInt(x[1:])
+		if !ok || x != "" {
+			// Note that we are disallowing prereleases (alpha, beta, rc) for patch releases here (x != "").
+			// Allowing them would be a bit confusing because we already have:
+			//	1.21 < 1.21rc1
+			// But a prerelease of a patch would have the opposite effect:
+			//	1.21.3rc1 < 1.21.3
+			// We've never needed them before, so let's not start now.
+			return gover{}
+		}
+		return v
+	}
+
+	// Parse prerelease.
+	i := 0
+	for i < len(x) && (x[i] < '0' || '9' < x[i]) {
+		if x[i] < 'a' || 'z' < x[i] {
+			return gover{}
+		}
+		i++
+	}
+	if i == 0 {
+		return gover{}
+	}
+	v.kind, x = x[:i], x[i:]
+	if x == "" {
+		return v
+	}
+	v.pre, x, ok = cutInt(x)
+	if !ok || x != "" {
+		return gover{}
+	}
+
+	return v
+}
+
+// cutInt scans the leading decimal number at the start of x to an integer
+// and returns that value and the rest of the string.
+func cutInt(x string) (n, rest string, ok bool) {
+	i := 0
+	for i < len(x) && '0' <= x[i] && x[i] <= '9' {
+		i++
+	}
+	if i == 0 || x[0] == '0' && i != 1 { // no digits or unnecessary leading zero
+		return "", "", false
+	}
+	return x[:i], x[i:], true
+}
+
+// cmpInt returns cmp.Compare(x, y) interpreting x and y as decimal numbers.
+// (Copied from golang.org/x/mod/semver's compareInt.)
+func cmpInt(x, y string) int {
+	if x == y {
+		return 0
+	}
+	if len(x) < len(y) {
+		return -1
+	}
+	if len(x) > len(y) {
+		return +1
+	}
+	if x < y {
+		return -1
+	} else {
+		return +1
+	}
+}
diff --git a/vendor/golang.org/x/tools/internal/versions/types.go b/vendor/golang.org/x/tools/internal/versions/types.go
new file mode 100644
index 0000000000..0fc10ce4eb
--- /dev/null
+++ b/vendor/golang.org/x/tools/internal/versions/types.go
@@ -0,0 +1,33 @@
+// Copyright 2023 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package versions
+
+import (
+	"go/ast"
+	"go/types"
+)
+
+// FileVersion returns a file's Go version.
+// The reported version is an unknown Future version if a
+// version cannot be determined.
+func FileVersion(info *types.Info, file *ast.File) string {
+	// In tools built with Go >= 1.22, the Go version of a file
+	// follow a cascades of sources:
+	// 1) types.Info.FileVersion, which follows the cascade:
+	//   1.a) file version (ast.File.GoVersion),
+	//   1.b) the package version (types.Config.GoVersion), or
+	// 2) is some unknown Future version.
+	//
+	// File versions require a valid package version to be provided to types
+	// in Config.GoVersion. Config.GoVersion is either from the package's module
+	// or the toolchain (go run). This value should be provided by go/packages
+	// or unitchecker.Config.GoVersion.
+	if v := info.FileVersions[file]; IsValid(v) {
+		return v
+	}
+	// Note: we could instead return runtime.Version() [if valid].
+	// This would act as a max version on what a tool can support.
+	return Future
+}
diff --git a/vendor/golang.org/x/tools/internal/versions/versions.go b/vendor/golang.org/x/tools/internal/versions/versions.go
new file mode 100644
index 0000000000..8d1f7453db
--- /dev/null
+++ b/vendor/golang.org/x/tools/internal/versions/versions.go
@@ -0,0 +1,57 @@
+// Copyright 2023 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package versions
+
+import (
+	"strings"
+)
+
+// Note: If we use build tags to use go/versions when go >=1.22,
+// we run into go.dev/issue/53737. Under some operations users would see an
+// import of "go/versions" even if they would not compile the file.
+// For example, during `go get -u ./...` (go.dev/issue/64490) we do not try to include
+// For this reason, this library just a clone of go/versions for the moment.
+
+// Lang returns the Go language version for version x.
+// If x is not a valid version, Lang returns the empty string.
+// For example:
+//
+//	Lang("go1.21rc2") = "go1.21"
+//	Lang("go1.21.2") = "go1.21"
+//	Lang("go1.21") = "go1.21"
+//	Lang("go1") = "go1"
+//	Lang("bad") = ""
+//	Lang("1.21") = ""
+func Lang(x string) string {
+	v := lang(stripGo(x))
+	if v == "" {
+		return ""
+	}
+	return x[:2+len(v)] // "go"+v without allocation
+}
+
+// Compare returns -1, 0, or +1 depending on whether
+// x < y, x == y, or x > y, interpreted as Go versions.
+// The versions x and y must begin with a "go" prefix: "go1.21" not "1.21".
+// Invalid versions, including the empty string, compare less than
+// valid versions and equal to each other.
+// The language version "go1.21" compares less than the
+// release candidate and eventual releases "go1.21rc1" and "go1.21.0".
+// Custom toolchain suffixes are ignored during comparison:
+// "go1.21.0" and "go1.21.0-bigcorp" are equal.
+func Compare(x, y string) int { return compare(stripGo(x), stripGo(y)) }
+
+// IsValid reports whether the version x is valid.
+func IsValid(x string) bool { return isValid(stripGo(x)) }
+
+// stripGo converts from a "go1.21" version to a "1.21" version.
+// If v does not start with "go", stripGo returns the empty string (a known invalid version).
+func stripGo(v string) string {
+	v, _, _ = strings.Cut(v, "-") // strip -bigcorp suffix.
+	if len(v) < 2 || v[:2] != "go" {
+		return ""
+	}
+	return v[2:]
+}
diff --git a/vendor/google.golang.org/grpc/CONTRIBUTING.md b/vendor/google.golang.org/grpc/CONTRIBUTING.md
index 1de0ce6669..2079de7b0e 100644
--- a/vendor/google.golang.org/grpc/CONTRIBUTING.md
+++ b/vendor/google.golang.org/grpc/CONTRIBUTING.md
@@ -33,17 +33,21 @@ guidelines, there may be valid reasons to do so, but it should be rare.
 
 ## Guidelines for Pull Requests
 
-How to get your contributions merged smoothly and quickly:
+Please read the following carefully to ensure your contributions can be merged
+smoothly and quickly.
+
+### PR Contents
 
 - Create **small PRs** that are narrowly focused on **addressing a single
   concern**. We often receive PRs that attempt to fix several things at the same
   time, and if one part of the PR has a problem, that will hold up the entire
   PR.
 
-- For **speculative changes**, consider opening an issue and discussing it
-  first. If you are suggesting a behavioral or API change, consider starting
-  with a [gRFC proposal](https://github.com/grpc/proposal). Many new features
-  that are not bug fixes will require cross-language agreement.
+- If your change does not address an **open issue** with an **agreed
+  resolution**, consider opening an issue and discussing it first. If you are
+  suggesting a behavioral or API change, consider starting with a [gRFC
+  proposal](https://github.com/grpc/proposal). Many new features that are not
+  bug fixes will require cross-language agreement.
 
 - If you want to fix **formatting or style**, consider whether your changes are
   an obvious improvement or might be considered a personal preference. If a
@@ -56,16 +60,6 @@ How to get your contributions merged smoothly and quickly:
   often written as "iff". Please do not make spelling correction changes unless
   you are certain they are misspellings.
 
-- Provide a good **PR description** as a record of **what** change is being made
-  and **why** it was made. Link to a GitHub issue if it exists.
-
-- Maintain a **clean commit history** and use **meaningful commit messages**.
-  PRs with messy commit histories are difficult to review and won't be merged.
-  Before sending your PR, ensure your changes are based on top of the latest
-  `upstream/master` commits, and avoid rebasing in the middle of a code review.
-  You should **never use `git push -f`** unless absolutely necessary during a
-  review, as it can interfere with GitHub's tracking of comments.
-
 - **All tests need to be passing** before your change can be merged. We
   recommend you run tests locally before creating your PR to catch breakages
   early on:
@@ -81,15 +75,80 @@ How to get your contributions merged smoothly and quickly:
   GitHub, which will trigger a GitHub Actions run that you can use to verify
   everything is passing.
 
-- If you are adding a new file, make sure it has the **copyright message**
+- Note that there are two GitHub actions checks that need not be green:
+
+  1. We test the freshness of the generated proto code we maintain via the
+     `vet-proto` check. If the source proto files are updated, but our repo is
+     not updated, an optional checker will fail. This will be fixed by our team
+     in a separate PR and will not prevent the merge of your PR.
+
+  2. We run a checker that will fail if there is any change in dependencies of
+     an exported package via the `dependencies` check. If new dependencies are
+     added that are not appropriate, we may not accept your PR (see below).
+
+- If you are adding a **new file**, make sure it has the **copyright message**
   template at the top as a comment. You can copy the message from an existing
   file and update the year.
 
 - The grpc package should only depend on standard Go packages and a small number
   of exceptions. **If your contribution introduces new dependencies**, you will
-  need a discussion with gRPC-Go maintainers. A GitHub action check will run on
-  every PR, and will flag any transitive dependency changes from any public
-  package.
+  need a discussion with gRPC-Go maintainers.
+
+### PR Descriptions
+
+- **PR titles** should start with the name of the component being addressed, or
+  the type of change. Examples: transport, client, server, round_robin, xds,
+  cleanup, deps.
+
+- Read and follow the **guidelines for PR titles and descriptions** here:
+  https://google.github.io/eng-practices/review/developer/cl-descriptions.html
+
+  *particularly* the sections "First Line" and "Body is Informative".
+
+  Note: your PR description will be used as the git commit message in a
+  squash-and-merge if your PR is approved. We may make changes to this as
+  necessary.
+
+- **Does this PR relate to an open issue?** On the first line, please use the
+  tag `Fixes #` to ensure the issue is closed when the PR is merged. Or
+  use `Updates #` if the PR is related to an open issue, but does not fix
+  it. Consider filing an issue if one does not already exist.
+
+- PR descriptions *must* conclude with **release notes** as follows:
+
+  ```
+  RELEASE NOTES:
+  * : 
+  ```
+
+  This need not match the PR title.
+
+  The summary must:
+
+  * be something that gRPC users will understand.
+
+  * clearly explain the feature being added, the issue being fixed, or the
+    behavior being changed, etc. If fixing a bug, be clear about how the bug
+    can be triggered by an end-user.
+
+  * begin with a capital letter and use complete sentences.
+
+  * be as short as possible to describe the change being made.
+
+  If a PR is *not* end-user visible -- e.g. a cleanup, testing change, or
+  GitHub-related, use `RELEASE NOTES: n/a`.
+
+### PR Process
+
+- Please **self-review** your code changes before sending your PR. This will
+  prevent simple, obvious errors from causing delays.
+
+- Maintain a **clean commit history** and use **meaningful commit messages**.
+  PRs with messy commit histories are difficult to review and won't be merged.
+  Before sending your PR, ensure your changes are based on top of the latest
+  `upstream/master` commits, and avoid rebasing in the middle of a code review.
+  You should **never use `git push -f`** unless absolutely necessary during a
+  review, as it can interfere with GitHub's tracking of comments.
 
 - Unless your PR is trivial, you should **expect reviewer comments** that you
   will need to address before merging. We'll label the PR as `Status: Requires
@@ -98,5 +157,3 @@ How to get your contributions merged smoothly and quickly:
   `stale`, and we will automatically close it after 7 days if we don't hear back
   from you. Please feel free to ping issues or bugs if you do not get a response
   within a week.
-
-- Exceptions to the rules can be made if there's a compelling reason to do so.
diff --git a/vendor/google.golang.org/grpc/balancer/pickfirst/pickfirst.go b/vendor/google.golang.org/grpc/balancer/pickfirst/pickfirst.go
index ea8899818c..b4bc3a2bf3 100644
--- a/vendor/google.golang.org/grpc/balancer/pickfirst/pickfirst.go
+++ b/vendor/google.golang.org/grpc/balancer/pickfirst/pickfirst.go
@@ -16,55 +16,124 @@
  *
  */
 
-// Package pickfirst contains the pick_first load balancing policy.
+// Package pickfirst contains the pick_first load balancing policy which
+// is the universal leaf policy.
 package pickfirst
 
 import (
 	"encoding/json"
 	"errors"
 	"fmt"
-	rand "math/rand/v2"
+	"net"
+	"net/netip"
+	"sync"
+	"time"
 
 	"google.golang.org/grpc/balancer"
 	"google.golang.org/grpc/balancer/pickfirst/internal"
 	"google.golang.org/grpc/connectivity"
+	expstats "google.golang.org/grpc/experimental/stats"
 	"google.golang.org/grpc/grpclog"
-	"google.golang.org/grpc/internal/envconfig"
 	internalgrpclog "google.golang.org/grpc/internal/grpclog"
 	"google.golang.org/grpc/internal/pretty"
 	"google.golang.org/grpc/resolver"
 	"google.golang.org/grpc/serviceconfig"
-
-	_ "google.golang.org/grpc/balancer/pickfirst/pickfirstleaf" // For automatically registering the new pickfirst if required.
 )
 
 func init() {
-	if envconfig.NewPickFirstEnabled {
-		return
-	}
 	balancer.Register(pickfirstBuilder{})
 }
 
-var logger = grpclog.Component("pick-first-lb")
+// Name is the name of the pick_first balancer.
+const Name = "pick_first"
+
+// enableHealthListenerKeyType is a unique key type used in resolver
+// attributes to indicate whether the health listener usage is enabled.
+type enableHealthListenerKeyType struct{}
+
+var (
+	logger               = grpclog.Component("pick-first-leaf-lb")
+	disconnectionsMetric = expstats.RegisterInt64Count(expstats.MetricDescriptor{
+		Name:        "grpc.lb.pick_first.disconnections",
+		Description: "EXPERIMENTAL. Number of times the selected subchannel becomes disconnected.",
+		Unit:        "{disconnection}",
+		Labels:      []string{"grpc.target"},
+		Default:     false,
+	})
+	connectionAttemptsSucceededMetric = expstats.RegisterInt64Count(expstats.MetricDescriptor{
+		Name:        "grpc.lb.pick_first.connection_attempts_succeeded",
+		Description: "EXPERIMENTAL. Number of successful connection attempts.",
+		Unit:        "{attempt}",
+		Labels:      []string{"grpc.target"},
+		Default:     false,
+	})
+	connectionAttemptsFailedMetric = expstats.RegisterInt64Count(expstats.MetricDescriptor{
+		Name:        "grpc.lb.pick_first.connection_attempts_failed",
+		Description: "EXPERIMENTAL. Number of failed connection attempts.",
+		Unit:        "{attempt}",
+		Labels:      []string{"grpc.target"},
+		Default:     false,
+	})
+)
 
 const (
-	// Name is the name of the pick_first balancer.
-	Name      = "pick_first"
-	logPrefix = "[pick-first-lb %p] "
+	// TODO: change to pick-first when this becomes the default pick_first policy.
+	logPrefix = "[pick-first-leaf-lb %p] "
+	// connectionDelayInterval is the time to wait for during the happy eyeballs
+	// pass before starting the next connection attempt.
+	connectionDelayInterval = 250 * time.Millisecond
+)
+
+type ipAddrFamily int
+
+const (
+	// ipAddrFamilyUnknown represents strings that can't be parsed as an IP
+	// address.
+	ipAddrFamilyUnknown ipAddrFamily = iota
+	ipAddrFamilyV4
+	ipAddrFamilyV6
 )
 
 type pickfirstBuilder struct{}
 
-func (pickfirstBuilder) Build(cc balancer.ClientConn, _ balancer.BuildOptions) balancer.Balancer {
-	b := &pickfirstBalancer{cc: cc}
+func (pickfirstBuilder) Build(cc balancer.ClientConn, bo balancer.BuildOptions) balancer.Balancer {
+	b := &pickfirstBalancer{
+		cc:              cc,
+		target:          bo.Target.String(),
+		metricsRecorder: cc.MetricsRecorder(),
+
+		subConns:              resolver.NewAddressMapV2[*scData](),
+		state:                 connectivity.Connecting,
+		cancelConnectionTimer: func() {},
+	}
 	b.logger = internalgrpclog.NewPrefixLogger(logger, fmt.Sprintf(logPrefix, b))
 	return b
 }
 
-func (pickfirstBuilder) Name() string {
+func (b pickfirstBuilder) Name() string {
 	return Name
 }
 
+func (pickfirstBuilder) ParseConfig(js json.RawMessage) (serviceconfig.LoadBalancingConfig, error) {
+	var cfg pfConfig
+	if err := json.Unmarshal(js, &cfg); err != nil {
+		return nil, fmt.Errorf("pickfirst: unable to unmarshal LB policy config: %s, error: %v", string(js), err)
+	}
+	return cfg, nil
+}
+
+// EnableHealthListener updates the state to configure pickfirst for using a
+// generic health listener.
+//
+// # Experimental
+//
+// Notice: This API is EXPERIMENTAL and may be changed or removed in a later
+// release.
+func EnableHealthListener(state resolver.State) resolver.State {
+	state.Attributes = state.Attributes.WithValue(enableHealthListenerKeyType{}, true)
+	return state
+}
+
 type pfConfig struct {
 	serviceconfig.LoadBalancingConfig `json:"-"`
 
@@ -74,90 +143,129 @@ type pfConfig struct {
 	ShuffleAddressList bool `json:"shuffleAddressList"`
 }
 
-func (pickfirstBuilder) ParseConfig(js json.RawMessage) (serviceconfig.LoadBalancingConfig, error) {
-	var cfg pfConfig
-	if err := json.Unmarshal(js, &cfg); err != nil {
-		return nil, fmt.Errorf("pickfirst: unable to unmarshal LB policy config: %s, error: %v", string(js), err)
+// scData keeps track of the current state of the subConn.
+// It is not safe for concurrent access.
+type scData struct {
+	// The following fields are initialized at build time and read-only after
+	// that.
+	subConn balancer.SubConn
+	addr    resolver.Address
+
+	rawConnectivityState connectivity.State
+	// The effective connectivity state based on raw connectivity, health state
+	// and after following sticky TransientFailure behaviour defined in A62.
+	effectiveState              connectivity.State
+	lastErr                     error
+	connectionFailedInFirstPass bool
+}
+
+func (b *pickfirstBalancer) newSCData(addr resolver.Address) (*scData, error) {
+	sd := &scData{
+		rawConnectivityState: connectivity.Idle,
+		effectiveState:       connectivity.Idle,
+		addr:                 addr,
 	}
-	return cfg, nil
+	sc, err := b.cc.NewSubConn([]resolver.Address{addr}, balancer.NewSubConnOptions{
+		StateListener: func(state balancer.SubConnState) {
+			b.updateSubConnState(sd, state)
+		},
+	})
+	if err != nil {
+		return nil, err
+	}
+	sd.subConn = sc
+	return sd, nil
 }
 
 type pickfirstBalancer struct {
-	logger  *internalgrpclog.PrefixLogger
-	state   connectivity.State
-	cc      balancer.ClientConn
-	subConn balancer.SubConn
+	// The following fields are initialized at build time and read-only after
+	// that and therefore do not need to be guarded by a mutex.
+	logger          *internalgrpclog.PrefixLogger
+	cc              balancer.ClientConn
+	target          string
+	metricsRecorder expstats.MetricsRecorder // guaranteed to be non nil
+
+	// The mutex is used to ensure synchronization of updates triggered
+	// from the idle picker and the already serialized resolver,
+	// SubConn state updates.
+	mu sync.Mutex
+	// State reported to the channel based on SubConn states and resolver
+	// updates.
+	state connectivity.State
+	// scData for active subonns mapped by address.
+	subConns              *resolver.AddressMapV2[*scData]
+	addressList           addressList
+	firstPass             bool
+	numTF                 int
+	cancelConnectionTimer func()
+	healthCheckingEnabled bool
 }
 
+// ResolverError is called by the ClientConn when the name resolver produces
+// an error or when pickfirst determined the resolver update to be invalid.
 func (b *pickfirstBalancer) ResolverError(err error) {
+	b.mu.Lock()
+	defer b.mu.Unlock()
+	b.resolverErrorLocked(err)
+}
+
+func (b *pickfirstBalancer) resolverErrorLocked(err error) {
 	if b.logger.V(2) {
 		b.logger.Infof("Received error from the name resolver: %v", err)
 	}
-	if b.subConn == nil {
-		b.state = connectivity.TransientFailure
-	}
 
-	if b.state != connectivity.TransientFailure {
-		// The picker will not change since the balancer does not currently
-		// report an error.
+	// The picker will not change since the balancer does not currently
+	// report an error. If the balancer hasn't received a single good resolver
+	// update yet, transition to TRANSIENT_FAILURE.
+	if b.state != connectivity.TransientFailure && b.addressList.size() > 0 {
+		if b.logger.V(2) {
+			b.logger.Infof("Ignoring resolver error because balancer is using a previous good update.")
+		}
 		return
 	}
-	b.cc.UpdateState(balancer.State{
+
+	b.updateBalancerState(balancer.State{
 		ConnectivityState: connectivity.TransientFailure,
 		Picker:            &picker{err: fmt.Errorf("name resolver error: %v", err)},
 	})
 }
 
-// Shuffler is an interface for shuffling an address list.
-type Shuffler interface {
-	ShuffleAddressListForTesting(n int, swap func(i, j int))
-}
-
-// ShuffleAddressListForTesting pseudo-randomizes the order of addresses.  n
-// is the number of elements.  swap swaps the elements with indexes i and j.
-func ShuffleAddressListForTesting(n int, swap func(i, j int)) { rand.Shuffle(n, swap) }
-
 func (b *pickfirstBalancer) UpdateClientConnState(state balancer.ClientConnState) error {
+	b.mu.Lock()
+	defer b.mu.Unlock()
+	b.cancelConnectionTimer()
 	if len(state.ResolverState.Addresses) == 0 && len(state.ResolverState.Endpoints) == 0 {
-		// The resolver reported an empty address list. Treat it like an error by
-		// calling b.ResolverError.
-		if b.subConn != nil {
-			// Shut down the old subConn. All addresses were removed, so it is
-			// no longer valid.
-			b.subConn.Shutdown()
-			b.subConn = nil
-		}
-		b.ResolverError(errors.New("produced zero addresses"))
+		// Cleanup state pertaining to the previous resolver state.
+		// Treat an empty address list like an error by calling b.ResolverError.
+		b.closeSubConnsLocked()
+		b.addressList.updateAddrs(nil)
+		b.resolverErrorLocked(errors.New("produced zero addresses"))
 		return balancer.ErrBadResolverState
 	}
-	// We don't have to guard this block with the env var because ParseConfig
-	// already does so.
+	b.healthCheckingEnabled = state.ResolverState.Attributes.Value(enableHealthListenerKeyType{}) != nil
 	cfg, ok := state.BalancerConfig.(pfConfig)
 	if state.BalancerConfig != nil && !ok {
-		return fmt.Errorf("pickfirst: received illegal BalancerConfig (type %T): %v", state.BalancerConfig, state.BalancerConfig)
+		return fmt.Errorf("pickfirst: received illegal BalancerConfig (type %T): %v: %w", state.BalancerConfig, state.BalancerConfig, balancer.ErrBadResolverState)
 	}
 
 	if b.logger.V(2) {
 		b.logger.Infof("Received new config %s, resolver state %s", pretty.ToJSON(cfg), pretty.ToJSON(state.ResolverState))
 	}
 
-	var addrs []resolver.Address
+	var newAddrs []resolver.Address
 	if endpoints := state.ResolverState.Endpoints; len(endpoints) != 0 {
-		// Perform the optional shuffling described in gRFC A62. The shuffling will
-		// change the order of endpoints but not touch the order of the addresses
-		// within each endpoint. - A61
+		// Perform the optional shuffling described in gRFC A62. The shuffling
+		// will change the order of endpoints but not touch the order of the
+		// addresses within each endpoint. - A61
 		if cfg.ShuffleAddressList {
 			endpoints = append([]resolver.Endpoint{}, endpoints...)
 			internal.RandShuffle(len(endpoints), func(i, j int) { endpoints[i], endpoints[j] = endpoints[j], endpoints[i] })
 		}
 
-		// "Flatten the list by concatenating the ordered list of addresses for each
-		// of the endpoints, in order." - A61
+		// "Flatten the list by concatenating the ordered list of addresses for
+		// each of the endpoints, in order." - A61
 		for _, endpoint := range endpoints {
-			// "In the flattened list, interleave addresses from the two address
-			// families, as per RFC-8304 section 4." - A61
-			// TODO: support the above language.
-			addrs = append(addrs, endpoint.Addresses...)
+			newAddrs = append(newAddrs, endpoint.Addresses...)
 		}
 	} else {
 		// Endpoints not set, process addresses until we migrate resolver
@@ -166,42 +274,53 @@ func (b *pickfirstBalancer) UpdateClientConnState(state balancer.ClientConnState
 		// target do not forward the corresponding correct endpoints down/split
 		// endpoints properly. Once all balancers correctly forward endpoints
 		// down, can delete this else conditional.
-		addrs = state.ResolverState.Addresses
+		newAddrs = state.ResolverState.Addresses
 		if cfg.ShuffleAddressList {
-			addrs = append([]resolver.Address{}, addrs...)
-			rand.Shuffle(len(addrs), func(i, j int) { addrs[i], addrs[j] = addrs[j], addrs[i] })
+			newAddrs = append([]resolver.Address{}, newAddrs...)
+			internal.RandShuffle(len(newAddrs), func(i, j int) { newAddrs[i], newAddrs[j] = newAddrs[j], newAddrs[i] })
 		}
 	}
 
-	if b.subConn != nil {
-		b.cc.UpdateAddresses(b.subConn, addrs)
+	// If an address appears in multiple endpoints or in the same endpoint
+	// multiple times, we keep it only once. We will create only one SubConn
+	// for the address because an AddressMap is used to store SubConns.
+	// Not de-duplicating would result in attempting to connect to the same
+	// SubConn multiple times in the same pass. We don't want this.
+	newAddrs = deDupAddresses(newAddrs)
+	newAddrs = interleaveAddresses(newAddrs)
+
+	prevAddr := b.addressList.currentAddress()
+	prevSCData, found := b.subConns.Get(prevAddr)
+	prevAddrsCount := b.addressList.size()
+	isPrevRawConnectivityStateReady := found && prevSCData.rawConnectivityState == connectivity.Ready
+	b.addressList.updateAddrs(newAddrs)
+
+	// If the previous ready SubConn exists in new address list,
+	// keep this connection and don't create new SubConns.
+	if isPrevRawConnectivityStateReady && b.addressList.seekTo(prevAddr) {
 		return nil
 	}
 
-	var subConn balancer.SubConn
-	subConn, err := b.cc.NewSubConn(addrs, balancer.NewSubConnOptions{
-		StateListener: func(state balancer.SubConnState) {
-			b.updateSubConnState(subConn, state)
-		},
-	})
-	if err != nil {
-		if b.logger.V(2) {
-			b.logger.Infof("Failed to create new SubConn: %v", err)
-		}
-		b.state = connectivity.TransientFailure
-		b.cc.UpdateState(balancer.State{
-			ConnectivityState: connectivity.TransientFailure,
-			Picker:            &picker{err: fmt.Errorf("error creating connection: %v", err)},
+	b.reconcileSubConnsLocked(newAddrs)
+	// If it's the first resolver update or the balancer was already READY
+	// (but the new address list does not contain the ready SubConn) or
+	// CONNECTING, enter CONNECTING.
+	// We may be in TRANSIENT_FAILURE due to a previous empty address list,
+	// we should still enter CONNECTING because the sticky TF behaviour
+	//  mentioned in A62 applies only when the TRANSIENT_FAILURE is reported
+	// due to connectivity failures.
+	if isPrevRawConnectivityStateReady || b.state == connectivity.Connecting || prevAddrsCount == 0 {
+		// Start connection attempt at first address.
+		b.forceUpdateConcludedStateLocked(balancer.State{
+			ConnectivityState: connectivity.Connecting,
+			Picker:            &picker{err: balancer.ErrNoSubConnAvailable},
 		})
-		return balancer.ErrBadResolverState
+		b.startFirstPassLocked()
+	} else if b.state == connectivity.TransientFailure {
+		// If we're in TRANSIENT_FAILURE, we stay in TRANSIENT_FAILURE until
+		// we're READY. See A62.
+		b.startFirstPassLocked()
 	}
-	b.subConn = subConn
-	b.state = connectivity.Idle
-	b.cc.UpdateState(balancer.State{
-		ConnectivityState: connectivity.Connecting,
-		Picker:            &picker{err: balancer.ErrNoSubConnAvailable},
-	})
-	b.subConn.Connect()
 	return nil
 }
 
@@ -211,63 +330,484 @@ func (b *pickfirstBalancer) UpdateSubConnState(subConn balancer.SubConn, state b
 	b.logger.Errorf("UpdateSubConnState(%v, %+v) called unexpectedly", subConn, state)
 }
 
-func (b *pickfirstBalancer) updateSubConnState(subConn balancer.SubConn, state balancer.SubConnState) {
-	if b.logger.V(2) {
-		b.logger.Infof("Received SubConn state update: %p, %+v", subConn, state)
+func (b *pickfirstBalancer) Close() {
+	b.mu.Lock()
+	defer b.mu.Unlock()
+	b.closeSubConnsLocked()
+	b.cancelConnectionTimer()
+	b.state = connectivity.Shutdown
+}
+
+// ExitIdle moves the balancer out of idle state. It can be called concurrently
+// by the idlePicker and clientConn so access to variables should be
+// synchronized.
+func (b *pickfirstBalancer) ExitIdle() {
+	b.mu.Lock()
+	defer b.mu.Unlock()
+	if b.state == connectivity.Idle {
+		// Move the balancer into CONNECTING state immediately. This is done to
+		// avoid staying in IDLE if a resolver update arrives before the first
+		// SubConn reports CONNECTING.
+		b.updateBalancerState(balancer.State{
+			ConnectivityState: connectivity.Connecting,
+			Picker:            &picker{err: balancer.ErrNoSubConnAvailable},
+		})
+		b.startFirstPassLocked()
+	}
+}
+
+func (b *pickfirstBalancer) startFirstPassLocked() {
+	b.firstPass = true
+	b.numTF = 0
+	// Reset the connection attempt record for existing SubConns.
+	for _, sd := range b.subConns.Values() {
+		sd.connectionFailedInFirstPass = false
+	}
+	b.requestConnectionLocked()
+}
+
+func (b *pickfirstBalancer) closeSubConnsLocked() {
+	for _, sd := range b.subConns.Values() {
+		sd.subConn.Shutdown()
+	}
+	b.subConns = resolver.NewAddressMapV2[*scData]()
+}
+
+// deDupAddresses ensures that each address appears only once in the slice.
+func deDupAddresses(addrs []resolver.Address) []resolver.Address {
+	seenAddrs := resolver.NewAddressMapV2[bool]()
+	retAddrs := []resolver.Address{}
+
+	for _, addr := range addrs {
+		if _, ok := seenAddrs.Get(addr); ok {
+			continue
+		}
+		seenAddrs.Set(addr, true)
+		retAddrs = append(retAddrs, addr)
+	}
+	return retAddrs
+}
+
+// interleaveAddresses interleaves addresses of both families (IPv4 and IPv6)
+// as per RFC-8305 section 4.
+// Whichever address family is first in the list is followed by an address of
+// the other address family; that is, if the first address in the list is IPv6,
+// then the first IPv4 address should be moved up in the list to be second in
+// the list. It doesn't support configuring "First Address Family Count", i.e.
+// there will always be a single member of the first address family at the
+// beginning of the interleaved list.
+// Addresses that are neither IPv4 nor IPv6 are treated as part of a third
+// "unknown" family for interleaving.
+// See: https://datatracker.ietf.org/doc/html/rfc8305#autoid-6
+func interleaveAddresses(addrs []resolver.Address) []resolver.Address {
+	familyAddrsMap := map[ipAddrFamily][]resolver.Address{}
+	interleavingOrder := []ipAddrFamily{}
+	for _, addr := range addrs {
+		family := addressFamily(addr.Addr)
+		if _, found := familyAddrsMap[family]; !found {
+			interleavingOrder = append(interleavingOrder, family)
+		}
+		familyAddrsMap[family] = append(familyAddrsMap[family], addr)
+	}
+
+	interleavedAddrs := make([]resolver.Address, 0, len(addrs))
+
+	for curFamilyIdx := 0; len(interleavedAddrs) < len(addrs); curFamilyIdx = (curFamilyIdx + 1) % len(interleavingOrder) {
+		// Some IP types may have fewer addresses than others, so we look for
+		// the next type that has a remaining member to add to the interleaved
+		// list.
+		family := interleavingOrder[curFamilyIdx]
+		remainingMembers := familyAddrsMap[family]
+		if len(remainingMembers) > 0 {
+			interleavedAddrs = append(interleavedAddrs, remainingMembers[0])
+			familyAddrsMap[family] = remainingMembers[1:]
+		}
+	}
+
+	return interleavedAddrs
+}
+
+// addressFamily returns the ipAddrFamily after parsing the address string.
+// If the address isn't of the format "ip-address:port", it returns
+// ipAddrFamilyUnknown. The address may be valid even if it's not an IP when
+// using a resolver like passthrough where the address may be a hostname in
+// some format that the dialer can resolve.
+func addressFamily(address string) ipAddrFamily {
+	// Parse the IP after removing the port.
+	host, _, err := net.SplitHostPort(address)
+	if err != nil {
+		return ipAddrFamilyUnknown
+	}
+	ip, err := netip.ParseAddr(host)
+	if err != nil {
+		return ipAddrFamilyUnknown
+	}
+	switch {
+	case ip.Is4() || ip.Is4In6():
+		return ipAddrFamilyV4
+	case ip.Is6():
+		return ipAddrFamilyV6
+	default:
+		return ipAddrFamilyUnknown
+	}
+}
+
+// reconcileSubConnsLocked updates the active subchannels based on a new address
+// list from the resolver. It does this by:
+//   - closing subchannels: any existing subchannels associated with addresses
+//     that are no longer in the updated list are shut down.
+//   - removing subchannels: entries for these closed subchannels are removed
+//     from the subchannel map.
+//
+// This ensures that the subchannel map accurately reflects the current set of
+// addresses received from the name resolver.
+func (b *pickfirstBalancer) reconcileSubConnsLocked(newAddrs []resolver.Address) {
+	newAddrsMap := resolver.NewAddressMapV2[bool]()
+	for _, addr := range newAddrs {
+		newAddrsMap.Set(addr, true)
+	}
+
+	for _, oldAddr := range b.subConns.Keys() {
+		if _, ok := newAddrsMap.Get(oldAddr); ok {
+			continue
+		}
+		val, _ := b.subConns.Get(oldAddr)
+		val.subConn.Shutdown()
+		b.subConns.Delete(oldAddr)
+	}
+}
+
+// shutdownRemainingLocked shuts down remaining subConns. Called when a subConn
+// becomes ready, which means that all other subConn must be shutdown.
+func (b *pickfirstBalancer) shutdownRemainingLocked(selected *scData) {
+	b.cancelConnectionTimer()
+	for _, sd := range b.subConns.Values() {
+		if sd.subConn != selected.subConn {
+			sd.subConn.Shutdown()
+		}
+	}
+	b.subConns = resolver.NewAddressMapV2[*scData]()
+	b.subConns.Set(selected.addr, selected)
+}
+
+// requestConnectionLocked starts connecting on the subchannel corresponding to
+// the current address. If no subchannel exists, one is created. If the current
+// subchannel is in TransientFailure, a connection to the next address is
+// attempted until a subchannel is found.
+func (b *pickfirstBalancer) requestConnectionLocked() {
+	if !b.addressList.isValid() {
+		return
+	}
+	var lastErr error
+	for valid := true; valid; valid = b.addressList.increment() {
+		curAddr := b.addressList.currentAddress()
+		sd, ok := b.subConns.Get(curAddr)
+		if !ok {
+			var err error
+			// We want to assign the new scData to sd from the outer scope,
+			// hence we can't use := below.
+			sd, err = b.newSCData(curAddr)
+			if err != nil {
+				// This should never happen, unless the clientConn is being shut
+				// down.
+				if b.logger.V(2) {
+					b.logger.Infof("Failed to create a subConn for address %v: %v", curAddr.String(), err)
+				}
+				// Do nothing, the LB policy will be closed soon.
+				return
+			}
+			b.subConns.Set(curAddr, sd)
+		}
+
+		switch sd.rawConnectivityState {
+		case connectivity.Idle:
+			sd.subConn.Connect()
+			b.scheduleNextConnectionLocked()
+			return
+		case connectivity.TransientFailure:
+			// The SubConn is being re-used and failed during a previous pass
+			// over the addressList. It has not completed backoff yet.
+			// Mark it as having failed and try the next address.
+			sd.connectionFailedInFirstPass = true
+			lastErr = sd.lastErr
+			continue
+		case connectivity.Connecting:
+			// Wait for the connection attempt to complete or the timer to fire
+			// before attempting the next address.
+			b.scheduleNextConnectionLocked()
+			return
+		default:
+			b.logger.Errorf("SubConn with unexpected state %v present in SubConns map.", sd.rawConnectivityState)
+			return
+
+		}
+	}
+
+	// All the remaining addresses in the list are in TRANSIENT_FAILURE, end the
+	// first pass if possible.
+	b.endFirstPassIfPossibleLocked(lastErr)
+}
+
+func (b *pickfirstBalancer) scheduleNextConnectionLocked() {
+	b.cancelConnectionTimer()
+	if !b.addressList.hasNext() {
+		return
 	}
-	if b.subConn != subConn {
+	curAddr := b.addressList.currentAddress()
+	cancelled := false // Access to this is protected by the balancer's mutex.
+	closeFn := internal.TimeAfterFunc(connectionDelayInterval, func() {
+		b.mu.Lock()
+		defer b.mu.Unlock()
+		// If the scheduled task is cancelled while acquiring the mutex, return.
+		if cancelled {
+			return
+		}
 		if b.logger.V(2) {
-			b.logger.Infof("Ignored state change because subConn is not recognized")
+			b.logger.Infof("Happy Eyeballs timer expired while waiting for connection to %q.", curAddr.Addr)
+		}
+		if b.addressList.increment() {
+			b.requestConnectionLocked()
 		}
+	})
+	// Access to the cancellation callback held by the balancer is guarded by
+	// the balancer's mutex, so it's safe to set the boolean from the callback.
+	b.cancelConnectionTimer = sync.OnceFunc(func() {
+		cancelled = true
+		closeFn()
+	})
+}
+
+func (b *pickfirstBalancer) updateSubConnState(sd *scData, newState balancer.SubConnState) {
+	b.mu.Lock()
+	defer b.mu.Unlock()
+	oldState := sd.rawConnectivityState
+	sd.rawConnectivityState = newState.ConnectivityState
+	// Previously relevant SubConns can still callback with state updates.
+	// To prevent pickers from returning these obsolete SubConns, this logic
+	// is included to check if the current list of active SubConns includes this
+	// SubConn.
+	if !b.isActiveSCData(sd) {
 		return
 	}
-	if state.ConnectivityState == connectivity.Shutdown {
-		b.subConn = nil
+	if newState.ConnectivityState == connectivity.Shutdown {
+		sd.effectiveState = connectivity.Shutdown
 		return
 	}
 
-	switch state.ConnectivityState {
-	case connectivity.Ready:
-		b.cc.UpdateState(balancer.State{
-			ConnectivityState: state.ConnectivityState,
-			Picker:            &picker{result: balancer.PickResult{SubConn: subConn}},
-		})
-	case connectivity.Connecting:
-		if b.state == connectivity.TransientFailure {
-			// We stay in TransientFailure until we are Ready. See A62.
+	// Record a connection attempt when exiting CONNECTING.
+	if newState.ConnectivityState == connectivity.TransientFailure {
+		sd.connectionFailedInFirstPass = true
+		connectionAttemptsFailedMetric.Record(b.metricsRecorder, 1, b.target)
+	}
+
+	if newState.ConnectivityState == connectivity.Ready {
+		connectionAttemptsSucceededMetric.Record(b.metricsRecorder, 1, b.target)
+		b.shutdownRemainingLocked(sd)
+		if !b.addressList.seekTo(sd.addr) {
+			// This should not fail as we should have only one SubConn after
+			// entering READY. The SubConn should be present in the addressList.
+			b.logger.Errorf("Address %q not found address list in %v", sd.addr, b.addressList.addresses)
 			return
 		}
-		b.cc.UpdateState(balancer.State{
-			ConnectivityState: state.ConnectivityState,
+		if !b.healthCheckingEnabled {
+			if b.logger.V(2) {
+				b.logger.Infof("SubConn %p reported connectivity state READY and the health listener is disabled. Transitioning SubConn to READY.", sd.subConn)
+			}
+
+			sd.effectiveState = connectivity.Ready
+			b.updateBalancerState(balancer.State{
+				ConnectivityState: connectivity.Ready,
+				Picker:            &picker{result: balancer.PickResult{SubConn: sd.subConn}},
+			})
+			return
+		}
+		if b.logger.V(2) {
+			b.logger.Infof("SubConn %p reported connectivity state READY. Registering health listener.", sd.subConn)
+		}
+		// Send a CONNECTING update to take the SubConn out of sticky-TF if
+		// required.
+		sd.effectiveState = connectivity.Connecting
+		b.updateBalancerState(balancer.State{
+			ConnectivityState: connectivity.Connecting,
 			Picker:            &picker{err: balancer.ErrNoSubConnAvailable},
 		})
+		sd.subConn.RegisterHealthListener(func(scs balancer.SubConnState) {
+			b.updateSubConnHealthState(sd, scs)
+		})
+		return
+	}
+
+	// If the LB policy is READY, and it receives a subchannel state change,
+	// it means that the READY subchannel has failed.
+	// A SubConn can also transition from CONNECTING directly to IDLE when
+	// a transport is successfully created, but the connection fails
+	// before the SubConn can send the notification for READY. We treat
+	// this as a successful connection and transition to IDLE.
+	// TODO: https://github.com/grpc/grpc-go/issues/7862 - Remove the second
+	// part of the if condition below once the issue is fixed.
+	if oldState == connectivity.Ready || (oldState == connectivity.Connecting && newState.ConnectivityState == connectivity.Idle) {
+		// Once a transport fails, the balancer enters IDLE and starts from
+		// the first address when the picker is used.
+		b.shutdownRemainingLocked(sd)
+		sd.effectiveState = newState.ConnectivityState
+		// READY SubConn interspliced in between CONNECTING and IDLE, need to
+		// account for that.
+		if oldState == connectivity.Connecting {
+			// A known issue (https://github.com/grpc/grpc-go/issues/7862)
+			// causes a race that prevents the READY state change notification.
+			// This works around it.
+			connectionAttemptsSucceededMetric.Record(b.metricsRecorder, 1, b.target)
+		}
+		disconnectionsMetric.Record(b.metricsRecorder, 1, b.target)
+		b.addressList.reset()
+		b.updateBalancerState(balancer.State{
+			ConnectivityState: connectivity.Idle,
+			Picker:            &idlePicker{exitIdle: sync.OnceFunc(b.ExitIdle)},
+		})
+		return
+	}
+
+	if b.firstPass {
+		switch newState.ConnectivityState {
+		case connectivity.Connecting:
+			// The effective state can be in either IDLE, CONNECTING or
+			// TRANSIENT_FAILURE. If it's  TRANSIENT_FAILURE, stay in
+			// TRANSIENT_FAILURE until it's READY. See A62.
+			if sd.effectiveState != connectivity.TransientFailure {
+				sd.effectiveState = connectivity.Connecting
+				b.updateBalancerState(balancer.State{
+					ConnectivityState: connectivity.Connecting,
+					Picker:            &picker{err: balancer.ErrNoSubConnAvailable},
+				})
+			}
+		case connectivity.TransientFailure:
+			sd.lastErr = newState.ConnectionError
+			sd.effectiveState = connectivity.TransientFailure
+			// Since we're re-using common SubConns while handling resolver
+			// updates, we could receive an out of turn TRANSIENT_FAILURE from
+			// a pass over the previous address list. Happy Eyeballs will also
+			// cause out of order updates to arrive.
+
+			if curAddr := b.addressList.currentAddress(); equalAddressIgnoringBalAttributes(&curAddr, &sd.addr) {
+				b.cancelConnectionTimer()
+				if b.addressList.increment() {
+					b.requestConnectionLocked()
+					return
+				}
+			}
+
+			// End the first pass if we've seen a TRANSIENT_FAILURE from all
+			// SubConns once.
+			b.endFirstPassIfPossibleLocked(newState.ConnectionError)
+		}
+		return
+	}
+
+	// We have finished the first pass, keep re-connecting failing SubConns.
+	switch newState.ConnectivityState {
+	case connectivity.TransientFailure:
+		b.numTF = (b.numTF + 1) % b.subConns.Len()
+		sd.lastErr = newState.ConnectionError
+		if b.numTF%b.subConns.Len() == 0 {
+			b.updateBalancerState(balancer.State{
+				ConnectivityState: connectivity.TransientFailure,
+				Picker:            &picker{err: newState.ConnectionError},
+			})
+		}
+		// We don't need to request re-resolution since the SubConn already
+		// does that before reporting TRANSIENT_FAILURE.
+		// TODO: #7534 - Move re-resolution requests from SubConn into
+		// pick_first.
 	case connectivity.Idle:
-		if b.state == connectivity.TransientFailure {
-			// We stay in TransientFailure until we are Ready. Also kick the
-			// subConn out of Idle into Connecting. See A62.
-			b.subConn.Connect()
+		sd.subConn.Connect()
+	}
+}
+
+// endFirstPassIfPossibleLocked ends the first happy-eyeballs pass if all the
+// addresses are tried and their SubConns have reported a failure.
+func (b *pickfirstBalancer) endFirstPassIfPossibleLocked(lastErr error) {
+	// An optimization to avoid iterating over the entire SubConn map.
+	if b.addressList.isValid() {
+		return
+	}
+	// Connect() has been called on all the SubConns. The first pass can be
+	// ended if all the SubConns have reported a failure.
+	for _, sd := range b.subConns.Values() {
+		if !sd.connectionFailedInFirstPass {
 			return
 		}
-		b.cc.UpdateState(balancer.State{
-			ConnectivityState: state.ConnectivityState,
-			Picker:            &idlePicker{subConn: subConn},
+	}
+	b.firstPass = false
+	b.updateBalancerState(balancer.State{
+		ConnectivityState: connectivity.TransientFailure,
+		Picker:            &picker{err: lastErr},
+	})
+	// Start re-connecting all the SubConns that are already in IDLE.
+	for _, sd := range b.subConns.Values() {
+		if sd.rawConnectivityState == connectivity.Idle {
+			sd.subConn.Connect()
+		}
+	}
+}
+
+func (b *pickfirstBalancer) isActiveSCData(sd *scData) bool {
+	activeSD, found := b.subConns.Get(sd.addr)
+	return found && activeSD == sd
+}
+
+func (b *pickfirstBalancer) updateSubConnHealthState(sd *scData, state balancer.SubConnState) {
+	b.mu.Lock()
+	defer b.mu.Unlock()
+	// Previously relevant SubConns can still callback with state updates.
+	// To prevent pickers from returning these obsolete SubConns, this logic
+	// is included to check if the current list of active SubConns includes
+	// this SubConn.
+	if !b.isActiveSCData(sd) {
+		return
+	}
+	sd.effectiveState = state.ConnectivityState
+	switch state.ConnectivityState {
+	case connectivity.Ready:
+		b.updateBalancerState(balancer.State{
+			ConnectivityState: connectivity.Ready,
+			Picker:            &picker{result: balancer.PickResult{SubConn: sd.subConn}},
 		})
 	case connectivity.TransientFailure:
-		b.cc.UpdateState(balancer.State{
-			ConnectivityState: state.ConnectivityState,
-			Picker:            &picker{err: state.ConnectionError},
+		b.updateBalancerState(balancer.State{
+			ConnectivityState: connectivity.TransientFailure,
+			Picker:            &picker{err: fmt.Errorf("pickfirst: health check failure: %v", state.ConnectionError)},
+		})
+	case connectivity.Connecting:
+		b.updateBalancerState(balancer.State{
+			ConnectivityState: connectivity.Connecting,
+			Picker:            &picker{err: balancer.ErrNoSubConnAvailable},
 		})
+	default:
+		b.logger.Errorf("Got unexpected health update for SubConn %p: %v", state)
 	}
-	b.state = state.ConnectivityState
 }
 
-func (b *pickfirstBalancer) Close() {
+// updateBalancerState stores the state reported to the channel and calls
+// ClientConn.UpdateState(). As an optimization, it avoids sending duplicate
+// updates to the channel.
+func (b *pickfirstBalancer) updateBalancerState(newState balancer.State) {
+	// In case of TransientFailures allow the picker to be updated to update
+	// the connectivity error, in all other cases don't send duplicate state
+	// updates.
+	if newState.ConnectivityState == b.state && b.state != connectivity.TransientFailure {
+		return
+	}
+	b.forceUpdateConcludedStateLocked(newState)
 }
 
-func (b *pickfirstBalancer) ExitIdle() {
-	if b.subConn != nil && b.state == connectivity.Idle {
-		b.subConn.Connect()
-	}
+// forceUpdateConcludedStateLocked stores the state reported to the channel and
+// calls ClientConn.UpdateState().
+// A separate function is defined to force update the ClientConn state since the
+// channel doesn't correctly assume that LB policies start in CONNECTING and
+// relies on LB policy to send an initial CONNECTING update.
+func (b *pickfirstBalancer) forceUpdateConcludedStateLocked(newState balancer.State) {
+	b.state = newState.ConnectivityState
+	b.cc.UpdateState(newState)
 }
 
 type picker struct {
@@ -282,10 +822,87 @@ func (p *picker) Pick(balancer.PickInfo) (balancer.PickResult, error) {
 // idlePicker is used when the SubConn is IDLE and kicks the SubConn into
 // CONNECTING when Pick is called.
 type idlePicker struct {
-	subConn balancer.SubConn
+	exitIdle func()
 }
 
 func (i *idlePicker) Pick(balancer.PickInfo) (balancer.PickResult, error) {
-	i.subConn.Connect()
+	i.exitIdle()
 	return balancer.PickResult{}, balancer.ErrNoSubConnAvailable
 }
+
+// addressList manages sequentially iterating over addresses present in a list
+// of endpoints. It provides a 1 dimensional view of the addresses present in
+// the endpoints.
+// This type is not safe for concurrent access.
+type addressList struct {
+	addresses []resolver.Address
+	idx       int
+}
+
+func (al *addressList) isValid() bool {
+	return al.idx < len(al.addresses)
+}
+
+func (al *addressList) size() int {
+	return len(al.addresses)
+}
+
+// increment moves to the next index in the address list.
+// This method returns false if it went off the list, true otherwise.
+func (al *addressList) increment() bool {
+	if !al.isValid() {
+		return false
+	}
+	al.idx++
+	return al.idx < len(al.addresses)
+}
+
+// currentAddress returns the current address pointed to in the addressList.
+// If the list is in an invalid state, it returns an empty address instead.
+func (al *addressList) currentAddress() resolver.Address {
+	if !al.isValid() {
+		return resolver.Address{}
+	}
+	return al.addresses[al.idx]
+}
+
+func (al *addressList) reset() {
+	al.idx = 0
+}
+
+func (al *addressList) updateAddrs(addrs []resolver.Address) {
+	al.addresses = addrs
+	al.reset()
+}
+
+// seekTo returns false if the needle was not found and the current index was
+// left unchanged.
+func (al *addressList) seekTo(needle resolver.Address) bool {
+	for ai, addr := range al.addresses {
+		if !equalAddressIgnoringBalAttributes(&addr, &needle) {
+			continue
+		}
+		al.idx = ai
+		return true
+	}
+	return false
+}
+
+// hasNext returns whether incrementing the addressList will result in moving
+// past the end of the list. If the list has already moved past the end, it
+// returns false.
+func (al *addressList) hasNext() bool {
+	if !al.isValid() {
+		return false
+	}
+	return al.idx+1 < len(al.addresses)
+}
+
+// equalAddressIgnoringBalAttributes returns true is a and b are considered
+// equal. This is different from the Equal method on the resolver.Address type
+// which considers all fields to determine equality. Here, we only consider
+// fields that are meaningful to the SubConn.
+func equalAddressIgnoringBalAttributes(a, b *resolver.Address) bool {
+	return a.Addr == b.Addr && a.ServerName == b.ServerName &&
+		a.Attributes.Equal(b.Attributes)
+}
diff --git a/vendor/google.golang.org/grpc/balancer/pickfirst/pickfirstleaf/pickfirstleaf.go b/vendor/google.golang.org/grpc/balancer/pickfirst/pickfirstleaf/pickfirstleaf.go
deleted file mode 100644
index 67f315a0db..0000000000
--- a/vendor/google.golang.org/grpc/balancer/pickfirst/pickfirstleaf/pickfirstleaf.go
+++ /dev/null
@@ -1,906 +0,0 @@
-/*
- *
- * Copyright 2024 gRPC authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- */
-
-// Package pickfirstleaf contains the pick_first load balancing policy which
-// will be the universal leaf policy after dualstack changes are implemented.
-//
-// # Experimental
-//
-// Notice: This package is EXPERIMENTAL and may be changed or removed in a
-// later release.
-package pickfirstleaf
-
-import (
-	"encoding/json"
-	"errors"
-	"fmt"
-	"net"
-	"net/netip"
-	"sync"
-	"time"
-
-	"google.golang.org/grpc/balancer"
-	"google.golang.org/grpc/balancer/pickfirst/internal"
-	"google.golang.org/grpc/connectivity"
-	expstats "google.golang.org/grpc/experimental/stats"
-	"google.golang.org/grpc/grpclog"
-	"google.golang.org/grpc/internal/envconfig"
-	internalgrpclog "google.golang.org/grpc/internal/grpclog"
-	"google.golang.org/grpc/internal/pretty"
-	"google.golang.org/grpc/resolver"
-	"google.golang.org/grpc/serviceconfig"
-)
-
-func init() {
-	if envconfig.NewPickFirstEnabled {
-		// Register as the default pick_first balancer.
-		Name = "pick_first"
-	}
-	balancer.Register(pickfirstBuilder{})
-}
-
-// enableHealthListenerKeyType is a unique key type used in resolver
-// attributes to indicate whether the health listener usage is enabled.
-type enableHealthListenerKeyType struct{}
-
-var (
-	logger = grpclog.Component("pick-first-leaf-lb")
-	// Name is the name of the pick_first_leaf balancer.
-	// It is changed to "pick_first" in init() if this balancer is to be
-	// registered as the default pickfirst.
-	Name                 = "pick_first_leaf"
-	disconnectionsMetric = expstats.RegisterInt64Count(expstats.MetricDescriptor{
-		Name:        "grpc.lb.pick_first.disconnections",
-		Description: "EXPERIMENTAL. Number of times the selected subchannel becomes disconnected.",
-		Unit:        "{disconnection}",
-		Labels:      []string{"grpc.target"},
-		Default:     false,
-	})
-	connectionAttemptsSucceededMetric = expstats.RegisterInt64Count(expstats.MetricDescriptor{
-		Name:        "grpc.lb.pick_first.connection_attempts_succeeded",
-		Description: "EXPERIMENTAL. Number of successful connection attempts.",
-		Unit:        "{attempt}",
-		Labels:      []string{"grpc.target"},
-		Default:     false,
-	})
-	connectionAttemptsFailedMetric = expstats.RegisterInt64Count(expstats.MetricDescriptor{
-		Name:        "grpc.lb.pick_first.connection_attempts_failed",
-		Description: "EXPERIMENTAL. Number of failed connection attempts.",
-		Unit:        "{attempt}",
-		Labels:      []string{"grpc.target"},
-		Default:     false,
-	})
-)
-
-const (
-	// TODO: change to pick-first when this becomes the default pick_first policy.
-	logPrefix = "[pick-first-leaf-lb %p] "
-	// connectionDelayInterval is the time to wait for during the happy eyeballs
-	// pass before starting the next connection attempt.
-	connectionDelayInterval = 250 * time.Millisecond
-)
-
-type ipAddrFamily int
-
-const (
-	// ipAddrFamilyUnknown represents strings that can't be parsed as an IP
-	// address.
-	ipAddrFamilyUnknown ipAddrFamily = iota
-	ipAddrFamilyV4
-	ipAddrFamilyV6
-)
-
-type pickfirstBuilder struct{}
-
-func (pickfirstBuilder) Build(cc balancer.ClientConn, bo balancer.BuildOptions) balancer.Balancer {
-	b := &pickfirstBalancer{
-		cc:              cc,
-		target:          bo.Target.String(),
-		metricsRecorder: cc.MetricsRecorder(),
-
-		subConns:              resolver.NewAddressMapV2[*scData](),
-		state:                 connectivity.Connecting,
-		cancelConnectionTimer: func() {},
-	}
-	b.logger = internalgrpclog.NewPrefixLogger(logger, fmt.Sprintf(logPrefix, b))
-	return b
-}
-
-func (b pickfirstBuilder) Name() string {
-	return Name
-}
-
-func (pickfirstBuilder) ParseConfig(js json.RawMessage) (serviceconfig.LoadBalancingConfig, error) {
-	var cfg pfConfig
-	if err := json.Unmarshal(js, &cfg); err != nil {
-		return nil, fmt.Errorf("pickfirst: unable to unmarshal LB policy config: %s, error: %v", string(js), err)
-	}
-	return cfg, nil
-}
-
-// EnableHealthListener updates the state to configure pickfirst for using a
-// generic health listener.
-func EnableHealthListener(state resolver.State) resolver.State {
-	state.Attributes = state.Attributes.WithValue(enableHealthListenerKeyType{}, true)
-	return state
-}
-
-type pfConfig struct {
-	serviceconfig.LoadBalancingConfig `json:"-"`
-
-	// If set to true, instructs the LB policy to shuffle the order of the list
-	// of endpoints received from the name resolver before attempting to
-	// connect to them.
-	ShuffleAddressList bool `json:"shuffleAddressList"`
-}
-
-// scData keeps track of the current state of the subConn.
-// It is not safe for concurrent access.
-type scData struct {
-	// The following fields are initialized at build time and read-only after
-	// that.
-	subConn balancer.SubConn
-	addr    resolver.Address
-
-	rawConnectivityState connectivity.State
-	// The effective connectivity state based on raw connectivity, health state
-	// and after following sticky TransientFailure behaviour defined in A62.
-	effectiveState              connectivity.State
-	lastErr                     error
-	connectionFailedInFirstPass bool
-}
-
-func (b *pickfirstBalancer) newSCData(addr resolver.Address) (*scData, error) {
-	sd := &scData{
-		rawConnectivityState: connectivity.Idle,
-		effectiveState:       connectivity.Idle,
-		addr:                 addr,
-	}
-	sc, err := b.cc.NewSubConn([]resolver.Address{addr}, balancer.NewSubConnOptions{
-		StateListener: func(state balancer.SubConnState) {
-			b.updateSubConnState(sd, state)
-		},
-	})
-	if err != nil {
-		return nil, err
-	}
-	sd.subConn = sc
-	return sd, nil
-}
-
-type pickfirstBalancer struct {
-	// The following fields are initialized at build time and read-only after
-	// that and therefore do not need to be guarded by a mutex.
-	logger          *internalgrpclog.PrefixLogger
-	cc              balancer.ClientConn
-	target          string
-	metricsRecorder expstats.MetricsRecorder // guaranteed to be non nil
-
-	// The mutex is used to ensure synchronization of updates triggered
-	// from the idle picker and the already serialized resolver,
-	// SubConn state updates.
-	mu sync.Mutex
-	// State reported to the channel based on SubConn states and resolver
-	// updates.
-	state connectivity.State
-	// scData for active subonns mapped by address.
-	subConns              *resolver.AddressMapV2[*scData]
-	addressList           addressList
-	firstPass             bool
-	numTF                 int
-	cancelConnectionTimer func()
-	healthCheckingEnabled bool
-}
-
-// ResolverError is called by the ClientConn when the name resolver produces
-// an error or when pickfirst determined the resolver update to be invalid.
-func (b *pickfirstBalancer) ResolverError(err error) {
-	b.mu.Lock()
-	defer b.mu.Unlock()
-	b.resolverErrorLocked(err)
-}
-
-func (b *pickfirstBalancer) resolverErrorLocked(err error) {
-	if b.logger.V(2) {
-		b.logger.Infof("Received error from the name resolver: %v", err)
-	}
-
-	// The picker will not change since the balancer does not currently
-	// report an error. If the balancer hasn't received a single good resolver
-	// update yet, transition to TRANSIENT_FAILURE.
-	if b.state != connectivity.TransientFailure && b.addressList.size() > 0 {
-		if b.logger.V(2) {
-			b.logger.Infof("Ignoring resolver error because balancer is using a previous good update.")
-		}
-		return
-	}
-
-	b.updateBalancerState(balancer.State{
-		ConnectivityState: connectivity.TransientFailure,
-		Picker:            &picker{err: fmt.Errorf("name resolver error: %v", err)},
-	})
-}
-
-func (b *pickfirstBalancer) UpdateClientConnState(state balancer.ClientConnState) error {
-	b.mu.Lock()
-	defer b.mu.Unlock()
-	b.cancelConnectionTimer()
-	if len(state.ResolverState.Addresses) == 0 && len(state.ResolverState.Endpoints) == 0 {
-		// Cleanup state pertaining to the previous resolver state.
-		// Treat an empty address list like an error by calling b.ResolverError.
-		b.closeSubConnsLocked()
-		b.addressList.updateAddrs(nil)
-		b.resolverErrorLocked(errors.New("produced zero addresses"))
-		return balancer.ErrBadResolverState
-	}
-	b.healthCheckingEnabled = state.ResolverState.Attributes.Value(enableHealthListenerKeyType{}) != nil
-	cfg, ok := state.BalancerConfig.(pfConfig)
-	if state.BalancerConfig != nil && !ok {
-		return fmt.Errorf("pickfirst: received illegal BalancerConfig (type %T): %v: %w", state.BalancerConfig, state.BalancerConfig, balancer.ErrBadResolverState)
-	}
-
-	if b.logger.V(2) {
-		b.logger.Infof("Received new config %s, resolver state %s", pretty.ToJSON(cfg), pretty.ToJSON(state.ResolverState))
-	}
-
-	var newAddrs []resolver.Address
-	if endpoints := state.ResolverState.Endpoints; len(endpoints) != 0 {
-		// Perform the optional shuffling described in gRFC A62. The shuffling
-		// will change the order of endpoints but not touch the order of the
-		// addresses within each endpoint. - A61
-		if cfg.ShuffleAddressList {
-			endpoints = append([]resolver.Endpoint{}, endpoints...)
-			internal.RandShuffle(len(endpoints), func(i, j int) { endpoints[i], endpoints[j] = endpoints[j], endpoints[i] })
-		}
-
-		// "Flatten the list by concatenating the ordered list of addresses for
-		// each of the endpoints, in order." - A61
-		for _, endpoint := range endpoints {
-			newAddrs = append(newAddrs, endpoint.Addresses...)
-		}
-	} else {
-		// Endpoints not set, process addresses until we migrate resolver
-		// emissions fully to Endpoints. The top channel does wrap emitted
-		// addresses with endpoints, however some balancers such as weighted
-		// target do not forward the corresponding correct endpoints down/split
-		// endpoints properly. Once all balancers correctly forward endpoints
-		// down, can delete this else conditional.
-		newAddrs = state.ResolverState.Addresses
-		if cfg.ShuffleAddressList {
-			newAddrs = append([]resolver.Address{}, newAddrs...)
-			internal.RandShuffle(len(endpoints), func(i, j int) { endpoints[i], endpoints[j] = endpoints[j], endpoints[i] })
-		}
-	}
-
-	// If an address appears in multiple endpoints or in the same endpoint
-	// multiple times, we keep it only once. We will create only one SubConn
-	// for the address because an AddressMap is used to store SubConns.
-	// Not de-duplicating would result in attempting to connect to the same
-	// SubConn multiple times in the same pass. We don't want this.
-	newAddrs = deDupAddresses(newAddrs)
-	newAddrs = interleaveAddresses(newAddrs)
-
-	prevAddr := b.addressList.currentAddress()
-	prevSCData, found := b.subConns.Get(prevAddr)
-	prevAddrsCount := b.addressList.size()
-	isPrevRawConnectivityStateReady := found && prevSCData.rawConnectivityState == connectivity.Ready
-	b.addressList.updateAddrs(newAddrs)
-
-	// If the previous ready SubConn exists in new address list,
-	// keep this connection and don't create new SubConns.
-	if isPrevRawConnectivityStateReady && b.addressList.seekTo(prevAddr) {
-		return nil
-	}
-
-	b.reconcileSubConnsLocked(newAddrs)
-	// If it's the first resolver update or the balancer was already READY
-	// (but the new address list does not contain the ready SubConn) or
-	// CONNECTING, enter CONNECTING.
-	// We may be in TRANSIENT_FAILURE due to a previous empty address list,
-	// we should still enter CONNECTING because the sticky TF behaviour
-	//  mentioned in A62 applies only when the TRANSIENT_FAILURE is reported
-	// due to connectivity failures.
-	if isPrevRawConnectivityStateReady || b.state == connectivity.Connecting || prevAddrsCount == 0 {
-		// Start connection attempt at first address.
-		b.forceUpdateConcludedStateLocked(balancer.State{
-			ConnectivityState: connectivity.Connecting,
-			Picker:            &picker{err: balancer.ErrNoSubConnAvailable},
-		})
-		b.startFirstPassLocked()
-	} else if b.state == connectivity.TransientFailure {
-		// If we're in TRANSIENT_FAILURE, we stay in TRANSIENT_FAILURE until
-		// we're READY. See A62.
-		b.startFirstPassLocked()
-	}
-	return nil
-}
-
-// UpdateSubConnState is unused as a StateListener is always registered when
-// creating SubConns.
-func (b *pickfirstBalancer) UpdateSubConnState(subConn balancer.SubConn, state balancer.SubConnState) {
-	b.logger.Errorf("UpdateSubConnState(%v, %+v) called unexpectedly", subConn, state)
-}
-
-func (b *pickfirstBalancer) Close() {
-	b.mu.Lock()
-	defer b.mu.Unlock()
-	b.closeSubConnsLocked()
-	b.cancelConnectionTimer()
-	b.state = connectivity.Shutdown
-}
-
-// ExitIdle moves the balancer out of idle state. It can be called concurrently
-// by the idlePicker and clientConn so access to variables should be
-// synchronized.
-func (b *pickfirstBalancer) ExitIdle() {
-	b.mu.Lock()
-	defer b.mu.Unlock()
-	if b.state == connectivity.Idle {
-		b.startFirstPassLocked()
-	}
-}
-
-func (b *pickfirstBalancer) startFirstPassLocked() {
-	b.firstPass = true
-	b.numTF = 0
-	// Reset the connection attempt record for existing SubConns.
-	for _, sd := range b.subConns.Values() {
-		sd.connectionFailedInFirstPass = false
-	}
-	b.requestConnectionLocked()
-}
-
-func (b *pickfirstBalancer) closeSubConnsLocked() {
-	for _, sd := range b.subConns.Values() {
-		sd.subConn.Shutdown()
-	}
-	b.subConns = resolver.NewAddressMapV2[*scData]()
-}
-
-// deDupAddresses ensures that each address appears only once in the slice.
-func deDupAddresses(addrs []resolver.Address) []resolver.Address {
-	seenAddrs := resolver.NewAddressMapV2[*scData]()
-	retAddrs := []resolver.Address{}
-
-	for _, addr := range addrs {
-		if _, ok := seenAddrs.Get(addr); ok {
-			continue
-		}
-		retAddrs = append(retAddrs, addr)
-	}
-	return retAddrs
-}
-
-// interleaveAddresses interleaves addresses of both families (IPv4 and IPv6)
-// as per RFC-8305 section 4.
-// Whichever address family is first in the list is followed by an address of
-// the other address family; that is, if the first address in the list is IPv6,
-// then the first IPv4 address should be moved up in the list to be second in
-// the list. It doesn't support configuring "First Address Family Count", i.e.
-// there will always be a single member of the first address family at the
-// beginning of the interleaved list.
-// Addresses that are neither IPv4 nor IPv6 are treated as part of a third
-// "unknown" family for interleaving.
-// See: https://datatracker.ietf.org/doc/html/rfc8305#autoid-6
-func interleaveAddresses(addrs []resolver.Address) []resolver.Address {
-	familyAddrsMap := map[ipAddrFamily][]resolver.Address{}
-	interleavingOrder := []ipAddrFamily{}
-	for _, addr := range addrs {
-		family := addressFamily(addr.Addr)
-		if _, found := familyAddrsMap[family]; !found {
-			interleavingOrder = append(interleavingOrder, family)
-		}
-		familyAddrsMap[family] = append(familyAddrsMap[family], addr)
-	}
-
-	interleavedAddrs := make([]resolver.Address, 0, len(addrs))
-
-	for curFamilyIdx := 0; len(interleavedAddrs) < len(addrs); curFamilyIdx = (curFamilyIdx + 1) % len(interleavingOrder) {
-		// Some IP types may have fewer addresses than others, so we look for
-		// the next type that has a remaining member to add to the interleaved
-		// list.
-		family := interleavingOrder[curFamilyIdx]
-		remainingMembers := familyAddrsMap[family]
-		if len(remainingMembers) > 0 {
-			interleavedAddrs = append(interleavedAddrs, remainingMembers[0])
-			familyAddrsMap[family] = remainingMembers[1:]
-		}
-	}
-
-	return interleavedAddrs
-}
-
-// addressFamily returns the ipAddrFamily after parsing the address string.
-// If the address isn't of the format "ip-address:port", it returns
-// ipAddrFamilyUnknown. The address may be valid even if it's not an IP when
-// using a resolver like passthrough where the address may be a hostname in
-// some format that the dialer can resolve.
-func addressFamily(address string) ipAddrFamily {
-	// Parse the IP after removing the port.
-	host, _, err := net.SplitHostPort(address)
-	if err != nil {
-		return ipAddrFamilyUnknown
-	}
-	ip, err := netip.ParseAddr(host)
-	if err != nil {
-		return ipAddrFamilyUnknown
-	}
-	switch {
-	case ip.Is4() || ip.Is4In6():
-		return ipAddrFamilyV4
-	case ip.Is6():
-		return ipAddrFamilyV6
-	default:
-		return ipAddrFamilyUnknown
-	}
-}
-
-// reconcileSubConnsLocked updates the active subchannels based on a new address
-// list from the resolver. It does this by:
-//   - closing subchannels: any existing subchannels associated with addresses
-//     that are no longer in the updated list are shut down.
-//   - removing subchannels: entries for these closed subchannels are removed
-//     from the subchannel map.
-//
-// This ensures that the subchannel map accurately reflects the current set of
-// addresses received from the name resolver.
-func (b *pickfirstBalancer) reconcileSubConnsLocked(newAddrs []resolver.Address) {
-	newAddrsMap := resolver.NewAddressMapV2[bool]()
-	for _, addr := range newAddrs {
-		newAddrsMap.Set(addr, true)
-	}
-
-	for _, oldAddr := range b.subConns.Keys() {
-		if _, ok := newAddrsMap.Get(oldAddr); ok {
-			continue
-		}
-		val, _ := b.subConns.Get(oldAddr)
-		val.subConn.Shutdown()
-		b.subConns.Delete(oldAddr)
-	}
-}
-
-// shutdownRemainingLocked shuts down remaining subConns. Called when a subConn
-// becomes ready, which means that all other subConn must be shutdown.
-func (b *pickfirstBalancer) shutdownRemainingLocked(selected *scData) {
-	b.cancelConnectionTimer()
-	for _, sd := range b.subConns.Values() {
-		if sd.subConn != selected.subConn {
-			sd.subConn.Shutdown()
-		}
-	}
-	b.subConns = resolver.NewAddressMapV2[*scData]()
-	b.subConns.Set(selected.addr, selected)
-}
-
-// requestConnectionLocked starts connecting on the subchannel corresponding to
-// the current address. If no subchannel exists, one is created. If the current
-// subchannel is in TransientFailure, a connection to the next address is
-// attempted until a subchannel is found.
-func (b *pickfirstBalancer) requestConnectionLocked() {
-	if !b.addressList.isValid() {
-		return
-	}
-	var lastErr error
-	for valid := true; valid; valid = b.addressList.increment() {
-		curAddr := b.addressList.currentAddress()
-		sd, ok := b.subConns.Get(curAddr)
-		if !ok {
-			var err error
-			// We want to assign the new scData to sd from the outer scope,
-			// hence we can't use := below.
-			sd, err = b.newSCData(curAddr)
-			if err != nil {
-				// This should never happen, unless the clientConn is being shut
-				// down.
-				if b.logger.V(2) {
-					b.logger.Infof("Failed to create a subConn for address %v: %v", curAddr.String(), err)
-				}
-				// Do nothing, the LB policy will be closed soon.
-				return
-			}
-			b.subConns.Set(curAddr, sd)
-		}
-
-		switch sd.rawConnectivityState {
-		case connectivity.Idle:
-			sd.subConn.Connect()
-			b.scheduleNextConnectionLocked()
-			return
-		case connectivity.TransientFailure:
-			// The SubConn is being re-used and failed during a previous pass
-			// over the addressList. It has not completed backoff yet.
-			// Mark it as having failed and try the next address.
-			sd.connectionFailedInFirstPass = true
-			lastErr = sd.lastErr
-			continue
-		case connectivity.Connecting:
-			// Wait for the connection attempt to complete or the timer to fire
-			// before attempting the next address.
-			b.scheduleNextConnectionLocked()
-			return
-		default:
-			b.logger.Errorf("SubConn with unexpected state %v present in SubConns map.", sd.rawConnectivityState)
-			return
-
-		}
-	}
-
-	// All the remaining addresses in the list are in TRANSIENT_FAILURE, end the
-	// first pass if possible.
-	b.endFirstPassIfPossibleLocked(lastErr)
-}
-
-func (b *pickfirstBalancer) scheduleNextConnectionLocked() {
-	b.cancelConnectionTimer()
-	if !b.addressList.hasNext() {
-		return
-	}
-	curAddr := b.addressList.currentAddress()
-	cancelled := false // Access to this is protected by the balancer's mutex.
-	closeFn := internal.TimeAfterFunc(connectionDelayInterval, func() {
-		b.mu.Lock()
-		defer b.mu.Unlock()
-		// If the scheduled task is cancelled while acquiring the mutex, return.
-		if cancelled {
-			return
-		}
-		if b.logger.V(2) {
-			b.logger.Infof("Happy Eyeballs timer expired while waiting for connection to %q.", curAddr.Addr)
-		}
-		if b.addressList.increment() {
-			b.requestConnectionLocked()
-		}
-	})
-	// Access to the cancellation callback held by the balancer is guarded by
-	// the balancer's mutex, so it's safe to set the boolean from the callback.
-	b.cancelConnectionTimer = sync.OnceFunc(func() {
-		cancelled = true
-		closeFn()
-	})
-}
-
-func (b *pickfirstBalancer) updateSubConnState(sd *scData, newState balancer.SubConnState) {
-	b.mu.Lock()
-	defer b.mu.Unlock()
-	oldState := sd.rawConnectivityState
-	sd.rawConnectivityState = newState.ConnectivityState
-	// Previously relevant SubConns can still callback with state updates.
-	// To prevent pickers from returning these obsolete SubConns, this logic
-	// is included to check if the current list of active SubConns includes this
-	// SubConn.
-	if !b.isActiveSCData(sd) {
-		return
-	}
-	if newState.ConnectivityState == connectivity.Shutdown {
-		sd.effectiveState = connectivity.Shutdown
-		return
-	}
-
-	// Record a connection attempt when exiting CONNECTING.
-	if newState.ConnectivityState == connectivity.TransientFailure {
-		sd.connectionFailedInFirstPass = true
-		connectionAttemptsFailedMetric.Record(b.metricsRecorder, 1, b.target)
-	}
-
-	if newState.ConnectivityState == connectivity.Ready {
-		connectionAttemptsSucceededMetric.Record(b.metricsRecorder, 1, b.target)
-		b.shutdownRemainingLocked(sd)
-		if !b.addressList.seekTo(sd.addr) {
-			// This should not fail as we should have only one SubConn after
-			// entering READY. The SubConn should be present in the addressList.
-			b.logger.Errorf("Address %q not found address list in  %v", sd.addr, b.addressList.addresses)
-			return
-		}
-		if !b.healthCheckingEnabled {
-			if b.logger.V(2) {
-				b.logger.Infof("SubConn %p reported connectivity state READY and the health listener is disabled. Transitioning SubConn to READY.", sd.subConn)
-			}
-
-			sd.effectiveState = connectivity.Ready
-			b.updateBalancerState(balancer.State{
-				ConnectivityState: connectivity.Ready,
-				Picker:            &picker{result: balancer.PickResult{SubConn: sd.subConn}},
-			})
-			return
-		}
-		if b.logger.V(2) {
-			b.logger.Infof("SubConn %p reported connectivity state READY. Registering health listener.", sd.subConn)
-		}
-		// Send a CONNECTING update to take the SubConn out of sticky-TF if
-		// required.
-		sd.effectiveState = connectivity.Connecting
-		b.updateBalancerState(balancer.State{
-			ConnectivityState: connectivity.Connecting,
-			Picker:            &picker{err: balancer.ErrNoSubConnAvailable},
-		})
-		sd.subConn.RegisterHealthListener(func(scs balancer.SubConnState) {
-			b.updateSubConnHealthState(sd, scs)
-		})
-		return
-	}
-
-	// If the LB policy is READY, and it receives a subchannel state change,
-	// it means that the READY subchannel has failed.
-	// A SubConn can also transition from CONNECTING directly to IDLE when
-	// a transport is successfully created, but the connection fails
-	// before the SubConn can send the notification for READY. We treat
-	// this as a successful connection and transition to IDLE.
-	// TODO: https://github.com/grpc/grpc-go/issues/7862 - Remove the second
-	// part of the if condition below once the issue is fixed.
-	if oldState == connectivity.Ready || (oldState == connectivity.Connecting && newState.ConnectivityState == connectivity.Idle) {
-		// Once a transport fails, the balancer enters IDLE and starts from
-		// the first address when the picker is used.
-		b.shutdownRemainingLocked(sd)
-		sd.effectiveState = newState.ConnectivityState
-		// READY SubConn interspliced in between CONNECTING and IDLE, need to
-		// account for that.
-		if oldState == connectivity.Connecting {
-			// A known issue (https://github.com/grpc/grpc-go/issues/7862)
-			// causes a race that prevents the READY state change notification.
-			// This works around it.
-			connectionAttemptsSucceededMetric.Record(b.metricsRecorder, 1, b.target)
-		}
-		disconnectionsMetric.Record(b.metricsRecorder, 1, b.target)
-		b.addressList.reset()
-		b.updateBalancerState(balancer.State{
-			ConnectivityState: connectivity.Idle,
-			Picker:            &idlePicker{exitIdle: sync.OnceFunc(b.ExitIdle)},
-		})
-		return
-	}
-
-	if b.firstPass {
-		switch newState.ConnectivityState {
-		case connectivity.Connecting:
-			// The effective state can be in either IDLE, CONNECTING or
-			// TRANSIENT_FAILURE. If it's  TRANSIENT_FAILURE, stay in
-			// TRANSIENT_FAILURE until it's READY. See A62.
-			if sd.effectiveState != connectivity.TransientFailure {
-				sd.effectiveState = connectivity.Connecting
-				b.updateBalancerState(balancer.State{
-					ConnectivityState: connectivity.Connecting,
-					Picker:            &picker{err: balancer.ErrNoSubConnAvailable},
-				})
-			}
-		case connectivity.TransientFailure:
-			sd.lastErr = newState.ConnectionError
-			sd.effectiveState = connectivity.TransientFailure
-			// Since we're re-using common SubConns while handling resolver
-			// updates, we could receive an out of turn TRANSIENT_FAILURE from
-			// a pass over the previous address list. Happy Eyeballs will also
-			// cause out of order updates to arrive.
-
-			if curAddr := b.addressList.currentAddress(); equalAddressIgnoringBalAttributes(&curAddr, &sd.addr) {
-				b.cancelConnectionTimer()
-				if b.addressList.increment() {
-					b.requestConnectionLocked()
-					return
-				}
-			}
-
-			// End the first pass if we've seen a TRANSIENT_FAILURE from all
-			// SubConns once.
-			b.endFirstPassIfPossibleLocked(newState.ConnectionError)
-		}
-		return
-	}
-
-	// We have finished the first pass, keep re-connecting failing SubConns.
-	switch newState.ConnectivityState {
-	case connectivity.TransientFailure:
-		b.numTF = (b.numTF + 1) % b.subConns.Len()
-		sd.lastErr = newState.ConnectionError
-		if b.numTF%b.subConns.Len() == 0 {
-			b.updateBalancerState(balancer.State{
-				ConnectivityState: connectivity.TransientFailure,
-				Picker:            &picker{err: newState.ConnectionError},
-			})
-		}
-		// We don't need to request re-resolution since the SubConn already
-		// does that before reporting TRANSIENT_FAILURE.
-		// TODO: #7534 - Move re-resolution requests from SubConn into
-		// pick_first.
-	case connectivity.Idle:
-		sd.subConn.Connect()
-	}
-}
-
-// endFirstPassIfPossibleLocked ends the first happy-eyeballs pass if all the
-// addresses are tried and their SubConns have reported a failure.
-func (b *pickfirstBalancer) endFirstPassIfPossibleLocked(lastErr error) {
-	// An optimization to avoid iterating over the entire SubConn map.
-	if b.addressList.isValid() {
-		return
-	}
-	// Connect() has been called on all the SubConns. The first pass can be
-	// ended if all the SubConns have reported a failure.
-	for _, sd := range b.subConns.Values() {
-		if !sd.connectionFailedInFirstPass {
-			return
-		}
-	}
-	b.firstPass = false
-	b.updateBalancerState(balancer.State{
-		ConnectivityState: connectivity.TransientFailure,
-		Picker:            &picker{err: lastErr},
-	})
-	// Start re-connecting all the SubConns that are already in IDLE.
-	for _, sd := range b.subConns.Values() {
-		if sd.rawConnectivityState == connectivity.Idle {
-			sd.subConn.Connect()
-		}
-	}
-}
-
-func (b *pickfirstBalancer) isActiveSCData(sd *scData) bool {
-	activeSD, found := b.subConns.Get(sd.addr)
-	return found && activeSD == sd
-}
-
-func (b *pickfirstBalancer) updateSubConnHealthState(sd *scData, state balancer.SubConnState) {
-	b.mu.Lock()
-	defer b.mu.Unlock()
-	// Previously relevant SubConns can still callback with state updates.
-	// To prevent pickers from returning these obsolete SubConns, this logic
-	// is included to check if the current list of active SubConns includes
-	// this SubConn.
-	if !b.isActiveSCData(sd) {
-		return
-	}
-	sd.effectiveState = state.ConnectivityState
-	switch state.ConnectivityState {
-	case connectivity.Ready:
-		b.updateBalancerState(balancer.State{
-			ConnectivityState: connectivity.Ready,
-			Picker:            &picker{result: balancer.PickResult{SubConn: sd.subConn}},
-		})
-	case connectivity.TransientFailure:
-		b.updateBalancerState(balancer.State{
-			ConnectivityState: connectivity.TransientFailure,
-			Picker:            &picker{err: fmt.Errorf("pickfirst: health check failure: %v", state.ConnectionError)},
-		})
-	case connectivity.Connecting:
-		b.updateBalancerState(balancer.State{
-			ConnectivityState: connectivity.Connecting,
-			Picker:            &picker{err: balancer.ErrNoSubConnAvailable},
-		})
-	default:
-		b.logger.Errorf("Got unexpected health update for SubConn %p: %v", state)
-	}
-}
-
-// updateBalancerState stores the state reported to the channel and calls
-// ClientConn.UpdateState(). As an optimization, it avoids sending duplicate
-// updates to the channel.
-func (b *pickfirstBalancer) updateBalancerState(newState balancer.State) {
-	// In case of TransientFailures allow the picker to be updated to update
-	// the connectivity error, in all other cases don't send duplicate state
-	// updates.
-	if newState.ConnectivityState == b.state && b.state != connectivity.TransientFailure {
-		return
-	}
-	b.forceUpdateConcludedStateLocked(newState)
-}
-
-// forceUpdateConcludedStateLocked stores the state reported to the channel and
-// calls ClientConn.UpdateState().
-// A separate function is defined to force update the ClientConn state since the
-// channel doesn't correctly assume that LB policies start in CONNECTING and
-// relies on LB policy to send an initial CONNECTING update.
-func (b *pickfirstBalancer) forceUpdateConcludedStateLocked(newState balancer.State) {
-	b.state = newState.ConnectivityState
-	b.cc.UpdateState(newState)
-}
-
-type picker struct {
-	result balancer.PickResult
-	err    error
-}
-
-func (p *picker) Pick(balancer.PickInfo) (balancer.PickResult, error) {
-	return p.result, p.err
-}
-
-// idlePicker is used when the SubConn is IDLE and kicks the SubConn into
-// CONNECTING when Pick is called.
-type idlePicker struct {
-	exitIdle func()
-}
-
-func (i *idlePicker) Pick(balancer.PickInfo) (balancer.PickResult, error) {
-	i.exitIdle()
-	return balancer.PickResult{}, balancer.ErrNoSubConnAvailable
-}
-
-// addressList manages sequentially iterating over addresses present in a list
-// of endpoints. It provides a 1 dimensional view of the addresses present in
-// the endpoints.
-// This type is not safe for concurrent access.
-type addressList struct {
-	addresses []resolver.Address
-	idx       int
-}
-
-func (al *addressList) isValid() bool {
-	return al.idx < len(al.addresses)
-}
-
-func (al *addressList) size() int {
-	return len(al.addresses)
-}
-
-// increment moves to the next index in the address list.
-// This method returns false if it went off the list, true otherwise.
-func (al *addressList) increment() bool {
-	if !al.isValid() {
-		return false
-	}
-	al.idx++
-	return al.idx < len(al.addresses)
-}
-
-// currentAddress returns the current address pointed to in the addressList.
-// If the list is in an invalid state, it returns an empty address instead.
-func (al *addressList) currentAddress() resolver.Address {
-	if !al.isValid() {
-		return resolver.Address{}
-	}
-	return al.addresses[al.idx]
-}
-
-func (al *addressList) reset() {
-	al.idx = 0
-}
-
-func (al *addressList) updateAddrs(addrs []resolver.Address) {
-	al.addresses = addrs
-	al.reset()
-}
-
-// seekTo returns false if the needle was not found and the current index was
-// left unchanged.
-func (al *addressList) seekTo(needle resolver.Address) bool {
-	for ai, addr := range al.addresses {
-		if !equalAddressIgnoringBalAttributes(&addr, &needle) {
-			continue
-		}
-		al.idx = ai
-		return true
-	}
-	return false
-}
-
-// hasNext returns whether incrementing the addressList will result in moving
-// past the end of the list. If the list has already moved past the end, it
-// returns false.
-func (al *addressList) hasNext() bool {
-	if !al.isValid() {
-		return false
-	}
-	return al.idx+1 < len(al.addresses)
-}
-
-// equalAddressIgnoringBalAttributes returns true is a and b are considered
-// equal. This is different from the Equal method on the resolver.Address type
-// which considers all fields to determine equality. Here, we only consider
-// fields that are meaningful to the SubConn.
-func equalAddressIgnoringBalAttributes(a, b *resolver.Address) bool {
-	return a.Addr == b.Addr && a.ServerName == b.ServerName &&
-		a.Attributes.Equal(b.Attributes)
-}
diff --git a/vendor/google.golang.org/grpc/balancer/roundrobin/roundrobin.go b/vendor/google.golang.org/grpc/balancer/roundrobin/roundrobin.go
index 22045bf394..22e6e32679 100644
--- a/vendor/google.golang.org/grpc/balancer/roundrobin/roundrobin.go
+++ b/vendor/google.golang.org/grpc/balancer/roundrobin/roundrobin.go
@@ -26,7 +26,7 @@ import (
 
 	"google.golang.org/grpc/balancer"
 	"google.golang.org/grpc/balancer/endpointsharding"
-	"google.golang.org/grpc/balancer/pickfirst/pickfirstleaf"
+	"google.golang.org/grpc/balancer/pickfirst"
 	"google.golang.org/grpc/grpclog"
 	internalgrpclog "google.golang.org/grpc/internal/grpclog"
 )
@@ -47,7 +47,7 @@ func (bb builder) Name() string {
 }
 
 func (bb builder) Build(cc balancer.ClientConn, opts balancer.BuildOptions) balancer.Balancer {
-	childBuilder := balancer.Get(pickfirstleaf.Name).Build
+	childBuilder := balancer.Get(pickfirst.Name).Build
 	bal := &rrBalancer{
 		cc:       cc,
 		Balancer: endpointsharding.NewBalancer(cc, opts, childBuilder, endpointsharding.Options{}),
@@ -67,6 +67,6 @@ func (b *rrBalancer) UpdateClientConnState(ccs balancer.ClientConnState) error {
 	return b.Balancer.UpdateClientConnState(balancer.ClientConnState{
 		// Enable the health listener in pickfirst children for client side health
 		// checks and outlier detection, if configured.
-		ResolverState: pickfirstleaf.EnableHealthListener(ccs.ResolverState),
+		ResolverState: pickfirst.EnableHealthListener(ccs.ResolverState),
 	})
 }
diff --git a/vendor/google.golang.org/grpc/balancer_wrapper.go b/vendor/google.golang.org/grpc/balancer_wrapper.go
index 948a21ef68..2c760e623f 100644
--- a/vendor/google.golang.org/grpc/balancer_wrapper.go
+++ b/vendor/google.golang.org/grpc/balancer_wrapper.go
@@ -450,13 +450,14 @@ func (acbw *acBalancerWrapper) healthListenerRegFn() func(context.Context, func(
 	if acbw.ccb.cc.dopts.disableHealthCheck {
 		return noOpRegisterHealthListenerFn
 	}
+	cfg := acbw.ac.cc.healthCheckConfig()
+	if cfg == nil {
+		return noOpRegisterHealthListenerFn
+	}
 	regHealthLisFn := internal.RegisterClientHealthCheckListener
 	if regHealthLisFn == nil {
 		// The health package is not imported.
-		return noOpRegisterHealthListenerFn
-	}
-	cfg := acbw.ac.cc.healthCheckConfig()
-	if cfg == nil {
+		channelz.Error(logger, acbw.ac.channelz, "Health check is requested but health package is not imported.")
 		return noOpRegisterHealthListenerFn
 	}
 	return func(ctx context.Context, listener func(balancer.SubConnState)) func() {
diff --git a/vendor/google.golang.org/grpc/binarylog/grpc_binarylog_v1/binarylog.pb.go b/vendor/google.golang.org/grpc/binarylog/grpc_binarylog_v1/binarylog.pb.go
index b1364a0325..42c61cf9fe 100644
--- a/vendor/google.golang.org/grpc/binarylog/grpc_binarylog_v1/binarylog.pb.go
+++ b/vendor/google.golang.org/grpc/binarylog/grpc_binarylog_v1/binarylog.pb.go
@@ -18,7 +18,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.6
+// 	protoc-gen-go v1.36.10
 // 	protoc        v5.27.1
 // source: grpc/binlog/v1/binarylog.proto
 
diff --git a/vendor/google.golang.org/grpc/clientconn.go b/vendor/google.golang.org/grpc/clientconn.go
index 3f762285db..b767d3e33e 100644
--- a/vendor/google.golang.org/grpc/clientconn.go
+++ b/vendor/google.golang.org/grpc/clientconn.go
@@ -35,16 +35,19 @@ import (
 	"google.golang.org/grpc/balancer/pickfirst"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/connectivity"
+	"google.golang.org/grpc/credentials"
+	expstats "google.golang.org/grpc/experimental/stats"
 	"google.golang.org/grpc/internal"
 	"google.golang.org/grpc/internal/channelz"
 	"google.golang.org/grpc/internal/grpcsync"
 	"google.golang.org/grpc/internal/idle"
 	iresolver "google.golang.org/grpc/internal/resolver"
-	"google.golang.org/grpc/internal/stats"
+	istats "google.golang.org/grpc/internal/stats"
 	"google.golang.org/grpc/internal/transport"
 	"google.golang.org/grpc/keepalive"
 	"google.golang.org/grpc/resolver"
 	"google.golang.org/grpc/serviceconfig"
+	"google.golang.org/grpc/stats"
 	"google.golang.org/grpc/status"
 
 	_ "google.golang.org/grpc/balancer/roundrobin"           // To register roundrobin.
@@ -97,6 +100,41 @@ var (
 	errTransportCredentialsMissing = errors.New("grpc: the credentials require transport level security (use grpc.WithTransportCredentials() to set)")
 )
 
+var (
+	disconnectionsMetric = expstats.RegisterInt64Count(expstats.MetricDescriptor{
+		Name:           "grpc.subchannel.disconnections",
+		Description:    "EXPERIMENTAL. Number of times the selected subchannel becomes disconnected.",
+		Unit:           "{disconnection}",
+		Labels:         []string{"grpc.target"},
+		OptionalLabels: []string{"grpc.lb.backend_service", "grpc.lb.locality", "grpc.disconnect_error"},
+		Default:        false,
+	})
+	connectionAttemptsSucceededMetric = expstats.RegisterInt64Count(expstats.MetricDescriptor{
+		Name:           "grpc.subchannel.connection_attempts_succeeded",
+		Description:    "EXPERIMENTAL. Number of successful connection attempts.",
+		Unit:           "{attempt}",
+		Labels:         []string{"grpc.target"},
+		OptionalLabels: []string{"grpc.lb.backend_service", "grpc.lb.locality"},
+		Default:        false,
+	})
+	connectionAttemptsFailedMetric = expstats.RegisterInt64Count(expstats.MetricDescriptor{
+		Name:           "grpc.subchannel.connection_attempts_failed",
+		Description:    "EXPERIMENTAL. Number of failed connection attempts.",
+		Unit:           "{attempt}",
+		Labels:         []string{"grpc.target"},
+		OptionalLabels: []string{"grpc.lb.backend_service", "grpc.lb.locality"},
+		Default:        false,
+	})
+	openConnectionsMetric = expstats.RegisterInt64UpDownCount(expstats.MetricDescriptor{
+		Name:           "grpc.subchannel.open_connections",
+		Description:    "EXPERIMENTAL. Number of open connections.",
+		Unit:           "{attempt}",
+		Labels:         []string{"grpc.target"},
+		OptionalLabels: []string{"grpc.lb.backend_service", "grpc.security_level", "grpc.lb.locality"},
+		Default:        false,
+	})
+)
+
 const (
 	defaultClientMaxReceiveMessageSize = 1024 * 1024 * 4
 	defaultClientMaxSendMessageSize    = math.MaxInt32
@@ -210,7 +248,8 @@ func NewClient(target string, opts ...DialOption) (conn *ClientConn, err error)
 	cc.csMgr = newConnectivityStateManager(cc.ctx, cc.channelz)
 	cc.pickerWrapper = newPickerWrapper()
 
-	cc.metricsRecorderList = stats.NewMetricsRecorderList(cc.dopts.copts.StatsHandlers)
+	cc.metricsRecorderList = istats.NewMetricsRecorderList(cc.dopts.copts.StatsHandlers)
+	cc.statsHandler = istats.NewCombinedHandler(cc.dopts.copts.StatsHandlers...)
 
 	cc.initIdleStateLocked() // Safe to call without the lock, since nothing else has a reference to cc.
 	cc.idlenessMgr = idle.NewManager((*idler)(cc), cc.dopts.idleTimeout)
@@ -260,9 +299,10 @@ func DialContext(ctx context.Context, target string, opts ...DialOption) (conn *
 	}()
 
 	// This creates the name resolver, load balancer, etc.
-	if err := cc.idlenessMgr.ExitIdleMode(); err != nil {
-		return nil, err
+	if err := cc.exitIdleMode(); err != nil {
+		return nil, fmt.Errorf("failed to exit idle mode: %w", err)
 	}
+	cc.idlenessMgr.UnsafeSetNotIdle()
 
 	// Return now for non-blocking dials.
 	if !cc.dopts.block {
@@ -330,7 +370,7 @@ func (cc *ClientConn) addTraceEvent(msg string) {
 			Severity: channelz.CtInfo,
 		}
 	}
-	channelz.AddTraceEvent(logger, cc.channelz, 0, ted)
+	channelz.AddTraceEvent(logger, cc.channelz, 1, ted)
 }
 
 type idler ClientConn
@@ -339,14 +379,17 @@ func (i *idler) EnterIdleMode() {
 	(*ClientConn)(i).enterIdleMode()
 }
 
-func (i *idler) ExitIdleMode() error {
-	return (*ClientConn)(i).exitIdleMode()
+func (i *idler) ExitIdleMode() {
+	// Ignore the error returned from this method, because from the perspective
+	// of the caller (idleness manager), the channel would have always moved out
+	// of IDLE by the time this method returns.
+	(*ClientConn)(i).exitIdleMode()
 }
 
 // exitIdleMode moves the channel out of idle mode by recreating the name
 // resolver and load balancer.  This should never be called directly; use
 // cc.idlenessMgr.ExitIdleMode instead.
-func (cc *ClientConn) exitIdleMode() (err error) {
+func (cc *ClientConn) exitIdleMode() error {
 	cc.mu.Lock()
 	if cc.conns == nil {
 		cc.mu.Unlock()
@@ -354,11 +397,23 @@ func (cc *ClientConn) exitIdleMode() (err error) {
 	}
 	cc.mu.Unlock()
 
+	// Set state to CONNECTING before building the name resolver
+	// so the channel does not remain in IDLE.
+	cc.csMgr.updateState(connectivity.Connecting)
+
 	// This needs to be called without cc.mu because this builds a new resolver
 	// which might update state or report error inline, which would then need to
 	// acquire cc.mu.
 	if err := cc.resolverWrapper.start(); err != nil {
-		return err
+		// If resolver creation fails, treat it like an error reported by the
+		// resolver before any valid updates. Set channel's state to
+		// TransientFailure, and set an erroring picker with the resolver build
+		// error, which will returned as part of any subsequent RPCs.
+		logger.Warningf("Failed to start resolver: %v", err)
+		cc.csMgr.updateState(connectivity.TransientFailure)
+		cc.mu.Lock()
+		cc.updateResolverStateAndUnlock(resolver.State{}, err)
+		return fmt.Errorf("failed to start resolver: %w", err)
 	}
 
 	cc.addTraceEvent("exiting idle mode")
@@ -456,7 +511,7 @@ func (cc *ClientConn) validateTransportCredentials() error {
 func (cc *ClientConn) channelzRegistration(target string) {
 	parentChannel, _ := cc.dopts.channelzParent.(*channelz.Channel)
 	cc.channelz = channelz.RegisterChannel(parentChannel, target)
-	cc.addTraceEvent("created")
+	cc.addTraceEvent(fmt.Sprintf("created for target %q", target))
 }
 
 // chainUnaryClientInterceptors chains all unary client interceptors into one.
@@ -621,7 +676,8 @@ type ClientConn struct {
 	channelz            *channelz.Channel // Channelz object.
 	resolverBuilder     resolver.Builder  // See initParsedTargetAndResolverBuilder().
 	idlenessMgr         *idle.Manager
-	metricsRecorderList *stats.MetricsRecorderList
+	metricsRecorderList *istats.MetricsRecorderList
+	statsHandler        stats.Handler
 
 	// The following provide their own synchronization, and therefore don't
 	// require cc.mu to be held to access them.
@@ -678,10 +734,8 @@ func (cc *ClientConn) GetState() connectivity.State {
 // Notice: This API is EXPERIMENTAL and may be changed or removed in a later
 // release.
 func (cc *ClientConn) Connect() {
-	if err := cc.idlenessMgr.ExitIdleMode(); err != nil {
-		cc.addTraceEvent(err.Error())
-		return
-	}
+	cc.idlenessMgr.ExitIdleMode()
+
 	// If the ClientConn was not in idle mode, we need to call ExitIdle on the
 	// LB policy so that connections can be created.
 	cc.mu.Lock()
@@ -732,8 +786,8 @@ func init() {
 	internal.EnterIdleModeForTesting = func(cc *ClientConn) {
 		cc.idlenessMgr.EnterIdleModeForTesting()
 	}
-	internal.ExitIdleModeForTesting = func(cc *ClientConn) error {
-		return cc.idlenessMgr.ExitIdleMode()
+	internal.ExitIdleModeForTesting = func(cc *ClientConn) {
+		cc.idlenessMgr.ExitIdleMode()
 	}
 }
 
@@ -858,6 +912,7 @@ func (cc *ClientConn) newAddrConnLocked(addrs []resolver.Address, opts balancer.
 		channelz:     channelz.RegisterSubChannel(cc.channelz, ""),
 		resetBackoff: make(chan struct{}),
 	}
+	ac.updateTelemetryLabelsLocked()
 	ac.ctx, ac.cancel = context.WithCancel(cc.ctx)
 	// Start with our address set to the first address; this may be updated if
 	// we connect to different addresses.
@@ -974,7 +1029,7 @@ func (ac *addrConn) updateAddrs(addrs []resolver.Address) {
 	}
 
 	ac.addrs = addrs
-
+	ac.updateTelemetryLabelsLocked()
 	if ac.state == connectivity.Shutdown ||
 		ac.state == connectivity.TransientFailure ||
 		ac.state == connectivity.Idle {
@@ -1213,6 +1268,9 @@ type addrConn struct {
 	resetBackoff chan struct{}
 
 	channelz *channelz.SubChannel
+
+	localityLabel       string
+	backendServiceLabel string
 }
 
 // Note: this requires a lock on ac.mu.
@@ -1220,6 +1278,18 @@ func (ac *addrConn) updateConnectivityState(s connectivity.State, lastErr error)
 	if ac.state == s {
 		return
 	}
+
+	// If we are transitioning out of Ready, it means there is a disconnection.
+	// A SubConn can also transition from CONNECTING directly to IDLE when
+	// a transport is successfully created, but the connection fails
+	// before the SubConn can send the notification for READY. We treat
+	// this as a successful connection and transition to IDLE.
+	// TODO: https://github.com/grpc/grpc-go/issues/7862 - Remove the second
+	// part of the if condition below once the issue is fixed.
+	if ac.state == connectivity.Ready || (ac.state == connectivity.Connecting && s == connectivity.Idle) {
+		disconnectionsMetric.Record(ac.cc.metricsRecorderList, 1, ac.cc.target, ac.backendServiceLabel, ac.localityLabel, "unknown")
+		openConnectionsMetric.Record(ac.cc.metricsRecorderList, -1, ac.cc.target, ac.backendServiceLabel, ac.securityLevelLocked(), ac.localityLabel)
+	}
 	ac.state = s
 	ac.channelz.ChannelMetrics.State.Store(&s)
 	if lastErr == nil {
@@ -1277,6 +1347,15 @@ func (ac *addrConn) resetTransportAndUnlock() {
 	ac.mu.Unlock()
 
 	if err := ac.tryAllAddrs(acCtx, addrs, connectDeadline); err != nil {
+		if !errors.Is(err, context.Canceled) {
+			connectionAttemptsFailedMetric.Record(ac.cc.metricsRecorderList, 1, ac.cc.target, ac.backendServiceLabel, ac.localityLabel)
+		} else {
+			if logger.V(2) {
+				// This records cancelled connection attempts which can be later
+				// replaced by a metric.
+				logger.Infof("Context cancellation detected; not recording this as a failed connection attempt.")
+			}
+		}
 		// TODO: #7534 - Move re-resolution requests into the pick_first LB policy
 		// to ensure one resolution request per pass instead of per subconn failure.
 		ac.cc.resolveNow(resolver.ResolveNowOptions{})
@@ -1316,10 +1395,50 @@ func (ac *addrConn) resetTransportAndUnlock() {
 	}
 	// Success; reset backoff.
 	ac.mu.Lock()
+	connectionAttemptsSucceededMetric.Record(ac.cc.metricsRecorderList, 1, ac.cc.target, ac.backendServiceLabel, ac.localityLabel)
+	openConnectionsMetric.Record(ac.cc.metricsRecorderList, 1, ac.cc.target, ac.backendServiceLabel, ac.securityLevelLocked(), ac.localityLabel)
 	ac.backoffIdx = 0
 	ac.mu.Unlock()
 }
 
+// updateTelemetryLabelsLocked calculates and caches the telemetry labels based on the
+// first address in addrConn.
+func (ac *addrConn) updateTelemetryLabelsLocked() {
+	labelsFunc, ok := internal.AddressToTelemetryLabels.(func(resolver.Address) map[string]string)
+	if !ok || len(ac.addrs) == 0 {
+		// Reset defaults
+		ac.localityLabel = ""
+		ac.backendServiceLabel = ""
+		return
+	}
+	labels := labelsFunc(ac.addrs[0])
+	ac.localityLabel = labels["grpc.lb.locality"]
+	ac.backendServiceLabel = labels["grpc.lb.backend_service"]
+}
+
+type securityLevelKey struct{}
+
+func (ac *addrConn) securityLevelLocked() string {
+	var secLevel string
+	// During disconnection, ac.transport is nil. Fall back to the security level
+	// stored in the current address during connection.
+	if ac.transport == nil {
+		secLevel, _ = ac.curAddr.Attributes.Value(securityLevelKey{}).(string)
+		return secLevel
+	}
+	authInfo := ac.transport.Peer().AuthInfo
+	if ci, ok := authInfo.(interface {
+		GetCommonAuthInfo() credentials.CommonAuthInfo
+	}); ok {
+		secLevel = ci.GetCommonAuthInfo().SecurityLevel.String()
+		// Store the security level in the current address' attributes so
+		// that it remains available for disconnection metrics after the
+		// transport is closed.
+		ac.curAddr.Attributes = ac.curAddr.Attributes.WithValue(securityLevelKey{}, secLevel)
+	}
+	return secLevel
+}
+
 // tryAllAddrs tries to create a connection to the addresses, and stop when at
 // the first successful one. It returns an error if no address was successfully
 // connected, or updates ac appropriately with the new transport.
diff --git a/vendor/google.golang.org/grpc/credentials/credentials.go b/vendor/google.golang.org/grpc/credentials/credentials.go
index c8e337cdda..06f6c6c70a 100644
--- a/vendor/google.golang.org/grpc/credentials/credentials.go
+++ b/vendor/google.golang.org/grpc/credentials/credentials.go
@@ -44,8 +44,7 @@ type PerRPCCredentials interface {
 	// A54). uri is the URI of the entry point for the request.  When supported
 	// by the underlying implementation, ctx can be used for timeout and
 	// cancellation. Additionally, RequestInfo data will be available via ctx
-	// to this call.  TODO(zhaoq): Define the set of the qualified keys instead
-	// of leaving it as an arbitrary string.
+	// to this call.
 	GetRequestMetadata(ctx context.Context, uri ...string) (map[string]string, error)
 	// RequireTransportSecurity indicates whether the credentials requires
 	// transport security.
diff --git a/vendor/google.golang.org/grpc/encoding/encoding.go b/vendor/google.golang.org/grpc/encoding/encoding.go
index 11d0ae142c..dadd21e40f 100644
--- a/vendor/google.golang.org/grpc/encoding/encoding.go
+++ b/vendor/google.golang.org/grpc/encoding/encoding.go
@@ -27,8 +27,10 @@ package encoding
 
 import (
 	"io"
+	"slices"
 	"strings"
 
+	"google.golang.org/grpc/encoding/internal"
 	"google.golang.org/grpc/internal/grpcutil"
 )
 
@@ -36,6 +38,24 @@ import (
 // It is intended for grpc internal use only.
 const Identity = "identity"
 
+func init() {
+	internal.RegisterCompressorForTesting = func(c Compressor) func() {
+		name := c.Name()
+		curCompressor, found := registeredCompressor[name]
+		RegisterCompressor(c)
+		return func() {
+			if found {
+				registeredCompressor[name] = curCompressor
+				return
+			}
+			delete(registeredCompressor, name)
+			grpcutil.RegisteredCompressorNames = slices.DeleteFunc(grpcutil.RegisteredCompressorNames, func(s string) bool {
+				return s == name
+			})
+		}
+	}
+}
+
 // Compressor is used for compressing and decompressing when sending or
 // receiving messages.
 //
diff --git a/vendor/google.golang.org/grpc/encoding/internal/internal.go b/vendor/google.golang.org/grpc/encoding/internal/internal.go
new file mode 100644
index 0000000000..ee9acb4377
--- /dev/null
+++ b/vendor/google.golang.org/grpc/encoding/internal/internal.go
@@ -0,0 +1,28 @@
+/*
+ *
+ * Copyright 2025 gRPC authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+// Package internal contains code internal to the encoding package.
+package internal
+
+// RegisterCompressorForTesting registers a compressor in the global compressor
+// registry. It returns a cleanup function that should be called at the end
+// of the test to unregister the compressor.
+//
+// This prevents compressors registered in one test from appearing in the
+// encoding headers of subsequent tests.
+var RegisterCompressorForTesting any // func RegisterCompressor(c Compressor) func()
diff --git a/vendor/google.golang.org/grpc/encoding/proto/proto.go b/vendor/google.golang.org/grpc/encoding/proto/proto.go
index ceec319dd2..1ab874c7ad 100644
--- a/vendor/google.golang.org/grpc/encoding/proto/proto.go
+++ b/vendor/google.golang.org/grpc/encoding/proto/proto.go
@@ -46,9 +46,25 @@ func (c *codecV2) Marshal(v any) (data mem.BufferSlice, err error) {
 		return nil, fmt.Errorf("proto: failed to marshal, message is %T, want proto.Message", v)
 	}
 
+	// Important: if we remove this Size call then we cannot use
+	// UseCachedSize in MarshalOptions below.
 	size := proto.Size(vv)
+
+	// MarshalOptions with UseCachedSize allows reusing the result from the
+	// previous Size call. This is safe here because:
+	//
+	// 1. We just computed the size.
+	// 2. We assume the message is not being mutated concurrently.
+	//
+	// Important: If the proto.Size call above is removed, using UseCachedSize
+	// becomes unsafe and may lead to incorrect marshaling.
+	//
+	// For more details, see the doc of UseCachedSize:
+	// https://pkg.go.dev/google.golang.org/protobuf/proto#MarshalOptions
+	marshalOptions := proto.MarshalOptions{UseCachedSize: true}
+
 	if mem.IsBelowBufferPoolingThreshold(size) {
-		buf, err := proto.Marshal(vv)
+		buf, err := marshalOptions.Marshal(vv)
 		if err != nil {
 			return nil, err
 		}
@@ -56,7 +72,7 @@ func (c *codecV2) Marshal(v any) (data mem.BufferSlice, err error) {
 	} else {
 		pool := mem.DefaultBufferPool()
 		buf := pool.Get(size)
-		if _, err := (proto.MarshalOptions{}).MarshalAppend((*buf)[:0], vv); err != nil {
+		if _, err := marshalOptions.MarshalAppend((*buf)[:0], vv); err != nil {
 			pool.Put(buf)
 			return nil, err
 		}
diff --git a/vendor/google.golang.org/grpc/experimental/stats/metricregistry.go b/vendor/google.golang.org/grpc/experimental/stats/metricregistry.go
index ad75313a18..472813f58f 100644
--- a/vendor/google.golang.org/grpc/experimental/stats/metricregistry.go
+++ b/vendor/google.golang.org/grpc/experimental/stats/metricregistry.go
@@ -75,6 +75,8 @@ const (
 	MetricTypeIntHisto
 	MetricTypeFloatHisto
 	MetricTypeIntGauge
+	MetricTypeIntUpDownCount
+	MetricTypeIntAsyncGauge
 )
 
 // Int64CountHandle is a typed handle for a int count metric. This handle
@@ -93,6 +95,23 @@ func (h *Int64CountHandle) Record(recorder MetricsRecorder, incr int64, labels .
 	recorder.RecordInt64Count(h, incr, labels...)
 }
 
+// Int64UpDownCountHandle is a typed handle for an int up-down counter metric.
+// This handle is passed at the recording point in order to know which metric
+// to record on.
+type Int64UpDownCountHandle MetricDescriptor
+
+// Descriptor returns the int64 up-down counter handle typecast to a pointer to a
+// MetricDescriptor.
+func (h *Int64UpDownCountHandle) Descriptor() *MetricDescriptor {
+	return (*MetricDescriptor)(h)
+}
+
+// Record records the int64 up-down counter value on the metrics recorder provided.
+// The value 'v' can be positive to increment or negative to decrement.
+func (h *Int64UpDownCountHandle) Record(recorder MetricsRecorder, v int64, labels ...string) {
+	recorder.RecordInt64UpDownCount(h, v, labels...)
+}
+
 // Float64CountHandle is a typed handle for a float count metric. This handle is
 // passed at the recording point in order to know which metric to record on.
 type Float64CountHandle MetricDescriptor
@@ -154,6 +173,30 @@ func (h *Int64GaugeHandle) Record(recorder MetricsRecorder, incr int64, labels .
 	recorder.RecordInt64Gauge(h, incr, labels...)
 }
 
+// AsyncMetric is a marker interface for asynchronous metric types.
+type AsyncMetric interface {
+	isAsync()
+	Descriptor() *MetricDescriptor
+}
+
+// Int64AsyncGaugeHandle is a typed handle for an int gauge metric. This handle is
+// passed at the recording point in order to know which metric to record on.
+type Int64AsyncGaugeHandle MetricDescriptor
+
+// isAsync implements the AsyncMetric interface.
+func (h *Int64AsyncGaugeHandle) isAsync() {}
+
+// Descriptor returns the int64 gauge handle typecast to a pointer to a
+// MetricDescriptor.
+func (h *Int64AsyncGaugeHandle) Descriptor() *MetricDescriptor {
+	return (*MetricDescriptor)(h)
+}
+
+// Record records the int64 gauge value on the metrics recorder provided.
+func (h *Int64AsyncGaugeHandle) Record(recorder AsyncMetricsRecorder, value int64, labels ...string) {
+	recorder.RecordInt64AsyncGauge(h, value, labels...)
+}
+
 // registeredMetrics are the registered metric descriptor names.
 var registeredMetrics = make(map[string]bool)
 
@@ -249,6 +292,35 @@ func RegisterInt64Gauge(descriptor MetricDescriptor) *Int64GaugeHandle {
 	return (*Int64GaugeHandle)(descPtr)
 }
 
+// RegisterInt64UpDownCount registers the metric description onto the global registry.
+// It returns a typed handle to use for recording data.
+//
+// NOTE: this function must only be called during initialization time (i.e. in
+// an init() function), and is not thread-safe. If multiple metrics are
+// registered with the same name, this function will panic.
+func RegisterInt64UpDownCount(descriptor MetricDescriptor) *Int64UpDownCountHandle {
+	registerMetric(descriptor.Name, descriptor.Default)
+	// Set the specific metric type for the up-down counter
+	descriptor.Type = MetricTypeIntUpDownCount
+	descPtr := &descriptor
+	metricsRegistry[descriptor.Name] = descPtr
+	return (*Int64UpDownCountHandle)(descPtr)
+}
+
+// RegisterInt64AsyncGauge registers the metric description onto the global registry.
+// It returns a typed handle to use for recording data.
+//
+// NOTE: this function must only be called during initialization time (i.e. in
+// an init() function), and is not thread-safe. If multiple metrics are
+// registered with the same name, this function will panic.
+func RegisterInt64AsyncGauge(descriptor MetricDescriptor) *Int64AsyncGaugeHandle {
+	registerMetric(descriptor.Name, descriptor.Default)
+	descriptor.Type = MetricTypeIntAsyncGauge
+	descPtr := &descriptor
+	metricsRegistry[descriptor.Name] = descPtr
+	return (*Int64AsyncGaugeHandle)(descPtr)
+}
+
 // snapshotMetricsRegistryForTesting snapshots the global data of the metrics
 // registry. Returns a cleanup function that sets the metrics registry to its
 // original state.
diff --git a/vendor/google.golang.org/grpc/experimental/stats/metrics.go b/vendor/google.golang.org/grpc/experimental/stats/metrics.go
index ee1423605a..d7d404cbe4 100644
--- a/vendor/google.golang.org/grpc/experimental/stats/metrics.go
+++ b/vendor/google.golang.org/grpc/experimental/stats/metrics.go
@@ -38,6 +38,16 @@ type MetricsRecorder interface {
 	// RecordInt64Gauge records the measurement alongside labels on the int
 	// gauge associated with the provided handle.
 	RecordInt64Gauge(handle *Int64GaugeHandle, incr int64, labels ...string)
+	// RecordInt64UpDownCounter records the measurement alongside labels on the int
+	// count associated with the provided handle.
+	RecordInt64UpDownCount(handle *Int64UpDownCountHandle, incr int64, labels ...string)
+}
+
+// AsyncMetricsRecorder records on asynchronous metrics derived from metric registry.
+type AsyncMetricsRecorder interface {
+	// RecordInt64AsyncGauge records the measurement alongside labels on the int
+	// count associated with the provided handle asynchronously
+	RecordInt64AsyncGauge(handle *Int64AsyncGaugeHandle, incr int64, labels ...string)
 }
 
 // Metrics is an experimental legacy alias of the now-stable stats.MetricSet.
diff --git a/vendor/google.golang.org/grpc/health/grpc_health_v1/health.pb.go b/vendor/google.golang.org/grpc/health/grpc_health_v1/health.pb.go
index 22d263fb94..8f7d9f6bbe 100644
--- a/vendor/google.golang.org/grpc/health/grpc_health_v1/health.pb.go
+++ b/vendor/google.golang.org/grpc/health/grpc_health_v1/health.pb.go
@@ -17,7 +17,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.6
+// 	protoc-gen-go v1.36.10
 // 	protoc        v5.27.1
 // source: grpc/health/v1/health.proto
 
diff --git a/vendor/google.golang.org/grpc/health/grpc_health_v1/health_grpc.pb.go b/vendor/google.golang.org/grpc/health/grpc_health_v1/health_grpc.pb.go
index f2c01f296a..e99cd5c838 100644
--- a/vendor/google.golang.org/grpc/health/grpc_health_v1/health_grpc.pb.go
+++ b/vendor/google.golang.org/grpc/health/grpc_health_v1/health_grpc.pb.go
@@ -17,7 +17,7 @@
 
 // Code generated by protoc-gen-go-grpc. DO NOT EDIT.
 // versions:
-// - protoc-gen-go-grpc v1.5.1
+// - protoc-gen-go-grpc v1.6.0
 // - protoc             v5.27.1
 // source: grpc/health/v1/health.proto
 
diff --git a/vendor/google.golang.org/grpc/internal/balancer/gracefulswitch/gracefulswitch.go b/vendor/google.golang.org/grpc/internal/balancer/gracefulswitch/gracefulswitch.go
index ba25b89887..f38de74a49 100644
--- a/vendor/google.golang.org/grpc/internal/balancer/gracefulswitch/gracefulswitch.go
+++ b/vendor/google.golang.org/grpc/internal/balancer/gracefulswitch/gracefulswitch.go
@@ -67,6 +67,10 @@ type Balancer struct {
 	// balancerCurrent before the UpdateSubConnState is called on the
 	// balancerCurrent.
 	currentMu sync.Mutex
+
+	// activeGoroutines tracks all the goroutines that this balancer has started
+	// and that should be waited on when the balancer closes.
+	activeGoroutines sync.WaitGroup
 }
 
 // swap swaps out the current lb with the pending lb and updates the ClientConn.
@@ -76,7 +80,9 @@ func (gsb *Balancer) swap() {
 	cur := gsb.balancerCurrent
 	gsb.balancerCurrent = gsb.balancerPending
 	gsb.balancerPending = nil
+	gsb.activeGoroutines.Add(1)
 	go func() {
+		defer gsb.activeGoroutines.Done()
 		gsb.currentMu.Lock()
 		defer gsb.currentMu.Unlock()
 		cur.Close()
@@ -274,6 +280,7 @@ func (gsb *Balancer) Close() {
 
 	currentBalancerToClose.Close()
 	pendingBalancerToClose.Close()
+	gsb.activeGoroutines.Wait()
 }
 
 // balancerWrapper wraps a balancer.Balancer, and overrides some Balancer
@@ -324,7 +331,12 @@ func (bw *balancerWrapper) UpdateState(state balancer.State) {
 	defer bw.gsb.mu.Unlock()
 	bw.lastState = state
 
+	// If Close() acquires the mutex before UpdateState(), the balancer
+	// will already have been removed from the current or pending state when
+	// reaching this point.
 	if !bw.gsb.balancerCurrentOrPending(bw) {
+		// Returning here ensures that (*Balancer).swap() is not invoked after
+		// (*Balancer).Close() and therefore prevents "use after close".
 		return
 	}
 
diff --git a/vendor/google.golang.org/grpc/internal/buffer/unbounded.go b/vendor/google.golang.org/grpc/internal/buffer/unbounded.go
index 11f91668ac..467392b8d4 100644
--- a/vendor/google.golang.org/grpc/internal/buffer/unbounded.go
+++ b/vendor/google.golang.org/grpc/internal/buffer/unbounded.go
@@ -83,6 +83,7 @@ func (b *Unbounded) Load() {
 		default:
 		}
 	} else if b.closing && !b.closed {
+		b.closed = true
 		close(b.c)
 	}
 }
diff --git a/vendor/google.golang.org/grpc/internal/channelz/trace.go b/vendor/google.golang.org/grpc/internal/channelz/trace.go
index 2bffe47776..3b7ba59662 100644
--- a/vendor/google.golang.org/grpc/internal/channelz/trace.go
+++ b/vendor/google.golang.org/grpc/internal/channelz/trace.go
@@ -194,7 +194,7 @@ func (r RefChannelType) String() string {
 // If channelz is not turned ON, this will simply log the event descriptions.
 func AddTraceEvent(l grpclog.DepthLoggerV2, e Entity, depth int, desc *TraceEvent) {
 	// Log only the trace description associated with the bottom most entity.
-	d := fmt.Sprintf("[%s]%s", e, desc.Desc)
+	d := fmt.Sprintf("[%s] %s", e, desc.Desc)
 	switch desc.Severity {
 	case CtUnknown, CtInfo:
 		l.InfoDepth(depth+1, d)
diff --git a/vendor/google.golang.org/grpc/internal/envconfig/envconfig.go b/vendor/google.golang.org/grpc/internal/envconfig/envconfig.go
index 7e060f5ed1..6414ee4bbe 100644
--- a/vendor/google.golang.org/grpc/internal/envconfig/envconfig.go
+++ b/vendor/google.golang.org/grpc/internal/envconfig/envconfig.go
@@ -52,12 +52,6 @@ var (
 	// or "false".
 	EnforceALPNEnabled = boolFromEnv("GRPC_ENFORCE_ALPN_ENABLED", true)
 
-	// NewPickFirstEnabled is set if the new pickfirst leaf policy is to be used
-	// instead of the exiting pickfirst implementation. This can be disabled by
-	// setting the environment variable "GRPC_EXPERIMENTAL_ENABLE_NEW_PICK_FIRST"
-	// to "false".
-	NewPickFirstEnabled = boolFromEnv("GRPC_EXPERIMENTAL_ENABLE_NEW_PICK_FIRST", true)
-
 	// XDSEndpointHashKeyBackwardCompat controls the parsing of the endpoint hash
 	// key from EDS LbEndpoint metadata. Endpoint hash keys can be disabled by
 	// setting "GRPC_XDS_ENDPOINT_HASH_KEY_BACKWARD_COMPAT" to "true". When the
@@ -75,6 +69,19 @@ var (
 	// ALTSHandshakerKeepaliveParams is set if we should add the
 	// KeepaliveParams when dial the ALTS handshaker service.
 	ALTSHandshakerKeepaliveParams = boolFromEnv("GRPC_EXPERIMENTAL_ALTS_HANDSHAKER_KEEPALIVE_PARAMS", false)
+
+	// EnableDefaultPortForProxyTarget controls whether the resolver adds a default port 443
+	// to a target address that lacks one. This flag only has an effect when all of
+	// the following conditions are met:
+	//   - A connect proxy is being used.
+	//   - Target resolution is disabled.
+	//   - The DNS resolver is being used.
+	EnableDefaultPortForProxyTarget = boolFromEnv("GRPC_EXPERIMENTAL_ENABLE_DEFAULT_PORT_FOR_PROXY_TARGET", true)
+
+	// XDSAuthorityRewrite indicates whether xDS authority rewriting is enabled.
+	// This feature is defined in gRFC A81 and is enabled by setting the
+	// environment variable GRPC_EXPERIMENTAL_XDS_AUTHORITY_REWRITE to "true".
+	XDSAuthorityRewrite = boolFromEnv("GRPC_EXPERIMENTAL_XDS_AUTHORITY_REWRITE", false)
 )
 
 func boolFromEnv(envVar string, def bool) bool {
diff --git a/vendor/google.golang.org/grpc/internal/envconfig/xds.go b/vendor/google.golang.org/grpc/internal/envconfig/xds.go
index e87551552a..7685d08b54 100644
--- a/vendor/google.golang.org/grpc/internal/envconfig/xds.go
+++ b/vendor/google.golang.org/grpc/internal/envconfig/xds.go
@@ -68,4 +68,15 @@ var (
 	// trust.  For more details, see:
 	// https://github.com/grpc/proposal/blob/master/A87-mtls-spiffe-support.md
 	XDSSPIFFEEnabled = boolFromEnv("GRPC_EXPERIMENTAL_XDS_MTLS_SPIFFE", false)
+
+	// XDSHTTPConnectEnabled is true if gRPC should parse custom Metadata
+	// configuring use of an HTTP CONNECT proxy via xDS from cluster resources.
+	// For more details, see:
+	// https://github.com/grpc/proposal/blob/master/A86-xds-http-connect.md
+	XDSHTTPConnectEnabled = boolFromEnv("GRPC_EXPERIMENTAL_XDS_HTTP_CONNECT", false)
+
+	// XDSBootstrapCallCredsEnabled controls if call credentials can be used in
+	// xDS bootstrap configuration via the `call_creds` field. For more details,
+	// see: https://github.com/grpc/proposal/blob/master/A97-xds-jwt-call-creds.md
+	XDSBootstrapCallCredsEnabled = boolFromEnv("GRPC_EXPERIMENTAL_XDS_BOOTSTRAP_CALL_CREDS", false)
 )
diff --git a/vendor/google.golang.org/grpc/internal/experimental.go b/vendor/google.golang.org/grpc/internal/experimental.go
index 7617be2158..c90cc51bdd 100644
--- a/vendor/google.golang.org/grpc/internal/experimental.go
+++ b/vendor/google.golang.org/grpc/internal/experimental.go
@@ -25,4 +25,8 @@ var (
 	// BufferPool is implemented by the grpc package and returns a server
 	// option to configure a shared buffer pool for a grpc.Server.
 	BufferPool any // func (grpc.SharedBufferPool) grpc.ServerOption
+
+	// AcceptCompressors is implemented by the grpc package and returns
+	// a call option that restricts the grpc-accept-encoding header for a call.
+	AcceptCompressors any // func(...string) grpc.CallOption
 )
diff --git a/vendor/google.golang.org/grpc/internal/grpcsync/callback_serializer.go b/vendor/google.golang.org/grpc/internal/grpcsync/callback_serializer.go
index 8e8e861280..9b6d8a1fa3 100644
--- a/vendor/google.golang.org/grpc/internal/grpcsync/callback_serializer.go
+++ b/vendor/google.golang.org/grpc/internal/grpcsync/callback_serializer.go
@@ -80,25 +80,11 @@ func (cs *CallbackSerializer) ScheduleOr(f func(ctx context.Context), onFailure
 func (cs *CallbackSerializer) run(ctx context.Context) {
 	defer close(cs.done)
 
-	// TODO: when Go 1.21 is the oldest supported version, this loop and Close
-	// can be replaced with:
-	//
-	// context.AfterFunc(ctx, cs.callbacks.Close)
-	for ctx.Err() == nil {
-		select {
-		case <-ctx.Done():
-			// Do nothing here. Next iteration of the for loop will not happen,
-			// since ctx.Err() would be non-nil.
-		case cb := <-cs.callbacks.Get():
-			cs.callbacks.Load()
-			cb.(func(context.Context))(ctx)
-		}
-	}
-
-	// Close the buffer to prevent new callbacks from being added.
-	cs.callbacks.Close()
+	// Close the buffer when the context is canceled
+	// to prevent new callbacks from being added.
+	context.AfterFunc(ctx, cs.callbacks.Close)
 
-	// Run all pending callbacks.
+	// Run all callbacks.
 	for cb := range cs.callbacks.Get() {
 		cs.callbacks.Load()
 		cb.(func(context.Context))(ctx)
diff --git a/vendor/google.golang.org/grpc/internal/idle/idle.go b/vendor/google.golang.org/grpc/internal/idle/idle.go
index 2c13ee9dac..d3cd24f80b 100644
--- a/vendor/google.golang.org/grpc/internal/idle/idle.go
+++ b/vendor/google.golang.org/grpc/internal/idle/idle.go
@@ -21,7 +21,6 @@
 package idle
 
 import (
-	"fmt"
 	"math"
 	"sync"
 	"sync/atomic"
@@ -33,15 +32,15 @@ var timeAfterFunc = func(d time.Duration, f func()) *time.Timer {
 	return time.AfterFunc(d, f)
 }
 
-// Enforcer is the functionality provided by grpc.ClientConn to enter
-// and exit from idle mode.
-type Enforcer interface {
-	ExitIdleMode() error
+// ClientConn is the functionality provided by grpc.ClientConn to enter and exit
+// from idle mode.
+type ClientConn interface {
+	ExitIdleMode()
 	EnterIdleMode()
 }
 
-// Manager implements idleness detection and calls the configured Enforcer to
-// enter/exit idle mode when appropriate.  Must be created by NewManager.
+// Manager implements idleness detection and calls the ClientConn to enter/exit
+// idle mode when appropriate. Must be created by NewManager.
 type Manager struct {
 	// State accessed atomically.
 	lastCallEndTime           int64 // Unix timestamp in nanos; time when the most recent RPC completed.
@@ -51,8 +50,8 @@ type Manager struct {
 
 	// Can be accessed without atomics or mutex since these are set at creation
 	// time and read-only after that.
-	enforcer Enforcer // Functionality provided by grpc.ClientConn.
-	timeout  time.Duration
+	cc      ClientConn // Functionality provided by grpc.ClientConn.
+	timeout time.Duration
 
 	// idleMu is used to guarantee mutual exclusion in two scenarios:
 	// - Opposing intentions:
@@ -72,9 +71,9 @@ type Manager struct {
 
 // NewManager creates a new idleness manager implementation for the
 // given idle timeout.  It begins in idle mode.
-func NewManager(enforcer Enforcer, timeout time.Duration) *Manager {
+func NewManager(cc ClientConn, timeout time.Duration) *Manager {
 	return &Manager{
-		enforcer:         enforcer,
+		cc:               cc,
 		timeout:          timeout,
 		actuallyIdle:     true,
 		activeCallsCount: -math.MaxInt32,
@@ -127,7 +126,7 @@ func (m *Manager) handleIdleTimeout() {
 
 	// Now that we've checked that there has been no activity, attempt to enter
 	// idle mode, which is very likely to succeed.
-	if m.tryEnterIdleMode() {
+	if m.tryEnterIdleMode(true) {
 		// Successfully entered idle mode. No timer needed until we exit idle.
 		return
 	}
@@ -142,10 +141,13 @@ func (m *Manager) handleIdleTimeout() {
 // that, it performs a last minute check to ensure that no new RPC has come in,
 // making the channel active.
 //
+// checkActivity controls if a check for RPC activity, since the last time the
+// idle_timeout fired, is made.
+
 // Return value indicates whether or not the channel moved to idle mode.
 //
 // Holds idleMu which ensures mutual exclusion with exitIdleMode.
-func (m *Manager) tryEnterIdleMode() bool {
+func (m *Manager) tryEnterIdleMode(checkActivity bool) bool {
 	// Setting the activeCallsCount to -math.MaxInt32 indicates to OnCallBegin()
 	// that the channel is either in idle mode or is trying to get there.
 	if !atomic.CompareAndSwapInt32(&m.activeCallsCount, 0, -math.MaxInt32) {
@@ -166,7 +168,7 @@ func (m *Manager) tryEnterIdleMode() bool {
 		atomic.AddInt32(&m.activeCallsCount, math.MaxInt32)
 		return false
 	}
-	if atomic.LoadInt32(&m.activeSinceLastTimerCheck) == 1 {
+	if checkActivity && atomic.LoadInt32(&m.activeSinceLastTimerCheck) == 1 {
 		// A very short RPC could have come in (and also finished) after we
 		// checked for calls count and activity in handleIdleTimeout(), but
 		// before the CAS operation. So, we need to check for activity again.
@@ -177,44 +179,37 @@ func (m *Manager) tryEnterIdleMode() bool {
 	// No new RPCs have come in since we set the active calls count value to
 	// -math.MaxInt32. And since we have the lock, it is safe to enter idle mode
 	// unconditionally now.
-	m.enforcer.EnterIdleMode()
+	m.cc.EnterIdleMode()
 	m.actuallyIdle = true
 	return true
 }
 
 // EnterIdleModeForTesting instructs the channel to enter idle mode.
 func (m *Manager) EnterIdleModeForTesting() {
-	m.tryEnterIdleMode()
+	m.tryEnterIdleMode(false)
 }
 
 // OnCallBegin is invoked at the start of every RPC.
-func (m *Manager) OnCallBegin() error {
+func (m *Manager) OnCallBegin() {
 	if m.isClosed() {
-		return nil
+		return
 	}
 
 	if atomic.AddInt32(&m.activeCallsCount, 1) > 0 {
 		// Channel is not idle now. Set the activity bit and allow the call.
 		atomic.StoreInt32(&m.activeSinceLastTimerCheck, 1)
-		return nil
+		return
 	}
 
 	// Channel is either in idle mode or is in the process of moving to idle
 	// mode. Attempt to exit idle mode to allow this RPC.
-	if err := m.ExitIdleMode(); err != nil {
-		// Undo the increment to calls count, and return an error causing the
-		// RPC to fail.
-		atomic.AddInt32(&m.activeCallsCount, -1)
-		return err
-	}
-
+	m.ExitIdleMode()
 	atomic.StoreInt32(&m.activeSinceLastTimerCheck, 1)
-	return nil
 }
 
-// ExitIdleMode instructs m to call the enforcer's ExitIdleMode and update m's
+// ExitIdleMode instructs m to call the ClientConn's ExitIdleMode and update its
 // internal state.
-func (m *Manager) ExitIdleMode() error {
+func (m *Manager) ExitIdleMode() {
 	// Holds idleMu which ensures mutual exclusion with tryEnterIdleMode.
 	m.idleMu.Lock()
 	defer m.idleMu.Unlock()
@@ -231,12 +226,10 @@ func (m *Manager) ExitIdleMode() error {
 		//   m.ExitIdleMode.
 		//
 		// In any case, there is nothing to do here.
-		return nil
+		return
 	}
 
-	if err := m.enforcer.ExitIdleMode(); err != nil {
-		return fmt.Errorf("failed to exit idle mode: %w", err)
-	}
+	m.cc.ExitIdleMode()
 
 	// Undo the idle entry process. This also respects any new RPC attempts.
 	atomic.AddInt32(&m.activeCallsCount, math.MaxInt32)
@@ -244,7 +237,23 @@ func (m *Manager) ExitIdleMode() error {
 
 	// Start a new timer to fire after the configured idle timeout.
 	m.resetIdleTimerLocked(m.timeout)
-	return nil
+}
+
+// UnsafeSetNotIdle instructs the Manager to update its internal state to
+// reflect the reality that the channel is no longer in IDLE mode.
+//
+// N.B. This method is intended only for internal use by the gRPC client
+// when it exits IDLE mode **manually** from `Dial`. The callsite must ensure:
+//   - The channel was **actually in IDLE mode** immediately prior to the call.
+//   - There is **no concurrent activity** that could cause the channel to exit
+//     IDLE mode *naturally* at the same time.
+func (m *Manager) UnsafeSetNotIdle() {
+	m.idleMu.Lock()
+	defer m.idleMu.Unlock()
+
+	atomic.AddInt32(&m.activeCallsCount, math.MaxInt32)
+	m.actuallyIdle = false
+	m.resetIdleTimerLocked(m.timeout)
 }
 
 // OnCallEnd is invoked at the end of every RPC.
diff --git a/vendor/google.golang.org/grpc/internal/internal.go b/vendor/google.golang.org/grpc/internal/internal.go
index 2699223a27..27bef83d97 100644
--- a/vendor/google.golang.org/grpc/internal/internal.go
+++ b/vendor/google.golang.org/grpc/internal/internal.go
@@ -244,6 +244,10 @@ var (
 	// When set, the function will be called before the stream enters
 	// the blocking state.
 	NewStreamWaitingForResolver = func() {}
+
+	// AddressToTelemetryLabels is an xDS-provided function to extract telemetry
+	// labels from a resolver.Address. Callers must assert its type before calling.
+	AddressToTelemetryLabels any // func(addr resolver.Address) map[string]string
 )
 
 // HealthChecker defines the signature of the client-side LB channel health
diff --git a/vendor/google.golang.org/grpc/internal/resolver/delegatingresolver/delegatingresolver.go b/vendor/google.golang.org/grpc/internal/resolver/delegatingresolver/delegatingresolver.go
index 20b8fb098a..5bfa67b726 100644
--- a/vendor/google.golang.org/grpc/internal/resolver/delegatingresolver/delegatingresolver.go
+++ b/vendor/google.golang.org/grpc/internal/resolver/delegatingresolver/delegatingresolver.go
@@ -22,11 +22,13 @@ package delegatingresolver
 
 import (
 	"fmt"
+	"net"
 	"net/http"
 	"net/url"
 	"sync"
 
 	"google.golang.org/grpc/grpclog"
+	"google.golang.org/grpc/internal/envconfig"
 	"google.golang.org/grpc/internal/proxyattributes"
 	"google.golang.org/grpc/internal/transport"
 	"google.golang.org/grpc/internal/transport/networktype"
@@ -40,6 +42,8 @@ var (
 	HTTPSProxyFromEnvironment = http.ProxyFromEnvironment
 )
 
+const defaultPort = "443"
+
 // delegatingResolver manages both target URI and proxy address resolution by
 // delegating these tasks to separate child resolvers. Essentially, it acts as
 // an intermediary between the gRPC ClientConn and the child resolvers.
@@ -107,10 +111,18 @@ func New(target resolver.Target, cc resolver.ClientConn, opts resolver.BuildOpti
 		targetResolver: nopResolver{},
 	}
 
+	addr := target.Endpoint()
 	var err error
-	r.proxyURL, err = proxyURLForTarget(target.Endpoint())
+	if target.URL.Scheme == "dns" && !targetResolutionEnabled && envconfig.EnableDefaultPortForProxyTarget {
+		addr, err = parseTarget(addr)
+		if err != nil {
+			return nil, fmt.Errorf("delegating_resolver: invalid target address %q: %v", target.Endpoint(), err)
+		}
+	}
+
+	r.proxyURL, err = proxyURLForTarget(addr)
 	if err != nil {
-		return nil, fmt.Errorf("delegating_resolver: failed to determine proxy URL for target %s: %v", target, err)
+		return nil, fmt.Errorf("delegating_resolver: failed to determine proxy URL for target %q: %v", target, err)
 	}
 
 	// proxy is not configured or proxy address excluded using `NO_PROXY` env
@@ -132,8 +144,8 @@ func New(target resolver.Target, cc resolver.ClientConn, opts resolver.BuildOpti
 	// bypass the target resolver and store the unresolved target address.
 	if target.URL.Scheme == "dns" && !targetResolutionEnabled {
 		r.targetResolverState = &resolver.State{
-			Addresses: []resolver.Address{{Addr: target.Endpoint()}},
-			Endpoints: []resolver.Endpoint{{Addresses: []resolver.Address{{Addr: target.Endpoint()}}}},
+			Addresses: []resolver.Address{{Addr: addr}},
+			Endpoints: []resolver.Endpoint{{Addresses: []resolver.Address{{Addr: addr}}}},
 		}
 		r.updateTargetResolverState(*r.targetResolverState)
 		return r, nil
@@ -202,6 +214,44 @@ func needsProxyResolver(state *resolver.State) bool {
 	return false
 }
 
+// parseTarget takes a target string and ensures it is a valid "host:port" target.
+//
+// It does the following:
+//  1. If the target already has a port (e.g., "host:port", "[ipv6]:port"),
+//     it is returned as is.
+//  2. If the host part is empty (e.g., ":80"), it defaults to "localhost",
+//     returning "localhost:80".
+//  3. If the target is missing a port (e.g., "host", "ipv6"), the defaultPort
+//     is added.
+//
+// An error is returned for empty targets or targets with a trailing colon
+// but no port (e.g., "host:").
+func parseTarget(target string) (string, error) {
+	if target == "" {
+		return "", fmt.Errorf("missing address")
+	}
+
+	host, port, err := net.SplitHostPort(target)
+	if err != nil {
+		// If SplitHostPort fails, it's likely because the port is missing.
+		// We append the default port and return the result.
+		return net.JoinHostPort(target, defaultPort), nil
+	}
+
+	// If SplitHostPort succeeds, we check for edge cases.
+	if port == "" {
+		// A success with an empty port means the target had a trailing colon,
+		// e.g., "host:", which is an error.
+		return "", fmt.Errorf("missing port after port-separator colon")
+	}
+	if host == "" {
+		// A success with an empty host means the target was like ":80".
+		// We default the host to "localhost".
+		host = "localhost"
+	}
+	return net.JoinHostPort(host, port), nil
+}
+
 func skipProxy(address resolver.Address) bool {
 	// Avoid proxy when network is not tcp.
 	networkType, ok := networktype.Get(address)
diff --git a/vendor/google.golang.org/grpc/internal/stats/metrics_recorder_list.go b/vendor/google.golang.org/grpc/internal/stats/metrics_recorder_list.go
index 79044657be..d5f7e4d62d 100644
--- a/vendor/google.golang.org/grpc/internal/stats/metrics_recorder_list.go
+++ b/vendor/google.golang.org/grpc/internal/stats/metrics_recorder_list.go
@@ -64,6 +64,16 @@ func (l *MetricsRecorderList) RecordInt64Count(handle *estats.Int64CountHandle,
 	}
 }
 
+// RecordInt64UpDownCount records the measurement alongside labels on the int
+// count associated with the provided handle.
+func (l *MetricsRecorderList) RecordInt64UpDownCount(handle *estats.Int64UpDownCountHandle, incr int64, labels ...string) {
+	verifyLabels(handle.Descriptor(), labels...)
+
+	for _, metricRecorder := range l.metricsRecorders {
+		metricRecorder.RecordInt64UpDownCount(handle, incr, labels...)
+	}
+}
+
 // RecordFloat64Count records the measurement alongside labels on the float
 // count associated with the provided handle.
 func (l *MetricsRecorderList) RecordFloat64Count(handle *estats.Float64CountHandle, incr float64, labels ...string) {
diff --git a/vendor/google.golang.org/grpc/internal/stats/stats.go b/vendor/google.golang.org/grpc/internal/stats/stats.go
new file mode 100644
index 0000000000..49019b80d1
--- /dev/null
+++ b/vendor/google.golang.org/grpc/internal/stats/stats.go
@@ -0,0 +1,70 @@
+/*
+ *
+ * Copyright 2025 gRPC authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package stats
+
+import (
+	"context"
+
+	"google.golang.org/grpc/stats"
+)
+
+type combinedHandler struct {
+	handlers []stats.Handler
+}
+
+// NewCombinedHandler combines multiple stats.Handlers into a single handler.
+//
+// It returns nil if no handlers are provided. If only one handler is
+// provided, it is returned directly without wrapping.
+func NewCombinedHandler(handlers ...stats.Handler) stats.Handler {
+	switch len(handlers) {
+	case 0:
+		return nil
+	case 1:
+		return handlers[0]
+	default:
+		return &combinedHandler{handlers: handlers}
+	}
+}
+
+func (ch *combinedHandler) TagRPC(ctx context.Context, info *stats.RPCTagInfo) context.Context {
+	for _, h := range ch.handlers {
+		ctx = h.TagRPC(ctx, info)
+	}
+	return ctx
+}
+
+func (ch *combinedHandler) HandleRPC(ctx context.Context, stats stats.RPCStats) {
+	for _, h := range ch.handlers {
+		h.HandleRPC(ctx, stats)
+	}
+}
+
+func (ch *combinedHandler) TagConn(ctx context.Context, info *stats.ConnTagInfo) context.Context {
+	for _, h := range ch.handlers {
+		ctx = h.TagConn(ctx, info)
+	}
+	return ctx
+}
+
+func (ch *combinedHandler) HandleConn(ctx context.Context, stats stats.ConnStats) {
+	for _, h := range ch.handlers {
+		h.HandleConn(ctx, stats)
+	}
+}
diff --git a/vendor/google.golang.org/grpc/internal/transport/client_stream.go b/vendor/google.golang.org/grpc/internal/transport/client_stream.go
index ccc0e017e5..980452519e 100644
--- a/vendor/google.golang.org/grpc/internal/transport/client_stream.go
+++ b/vendor/google.golang.org/grpc/internal/transport/client_stream.go
@@ -29,25 +29,27 @@ import (
 
 // ClientStream implements streaming functionality for a gRPC client.
 type ClientStream struct {
-	*Stream // Embed for common stream functionality.
+	Stream // Embed for common stream functionality.
 
 	ct       *http2Client
 	done     chan struct{} // closed at the end of stream to unblock writers.
 	doneFunc func()        // invoked at the end of stream.
 
-	headerChan       chan struct{} // closed to indicate the end of header metadata.
-	headerChanClosed uint32        // set when headerChan is closed. Used to avoid closing headerChan multiple times.
+	headerChan chan struct{} // closed to indicate the end of header metadata.
+	header     metadata.MD   // the received header metadata
+
+	status *status.Status // the status error received from the server
+
+	// Non-pointer fields are at the end to optimize GC allocations.
+
 	// headerValid indicates whether a valid header was received.  Only
 	// meaningful after headerChan is closed (always call waitOnHeader() before
 	// reading its value).
-	headerValid bool
-	header      metadata.MD // the received header metadata
-	noHeaders   bool        // set if the client never received headers (set only after the stream is done).
-
-	bytesReceived atomic.Bool // indicates whether any bytes have been received on this stream
-	unprocessed   atomic.Bool // set if the server sends a refused stream or GOAWAY including this stream
-
-	status *status.Status // the status error received from the server
+	headerValid      bool
+	noHeaders        bool        // set if the client never received headers (set only after the stream is done).
+	headerChanClosed uint32      // set when headerChan is closed. Used to avoid closing headerChan multiple times.
+	bytesReceived    atomic.Bool // indicates whether any bytes have been received on this stream
+	unprocessed      atomic.Bool // set if the server sends a refused stream or GOAWAY including this stream
 }
 
 // Read reads an n byte message from the input stream.
@@ -142,3 +144,11 @@ func (s *ClientStream) TrailersOnly() bool {
 func (s *ClientStream) Status() *status.Status {
 	return s.status
 }
+
+func (s *ClientStream) requestRead(n int) {
+	s.ct.adjustWindow(s, uint32(n))
+}
+
+func (s *ClientStream) updateWindow(n int) {
+	s.ct.updateWindow(s, uint32(n))
+}
diff --git a/vendor/google.golang.org/grpc/internal/transport/controlbuf.go b/vendor/google.golang.org/grpc/internal/transport/controlbuf.go
index a2831e5d01..2dcd1e63bd 100644
--- a/vendor/google.golang.org/grpc/internal/transport/controlbuf.go
+++ b/vendor/google.golang.org/grpc/internal/transport/controlbuf.go
@@ -496,6 +496,16 @@ const (
 	serverSide
 )
 
+// maxWriteBufSize is the maximum length (number of elements) the cached
+// writeBuf can grow to. The length depends on the number of buffers
+// contained within the BufferSlice produced by the codec, which is
+// generally small.
+//
+// If a writeBuf larger than this limit is required, it will be allocated
+// and freed after use, rather than being cached. This avoids holding
+// on to large amounts of memory.
+const maxWriteBufSize = 64
+
 // Loopy receives frames from the control buffer.
 // Each frame is handled individually; most of the work done by loopy goes
 // into handling data frames. Loopy maintains a queue of active streams, and each
@@ -530,6 +540,8 @@ type loopyWriter struct {
 
 	// Side-specific handlers
 	ssGoAwayHandler func(*goAway) (bool, error)
+
+	writeBuf [][]byte // cached slice to avoid heap allocations for calls to mem.Reader.Peek.
 }
 
 func newLoopyWriter(s side, fr *framer, cbuf *controlBuffer, bdpEst *bdpEstimator, conn net.Conn, logger *grpclog.PrefixLogger, goAwayHandler func(*goAway) (bool, error), bufferPool mem.BufferPool) *loopyWriter {
@@ -665,11 +677,10 @@ func (l *loopyWriter) incomingSettingsHandler(s *incomingSettings) error {
 
 func (l *loopyWriter) registerStreamHandler(h *registerStream) {
 	str := &outStream{
-		id:     h.streamID,
-		state:  empty,
-		itl:    &itemList{},
-		wq:     h.wq,
-		reader: mem.BufferSlice{}.Reader(),
+		id:    h.streamID,
+		state: empty,
+		itl:   &itemList{},
+		wq:    h.wq,
 	}
 	l.estdStreams[h.streamID] = str
 }
@@ -701,11 +712,10 @@ func (l *loopyWriter) headerHandler(h *headerFrame) error {
 	}
 	// Case 2: Client wants to originate stream.
 	str := &outStream{
-		id:     h.streamID,
-		state:  empty,
-		itl:    &itemList{},
-		wq:     h.wq,
-		reader: mem.BufferSlice{}.Reader(),
+		id:    h.streamID,
+		state: empty,
+		itl:   &itemList{},
+		wq:    h.wq,
 	}
 	return l.originateStream(str, h)
 }
@@ -948,11 +958,11 @@ func (l *loopyWriter) processData() (bool, error) {
 	if str == nil {
 		return true, nil
 	}
-	reader := str.reader
+	reader := &str.reader
 	dataItem := str.itl.peek().(*dataFrame) // Peek at the first data item this stream.
 	if !dataItem.processing {
 		dataItem.processing = true
-		str.reader.Reset(dataItem.data)
+		reader.Reset(dataItem.data)
 		dataItem.data.Free()
 	}
 	// A data item is represented by a dataFrame, since it later translates into
@@ -964,11 +974,11 @@ func (l *loopyWriter) processData() (bool, error) {
 
 	if len(dataItem.h) == 0 && reader.Remaining() == 0 { // Empty data frame
 		// Client sends out empty data frame with endStream = true
-		if err := l.framer.fr.WriteData(dataItem.streamID, dataItem.endStream, nil); err != nil {
+		if err := l.framer.writeData(dataItem.streamID, dataItem.endStream, nil); err != nil {
 			return false, err
 		}
 		str.itl.dequeue() // remove the empty data item from stream
-		_ = reader.Close()
+		reader.Close()
 		if str.itl.isEmpty() {
 			str.state = empty
 		} else if trailer, ok := str.itl.peek().(*headerFrame); ok { // the next item is trailers.
@@ -1001,25 +1011,20 @@ func (l *loopyWriter) processData() (bool, error) {
 	remainingBytes := len(dataItem.h) + reader.Remaining() - hSize - dSize
 	size := hSize + dSize
 
-	var buf *[]byte
-
-	if hSize != 0 && dSize == 0 {
-		buf = &dataItem.h
-	} else {
-		// Note: this is only necessary because the http2.Framer does not support
-		// partially writing a frame, so the sequence must be materialized into a buffer.
-		// TODO: Revisit once https://github.com/golang/go/issues/66655 is addressed.
-		pool := l.bufferPool
-		if pool == nil {
-			// Note that this is only supposed to be nil in tests. Otherwise, stream is
-			// always initialized with a BufferPool.
-			pool = mem.DefaultBufferPool()
+	l.writeBuf = l.writeBuf[:0]
+	if hSize > 0 {
+		l.writeBuf = append(l.writeBuf, dataItem.h[:hSize])
+	}
+	if dSize > 0 {
+		var err error
+		l.writeBuf, err = reader.Peek(dSize, l.writeBuf)
+		if err != nil {
+			// This must never happen since the reader must have at least dSize
+			// bytes.
+			// Log an error to fail tests.
+			l.logger.Errorf("unexpected error while reading Data frame payload: %v", err)
+			return false, err
 		}
-		buf = pool.Get(size)
-		defer pool.Put(buf)
-
-		copy((*buf)[:hSize], dataItem.h)
-		_, _ = reader.Read((*buf)[hSize:])
 	}
 
 	// Now that outgoing flow controls are checked we can replenish str's write quota
@@ -1032,7 +1037,14 @@ func (l *loopyWriter) processData() (bool, error) {
 	if dataItem.onEachWrite != nil {
 		dataItem.onEachWrite()
 	}
-	if err := l.framer.fr.WriteData(dataItem.streamID, endStream, (*buf)[:size]); err != nil {
+	err := l.framer.writeData(dataItem.streamID, endStream, l.writeBuf)
+	reader.Discard(dSize)
+	if cap(l.writeBuf) > maxWriteBufSize {
+		l.writeBuf = nil
+	} else {
+		clear(l.writeBuf)
+	}
+	if err != nil {
 		return false, err
 	}
 	str.bytesOutStanding += size
@@ -1040,7 +1052,7 @@ func (l *loopyWriter) processData() (bool, error) {
 	dataItem.h = dataItem.h[hSize:]
 
 	if remainingBytes == 0 { // All the data from that message was written out.
-		_ = reader.Close()
+		reader.Close()
 		str.itl.dequeue()
 	}
 	if str.itl.isEmpty() {
diff --git a/vendor/google.golang.org/grpc/internal/transport/flowcontrol.go b/vendor/google.golang.org/grpc/internal/transport/flowcontrol.go
index dfc0f224ec..7cfbc9637b 100644
--- a/vendor/google.golang.org/grpc/internal/transport/flowcontrol.go
+++ b/vendor/google.golang.org/grpc/internal/transport/flowcontrol.go
@@ -28,7 +28,7 @@ import (
 // writeQuota is a soft limit on the amount of data a stream can
 // schedule before some of it is written out.
 type writeQuota struct {
-	quota int32
+	_ noCopy
 	// get waits on read from when quota goes less than or equal to zero.
 	// replenish writes on it when quota goes positive again.
 	ch chan struct{}
@@ -38,16 +38,17 @@ type writeQuota struct {
 	// It is implemented as a field so that it can be updated
 	// by tests.
 	replenish func(n int)
+	quota     int32
 }
 
-func newWriteQuota(sz int32, done <-chan struct{}) *writeQuota {
-	w := &writeQuota{
-		quota: sz,
-		ch:    make(chan struct{}, 1),
-		done:  done,
-	}
+// init allows a writeQuota to be initialized in-place, which is useful for
+// resetting a buffer or for avoiding a heap allocation when the buffer is
+// embedded in another struct.
+func (w *writeQuota) init(sz int32, done <-chan struct{}) {
+	w.quota = sz
+	w.ch = make(chan struct{}, 1)
+	w.done = done
 	w.replenish = w.realReplenish
-	return w
 }
 
 func (w *writeQuota) get(sz int32) error {
@@ -67,9 +68,9 @@ func (w *writeQuota) get(sz int32) error {
 
 func (w *writeQuota) realReplenish(n int) {
 	sz := int32(n)
-	a := atomic.AddInt32(&w.quota, sz)
-	b := a - sz
-	if b <= 0 && a > 0 {
+	newQuota := atomic.AddInt32(&w.quota, sz)
+	previousQuota := newQuota - sz
+	if previousQuota <= 0 && newQuota > 0 {
 		select {
 		case w.ch <- struct{}{}:
 		default:
diff --git a/vendor/google.golang.org/grpc/internal/transport/handler_server.go b/vendor/google.golang.org/grpc/internal/transport/handler_server.go
index d954a64c38..7ab3422b8a 100644
--- a/vendor/google.golang.org/grpc/internal/transport/handler_server.go
+++ b/vendor/google.golang.org/grpc/internal/transport/handler_server.go
@@ -50,7 +50,7 @@ import (
 // NewServerHandlerTransport returns a ServerTransport handling gRPC from
 // inside an http.Handler, or writes an HTTP error to w and returns an error.
 // It requires that the http Server supports HTTP/2.
-func NewServerHandlerTransport(w http.ResponseWriter, r *http.Request, stats []stats.Handler, bufferPool mem.BufferPool) (ServerTransport, error) {
+func NewServerHandlerTransport(w http.ResponseWriter, r *http.Request, stats stats.Handler, bufferPool mem.BufferPool) (ServerTransport, error) {
 	if r.Method != http.MethodPost {
 		w.Header().Set("Allow", http.MethodPost)
 		msg := fmt.Sprintf("invalid gRPC request method %q", r.Method)
@@ -170,7 +170,7 @@ type serverHandlerTransport struct {
 	// TODO make sure this is consistent across handler_server and http2_server
 	contentSubtype string
 
-	stats  []stats.Handler
+	stats  stats.Handler
 	logger *grpclog.PrefixLogger
 
 	bufferPool mem.BufferPool
@@ -274,15 +274,13 @@ func (ht *serverHandlerTransport) writeStatus(s *ServerStream, st *status.Status
 		}
 	})
 
-	if err == nil { // transport has not been closed
+	if err == nil && ht.stats != nil { // transport has not been closed
 		// Note: The trailer fields are compressed with hpack after this call returns.
 		// No WireLength field is set here.
 		s.hdrMu.Lock()
-		for _, sh := range ht.stats {
-			sh.HandleRPC(s.Context(), &stats.OutTrailer{
-				Trailer: s.trailer.Copy(),
-			})
-		}
+		ht.stats.HandleRPC(s.Context(), &stats.OutTrailer{
+			Trailer: s.trailer.Copy(),
+		})
 		s.hdrMu.Unlock()
 	}
 	ht.Close(errors.New("finished writing status"))
@@ -374,19 +372,23 @@ func (ht *serverHandlerTransport) writeHeader(s *ServerStream, md metadata.MD) e
 		ht.rw.(http.Flusher).Flush()
 	})
 
-	if err == nil {
-		for _, sh := range ht.stats {
-			// Note: The header fields are compressed with hpack after this call returns.
-			// No WireLength field is set here.
-			sh.HandleRPC(s.Context(), &stats.OutHeader{
-				Header:      md.Copy(),
-				Compression: s.sendCompress,
-			})
-		}
+	if err == nil && ht.stats != nil {
+		// Note: The header fields are compressed with hpack after this call returns.
+		// No WireLength field is set here.
+		ht.stats.HandleRPC(s.Context(), &stats.OutHeader{
+			Header:      md.Copy(),
+			Compression: s.sendCompress,
+		})
 	}
 	return err
 }
 
+func (ht *serverHandlerTransport) adjustWindow(*ServerStream, uint32) {
+}
+
+func (ht *serverHandlerTransport) updateWindow(*ServerStream, uint32) {
+}
+
 func (ht *serverHandlerTransport) HandleStreams(ctx context.Context, startStream func(*ServerStream)) {
 	// With this transport type there will be exactly 1 stream: this HTTP request.
 	var cancel context.CancelFunc
@@ -411,11 +413,9 @@ func (ht *serverHandlerTransport) HandleStreams(ctx context.Context, startStream
 	ctx = metadata.NewIncomingContext(ctx, ht.headerMD)
 	req := ht.req
 	s := &ServerStream{
-		Stream: &Stream{
+		Stream: Stream{
 			id:             0, // irrelevant
 			ctx:            ctx,
-			requestRead:    func(int) {},
-			buf:            newRecvBuffer(),
 			method:         req.URL.Path,
 			recvCompress:   req.Header.Get("grpc-encoding"),
 			contentSubtype: ht.contentSubtype,
@@ -424,9 +424,11 @@ func (ht *serverHandlerTransport) HandleStreams(ctx context.Context, startStream
 		st:               ht,
 		headerWireLength: 0, // won't have access to header wire length until golang/go#18997.
 	}
-	s.trReader = &transportReader{
-		reader:        &recvBufferReader{ctx: s.ctx, ctxDone: s.ctx.Done(), recv: s.buf},
-		windowHandler: func(int) {},
+	s.Stream.buf.init()
+	s.readRequester = s
+	s.trReader = transportReader{
+		reader:        recvBufferReader{ctx: s.ctx, ctxDone: s.ctx.Done(), recv: &s.buf},
+		windowHandler: s,
 	}
 
 	// readerDone is closed when the Body.Read-ing goroutine exits.
diff --git a/vendor/google.golang.org/grpc/internal/transport/http2_client.go b/vendor/google.golang.org/grpc/internal/transport/http2_client.go
index 5467fe9715..38ca031af6 100644
--- a/vendor/google.golang.org/grpc/internal/transport/http2_client.go
+++ b/vendor/google.golang.org/grpc/internal/transport/http2_client.go
@@ -44,6 +44,7 @@ import (
 	"google.golang.org/grpc/internal/grpcutil"
 	imetadata "google.golang.org/grpc/internal/metadata"
 	"google.golang.org/grpc/internal/proxyattributes"
+	istats "google.golang.org/grpc/internal/stats"
 	istatus "google.golang.org/grpc/internal/status"
 	isyscall "google.golang.org/grpc/internal/syscall"
 	"google.golang.org/grpc/internal/transport/networktype"
@@ -105,7 +106,7 @@ type http2Client struct {
 	kp               keepalive.ClientParameters
 	keepaliveEnabled bool
 
-	statsHandlers []stats.Handler
+	statsHandler stats.Handler
 
 	initialWindowSize int32
 
@@ -335,14 +336,14 @@ func NewHTTP2Client(connectCtx, ctx context.Context, addr resolver.Address, opts
 		writerDone:            make(chan struct{}),
 		goAway:                make(chan struct{}),
 		keepaliveDone:         make(chan struct{}),
-		framer:                newFramer(conn, writeBufSize, readBufSize, opts.SharedWriteBuffer, maxHeaderListSize),
+		framer:                newFramer(conn, writeBufSize, readBufSize, opts.SharedWriteBuffer, maxHeaderListSize, opts.BufferPool),
 		fc:                    &trInFlow{limit: uint32(icwz)},
 		scheme:                scheme,
 		activeStreams:         make(map[uint32]*ClientStream),
 		isSecure:              isSecure,
 		perRPCCreds:           perRPCCreds,
 		kp:                    kp,
-		statsHandlers:         opts.StatsHandlers,
+		statsHandler:          istats.NewCombinedHandler(opts.StatsHandlers...),
 		initialWindowSize:     initialWindowSize,
 		nextID:                1,
 		maxConcurrentStreams:  defaultMaxStreamsClient,
@@ -369,7 +370,7 @@ func NewHTTP2Client(connectCtx, ctx context.Context, addr resolver.Address, opts
 		})
 	t.logger = prefixLoggerForClientTransport(t)
 	// Add peer information to the http2client context.
-	t.ctx = peer.NewContext(t.ctx, t.getPeer())
+	t.ctx = peer.NewContext(t.ctx, t.Peer())
 
 	if md, ok := addr.Metadata.(*metadata.MD); ok {
 		t.md = *md
@@ -386,15 +387,14 @@ func NewHTTP2Client(connectCtx, ctx context.Context, addr resolver.Address, opts
 			updateFlowControl: t.updateFlowControl,
 		}
 	}
-	for _, sh := range t.statsHandlers {
-		t.ctx = sh.TagConn(t.ctx, &stats.ConnTagInfo{
+	if t.statsHandler != nil {
+		t.ctx = t.statsHandler.TagConn(t.ctx, &stats.ConnTagInfo{
 			RemoteAddr: t.remoteAddr,
 			LocalAddr:  t.localAddr,
 		})
-		connBegin := &stats.ConnBegin{
+		t.statsHandler.HandleConn(t.ctx, &stats.ConnBegin{
 			Client: true,
-		}
-		sh.HandleConn(t.ctx, connBegin)
+		})
 	}
 	if t.keepaliveEnabled {
 		t.kpDormancyCond = sync.NewCond(&t.mu)
@@ -481,10 +481,9 @@ func NewHTTP2Client(connectCtx, ctx context.Context, addr resolver.Address, opts
 func (t *http2Client) newStream(ctx context.Context, callHdr *CallHdr) *ClientStream {
 	// TODO(zhaoq): Handle uint32 overflow of Stream.id.
 	s := &ClientStream{
-		Stream: &Stream{
+		Stream: Stream{
 			method:         callHdr.Method,
 			sendCompress:   callHdr.SendCompress,
-			buf:            newRecvBuffer(),
 			contentSubtype: callHdr.ContentSubtype,
 		},
 		ct:         t,
@@ -492,31 +491,26 @@ func (t *http2Client) newStream(ctx context.Context, callHdr *CallHdr) *ClientSt
 		headerChan: make(chan struct{}),
 		doneFunc:   callHdr.DoneFunc,
 	}
-	s.wq = newWriteQuota(defaultWriteQuota, s.done)
-	s.requestRead = func(n int) {
-		t.adjustWindow(s, uint32(n))
-	}
+	s.Stream.buf.init()
+	s.Stream.wq.init(defaultWriteQuota, s.done)
+	s.readRequester = s
 	// The client side stream context should have exactly the same life cycle with the user provided context.
 	// That means, s.ctx should be read-only. And s.ctx is done iff ctx is done.
 	// So we use the original context here instead of creating a copy.
 	s.ctx = ctx
-	s.trReader = &transportReader{
-		reader: &recvBufferReader{
-			ctx:     s.ctx,
-			ctxDone: s.ctx.Done(),
-			recv:    s.buf,
-			closeStream: func(err error) {
-				s.Close(err)
-			},
-		},
-		windowHandler: func(n int) {
-			t.updateWindow(s, uint32(n))
+	s.trReader = transportReader{
+		reader: recvBufferReader{
+			ctx:          s.ctx,
+			ctxDone:      s.ctx.Done(),
+			recv:         &s.buf,
+			clientStream: s,
 		},
+		windowHandler: s,
 	}
 	return s
 }
 
-func (t *http2Client) getPeer() *peer.Peer {
+func (t *http2Client) Peer() *peer.Peer {
 	return &peer.Peer{
 		Addr:      t.remoteAddr,
 		AuthInfo:  t.authInfo, // Can be nil
@@ -556,6 +550,22 @@ func (t *http2Client) createHeaderFields(ctx context.Context, callHdr *CallHdr)
 	// Make the slice of certain predictable size to reduce allocations made by append.
 	hfLen := 7 // :method, :scheme, :path, :authority, content-type, user-agent, te
 	hfLen += len(authData) + len(callAuthData)
+	registeredCompressors := t.registeredCompressors
+	if callHdr.AcceptedCompressors != nil {
+		registeredCompressors = *callHdr.AcceptedCompressors
+	}
+	if callHdr.PreviousAttempts > 0 {
+		hfLen++
+	}
+	if callHdr.SendCompress != "" {
+		hfLen++
+	}
+	if registeredCompressors != "" {
+		hfLen++
+	}
+	if _, ok := ctx.Deadline(); ok {
+		hfLen++
+	}
 	headerFields := make([]hpack.HeaderField, 0, hfLen)
 	headerFields = append(headerFields, hpack.HeaderField{Name: ":method", Value: "POST"})
 	headerFields = append(headerFields, hpack.HeaderField{Name: ":scheme", Value: t.scheme})
@@ -568,7 +578,6 @@ func (t *http2Client) createHeaderFields(ctx context.Context, callHdr *CallHdr)
 		headerFields = append(headerFields, hpack.HeaderField{Name: "grpc-previous-rpc-attempts", Value: strconv.Itoa(callHdr.PreviousAttempts)})
 	}
 
-	registeredCompressors := t.registeredCompressors
 	if callHdr.SendCompress != "" {
 		headerFields = append(headerFields, hpack.HeaderField{Name: "grpc-encoding", Value: callHdr.SendCompress})
 		// Include the outgoing compressor name when compressor is not registered
@@ -736,7 +745,7 @@ func (e NewStreamError) Error() string {
 // NewStream creates a stream and registers it into the transport as "active"
 // streams.  All non-nil errors returned will be *NewStreamError.
 func (t *http2Client) NewStream(ctx context.Context, callHdr *CallHdr) (*ClientStream, error) {
-	ctx = peer.NewContext(ctx, t.getPeer())
+	ctx = peer.NewContext(ctx, t.Peer())
 
 	// ServerName field of the resolver returned address takes precedence over
 	// Host field of CallHdr to determine the :authority header. This is because,
@@ -811,7 +820,7 @@ func (t *http2Client) NewStream(ctx context.Context, callHdr *CallHdr) (*ClientS
 			return nil
 		},
 		onOrphaned: cleanup,
-		wq:         s.wq,
+		wq:         &s.wq,
 	}
 	firstTry := true
 	var ch chan struct{}
@@ -842,7 +851,7 @@ func (t *http2Client) NewStream(ctx context.Context, callHdr *CallHdr) (*ClientS
 		transportDrainRequired = t.nextID > MaxStreamID
 
 		s.id = hdr.streamID
-		s.fc = &inFlow{limit: uint32(t.initialWindowSize)}
+		s.fc = inFlow{limit: uint32(t.initialWindowSize)}
 		t.activeStreams[s.id] = s
 		t.mu.Unlock()
 
@@ -893,27 +902,23 @@ func (t *http2Client) NewStream(ctx context.Context, callHdr *CallHdr) (*ClientS
 			return nil, &NewStreamError{Err: ErrConnClosing, AllowTransparentRetry: true}
 		}
 	}
-	if len(t.statsHandlers) != 0 {
+	if t.statsHandler != nil {
 		header, ok := metadata.FromOutgoingContext(ctx)
 		if ok {
 			header.Set("user-agent", t.userAgent)
 		} else {
 			header = metadata.Pairs("user-agent", t.userAgent)
 		}
-		for _, sh := range t.statsHandlers {
-			// Note: The header fields are compressed with hpack after this call returns.
-			// No WireLength field is set here.
-			// Note: Creating a new stats object to prevent pollution.
-			outHeader := &stats.OutHeader{
-				Client:      true,
-				FullMethod:  callHdr.Method,
-				RemoteAddr:  t.remoteAddr,
-				LocalAddr:   t.localAddr,
-				Compression: callHdr.SendCompress,
-				Header:      header,
-			}
-			sh.HandleRPC(s.ctx, outHeader)
-		}
+		// Note: The header fields are compressed with hpack after this call returns.
+		// No WireLength field is set here.
+		t.statsHandler.HandleRPC(s.ctx, &stats.OutHeader{
+			Client:      true,
+			FullMethod:  callHdr.Method,
+			RemoteAddr:  t.remoteAddr,
+			LocalAddr:   t.localAddr,
+			Compression: callHdr.SendCompress,
+			Header:      header,
+		})
 	}
 	if transportDrainRequired {
 		if t.logger.V(logLevel) {
@@ -990,6 +995,9 @@ func (t *http2Client) closeStream(s *ClientStream, err error, rst bool, rstCode
 // accessed anymore.
 func (t *http2Client) Close(err error) {
 	t.conn.SetWriteDeadline(time.Now().Add(time.Second * 10))
+	// For background on the deadline value chosen here, see
+	// https://github.com/grpc/grpc-go/issues/8425#issuecomment-3057938248 .
+	t.conn.SetReadDeadline(time.Now().Add(time.Second))
 	t.mu.Lock()
 	// Make sure we only close once.
 	if t.state == closing {
@@ -1051,11 +1059,10 @@ func (t *http2Client) Close(err error) {
 	for _, s := range streams {
 		t.closeStream(s, err, false, http2.ErrCodeNo, st, nil, false)
 	}
-	for _, sh := range t.statsHandlers {
-		connEnd := &stats.ConnEnd{
+	if t.statsHandler != nil {
+		t.statsHandler.HandleConn(t.ctx, &stats.ConnEnd{
 			Client: true,
-		}
-		sh.HandleConn(t.ctx, connEnd)
+		})
 	}
 }
 
@@ -1166,7 +1173,7 @@ func (t *http2Client) updateFlowControl(n uint32) {
 	})
 }
 
-func (t *http2Client) handleData(f *http2.DataFrame) {
+func (t *http2Client) handleData(f *parsedDataFrame) {
 	size := f.Header().Length
 	var sendBDPPing bool
 	if t.bdpEst != nil {
@@ -1210,22 +1217,15 @@ func (t *http2Client) handleData(f *http2.DataFrame) {
 			t.closeStream(s, io.EOF, true, http2.ErrCodeFlowControl, status.New(codes.Internal, err.Error()), nil, false)
 			return
 		}
+		dataLen := f.data.Len()
 		if f.Header().Flags.Has(http2.FlagDataPadded) {
-			if w := s.fc.onRead(size - uint32(len(f.Data()))); w > 0 {
+			if w := s.fc.onRead(size - uint32(dataLen)); w > 0 {
 				t.controlBuf.put(&outgoingWindowUpdate{s.id, w})
 			}
 		}
-		// TODO(bradfitz, zhaoq): A copy is required here because there is no
-		// guarantee f.Data() is consumed before the arrival of next frame.
-		// Can this copy be eliminated?
-		if len(f.Data()) > 0 {
-			pool := t.bufferPool
-			if pool == nil {
-				// Note that this is only supposed to be nil in tests. Otherwise, stream is
-				// always initialized with a BufferPool.
-				pool = mem.DefaultBufferPool()
-			}
-			s.write(recvMsg{buffer: mem.Copy(f.Data(), pool)})
+		if dataLen > 0 {
+			f.data.Ref()
+			s.write(recvMsg{buffer: f.data})
 		}
 	}
 	// The server has closed the stream without sending trailers.  Record that
@@ -1465,17 +1465,14 @@ func (t *http2Client) operateHeaders(frame *http2.MetaHeadersFrame) {
 		contentTypeErr = "malformed header: missing HTTP content-type"
 		grpcMessage    string
 		recvCompress   string
-		httpStatusCode *int
 		httpStatusErr  string
-		rawStatusCode  = codes.Unknown
+		// the code from the grpc-status header, if present
+		grpcStatusCode = codes.Unknown
 		// headerError is set if an error is encountered while parsing the headers
 		headerError string
+		httpStatus  string
 	)
 
-	if initialHeader {
-		httpStatusErr = "malformed header: missing HTTP status"
-	}
-
 	for _, hf := range frame.Fields {
 		switch hf.Name {
 		case "content-type":
@@ -1491,35 +1488,15 @@ func (t *http2Client) operateHeaders(frame *http2.MetaHeadersFrame) {
 		case "grpc-status":
 			code, err := strconv.ParseInt(hf.Value, 10, 32)
 			if err != nil {
-				se := status.New(codes.Internal, fmt.Sprintf("transport: malformed grpc-status: %v", err))
+				se := status.New(codes.Unknown, fmt.Sprintf("transport: malformed grpc-status: %v", err))
 				t.closeStream(s, se.Err(), true, http2.ErrCodeProtocol, se, nil, endStream)
 				return
 			}
-			rawStatusCode = codes.Code(uint32(code))
+			grpcStatusCode = codes.Code(uint32(code))
 		case "grpc-message":
 			grpcMessage = decodeGrpcMessage(hf.Value)
 		case ":status":
-			if hf.Value == "200" {
-				httpStatusErr = ""
-				statusCode := 200
-				httpStatusCode = &statusCode
-				break
-			}
-
-			c, err := strconv.ParseInt(hf.Value, 10, 32)
-			if err != nil {
-				se := status.New(codes.Internal, fmt.Sprintf("transport: malformed http-status: %v", err))
-				t.closeStream(s, se.Err(), true, http2.ErrCodeProtocol, se, nil, endStream)
-				return
-			}
-			statusCode := int(c)
-			httpStatusCode = &statusCode
-
-			httpStatusErr = fmt.Sprintf(
-				"unexpected HTTP status code received from server: %d (%s)",
-				statusCode,
-				http.StatusText(statusCode),
-			)
+			httpStatus = hf.Value
 		default:
 			if isReservedHeader(hf.Name) && !isWhitelistedHeader(hf.Name) {
 				break
@@ -1534,25 +1511,52 @@ func (t *http2Client) operateHeaders(frame *http2.MetaHeadersFrame) {
 		}
 	}
 
-	if !isGRPC || httpStatusErr != "" {
-		var code = codes.Internal // when header does not include HTTP status, return INTERNAL
-
-		if httpStatusCode != nil {
+	// If a non-gRPC response is received, then evaluate the HTTP status to
+	// process the response and close the stream.
+	// In case http status doesn't provide any error information (status : 200),
+	// then evalute response code to be Unknown.
+	if !isGRPC {
+		var grpcErrorCode = codes.Internal
+		if httpStatus == "" {
+			httpStatusErr = "malformed header: missing HTTP status"
+		} else {
+			// Parse the status codes (e.g. "200", 404").
+			statusCode, err := strconv.Atoi(httpStatus)
+			if err != nil {
+				se := status.New(grpcErrorCode, fmt.Sprintf("transport: malformed http-status: %v", err))
+				t.closeStream(s, se.Err(), true, http2.ErrCodeProtocol, se, nil, endStream)
+				return
+			}
+			if statusCode >= 100 && statusCode < 200 {
+				if endStream {
+					se := status.New(codes.Internal, fmt.Sprintf(
+						"protocol error: informational header with status code %d must not have END_STREAM set", statusCode))
+					t.closeStream(s, se.Err(), true, http2.ErrCodeProtocol, se, nil, endStream)
+				}
+				// In case of informational headers, return.
+				return
+			}
+			httpStatusErr = fmt.Sprintf(
+				"unexpected HTTP status code received from server: %d (%s)",
+				statusCode,
+				http.StatusText(statusCode),
+			)
 			var ok bool
-			code, ok = HTTPStatusConvTab[*httpStatusCode]
+			grpcErrorCode, ok = HTTPStatusConvTab[statusCode]
 			if !ok {
-				code = codes.Unknown
+				grpcErrorCode = codes.Unknown
 			}
 		}
 		var errs []string
 		if httpStatusErr != "" {
 			errs = append(errs, httpStatusErr)
 		}
+
 		if contentTypeErr != "" {
 			errs = append(errs, contentTypeErr)
 		}
-		// Verify the HTTP response is a 200.
-		se := status.New(code, strings.Join(errs, "; "))
+
+		se := status.New(grpcErrorCode, strings.Join(errs, "; "))
 		t.closeStream(s, se.Err(), true, http2.ErrCodeProtocol, se, nil, endStream)
 		return
 	}
@@ -1583,22 +1587,20 @@ func (t *http2Client) operateHeaders(frame *http2.MetaHeadersFrame) {
 		}
 	}
 
-	for _, sh := range t.statsHandlers {
+	if t.statsHandler != nil {
 		if !endStream {
-			inHeader := &stats.InHeader{
+			t.statsHandler.HandleRPC(s.ctx, &stats.InHeader{
 				Client:      true,
 				WireLength:  int(frame.Header().Length),
 				Header:      metadata.MD(mdata).Copy(),
 				Compression: s.recvCompress,
-			}
-			sh.HandleRPC(s.ctx, inHeader)
+			})
 		} else {
-			inTrailer := &stats.InTrailer{
+			t.statsHandler.HandleRPC(s.ctx, &stats.InTrailer{
 				Client:     true,
 				WireLength: int(frame.Header().Length),
 				Trailer:    metadata.MD(mdata).Copy(),
-			}
-			sh.HandleRPC(s.ctx, inTrailer)
+			})
 		}
 	}
 
@@ -1606,7 +1608,7 @@ func (t *http2Client) operateHeaders(frame *http2.MetaHeadersFrame) {
 		return
 	}
 
-	status := istatus.NewWithProto(rawStatusCode, grpcMessage, mdata[grpcStatusDetailsBinHeader])
+	status := istatus.NewWithProto(grpcStatusCode, grpcMessage, mdata[grpcStatusDetailsBinHeader])
 
 	// If client received END_STREAM from server while stream was still active,
 	// send RST_STREAM.
@@ -1653,7 +1655,7 @@ func (t *http2Client) reader(errCh chan<- error) {
 	// loop to keep reading incoming messages on this transport.
 	for {
 		t.controlBuf.throttle()
-		frame, err := t.framer.fr.ReadFrame()
+		frame, err := t.framer.readFrame()
 		if t.keepaliveEnabled {
 			atomic.StoreInt64(&t.lastRead, time.Now().UnixNano())
 		}
@@ -1668,7 +1670,7 @@ func (t *http2Client) reader(errCh chan<- error) {
 				if s != nil {
 					// use error detail to provide better err message
 					code := http2ErrConvTab[se.Code]
-					errorDetail := t.framer.fr.ErrorDetail()
+					errorDetail := t.framer.errorDetail()
 					var msg string
 					if errorDetail != nil {
 						msg = errorDetail.Error()
@@ -1686,8 +1688,9 @@ func (t *http2Client) reader(errCh chan<- error) {
 		switch frame := frame.(type) {
 		case *http2.MetaHeadersFrame:
 			t.operateHeaders(frame)
-		case *http2.DataFrame:
+		case *parsedDataFrame:
 			t.handleData(frame)
+			frame.data.Free()
 		case *http2.RSTStreamFrame:
 			t.handleRSTStream(frame)
 		case *http2.SettingsFrame:
@@ -1807,8 +1810,6 @@ func (t *http2Client) socketMetrics() *channelz.EphemeralSocketMetrics {
 	}
 }
 
-func (t *http2Client) RemoteAddr() net.Addr { return t.remoteAddr }
-
 func (t *http2Client) incrMsgSent() {
 	if channelz.IsOn() {
 		t.channelz.SocketMetrics.MessagesSent.Add(1)
diff --git a/vendor/google.golang.org/grpc/internal/transport/http2_server.go b/vendor/google.golang.org/grpc/internal/transport/http2_server.go
index 83cee314c8..6f78a6b0c8 100644
--- a/vendor/google.golang.org/grpc/internal/transport/http2_server.go
+++ b/vendor/google.golang.org/grpc/internal/transport/http2_server.go
@@ -35,6 +35,8 @@ import (
 
 	"golang.org/x/net/http2"
 	"golang.org/x/net/http2/hpack"
+	"google.golang.org/protobuf/proto"
+
 	"google.golang.org/grpc/internal"
 	"google.golang.org/grpc/internal/grpclog"
 	"google.golang.org/grpc/internal/grpcutil"
@@ -42,7 +44,6 @@ import (
 	istatus "google.golang.org/grpc/internal/status"
 	"google.golang.org/grpc/internal/syscall"
 	"google.golang.org/grpc/mem"
-	"google.golang.org/protobuf/proto"
 
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/credentials"
@@ -86,7 +87,7 @@ type http2Server struct {
 	// updates, reset streams, and various settings) to the controller.
 	controlBuf *controlBuffer
 	fc         *trInFlow
-	stats      []stats.Handler
+	stats      stats.Handler
 	// Keepalive and max-age parameters for the server.
 	kp keepalive.ServerParameters
 	// Keepalive enforcement policy.
@@ -168,7 +169,7 @@ func NewServerTransport(conn net.Conn, config *ServerConfig) (_ ServerTransport,
 	if config.MaxHeaderListSize != nil {
 		maxHeaderListSize = *config.MaxHeaderListSize
 	}
-	framer := newFramer(conn, writeBufSize, readBufSize, config.SharedWriteBuffer, maxHeaderListSize)
+	framer := newFramer(conn, writeBufSize, readBufSize, config.SharedWriteBuffer, maxHeaderListSize, config.BufferPool)
 	// Send initial settings as connection preface to client.
 	isettings := []http2.Setting{{
 		ID:  http2.SettingMaxFrameSize,
@@ -260,7 +261,7 @@ func NewServerTransport(conn net.Conn, config *ServerConfig) (_ ServerTransport,
 		fc:                &trInFlow{limit: uint32(icwz)},
 		state:             reachable,
 		activeStreams:     make(map[uint32]*ServerStream),
-		stats:             config.StatsHandlers,
+		stats:             config.StatsHandler,
 		kp:                kp,
 		idle:              time.Now(),
 		kep:               kep,
@@ -390,16 +391,15 @@ func (t *http2Server) operateHeaders(ctx context.Context, frame *http2.MetaHeade
 	}
 	t.maxStreamID = streamID
 
-	buf := newRecvBuffer()
 	s := &ServerStream{
-		Stream: &Stream{
-			id:  streamID,
-			buf: buf,
-			fc:  &inFlow{limit: uint32(t.initialWindowSize)},
+		Stream: Stream{
+			id: streamID,
+			fc: inFlow{limit: uint32(t.initialWindowSize)},
 		},
 		st:               t,
 		headerWireLength: int(frame.Header().Length),
 	}
+	s.Stream.buf.init()
 	var (
 		// if false, content-type was missing or invalid
 		isGRPC      = false
@@ -640,25 +640,21 @@ func (t *http2Server) operateHeaders(ctx context.Context, frame *http2.MetaHeade
 		t.channelz.SocketMetrics.StreamsStarted.Add(1)
 		t.channelz.SocketMetrics.LastRemoteStreamCreatedTimestamp.Store(time.Now().UnixNano())
 	}
-	s.requestRead = func(n int) {
-		t.adjustWindow(s, uint32(n))
-	}
+	s.readRequester = s
 	s.ctxDone = s.ctx.Done()
-	s.wq = newWriteQuota(defaultWriteQuota, s.ctxDone)
-	s.trReader = &transportReader{
-		reader: &recvBufferReader{
+	s.Stream.wq.init(defaultWriteQuota, s.ctxDone)
+	s.trReader = transportReader{
+		reader: recvBufferReader{
 			ctx:     s.ctx,
 			ctxDone: s.ctxDone,
-			recv:    s.buf,
-		},
-		windowHandler: func(n int) {
-			t.updateWindow(s, uint32(n))
+			recv:    &s.buf,
 		},
+		windowHandler: s,
 	}
 	// Register the stream with loopy.
 	t.controlBuf.put(®isterStream{
 		streamID: s.id,
-		wq:       s.wq,
+		wq:       &s.wq,
 	})
 	handle(s)
 	return nil
@@ -674,7 +670,7 @@ func (t *http2Server) HandleStreams(ctx context.Context, handle func(*ServerStre
 	}()
 	for {
 		t.controlBuf.throttle()
-		frame, err := t.framer.fr.ReadFrame()
+		frame, err := t.framer.readFrame()
 		atomic.StoreInt64(&t.lastRead, time.Now().UnixNano())
 		if err != nil {
 			if se, ok := err.(http2.StreamError); ok {
@@ -711,8 +707,9 @@ func (t *http2Server) HandleStreams(ctx context.Context, handle func(*ServerStre
 				})
 				continue
 			}
-		case *http2.DataFrame:
+		case *parsedDataFrame:
 			t.handleData(frame)
+			frame.data.Free()
 		case *http2.RSTStreamFrame:
 			t.handleRSTStream(frame)
 		case *http2.SettingsFrame:
@@ -792,7 +789,7 @@ func (t *http2Server) updateFlowControl(n uint32) {
 
 }
 
-func (t *http2Server) handleData(f *http2.DataFrame) {
+func (t *http2Server) handleData(f *parsedDataFrame) {
 	size := f.Header().Length
 	var sendBDPPing bool
 	if t.bdpEst != nil {
@@ -837,22 +834,15 @@ func (t *http2Server) handleData(f *http2.DataFrame) {
 			t.closeStream(s, true, http2.ErrCodeFlowControl, false)
 			return
 		}
+		dataLen := f.data.Len()
 		if f.Header().Flags.Has(http2.FlagDataPadded) {
-			if w := s.fc.onRead(size - uint32(len(f.Data()))); w > 0 {
+			if w := s.fc.onRead(size - uint32(dataLen)); w > 0 {
 				t.controlBuf.put(&outgoingWindowUpdate{s.id, w})
 			}
 		}
-		// TODO(bradfitz, zhaoq): A copy is required here because there is no
-		// guarantee f.Data() is consumed before the arrival of next frame.
-		// Can this copy be eliminated?
-		if len(f.Data()) > 0 {
-			pool := t.bufferPool
-			if pool == nil {
-				// Note that this is only supposed to be nil in tests. Otherwise, stream is
-				// always initialized with a BufferPool.
-				pool = mem.DefaultBufferPool()
-			}
-			s.write(recvMsg{buffer: mem.Copy(f.Data(), pool)})
+		if dataLen > 0 {
+			f.data.Ref()
+			s.write(recvMsg{buffer: f.data})
 		}
 	}
 	if f.StreamEnded() {
@@ -1059,14 +1049,13 @@ func (t *http2Server) writeHeaderLocked(s *ServerStream) error {
 		t.closeStream(s, true, http2.ErrCodeInternal, false)
 		return ErrHeaderListSizeLimitViolation
 	}
-	for _, sh := range t.stats {
+	if t.stats != nil {
 		// Note: Headers are compressed with hpack after this call returns.
 		// No WireLength field is set here.
-		outHeader := &stats.OutHeader{
+		t.stats.HandleRPC(s.Context(), &stats.OutHeader{
 			Header:      s.header.Copy(),
 			Compression: s.sendCompress,
-		}
-		sh.HandleRPC(s.Context(), outHeader)
+		})
 	}
 	return nil
 }
@@ -1134,10 +1123,10 @@ func (t *http2Server) writeStatus(s *ServerStream, st *status.Status) error {
 	// Send a RST_STREAM after the trailers if the client has not already half-closed.
 	rst := s.getState() == streamActive
 	t.finishStream(s, rst, http2.ErrCodeNo, trailingHeader, true)
-	for _, sh := range t.stats {
+	if t.stats != nil {
 		// Note: The trailer fields are compressed with hpack after this call returns.
 		// No WireLength field is set here.
-		sh.HandleRPC(s.Context(), &stats.OutTrailer{
+		t.stats.HandleRPC(s.Context(), &stats.OutTrailer{
 			Trailer: s.trailer.Copy(),
 		})
 	}
@@ -1305,7 +1294,8 @@ func (t *http2Server) Close(err error) {
 // deleteStream deletes the stream s from transport's active streams.
 func (t *http2Server) deleteStream(s *ServerStream, eosReceived bool) {
 	t.mu.Lock()
-	if _, ok := t.activeStreams[s.id]; ok {
+	_, isActive := t.activeStreams[s.id]
+	if isActive {
 		delete(t.activeStreams, s.id)
 		if len(t.activeStreams) == 0 {
 			t.idle = time.Now()
@@ -1313,7 +1303,7 @@ func (t *http2Server) deleteStream(s *ServerStream, eosReceived bool) {
 	}
 	t.mu.Unlock()
 
-	if channelz.IsOn() {
+	if isActive && channelz.IsOn() {
 		if eosReceived {
 			t.channelz.SocketMetrics.StreamsSucceeded.Add(1)
 		} else {
diff --git a/vendor/google.golang.org/grpc/internal/transport/http_util.go b/vendor/google.golang.org/grpc/internal/transport/http_util.go
index e3663f87f3..5bbb641ad9 100644
--- a/vendor/google.golang.org/grpc/internal/transport/http_util.go
+++ b/vendor/google.golang.org/grpc/internal/transport/http_util.go
@@ -25,7 +25,6 @@ import (
 	"fmt"
 	"io"
 	"math"
-	"net"
 	"net/http"
 	"net/url"
 	"strconv"
@@ -37,6 +36,7 @@ import (
 	"golang.org/x/net/http2"
 	"golang.org/x/net/http2/hpack"
 	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/mem"
 )
 
 const (
@@ -300,11 +300,11 @@ type bufWriter struct {
 	buf       []byte
 	offset    int
 	batchSize int
-	conn      net.Conn
+	conn      io.Writer
 	err       error
 }
 
-func newBufWriter(conn net.Conn, batchSize int, pool *sync.Pool) *bufWriter {
+func newBufWriter(conn io.Writer, batchSize int, pool *sync.Pool) *bufWriter {
 	w := &bufWriter{
 		batchSize: batchSize,
 		conn:      conn,
@@ -388,15 +388,29 @@ func toIOError(err error) error {
 	return ioError{error: err}
 }
 
+type parsedDataFrame struct {
+	http2.FrameHeader
+	data mem.Buffer
+}
+
+func (df *parsedDataFrame) StreamEnded() bool {
+	return df.FrameHeader.Flags.Has(http2.FlagDataEndStream)
+}
+
 type framer struct {
-	writer *bufWriter
-	fr     *http2.Framer
+	writer    *bufWriter
+	fr        *http2.Framer
+	headerBuf []byte // cached slice for framer headers to reduce heap allocs.
+	reader    io.Reader
+	dataFrame parsedDataFrame // Cached data frame to avoid heap allocations.
+	pool      mem.BufferPool
+	errDetail error
 }
 
 var writeBufferPoolMap = make(map[int]*sync.Pool)
 var writeBufferMutex sync.Mutex
 
-func newFramer(conn net.Conn, writeBufferSize, readBufferSize int, sharedWriteBuffer bool, maxHeaderListSize uint32) *framer {
+func newFramer(conn io.ReadWriter, writeBufferSize, readBufferSize int, sharedWriteBuffer bool, maxHeaderListSize uint32, memPool mem.BufferPool) *framer {
 	if writeBufferSize < 0 {
 		writeBufferSize = 0
 	}
@@ -412,6 +426,8 @@ func newFramer(conn net.Conn, writeBufferSize, readBufferSize int, sharedWriteBu
 	f := &framer{
 		writer: w,
 		fr:     http2.NewFramer(w, r),
+		reader: r,
+		pool:   memPool,
 	}
 	f.fr.SetMaxReadFrameSize(http2MaxFrameLen)
 	// Opt-in to Frame reuse API on framer to reduce garbage.
@@ -422,6 +438,146 @@ func newFramer(conn net.Conn, writeBufferSize, readBufferSize int, sharedWriteBu
 	return f
 }
 
+// writeData writes a DATA frame.
+//
+// It is the caller's responsibility not to violate the maximum frame size.
+func (f *framer) writeData(streamID uint32, endStream bool, data [][]byte) error {
+	var flags http2.Flags
+	if endStream {
+		flags = http2.FlagDataEndStream
+	}
+	length := uint32(0)
+	for _, d := range data {
+		length += uint32(len(d))
+	}
+	// TODO: Replace the header write with the framer API being added in
+	// https://github.com/golang/go/issues/66655.
+	f.headerBuf = append(f.headerBuf[:0],
+		byte(length>>16),
+		byte(length>>8),
+		byte(length),
+		byte(http2.FrameData),
+		byte(flags),
+		byte(streamID>>24),
+		byte(streamID>>16),
+		byte(streamID>>8),
+		byte(streamID))
+	if _, err := f.writer.Write(f.headerBuf); err != nil {
+		return err
+	}
+	for _, d := range data {
+		if _, err := f.writer.Write(d); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// readFrame reads a single frame. The returned Frame is only valid
+// until the next call to readFrame.
+func (f *framer) readFrame() (any, error) {
+	f.errDetail = nil
+	fh, err := f.fr.ReadFrameHeader()
+	if err != nil {
+		f.errDetail = f.fr.ErrorDetail()
+		return nil, err
+	}
+	// Read the data frame directly from the underlying io.Reader to avoid
+	// copies.
+	if fh.Type == http2.FrameData {
+		err = f.readDataFrame(fh)
+		return &f.dataFrame, err
+	}
+	fr, err := f.fr.ReadFrameForHeader(fh)
+	if err != nil {
+		f.errDetail = f.fr.ErrorDetail()
+		return nil, err
+	}
+	return fr, err
+}
+
+// errorDetail returns a more detailed error of the last error
+// returned by framer.readFrame. For instance, if readFrame
+// returns a StreamError with code PROTOCOL_ERROR, errorDetail
+// will say exactly what was invalid. errorDetail is not guaranteed
+// to return a non-nil value.
+// errorDetail is reset after the next call to readFrame.
+func (f *framer) errorDetail() error {
+	return f.errDetail
+}
+
+func (f *framer) readDataFrame(fh http2.FrameHeader) (err error) {
+	if fh.StreamID == 0 {
+		// DATA frames MUST be associated with a stream. If a
+		// DATA frame is received whose stream identifier
+		// field is 0x0, the recipient MUST respond with a
+		// connection error (Section 5.4.1) of type
+		// PROTOCOL_ERROR.
+		f.errDetail = errors.New("DATA frame with stream ID 0")
+		return http2.ConnectionError(http2.ErrCodeProtocol)
+	}
+	// Converting a *[]byte to a mem.SliceBuffer incurs a heap allocation. This
+	// conversion is performed by mem.NewBuffer. To avoid the extra allocation
+	// a []byte is allocated directly if required and cast to a mem.SliceBuffer.
+	var buf []byte
+	// poolHandle is the pointer returned by the buffer pool (if it's used.).
+	var poolHandle *[]byte
+	useBufferPool := !mem.IsBelowBufferPoolingThreshold(int(fh.Length))
+	if useBufferPool {
+		poolHandle = f.pool.Get(int(fh.Length))
+		buf = *poolHandle
+		defer func() {
+			if err != nil {
+				f.pool.Put(poolHandle)
+			}
+		}()
+	} else {
+		buf = make([]byte, int(fh.Length))
+	}
+	if fh.Flags.Has(http2.FlagDataPadded) {
+		if fh.Length == 0 {
+			return io.ErrUnexpectedEOF
+		}
+		// This initial 1-byte read can be inefficient for unbuffered readers,
+		// but it allows the rest of the payload to be read directly to the
+		// start of the destination slice. This makes it easy to return the
+		// original slice back to the buffer pool.
+		if _, err := io.ReadFull(f.reader, buf[:1]); err != nil {
+			return err
+		}
+		padSize := buf[0]
+		buf = buf[:len(buf)-1]
+		if int(padSize) > len(buf) {
+			// If the length of the padding is greater than the
+			// length of the frame payload, the recipient MUST
+			// treat this as a connection error.
+			// Filed: https://github.com/http2/http2-spec/issues/610
+			f.errDetail = errors.New("pad size larger than data payload")
+			return http2.ConnectionError(http2.ErrCodeProtocol)
+		}
+		if _, err := io.ReadFull(f.reader, buf); err != nil {
+			return err
+		}
+		buf = buf[:len(buf)-int(padSize)]
+	} else if _, err := io.ReadFull(f.reader, buf); err != nil {
+		return err
+	}
+
+	f.dataFrame.FrameHeader = fh
+	if useBufferPool {
+		// Update the handle to point to the (potentially re-sliced) buf.
+		*poolHandle = buf
+		f.dataFrame.data = mem.NewBuffer(poolHandle, f.pool)
+	} else {
+		f.dataFrame.data = mem.SliceBuffer(buf)
+	}
+	return nil
+}
+
+func (df *parsedDataFrame) Header() http2.FrameHeader {
+	return df.FrameHeader
+}
+
 func getWriteBufferPool(size int) *sync.Pool {
 	writeBufferMutex.Lock()
 	defer writeBufferMutex.Unlock()
diff --git a/vendor/google.golang.org/grpc/internal/transport/server_stream.go b/vendor/google.golang.org/grpc/internal/transport/server_stream.go
index cf8da0b52d..ed6a13b750 100644
--- a/vendor/google.golang.org/grpc/internal/transport/server_stream.go
+++ b/vendor/google.golang.org/grpc/internal/transport/server_stream.go
@@ -32,7 +32,7 @@ import (
 
 // ServerStream implements streaming functionality for a gRPC server.
 type ServerStream struct {
-	*Stream // Embed for common stream functionality.
+	Stream // Embed for common stream functionality.
 
 	st      internalServerTransport
 	ctxDone <-chan struct{} // closed at the end of stream.  Cache of ctx.Done() (for performance)
@@ -43,12 +43,13 @@ type ServerStream struct {
 	// Holds compressor names passed in grpc-accept-encoding metadata from the
 	// client.
 	clientAdvertisedCompressors string
-	headerWireLength            int
 
 	// hdrMu protects outgoing header and trailer metadata.
 	hdrMu      sync.Mutex
 	header     metadata.MD // the outgoing header metadata.  Updated by WriteHeader.
 	headerSent atomic.Bool // atomically set when the headers are sent out.
+
+	headerWireLength int
 }
 
 // Read reads an n byte message from the input stream.
@@ -178,3 +179,11 @@ func (s *ServerStream) SetTrailer(md metadata.MD) error {
 	s.hdrMu.Unlock()
 	return nil
 }
+
+func (s *ServerStream) requestRead(n int) {
+	s.st.adjustWindow(s, uint32(n))
+}
+
+func (s *ServerStream) updateWindow(n int) {
+	s.st.updateWindow(s, uint32(n))
+}
diff --git a/vendor/google.golang.org/grpc/internal/transport/transport.go b/vendor/google.golang.org/grpc/internal/transport/transport.go
index 7dd53e80a7..6daf1e002d 100644
--- a/vendor/google.golang.org/grpc/internal/transport/transport.go
+++ b/vendor/google.golang.org/grpc/internal/transport/transport.go
@@ -68,11 +68,11 @@ type recvBuffer struct {
 	err     error
 }
 
-func newRecvBuffer() *recvBuffer {
-	b := &recvBuffer{
-		c: make(chan recvMsg, 1),
-	}
-	return b
+// init allows a recvBuffer to be initialized in-place, which is useful
+// for resetting a buffer or for avoiding a heap allocation when the buffer
+// is embedded in another struct.
+func (b *recvBuffer) init() {
+	b.c = make(chan recvMsg, 1)
 }
 
 func (b *recvBuffer) put(r recvMsg) {
@@ -123,12 +123,13 @@ func (b *recvBuffer) get() <-chan recvMsg {
 // recvBufferReader implements io.Reader interface to read the data from
 // recvBuffer.
 type recvBufferReader struct {
-	closeStream func(error) // Closes the client transport stream with the given error and nil trailer metadata.
-	ctx         context.Context
-	ctxDone     <-chan struct{} // cache of ctx.Done() (for performance).
-	recv        *recvBuffer
-	last        mem.Buffer // Stores the remaining data in the previous calls.
-	err         error
+	_            noCopy
+	clientStream *ClientStream // The client transport stream is closed with a status representing ctx.Err() and nil trailer metadata.
+	ctx          context.Context
+	ctxDone      <-chan struct{} // cache of ctx.Done() (for performance).
+	recv         *recvBuffer
+	last         mem.Buffer // Stores the remaining data in the previous calls.
+	err          error
 }
 
 func (r *recvBufferReader) ReadMessageHeader(header []byte) (n int, err error) {
@@ -139,7 +140,7 @@ func (r *recvBufferReader) ReadMessageHeader(header []byte) (n int, err error) {
 		n, r.last = mem.ReadUnsafe(header, r.last)
 		return n, nil
 	}
-	if r.closeStream != nil {
+	if r.clientStream != nil {
 		n, r.err = r.readMessageHeaderClient(header)
 	} else {
 		n, r.err = r.readMessageHeader(header)
@@ -164,7 +165,7 @@ func (r *recvBufferReader) Read(n int) (buf mem.Buffer, err error) {
 		}
 		return buf, nil
 	}
-	if r.closeStream != nil {
+	if r.clientStream != nil {
 		buf, r.err = r.readClient(n)
 	} else {
 		buf, r.err = r.read(n)
@@ -209,7 +210,7 @@ func (r *recvBufferReader) readMessageHeaderClient(header []byte) (n int, err er
 		// TODO: delaying ctx error seems like a unnecessary side effect. What
 		// we really want is to mark the stream as done, and return ctx error
 		// faster.
-		r.closeStream(ContextErr(r.ctx.Err()))
+		r.clientStream.Close(ContextErr(r.ctx.Err()))
 		m := <-r.recv.get()
 		return r.readMessageHeaderAdditional(m, header)
 	case m := <-r.recv.get():
@@ -236,7 +237,7 @@ func (r *recvBufferReader) readClient(n int) (buf mem.Buffer, err error) {
 		// TODO: delaying ctx error seems like a unnecessary side effect. What
 		// we really want is to mark the stream as done, and return ctx error
 		// faster.
-		r.closeStream(ContextErr(r.ctx.Err()))
+		r.clientStream.Close(ContextErr(r.ctx.Err()))
 		m := <-r.recv.get()
 		return r.readAdditional(m, n)
 	case m := <-r.recv.get():
@@ -285,27 +286,32 @@ const (
 
 // Stream represents an RPC in the transport layer.
 type Stream struct {
-	id           uint32
 	ctx          context.Context // the associated context of the stream
 	method       string          // the associated RPC method of the stream
 	recvCompress string
 	sendCompress string
-	buf          *recvBuffer
-	trReader     *transportReader
-	fc           *inFlow
-	wq           *writeQuota
-
-	// Callback to state application's intentions to read data. This
-	// is used to adjust flow control, if needed.
-	requestRead func(int)
 
-	state streamState
+	readRequester readRequester
 
 	// contentSubtype is the content-subtype for requests.
 	// this must be lowercase or the behavior is undefined.
 	contentSubtype string
 
 	trailer metadata.MD // the key-value map of trailer metadata.
+
+	// Non-pointer fields are at the end to optimize GC performance.
+	state    streamState
+	id       uint32
+	buf      recvBuffer
+	trReader transportReader
+	fc       inFlow
+	wq       writeQuota
+}
+
+// readRequester is used to state application's intentions to read data. This
+// is used to adjust flow control, if needed.
+type readRequester interface {
+	requestRead(int)
 }
 
 func (s *Stream) swapState(st streamState) streamState {
@@ -355,7 +361,7 @@ func (s *Stream) ReadMessageHeader(header []byte) (err error) {
 	if er := s.trReader.er; er != nil {
 		return er
 	}
-	s.requestRead(len(header))
+	s.readRequester.requestRead(len(header))
 	for len(header) != 0 {
 		n, err := s.trReader.ReadMessageHeader(header)
 		header = header[n:]
@@ -378,7 +384,7 @@ func (s *Stream) read(n int) (data mem.BufferSlice, err error) {
 	if er := s.trReader.er; er != nil {
 		return nil, er
 	}
-	s.requestRead(n)
+	s.readRequester.requestRead(n)
 	for n != 0 {
 		buf, err := s.trReader.Read(n)
 		var bufLen int
@@ -401,16 +407,34 @@ func (s *Stream) read(n int) (data mem.BufferSlice, err error) {
 	return data, nil
 }
 
+// noCopy may be embedded into structs which must not be copied
+// after the first use.
+//
+// See https://golang.org/issues/8005#issuecomment-190753527
+// for details.
+type noCopy struct {
+}
+
+func (*noCopy) Lock()   {}
+func (*noCopy) Unlock() {}
+
 // transportReader reads all the data available for this Stream from the transport and
 // passes them into the decoder, which converts them into a gRPC message stream.
 // The error is io.EOF when the stream is done or another non-nil error if
 // the stream broke.
 type transportReader struct {
-	reader *recvBufferReader
+	_ noCopy
 	// The handler to control the window update procedure for both this
 	// particular stream and the associated transport.
-	windowHandler func(int)
+	windowHandler windowHandler
 	er            error
+	reader        recvBufferReader
+}
+
+// The handler to control the window update procedure for both this
+// particular stream and the associated transport.
+type windowHandler interface {
+	updateWindow(int)
 }
 
 func (t *transportReader) ReadMessageHeader(header []byte) (int, error) {
@@ -419,7 +443,7 @@ func (t *transportReader) ReadMessageHeader(header []byte) (int, error) {
 		t.er = err
 		return 0, err
 	}
-	t.windowHandler(n)
+	t.windowHandler.updateWindow(n)
 	return n, nil
 }
 
@@ -429,7 +453,7 @@ func (t *transportReader) Read(n int) (mem.Buffer, error) {
 		t.er = err
 		return buf, err
 	}
-	t.windowHandler(buf.Len())
+	t.windowHandler.updateWindow(buf.Len())
 	return buf, nil
 }
 
@@ -454,7 +478,7 @@ type ServerConfig struct {
 	ConnectionTimeout     time.Duration
 	Credentials           credentials.TransportCredentials
 	InTapHandle           tap.ServerInHandle
-	StatsHandlers         []stats.Handler
+	StatsHandler          stats.Handler
 	KeepaliveParams       keepalive.ServerParameters
 	KeepalivePolicy       keepalive.EnforcementPolicy
 	InitialWindowSize     int32
@@ -529,6 +553,12 @@ type CallHdr struct {
 	// outbound message.
 	SendCompress string
 
+	// AcceptedCompressors overrides the grpc-accept-encoding header for this
+	// call. When nil, the transport advertises the default set of registered
+	// compressors. A non-nil pointer overrides that value (including the empty
+	// string to advertise none).
+	AcceptedCompressors *string
+
 	// Creds specifies credentials.PerRPCCredentials for a call.
 	Creds credentials.PerRPCCredentials
 
@@ -584,8 +614,9 @@ type ClientTransport interface {
 	// with a human readable string with debug info.
 	GetGoAwayReason() (GoAwayReason, string)
 
-	// RemoteAddr returns the remote network address.
-	RemoteAddr() net.Addr
+	// Peer returns information about the peer associated with the Transport.
+	// The returned information includes authentication and network address details.
+	Peer() *peer.Peer
 }
 
 // ServerTransport is the common interface for all gRPC server-side transport
@@ -615,6 +646,8 @@ type internalServerTransport interface {
 	write(s *ServerStream, hdr []byte, data mem.BufferSlice, opts *WriteOptions) error
 	writeStatus(s *ServerStream, st *status.Status) error
 	incrMsgRecv()
+	adjustWindow(s *ServerStream, n uint32)
+	updateWindow(s *ServerStream, n uint32)
 }
 
 // connectionErrorf creates an ConnectionError with the specified error description.
diff --git a/vendor/google.golang.org/grpc/mem/buffer_pool.go b/vendor/google.golang.org/grpc/mem/buffer_pool.go
index c37c58c023..e37afdd198 100644
--- a/vendor/google.golang.org/grpc/mem/buffer_pool.go
+++ b/vendor/google.golang.org/grpc/mem/buffer_pool.go
@@ -32,12 +32,17 @@ type BufferPool interface {
 	Get(length int) *[]byte
 
 	// Put returns a buffer to the pool.
+	//
+	// The provided pointer must hold a prefix of the buffer obtained via
+	// BufferPool.Get to ensure the buffer's entire capacity can be re-used.
 	Put(*[]byte)
 }
 
+const goPageSize = 4 << 10 // 4KiB. N.B. this must be a power of 2.
+
 var defaultBufferPoolSizes = []int{
 	256,
-	4 << 10,  // 4KB (go page size)
+	goPageSize,
 	16 << 10, // 16KB (max HTTP/2 frame size used by gRPC)
 	32 << 10, // 32KB (default buffer size for io.Copy)
 	1 << 20,  // 1MB
@@ -118,7 +123,11 @@ type sizedBufferPool struct {
 }
 
 func (p *sizedBufferPool) Get(size int) *[]byte {
-	buf := p.pool.Get().(*[]byte)
+	buf, ok := p.pool.Get().(*[]byte)
+	if !ok {
+		buf := make([]byte, size, p.defaultSize)
+		return &buf
+	}
 	b := *buf
 	clear(b[:cap(b)])
 	*buf = b[:size]
@@ -137,12 +146,6 @@ func (p *sizedBufferPool) Put(buf *[]byte) {
 
 func newSizedBufferPool(size int) *sizedBufferPool {
 	return &sizedBufferPool{
-		pool: sync.Pool{
-			New: func() any {
-				buf := make([]byte, size)
-				return &buf
-			},
-		},
 		defaultSize: size,
 	}
 }
@@ -160,6 +163,7 @@ type simpleBufferPool struct {
 func (p *simpleBufferPool) Get(size int) *[]byte {
 	bs, ok := p.pool.Get().(*[]byte)
 	if ok && cap(*bs) >= size {
+		clear((*bs)[:cap(*bs)])
 		*bs = (*bs)[:size]
 		return bs
 	}
@@ -170,7 +174,14 @@ func (p *simpleBufferPool) Get(size int) *[]byte {
 		p.pool.Put(bs)
 	}
 
-	b := make([]byte, size)
+	// If we're going to allocate, round up to the nearest page. This way if
+	// requests frequently arrive with small variation we don't allocate
+	// repeatedly if we get unlucky and they increase over time. By default we
+	// only allocate here if size > 1MiB. Because goPageSize is a power of 2, we
+	// can round up efficiently.
+	allocSize := (size + goPageSize - 1) & ^(goPageSize - 1)
+
+	b := make([]byte, size, allocSize)
 	return &b
 }
 
diff --git a/vendor/google.golang.org/grpc/mem/buffer_slice.go b/vendor/google.golang.org/grpc/mem/buffer_slice.go
index af510d20c5..084fb19c6d 100644
--- a/vendor/google.golang.org/grpc/mem/buffer_slice.go
+++ b/vendor/google.golang.org/grpc/mem/buffer_slice.go
@@ -19,6 +19,7 @@
 package mem
 
 import (
+	"fmt"
 	"io"
 )
 
@@ -117,43 +118,36 @@ func (s BufferSlice) MaterializeToBuffer(pool BufferPool) Buffer {
 
 // Reader returns a new Reader for the input slice after taking references to
 // each underlying buffer.
-func (s BufferSlice) Reader() Reader {
+func (s BufferSlice) Reader() *Reader {
 	s.Ref()
-	return &sliceReader{
+	return &Reader{
 		data: s,
 		len:  s.Len(),
 	}
 }
 
 // Reader exposes a BufferSlice's data as an io.Reader, allowing it to interface
-// with other parts systems. It also provides an additional convenience method
-// Remaining(), which returns the number of unread bytes remaining in the slice.
+// with other systems.
+//
 // Buffers will be freed as they are read.
-type Reader interface {
-	io.Reader
-	io.ByteReader
-	// Close frees the underlying BufferSlice and never returns an error. Subsequent
-	// calls to Read will return (0, io.EOF).
-	Close() error
-	// Remaining returns the number of unread bytes remaining in the slice.
-	Remaining() int
-	// Reset frees the currently held buffer slice and starts reading from the
-	// provided slice. This allows reusing the reader object.
-	Reset(s BufferSlice)
-}
-
-type sliceReader struct {
+//
+// A Reader can be constructed from a BufferSlice; alternatively the zero value
+// of a Reader may be used after calling Reset on it.
+type Reader struct {
 	data BufferSlice
 	len  int
 	// The index into data[0].ReadOnlyData().
 	bufferIdx int
 }
 
-func (r *sliceReader) Remaining() int {
+// Remaining returns the number of unread bytes remaining in the slice.
+func (r *Reader) Remaining() int {
 	return r.len
 }
 
-func (r *sliceReader) Reset(s BufferSlice) {
+// Reset frees the currently held buffer slice and starts reading from the
+// provided slice. This allows reusing the reader object.
+func (r *Reader) Reset(s BufferSlice) {
 	r.data.Free()
 	s.Ref()
 	r.data = s
@@ -161,14 +155,16 @@ func (r *sliceReader) Reset(s BufferSlice) {
 	r.bufferIdx = 0
 }
 
-func (r *sliceReader) Close() error {
+// Close frees the underlying BufferSlice and never returns an error. Subsequent
+// calls to Read will return (0, io.EOF).
+func (r *Reader) Close() error {
 	r.data.Free()
 	r.data = nil
 	r.len = 0
 	return nil
 }
 
-func (r *sliceReader) freeFirstBufferIfEmpty() bool {
+func (r *Reader) freeFirstBufferIfEmpty() bool {
 	if len(r.data) == 0 || r.bufferIdx != len(r.data[0].ReadOnlyData()) {
 		return false
 	}
@@ -179,7 +175,7 @@ func (r *sliceReader) freeFirstBufferIfEmpty() bool {
 	return true
 }
 
-func (r *sliceReader) Read(buf []byte) (n int, _ error) {
+func (r *Reader) Read(buf []byte) (n int, _ error) {
 	if r.len == 0 {
 		return 0, io.EOF
 	}
@@ -202,7 +198,8 @@ func (r *sliceReader) Read(buf []byte) (n int, _ error) {
 	return n, nil
 }
 
-func (r *sliceReader) ReadByte() (byte, error) {
+// ReadByte reads a single byte.
+func (r *Reader) ReadByte() (byte, error) {
 	if r.len == 0 {
 		return 0, io.EOF
 	}
@@ -290,3 +287,59 @@ nextBuffer:
 		}
 	}
 }
+
+// Discard skips the next n bytes, returning the number of bytes discarded.
+//
+// It frees buffers as they are fully consumed.
+//
+// If Discard skips fewer than n bytes, it also returns an error.
+func (r *Reader) Discard(n int) (discarded int, err error) {
+	total := n
+	for n > 0 && r.len > 0 {
+		curData := r.data[0].ReadOnlyData()
+		curSize := min(n, len(curData)-r.bufferIdx)
+		n -= curSize
+		r.len -= curSize
+		r.bufferIdx += curSize
+		if r.bufferIdx >= len(curData) {
+			r.data[0].Free()
+			r.data = r.data[1:]
+			r.bufferIdx = 0
+		}
+	}
+	discarded = total - n
+	if n > 0 {
+		return discarded, fmt.Errorf("insufficient bytes in reader")
+	}
+	return discarded, nil
+}
+
+// Peek returns the next n bytes without advancing the reader.
+//
+// Peek appends results to the provided res slice and returns the updated slice.
+// This pattern allows re-using the storage of res if it has sufficient
+// capacity.
+//
+// The returned subslices are views into the underlying buffers and are only
+// valid until the reader is advanced past the corresponding buffer.
+//
+// If Peek returns fewer than n bytes, it also returns an error.
+func (r *Reader) Peek(n int, res [][]byte) ([][]byte, error) {
+	for i := 0; n > 0 && i < len(r.data); i++ {
+		curData := r.data[i].ReadOnlyData()
+		start := 0
+		if i == 0 {
+			start = r.bufferIdx
+		}
+		curSize := min(n, len(curData)-start)
+		if curSize == 0 {
+			continue
+		}
+		res = append(res, curData[start:start+curSize])
+		n -= curSize
+	}
+	if n > 0 {
+		return nil, fmt.Errorf("insufficient bytes in reader")
+	}
+	return res, nil
+}
diff --git a/vendor/google.golang.org/grpc/preloader.go b/vendor/google.golang.org/grpc/preloader.go
index ee0ff969af..1e783febf9 100644
--- a/vendor/google.golang.org/grpc/preloader.go
+++ b/vendor/google.golang.org/grpc/preloader.go
@@ -47,9 +47,6 @@ func (p *PreparedMsg) Encode(s Stream, msg any) error {
 	}
 
 	// check if the context has the relevant information to prepareMsg
-	if rpcInfo.preloaderInfo == nil {
-		return status.Errorf(codes.Internal, "grpc: rpcInfo.preloaderInfo is nil")
-	}
 	if rpcInfo.preloaderInfo.codec == nil {
 		return status.Errorf(codes.Internal, "grpc: rpcInfo.preloaderInfo.codec is nil")
 	}
diff --git a/vendor/google.golang.org/grpc/reflection/grpc_reflection_v1/reflection.pb.go b/vendor/google.golang.org/grpc/reflection/grpc_reflection_v1/reflection.pb.go
index 92f5292211..92fdc3afab 100644
--- a/vendor/google.golang.org/grpc/reflection/grpc_reflection_v1/reflection.pb.go
+++ b/vendor/google.golang.org/grpc/reflection/grpc_reflection_v1/reflection.pb.go
@@ -21,7 +21,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.6
+// 	protoc-gen-go v1.36.10
 // 	protoc        v5.27.1
 // source: grpc/reflection/v1/reflection.proto
 
diff --git a/vendor/google.golang.org/grpc/reflection/grpc_reflection_v1/reflection_grpc.pb.go b/vendor/google.golang.org/grpc/reflection/grpc_reflection_v1/reflection_grpc.pb.go
index f4a361c644..93a243631c 100644
--- a/vendor/google.golang.org/grpc/reflection/grpc_reflection_v1/reflection_grpc.pb.go
+++ b/vendor/google.golang.org/grpc/reflection/grpc_reflection_v1/reflection_grpc.pb.go
@@ -21,7 +21,7 @@
 
 // Code generated by protoc-gen-go-grpc. DO NOT EDIT.
 // versions:
-// - protoc-gen-go-grpc v1.5.1
+// - protoc-gen-go-grpc v1.6.0
 // - protoc             v5.27.1
 // source: grpc/reflection/v1/reflection.proto
 
diff --git a/vendor/google.golang.org/grpc/reflection/grpc_reflection_v1alpha/reflection.pb.go b/vendor/google.golang.org/grpc/reflection/grpc_reflection_v1alpha/reflection.pb.go
index 5253e862f0..c803cf3ba1 100644
--- a/vendor/google.golang.org/grpc/reflection/grpc_reflection_v1alpha/reflection.pb.go
+++ b/vendor/google.golang.org/grpc/reflection/grpc_reflection_v1alpha/reflection.pb.go
@@ -18,7 +18,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.6
+// 	protoc-gen-go v1.36.10
 // 	protoc        v5.27.1
 // grpc/reflection/v1alpha/reflection.proto is a deprecated file.
 
diff --git a/vendor/google.golang.org/grpc/reflection/grpc_reflection_v1alpha/reflection_grpc.pb.go b/vendor/google.golang.org/grpc/reflection/grpc_reflection_v1alpha/reflection_grpc.pb.go
index 0a43b521c9..cee004ab57 100644
--- a/vendor/google.golang.org/grpc/reflection/grpc_reflection_v1alpha/reflection_grpc.pb.go
+++ b/vendor/google.golang.org/grpc/reflection/grpc_reflection_v1alpha/reflection_grpc.pb.go
@@ -18,7 +18,7 @@
 
 // Code generated by protoc-gen-go-grpc. DO NOT EDIT.
 // versions:
-// - protoc-gen-go-grpc v1.5.1
+// - protoc-gen-go-grpc v1.6.0
 // - protoc             v5.27.1
 // grpc/reflection/v1alpha/reflection.proto is a deprecated file.
 
diff --git a/vendor/google.golang.org/grpc/resolver_wrapper.go b/vendor/google.golang.org/grpc/resolver_wrapper.go
index 80e16a327c..6e61376437 100644
--- a/vendor/google.golang.org/grpc/resolver_wrapper.go
+++ b/vendor/google.golang.org/grpc/resolver_wrapper.go
@@ -69,6 +69,7 @@ func (ccr *ccResolverWrapper) start() error {
 	errCh := make(chan error)
 	ccr.serializer.TrySchedule(func(ctx context.Context) {
 		if ctx.Err() != nil {
+			errCh <- ctx.Err()
 			return
 		}
 		opts := resolver.BuildOptions{
diff --git a/vendor/google.golang.org/grpc/rpc_util.go b/vendor/google.golang.org/grpc/rpc_util.go
index 47ea09f5c9..8160f94304 100644
--- a/vendor/google.golang.org/grpc/rpc_util.go
+++ b/vendor/google.golang.org/grpc/rpc_util.go
@@ -33,6 +33,8 @@ import (
 	"google.golang.org/grpc/credentials"
 	"google.golang.org/grpc/encoding"
 	"google.golang.org/grpc/encoding/proto"
+	"google.golang.org/grpc/internal"
+	"google.golang.org/grpc/internal/grpcutil"
 	"google.golang.org/grpc/internal/transport"
 	"google.golang.org/grpc/mem"
 	"google.golang.org/grpc/metadata"
@@ -41,6 +43,10 @@ import (
 	"google.golang.org/grpc/status"
 )
 
+func init() {
+	internal.AcceptCompressors = acceptCompressors
+}
+
 // Compressor defines the interface gRPC uses to compress a message.
 //
 // Deprecated: use package encoding.
@@ -151,16 +157,32 @@ func (d *gzipDecompressor) Type() string {
 
 // callInfo contains all related configuration and information about an RPC.
 type callInfo struct {
-	compressorName        string
-	failFast              bool
-	maxReceiveMessageSize *int
-	maxSendMessageSize    *int
-	creds                 credentials.PerRPCCredentials
-	contentSubtype        string
-	codec                 baseCodec
-	maxRetryRPCBufferSize int
-	onFinish              []func(err error)
-	authority             string
+	compressorName              string
+	failFast                    bool
+	maxReceiveMessageSize       *int
+	maxSendMessageSize          *int
+	creds                       credentials.PerRPCCredentials
+	contentSubtype              string
+	codec                       baseCodec
+	maxRetryRPCBufferSize       int
+	onFinish                    []func(err error)
+	authority                   string
+	acceptedResponseCompressors []string
+}
+
+func acceptedCompressorAllows(allowed []string, name string) bool {
+	if allowed == nil {
+		return true
+	}
+	if name == "" || name == encoding.Identity {
+		return true
+	}
+	for _, a := range allowed {
+		if a == name {
+			return true
+		}
+	}
+	return false
 }
 
 func defaultCallInfo() *callInfo {
@@ -170,6 +192,29 @@ func defaultCallInfo() *callInfo {
 	}
 }
 
+func newAcceptedCompressionConfig(names []string) ([]string, error) {
+	if len(names) == 0 {
+		return nil, nil
+	}
+	var allowed []string
+	seen := make(map[string]struct{}, len(names))
+	for _, name := range names {
+		name = strings.TrimSpace(name)
+		if name == "" || name == encoding.Identity {
+			continue
+		}
+		if !grpcutil.IsCompressorNameRegistered(name) {
+			return nil, status.Errorf(codes.InvalidArgument, "grpc: compressor %q is not registered", name)
+		}
+		if _, dup := seen[name]; dup {
+			continue
+		}
+		seen[name] = struct{}{}
+		allowed = append(allowed, name)
+	}
+	return allowed, nil
+}
+
 // CallOption configures a Call before it starts or extracts information from
 // a Call after it completes.
 type CallOption interface {
@@ -471,6 +516,31 @@ func (o CompressorCallOption) before(c *callInfo) error {
 }
 func (o CompressorCallOption) after(*callInfo, *csAttempt) {}
 
+// acceptCompressors returns a CallOption that limits the compression algorithms
+// advertised in the grpc-accept-encoding header for response messages.
+// Compression algorithms not in the provided list will not be advertised, and
+// responses compressed with non-listed algorithms will be rejected.
+func acceptCompressors(names ...string) CallOption {
+	cp := append([]string(nil), names...)
+	return acceptCompressorsCallOption{names: cp}
+}
+
+// acceptCompressorsCallOption is a CallOption that limits response compression.
+type acceptCompressorsCallOption struct {
+	names []string
+}
+
+func (o acceptCompressorsCallOption) before(c *callInfo) error {
+	allowed, err := newAcceptedCompressionConfig(o.names)
+	if err != nil {
+		return err
+	}
+	c.acceptedResponseCompressors = allowed
+	return nil
+}
+
+func (acceptCompressorsCallOption) after(*callInfo, *csAttempt) {}
+
 // CallContentSubtype returns a CallOption that will set the content-subtype
 // for a call. For example, if content-subtype is "json", the Content-Type over
 // the wire will be "application/grpc+json". The content-subtype is converted
@@ -657,8 +727,20 @@ type streamReader interface {
 	Read(n int) (mem.BufferSlice, error)
 }
 
+// noCopy may be embedded into structs which must not be copied
+// after the first use.
+//
+// See https://golang.org/issues/8005#issuecomment-190753527
+// for details.
+type noCopy struct {
+}
+
+func (*noCopy) Lock()   {}
+func (*noCopy) Unlock() {}
+
 // parser reads complete gRPC messages from the underlying reader.
 type parser struct {
+	_ noCopy
 	// r is the underlying reader.
 	// See the comment on recvMsg for the permissible
 	// error types.
@@ -845,8 +927,7 @@ func (p *payloadInfo) free() {
 // the buffer is no longer needed.
 // TODO: Refactor this function to reduce the number of arguments.
 // See: https://google.github.io/styleguide/go/best-practices.html#function-argument-lists
-func recvAndDecompress(p *parser, s recvCompressor, dc Decompressor, maxReceiveMessageSize int, payInfo *payloadInfo, compressor encoding.Compressor, isServer bool,
-) (out mem.BufferSlice, err error) {
+func recvAndDecompress(p *parser, s recvCompressor, dc Decompressor, maxReceiveMessageSize int, payInfo *payloadInfo, compressor encoding.Compressor, isServer bool) (out mem.BufferSlice, err error) {
 	pf, compressed, err := p.recvMsg(maxReceiveMessageSize)
 	if err != nil {
 		return nil, err
@@ -949,7 +1030,7 @@ func recv(p *parser, c baseCodec, s recvCompressor, dc Decompressor, m any, maxR
 // Information about RPC
 type rpcInfo struct {
 	failfast      bool
-	preloaderInfo *compressorInfo
+	preloaderInfo compressorInfo
 }
 
 // Information about Preloader
@@ -968,7 +1049,7 @@ type rpcInfoContextKey struct{}
 func newContextWithRPCInfo(ctx context.Context, failfast bool, codec baseCodec, cp Compressor, comp encoding.Compressor) context.Context {
 	return context.WithValue(ctx, rpcInfoContextKey{}, &rpcInfo{
 		failfast: failfast,
-		preloaderInfo: &compressorInfo{
+		preloaderInfo: compressorInfo{
 			codec: codec,
 			cp:    cp,
 			comp:  comp,
diff --git a/vendor/google.golang.org/grpc/server.go b/vendor/google.golang.org/grpc/server.go
index 1da2a542ac..ddd3773411 100644
--- a/vendor/google.golang.org/grpc/server.go
+++ b/vendor/google.golang.org/grpc/server.go
@@ -124,7 +124,8 @@ type serviceInfo struct {
 
 // Server is a gRPC server to serve RPC requests.
 type Server struct {
-	opts serverOptions
+	opts         serverOptions
+	statsHandler stats.Handler
 
 	mu  sync.Mutex // guards following
 	lis map[net.Listener]bool
@@ -692,13 +693,14 @@ func NewServer(opt ...ServerOption) *Server {
 		o.apply(&opts)
 	}
 	s := &Server{
-		lis:      make(map[net.Listener]bool),
-		opts:     opts,
-		conns:    make(map[string]map[transport.ServerTransport]bool),
-		services: make(map[string]*serviceInfo),
-		quit:     grpcsync.NewEvent(),
-		done:     grpcsync.NewEvent(),
-		channelz: channelz.RegisterServer(""),
+		lis:          make(map[net.Listener]bool),
+		opts:         opts,
+		statsHandler: istats.NewCombinedHandler(opts.statsHandlers...),
+		conns:        make(map[string]map[transport.ServerTransport]bool),
+		services:     make(map[string]*serviceInfo),
+		quit:         grpcsync.NewEvent(),
+		done:         grpcsync.NewEvent(),
+		channelz:     channelz.RegisterServer(""),
 	}
 	chainUnaryServerInterceptors(s)
 	chainStreamServerInterceptors(s)
@@ -999,7 +1001,7 @@ func (s *Server) newHTTP2Transport(c net.Conn) transport.ServerTransport {
 		ConnectionTimeout:     s.opts.connectionTimeout,
 		Credentials:           s.opts.creds,
 		InTapHandle:           s.opts.inTapHandle,
-		StatsHandlers:         s.opts.statsHandlers,
+		StatsHandler:          s.statsHandler,
 		KeepaliveParams:       s.opts.keepaliveParams,
 		KeepalivePolicy:       s.opts.keepalivePolicy,
 		InitialWindowSize:     s.opts.initialWindowSize,
@@ -1036,18 +1038,18 @@ func (s *Server) newHTTP2Transport(c net.Conn) transport.ServerTransport {
 func (s *Server) serveStreams(ctx context.Context, st transport.ServerTransport, rawConn net.Conn) {
 	ctx = transport.SetConnection(ctx, rawConn)
 	ctx = peer.NewContext(ctx, st.Peer())
-	for _, sh := range s.opts.statsHandlers {
-		ctx = sh.TagConn(ctx, &stats.ConnTagInfo{
+	if s.statsHandler != nil {
+		ctx = s.statsHandler.TagConn(ctx, &stats.ConnTagInfo{
 			RemoteAddr: st.Peer().Addr,
 			LocalAddr:  st.Peer().LocalAddr,
 		})
-		sh.HandleConn(ctx, &stats.ConnBegin{})
+		s.statsHandler.HandleConn(ctx, &stats.ConnBegin{})
 	}
 
 	defer func() {
 		st.Close(errors.New("finished serving streams for the server transport"))
-		for _, sh := range s.opts.statsHandlers {
-			sh.HandleConn(ctx, &stats.ConnEnd{})
+		if s.statsHandler != nil {
+			s.statsHandler.HandleConn(ctx, &stats.ConnEnd{})
 		}
 	}()
 
@@ -1104,7 +1106,7 @@ var _ http.Handler = (*Server)(nil)
 // Notice: This API is EXPERIMENTAL and may be changed or removed in a
 // later release.
 func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
-	st, err := transport.NewServerHandlerTransport(w, r, s.opts.statsHandlers, s.opts.bufferPool)
+	st, err := transport.NewServerHandlerTransport(w, r, s.statsHandler, s.opts.bufferPool)
 	if err != nil {
 		// Errors returned from transport.NewServerHandlerTransport have
 		// already been written to w.
@@ -1198,12 +1200,8 @@ func (s *Server) sendResponse(ctx context.Context, stream *transport.ServerStrea
 		return status.Errorf(codes.ResourceExhausted, "grpc: trying to send message larger than max (%d vs. %d)", payloadLen, s.opts.maxSendMessageSize)
 	}
 	err = stream.Write(hdr, payload, opts)
-	if err == nil {
-		if len(s.opts.statsHandlers) != 0 {
-			for _, sh := range s.opts.statsHandlers {
-				sh.HandleRPC(ctx, outPayload(false, msg, dataLen, payloadLen, time.Now()))
-			}
-		}
+	if err == nil && s.statsHandler != nil {
+		s.statsHandler.HandleRPC(ctx, outPayload(false, msg, dataLen, payloadLen, time.Now()))
 	}
 	return err
 }
@@ -1245,16 +1243,15 @@ func getChainUnaryHandler(interceptors []UnaryServerInterceptor, curr int, info
 }
 
 func (s *Server) processUnaryRPC(ctx context.Context, stream *transport.ServerStream, info *serviceInfo, md *MethodDesc, trInfo *traceInfo) (err error) {
-	shs := s.opts.statsHandlers
-	if len(shs) != 0 || trInfo != nil || channelz.IsOn() {
+	sh := s.statsHandler
+	if sh != nil || trInfo != nil || channelz.IsOn() {
 		if channelz.IsOn() {
 			s.incrCallsStarted()
 		}
 		var statsBegin *stats.Begin
-		for _, sh := range shs {
-			beginTime := time.Now()
+		if sh != nil {
 			statsBegin = &stats.Begin{
-				BeginTime:      beginTime,
+				BeginTime:      time.Now(),
 				IsClientStream: false,
 				IsServerStream: false,
 			}
@@ -1282,7 +1279,7 @@ func (s *Server) processUnaryRPC(ctx context.Context, stream *transport.ServerSt
 				trInfo.tr.Finish()
 			}
 
-			for _, sh := range shs {
+			if sh != nil {
 				end := &stats.End{
 					BeginTime: statsBegin.BeginTime,
 					EndTime:   time.Now(),
@@ -1379,7 +1376,7 @@ func (s *Server) processUnaryRPC(ctx context.Context, stream *transport.ServerSt
 	}
 
 	var payInfo *payloadInfo
-	if len(shs) != 0 || len(binlogs) != 0 {
+	if sh != nil || len(binlogs) != 0 {
 		payInfo = &payloadInfo{}
 		defer payInfo.free()
 	}
@@ -1405,7 +1402,7 @@ func (s *Server) processUnaryRPC(ctx context.Context, stream *transport.ServerSt
 			return status.Errorf(codes.Internal, "grpc: error unmarshalling request: %v", err)
 		}
 
-		for _, sh := range shs {
+		if sh != nil {
 			sh.HandleRPC(ctx, &stats.InPayload{
 				RecvTime:         time.Now(),
 				Payload:          v,
@@ -1579,33 +1576,30 @@ func (s *Server) processStreamingRPC(ctx context.Context, stream *transport.Serv
 	if channelz.IsOn() {
 		s.incrCallsStarted()
 	}
-	shs := s.opts.statsHandlers
+	sh := s.statsHandler
 	var statsBegin *stats.Begin
-	if len(shs) != 0 {
-		beginTime := time.Now()
+	if sh != nil {
 		statsBegin = &stats.Begin{
-			BeginTime:      beginTime,
+			BeginTime:      time.Now(),
 			IsClientStream: sd.ClientStreams,
 			IsServerStream: sd.ServerStreams,
 		}
-		for _, sh := range shs {
-			sh.HandleRPC(ctx, statsBegin)
-		}
+		sh.HandleRPC(ctx, statsBegin)
 	}
 	ctx = NewContextWithServerTransportStream(ctx, stream)
 	ss := &serverStream{
 		ctx:                   ctx,
 		s:                     stream,
-		p:                     &parser{r: stream, bufferPool: s.opts.bufferPool},
+		p:                     parser{r: stream, bufferPool: s.opts.bufferPool},
 		codec:                 s.getCodec(stream.ContentSubtype()),
 		desc:                  sd,
 		maxReceiveMessageSize: s.opts.maxReceiveMessageSize,
 		maxSendMessageSize:    s.opts.maxSendMessageSize,
 		trInfo:                trInfo,
-		statsHandler:          shs,
+		statsHandler:          sh,
 	}
 
-	if len(shs) != 0 || trInfo != nil || channelz.IsOn() {
+	if sh != nil || trInfo != nil || channelz.IsOn() {
 		// See comment in processUnaryRPC on defers.
 		defer func() {
 			if trInfo != nil {
@@ -1619,7 +1613,7 @@ func (s *Server) processStreamingRPC(ctx context.Context, stream *transport.Serv
 				ss.mu.Unlock()
 			}
 
-			if len(shs) != 0 {
+			if sh != nil {
 				end := &stats.End{
 					BeginTime: statsBegin.BeginTime,
 					EndTime:   time.Now(),
@@ -1627,9 +1621,7 @@ func (s *Server) processStreamingRPC(ctx context.Context, stream *transport.Serv
 				if err != nil && err != io.EOF {
 					end.Error = toRPCErr(err)
 				}
-				for _, sh := range shs {
-					sh.HandleRPC(ctx, end)
-				}
+				sh.HandleRPC(ctx, end)
 			}
 
 			if channelz.IsOn() {
@@ -1818,19 +1810,17 @@ func (s *Server) handleStream(t transport.ServerTransport, stream *transport.Ser
 	method := sm[pos+1:]
 
 	// FromIncomingContext is expensive: skip if there are no statsHandlers
-	if len(s.opts.statsHandlers) > 0 {
+	if s.statsHandler != nil {
 		md, _ := metadata.FromIncomingContext(ctx)
-		for _, sh := range s.opts.statsHandlers {
-			ctx = sh.TagRPC(ctx, &stats.RPCTagInfo{FullMethodName: stream.Method()})
-			sh.HandleRPC(ctx, &stats.InHeader{
-				FullMethod:  stream.Method(),
-				RemoteAddr:  t.Peer().Addr,
-				LocalAddr:   t.Peer().LocalAddr,
-				Compression: stream.RecvCompress(),
-				WireLength:  stream.HeaderWireLength(),
-				Header:      md,
-			})
-		}
+		ctx = s.statsHandler.TagRPC(ctx, &stats.RPCTagInfo{FullMethodName: stream.Method()})
+		s.statsHandler.HandleRPC(ctx, &stats.InHeader{
+			FullMethod:  stream.Method(),
+			RemoteAddr:  t.Peer().Addr,
+			LocalAddr:   t.Peer().LocalAddr,
+			Compression: stream.RecvCompress(),
+			WireLength:  stream.HeaderWireLength(),
+			Header:      md,
+		})
 	}
 	// To have calls in stream callouts work. Will delete once all stats handler
 	// calls come from the gRPC layer.
diff --git a/vendor/google.golang.org/grpc/stream.go b/vendor/google.golang.org/grpc/stream.go
index d9bbd4c57c..ec9577b278 100644
--- a/vendor/google.golang.org/grpc/stream.go
+++ b/vendor/google.golang.org/grpc/stream.go
@@ -25,6 +25,7 @@ import (
 	"math"
 	rand "math/rand/v2"
 	"strconv"
+	"strings"
 	"sync"
 	"time"
 
@@ -177,13 +178,43 @@ func NewClientStream(ctx context.Context, desc *StreamDesc, cc *ClientConn, meth
 	return cc.NewStream(ctx, desc, method, opts...)
 }
 
+var emptyMethodConfig = serviceconfig.MethodConfig{}
+
+// endOfClientStream performs cleanup actions required for both successful and
+// failed streams. This includes incrementing channelz stats and invoking all
+// registered OnFinish call options.
+func endOfClientStream(cc *ClientConn, err error, opts ...CallOption) {
+	if channelz.IsOn() {
+		if err != nil {
+			cc.incrCallsFailed()
+		} else {
+			cc.incrCallsSucceeded()
+		}
+	}
+
+	for _, o := range opts {
+		if o, ok := o.(OnFinishCallOption); ok {
+			o.OnFinish(err)
+		}
+	}
+}
+
 func newClientStream(ctx context.Context, desc *StreamDesc, cc *ClientConn, method string, opts ...CallOption) (_ ClientStream, err error) {
+	if channelz.IsOn() {
+		cc.incrCallsStarted()
+	}
+	defer func() {
+		if err != nil {
+			// Ensure cleanup when stream creation fails.
+			endOfClientStream(cc, err, opts...)
+		}
+	}()
+
 	// Start tracking the RPC for idleness purposes. This is where a stream is
 	// created for both streaming and unary RPCs, and hence is a good place to
 	// track active RPC count.
-	if err := cc.idlenessMgr.OnCallBegin(); err != nil {
-		return nil, err
-	}
+	cc.idlenessMgr.OnCallBegin()
+
 	// Add a calloption, to decrement the active call count, that gets executed
 	// when the RPC completes.
 	opts = append([]CallOption{OnFinish(func(error) { cc.idlenessMgr.OnCallEnd() })}, opts...)
@@ -202,14 +233,6 @@ func newClientStream(ctx context.Context, desc *StreamDesc, cc *ClientConn, meth
 			}
 		}
 	}
-	if channelz.IsOn() {
-		cc.incrCallsStarted()
-		defer func() {
-			if err != nil {
-				cc.incrCallsFailed()
-			}
-		}()
-	}
 	// Provide an opportunity for the first RPC to see the first service config
 	// provided by the resolver.
 	nameResolutionDelayed, err := cc.waitForResolvedAddrs(ctx)
@@ -217,7 +240,7 @@ func newClientStream(ctx context.Context, desc *StreamDesc, cc *ClientConn, meth
 		return nil, err
 	}
 
-	var mc serviceconfig.MethodConfig
+	mc := &emptyMethodConfig
 	var onCommit func()
 	newStream := func(ctx context.Context, done func()) (iresolver.ClientStream, error) {
 		return newClientStreamWithParams(ctx, desc, cc, method, mc, onCommit, done, nameResolutionDelayed, opts...)
@@ -240,7 +263,7 @@ func newClientStream(ctx context.Context, desc *StreamDesc, cc *ClientConn, meth
 		if rpcConfig.Context != nil {
 			ctx = rpcConfig.Context
 		}
-		mc = rpcConfig.MethodConfig
+		mc = &rpcConfig.MethodConfig
 		onCommit = rpcConfig.OnCommitted
 		if rpcConfig.Interceptor != nil {
 			rpcInfo.Context = nil
@@ -258,7 +281,7 @@ func newClientStream(ctx context.Context, desc *StreamDesc, cc *ClientConn, meth
 	return newStream(ctx, func() {})
 }
 
-func newClientStreamWithParams(ctx context.Context, desc *StreamDesc, cc *ClientConn, method string, mc serviceconfig.MethodConfig, onCommit, doneFunc func(), nameResolutionDelayed bool, opts ...CallOption) (_ iresolver.ClientStream, err error) {
+func newClientStreamWithParams(ctx context.Context, desc *StreamDesc, cc *ClientConn, method string, mc *serviceconfig.MethodConfig, onCommit, doneFunc func(), nameResolutionDelayed bool, opts ...CallOption) (_ iresolver.ClientStream, err error) {
 	callInfo := defaultCallInfo()
 	if mc.WaitForReady != nil {
 		callInfo.failFast = !*mc.WaitForReady
@@ -299,6 +322,10 @@ func newClientStreamWithParams(ctx context.Context, desc *StreamDesc, cc *Client
 		DoneFunc:       doneFunc,
 		Authority:      callInfo.authority,
 	}
+	if allowed := callInfo.acceptedResponseCompressors; len(allowed) > 0 {
+		headerValue := strings.Join(allowed, ",")
+		callHdr.AcceptedCompressors = &headerValue
+	}
 
 	// Set our outgoing compression according to the UseCompressor CallOption, if
 	// set.  In that case, also find the compressor from the encoding package.
@@ -325,7 +352,7 @@ func newClientStreamWithParams(ctx context.Context, desc *StreamDesc, cc *Client
 	cs := &clientStream{
 		callHdr:             callHdr,
 		ctx:                 ctx,
-		methodConfig:        &mc,
+		methodConfig:        mc,
 		opts:                opts,
 		callInfo:            callInfo,
 		cc:                  cc,
@@ -418,19 +445,21 @@ func (cs *clientStream) newAttemptLocked(isTransparent bool) (*csAttempt, error)
 	ctx := newContextWithRPCInfo(cs.ctx, cs.callInfo.failFast, cs.callInfo.codec, cs.compressorV0, cs.compressorV1)
 	method := cs.callHdr.Method
 	var beginTime time.Time
-	shs := cs.cc.dopts.copts.StatsHandlers
-	for _, sh := range shs {
-		ctx = sh.TagRPC(ctx, &stats.RPCTagInfo{FullMethodName: method, FailFast: cs.callInfo.failFast, NameResolutionDelay: cs.nameResolutionDelay})
+	sh := cs.cc.statsHandler
+	if sh != nil {
 		beginTime = time.Now()
-		begin := &stats.Begin{
+		ctx = sh.TagRPC(ctx, &stats.RPCTagInfo{
+			FullMethodName: method, FailFast: cs.callInfo.failFast,
+			NameResolutionDelay: cs.nameResolutionDelay,
+		})
+		sh.HandleRPC(ctx, &stats.Begin{
 			Client:                    true,
 			BeginTime:                 beginTime,
 			FailFast:                  cs.callInfo.failFast,
 			IsClientStream:            cs.desc.ClientStreams,
 			IsServerStream:            cs.desc.ServerStreams,
 			IsTransparentRetryAttempt: isTransparent,
-		}
-		sh.HandleRPC(ctx, begin)
+		})
 	}
 
 	var trInfo *traceInfo
@@ -461,7 +490,7 @@ func (cs *clientStream) newAttemptLocked(isTransparent bool) (*csAttempt, error)
 		beginTime:      beginTime,
 		cs:             cs,
 		decompressorV0: cs.cc.dopts.dc,
-		statsHandlers:  shs,
+		statsHandler:   sh,
 		trInfo:         trInfo,
 	}, nil
 }
@@ -480,12 +509,10 @@ func (a *csAttempt) getTransport() error {
 		return err
 	}
 	if a.trInfo != nil {
-		a.trInfo.firstLine.SetRemoteAddr(a.transport.RemoteAddr())
+		a.trInfo.firstLine.SetRemoteAddr(a.transport.Peer().Addr)
 	}
-	if pick.blocked {
-		for _, sh := range a.statsHandlers {
-			sh.HandleRPC(a.ctx, &stats.DelayedPickComplete{})
-		}
+	if pick.blocked && a.statsHandler != nil {
+		a.statsHandler.HandleRPC(a.ctx, &stats.DelayedPickComplete{})
 	}
 	return nil
 }
@@ -529,7 +556,7 @@ func (a *csAttempt) newStream() error {
 	}
 	a.transportStream = s
 	a.ctx = s.Context()
-	a.parser = &parser{r: s, bufferPool: a.cs.cc.dopts.copts.BufferPool}
+	a.parser = parser{r: s, bufferPool: a.cs.cc.dopts.copts.BufferPool}
 	return nil
 }
 
@@ -549,6 +576,8 @@ type clientStream struct {
 
 	sentLast bool // sent an end stream
 
+	receivedFirstMsg bool // set after the first message is received
+
 	methodConfig *MethodConfig
 
 	ctx context.Context // the application's context, wrapped by stats/tracing
@@ -599,7 +628,7 @@ type csAttempt struct {
 	cs              *clientStream
 	transport       transport.ClientTransport
 	transportStream *transport.ClientStream
-	parser          *parser
+	parser          parser
 	pickResult      balancer.PickResult
 
 	finished        bool
@@ -613,8 +642,8 @@ type csAttempt struct {
 	// and cleared when the finish method is called.
 	trInfo *traceInfo
 
-	statsHandlers []stats.Handler
-	beginTime     time.Time
+	statsHandler stats.Handler
+	beginTime    time.Time
 
 	// set for newStream errors that may be transparently retried
 	allowTransparentRetry bool
@@ -1038,9 +1067,6 @@ func (cs *clientStream) finish(err error) {
 		return
 	}
 	cs.finished = true
-	for _, onFinish := range cs.callInfo.onFinish {
-		onFinish(err)
-	}
 	cs.commitAttemptLocked()
 	if cs.attempt != nil {
 		cs.attempt.finish(err)
@@ -1080,13 +1106,7 @@ func (cs *clientStream) finish(err error) {
 	if err == nil {
 		cs.retryThrottler.successfulRPC()
 	}
-	if channelz.IsOn() {
-		if err != nil {
-			cs.cc.incrCallsFailed()
-		} else {
-			cs.cc.incrCallsSucceeded()
-		}
-	}
+	endOfClientStream(cs.cc, err, cs.opts...)
 	cs.cancel()
 }
 
@@ -1108,17 +1128,15 @@ func (a *csAttempt) sendMsg(m any, hdr []byte, payld mem.BufferSlice, dataLength
 		}
 		return io.EOF
 	}
-	if len(a.statsHandlers) != 0 {
-		for _, sh := range a.statsHandlers {
-			sh.HandleRPC(a.ctx, outPayload(true, m, dataLength, payloadLength, time.Now()))
-		}
+	if a.statsHandler != nil {
+		a.statsHandler.HandleRPC(a.ctx, outPayload(true, m, dataLength, payloadLength, time.Now()))
 	}
 	return nil
 }
 
 func (a *csAttempt) recvMsg(m any, payInfo *payloadInfo) (err error) {
 	cs := a.cs
-	if len(a.statsHandlers) != 0 && payInfo == nil {
+	if a.statsHandler != nil && payInfo == nil {
 		payInfo = &payloadInfo{}
 		defer payInfo.free()
 	}
@@ -1132,6 +1150,10 @@ func (a *csAttempt) recvMsg(m any, payInfo *payloadInfo) (err error) {
 				a.decompressorV0 = nil
 				a.decompressorV1 = encoding.GetCompressor(ct)
 			}
+			// Validate that the compression method is acceptable for this call.
+			if !acceptedCompressorAllows(cs.callInfo.acceptedResponseCompressors, ct) {
+				return status.Errorf(codes.Internal, "grpc: peer compressed the response with %q which is not allowed by AcceptCompressors", ct)
+			}
 		} else {
 			// No compression is used; disable our decompressor.
 			a.decompressorV0 = nil
@@ -1139,16 +1161,21 @@ func (a *csAttempt) recvMsg(m any, payInfo *payloadInfo) (err error) {
 		// Only initialize this state once per stream.
 		a.decompressorSet = true
 	}
-	if err := recv(a.parser, cs.codec, a.transportStream, a.decompressorV0, m, *cs.callInfo.maxReceiveMessageSize, payInfo, a.decompressorV1, false); err != nil {
+	if err := recv(&a.parser, cs.codec, a.transportStream, a.decompressorV0, m, *cs.callInfo.maxReceiveMessageSize, payInfo, a.decompressorV1, false); err != nil {
 		if err == io.EOF {
 			if statusErr := a.transportStream.Status().Err(); statusErr != nil {
 				return statusErr
 			}
+			// Received no msg and status OK for non-server streaming rpcs.
+			if !cs.desc.ServerStreams && !cs.receivedFirstMsg {
+				return status.Error(codes.Internal, "cardinality violation: received no response message from non-server-streaming RPC")
+			}
 			return io.EOF // indicates successful end of stream.
 		}
 
 		return toRPCErr(err)
 	}
+	cs.receivedFirstMsg = true
 	if a.trInfo != nil {
 		a.mu.Lock()
 		if a.trInfo.tr != nil {
@@ -1156,8 +1183,8 @@ func (a *csAttempt) recvMsg(m any, payInfo *payloadInfo) (err error) {
 		}
 		a.mu.Unlock()
 	}
-	for _, sh := range a.statsHandlers {
-		sh.HandleRPC(a.ctx, &stats.InPayload{
+	if a.statsHandler != nil {
+		a.statsHandler.HandleRPC(a.ctx, &stats.InPayload{
 			Client:           true,
 			RecvTime:         time.Now(),
 			Payload:          m,
@@ -1172,12 +1199,12 @@ func (a *csAttempt) recvMsg(m any, payInfo *payloadInfo) (err error) {
 	}
 	// Special handling for non-server-stream rpcs.
 	// This recv expects EOF or errors, so we don't collect inPayload.
-	if err := recv(a.parser, cs.codec, a.transportStream, a.decompressorV0, m, *cs.callInfo.maxReceiveMessageSize, nil, a.decompressorV1, false); err == io.EOF {
+	if err := recv(&a.parser, cs.codec, a.transportStream, a.decompressorV0, m, *cs.callInfo.maxReceiveMessageSize, nil, a.decompressorV1, false); err == io.EOF {
 		return a.transportStream.Status().Err() // non-server streaming Recv returns nil on success
 	} else if err != nil {
 		return toRPCErr(err)
 	}
-	return status.Errorf(codes.Internal, "cardinality violation: expected  for non server-streaming RPCs, but received another message")
+	return status.Error(codes.Internal, "cardinality violation: expected  for non server-streaming RPCs, but received another message")
 }
 
 func (a *csAttempt) finish(err error) {
@@ -1210,15 +1237,14 @@ func (a *csAttempt) finish(err error) {
 			ServerLoad:    balancerload.Parse(tr),
 		})
 	}
-	for _, sh := range a.statsHandlers {
-		end := &stats.End{
+	if a.statsHandler != nil {
+		a.statsHandler.HandleRPC(a.ctx, &stats.End{
 			Client:    true,
 			BeginTime: a.beginTime,
 			EndTime:   time.Now(),
 			Trailer:   tr,
 			Error:     err,
-		}
-		sh.HandleRPC(a.ctx, end)
+		})
 	}
 	if a.trInfo != nil && a.trInfo.tr != nil {
 		if err == nil {
@@ -1324,7 +1350,7 @@ func newNonRetryClientStream(ctx context.Context, desc *StreamDesc, method strin
 		return nil, err
 	}
 	as.transportStream = s
-	as.parser = &parser{r: s, bufferPool: ac.dopts.copts.BufferPool}
+	as.parser = parser{r: s, bufferPool: ac.dopts.copts.BufferPool}
 	ac.incrCallsStarted()
 	if desc != unaryStreamDesc {
 		// Listen on stream context to cleanup when the stream context is
@@ -1359,6 +1385,7 @@ type addrConnStream struct {
 	transport        transport.ClientTransport
 	ctx              context.Context
 	sentLast         bool
+	receivedFirstMsg bool
 	desc             *StreamDesc
 	codec            baseCodec
 	sendCompressorV0 Compressor
@@ -1366,7 +1393,7 @@ type addrConnStream struct {
 	decompressorSet  bool
 	decompressorV0   Decompressor
 	decompressorV1   encoding.Compressor
-	parser           *parser
+	parser           parser
 
 	// mu guards finished and is held for the entire finish method.
 	mu       sync.Mutex
@@ -1472,6 +1499,10 @@ func (as *addrConnStream) RecvMsg(m any) (err error) {
 				as.decompressorV0 = nil
 				as.decompressorV1 = encoding.GetCompressor(ct)
 			}
+			// Validate that the compression method is acceptable for this call.
+			if !acceptedCompressorAllows(as.callInfo.acceptedResponseCompressors, ct) {
+				return status.Errorf(codes.Internal, "grpc: peer compressed the response with %q which is not allowed by AcceptCompressors", ct)
+			}
 		} else {
 			// No compression is used; disable our decompressor.
 			as.decompressorV0 = nil
@@ -1479,15 +1510,20 @@ func (as *addrConnStream) RecvMsg(m any) (err error) {
 		// Only initialize this state once per stream.
 		as.decompressorSet = true
 	}
-	if err := recv(as.parser, as.codec, as.transportStream, as.decompressorV0, m, *as.callInfo.maxReceiveMessageSize, nil, as.decompressorV1, false); err != nil {
+	if err := recv(&as.parser, as.codec, as.transportStream, as.decompressorV0, m, *as.callInfo.maxReceiveMessageSize, nil, as.decompressorV1, false); err != nil {
 		if err == io.EOF {
 			if statusErr := as.transportStream.Status().Err(); statusErr != nil {
 				return statusErr
 			}
+			// Received no msg and status OK for non-server streaming rpcs.
+			if !as.desc.ServerStreams && !as.receivedFirstMsg {
+				return status.Error(codes.Internal, "cardinality violation: received no response message from non-server-streaming RPC")
+			}
 			return io.EOF // indicates successful end of stream.
 		}
 		return toRPCErr(err)
 	}
+	as.receivedFirstMsg = true
 
 	if as.desc.ServerStreams {
 		// Subsequent messages should be received by subsequent RecvMsg calls.
@@ -1496,12 +1532,12 @@ func (as *addrConnStream) RecvMsg(m any) (err error) {
 
 	// Special handling for non-server-stream rpcs.
 	// This recv expects EOF or errors, so we don't collect inPayload.
-	if err := recv(as.parser, as.codec, as.transportStream, as.decompressorV0, m, *as.callInfo.maxReceiveMessageSize, nil, as.decompressorV1, false); err == io.EOF {
+	if err := recv(&as.parser, as.codec, as.transportStream, as.decompressorV0, m, *as.callInfo.maxReceiveMessageSize, nil, as.decompressorV1, false); err == io.EOF {
 		return as.transportStream.Status().Err() // non-server streaming Recv returns nil on success
 	} else if err != nil {
 		return toRPCErr(err)
 	}
-	return status.Errorf(codes.Internal, "cardinality violation: expected  for non server-streaming RPCs, but received another message")
+	return status.Error(codes.Internal, "cardinality violation: expected  for non server-streaming RPCs, but received another message")
 }
 
 func (as *addrConnStream) finish(err error) {
@@ -1584,7 +1620,7 @@ type ServerStream interface {
 type serverStream struct {
 	ctx   context.Context
 	s     *transport.ServerStream
-	p     *parser
+	p     parser
 	codec baseCodec
 	desc  *StreamDesc
 
@@ -1601,7 +1637,7 @@ type serverStream struct {
 	maxSendMessageSize    int
 	trInfo                *traceInfo
 
-	statsHandler []stats.Handler
+	statsHandler stats.Handler
 
 	binlogs []binarylog.MethodLogger
 	// serverHeaderBinlogged indicates whether server header has been logged. It
@@ -1737,10 +1773,8 @@ func (ss *serverStream) SendMsg(m any) (err error) {
 			binlog.Log(ss.ctx, sm)
 		}
 	}
-	if len(ss.statsHandler) != 0 {
-		for _, sh := range ss.statsHandler {
-			sh.HandleRPC(ss.s.Context(), outPayload(false, m, dataLen, payloadLen, time.Now()))
-		}
+	if ss.statsHandler != nil {
+		ss.statsHandler.HandleRPC(ss.s.Context(), outPayload(false, m, dataLen, payloadLen, time.Now()))
 	}
 	return nil
 }
@@ -1771,11 +1805,11 @@ func (ss *serverStream) RecvMsg(m any) (err error) {
 		}
 	}()
 	var payInfo *payloadInfo
-	if len(ss.statsHandler) != 0 || len(ss.binlogs) != 0 {
+	if ss.statsHandler != nil || len(ss.binlogs) != 0 {
 		payInfo = &payloadInfo{}
 		defer payInfo.free()
 	}
-	if err := recv(ss.p, ss.codec, ss.s, ss.decompressorV0, m, ss.maxReceiveMessageSize, payInfo, ss.decompressorV1, true); err != nil {
+	if err := recv(&ss.p, ss.codec, ss.s, ss.decompressorV0, m, ss.maxReceiveMessageSize, payInfo, ss.decompressorV1, true); err != nil {
 		if err == io.EOF {
 			if len(ss.binlogs) != 0 {
 				chc := &binarylog.ClientHalfClose{}
@@ -1795,16 +1829,14 @@ func (ss *serverStream) RecvMsg(m any) (err error) {
 		return toRPCErr(err)
 	}
 	ss.recvFirstMsg = true
-	if len(ss.statsHandler) != 0 {
-		for _, sh := range ss.statsHandler {
-			sh.HandleRPC(ss.s.Context(), &stats.InPayload{
-				RecvTime:         time.Now(),
-				Payload:          m,
-				Length:           payInfo.uncompressedBytes.Len(),
-				WireLength:       payInfo.compressedLength + headerLen,
-				CompressedLength: payInfo.compressedLength,
-			})
-		}
+	if ss.statsHandler != nil {
+		ss.statsHandler.HandleRPC(ss.s.Context(), &stats.InPayload{
+			RecvTime:         time.Now(),
+			Payload:          m,
+			Length:           payInfo.uncompressedBytes.Len(),
+			WireLength:       payInfo.compressedLength + headerLen,
+			CompressedLength: payInfo.compressedLength,
+		})
 	}
 	if len(ss.binlogs) != 0 {
 		cm := &binarylog.ClientMessage{
@@ -1821,7 +1853,7 @@ func (ss *serverStream) RecvMsg(m any) (err error) {
 	}
 	// Special handling for non-client-stream rpcs.
 	// This recv expects EOF or errors, so we don't collect inPayload.
-	if err := recv(ss.p, ss.codec, ss.s, ss.decompressorV0, m, ss.maxReceiveMessageSize, nil, ss.decompressorV1, true); err == io.EOF {
+	if err := recv(&ss.p, ss.codec, ss.s, ss.decompressorV0, m, ss.maxReceiveMessageSize, nil, ss.decompressorV1, true); err == io.EOF {
 		return nil
 	} else if err != nil {
 		return err
diff --git a/vendor/google.golang.org/grpc/version.go b/vendor/google.golang.org/grpc/version.go
index 468f110658..ff7840fd8e 100644
--- a/vendor/google.golang.org/grpc/version.go
+++ b/vendor/google.golang.org/grpc/version.go
@@ -19,4 +19,4 @@
 package grpc
 
 // Version is the current grpc version.
-const Version = "1.75.1"
+const Version = "1.78.0"
diff --git a/vendor/google.golang.org/protobuf/internal/encoding/tag/tag.go b/vendor/google.golang.org/protobuf/internal/encoding/tag/tag.go
index 669133d04d..c96e448346 100644
--- a/vendor/google.golang.org/protobuf/internal/encoding/tag/tag.go
+++ b/vendor/google.golang.org/protobuf/internal/encoding/tag/tag.go
@@ -32,7 +32,7 @@ var byteType = reflect.TypeOf(byte(0))
 func Unmarshal(tag string, goType reflect.Type, evs protoreflect.EnumValueDescriptors) protoreflect.FieldDescriptor {
 	f := new(filedesc.Field)
 	f.L0.ParentFile = filedesc.SurrogateProto2
-	f.L1.EditionFeatures = f.L0.ParentFile.L1.EditionFeatures
+	packed := false
 	for len(tag) > 0 {
 		i := strings.IndexByte(tag, ',')
 		if i < 0 {
@@ -108,7 +108,7 @@ func Unmarshal(tag string, goType reflect.Type, evs protoreflect.EnumValueDescri
 				f.L1.StringName.InitJSON(jsonName)
 			}
 		case s == "packed":
-			f.L1.EditionFeatures.IsPacked = true
+			packed = true
 		case strings.HasPrefix(s, "def="):
 			// The default tag is special in that everything afterwards is the
 			// default regardless of the presence of commas.
@@ -121,6 +121,13 @@ func Unmarshal(tag string, goType reflect.Type, evs protoreflect.EnumValueDescri
 		tag = strings.TrimPrefix(tag[i:], ",")
 	}
 
+	// Update EditionFeatures after the loop and after we know whether this is
+	// a proto2 or proto3 field.
+	f.L1.EditionFeatures = f.L0.ParentFile.L1.EditionFeatures
+	if packed {
+		f.L1.EditionFeatures.IsPacked = true
+	}
+
 	// The generator uses the group message name instead of the field name.
 	// We obtain the real field name by lowercasing the group name.
 	if f.L1.Kind == protoreflect.GroupKind {
diff --git a/vendor/google.golang.org/protobuf/internal/encoding/text/decode.go b/vendor/google.golang.org/protobuf/internal/encoding/text/decode.go
index 099b2bf451..9aa7a9bb77 100644
--- a/vendor/google.golang.org/protobuf/internal/encoding/text/decode.go
+++ b/vendor/google.golang.org/protobuf/internal/encoding/text/decode.go
@@ -424,27 +424,34 @@ func (d *Decoder) parseFieldName() (tok Token, err error) {
 	return Token{}, d.newSyntaxError("invalid field name: %s", errId(d.in))
 }
 
-// parseTypeName parses Any type URL or extension field name. The name is
-// enclosed in [ and ] characters. The C++ parser does not handle many legal URL
-// strings. This implementation is more liberal and allows for the pattern
-// ^[-_a-zA-Z0-9]+([./][-_a-zA-Z0-9]+)*`). Whitespaces and comments are allowed
-// in between [ ], '.', '/' and the sub names.
+// parseTypeName parses an Any type URL or an extension field name. The name is
+// enclosed in [ and ] characters. We allow almost arbitrary type URL prefixes,
+// closely following the text-format spec [1,2]. We implement "ExtensionName |
+// AnyName" as follows (with some exceptions for backwards compatibility):
+//
+// char      = [-_a-zA-Z0-9]
+// url_char  = char | [.~!$&'()*+,;=] | "%", hex, hex
+//
+// Ident         = char, { char }
+// TypeName      = Ident, { ".", Ident } ;
+// UrlPrefix     = url_char, { url_char | "/" } ;
+// ExtensionName = "[", TypeName, "]" ;
+// AnyName       = "[", UrlPrefix, "/", TypeName, "]" ;
+//
+// Additionally, we allow arbitrary whitespace and comments between [ and ].
+//
+// [1] https://protobuf.dev/reference/protobuf/textformat-spec/#characters
+// [2] https://protobuf.dev/reference/protobuf/textformat-spec/#field-names
 func (d *Decoder) parseTypeName() (Token, error) {
-	startPos := len(d.orig) - len(d.in)
 	// Use alias s to advance first in order to use d.in for error handling.
-	// Caller already checks for [ as first character.
+	// Caller already checks for [ as first character (d.in[0] == '[').
 	s := consume(d.in[1:], 0)
 	if len(s) == 0 {
 		return Token{}, ErrUnexpectedEOF
 	}
 
+	// Collect everything between [ and ] in name.
 	var name []byte
-	for len(s) > 0 && isTypeNameChar(s[0]) {
-		name = append(name, s[0])
-		s = s[1:]
-	}
-	s = consume(s, 0)
-
 	var closed bool
 	for len(s) > 0 && !closed {
 		switch {
@@ -452,23 +459,20 @@ func (d *Decoder) parseTypeName() (Token, error) {
 			s = s[1:]
 			closed = true
 
-		case s[0] == '/', s[0] == '.':
-			if len(name) > 0 && (name[len(name)-1] == '/' || name[len(name)-1] == '.') {
-				return Token{}, d.newSyntaxError("invalid type URL/extension field name: %s",
-					d.orig[startPos:len(d.orig)-len(s)+1])
-			}
+		case s[0] == '/' || isTypeNameChar(s[0]) || isUrlExtraChar(s[0]):
 			name = append(name, s[0])
-			s = s[1:]
-			s = consume(s, 0)
-			for len(s) > 0 && isTypeNameChar(s[0]) {
-				name = append(name, s[0])
-				s = s[1:]
+			s = consume(s[1:], 0)
+
+		// URL percent-encoded chars
+		case s[0] == '%':
+			if len(s) < 3 || !isHexChar(s[1]) || !isHexChar(s[2]) {
+				return Token{}, d.parseTypeNameError(s, 3)
 			}
-			s = consume(s, 0)
+			name = append(name, s[0], s[1], s[2])
+			s = consume(s[3:], 0)
 
 		default:
-			return Token{}, d.newSyntaxError(
-				"invalid type URL/extension field name: %s", d.orig[startPos:len(d.orig)-len(s)+1])
+			return Token{}, d.parseTypeNameError(s, 1)
 		}
 	}
 
@@ -476,15 +480,38 @@ func (d *Decoder) parseTypeName() (Token, error) {
 		return Token{}, ErrUnexpectedEOF
 	}
 
-	// First character cannot be '.'. Last character cannot be '.' or '/'.
-	size := len(name)
-	if size == 0 || name[0] == '.' || name[size-1] == '.' || name[size-1] == '/' {
-		return Token{}, d.newSyntaxError("invalid type URL/extension field name: %s",
-			d.orig[startPos:len(d.orig)-len(s)])
+	// Split collected name on last '/' into urlPrefix and typeName (if '/' is
+	// present).
+	typeName := name
+	if i := bytes.LastIndexByte(name, '/'); i != -1 {
+		urlPrefix := name[:i]
+		typeName = name[i+1:]
+
+		// urlPrefix may be empty (for backwards compatibility).
+		// If non-empty, it must not start with '/'.
+		if len(urlPrefix) > 0 && urlPrefix[0] == '/' {
+			return Token{}, d.parseTypeNameError(s, 0)
+		}
 	}
 
+	// typeName must not be empty (note: "" splits to [""]) and all identifier
+	// parts must not be empty.
+	for _, ident := range bytes.Split(typeName, []byte{'.'}) {
+		if len(ident) == 0 {
+			return Token{}, d.parseTypeNameError(s, 0)
+		}
+	}
+
+	// typeName must not contain any percent-encoded or special URL chars.
+	for _, b := range typeName {
+		if b == '%' || (b != '.' && isUrlExtraChar(b)) {
+			return Token{}, d.parseTypeNameError(s, 0)
+		}
+	}
+
+	startPos := len(d.orig) - len(d.in)
+	endPos := len(d.orig) - len(s)
 	d.in = s
-	endPos := len(d.orig) - len(d.in)
 	d.consume(0)
 
 	return Token{
@@ -496,16 +523,32 @@ func (d *Decoder) parseTypeName() (Token, error) {
 	}, nil
 }
 
+func (d *Decoder) parseTypeNameError(s []byte, numUnconsumedChars int) error {
+	return d.newSyntaxError(
+		"invalid type URL/extension field name: %s",
+		d.in[:len(d.in)-len(s)+min(numUnconsumedChars, len(s))],
+	)
+}
+
+func isHexChar(b byte) bool {
+	return ('0' <= b && b <= '9') ||
+		('a' <= b && b <= 'f') ||
+		('A' <= b && b <= 'F')
+}
+
 func isTypeNameChar(b byte) bool {
-	return (b == '-' || b == '_' ||
+	return b == '-' || b == '_' ||
 		('0' <= b && b <= '9') ||
 		('a' <= b && b <= 'z') ||
-		('A' <= b && b <= 'Z'))
+		('A' <= b && b <= 'Z')
 }
 
-func isWhiteSpace(b byte) bool {
+// isUrlExtraChar complements isTypeNameChar with extra characters that we allow
+// in URLs but not in type names. Note that '/' is not included so that it can
+// be treated specially.
+func isUrlExtraChar(b byte) bool {
 	switch b {
-	case ' ', '\n', '\r', '\t':
+	case '.', '~', '!', '$', '&', '(', ')', '*', '+', ',', ';', '=':
 		return true
 	default:
 		return false
diff --git a/vendor/google.golang.org/protobuf/internal/filedesc/desc.go b/vendor/google.golang.org/protobuf/internal/filedesc/desc.go
index 688aabe434..c775e5832f 100644
--- a/vendor/google.golang.org/protobuf/internal/filedesc/desc.go
+++ b/vendor/google.golang.org/protobuf/internal/filedesc/desc.go
@@ -32,6 +32,7 @@ const (
 	EditionProto3      Edition = 999
 	Edition2023        Edition = 1000
 	Edition2024        Edition = 1001
+	EditionUnstable    Edition = 9999
 	EditionUnsupported Edition = 100000
 )
 
@@ -72,9 +73,10 @@ type (
 		EditionFeatures EditionFeatures
 	}
 	FileL2 struct {
-		Options   func() protoreflect.ProtoMessage
-		Imports   FileImports
-		Locations SourceLocations
+		Options       func() protoreflect.ProtoMessage
+		Imports       FileImports
+		OptionImports func() protoreflect.FileImports
+		Locations     SourceLocations
 	}
 
 	// EditionFeatures is a frequently-instantiated struct, so please take care
@@ -126,12 +128,9 @@ func (fd *File) ParentFile() protoreflect.FileDescriptor { return fd }
 func (fd *File) Parent() protoreflect.Descriptor         { return nil }
 func (fd *File) Index() int                              { return 0 }
 func (fd *File) Syntax() protoreflect.Syntax             { return fd.L1.Syntax }
-
-// Not exported and just used to reconstruct the original FileDescriptor proto
-func (fd *File) Edition() int32                  { return int32(fd.L1.Edition) }
-func (fd *File) Name() protoreflect.Name         { return fd.L1.Package.Name() }
-func (fd *File) FullName() protoreflect.FullName { return fd.L1.Package }
-func (fd *File) IsPlaceholder() bool             { return false }
+func (fd *File) Name() protoreflect.Name                 { return fd.L1.Package.Name() }
+func (fd *File) FullName() protoreflect.FullName         { return fd.L1.Package }
+func (fd *File) IsPlaceholder() bool                     { return false }
 func (fd *File) Options() protoreflect.ProtoMessage {
 	if f := fd.lazyInit().Options; f != nil {
 		return f()
@@ -150,6 +149,16 @@ func (fd *File) Format(s fmt.State, r rune)                    { descfmt.FormatD
 func (fd *File) ProtoType(protoreflect.FileDescriptor)         {}
 func (fd *File) ProtoInternal(pragma.DoNotImplement)           {}
 
+// The next two are not part of the FileDescriptor interface. They are just used to reconstruct
+// the original FileDescriptor proto.
+func (fd *File) Edition() int32 { return int32(fd.L1.Edition) }
+func (fd *File) OptionImports() protoreflect.FileImports {
+	if f := fd.lazyInit().OptionImports; f != nil {
+		return f()
+	}
+	return emptyFiles
+}
+
 func (fd *File) lazyInit() *FileL2 {
 	if atomic.LoadUint32(&fd.once) == 0 {
 		fd.lazyInitOnce()
@@ -182,9 +191,9 @@ type (
 		L2 *EnumL2 // protected by fileDesc.once
 	}
 	EnumL1 struct {
-		eagerValues bool // controls whether EnumL2.Values is already populated
-
 		EditionFeatures EditionFeatures
+		Visibility      int32
+		eagerValues     bool // controls whether EnumL2.Values is already populated
 	}
 	EnumL2 struct {
 		Options        func() protoreflect.ProtoMessage
@@ -219,6 +228,11 @@ func (ed *Enum) ReservedNames() protoreflect.Names       { return &ed.lazyInit()
 func (ed *Enum) ReservedRanges() protoreflect.EnumRanges { return &ed.lazyInit().ReservedRanges }
 func (ed *Enum) Format(s fmt.State, r rune)              { descfmt.FormatDesc(s, r, ed) }
 func (ed *Enum) ProtoType(protoreflect.EnumDescriptor)   {}
+
+// This is not part of the EnumDescriptor interface. It is just used to reconstruct
+// the original FileDescriptor proto.
+func (ed *Enum) Visibility() int32 { return ed.L1.Visibility }
+
 func (ed *Enum) lazyInit() *EnumL2 {
 	ed.L0.ParentFile.lazyInit() // implicitly initializes L2
 	return ed.L2
@@ -244,13 +258,13 @@ type (
 		L2 *MessageL2 // protected by fileDesc.once
 	}
 	MessageL1 struct {
-		Enums        Enums
-		Messages     Messages
-		Extensions   Extensions
-		IsMapEntry   bool // promoted from google.protobuf.MessageOptions
-		IsMessageSet bool // promoted from google.protobuf.MessageOptions
-
+		Enums           Enums
+		Messages        Messages
+		Extensions      Extensions
 		EditionFeatures EditionFeatures
+		Visibility      int32
+		IsMapEntry      bool // promoted from google.protobuf.MessageOptions
+		IsMessageSet    bool // promoted from google.protobuf.MessageOptions
 	}
 	MessageL2 struct {
 		Options               func() protoreflect.ProtoMessage
@@ -319,6 +333,11 @@ func (md *Message) Messages() protoreflect.MessageDescriptors     { return &md.L
 func (md *Message) Extensions() protoreflect.ExtensionDescriptors { return &md.L1.Extensions }
 func (md *Message) ProtoType(protoreflect.MessageDescriptor)      {}
 func (md *Message) Format(s fmt.State, r rune)                    { descfmt.FormatDesc(s, r, md) }
+
+// This is not part of the MessageDescriptor interface. It is just used to reconstruct
+// the original FileDescriptor proto.
+func (md *Message) Visibility() int32 { return md.L1.Visibility }
+
 func (md *Message) lazyInit() *MessageL2 {
 	md.L0.ParentFile.lazyInit() // implicitly initializes L2
 	return md.L2
diff --git a/vendor/google.golang.org/protobuf/internal/filedesc/desc_init.go b/vendor/google.golang.org/protobuf/internal/filedesc/desc_init.go
index d2f549497e..e91860f5a2 100644
--- a/vendor/google.golang.org/protobuf/internal/filedesc/desc_init.go
+++ b/vendor/google.golang.org/protobuf/internal/filedesc/desc_init.go
@@ -284,6 +284,13 @@ func (ed *Enum) unmarshalSeed(b []byte, sb *strs.Builder, pf *File, pd protorefl
 			case genid.EnumDescriptorProto_Value_field_number:
 				numValues++
 			}
+		case protowire.VarintType:
+			v, m := protowire.ConsumeVarint(b)
+			b = b[m:]
+			switch num {
+			case genid.EnumDescriptorProto_Visibility_field_number:
+				ed.L1.Visibility = int32(v)
+			}
 		default:
 			m := protowire.ConsumeFieldValue(num, typ, b)
 			b = b[m:]
@@ -365,6 +372,13 @@ func (md *Message) unmarshalSeed(b []byte, sb *strs.Builder, pf *File, pd protor
 				md.unmarshalSeedOptions(v)
 			}
 			prevField = num
+		case protowire.VarintType:
+			v, m := protowire.ConsumeVarint(b)
+			b = b[m:]
+			switch num {
+			case genid.DescriptorProto_Visibility_field_number:
+				md.L1.Visibility = int32(v)
+			}
 		default:
 			m := protowire.ConsumeFieldValue(num, typ, b)
 			b = b[m:]
diff --git a/vendor/google.golang.org/protobuf/internal/filedesc/desc_lazy.go b/vendor/google.golang.org/protobuf/internal/filedesc/desc_lazy.go
index d4c94458bd..78f02b1b49 100644
--- a/vendor/google.golang.org/protobuf/internal/filedesc/desc_lazy.go
+++ b/vendor/google.golang.org/protobuf/internal/filedesc/desc_lazy.go
@@ -134,6 +134,7 @@ func (fd *File) unmarshalFull(b []byte) {
 
 	var enumIdx, messageIdx, extensionIdx, serviceIdx int
 	var rawOptions []byte
+	var optionImports []string
 	fd.L2 = new(FileL2)
 	for len(b) > 0 {
 		num, typ, n := protowire.ConsumeTag(b)
@@ -157,6 +158,8 @@ func (fd *File) unmarshalFull(b []byte) {
 					imp = PlaceholderFile(path)
 				}
 				fd.L2.Imports = append(fd.L2.Imports, protoreflect.FileImport{FileDescriptor: imp})
+			case genid.FileDescriptorProto_OptionDependency_field_number:
+				optionImports = append(optionImports, sb.MakeString(v))
 			case genid.FileDescriptorProto_EnumType_field_number:
 				fd.L1.Enums.List[enumIdx].unmarshalFull(v, sb)
 				enumIdx++
@@ -178,6 +181,23 @@ func (fd *File) unmarshalFull(b []byte) {
 		}
 	}
 	fd.L2.Options = fd.builder.optionsUnmarshaler(&descopts.File, rawOptions)
+	if len(optionImports) > 0 {
+		var imps FileImports
+		var once sync.Once
+		fd.L2.OptionImports = func() protoreflect.FileImports {
+			once.Do(func() {
+				imps = make(FileImports, len(optionImports))
+				for i, path := range optionImports {
+					imp, _ := fd.builder.FileRegistry.FindFileByPath(path)
+					if imp == nil {
+						imp = PlaceholderFile(path)
+					}
+					imps[i] = protoreflect.FileImport{FileDescriptor: imp}
+				}
+			})
+			return &imps
+		}
+	}
 }
 
 func (ed *Enum) unmarshalFull(b []byte, sb *strs.Builder) {
@@ -310,7 +330,6 @@ func (md *Message) unmarshalFull(b []byte, sb *strs.Builder) {
 				md.L1.Extensions.List[extensionIdx].unmarshalFull(v, sb)
 				extensionIdx++
 			case genid.DescriptorProto_Options_field_number:
-				md.unmarshalOptions(v)
 				rawOptions = appendOptions(rawOptions, v)
 			}
 		default:
@@ -336,27 +355,6 @@ func (md *Message) unmarshalFull(b []byte, sb *strs.Builder) {
 	md.L2.Options = md.L0.ParentFile.builder.optionsUnmarshaler(&descopts.Message, rawOptions)
 }
 
-func (md *Message) unmarshalOptions(b []byte) {
-	for len(b) > 0 {
-		num, typ, n := protowire.ConsumeTag(b)
-		b = b[n:]
-		switch typ {
-		case protowire.VarintType:
-			v, m := protowire.ConsumeVarint(b)
-			b = b[m:]
-			switch num {
-			case genid.MessageOptions_MapEntry_field_number:
-				md.L1.IsMapEntry = protowire.DecodeBool(v)
-			case genid.MessageOptions_MessageSetWireFormat_field_number:
-				md.L1.IsMessageSet = protowire.DecodeBool(v)
-			}
-		default:
-			m := protowire.ConsumeFieldValue(num, typ, b)
-			b = b[m:]
-		}
-	}
-}
-
 func unmarshalMessageReservedRange(b []byte) (r [2]protoreflect.FieldNumber) {
 	for len(b) > 0 {
 		num, typ, n := protowire.ConsumeTag(b)
diff --git a/vendor/google.golang.org/protobuf/internal/genid/descriptor_gen.go b/vendor/google.golang.org/protobuf/internal/genid/descriptor_gen.go
index 950a6a325a..65aaf4d210 100644
--- a/vendor/google.golang.org/protobuf/internal/genid/descriptor_gen.go
+++ b/vendor/google.golang.org/protobuf/internal/genid/descriptor_gen.go
@@ -26,6 +26,7 @@ const (
 	Edition_EDITION_PROTO3_enum_value          = 999
 	Edition_EDITION_2023_enum_value            = 1000
 	Edition_EDITION_2024_enum_value            = 1001
+	Edition_EDITION_UNSTABLE_enum_value        = 9999
 	Edition_EDITION_1_TEST_ONLY_enum_value     = 1
 	Edition_EDITION_2_TEST_ONLY_enum_value     = 2
 	Edition_EDITION_99997_TEST_ONLY_enum_value = 99997
diff --git a/vendor/google.golang.org/protobuf/internal/impl/codec_map.go b/vendor/google.golang.org/protobuf/internal/impl/codec_map.go
index 229c698013..4a3bf393ef 100644
--- a/vendor/google.golang.org/protobuf/internal/impl/codec_map.go
+++ b/vendor/google.golang.org/protobuf/internal/impl/codec_map.go
@@ -113,6 +113,9 @@ func sizeMap(mapv reflect.Value, mapi *mapInfo, f *coderFieldInfo, opts marshalO
 }
 
 func consumeMap(b []byte, mapv reflect.Value, wtyp protowire.Type, mapi *mapInfo, f *coderFieldInfo, opts unmarshalOptions) (out unmarshalOutput, err error) {
+	if opts.depth--; opts.depth < 0 {
+		return out, errRecursionDepth
+	}
 	if wtyp != protowire.BytesType {
 		return out, errUnknown
 	}
@@ -170,6 +173,9 @@ func consumeMap(b []byte, mapv reflect.Value, wtyp protowire.Type, mapi *mapInfo
 }
 
 func consumeMapOfMessage(b []byte, mapv reflect.Value, wtyp protowire.Type, mapi *mapInfo, f *coderFieldInfo, opts unmarshalOptions) (out unmarshalOutput, err error) {
+	if opts.depth--; opts.depth < 0 {
+		return out, errRecursionDepth
+	}
 	if wtyp != protowire.BytesType {
 		return out, errUnknown
 	}
diff --git a/vendor/google.golang.org/protobuf/internal/impl/decode.go b/vendor/google.golang.org/protobuf/internal/impl/decode.go
index e0dd21fa5f..1228b5c8c2 100644
--- a/vendor/google.golang.org/protobuf/internal/impl/decode.go
+++ b/vendor/google.golang.org/protobuf/internal/impl/decode.go
@@ -102,8 +102,7 @@ var errUnknown = errors.New("unknown")
 
 func (mi *MessageInfo) unmarshalPointer(b []byte, p pointer, groupTag protowire.Number, opts unmarshalOptions) (out unmarshalOutput, err error) {
 	mi.init()
-	opts.depth--
-	if opts.depth < 0 {
+	if opts.depth--; opts.depth < 0 {
 		return out, errRecursionDepth
 	}
 	if flags.ProtoLegacy && mi.isMessageSet {
diff --git a/vendor/google.golang.org/protobuf/internal/impl/validate.go b/vendor/google.golang.org/protobuf/internal/impl/validate.go
index 7b2995dde5..99a1eb95f7 100644
--- a/vendor/google.golang.org/protobuf/internal/impl/validate.go
+++ b/vendor/google.golang.org/protobuf/internal/impl/validate.go
@@ -68,9 +68,13 @@ func Validate(mt protoreflect.MessageType, in protoiface.UnmarshalInput) (out pr
 	if in.Resolver == nil {
 		in.Resolver = protoregistry.GlobalTypes
 	}
+	if in.Depth == 0 {
+		in.Depth = protowire.DefaultRecursionLimit
+	}
 	o, st := mi.validate(in.Buf, 0, unmarshalOptions{
 		flags:    in.Flags,
 		resolver: in.Resolver,
+		depth:    in.Depth,
 	})
 	if o.initialized {
 		out.Flags |= protoiface.UnmarshalInitialized
@@ -257,6 +261,9 @@ func (mi *MessageInfo) validate(b []byte, groupTag protowire.Number, opts unmars
 		states[0].typ = validationTypeGroup
 		states[0].endGroup = groupTag
 	}
+	if opts.depth--; opts.depth < 0 {
+		return out, ValidationInvalid
+	}
 	initialized := true
 	start := len(b)
 State:
@@ -451,6 +458,13 @@ State:
 						mi:      vi.mi,
 						tail:    b,
 					})
+					if vi.typ == validationTypeMessage ||
+						vi.typ == validationTypeGroup ||
+						vi.typ == validationTypeMap {
+						if opts.depth--; opts.depth < 0 {
+							return out, ValidationInvalid
+						}
+					}
 					b = v
 					continue State
 				case validationTypeRepeatedVarint:
@@ -499,6 +513,9 @@ State:
 						mi:       vi.mi,
 						endGroup: num,
 					})
+					if opts.depth--; opts.depth < 0 {
+						return out, ValidationInvalid
+					}
 					continue State
 				case flags.ProtoLegacy && vi.typ == validationTypeMessageSetItem:
 					typeid, v, n, err := messageset.ConsumeFieldValue(b, false)
@@ -521,6 +538,13 @@ State:
 							mi:   xvi.mi,
 							tail: b[n:],
 						})
+						if xvi.typ == validationTypeMessage ||
+							xvi.typ == validationTypeGroup ||
+							xvi.typ == validationTypeMap {
+							if opts.depth--; opts.depth < 0 {
+								return out, ValidationInvalid
+							}
+						}
 						b = v
 						continue State
 					}
@@ -547,12 +571,14 @@ State:
 		switch st.typ {
 		case validationTypeMessage, validationTypeGroup:
 			numRequiredFields = int(st.mi.numRequiredFields)
+			opts.depth++
 		case validationTypeMap:
 			// If this is a map field with a message value that contains
 			// required fields, require that the value be present.
 			if st.mi != nil && st.mi.numRequiredFields > 0 {
 				numRequiredFields = 1
 			}
+			opts.depth++
 		}
 		// If there are more than 64 required fields, this check will
 		// always fail and we will report that the message is potentially
diff --git a/vendor/google.golang.org/protobuf/internal/version/version.go b/vendor/google.golang.org/protobuf/internal/version/version.go
index 31e79a6535..763fd82841 100644
--- a/vendor/google.golang.org/protobuf/internal/version/version.go
+++ b/vendor/google.golang.org/protobuf/internal/version/version.go
@@ -52,7 +52,7 @@ import (
 const (
 	Major      = 1
 	Minor      = 36
-	Patch      = 9
+	Patch      = 11
 	PreRelease = ""
 )
 
diff --git a/vendor/google.golang.org/protobuf/proto/decode.go b/vendor/google.golang.org/protobuf/proto/decode.go
index 4cbf1aeaf7..889d8511d2 100644
--- a/vendor/google.golang.org/protobuf/proto/decode.go
+++ b/vendor/google.golang.org/protobuf/proto/decode.go
@@ -121,9 +121,8 @@ func (o UnmarshalOptions) unmarshal(b []byte, m protoreflect.Message) (out proto
 
 		out, err = methods.Unmarshal(in)
 	} else {
-		o.RecursionLimit--
-		if o.RecursionLimit < 0 {
-			return out, errors.New("exceeded max recursion depth")
+		if o.RecursionLimit--; o.RecursionLimit < 0 {
+			return out, errRecursionDepth
 		}
 		err = o.unmarshalMessageSlow(b, m)
 	}
@@ -220,6 +219,9 @@ func (o UnmarshalOptions) unmarshalSingular(b []byte, wtyp protowire.Type, m pro
 }
 
 func (o UnmarshalOptions) unmarshalMap(b []byte, wtyp protowire.Type, mapv protoreflect.Map, fd protoreflect.FieldDescriptor) (n int, err error) {
+	if o.RecursionLimit--; o.RecursionLimit < 0 {
+		return 0, errRecursionDepth
+	}
 	if wtyp != protowire.BytesType {
 		return 0, errUnknown
 	}
@@ -305,3 +307,5 @@ func (o UnmarshalOptions) unmarshalMap(b []byte, wtyp protowire.Type, mapv proto
 var errUnknown = errors.New("BUG: internal error (unknown)")
 
 var errDecode = errors.New("cannot parse invalid wire-format data")
+
+var errRecursionDepth = errors.New("exceeded maximum recursion depth")
diff --git a/vendor/google.golang.org/protobuf/reflect/protodesc/desc.go b/vendor/google.golang.org/protobuf/reflect/protodesc/desc.go
index 823dbf3ba6..40f17af4e3 100644
--- a/vendor/google.golang.org/protobuf/reflect/protodesc/desc.go
+++ b/vendor/google.golang.org/protobuf/reflect/protodesc/desc.go
@@ -108,7 +108,9 @@ func (o FileOptions) New(fd *descriptorpb.FileDescriptorProto, r Resolver) (prot
 	if f.L1.Path == "" {
 		return nil, errors.New("file path must be populated")
 	}
-	if f.L1.Syntax == protoreflect.Editions && (fd.GetEdition() < editionssupport.Minimum || fd.GetEdition() > editionssupport.Maximum) {
+	if f.L1.Syntax == protoreflect.Editions &&
+		(fd.GetEdition() < editionssupport.Minimum || fd.GetEdition() > editionssupport.Maximum) &&
+		fd.GetEdition() != descriptorpb.Edition_EDITION_UNSTABLE {
 		// Allow cmd/protoc-gen-go/testdata to use any edition for easier
 		// testing of upcoming edition features.
 		if !strings.HasPrefix(fd.GetName(), "cmd/protoc-gen-go/testdata/") {
@@ -152,6 +154,31 @@ func (o FileOptions) New(fd *descriptorpb.FileDescriptorProto, r Resolver) (prot
 		imp := &f.L2.Imports[i]
 		imps.importPublic(imp.Imports())
 	}
+	optionImps := importSet{f.Path(): true}
+	if len(fd.GetOptionDependency()) > 0 {
+		optionImports := make(filedesc.FileImports, len(fd.GetOptionDependency()))
+		for i, path := range fd.GetOptionDependency() {
+			imp := &optionImports[i]
+			f, err := r.FindFileByPath(path)
+			if err == protoregistry.NotFound {
+				// We always allow option imports to be unresolvable.
+				f = filedesc.PlaceholderFile(path)
+			} else if err != nil {
+				return nil, errors.New("could not resolve import %q: %v", path, err)
+			}
+			imp.FileDescriptor = f
+
+			if imps[imp.Path()] || optionImps[imp.Path()] {
+				return nil, errors.New("already imported %q", path)
+			}
+			// This needs to be a separate map so that we don't recognize non-options
+			// symbols coming from option imports.
+			optionImps[imp.Path()] = true
+		}
+		f.L2.OptionImports = func() protoreflect.FileImports {
+			return &optionImports
+		}
+	}
 
 	// Handle source locations.
 	f.L2.Locations.File = f
diff --git a/vendor/google.golang.org/protobuf/reflect/protodesc/desc_init.go b/vendor/google.golang.org/protobuf/reflect/protodesc/desc_init.go
index 9da34998b1..c826ad0430 100644
--- a/vendor/google.golang.org/protobuf/reflect/protodesc/desc_init.go
+++ b/vendor/google.golang.org/protobuf/reflect/protodesc/desc_init.go
@@ -29,6 +29,7 @@ func (r descsByName) initEnumDeclarations(eds []*descriptorpb.EnumDescriptorProt
 			e.L2.Options = func() protoreflect.ProtoMessage { return opts }
 		}
 		e.L1.EditionFeatures = mergeEditionFeatures(parent, ed.GetOptions().GetFeatures())
+		e.L1.Visibility = int32(ed.GetVisibility())
 		for _, s := range ed.GetReservedName() {
 			e.L2.ReservedNames.List = append(e.L2.ReservedNames.List, protoreflect.Name(s))
 		}
@@ -70,6 +71,7 @@ func (r descsByName) initMessagesDeclarations(mds []*descriptorpb.DescriptorProt
 			return nil, err
 		}
 		m.L1.EditionFeatures = mergeEditionFeatures(parent, md.GetOptions().GetFeatures())
+		m.L1.Visibility = int32(md.GetVisibility())
 		if opts := md.GetOptions(); opts != nil {
 			opts = proto.Clone(opts).(*descriptorpb.MessageOptions)
 			m.L2.Options = func() protoreflect.ProtoMessage { return opts }
diff --git a/vendor/google.golang.org/protobuf/reflect/protodesc/editions.go b/vendor/google.golang.org/protobuf/reflect/protodesc/editions.go
index 697a61b290..147b8c7398 100644
--- a/vendor/google.golang.org/protobuf/reflect/protodesc/editions.go
+++ b/vendor/google.golang.org/protobuf/reflect/protodesc/editions.go
@@ -46,6 +46,8 @@ func toEditionProto(ed filedesc.Edition) descriptorpb.Edition {
 		return descriptorpb.Edition_EDITION_2023
 	case filedesc.Edition2024:
 		return descriptorpb.Edition_EDITION_2024
+	case filedesc.EditionUnstable:
+		return descriptorpb.Edition_EDITION_UNSTABLE
 	default:
 		panic(fmt.Sprintf("unknown value for edition: %v", ed))
 	}
@@ -58,7 +60,7 @@ func getFeatureSetFor(ed filedesc.Edition) *descriptorpb.FeatureSet {
 		return def
 	}
 	edpb := toEditionProto(ed)
-	if defaults.GetMinimumEdition() > edpb || defaults.GetMaximumEdition() < edpb {
+	if (defaults.GetMinimumEdition() > edpb || defaults.GetMaximumEdition() < edpb) && edpb != descriptorpb.Edition_EDITION_UNSTABLE {
 		// This should never happen protodesc.(FileOptions).New would fail when
 		// initializing the file descriptor.
 		// This most likely means the embedded defaults were not updated.
diff --git a/vendor/google.golang.org/protobuf/reflect/protodesc/proto.go b/vendor/google.golang.org/protobuf/reflect/protodesc/proto.go
index 9b880aa8c9..6f91074e36 100644
--- a/vendor/google.golang.org/protobuf/reflect/protodesc/proto.go
+++ b/vendor/google.golang.org/protobuf/reflect/protodesc/proto.go
@@ -70,16 +70,27 @@ func ToFileDescriptorProto(file protoreflect.FileDescriptor) *descriptorpb.FileD
 	if syntax := file.Syntax(); syntax != protoreflect.Proto2 && syntax.IsValid() {
 		p.Syntax = proto.String(file.Syntax().String())
 	}
+	desc := file
+	if fileImportDesc, ok := file.(protoreflect.FileImport); ok {
+		desc = fileImportDesc.FileDescriptor
+	}
 	if file.Syntax() == protoreflect.Editions {
-		desc := file
-		if fileImportDesc, ok := file.(protoreflect.FileImport); ok {
-			desc = fileImportDesc.FileDescriptor
-		}
-
 		if editionsInterface, ok := desc.(interface{ Edition() int32 }); ok {
 			p.Edition = descriptorpb.Edition(editionsInterface.Edition()).Enum()
 		}
 	}
+	type hasOptionImports interface {
+		OptionImports() protoreflect.FileImports
+	}
+	if opts, ok := desc.(hasOptionImports); ok {
+		if optionImports := opts.OptionImports(); optionImports.Len() > 0 {
+			optionDeps := make([]string, optionImports.Len())
+			for i := range optionImports.Len() {
+				optionDeps[i] = optionImports.Get(i).Path()
+			}
+			p.OptionDependency = optionDeps
+		}
+	}
 	return p
 }
 
@@ -123,6 +134,14 @@ func ToDescriptorProto(message protoreflect.MessageDescriptor) *descriptorpb.Des
 	for i, names := 0, message.ReservedNames(); i < names.Len(); i++ {
 		p.ReservedName = append(p.ReservedName, string(names.Get(i)))
 	}
+	type hasVisibility interface {
+		Visibility() int32
+	}
+	if vis, ok := message.(hasVisibility); ok {
+		if visibility := vis.Visibility(); visibility > 0 {
+			p.Visibility = descriptorpb.SymbolVisibility(visibility).Enum()
+		}
+	}
 	return p
 }
 
@@ -216,6 +235,14 @@ func ToEnumDescriptorProto(enum protoreflect.EnumDescriptor) *descriptorpb.EnumD
 	for i, names := 0, enum.ReservedNames(); i < names.Len(); i++ {
 		p.ReservedName = append(p.ReservedName, string(names.Get(i)))
 	}
+	type hasVisibility interface {
+		Visibility() int32
+	}
+	if vis, ok := enum.(hasVisibility); ok {
+		if visibility := vis.Visibility(); visibility > 0 {
+			p.Visibility = descriptorpb.SymbolVisibility(visibility).Enum()
+		}
+	}
 	return p
 }
 
diff --git a/vendor/google.golang.org/protobuf/types/descriptorpb/descriptor.pb.go b/vendor/google.golang.org/protobuf/types/descriptorpb/descriptor.pb.go
index 4eacb523c3..0b23faa957 100644
--- a/vendor/google.golang.org/protobuf/types/descriptorpb/descriptor.pb.go
+++ b/vendor/google.golang.org/protobuf/types/descriptorpb/descriptor.pb.go
@@ -69,6 +69,8 @@ const (
 	// comparison.
 	Edition_EDITION_2023 Edition = 1000
 	Edition_EDITION_2024 Edition = 1001
+	// A placeholder edition for developing and testing unscheduled features.
+	Edition_EDITION_UNSTABLE Edition = 9999
 	// Placeholder editions for testing feature resolution.  These should not be
 	// used or relied on outside of tests.
 	Edition_EDITION_1_TEST_ONLY     Edition = 1
@@ -91,6 +93,7 @@ var (
 		999:        "EDITION_PROTO3",
 		1000:       "EDITION_2023",
 		1001:       "EDITION_2024",
+		9999:       "EDITION_UNSTABLE",
 		1:          "EDITION_1_TEST_ONLY",
 		2:          "EDITION_2_TEST_ONLY",
 		99997:      "EDITION_99997_TEST_ONLY",
@@ -105,6 +108,7 @@ var (
 		"EDITION_PROTO3":          999,
 		"EDITION_2023":            1000,
 		"EDITION_2024":            1001,
+		"EDITION_UNSTABLE":        9999,
 		"EDITION_1_TEST_ONLY":     1,
 		"EDITION_2_TEST_ONLY":     2,
 		"EDITION_99997_TEST_ONLY": 99997,
@@ -4793,11 +4797,11 @@ const file_google_protobuf_descriptor_proto_rawDesc = "" +
 	"\x18EnumValueDescriptorProto\x12\x12\n" +
 	"\x04name\x18\x01 \x01(\tR\x04name\x12\x16\n" +
 	"\x06number\x18\x02 \x01(\x05R\x06number\x12;\n" +
-	"\aoptions\x18\x03 \x01(\v2!.google.protobuf.EnumValueOptionsR\aoptions\"\xa7\x01\n" +
+	"\aoptions\x18\x03 \x01(\v2!.google.protobuf.EnumValueOptionsR\aoptions\"\xb5\x01\n" +
 	"\x16ServiceDescriptorProto\x12\x12\n" +
 	"\x04name\x18\x01 \x01(\tR\x04name\x12>\n" +
 	"\x06method\x18\x02 \x03(\v2&.google.protobuf.MethodDescriptorProtoR\x06method\x129\n" +
-	"\aoptions\x18\x03 \x01(\v2\x1f.google.protobuf.ServiceOptionsR\aoptions\"\x89\x02\n" +
+	"\aoptions\x18\x03 \x01(\v2\x1f.google.protobuf.ServiceOptionsR\aoptionsJ\x04\b\x04\x10\x05R\x06stream\"\x89\x02\n" +
 	"\x15MethodDescriptorProto\x12\x12\n" +
 	"\x04name\x18\x01 \x01(\tR\x04name\x12\x1d\n" +
 	"\n" +
@@ -5033,14 +5037,15 @@ const file_google_protobuf_descriptor_proto_rawDesc = "" +
 	"\bSemantic\x12\b\n" +
 	"\x04NONE\x10\x00\x12\a\n" +
 	"\x03SET\x10\x01\x12\t\n" +
-	"\x05ALIAS\x10\x02*\xa7\x02\n" +
+	"\x05ALIAS\x10\x02*\xbe\x02\n" +
 	"\aEdition\x12\x13\n" +
 	"\x0fEDITION_UNKNOWN\x10\x00\x12\x13\n" +
 	"\x0eEDITION_LEGACY\x10\x84\a\x12\x13\n" +
 	"\x0eEDITION_PROTO2\x10\xe6\a\x12\x13\n" +
 	"\x0eEDITION_PROTO3\x10\xe7\a\x12\x11\n" +
 	"\fEDITION_2023\x10\xe8\a\x12\x11\n" +
-	"\fEDITION_2024\x10\xe9\a\x12\x17\n" +
+	"\fEDITION_2024\x10\xe9\a\x12\x15\n" +
+	"\x10EDITION_UNSTABLE\x10\x8fN\x12\x17\n" +
 	"\x13EDITION_1_TEST_ONLY\x10\x01\x12\x17\n" +
 	"\x13EDITION_2_TEST_ONLY\x10\x02\x12\x1d\n" +
 	"\x17EDITION_99997_TEST_ONLY\x10\x9d\x8d\x06\x12\x1d\n" +
diff --git a/vendor/google.golang.org/protobuf/types/known/timestamppb/timestamp.pb.go b/vendor/google.golang.org/protobuf/types/known/timestamppb/timestamp.pb.go
index 06d584c14b..484c21fd53 100644
--- a/vendor/google.golang.org/protobuf/types/known/timestamppb/timestamp.pb.go
+++ b/vendor/google.golang.org/protobuf/types/known/timestamppb/timestamp.pb.go
@@ -172,13 +172,14 @@ import (
 // ) to obtain a formatter capable of generating timestamps in this format.
 type Timestamp struct {
 	state protoimpl.MessageState `protogen:"open.v1"`
-	// Represents seconds of UTC time since Unix epoch
-	// 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
-	// 9999-12-31T23:59:59Z inclusive.
+	// Represents seconds of UTC time since Unix epoch 1970-01-01T00:00:00Z. Must
+	// be between -315576000000 and 315576000000 inclusive (which corresponds to
+	// 0001-01-01T00:00:00Z to 9999-12-31T23:59:59Z).
 	Seconds int64 `protobuf:"varint,1,opt,name=seconds,proto3" json:"seconds,omitempty"`
-	// Non-negative fractions of a second at nanosecond resolution. Negative
-	// second values with fractions must still have non-negative nanos values
-	// that count forward in time. Must be from 0 to 999,999,999
+	// Non-negative fractions of a second at nanosecond resolution. This field is
+	// the nanosecond portion of the duration, not an alternative to seconds.
+	// Negative second values with fractions must still have non-negative nanos
+	// values that count forward in time. Must be between 0 and 999,999,999
 	// inclusive.
 	Nanos         int32 `protobuf:"varint,2,opt,name=nanos,proto3" json:"nanos,omitempty"`
 	unknownFields protoimpl.UnknownFields
diff --git a/vendor/k8s.io/kubernetes/pkg/api/service/warnings.go b/vendor/k8s.io/kubernetes/pkg/api/service/warnings.go
index 41e69704bc..92fef3afa9 100644
--- a/vendor/k8s.io/kubernetes/pkg/api/service/warnings.go
+++ b/vendor/k8s.io/kubernetes/pkg/api/service/warnings.go
@@ -48,7 +48,7 @@ func GetWarningsForService(service, oldService *api.Service) []string {
 		if len(service.Spec.ExternalIPs) > 0 {
 			warnings = append(warnings, "spec.externalIPs is ignored for headless services")
 		}
-		if service.Spec.SessionAffinity != "" {
+		if service.Spec.SessionAffinity != api.ServiceAffinityNone {
 			warnings = append(warnings, "spec.SessionAffinity is ignored for headless services")
 		}
 	}
diff --git a/vendor/k8s.io/kubernetes/pkg/controller/controller_utils.go b/vendor/k8s.io/kubernetes/pkg/controller/controller_utils.go
index c847ad4f22..c6c3b31f0d 100644
--- a/vendor/k8s.io/kubernetes/pkg/controller/controller_utils.go
+++ b/vendor/k8s.io/kubernetes/pkg/controller/controller_utils.go
@@ -89,12 +89,9 @@ const (
 	// PodNodeNameKeyIndex is the name of the index used by PodInformer to index pods by their node name.
 	PodNodeNameKeyIndex = "spec.nodeName"
 
-	// OrphanPodIndexKey is used to index all Orphan pods to this key
-	OrphanPodIndexKey = "_ORPHAN_POD"
-
-	// podControllerUIDIndex is the name for the Pod store's index function,
-	// which is to index by pods's controllerUID.
-	PodControllerUIDIndex = "podControllerUID"
+	// PodControllerIndex is the name for the Pod store's index function,
+	// which indexes by the key returned from PodControllerIndexKey.
+	PodControllerIndex = "podController"
 )
 
 var UpdateTaintBackoff = wait.Backoff{
@@ -1139,43 +1136,59 @@ func AddPodNodeNameIndexer(podInformer cache.SharedIndexInformer) error {
 	})
 }
 
-// OrphanPodIndexKeyForNamespace returns the orphan pod index key for a specific namespace.
-func OrphanPodIndexKeyForNamespace(namespace string) string {
-	return OrphanPodIndexKey + "/" + namespace
+// PodControllerIndexKey returns the index key to locate pods with the specified controller ownerReference.
+// If ownerReference is nil, the returned key locates pods in the namespace without a controller ownerReference.
+func PodControllerIndexKey(namespace string, ownerReference *metav1.OwnerReference) string {
+	if ownerReference == nil {
+		return namespace
+	}
+	return namespace + "/" + ownerReference.Kind + "/" + ownerReference.Name + "/" + string(ownerReference.UID)
 }
 
-// AddPodControllerUIDIndexer adds an indexer for Pod's controllerRef.UID to the given PodInformer.
+// AddPodControllerIndexer adds an indexer for Pod's controllerRef.UID to the given PodInformer.
 // This indexer is used to efficiently look up pods by their ControllerRef.UID
-func AddPodControllerUIDIndexer(podInformer cache.SharedIndexInformer) error {
-	if _, exists := podInformer.GetIndexer().GetIndexers()[PodControllerUIDIndex]; exists {
+func AddPodControllerIndexer(podInformer cache.SharedIndexInformer) error {
+	if _, exists := podInformer.GetIndexer().GetIndexers()[PodControllerIndex]; exists {
 		// indexer already exists, do nothing
 		return nil
 	}
 	return podInformer.AddIndexers(cache.Indexers{
-		PodControllerUIDIndex: func(obj interface{}) ([]string, error) {
+		PodControllerIndex: func(obj interface{}) ([]string, error) {
 			pod, ok := obj.(*v1.Pod)
 			if !ok {
 				return nil, nil
 			}
-			// Get the ControllerRef of the Pod to check if it's managed by a controller
-			if ref := metav1.GetControllerOf(pod); ref != nil {
-				return []string{string(ref.UID)}, nil
-			}
-			// If the Pod has no controller (i.e., it's orphaned), index it with the OrphanPodIndexKeyForNamespace
-			// This helps identify orphan pods for reconciliation and adoption by controllers
-			return []string{OrphanPodIndexKeyForNamespace(pod.Namespace)}, nil
+			// Get the ControllerRef of the Pod to check if it's managed by a controller.
+			// Index with a non-nil controller (indicating an owned pod) or a nil controller (indicating an orphan pod).
+			return []string{PodControllerIndexKey(pod.Namespace, metav1.GetControllerOf(pod))}, nil
 		},
 	})
 }
 
 // FilterPodsByOwner gets the Pods managed by an owner or orphan Pods in the owner's namespace
-func FilterPodsByOwner(podIndexer cache.Indexer, owner *metav1.ObjectMeta) ([]*v1.Pod, error) {
+func FilterPodsByOwner(podIndexer cache.Indexer, owner *metav1.ObjectMeta, ownerKind string, includeOrphanedPods bool) ([]*v1.Pod, error) {
 	result := []*v1.Pod{}
-	// Iterate over two keys:
-	// - the UID of the owner, which identifies Pods that are controlled by the owner
-	// - the OrphanPodIndexKey, which identifies orphaned Pods in the owner's namespace and might be adopted by the owner later
-	for _, key := range []string{string(owner.UID), OrphanPodIndexKeyForNamespace(owner.Namespace)} {
-		pods, err := podIndexer.ByIndex(PodControllerUIDIndex, key)
+
+	if len(owner.Namespace) == 0 {
+		return nil, fmt.Errorf("no owner namespace provided")
+	}
+	if len(owner.Name) == 0 {
+		return nil, fmt.Errorf("no owner name provided")
+	}
+	if len(owner.UID) == 0 {
+		return nil, fmt.Errorf("no owner uid provided")
+	}
+	if len(ownerKind) == 0 {
+		return nil, fmt.Errorf("no owner kind provided")
+	}
+	// Always include the owner key, which identifies Pods that are controlled by the owner
+	keys := []string{PodControllerIndexKey(owner.Namespace, &metav1.OwnerReference{Name: owner.Name, Kind: ownerKind, UID: owner.UID})}
+	if includeOrphanedPods {
+		// Optionally include the unowned key, which identifies orphaned Pods in the owner's namespace and might be adopted by the owner later
+		keys = append(keys, PodControllerIndexKey(owner.Namespace, nil))
+	}
+	for _, key := range keys {
+		pods, err := podIndexer.ByIndex(PodControllerIndex, key)
 		if err != nil {
 			return nil, err
 		}
diff --git a/vendor/k8s.io/kubernetes/pkg/features/kube_features.go b/vendor/k8s.io/kubernetes/pkg/features/kube_features.go
index cf5d933767..d5515d0d84 100644
--- a/vendor/k8s.io/kubernetes/pkg/features/kube_features.go
+++ b/vendor/k8s.io/kubernetes/pkg/features/kube_features.go
@@ -941,6 +941,12 @@ const (
 	// Enables policies controlling deletion of PVCs created by a StatefulSet.
 	StatefulSetAutoDeletePVC featuregate.Feature = "StatefulSetAutoDeletePVC"
 
+	// owner: @liggitt
+	//
+	// Mitigates spurious statefulset rollouts due to controller revision comparison mismatches
+	// which are not semantically significant (e.g. serialization differences or missing defaulted fields).
+	StatefulSetSemanticRevisionComparison = "StatefulSetSemanticRevisionComparison"
+
 	// owner: @cupnes
 	// kep: https://kep.k8s.io/4049
 	//
@@ -1679,7 +1685,7 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate
 	},
 
 	SchedulerAsyncAPICalls: {
-		{Version: version.MustParse("1.34"), Default: true, PreRelease: featuregate.Beta},
+		{Version: version.MustParse("1.34"), Default: false, PreRelease: featuregate.Beta},
 	},
 
 	SchedulerAsyncPreemption: {
@@ -1755,6 +1761,12 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate
 		{Version: version.MustParse("1.32"), Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // GA in 1.32, remove in 1.35
 	},
 
+	StatefulSetSemanticRevisionComparison: {
+		// This is a mitigation for a 1.34 regression due to serialization differences that cannot be feature-gated,
+		// so this mitigation should not auto-disable even if emulating versions prior to 1.34 with --emulation-version.
+		{Version: version.MustParse("1.0"), Default: true, PreRelease: featuregate.Beta},
+	},
+
 	StorageCapacityScoring: {
 		{Version: version.MustParse("1.33"), Default: false, PreRelease: featuregate.Alpha},
 	},
diff --git a/vendor/k8s.io/kubernetes/pkg/volume/plugins.go b/vendor/k8s.io/kubernetes/pkg/volume/plugins.go
index a6426cbd9d..24b661493f 100644
--- a/vendor/k8s.io/kubernetes/pkg/volume/plugins.go
+++ b/vendor/k8s.io/kubernetes/pkg/volume/plugins.go
@@ -997,7 +997,7 @@ func NewPersistentVolumeRecyclerPodTemplate() *v1.Pod {
 			Containers: []v1.Container{
 				{
 					Name:    "pv-recycler",
-					Image:   "registry.k8s.io/build-image/debian-base:bookworm-v1.0.4",
+					Image:   "registry.k8s.io/build-image/debian-base:bookworm-v1.0.6",
 					Command: []string{"/bin/sh"},
 					Args:    []string{"-c", "test -e /scrub && find /scrub -mindepth 1 -delete && test -z \"$(ls -A /scrub)\" || exit 1"},
 					VolumeMounts: []v1.VolumeMount{
diff --git a/vendor/k8s.io/kubernetes/test/e2e/framework/pv/wait.go b/vendor/k8s.io/kubernetes/test/e2e/framework/pv/wait.go
index ebfe227afe..aa94b17081 100644
--- a/vendor/k8s.io/kubernetes/test/e2e/framework/pv/wait.go
+++ b/vendor/k8s.io/kubernetes/test/e2e/framework/pv/wait.go
@@ -76,11 +76,16 @@ func WaitForPersistentVolumeClaimModificationFailure(ctx context.Context, c clie
 	desiredClass := ptr.Deref(claim.Spec.VolumeAttributesClassName, "")
 
 	var match = func(claim *v1.PersistentVolumeClaim) bool {
+		foundErrorCondition := false
 		for _, condition := range claim.Status.Conditions {
-			if condition.Type != v1.PersistentVolumeClaimVolumeModifyVolumeError {
-				return false
+			if condition.Type == v1.PersistentVolumeClaimVolumeModifyVolumeError {
+				foundErrorCondition = true
 			}
 		}
+		// if no error found it must be an error
+		if !foundErrorCondition {
+			return false
+		}
 
 		// check if claim's current volume attributes class is NOT desired one, and has appropriate ModifyVolumeStatus
 		currentClass := ptr.Deref(claim.Status.CurrentVolumeAttributesClassName, "")
diff --git a/vendor/k8s.io/kubernetes/test/utils/image/manifest.go b/vendor/k8s.io/kubernetes/test/utils/image/manifest.go
index 412ae957ee..157edb2af4 100644
--- a/vendor/k8s.io/kubernetes/test/utils/image/manifest.go
+++ b/vendor/k8s.io/kubernetes/test/utils/image/manifest.go
@@ -226,7 +226,7 @@ func initImageConfigs(list RegistryList) (map[ImageID]Config, map[ImageID]Config
 	configs[APIServer] = Config{list.PromoterE2eRegistry, "sample-apiserver", "1.29.2"}
 	configs[AppArmorLoader] = Config{list.PromoterE2eRegistry, "apparmor-loader", "1.4"}
 	configs[BusyBox] = Config{list.PromoterE2eRegistry, "busybox", "1.37.0-1"}
-	configs[DistrolessIptables] = Config{list.BuildImageRegistry, "distroless-iptables", "v0.7.8"}
+	configs[DistrolessIptables] = Config{list.BuildImageRegistry, "distroless-iptables", "v0.7.13"}
 	configs[Etcd] = Config{list.GcEtcdRegistry, "etcd", "3.6.4-0"}
 	configs[Httpd] = Config{list.PromoterE2eRegistry, "httpd", "2.4.38-4"}
 	configs[HttpdNew] = Config{list.PromoterE2eRegistry, "httpd", "2.4.39-4"}
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 8f2f78476f..1adb17a3a4 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -1,7 +1,13 @@
 # cel.dev/expr v0.24.0
 ## explicit; go 1.22.0
 cel.dev/expr
-# github.com/Azure/azure-sdk-for-go/sdk/azcore v1.19.1
+# cyphar.com/go-pathrs v0.2.1
+## explicit; go 1.18
+cyphar.com/go-pathrs
+cyphar.com/go-pathrs/internal/fdutils
+cyphar.com/go-pathrs/internal/libpathrs
+cyphar.com/go-pathrs/procfs
+# github.com/Azure/azure-sdk-for-go/sdk/azcore v1.20.0
 ## explicit; go 1.23.0
 github.com/Azure/azure-sdk-for-go/sdk/azcore
 github.com/Azure/azure-sdk-for-go/sdk/azcore/arm
@@ -24,7 +30,7 @@ github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime
 github.com/Azure/azure-sdk-for-go/sdk/azcore/streaming
 github.com/Azure/azure-sdk-for-go/sdk/azcore/to
 github.com/Azure/azure-sdk-for-go/sdk/azcore/tracing
-# github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.12.0
+# github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.13.1
 ## explicit; go 1.23.0
 github.com/Azure/azure-sdk-for-go/sdk/azidentity
 github.com/Azure/azure-sdk-for-go/sdk/azidentity/internal
@@ -73,8 +79,8 @@ github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets
 # github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.2.0
 ## explicit; go 1.23.0
 github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal
-# github.com/Azure/azure-sdk-for-go/sdk/storage/azfile v1.5.2
-## explicit; go 1.23.0
+# github.com/Azure/azure-sdk-for-go/sdk/storage/azfile v1.5.4
+## explicit; go 1.24.0
 github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/directory
 github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/file
 github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/fileerror
@@ -90,7 +96,7 @@ github.com/Azure/azure-sdk-for-go/sdk/storage/azfile/share
 github.com/Azure/msi-dataplane/pkg/dataplane
 github.com/Azure/msi-dataplane/pkg/dataplane/internal/challenge
 github.com/Azure/msi-dataplane/pkg/dataplane/internal/client
-# github.com/AzureAD/microsoft-authentication-library-for-go v1.5.0
+# github.com/AzureAD/microsoft-authentication-library-for-go v1.6.0
 ## explicit; go 1.18
 github.com/AzureAD/microsoft-authentication-library-for-go/apps/cache
 github.com/AzureAD/microsoft-authentication-library-for-go/apps/confidential
@@ -142,6 +148,19 @@ github.com/cespare/xxhash/v2
 # github.com/container-storage-interface/spec v1.10.0
 ## explicit; go 1.18
 github.com/container-storage-interface/spec/lib/go/csi
+# github.com/cyphar/filepath-securejoin v0.6.0
+## explicit; go 1.18
+github.com/cyphar/filepath-securejoin/internal/consts
+github.com/cyphar/filepath-securejoin/pathrs-lite
+github.com/cyphar/filepath-securejoin/pathrs-lite/internal
+github.com/cyphar/filepath-securejoin/pathrs-lite/internal/assert
+github.com/cyphar/filepath-securejoin/pathrs-lite/internal/fd
+github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gocompat
+github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gopathrs
+github.com/cyphar/filepath-securejoin/pathrs-lite/internal/kernelversion
+github.com/cyphar/filepath-securejoin/pathrs-lite/internal/linux
+github.com/cyphar/filepath-securejoin/pathrs-lite/internal/procfs
+github.com/cyphar/filepath-securejoin/pathrs-lite/procfs
 # github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc
 ## explicit
 github.com/davecgh/go-spew/spew
@@ -238,7 +257,7 @@ github.com/google/go-cmp/cmp/internal/diff
 github.com/google/go-cmp/cmp/internal/flags
 github.com/google/go-cmp/cmp/internal/function
 github.com/google/go-cmp/cmp/internal/value
-# github.com/google/pprof v0.0.0-20250820193118-f64d9cf942d6
+# github.com/google/pprof v0.0.0-20260115054156-294ebfa9ad83
 ## explicit; go 1.24.0
 github.com/google/pprof/profile
 # github.com/google/uuid v1.6.0
@@ -305,7 +324,7 @@ github.com/kylelemons/godebug/pretty
 github.com/mailru/easyjson/buffer
 github.com/mailru/easyjson/jlexer
 github.com/mailru/easyjson/jwriter
-# github.com/microsoft/wmi v0.37.0
+# github.com/microsoft/wmi v0.38.3
 ## explicit; go 1.24.3
 github.com/microsoft/wmi/go/wmi
 github.com/microsoft/wmi/pkg/base/credential
@@ -332,12 +351,13 @@ github.com/munnerz/goautoneg
 # github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f
 ## explicit
 github.com/mxk/go-flowrate/flowrate
-# github.com/onsi/ginkgo/v2 v2.25.3
+# github.com/onsi/ginkgo/v2 v2.28.0
 ## explicit; go 1.23.0
 github.com/onsi/ginkgo/v2
 github.com/onsi/ginkgo/v2/config
 github.com/onsi/ginkgo/v2/formatter
 github.com/onsi/ginkgo/v2/ginkgo
+github.com/onsi/ginkgo/v2/ginkgo/automaxprocs
 github.com/onsi/ginkgo/v2/ginkgo/build
 github.com/onsi/ginkgo/v2/ginkgo/command
 github.com/onsi/ginkgo/v2/ginkgo/generators
@@ -351,11 +371,12 @@ github.com/onsi/ginkgo/v2/internal
 github.com/onsi/ginkgo/v2/internal/global
 github.com/onsi/ginkgo/v2/internal/interrupt_handler
 github.com/onsi/ginkgo/v2/internal/parallel_support
+github.com/onsi/ginkgo/v2/internal/reporters
 github.com/onsi/ginkgo/v2/internal/testingtproxy
 github.com/onsi/ginkgo/v2/reporters
 github.com/onsi/ginkgo/v2/types
-# github.com/onsi/gomega v1.38.2
-## explicit; go 1.23.0
+# github.com/onsi/gomega v1.39.1
+## explicit; go 1.24.0
 github.com/onsi/gomega
 github.com/onsi/gomega/format
 github.com/onsi/gomega/gcustom
@@ -371,7 +392,7 @@ github.com/onsi/gomega/types
 # github.com/opencontainers/go-digest v1.0.0
 ## explicit; go 1.13
 github.com/opencontainers/go-digest
-# github.com/opencontainers/selinux v1.11.1
+# github.com/opencontainers/selinux v1.13.0
 ## explicit; go 1.19
 github.com/opencontainers/selinux/go-selinux
 github.com/opencontainers/selinux/go-selinux/label
@@ -435,8 +456,8 @@ github.com/stretchr/testify/require
 # github.com/x448/float16 v0.8.4
 ## explicit; go 1.11
 github.com/x448/float16
-# go.opentelemetry.io/auto/sdk v1.1.0
-## explicit; go 1.22.0
+# go.opentelemetry.io/auto/sdk v1.2.1
+## explicit; go 1.24.0
 go.opentelemetry.io/auto/sdk
 go.opentelemetry.io/auto/sdk/internal/telemetry
 # go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0
@@ -457,7 +478,6 @@ go.opentelemetry.io/otel/internal/global
 go.opentelemetry.io/otel/propagation
 go.opentelemetry.io/otel/semconv/v1.17.0
 go.opentelemetry.io/otel/semconv/v1.20.0
-go.opentelemetry.io/otel/semconv/v1.26.0
 go.opentelemetry.io/otel/semconv/v1.34.0
 go.opentelemetry.io/otel/semconv/v1.34.0/httpconv
 go.opentelemetry.io/otel/semconv/v1.37.0
@@ -510,12 +530,6 @@ go.opentelemetry.io/proto/otlp/collector/trace/v1
 go.opentelemetry.io/proto/otlp/common/v1
 go.opentelemetry.io/proto/otlp/resource/v1
 go.opentelemetry.io/proto/otlp/trace/v1
-# go.uber.org/automaxprocs v1.6.0
-## explicit; go 1.20
-go.uber.org/automaxprocs
-go.uber.org/automaxprocs/internal/cgroups
-go.uber.org/automaxprocs/internal/runtime
-go.uber.org/automaxprocs/maxprocs
 # go.uber.org/goleak v1.3.0
 ## explicit; go 1.20
 go.uber.org/goleak
@@ -529,7 +543,7 @@ go.yaml.in/yaml/v2
 # go.yaml.in/yaml/v3 v3.0.4
 ## explicit; go 1.16
 go.yaml.in/yaml/v3
-# golang.org/x/crypto v0.42.0
+# golang.org/x/crypto v0.47.0
 ## explicit; go 1.24.0
 golang.org/x/crypto/blowfish
 golang.org/x/crypto/chacha20
@@ -543,7 +557,10 @@ golang.org/x/crypto/ssh/internal/bcrypt_pbkdf
 # golang.org/x/exp v0.0.0-20250911091902-df9299821621
 ## explicit; go 1.24.0
 golang.org/x/exp/slices
-# golang.org/x/net v0.44.0
+# golang.org/x/mod v0.32.0
+## explicit; go 1.24.0
+golang.org/x/mod/semver
+# golang.org/x/net v0.49.0
 ## explicit; go 1.24.0
 golang.org/x/net/context
 golang.org/x/net/html
@@ -559,25 +576,25 @@ golang.org/x/net/internal/timeseries
 golang.org/x/net/proxy
 golang.org/x/net/trace
 golang.org/x/net/websocket
-# golang.org/x/oauth2 v0.30.0
-## explicit; go 1.23.0
+# golang.org/x/oauth2 v0.32.0
+## explicit; go 1.24.0
 golang.org/x/oauth2
 golang.org/x/oauth2/internal
-# golang.org/x/sync v0.17.0
+# golang.org/x/sync v0.19.0
 ## explicit; go 1.24.0
 golang.org/x/sync/errgroup
 golang.org/x/sync/singleflight
-# golang.org/x/sys v0.36.0
+# golang.org/x/sys v0.40.0
 ## explicit; go 1.24.0
 golang.org/x/sys/cpu
 golang.org/x/sys/plan9
 golang.org/x/sys/unix
 golang.org/x/sys/windows
 golang.org/x/sys/windows/registry
-# golang.org/x/term v0.35.0
+# golang.org/x/term v0.39.0
 ## explicit; go 1.24.0
 golang.org/x/term
-# golang.org/x/text v0.29.0
+# golang.org/x/text v0.33.0
 ## explicit; go 1.24.0
 golang.org/x/text/cases
 golang.org/x/text/encoding
@@ -611,21 +628,38 @@ golang.org/x/text/unicode/norm
 # golang.org/x/time v0.13.0
 ## explicit; go 1.24.0
 golang.org/x/time/rate
-# golang.org/x/tools v0.37.0
+# golang.org/x/tools v0.41.0
 ## explicit; go 1.24.0
 golang.org/x/tools/cover
 golang.org/x/tools/go/ast/edge
 golang.org/x/tools/go/ast/inspector
-# google.golang.org/genproto/googleapis/api v0.0.0-20250826171959-ef028d996bc1
+golang.org/x/tools/go/gcexportdata
+golang.org/x/tools/go/packages
+golang.org/x/tools/go/types/objectpath
+golang.org/x/tools/go/types/typeutil
+golang.org/x/tools/internal/aliases
+golang.org/x/tools/internal/event
+golang.org/x/tools/internal/event/core
+golang.org/x/tools/internal/event/keys
+golang.org/x/tools/internal/event/label
+golang.org/x/tools/internal/gcimporter
+golang.org/x/tools/internal/gocommand
+golang.org/x/tools/internal/packagesinternal
+golang.org/x/tools/internal/pkgbits
+golang.org/x/tools/internal/stdlib
+golang.org/x/tools/internal/typeparams
+golang.org/x/tools/internal/typesinternal
+golang.org/x/tools/internal/versions
+# google.golang.org/genproto/googleapis/api v0.0.0-20251029180050-ab9386a59fda
 ## explicit; go 1.24.0
 google.golang.org/genproto/googleapis/api/expr/v1alpha1
 google.golang.org/genproto/googleapis/api/httpbody
-# google.golang.org/genproto/googleapis/rpc v0.0.0-20250826171959-ef028d996bc1
+# google.golang.org/genproto/googleapis/rpc v0.0.0-20251029180050-ab9386a59fda
 ## explicit; go 1.24.0
 google.golang.org/genproto/googleapis/rpc/errdetails
 google.golang.org/genproto/googleapis/rpc/status
-# google.golang.org/grpc v1.75.1
-## explicit; go 1.23.0
+# google.golang.org/grpc v1.78.0
+## explicit; go 1.24.0
 google.golang.org/grpc
 google.golang.org/grpc/attributes
 google.golang.org/grpc/backoff
@@ -635,7 +669,6 @@ google.golang.org/grpc/balancer/endpointsharding
 google.golang.org/grpc/balancer/grpclb/state
 google.golang.org/grpc/balancer/pickfirst
 google.golang.org/grpc/balancer/pickfirst/internal
-google.golang.org/grpc/balancer/pickfirst/pickfirstleaf
 google.golang.org/grpc/balancer/roundrobin
 google.golang.org/grpc/binarylog/grpc_binarylog_v1
 google.golang.org/grpc/channelz
@@ -645,6 +678,7 @@ google.golang.org/grpc/credentials
 google.golang.org/grpc/credentials/insecure
 google.golang.org/grpc/encoding
 google.golang.org/grpc/encoding/gzip
+google.golang.org/grpc/encoding/internal
 google.golang.org/grpc/encoding/proto
 google.golang.org/grpc/experimental/stats
 google.golang.org/grpc/grpclog
@@ -692,7 +726,7 @@ google.golang.org/grpc/serviceconfig
 google.golang.org/grpc/stats
 google.golang.org/grpc/status
 google.golang.org/grpc/tap
-# google.golang.org/protobuf v1.36.9
+# google.golang.org/protobuf v1.36.11
 ## explicit; go 1.23
 google.golang.org/protobuf/encoding/protodelim
 google.golang.org/protobuf/encoding/protojson
@@ -1353,7 +1387,7 @@ k8s.io/kubectl/pkg/util/podutils
 # k8s.io/kubelet v0.34.1 => k8s.io/kubelet v0.32.2
 ## explicit; go 1.23.0
 k8s.io/kubelet/pkg/apis
-# k8s.io/kubernetes v1.34.1
+# k8s.io/kubernetes v1.34.3
 ## explicit; go 1.24.0
 k8s.io/kubernetes/pkg/api/legacyscheme
 k8s.io/kubernetes/pkg/api/service