Merge pull request #8 from qiujian16/updat-cluster-roles

Fix clusterrole of spoke agent

go.mod

@@ -4,7 +4,7 @@ go 1.13
 
 require (
 	github.com/jteeuwen/go-bindata v3.0.8-0.20151023091102-a0ff2567cfb7+incompatible
-	github.com/open-cluster-management/api v0.0.0-20200512021938-5f0d5c12ea67
+	github.com/open-cluster-management/api v0.0.0-20200512175145-bed9ce79e17e
 	github.com/openshift/api v0.0.0-20200326160804-ecb9283fe820
 	github.com/openshift/build-machinery-go v0.0.0-20200211121458-5e3d6e570160
 	github.com/openshift/library-go v0.0.0-20200414135834-ccc4bb27d032

go.sum

@@ -279,8 +279,8 @@ github.com/onsi/ginkgo v1.11.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+
 github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA=
 github.com/onsi/gomega v1.7.0 h1:XPnZz8VVBHjVsy1vzJmRwIcSwiUO+JFfrv/xGiigmME=
 github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
-github.com/open-cluster-management/api v0.0.0-20200512021938-5f0d5c12ea67 h1:JHbmXcawfV/Flb+csFz+FFHOG9EfEfcUH5cggNX8Yu4=
-github.com/open-cluster-management/api v0.0.0-20200512021938-5f0d5c12ea67/go.mod h1:RgKeB8PJ7upe2QXy/MpCejU/xm2G6/i0Y+/itWuPugs=
+github.com/open-cluster-management/api v0.0.0-20200512175145-bed9ce79e17e h1:WIzt0Bs7g0PIrVAVSobXAbDqvC2P5VjEwFTpjB4777I=
+github.com/open-cluster-management/api v0.0.0-20200512175145-bed9ce79e17e/go.mod h1:RgKeB8PJ7upe2QXy/MpCejU/xm2G6/i0Y+/itWuPugs=
 github.com/opencontainers/go-digest v1.0.0-rc1/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s=
 github.com/opencontainers/image-spec v1.0.1/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0=
 github.com/opencontainers/runc v0.0.0-20191031171055-b133feaeeb2e/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U=

manifests/hub/0000_00_clusters.open-cluster-management.io_spokeclusters.crd.yaml

@@ -54,19 +54,26 @@ spec:
                 to grant the permision of access from agent on spoke. When the value
                 is set false, the namespace representing the spoke cluster is deleted.
               type: boolean
-            spokeClientConfig:
-              description: SpokeClientConfig represents the apiserver address of the
-                spoke cluster
-              type: object
-              properties:
-                caBundle:
-                  description: CABundle is the ca bundle to connect to apiserver of
-                    the spoke cluster. System certs are used if it is not set.
-                  type: string
-                  format: byte
-                url:
-                  description: URL is the url of apiserver endpoint of the spoke cluster.
-                  type: string
+            spokeClientConfigs:
+              description: SpokeClientConfigs represents a list of the apiserver address
+                of the spoke cluster. If it is empty, spoke cluster has no accessible
+                address to be visited from hub.
+              type: array
+              items:
+                description: ClientConfig represents the apiserver address of the
+                  spoke cluster. TODO include credential to connect to spoke cluster
+                  kube-apiserver
+                type: object
+                properties:
+                  caBundle:
+                    description: CABundle is the ca bundle to connect to apiserver
+                      of the spoke cluster. System certs are used if it is not set.
+                    type: string
+                    format: byte
+                  url:
+                    description: URL is the url of apiserver endpoint of the spoke
+                      cluster.
+                    type: string
         status:
           description: Status represents the current status of joined spoke cluster
           type: object

manifests/hub/hub-clusterrole.yaml

@@ -16,14 +16,17 @@ rules:
   verbs: ["get", "list", "watch", "create", "delete", "update"]
 - apiGroups: ["", "events.k8s.io"]
   resources: ["events"]
-  verbs: [create", "patch", "update"]
+  verbs: ["create", "patch", "update"]
+- apiGroups: ["authorization.k8s.io"]
+  resources: ["subjectaccessreviews"]
+  verbs: ["create"]
 # Allow hub to manage clusterrole/clusterrolebinding/role/rolebinding
 - apiGroups: ["rbac.authorization.k8s.io"]
   resources: ["clusterrolebindings", "rolebindings"]
   verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
 - apiGroups: ["rbac.authorization.k8s.io"]
   resources: ["clusterroles", "roles"]
-  verbs: ["get", "list", "watch", "create", "update", "patch", "delete", "escalate"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete", "escalate", "bind"]
 # Allow hub to manage spokeclusters
 - apiGroups: ["cluster.open-cluster-management.io"]
   resources: ["spokeclusters"]

manifests/hub/hub-clusterrolebinding.yaml

@@ -9,4 +9,4 @@ roleRef:
 subjects:
 - kind: ServiceAccount
   namespace: {{ .HubCoreNamespace }}
-  name: {{ .HubCoreName }}-sa
+  name: {{ .HubCoreName }}-sa

manifests/hub/hub-deployment.yaml

@@ -27,12 +27,12 @@ spec:
           httpGet:
             path: /healthz
             scheme: HTTPS
-            port: 443
+            port: 8443
           initialDelaySeconds: 2
           periodSeconds: 10
         readinessProbe:
           httpGet:
             path: /healthz
             scheme: HTTPS
-            port: 443
-          initialDelaySeconds: 2
+            port: 8443
+          initialDelaySeconds: 2

manifests/hub/hub-namespace.yaml

@@ -1,4 +1,4 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: {{ .HubCoreNamespace }}
+  name: {{ .HubCoreNamespace }}

manifests/spoke/spoke-registration-clusterrole.yaml

@@ -0,0 +1,13 @@
+# Clusterrole for work agent in addition to admin clusterrole.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: system:open-cluster-management:{{ .SpokeCoreName }}-registration-agent
+rules:
+# Allow agent to get/list/watch nodes.
+- apiGroups: [""]
+  resources: ["nodes", "configmaps", "secrets"]
+  verbs: ["get", "list", "watch"]
+- apiGroups: ["authorization.k8s.io"]
+  resources: ["subjectaccessreviews"]
+  verbs: ["create"]

manifests/spoke/spoke-registration-clusterrolebinding.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: system:open-cluster-management:{{ .SpokeCoreName }}-registration-agent
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:open-cluster-management:{{ .SpokeCoreName }}-registration-agent
+subjects:
+  - kind: ServiceAccount
+    name: {{ .SpokeCoreName }}-registration-sa
+    namespace: {{ .SpokeCoreNamespace }}

manifests/spoke/spoke-registration-deployment.yaml

@@ -6,7 +6,7 @@ metadata:
   labels:
     app: spoke-registration-agent
 spec:
-  replicas: 1
+  replicas: 3
   selector:
     matchLabels:
       app: spoke-registration-agent
@@ -15,7 +15,7 @@ spec:
       labels:
         app: spoke-registration-agent
     spec:
-      serviceAccountName: {{ .SpokeCoreName }}-sa
+      serviceAccountName: {{ .SpokeCoreName }}-registration-sa
       containers:
       - name: spoke-agent
         image: {{ .RegistrationImage }}
@@ -25,7 +25,7 @@ spec:
           - "agent"
           - "--cluster-name={{ .ClusterName }}"
           - "--bootstrap-kubeconfig=/spoke/bootstrap/kubeconfig"
-          - "--spoke-external-server-url={{ .ExternalServerURL }}"
+          - "--spoke-external-server-urls={{ .ExternalServerURL }}"
         volumeMounts:
         - name: bootstrap-secret
           mountPath: "/spoke/bootstrap"
@@ -37,14 +37,14 @@ spec:
           httpGet:
             path: /healthz
             scheme: HTTPS
-            port: 443
+            port: 8443
           initialDelaySeconds: 2
           periodSeconds: 10
         readinessProbe:
           httpGet:
             path: /healthz
             scheme: HTTPS
-            port: 443
+            port: 8443
           initialDelaySeconds: 2
       volumes:
       - name: bootstrap-secret

manifests/spoke/spoke-registration-role.yaml

@@ -0,0 +1,13 @@
+# Role for registration agent.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: system:open-cluster-management:{{ .SpokeCoreName }}-registration-agent
+  namespace: {{ .SpokeCoreNamespace }}
+rules:
+- apiGroups: [""]
+  resources: ["configmaps", "secrets"]
+  verbs: ["get", "list", "watch", "create", "delete", "update", "patch"]
+- apiGroups: ["", "events.k8s.io"]
+  resources: ["events"]
+  verbs: ["create", "patch", "update"]

manifests/spoke/spoke-registration-rolebinding.yaml

@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: system:open-cluster-management:{{ .SpokeCoreName }}-registration-agent
+  namespace: {{ .SpokeCoreNamespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: system:open-cluster-management:{{ .SpokeCoreName }}-registration-agent
+subjects:
+  - kind: ServiceAccount
+    name: {{ .SpokeCoreName }}-registration-sa
+    namespace: {{ .SpokeCoreNamespace }}

manifests/spoke/spoke-registration-serviceaccount.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .SpokeCoreName }}-registration-sa
+  namespace: {{ .SpokeCoreNamespace }}

manifests/spoke/spoke-work-clusterrole.yaml

@@ -0,0 +1,29 @@
+# Clusterrole for work agent in addition to admin clusterrole.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: system:open-cluster-management:{{ .SpokeCoreName }}-work-agent
+rules:
+# Allow agent to get/list/watch/create/delete crds.
+- apiGroups: ["apiextensions.k8s.io"]
+  resources: ["customresourcedefinitions"]
+  verbs: ["get", "list", "watch", "create", "delete", "update"]
+# Allow agent to create/delete namespaces, get/list are contained in admin role already
+- apiGroups: [""]
+  resources: ["namespaces"]
+  verbs: ["create", "delete"]
+# Allow agent to manage role/rolebinding/clusterrole/clusterrolebinding
+- apiGroups: ["rbac.authorization.k8s.io"]
+  resources: ["clusterrolebindings", "rolebindings"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+- apiGroups: ["rbac.authorization.k8s.io"]
+  resources: ["clusterroles", "roles"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete", "escalate", "bind"]
+# Allow agent to create sar
+- apiGroups: ["authorization.k8s.io"]
+  resources: ["subjectaccessreviews"]
+  verbs: ["create"]
+# Allow agent to create events
+- apiGroups: ["", "events.k8s.io"]
+  resources: ["events"]
+  verbs: ["create", "patch", "update"]

manifests/spoke/spoke-work-clusterrolebinding-addition.yaml

@@ -1,13 +1,12 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: system:open-cluster-management:{{ .SpokeCoreName }}
+  name: system:open-cluster-management:{{ .SpokeCoreName }}-work-agent-addition
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: cluster-admin
+  name: system:open-cluster-management:{{ .SpokeCoreName }}-work-agent
 subjects:
   - kind: ServiceAccount
-    name: {{ .SpokeCoreName }}-sa
+    name: {{ .SpokeCoreName }}-work-sa
     namespace: {{ .SpokeCoreNamespace }}
-  

manifests/spoke/spoke-work-clusterrolebinding.yaml

@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: system:open-cluster-management:{{ .SpokeCoreName }}-work-agent
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  # We deploy a controller that could work with permission lower than cluster-admin, the tradeoff is 
+  # responsivity because list/watch cannot be maintained over too many namespaces.
+  name: admin
+subjects:
+  - kind: ServiceAccount
+    name: {{ .SpokeCoreName }}-work-sa
+    namespace: {{ .SpokeCoreNamespace }}

manifests/spoke/spoke-work-deployment.yaml

@@ -15,7 +15,7 @@ spec:
       labels:
         app: spoke-work-agent
     spec:
-      serviceAccountName: {{ .SpokeCoreName }}-sa
+      serviceAccountName: {{ .SpokeCoreName }}-work-sa
       containers:
       - name: spoke-agent
         image: {{ .WorkImage }}
@@ -23,8 +23,8 @@ spec:
         args:
           - "/work"
           - "agent"
-          - "--cluster-name={{ .ClusterName }}"
-          - "--kubeconfig=/spoke/hub-kubeconfig"
+          - "--spoke-cluster-name={{ .ClusterName }}"
+          - "--hub-kubeconfig=/spoke/hub-kubeconfig/kubeconfig"
         volumeMounts:
         - name: hub-kubeconfig-secret
           mountPath: "/spoke/hub-kubeconfig"
@@ -33,14 +33,14 @@ spec:
           httpGet:
             path: /healthz
             scheme: HTTPS
-            port: 443
+            port: 8443
           initialDelaySeconds: 2
           periodSeconds: 10
         readinessProbe:
           httpGet:
             path: /healthz
             scheme: HTTPS
-            port: 443
+            port: 8443
           initialDelaySeconds: 2
       volumes:
       - name: hub-kubeconfig-secret

manifests/spoke/spoke-work-serviceaccount.yaml

@@ -1,5 +1,5 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: {{ .SpokeCoreName }}-sa
+  name: {{ .SpokeCoreName }}-work-sa
   namespace: {{ .SpokeCoreNamespace }}

pkg/helpers/helpers.go

@@ -2,12 +2,21 @@ package helpers
 
 import (
 	"context"
+	"fmt"
 	"time"
 
 	nucleusv1client "github.com/open-cluster-management/api/client/nucleus/clientset/versioned/typed/nucleus/v1"
 	nucleusapiv1 "github.com/open-cluster-management/api/nucleus/v1"
+	corev1 "k8s.io/api/core/v1"
+	rbacv1 "k8s.io/api/rbac/v1"
+	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+	apiextensionsv1beta1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1"
+	apiextensionsclient "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset"
 	"k8s.io/apimachinery/pkg/api/equality"
+	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/util/retry"
 )
 
@@ -146,3 +155,41 @@ func UpdateNucleusSpokeConditionFn(conds ...nucleusapiv1.StatusCondition) Update
 		return nil
 	}
 }
+
+func CleanUpStaticObject(
+	ctx context.Context,
+	client kubernetes.Interface,
+	apiextensionclient apiextensionsclient.Interface,
+	object runtime.Object) error {
+	var err error
+	switch t := object.(type) {
+	case *corev1.Namespace:
+		err = client.CoreV1().Namespaces().Delete(ctx, t.Name, metav1.DeleteOptions{})
+	case *corev1.Service:
+		err = client.CoreV1().Services(t.Namespace).Delete(ctx, t.Name, metav1.DeleteOptions{})
+	case *corev1.ServiceAccount:
+		err = client.CoreV1().ServiceAccounts(t.Namespace).Delete(ctx, t.Name, metav1.DeleteOptions{})
+	case *corev1.ConfigMap:
+		err = client.CoreV1().ConfigMaps(t.Namespace).Delete(ctx, t.Name, metav1.DeleteOptions{})
+	case *corev1.Secret:
+		err = client.CoreV1().Secrets(t.Namespace).Delete(ctx, t.Name, metav1.DeleteOptions{})
+	case *rbacv1.ClusterRole:
+		err = client.RbacV1().ClusterRoles().Delete(ctx, t.Name, metav1.DeleteOptions{})
+	case *rbacv1.ClusterRoleBinding:
+		err = client.RbacV1().ClusterRoleBindings().Delete(ctx, t.Name, metav1.DeleteOptions{})
+	case *rbacv1.Role:
+		err = client.RbacV1().Roles(t.Namespace).Delete(ctx, t.Name, metav1.DeleteOptions{})
+	case *rbacv1.RoleBinding:
+		err = client.RbacV1().RoleBindings(t.Namespace).Delete(ctx, t.Name, metav1.DeleteOptions{})
+	case *apiextensionsv1.CustomResourceDefinition:
+		err = apiextensionclient.ApiextensionsV1().CustomResourceDefinitions().Delete(ctx, t.Name, metav1.DeleteOptions{})
+	case *apiextensionsv1beta1.CustomResourceDefinition:
+		err = apiextensionclient.ApiextensionsV1beta1().CustomResourceDefinitions().Delete(ctx, t.Name, metav1.DeleteOptions{})
+	default:
+		err = fmt.Errorf("unhandled type %T", object)
+	}
+	if errors.IsNotFound(err) {
+		return nil
+	}
+	return err
+}

pkg/operators/hub/bindata/bindata.go

@@ -107,19 +107,26 @@ spec:
                 to grant the permision of access from agent on spoke. When the value
                 is set false, the namespace representing the spoke cluster is deleted.
               type: boolean
-            spokeClientConfig:
-              description: SpokeClientConfig represents the apiserver address of the
-                spoke cluster
-              type: object
-              properties:
-                caBundle:
-                  description: CABundle is the ca bundle to connect to apiserver of
-                    the spoke cluster. System certs are used if it is not set.
-                  type: string
-                  format: byte
-                url:
-                  description: URL is the url of apiserver endpoint of the spoke cluster.
-                  type: string
+            spokeClientConfigs:
+              description: SpokeClientConfigs represents a list of the apiserver address
+                of the spoke cluster. If it is empty, spoke cluster has no accessible
+                address to be visited from hub.
+              type: array
+              items:
+                description: ClientConfig represents the apiserver address of the
+                  spoke cluster. TODO include credential to connect to spoke cluster
+                  kube-apiserver
+                type: object
+                properties:
+                  caBundle:
+                    description: CABundle is the ca bundle to connect to apiserver
+                      of the spoke cluster. System certs are used if it is not set.
+                    type: string
+                    format: byte
+                  url:
+                    description: URL is the url of apiserver endpoint of the spoke
+                      cluster.
+                    type: string
         status:
           description: Status represents the current status of joined spoke cluster
           type: object
@@ -422,14 +429,17 @@ rules:
   verbs: ["get", "list", "watch", "create", "delete", "update"]
 - apiGroups: ["", "events.k8s.io"]
   resources: ["events"]
-  verbs: [create", "patch", "update"]
+  verbs: ["create", "patch", "update"]
+- apiGroups: ["authorization.k8s.io"]
+  resources: ["subjectaccessreviews"]
+  verbs: ["create"]
 # Allow hub to manage clusterrole/clusterrolebinding/role/rolebinding
 - apiGroups: ["rbac.authorization.k8s.io"]
   resources: ["clusterrolebindings", "rolebindings"]
   verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
 - apiGroups: ["rbac.authorization.k8s.io"]
   resources: ["clusterroles", "roles"]
-  verbs: ["get", "list", "watch", "create", "update", "patch", "delete", "escalate"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete", "escalate", "bind"]
 # Allow hub to manage spokeclusters
 - apiGroups: ["cluster.open-cluster-management.io"]
   resources: ["spokeclusters"]
@@ -465,7 +475,8 @@ roleRef:
 subjects:
 - kind: ServiceAccount
   namespace: {{ .HubCoreNamespace }}
-  name: {{ .HubCoreName }}-sa`)
+  name: {{ .HubCoreName }}-sa
+`)
 
 func manifestsHubHubClusterrolebindingYamlBytes() ([]byte, error) {
 	return _manifestsHubHubClusterrolebindingYaml, nil
@@ -511,15 +522,16 @@ spec:
           httpGet:
             path: /healthz
             scheme: HTTPS
-            port: 443
+            port: 8443
           initialDelaySeconds: 2
           periodSeconds: 10
         readinessProbe:
           httpGet:
             path: /healthz
             scheme: HTTPS
-            port: 443
-          initialDelaySeconds: 2`)
+            port: 8443
+          initialDelaySeconds: 2
+`)
 
 func manifestsHubHubDeploymentYamlBytes() ([]byte, error) {
 	return _manifestsHubHubDeploymentYaml, nil
@@ -539,7 +551,8 @@ func manifestsHubHubDeploymentYaml() (*asset, error) {
 var _manifestsHubHubNamespaceYaml = []byte(`apiVersion: v1
 kind: Namespace
 metadata:
-  name: {{ .HubCoreNamespace }}`)
+  name: {{ .HubCoreNamespace }}
+`)
 
 func manifestsHubHubNamespaceYamlBytes() ([]byte, error) {
 	return _manifestsHubHubNamespaceYaml, nil

pkg/operators/hub/controller.go

@@ -7,6 +7,7 @@ import (
 	"time"
 
 	appsv1 "k8s.io/api/apps/v1"
+	apiextensionsv1beta1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1"
 	apiextensionsclient "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset"
 	"k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/api/meta"
@@ -40,6 +41,14 @@ var (
 		"manifestworks.work.open-cluster-management.io",
 		"spokeclusters.cluster.open-cluster-management.io",
 	}
+	staticResourceFiles = []string{
+		"manifests/hub/0000_00_clusters.open-cluster-management.io_spokeclusters.crd.yaml",
+		"manifests/hub/0000_00_work.open-cluster-management.io_manifestworks.crd.yaml",
+		"manifests/hub/hub-clusterrole.yaml",
+		"manifests/hub/hub-clusterrolebinding.yaml",
+		"manifests/hub/hub-namespace.yaml",
+		"manifests/hub/hub-serviceaccount.yaml",
+	}
 )
 
 const (
@@ -51,6 +60,7 @@ const (
 
 func init() {
 	utilruntime.Must(api.InstallKube(genericScheme))
+	utilruntime.Must(apiextensionsv1beta1.AddToScheme(genericScheme))
 }
 
 type nucleusHubController struct {
@@ -106,6 +116,12 @@ func (n *nucleusHubController) sync(ctx context.Context, controllerContext facto
 	}
 	hubCore = hubCore.DeepCopy()
 
+	config := hubConfig{
+		HubCoreName:       hubCore.Name,
+		HubCoreNamespace:  nucluesHubCoreNamespace,
+		RegistrationImage: hubCore.Spec.RegistrationImagePullSpec,
+	}
+
 	// Update finalizer at first
 	if hubCore.DeletionTimestamp.IsZero() {
 		hasFinalizer := false
@@ -124,18 +140,12 @@ func (n *nucleusHubController) sync(ctx context.Context, controllerContext facto
 
 	// HubCore is deleting, we remove its related resources on hub
 	if !hubCore.DeletionTimestamp.IsZero() {
-		if err := n.cleanUp(ctx, controllerContext, hubCore.Name, nucluesHubCoreNamespace); err != nil {
+		if err := n.cleanUp(ctx, controllerContext, config); err != nil {
 			return err
 		}
 		return n.removeWorkFinalizer(ctx, hubCore)
 	}
 
-	config := hubConfig{
-		HubCoreName:       hubCore.Name,
-		HubCoreNamespace:  nucluesHubCoreNamespace,
-		RegistrationImage: hubCore.Spec.RegistrationImagePullSpec,
-	}
-
 	clientHolder := resourceapply.NewKubeClientHolder(n.kubeClient).WithAPIExtensionsClient(n.apiExtensionClient)
 	// Apply static files
 	resourceResults := resourceapply.ApplyDirectly(
@@ -144,12 +154,7 @@ func (n *nucleusHubController) sync(ctx context.Context, controllerContext facto
 		func(name string) ([]byte, error) {
 			return assets.MustCreateAssetFromTemplate(name, bindata.MustAsset(filepath.Join("", name)), config).Data, nil
 		},
-		"manifests/hub/0000_00_clusters.open-cluster-management.io_spokeclusters.crd.yaml",
-		"manifests/hub/0000_00_work.open-cluster-management.io_manifestworks.crd.yaml",
-		"manifests/hub/hub-clusterrole.yaml",
-		"manifests/hub/hub-clusterrolebinding.yaml",
-		"manifests/hub/hub-namespace.yaml",
-		"manifests/hub/hub-serviceaccount.yaml",
+		staticResourceFiles...,
 	)
 	errs := []error{}
 	for _, result := range resourceResults {
@@ -260,7 +265,7 @@ func (n *nucleusHubController) removeCRD(ctx context.Context, name string) error
 }
 
 func (n *nucleusHubController) cleanUp(
-	ctx context.Context, controllerContext factory.SyncContext, name, namespace string) error {
+	ctx context.Context, controllerContext factory.SyncContext, config hubConfig) error {
 	// Remove crd
 	for _, name := range crdNames {
 		err := n.removeCRD(ctx, name)
@@ -271,34 +276,26 @@ func (n *nucleusHubController) cleanUp(
 	}
 
 	// Remove deployment
-	deploymentName := fmt.Sprintf("%s-controller", name)
-	err := n.kubeClient.AppsV1().Deployments(namespace).Delete(ctx, deploymentName, metav1.DeleteOptions{})
+	deploymentName := fmt.Sprintf("%s-controller", config.HubCoreName)
+	err := n.kubeClient.AppsV1().Deployments(config.HubCoreNamespace).Delete(ctx, deploymentName, metav1.DeleteOptions{})
 	if err != nil && !errors.IsNotFound(err) {
 		return err
 	}
 	controllerContext.Recorder().Eventf("DeploymentDeleted", "deployment %s is deleted", deploymentName)
 
-	// Remove serviceaccount
-	serviceAccountName := fmt.Sprintf("%s-sa", name)
-	err = n.kubeClient.CoreV1().ServiceAccounts(namespace).Delete(ctx, serviceAccountName, metav1.DeleteOptions{})
-	if err != nil && !errors.IsNotFound(err) {
-		return err
+	// Remove Static files
+	for _, file := range staticResourceFiles {
+		objectRaw := assets.MustCreateAssetFromTemplate(
+			file,
+			bindata.MustAsset(filepath.Join("", file)), config).Data
+		object, _, err := genericCodec.Decode(objectRaw, nil, nil)
+		if err != nil {
+			return err
+		}
+		err = helpers.CleanUpStaticObject(ctx, n.kubeClient, n.apiExtensionClient, object)
+		if err != nil {
+			return err
+		}
 	}
-	controllerContext.Recorder().Eventf("ServiceAccountDeleted", "serviceaccoount %s is deleted", serviceAccountName)
-
-	// Remove clusterrole
-	clusterRoleName := fmt.Sprintf("system:open-cluster-management:%s", name)
-	err = n.kubeClient.RbacV1().ClusterRoles().Delete(ctx, clusterRoleName, metav1.DeleteOptions{})
-	if err != nil && !errors.IsNotFound(err) {
-		return err
-	}
-	controllerContext.Recorder().Eventf("ClusterRoleDeleted", "clusterrole %s is deleted", clusterRoleName)
-
-	// Remove clusterrolebinding
-	err = n.kubeClient.RbacV1().ClusterRoleBindings().Delete(ctx, clusterRoleName, metav1.DeleteOptions{})
-	if err != nil && !errors.IsNotFound(err) {
-		return err
-	}
-	controllerContext.Recorder().Eventf("ClusterRoleDeleted", "clusterrole %s is deleted", clusterRoleName)
 	return nil
 }

pkg/operators/spoke/bindata/bindata.go

@@ -1,9 +1,16 @@
 // Code generated by go-bindata.
 // sources:
-// manifests/spoke/spoke-clusterrolebinding.yaml
+// manifests/spoke/spoke-registration-clusterrole.yaml
+// manifests/spoke/spoke-registration-clusterrolebinding.yaml
 // manifests/spoke/spoke-registration-deployment.yaml
-// manifests/spoke/spoke-serviceaccount.yaml
+// manifests/spoke/spoke-registration-role.yaml
+// manifests/spoke/spoke-registration-rolebinding.yaml
+// manifests/spoke/spoke-registration-serviceaccount.yaml
+// manifests/spoke/spoke-work-clusterrole.yaml
+// manifests/spoke/spoke-work-clusterrolebinding-addition.yaml
+// manifests/spoke/spoke-work-clusterrolebinding.yaml
 // manifests/spoke/spoke-work-deployment.yaml
+// manifests/spoke/spoke-work-serviceaccount.yaml
 // DO NOT EDIT!
 
 package bindata
@@ -48,31 +55,61 @@ func (fi bindataFileInfo) Sys() interface{} {
 	return nil
 }
 
-var _manifestsSpokeSpokeClusterrolebindingYaml = []byte(`apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
+var _manifestsSpokeSpokeRegistrationClusterroleYaml = []byte(`# Clusterrole for work agent in addition to admin clusterrole.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
 metadata:
-  name: system:open-cluster-management:{{ .SpokeCoreName }}
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: cluster-admin
-subjects:
-  - kind: ServiceAccount
-    name: {{ .SpokeCoreName }}-sa
-    namespace: {{ .SpokeCoreNamespace }}
-  `)
+  name: system:open-cluster-management:{{ .SpokeCoreName }}-registration-agent
+rules:
+# Allow agent to get/list/watch nodes.
+- apiGroups: [""]
+  resources: ["nodes", "configmaps", "secrets"]
+  verbs: ["get", "list", "watch"]
+- apiGroups: ["authorization.k8s.io"]
+  resources: ["subjectaccessreviews"]
+  verbs: ["create"]
+`)
 
-func manifestsSpokeSpokeClusterrolebindingYamlBytes() ([]byte, error) {
-	return _manifestsSpokeSpokeClusterrolebindingYaml, nil
+func manifestsSpokeSpokeRegistrationClusterroleYamlBytes() ([]byte, error) {
+	return _manifestsSpokeSpokeRegistrationClusterroleYaml, nil
 }
 
-func manifestsSpokeSpokeClusterrolebindingYaml() (*asset, error) {
-	bytes, err := manifestsSpokeSpokeClusterrolebindingYamlBytes()
+func manifestsSpokeSpokeRegistrationClusterroleYaml() (*asset, error) {
+	bytes, err := manifestsSpokeSpokeRegistrationClusterroleYamlBytes()
 	if err != nil {
 		return nil, err
 	}
 
-	info := bindataFileInfo{name: "manifests/spoke/spoke-clusterrolebinding.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)}
+	info := bindataFileInfo{name: "manifests/spoke/spoke-registration-clusterrole.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)}
+	a := &asset{bytes: bytes, info: info}
+	return a, nil
+}
+
+var _manifestsSpokeSpokeRegistrationClusterrolebindingYaml = []byte(`apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: system:open-cluster-management:{{ .SpokeCoreName }}-registration-agent
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:open-cluster-management:{{ .SpokeCoreName }}-registration-agent
+subjects:
+  - kind: ServiceAccount
+    name: {{ .SpokeCoreName }}-registration-sa
+    namespace: {{ .SpokeCoreNamespace }}
+`)
+
+func manifestsSpokeSpokeRegistrationClusterrolebindingYamlBytes() ([]byte, error) {
+	return _manifestsSpokeSpokeRegistrationClusterrolebindingYaml, nil
+}
+
+func manifestsSpokeSpokeRegistrationClusterrolebindingYaml() (*asset, error) {
+	bytes, err := manifestsSpokeSpokeRegistrationClusterrolebindingYamlBytes()
+	if err != nil {
+		return nil, err
+	}
+
+	info := bindataFileInfo{name: "manifests/spoke/spoke-registration-clusterrolebinding.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)}
 	a := &asset{bytes: bytes, info: info}
 	return a, nil
 }
@@ -85,7 +122,7 @@ metadata:
   labels:
     app: spoke-registration-agent
 spec:
-  replicas: 1
+  replicas: 3
   selector:
     matchLabels:
       app: spoke-registration-agent
@@ -94,7 +131,7 @@ spec:
       labels:
         app: spoke-registration-agent
     spec:
-      serviceAccountName: {{ .SpokeCoreName }}-sa
+      serviceAccountName: {{ .SpokeCoreName }}-registration-sa
       containers:
       - name: spoke-agent
         image: {{ .RegistrationImage }}
@@ -104,7 +141,7 @@ spec:
           - "agent"
           - "--cluster-name={{ .ClusterName }}"
           - "--bootstrap-kubeconfig=/spoke/bootstrap/kubeconfig"
-          - "--spoke-external-server-url={{ .ExternalServerURL }}"
+          - "--spoke-external-server-urls={{ .ExternalServerURL }}"
         volumeMounts:
         - name: bootstrap-secret
           mountPath: "/spoke/bootstrap"
@@ -116,14 +153,14 @@ spec:
           httpGet:
             path: /healthz
             scheme: HTTPS
-            port: 443
+            port: 8443
           initialDelaySeconds: 2
           periodSeconds: 10
         readinessProbe:
           httpGet:
             path: /healthz
             scheme: HTTPS
-            port: 443
+            port: 8443
           initialDelaySeconds: 2
       volumes:
       - name: bootstrap-secret
@@ -149,24 +186,190 @@ func manifestsSpokeSpokeRegistrationDeploymentYaml() (*asset, error) {
 	return a, nil
 }
 
-var _manifestsSpokeSpokeServiceaccountYaml = []byte(`apiVersion: v1
-kind: ServiceAccount
+var _manifestsSpokeSpokeRegistrationRoleYaml = []byte(`# Role for registration agent.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
 metadata:
-  name: {{ .SpokeCoreName }}-sa
+  name: system:open-cluster-management:{{ .SpokeCoreName }}-registration-agent
   namespace: {{ .SpokeCoreNamespace }}
+rules:
+- apiGroups: [""]
+  resources: ["configmaps", "secrets"]
+  verbs: ["get", "list", "watch", "create", "delete", "update", "patch"]
+- apiGroups: ["", "events.k8s.io"]
+  resources: ["events"]
+  verbs: ["create", "patch", "update"]
 `)
 
-func manifestsSpokeSpokeServiceaccountYamlBytes() ([]byte, error) {
-	return _manifestsSpokeSpokeServiceaccountYaml, nil
+func manifestsSpokeSpokeRegistrationRoleYamlBytes() ([]byte, error) {
+	return _manifestsSpokeSpokeRegistrationRoleYaml, nil
 }
 
-func manifestsSpokeSpokeServiceaccountYaml() (*asset, error) {
-	bytes, err := manifestsSpokeSpokeServiceaccountYamlBytes()
+func manifestsSpokeSpokeRegistrationRoleYaml() (*asset, error) {
+	bytes, err := manifestsSpokeSpokeRegistrationRoleYamlBytes()
 	if err != nil {
 		return nil, err
 	}
 
-	info := bindataFileInfo{name: "manifests/spoke/spoke-serviceaccount.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)}
+	info := bindataFileInfo{name: "manifests/spoke/spoke-registration-role.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)}
+	a := &asset{bytes: bytes, info: info}
+	return a, nil
+}
+
+var _manifestsSpokeSpokeRegistrationRolebindingYaml = []byte(`apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: system:open-cluster-management:{{ .SpokeCoreName }}-registration-agent
+  namespace: {{ .SpokeCoreNamespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: system:open-cluster-management:{{ .SpokeCoreName }}-registration-agent
+subjects:
+  - kind: ServiceAccount
+    name: {{ .SpokeCoreName }}-registration-sa
+    namespace: {{ .SpokeCoreNamespace }}
+`)
+
+func manifestsSpokeSpokeRegistrationRolebindingYamlBytes() ([]byte, error) {
+	return _manifestsSpokeSpokeRegistrationRolebindingYaml, nil
+}
+
+func manifestsSpokeSpokeRegistrationRolebindingYaml() (*asset, error) {
+	bytes, err := manifestsSpokeSpokeRegistrationRolebindingYamlBytes()
+	if err != nil {
+		return nil, err
+	}
+
+	info := bindataFileInfo{name: "manifests/spoke/spoke-registration-rolebinding.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)}
+	a := &asset{bytes: bytes, info: info}
+	return a, nil
+}
+
+var _manifestsSpokeSpokeRegistrationServiceaccountYaml = []byte(`apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .SpokeCoreName }}-registration-sa
+  namespace: {{ .SpokeCoreNamespace }}
+`)
+
+func manifestsSpokeSpokeRegistrationServiceaccountYamlBytes() ([]byte, error) {
+	return _manifestsSpokeSpokeRegistrationServiceaccountYaml, nil
+}
+
+func manifestsSpokeSpokeRegistrationServiceaccountYaml() (*asset, error) {
+	bytes, err := manifestsSpokeSpokeRegistrationServiceaccountYamlBytes()
+	if err != nil {
+		return nil, err
+	}
+
+	info := bindataFileInfo{name: "manifests/spoke/spoke-registration-serviceaccount.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)}
+	a := &asset{bytes: bytes, info: info}
+	return a, nil
+}
+
+var _manifestsSpokeSpokeWorkClusterroleYaml = []byte(`# Clusterrole for work agent in addition to admin clusterrole.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: system:open-cluster-management:{{ .SpokeCoreName }}-work-agent
+rules:
+# Allow agent to get/list/watch/create/delete crds.
+- apiGroups: ["apiextensions.k8s.io"]
+  resources: ["customresourcedefinitions"]
+  verbs: ["get", "list", "watch", "create", "delete", "update"]
+# Allow agent to create/delete namespaces, get/list are contained in admin role already
+- apiGroups: [""]
+  resources: ["namespaces"]
+  verbs: ["create", "delete"]
+# Allow agent to manage role/rolebinding/clusterrole/clusterrolebinding
+- apiGroups: ["rbac.authorization.k8s.io"]
+  resources: ["clusterrolebindings", "rolebindings"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+- apiGroups: ["rbac.authorization.k8s.io"]
+  resources: ["clusterroles", "roles"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete", "escalate", "bind"]
+# Allow agent to create sar
+- apiGroups: ["authorization.k8s.io"]
+  resources: ["subjectaccessreviews"]
+  verbs: ["create"]
+# Allow agent to create events
+- apiGroups: ["", "events.k8s.io"]
+  resources: ["events"]
+  verbs: ["create", "patch", "update"]
+`)
+
+func manifestsSpokeSpokeWorkClusterroleYamlBytes() ([]byte, error) {
+	return _manifestsSpokeSpokeWorkClusterroleYaml, nil
+}
+
+func manifestsSpokeSpokeWorkClusterroleYaml() (*asset, error) {
+	bytes, err := manifestsSpokeSpokeWorkClusterroleYamlBytes()
+	if err != nil {
+		return nil, err
+	}
+
+	info := bindataFileInfo{name: "manifests/spoke/spoke-work-clusterrole.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)}
+	a := &asset{bytes: bytes, info: info}
+	return a, nil
+}
+
+var _manifestsSpokeSpokeWorkClusterrolebindingAdditionYaml = []byte(`apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: system:open-cluster-management:{{ .SpokeCoreName }}-work-agent-addition
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:open-cluster-management:{{ .SpokeCoreName }}-work-agent
+subjects:
+  - kind: ServiceAccount
+    name: {{ .SpokeCoreName }}-work-sa
+    namespace: {{ .SpokeCoreNamespace }}
+`)
+
+func manifestsSpokeSpokeWorkClusterrolebindingAdditionYamlBytes() ([]byte, error) {
+	return _manifestsSpokeSpokeWorkClusterrolebindingAdditionYaml, nil
+}
+
+func manifestsSpokeSpokeWorkClusterrolebindingAdditionYaml() (*asset, error) {
+	bytes, err := manifestsSpokeSpokeWorkClusterrolebindingAdditionYamlBytes()
+	if err != nil {
+		return nil, err
+	}
+
+	info := bindataFileInfo{name: "manifests/spoke/spoke-work-clusterrolebinding-addition.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)}
+	a := &asset{bytes: bytes, info: info}
+	return a, nil
+}
+
+var _manifestsSpokeSpokeWorkClusterrolebindingYaml = []byte(`apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: system:open-cluster-management:{{ .SpokeCoreName }}-work-agent
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  # We deploy a controller that could work with permission lower than cluster-admin, the tradeoff is 
+  # responsivity because list/watch cannot be maintained over too many namespaces.
+  name: admin
+subjects:
+  - kind: ServiceAccount
+    name: {{ .SpokeCoreName }}-work-sa
+    namespace: {{ .SpokeCoreNamespace }}
+`)
+
+func manifestsSpokeSpokeWorkClusterrolebindingYamlBytes() ([]byte, error) {
+	return _manifestsSpokeSpokeWorkClusterrolebindingYaml, nil
+}
+
+func manifestsSpokeSpokeWorkClusterrolebindingYaml() (*asset, error) {
+	bytes, err := manifestsSpokeSpokeWorkClusterrolebindingYamlBytes()
+	if err != nil {
+		return nil, err
+	}
+
+	info := bindataFileInfo{name: "manifests/spoke/spoke-work-clusterrolebinding.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)}
 	a := &asset{bytes: bytes, info: info}
 	return a, nil
 }
@@ -188,7 +391,7 @@ spec:
       labels:
         app: spoke-work-agent
     spec:
-      serviceAccountName: {{ .SpokeCoreName }}-sa
+      serviceAccountName: {{ .SpokeCoreName }}-work-sa
       containers:
       - name: spoke-agent
         image: {{ .WorkImage }}
@@ -196,8 +399,8 @@ spec:
         args:
           - "/work"
           - "agent"
-          - "--cluster-name={{ .ClusterName }}"
-          - "--kubeconfig=/spoke/hub-kubeconfig"
+          - "--spoke-cluster-name={{ .ClusterName }}"
+          - "--hub-kubeconfig=/spoke/hub-kubeconfig/kubeconfig"
         volumeMounts:
         - name: hub-kubeconfig-secret
           mountPath: "/spoke/hub-kubeconfig"
@@ -206,14 +409,14 @@ spec:
           httpGet:
             path: /healthz
             scheme: HTTPS
-            port: 443
+            port: 8443
           initialDelaySeconds: 2
           periodSeconds: 10
         readinessProbe:
           httpGet:
             path: /healthz
             scheme: HTTPS
-            port: 443
+            port: 8443
           initialDelaySeconds: 2
       volumes:
       - name: hub-kubeconfig-secret
@@ -236,6 +439,28 @@ func manifestsSpokeSpokeWorkDeploymentYaml() (*asset, error) {
 	return a, nil
 }
 
+var _manifestsSpokeSpokeWorkServiceaccountYaml = []byte(`apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .SpokeCoreName }}-work-sa
+  namespace: {{ .SpokeCoreNamespace }}
+`)
+
+func manifestsSpokeSpokeWorkServiceaccountYamlBytes() ([]byte, error) {
+	return _manifestsSpokeSpokeWorkServiceaccountYaml, nil
+}
+
+func manifestsSpokeSpokeWorkServiceaccountYaml() (*asset, error) {
+	bytes, err := manifestsSpokeSpokeWorkServiceaccountYamlBytes()
+	if err != nil {
+		return nil, err
+	}
+
+	info := bindataFileInfo{name: "manifests/spoke/spoke-work-serviceaccount.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)}
+	a := &asset{bytes: bytes, info: info}
+	return a, nil
+}
+
 // Asset loads and returns the asset for the given name.
 // It returns an error if the asset could not be found or
 // could not be loaded.
@@ -288,10 +513,17 @@ func AssetNames() []string {
 
 // _bindata is a table, holding each asset generator, mapped to its name.
 var _bindata = map[string]func() (*asset, error){
-	"manifests/spoke/spoke-clusterrolebinding.yaml":      manifestsSpokeSpokeClusterrolebindingYaml,
-	"manifests/spoke/spoke-registration-deployment.yaml": manifestsSpokeSpokeRegistrationDeploymentYaml,
-	"manifests/spoke/spoke-serviceaccount.yaml":          manifestsSpokeSpokeServiceaccountYaml,
-	"manifests/spoke/spoke-work-deployment.yaml":         manifestsSpokeSpokeWorkDeploymentYaml,
+	"manifests/spoke/spoke-registration-clusterrole.yaml":         manifestsSpokeSpokeRegistrationClusterroleYaml,
+	"manifests/spoke/spoke-registration-clusterrolebinding.yaml":  manifestsSpokeSpokeRegistrationClusterrolebindingYaml,
+	"manifests/spoke/spoke-registration-deployment.yaml":          manifestsSpokeSpokeRegistrationDeploymentYaml,
+	"manifests/spoke/spoke-registration-role.yaml":                manifestsSpokeSpokeRegistrationRoleYaml,
+	"manifests/spoke/spoke-registration-rolebinding.yaml":         manifestsSpokeSpokeRegistrationRolebindingYaml,
+	"manifests/spoke/spoke-registration-serviceaccount.yaml":      manifestsSpokeSpokeRegistrationServiceaccountYaml,
+	"manifests/spoke/spoke-work-clusterrole.yaml":                 manifestsSpokeSpokeWorkClusterroleYaml,
+	"manifests/spoke/spoke-work-clusterrolebinding-addition.yaml": manifestsSpokeSpokeWorkClusterrolebindingAdditionYaml,
+	"manifests/spoke/spoke-work-clusterrolebinding.yaml":          manifestsSpokeSpokeWorkClusterrolebindingYaml,
+	"manifests/spoke/spoke-work-deployment.yaml":                  manifestsSpokeSpokeWorkDeploymentYaml,
+	"manifests/spoke/spoke-work-serviceaccount.yaml":              manifestsSpokeSpokeWorkServiceaccountYaml,
 }
 
 // AssetDir returns the file names below a certain
@@ -337,10 +569,17 @@ type bintree struct {
 var _bintree = &bintree{nil, map[string]*bintree{
 	"manifests": {nil, map[string]*bintree{
 		"spoke": {nil, map[string]*bintree{
-			"spoke-clusterrolebinding.yaml":      {manifestsSpokeSpokeClusterrolebindingYaml, map[string]*bintree{}},
-			"spoke-registration-deployment.yaml": {manifestsSpokeSpokeRegistrationDeploymentYaml, map[string]*bintree{}},
-			"spoke-serviceaccount.yaml":          {manifestsSpokeSpokeServiceaccountYaml, map[string]*bintree{}},
-			"spoke-work-deployment.yaml":         {manifestsSpokeSpokeWorkDeploymentYaml, map[string]*bintree{}},
+			"spoke-registration-clusterrole.yaml":         {manifestsSpokeSpokeRegistrationClusterroleYaml, map[string]*bintree{}},
+			"spoke-registration-clusterrolebinding.yaml":  {manifestsSpokeSpokeRegistrationClusterrolebindingYaml, map[string]*bintree{}},
+			"spoke-registration-deployment.yaml":          {manifestsSpokeSpokeRegistrationDeploymentYaml, map[string]*bintree{}},
+			"spoke-registration-role.yaml":                {manifestsSpokeSpokeRegistrationRoleYaml, map[string]*bintree{}},
+			"spoke-registration-rolebinding.yaml":         {manifestsSpokeSpokeRegistrationRolebindingYaml, map[string]*bintree{}},
+			"spoke-registration-serviceaccount.yaml":      {manifestsSpokeSpokeRegistrationServiceaccountYaml, map[string]*bintree{}},
+			"spoke-work-clusterrole.yaml":                 {manifestsSpokeSpokeWorkClusterroleYaml, map[string]*bintree{}},
+			"spoke-work-clusterrolebinding-addition.yaml": {manifestsSpokeSpokeWorkClusterrolebindingAdditionYaml, map[string]*bintree{}},
+			"spoke-work-clusterrolebinding.yaml":          {manifestsSpokeSpokeWorkClusterrolebindingYaml, map[string]*bintree{}},
+			"spoke-work-deployment.yaml":                  {manifestsSpokeSpokeWorkDeploymentYaml, map[string]*bintree{}},
+			"spoke-work-serviceaccount.yaml":              {manifestsSpokeSpokeWorkServiceaccountYaml, map[string]*bintree{}},
 		}},
 	}},
 }}

pkg/operators/spoke/controller.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"path/filepath"
+	"strings"
 
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
@@ -35,15 +36,26 @@ import (
 const (
 	nucleusSpokeFinalizer        = "nucleus.open-cluster-management.io/spoke-core-cleanup"
 	bootstrapHubKubeConfigSecret = "bootstrap-hub-kubeconfig"
-	hubKubeConfigSecret          = "hub-kubeconfig"
-	nucluesSpokeCoreNamespace    = "open-cluster-management"
+	hubKubeConfigSecret          = "hub-kubeconfig-secret"
+	nucleusSpokeCoreNamespace    = "open-cluster-management-core"
 	spokeCoreApplied             = "Applied"
 )
 
 var (
-	genericScheme = runtime.NewScheme()
-	genericCodecs = serializer.NewCodecFactory(genericScheme)
-	genericCodec  = genericCodecs.UniversalDeserializer()
+	genericScheme       = runtime.NewScheme()
+	genericCodecs       = serializer.NewCodecFactory(genericScheme)
+	genericCodec        = genericCodecs.UniversalDeserializer()
+	staticResourceFiles = []string{
+		"manifests/spoke/spoke-registration-serviceaccount.yaml",
+		"manifests/spoke/spoke-registration-clusterrole.yaml",
+		"manifests/spoke/spoke-registration-clusterrolebinding.yaml",
+		"manifests/spoke/spoke-registration-role.yaml",
+		"manifests/spoke/spoke-registration-rolebinding.yaml",
+		"manifests/spoke/spoke-work-serviceaccount.yaml",
+		"manifests/spoke/spoke-work-clusterrole.yaml",
+		"manifests/spoke/spoke-work-clusterrolebinding.yaml",
+		"manifests/spoke/spoke-work-clusterrolebinding-addition.yaml",
+	}
 )
 
 type nucleusSpokeController struct {
@@ -111,10 +123,11 @@ func (n *nucleusSpokeController) sync(ctx context.Context, controllerContext fac
 		ClusterName:               spokeCore.Spec.ClusterName,
 		BootStrapKubeConfigSecret: bootstrapHubKubeConfigSecret,
 		HubKubeConfigSecret:       hubKubeConfigSecret,
+		ExternalServerURL:         getServersFromSpokeCore(spokeCore),
 	}
 	// If namespace is not set, use the default namespace
 	if config.SpokeCoreNamespace == "" {
-		config.SpokeCoreNamespace = nucluesSpokeCoreNamespace
+		config.SpokeCoreNamespace = nucleusSpokeCoreNamespace
 	}
 
 	// Update finalizer at first
@@ -179,8 +192,7 @@ func (n *nucleusSpokeController) sync(ctx context.Context, controllerContext fac
 		func(name string) ([]byte, error) {
 			return assets.MustCreateAssetFromTemplate(name, bindata.MustAsset(filepath.Join("", name)), config).Data, nil
 		},
-		"manifests/spoke/spoke-clusterrolebinding.yaml",
-		"manifests/spoke/spoke-serviceaccount.yaml",
+		staticResourceFiles...,
 	)
 	errs := []error{}
 	for _, result := range resourceResults {
@@ -190,16 +202,16 @@ func (n *nucleusSpokeController) sync(ctx context.Context, controllerContext fac
 	}
 
 	if len(errs) > 0 {
-		appleErros := operatorhelpers.NewMultiLineAggregate(errs)
+		applyErrors := operatorhelpers.NewMultiLineAggregate(errs)
 		helpers.SetNucleusCondition(&spokeCore.Status.Conditions, nucleusapiv1.StatusCondition{
 			Type:    spokeCoreApplied,
 			Status:  metav1.ConditionFalse,
 			Reason:  "SpokeCoreApplyFailed",
-			Message: appleErros.Error(),
+			Message: applyErrors.Error(),
 		})
 		helpers.UpdateNucleusSpokeStatus(
 			ctx, n.nucleusClient, spokeCoreName, helpers.UpdateNucleusSpokeConditionFn(spokeCore.Status.Conditions...))
-		return appleErros
+		return applyErrors
 	}
 
 	// Create hub config secret
@@ -267,7 +279,6 @@ func (n *nucleusSpokeController) sync(ctx context.Context, controllerContext fac
 
 	// If hub kubeconfig does not exist, return err.
 	if hubSecret.Data["kubeconfig"] == nil {
-		klog.Infof("data is %#v", hubSecret.Data)
 		return fmt.Errorf("Failed to get kubeconfig from hub kubeconfig secret")
 	}
 
@@ -338,26 +349,28 @@ func (n *nucleusSpokeController) cleanUp(ctx context.Context, controllerContext
 	if err != nil && !errors.IsNotFound(err) {
 		return err
 	}
+
 	// Remove secret
 	err = n.kubeClient.CoreV1().Secrets(config.SpokeCoreNamespace).Delete(ctx, config.HubKubeConfigSecret, metav1.DeleteOptions{})
 	if err != nil && !errors.IsNotFound(err) {
 		return err
 	}
 	controllerContext.Recorder().Eventf("SecretDeleted", "secret %s is deleted", config.HubKubeConfigSecret)
-	// Remove service account
-	serviceAccountName := fmt.Sprintf("%s-sa", config.SpokeCoreName)
-	err = n.kubeClient.CoreV1().ServiceAccounts(config.SpokeCoreNamespace).Delete(ctx, serviceAccountName, metav1.DeleteOptions{})
-	if err != nil && !errors.IsNotFound(err) {
-		return err
+
+	// Remove Static files
+	for _, file := range staticResourceFiles {
+		objectRaw := assets.MustCreateAssetFromTemplate(
+			file,
+			bindata.MustAsset(filepath.Join("", file)), config).Data
+		object, _, err := genericCodec.Decode(objectRaw, nil, nil)
+		if err != nil {
+			return err
+		}
+		err = helpers.CleanUpStaticObject(ctx, n.kubeClient, nil, object)
+		if err != nil {
+			return err
+		}
 	}
-	controllerContext.Recorder().Eventf("ServiceAccountDeleted", "serviceaccoount %s is deleted", serviceAccountName)
-	// Remove clusterrolebinding
-	clusterRoleBindingName := fmt.Sprintf("system:open-cluster-management:%s", config.SpokeCoreName)
-	err = n.kubeClient.RbacV1().ClusterRoleBindings().Delete(ctx, clusterRoleBindingName, metav1.DeleteOptions{})
-	if err != nil && !errors.IsNotFound(err) {
-		return err
-	}
-	controllerContext.Recorder().Eventf("ClusterRoleBindingDeleted", "clusterrole %s is deleted", clusterRoleBindingName)
 	return nil
 }
 
@@ -388,9 +401,21 @@ func readClusterNameFromSecret(secret *corev1.Secret) (string, error) {
 }
 
 func readKubuConfigFromSecret(secret *corev1.Secret, config spokeConfig) (string, error) {
-	if secret.Data["cluster-name"] == nil {
-		return "", fmt.Errorf("Unable to find cluster name in secret")
+	if secret.Data["kubeconfig"] == nil {
+		return "", fmt.Errorf("Unable to find kubeconfig in secret")
 	}
 
-	return string(secret.Data["cluster-name"]), nil
+	return string(secret.Data["kubeconfig"]), nil
+}
+
+// TODO also read CABundle from ExternalServerURLs and set into registration deployment
+func getServersFromSpokeCore(spokeCore *nucleusapiv1.SpokeCore) string {
+	if spokeCore.Spec.ExternalServerURLs == nil {
+		return ""
+	}
+	serverString := make([]string, 0, len(spokeCore.Spec.ExternalServerURLs))
+	for _, server := range spokeCore.Spec.ExternalServerURLs {
+		serverString = append(serverString, server.URL)
+	}
+	return strings.Join(serverString, ",")
 }

pkg/operators/spoke/controller_test.go

@@ -57,6 +57,7 @@ func newSpokeCore(name, namespace, clustername string) *nucleusapiv1.SpokeCore {
 			WorkImagePullSpec:         "testwork",
 			ClusterName:               clustername,
 			Namespace:                 namespace,
+			ExternalServerURLs:        []nucleusapiv1.ServerURL{},
 		},
 	}
 }
@@ -138,8 +139,6 @@ func ensureObject(t *testing.T, object runtime.Object, spokeCore *nucleusapiv1.S
 	}
 
 	switch o := object.(type) {
-	case *corev1.ServiceAccount:
-		ensureNameNamespace(t, access.GetName(), access.GetNamespace(), fmt.Sprintf("%s-sa", spokeCore.Name), spokeCore.Spec.Namespace)
 	case *appsv1.Deployment:
 		if strings.Contains(access.GetName(), "registration") {
 			ensureNameNamespace(
@@ -186,8 +185,8 @@ func TestSyncDeploy(t *testing.T) {
 	}
 
 	// Check if resources are created as expected
-	if len(createObjects) != 4 {
-		t.Errorf("Expect 4 objects created in the sync loop, actual %d", len(createObjects))
+	if len(createObjects) != 11 {
+		t.Errorf("Expect 11 objects created in the sync loop, actual %d", len(createObjects))
 	}
 	for _, object := range createObjects {
 		ensureObject(t, object, spokeCore)
@@ -277,3 +276,75 @@ func TestSyncWithNoSecret(t *testing.T) {
 	assertAction(t, nucleusAction[5], "update")
 	assertCondition(t, nucleusAction[5].(clienttesting.UpdateActionImpl).Object, spokeCoreApplied, metav1.ConditionTrue)
 }
+
+// TestSyncDelete test cleanup hub deploy
+func TestSyncDelete(t *testing.T) {
+	spokeCore := newSpokeCore("testspoke", "testns", "")
+	now := metav1.Now()
+	spokeCore.ObjectMeta.SetDeletionTimestamp(&now)
+	namespace := newNamespace("testns")
+	controller := newTestController(spokeCore, namespace)
+	syncContext := newFakeSyncContext(t, "testspoke")
+
+	err := controller.controller.sync(nil, syncContext)
+	if err != nil {
+		t.Errorf("Expected non error when sync, %v", err)
+	}
+
+	deleteActions := []clienttesting.DeleteActionImpl{}
+	kubeActions := controller.kubeClient.Actions()
+	for _, action := range kubeActions {
+		if action.GetVerb() == "delete" {
+			deleteAction := action.(clienttesting.DeleteActionImpl)
+			deleteActions = append(deleteActions, deleteAction)
+		}
+	}
+
+	if len(kubeActions) != 12 {
+		t.Errorf("Expected 7 delete actions, but got %d", len(kubeActions))
+	}
+}
+
+// TestGetServersFromSpokeCore tests getServersFromSpokeCore func
+func TestGetServersFromSpokeCore(t *testing.T) {
+	cases := []struct {
+		name     string
+		servers  []string
+		expected string
+	}{
+		{
+			name:     "Null",
+			servers:  nil,
+			expected: "",
+		},
+		{
+			name:     "Empty string",
+			servers:  []string{},
+			expected: "",
+		},
+		{
+			name:     "Single server",
+			servers:  []string{"https://server1"},
+			expected: "https://server1",
+		},
+		{
+			name:     "Multiple servers",
+			servers:  []string{"https://server1", "https://server2"},
+			expected: "https://server1,https://server2",
+		},
+	}
+
+	for _, c := range cases {
+		t.Run(c.name, func(t *testing.T) {
+			spokeCore := newSpokeCore("testspoke", "testns", "")
+			for _, server := range c.servers {
+				spokeCore.Spec.ExternalServerURLs = append(spokeCore.Spec.ExternalServerURLs,
+					nucleusapiv1.ServerURL{URL: server})
+			}
+			actual := getServersFromSpokeCore(spokeCore)
+			if actual != c.expected {
+				t.Errorf("Expected to be same, actual %q, expected %q", actual, c.expected)
+			}
+		})
+	}
+}

vendor/github.com/open-cluster-management/api/cluster/v1/0000_00_clusters.open-cluster-management.io_spokeclusters.crd.yaml

@@ -54,19 +54,26 @@ spec:
                 to grant the permision of access from agent on spoke. When the value
                 is set false, the namespace representing the spoke cluster is deleted.
               type: boolean
-            spokeClientConfig:
-              description: SpokeClientConfig represents the apiserver address of the
-                spoke cluster
-              type: object
-              properties:
-                caBundle:
-                  description: CABundle is the ca bundle to connect to apiserver of
-                    the spoke cluster. System certs are used if it is not set.
-                  type: string
-                  format: byte
-                url:
-                  description: URL is the url of apiserver endpoint of the spoke cluster.
-                  type: string
+            spokeClientConfigs:
+              description: SpokeClientConfigs represents a list of the apiserver address
+                of the spoke cluster. If it is empty, spoke cluster has no accessible
+                address to be visited from hub.
+              type: array
+              items:
+                description: ClientConfig represents the apiserver address of the
+                  spoke cluster. TODO include credential to connect to spoke cluster
+                  kube-apiserver
+                type: object
+                properties:
+                  caBundle:
+                    description: CABundle is the ca bundle to connect to apiserver
+                      of the spoke cluster. System certs are used if it is not set.
+                    type: string
+                    format: byte
+                  url:
+                    description: URL is the url of apiserver endpoint of the spoke
+                      cluster.
+                    type: string
         status:
           description: Status represents the current status of joined spoke cluster
           type: object

vendor/github.com/open-cluster-management/api/cluster/v1/generated.pb.go

@@ -244,64 +244,63 @@ func init() {
 }
 
 var fileDescriptor_65aa4961edf1a5e7 = []byte{
-	// 898 bytes of a gzipped FileDescriptorProto
+	// 895 bytes of a gzipped FileDescriptorProto
 	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xb4, 0x55, 0xcf, 0x8f, 0xdb, 0x44,
-	0x14, 0x8e, 0x93, 0xfd, 0x91, 0x4e, 0x52, 0x9a, 0xce, 0xc9, 0x44, 0xc2, 0x59, 0xe5, 0x80, 0x02,
-	0xd2, 0x8e, 0x9b, 0x05, 0xa1, 0x8a, 0x0b, 0x5a, 0xa7, 0x45, 0x20, 0xb6, 0x20, 0x66, 0x97, 0x22,
-	0x21, 0x44, 0x99, 0x38, 0xaf, 0x5e, 0x37, 0xf6, 0xd8, 0xf2, 0x8c, 0x23, 0xe5, 0x86, 0x38, 0x71,
-	0xe4, 0x5f, 0xe0, 0xc8, 0x81, 0x7f, 0x03, 0xed, 0xb1, 0x27, 0xd4, 0x53, 0x60, 0xd3, 0xff, 0xa2,
-	0x27, 0xe4, 0xf1, 0xc4, 0xf6, 0x26, 0xa5, 0x2c, 0xdb, 0xe5, 0xe6, 0xf9, 0xde, 0xbc, 0xef, 0xfb,
-	0xe6, 0xf9, 0xcd, 0x1b, 0x74, 0xe8, 0xf9, 0xf2, 0x34, 0x1d, 0x13, 0x37, 0x0a, 0xed, 0x28, 0x06,
-	0xbe, 0xef, 0x06, 0xa9, 0x90, 0x90, 0xec, 0x87, 0x8c, 0x33, 0x0f, 0x42, 0xe0, 0xd2, 0x66, 0xb1,
-	0x6f, 0x6b, 0xd8, 0x9e, 0x0d, 0x6d, 0x0f, 0x38, 0x24, 0x4c, 0xc2, 0x84, 0xc4, 0x49, 0x24, 0x23,
-	0x3c, 0x2c, 0x29, 0x48, 0x46, 0xf1, 0x48, 0xef, 0x7d, 0x54, 0x52, 0x10, 0x16, 0xfb, 0x44, 0xc3,
-	0x64, 0x36, 0xec, 0xee, 0x57, 0x54, 0xbd, 0xc8, 0x8b, 0x6c, 0xc5, 0x34, 0x4e, 0x1f, 0xab, 0x95,
-	0x5a, 0xa8, 0xaf, 0x5c, 0xa1, 0xfb, 0xfe, 0xf4, 0xae, 0x20, 0x7e, 0x94, 0x19, 0x09, 0x99, 0x7b,
-	0xea, 0x73, 0x48, 0xe6, 0x76, 0x3c, 0xf5, 0x94, 0xb3, 0x04, 0x44, 0x94, 0x26, 0x2e, 0xac, 0xfb,
-	0x7a, 0x65, 0x96, 0xb0, 0x43, 0x90, 0xec, 0x25, 0xa7, 0xe9, 0x7e, 0xf0, 0x4f, 0x59, 0x49, 0xca,
-	0xa5, 0x1f, 0x82, 0x2d, 0xdc, 0x53, 0x08, 0xd9, 0x7a, 0x5e, 0xff, 0x6b, 0xd4, 0x1e, 0x05, 0x3e,
-	0x70, 0x39, 0x8a, 0xf8, 0x63, 0xdf, 0xc3, 0x6f, 0xa1, 0x46, 0x9a, 0x04, 0xa6, 0xb1, 0x67, 0x0c,
-	0x6e, 0x38, 0xad, 0xb3, 0x45, 0xaf, 0xb6, 0x5c, 0xf4, 0x1a, 0x5f, 0xd1, 0x23, 0x9a, 0xe1, 0x78,
-	0x80, 0x9a, 0x2e, 0x73, 0x52, 0x3e, 0x09, 0xc0, 0xac, 0xef, 0x19, 0x83, 0xb6, 0xd3, 0x5e, 0x2e,
-	0x7a, 0xcd, 0xd1, 0x61, 0x8e, 0xd1, 0x22, 0xda, 0xff, 0xbd, 0x8e, 0xda, 0xc7, 0x71, 0x34, 0x85,
-	0x51, 0x5e, 0x3f, 0xfc, 0x3d, 0x6a, 0x66, 0xe6, 0x27, 0x4c, 0x32, 0x45, 0xdf, 0x3a, 0xb8, 0x43,
-	0x72, 0xd3, 0xa4, 0x6a, 0x9a, 0xc4, 0x53, 0x2f, 0x03, 0x04, 0xc9, 0x76, 0x93, 0xd9, 0x90, 0x7c,
-	0x31, 0x7e, 0x02, 0xae, 0x7c, 0x00, 0x92, 0x39, 0x58, 0x1b, 0x42, 0x25, 0x46, 0x0b, 0x56, 0x0c,
-	0x68, 0x4b, 0xc4, 0xe0, 0x2a, 0x63, 0xad, 0x83, 0x11, 0xf9, 0xcf, 0x3f, 0x98, 0x54, 0x0d, 0x1f,
-	0xc7, 0xe0, 0x3a, 0x6d, 0x2d, 0xb8, 0x95, 0xad, 0xa8, 0xa2, 0xc7, 0x21, 0xda, 0x11, 0x92, 0xc9,
-	0x54, 0x98, 0x0d, 0x25, 0x74, 0xff, 0x75, 0x85, 0x14, 0x99, 0xf3, 0x86, 0x96, 0xda, 0xc9, 0xd7,
-	0x54, 0x8b, 0xf4, 0xff, 0x30, 0x50, 0xa7, 0xba, 0xfd, 0xc8, 0x17, 0x12, 0x7f, 0xbb, 0x51, 0x4c,
-	0x72, 0xb9, 0x62, 0x66, 0xd9, 0xaa, 0x94, 0x1d, 0x2d, 0xd7, 0x5c, 0x21, 0x95, 0x42, 0x4e, 0xd0,
-	0xb6, 0x2f, 0x21, 0x14, 0x66, 0x7d, 0xaf, 0x31, 0x68, 0x1d, 0x7c, 0xf4, 0x9a, 0x07, 0x74, 0x6e,
-	0x6a, 0xad, 0xed, 0x4f, 0x33, 0x56, 0x9a, 0x93, 0xf7, 0x9f, 0xaf, 0x1d, 0x2c, 0x2b, 0x31, 0xfe,
-	0xc9, 0x40, 0xb7, 0x45, 0x0e, 0x96, 0x5d, 0xa9, 0x8f, 0x78, 0x15, 0x1f, 0x55, 0x1a, 0xe7, 0x4d,
-	0xed, 0xe3, 0xf6, 0xf1, 0xba, 0x02, 0xdd, 0x14, 0xc5, 0xf7, 0x50, 0xe7, 0x34, 0x1d, 0x1f, 0xba,
-	0x2e, 0xc4, 0x52, 0xe4, 0x11, 0xd5, 0x5a, 0x4d, 0xc7, 0xd4, 0x3c, 0x9d, 0x4f, 0xd6, 0xe2, 0x74,
-	0x23, 0xa3, 0xff, 0xeb, 0x0e, 0xc2, 0x9b, 0x7f, 0x1b, 0xcf, 0x10, 0x72, 0x23, 0x3e, 0xf1, 0xa5,
-	0x1f, 0x71, 0x61, 0x1a, 0xaa, 0xce, 0xce, 0x55, 0xea, 0xac, 0xe8, 0x46, 0x2b, 0xaa, 0xf2, 0x86,
-	0x14, 0x90, 0xa0, 0x15, 0x25, 0xfc, 0x8b, 0x91, 0xdd, 0xe0, 0x98, 0xb9, 0xbe, 0x9c, 0xeb, 0xdf,
-	0x7b, 0x7c, 0x2d, 0xfd, 0x4b, 0x46, 0x9a, 0xf5, 0x3e, 0x97, 0xc9, 0xdc, 0xb9, 0xb3, 0x6a, 0xaf,
-	0x15, 0xfc, 0x62, 0xd1, 0x6b, 0x53, 0x3d, 0xf3, 0xb2, 0x96, 0xfb, 0xf1, 0xcf, 0x72, 0xfd, 0x39,
-	0x0b, 0xd5, 0xe8, 0xc8, 0x77, 0xe2, 0xdf, 0x0c, 0xd4, 0x62, 0x41, 0x10, 0xb9, 0x4c, 0xb2, 0x71,
-	0x00, 0x66, 0x43, 0xd9, 0x7c, 0x78, 0x3d, 0x36, 0x0f, 0x4b, 0xe2, 0xdc, 0xe9, 0x7b, 0xda, 0x69,
-	0xab, 0x12, 0xf9, 0x57, 0xb3, 0x55, 0x7f, 0xf8, 0x09, 0xda, 0x9d, 0x41, 0x22, 0xfc, 0x88, 0x9b,
-	0x5b, 0x57, 0x6e, 0x54, 0x65, 0xf5, 0x61, 0x4e, 0xe3, 0xdc, 0xd2, 0x9e, 0x76, 0x35, 0x40, 0x57,
-	0x02, 0xdd, 0x29, 0xba, 0x79, 0xa1, 0xd0, 0xb8, 0x83, 0x1a, 0x53, 0x98, 0xe7, 0x03, 0x9b, 0x66,
-	0x9f, 0xf8, 0x1e, 0xda, 0x9e, 0xb1, 0x20, 0x05, 0x3d, 0x07, 0x5f, 0x39, 0x18, 0xc8, 0xea, 0x19,
-	0x22, 0x5f, 0xa6, 0x8c, 0x4b, 0x5f, 0xce, 0x69, 0x9e, 0xfc, 0x61, 0xfd, 0xae, 0xd1, 0xe5, 0xa8,
-	0xb3, 0x5e, 0xae, 0xff, 0x53, 0xaf, 0xef, 0xe8, 0x27, 0x43, 0x9f, 0x1a, 0x1f, 0x20, 0x34, 0x4d,
-	0xc7, 0x90, 0x70, 0x90, 0x20, 0xf4, 0x9b, 0x54, 0x34, 0xf8, 0x67, 0x45, 0x84, 0x56, 0x76, 0xf5,
-	0x17, 0x75, 0x74, 0x6b, 0xed, 0x52, 0xe0, 0x3d, 0xb4, 0x25, 0xe7, 0x31, 0x68, 0x86, 0x62, 0xa6,
-	0x9f, 0xcc, 0x63, 0xa0, 0x2a, 0x82, 0xbf, 0x2b, 0x66, 0x7a, 0x5d, 0xed, 0xf9, 0xf8, 0xe2, 0x30,
-	0x7e, 0xb1, 0xe8, 0x5d, 0xea, 0x59, 0x26, 0x85, 0xe6, 0xc5, 0x21, 0x8e, 0x67, 0x08, 0x07, 0x4c,
-	0xc8, 0x93, 0x84, 0x71, 0xa1, 0xe2, 0x27, 0x7e, 0x08, 0xfa, 0xfd, 0x78, 0xf7, 0x72, 0x93, 0x3b,
-	0xcb, 0x70, 0xba, 0xda, 0x17, 0x3e, 0xda, 0x60, 0xa3, 0x2f, 0x51, 0xc0, 0x6f, 0xa3, 0x9d, 0x04,
-	0x98, 0xd0, 0x9d, 0x79, 0xa3, 0x7c, 0x64, 0xa8, 0x42, 0xa9, 0x8e, 0xe2, 0x77, 0xd0, 0x6e, 0x08,
-	0x42, 0x30, 0x0f, 0xcc, 0x6d, 0xb5, 0xb1, 0xe8, 0xc0, 0x07, 0x39, 0x4c, 0x57, 0x71, 0x67, 0x70,
-	0x76, 0x6e, 0xd5, 0x9e, 0x9e, 0x5b, 0xb5, 0x67, 0xe7, 0x56, 0xed, 0x87, 0xa5, 0x65, 0x9c, 0x2d,
-	0x2d, 0xe3, 0xe9, 0xd2, 0x32, 0x9e, 0x2d, 0x2d, 0xe3, 0xaf, 0xa5, 0x65, 0xfc, 0xfc, 0xdc, 0xaa,
-	0x7d, 0x53, 0x9f, 0x0d, 0xff, 0x0e, 0x00, 0x00, 0xff, 0xff, 0x8b, 0xf4, 0xd5, 0x0b, 0xa5, 0x09,
-	0x00, 0x00,
+	0x14, 0x8e, 0x93, 0xfd, 0x91, 0x4e, 0x52, 0x1a, 0xcd, 0xc9, 0x8a, 0x84, 0xb3, 0xca, 0x01, 0x05,
+	0xa4, 0x1d, 0x37, 0x0b, 0x42, 0x15, 0x17, 0xb4, 0x4e, 0x8b, 0x40, 0x6c, 0x41, 0xcc, 0x2e, 0x45,
+	0x42, 0x88, 0x32, 0x71, 0x5e, 0xbd, 0x6e, 0xec, 0xb1, 0xe5, 0x19, 0x47, 0xca, 0x0d, 0x71, 0xe5,
+	0xc2, 0xbf, 0xc0, 0x91, 0x03, 0xff, 0x06, 0xda, 0x63, 0x4f, 0xa8, 0xa7, 0xc0, 0x06, 0x89, 0x3f,
+	0xa2, 0x27, 0xe4, 0xf1, 0xc4, 0xf6, 0x26, 0x4b, 0x59, 0xb6, 0xdb, 0x9b, 0xe7, 0x7b, 0xf3, 0xbe,
+	0xef, 0x9b, 0xe7, 0x37, 0x6f, 0xd0, 0xa1, 0xe7, 0xcb, 0xd3, 0x74, 0x4c, 0xdc, 0x28, 0xb4, 0xa3,
+	0x18, 0xf8, 0xbe, 0x1b, 0xa4, 0x42, 0x42, 0xb2, 0x1f, 0x32, 0xce, 0x3c, 0x08, 0x81, 0x4b, 0x9b,
+	0xc5, 0xbe, 0xad, 0x61, 0x7b, 0x36, 0xb4, 0x3d, 0xe0, 0x90, 0x30, 0x09, 0x13, 0x12, 0x27, 0x91,
+	0x8c, 0xf0, 0xb0, 0xa4, 0x20, 0x19, 0xc5, 0x63, 0xbd, 0xf7, 0x71, 0x49, 0x41, 0x58, 0xec, 0x13,
+	0x0d, 0x93, 0xd9, 0xb0, 0xbb, 0x5f, 0x51, 0xf5, 0x22, 0x2f, 0xb2, 0x15, 0xd3, 0x38, 0x7d, 0xa2,
+	0x56, 0x6a, 0xa1, 0xbe, 0x72, 0x85, 0xee, 0x7b, 0xd3, 0x7b, 0x82, 0xf8, 0x51, 0x66, 0x24, 0x64,
+	0xee, 0xa9, 0xcf, 0x21, 0x99, 0xdb, 0xf1, 0xd4, 0x53, 0xce, 0x12, 0x10, 0x51, 0x9a, 0xb8, 0xb0,
+	0xee, 0xeb, 0xa5, 0x59, 0xc2, 0x0e, 0x41, 0xb2, 0x4b, 0x4e, 0xd3, 0x7d, 0xff, 0xdf, 0xb2, 0x92,
+	0x94, 0x4b, 0x3f, 0x04, 0x5b, 0xb8, 0xa7, 0x10, 0xb2, 0xf5, 0xbc, 0xfe, 0x57, 0xa8, 0x3d, 0x0a,
+	0x7c, 0xe0, 0x72, 0x14, 0xf1, 0x27, 0xbe, 0x87, 0xdf, 0x44, 0x8d, 0x34, 0x09, 0x4c, 0x63, 0xcf,
+	0x18, 0xdc, 0x72, 0x5a, 0x67, 0x8b, 0x5e, 0x6d, 0xb9, 0xe8, 0x35, 0xbe, 0xa4, 0x47, 0x34, 0xc3,
+	0xf1, 0x00, 0x35, 0x5d, 0xe6, 0xa4, 0x7c, 0x12, 0x80, 0x59, 0xdf, 0x33, 0x06, 0x6d, 0xa7, 0xbd,
+	0x5c, 0xf4, 0x9a, 0xa3, 0xc3, 0x1c, 0xa3, 0x45, 0xb4, 0xff, 0x5b, 0x1d, 0xb5, 0x8f, 0xe3, 0x68,
+	0x0a, 0xa3, 0xbc, 0x7e, 0xf8, 0x3b, 0xd4, 0xcc, 0xcc, 0x4f, 0x98, 0x64, 0x8a, 0xbe, 0x75, 0x70,
+	0x97, 0xe4, 0xa6, 0x49, 0xd5, 0x34, 0x89, 0xa7, 0x5e, 0x06, 0x08, 0x92, 0xed, 0x26, 0xb3, 0x21,
+	0xf9, 0x7c, 0xfc, 0x14, 0x5c, 0xf9, 0x10, 0x24, 0x73, 0xb0, 0x36, 0x84, 0x4a, 0x8c, 0x16, 0xac,
+	0x18, 0xd0, 0x96, 0x88, 0xc1, 0x55, 0xc6, 0x5a, 0x07, 0x23, 0xf2, 0xbf, 0x7f, 0x30, 0xa9, 0x1a,
+	0x3e, 0x8e, 0xc1, 0x75, 0xda, 0x5a, 0x70, 0x2b, 0x5b, 0x51, 0x45, 0x8f, 0x43, 0xb4, 0x23, 0x24,
+	0x93, 0xa9, 0x30, 0x1b, 0x4a, 0xe8, 0xc1, 0xab, 0x0a, 0x29, 0x32, 0xe7, 0x0d, 0x2d, 0xb5, 0x93,
+	0xaf, 0xa9, 0x16, 0xe9, 0xff, 0x6e, 0xa0, 0x4e, 0x75, 0xfb, 0x91, 0x2f, 0x24, 0xfe, 0x66, 0xa3,
+	0x98, 0xe4, 0x6a, 0xc5, 0xcc, 0xb2, 0x55, 0x29, 0x3b, 0x5a, 0xae, 0xb9, 0x42, 0x2a, 0x85, 0x9c,
+	0xa0, 0x6d, 0x5f, 0x42, 0x28, 0xcc, 0xfa, 0x5e, 0x63, 0xd0, 0x3a, 0xf8, 0xf0, 0x15, 0x0f, 0xe8,
+	0xdc, 0xd6, 0x5a, 0xdb, 0x9f, 0x64, 0xac, 0x34, 0x27, 0xef, 0xff, 0xbd, 0x76, 0xb0, 0xac, 0xc4,
+	0xf8, 0x47, 0x03, 0x61, 0x91, 0x83, 0x65, 0x57, 0x0a, 0xd3, 0xb8, 0xb6, 0x91, 0x2a, 0x8f, 0xd3,
+	0xd5, 0x46, 0xf0, 0xf1, 0x86, 0x04, 0xbd, 0x44, 0x16, 0xdf, 0x47, 0x9d, 0xd3, 0x74, 0x7c, 0xe8,
+	0xba, 0x10, 0x4b, 0x91, 0x87, 0x54, 0x77, 0x35, 0x1d, 0x53, 0x33, 0x75, 0x3e, 0x5e, 0x8b, 0xd3,
+	0x8d, 0x8c, 0xfe, 0x2f, 0x3b, 0x08, 0x6f, 0xfe, 0x70, 0x3c, 0x43, 0xc8, 0x8d, 0xf8, 0xc4, 0x97,
+	0x7e, 0xc4, 0x57, 0x27, 0x74, 0xae, 0x53, 0x6a, 0x45, 0x37, 0x5a, 0x51, 0x95, 0x97, 0xa4, 0x80,
+	0x04, 0xad, 0x28, 0xe1, 0x9f, 0x8d, 0xec, 0x12, 0xc7, 0xcc, 0xf5, 0xe5, 0x5c, 0xff, 0xe1, 0xe3,
+	0x1b, 0x69, 0x61, 0x32, 0xd2, 0xac, 0x0f, 0xb8, 0x4c, 0xe6, 0xce, 0xdd, 0x55, 0x87, 0xad, 0xe0,
+	0x17, 0x8b, 0x5e, 0x9b, 0xea, 0xb1, 0x97, 0x75, 0xdd, 0x0f, 0x7f, 0x94, 0xeb, 0xcf, 0x58, 0xa8,
+	0xa6, 0x47, 0xbe, 0x13, 0xff, 0x6a, 0xa0, 0x16, 0x0b, 0x82, 0xc8, 0x65, 0x92, 0x8d, 0x03, 0x30,
+	0x1b, 0xca, 0xe6, 0xa3, 0x9b, 0xb1, 0x79, 0x58, 0x12, 0xe7, 0x4e, 0xdf, 0xd5, 0x4e, 0x5b, 0x95,
+	0xc8, 0x7f, 0x9a, 0xad, 0xfa, 0xc3, 0x4f, 0xd1, 0xee, 0x0c, 0x12, 0xe1, 0x47, 0xdc, 0xdc, 0x52,
+	0xd7, 0xf1, 0xda, 0x77, 0xe6, 0x51, 0x4e, 0xe3, 0xdc, 0xd1, 0x9e, 0x76, 0x35, 0x40, 0x57, 0x02,
+	0xdd, 0x29, 0xba, 0x7d, 0xa1, 0xd0, 0xb8, 0x83, 0x1a, 0x53, 0x98, 0xe7, 0x33, 0x9b, 0x66, 0x9f,
+	0xf8, 0x3e, 0xda, 0x9e, 0xb1, 0x20, 0x05, 0x3d, 0x0a, 0x5f, 0x3a, 0x1b, 0xc8, 0xea, 0x25, 0x22,
+	0x5f, 0xa4, 0x8c, 0x4b, 0x5f, 0xce, 0x69, 0x9e, 0xfc, 0x41, 0xfd, 0x9e, 0xd1, 0xe5, 0xa8, 0xb3,
+	0x5e, 0xae, 0xd7, 0xa9, 0xd7, 0x77, 0xf4, 0xab, 0xa1, 0x4f, 0x8d, 0x0f, 0x10, 0x9a, 0xa6, 0x63,
+	0x48, 0x38, 0x48, 0x10, 0xfa, 0x59, 0x2a, 0x1a, 0xfc, 0xd3, 0x22, 0x42, 0x2b, 0xbb, 0xfa, 0x8b,
+	0x3a, 0xba, 0xb3, 0x76, 0x29, 0xf0, 0x1e, 0xda, 0x92, 0xf3, 0x18, 0x34, 0x43, 0x31, 0xd6, 0x4f,
+	0xe6, 0x31, 0x50, 0x15, 0xc1, 0xdf, 0x16, 0x63, 0xbd, 0xae, 0xf6, 0x7c, 0x74, 0x71, 0x1e, 0xbf,
+	0x58, 0xf4, 0xae, 0xf4, 0x32, 0x93, 0x42, 0xf3, 0xe2, 0x1c, 0xc7, 0x33, 0x84, 0x03, 0x26, 0xe4,
+	0x49, 0xc2, 0xb8, 0x50, 0xf1, 0x13, 0x3f, 0x04, 0xfd, 0x84, 0xbc, 0x73, 0xb5, 0xe1, 0x9d, 0x65,
+	0x94, 0x33, 0xec, 0x68, 0x83, 0x8d, 0x5e, 0xa2, 0x80, 0xdf, 0x42, 0x3b, 0x09, 0x30, 0xa1, 0x3b,
+	0xf3, 0x56, 0xf9, 0xce, 0x50, 0x85, 0x52, 0x1d, 0xc5, 0x6f, 0xa3, 0xdd, 0x10, 0x84, 0x60, 0x1e,
+	0x98, 0xdb, 0x6a, 0x63, 0xd1, 0x81, 0x0f, 0x73, 0x98, 0xae, 0xe2, 0xce, 0xe0, 0xec, 0xdc, 0xaa,
+	0x3d, 0x3b, 0xb7, 0x6a, 0xcf, 0xcf, 0xad, 0xda, 0xf7, 0x4b, 0xcb, 0x38, 0x5b, 0x5a, 0xc6, 0xb3,
+	0xa5, 0x65, 0x3c, 0x5f, 0x5a, 0xc6, 0x9f, 0x4b, 0xcb, 0xf8, 0xe9, 0x2f, 0xab, 0xf6, 0x75, 0x7d,
+	0x36, 0xfc, 0x27, 0x00, 0x00, 0xff, 0xff, 0x5e, 0xff, 0x41, 0x9c, 0xa8, 0x09, 0x00, 0x00,
 }
 
 func (m *ClientConfig) Marshal() (dAtA []byte, err error) {
@@ -467,16 +466,20 @@ func (m *SpokeClusterSpec) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 	}
 	i--
 	dAtA[i] = 0x10
-	{
-		size, err := m.SpokeClientConfig.MarshalToSizedBuffer(dAtA[:i])
-		if err != nil {
-			return 0, err
+	if len(m.SpokeClientConfigs) > 0 {
+		for iNdEx := len(m.SpokeClientConfigs) - 1; iNdEx >= 0; iNdEx-- {
+			{
+				size, err := m.SpokeClientConfigs[iNdEx].MarshalToSizedBuffer(dAtA[:i])
+				if err != nil {
+					return 0, err
+				}
+				i -= size
+				i = encodeVarintGenerated(dAtA, i, uint64(size))
+			}
+			i--
+			dAtA[i] = 0xa
 		}
-		i -= size
-		i = encodeVarintGenerated(dAtA, i, uint64(size))
 	}
-	i--
-	dAtA[i] = 0xa
 	return len(dAtA) - i, nil
 }
 
@@ -730,8 +733,12 @@ func (m *SpokeClusterSpec) Size() (n int) {
 	}
 	var l int
 	_ = l
-	l = m.SpokeClientConfig.Size()
-	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.SpokeClientConfigs) > 0 {
+		for _, e := range m.SpokeClientConfigs {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
 	n += 2
 	return n
 }
@@ -850,8 +857,13 @@ func (this *SpokeClusterSpec) String() string {
 	if this == nil {
 		return "nil"
 	}
+	repeatedStringForSpokeClientConfigs := "[]ClientConfig{"
+	for _, f := range this.SpokeClientConfigs {
+		repeatedStringForSpokeClientConfigs += strings.Replace(strings.Replace(f.String(), "ClientConfig", "ClientConfig", 1), `&`, ``, 1) + ","
+	}
+	repeatedStringForSpokeClientConfigs += "}"
 	s := strings.Join([]string{`&SpokeClusterSpec{`,
-		`SpokeClientConfig:` + strings.Replace(strings.Replace(this.SpokeClientConfig.String(), "ClientConfig", "ClientConfig", 1), `&`, ``, 1) + `,`,
+		`SpokeClientConfigs:` + repeatedStringForSpokeClientConfigs + `,`,
 		`HubAcceptsClient:` + fmt.Sprintf("%v", this.HubAcceptsClient) + `,`,
 		`}`,
 	}, "")
@@ -1349,7 +1361,7 @@ func (m *SpokeClusterSpec) Unmarshal(dAtA []byte) error {
 		switch fieldNum {
 		case 1:
 			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field SpokeClientConfig", wireType)
+				return fmt.Errorf("proto: wrong wireType = %d for field SpokeClientConfigs", wireType)
 			}
 			var msglen int
 			for shift := uint(0); ; shift += 7 {
@@ -1376,7 +1388,8 @@ func (m *SpokeClusterSpec) Unmarshal(dAtA []byte) error {
 			if postIndex > l {
 				return io.ErrUnexpectedEOF
 			}
-			if err := m.SpokeClientConfig.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+			m.SpokeClientConfigs = append(m.SpokeClientConfigs, ClientConfig{})
+			if err := m.SpokeClientConfigs[len(m.SpokeClientConfigs)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
 				return err
 			}
 			iNdEx = postIndex

vendor/github.com/open-cluster-management/api/cluster/v1/generated.proto

@@ -64,9 +64,10 @@ message SpokeClusterList {
 // SpokeClusterSpec provides the information to securely connect to a remote server
 // and verify its identity.
 message SpokeClusterSpec {
-  // SpokeClientConfig represents the apiserver address of the spoke cluster
+  // SpokeClientConfigs represents a list of the apiserver address of the spoke cluster.
+  // If it is empty, spoke cluster has no accessible address to be visited from hub.
   // +optional
-  optional ClientConfig spokeClientConfig = 1;
+  repeated ClientConfig spokeClientConfigs = 1;
 
   // AcceptSpokeCluster reprsents that hub accepts the join of spoke agent.
   // Its default value is false, and can only be set true when the user on hub

vendor/github.com/open-cluster-management/api/cluster/v1/types.go

@@ -38,9 +38,10 @@ type SpokeCluster struct {
 // SpokeClusterSpec provides the information to securely connect to a remote server
 // and verify its identity.
 type SpokeClusterSpec struct {
-	// SpokeClientConfig represents the apiserver address of the spoke cluster
+	// SpokeClientConfigs represents a list of the apiserver address of the spoke cluster.
+	// If it is empty, spoke cluster has no accessible address to be visited from hub.
 	// +optional
-	SpokeClientConfig ClientConfig `json:"spokeClientConfig,omitempty" protobuf:"bytes,1,opt,name=spokeClientConfig"`
+	SpokeClientConfigs []ClientConfig `json:"spokeClientConfigs,omitempty" protobuf:"bytes,1,opt,name=spokeClientConfigs"`
 
 	// AcceptSpokeCluster reprsents that hub accepts the join of spoke agent.
 	// Its default value is false, and can only be set true when the user on hub

vendor/github.com/open-cluster-management/api/cluster/v1/zz_generated.deepcopy.go

@@ -115,7 +115,13 @@ func (in *SpokeClusterList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SpokeClusterSpec) DeepCopyInto(out *SpokeClusterSpec) {
 	*out = *in
-	in.SpokeClientConfig.DeepCopyInto(&out.SpokeClientConfig)
+	if in.SpokeClientConfigs != nil {
+		in, out := &in.SpokeClientConfigs, &out.SpokeClientConfigs
+		*out = make([]ClientConfig, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	return
 }
 

vendor/github.com/open-cluster-management/api/cluster/v1/zz_generated.swagger_doc_generated.go

@@ -42,9 +42,9 @@ func (SpokeClusterList) SwaggerDoc() map[string]string {
 }
 
 var map_SpokeClusterSpec = map[string]string{
-	"":                  "SpokeClusterSpec provides the information to securely connect to a remote server and verify its identity.",
-	"spokeClientConfig": "SpokeClientConfig represents the apiserver address of the spoke cluster",
-	"hubAcceptsClient":  "AcceptSpokeCluster reprsents that hub accepts the join of spoke agent. Its default value is false, and can only be set true when the user on hub has an RBAC rule to UPDATE on the virtual subresource of spokeclusters/accept. When the vaule is set true, a namespace whose name is same as the name of SpokeCluster is created on hub representing the spoke cluster, also role/rolebinding is created on the namespace to grant the permision of access from agent on spoke. When the value is set false, the namespace representing the spoke cluster is deleted.",
+	"":                   "SpokeClusterSpec provides the information to securely connect to a remote server and verify its identity.",
+	"spokeClientConfigs": "SpokeClientConfigs represents a list of the apiserver address of the spoke cluster. If it is empty, spoke cluster has no accessible address to be visited from hub.",
+	"hubAcceptsClient":   "AcceptSpokeCluster reprsents that hub accepts the join of spoke agent. Its default value is false, and can only be set true when the user on hub has an RBAC rule to UPDATE on the virtual subresource of spokeclusters/accept. When the vaule is set true, a namespace whose name is same as the name of SpokeCluster is created on hub representing the spoke cluster, also role/rolebinding is created on the namespace to grant the permision of access from agent on spoke. When the value is set false, the namespace representing the spoke cluster is deleted.",
 }
 
 func (SpokeClusterSpec) SwaggerDoc() map[string]string {

vendor/github.com/open-cluster-management/api/nucleus/v1/0000_00_nucleus.open-cluster-management.io_agentcores.crd.yaml

@@ -43,6 +43,25 @@ spec:
                 on hub. The spoke agent generates a random name if it is not set,
                 or discovers the appropriate cluster name on openshift.
               type: string
+            externalServerURLs:
+              description: ExternalServerURLs represents the a list of apiserver urls
+                and ca bundles that is accessible externally If it is set empty, spoke
+                cluster has no externally accessible url that hub cluster can visit.
+              type: array
+              items:
+                description: ServerURL represents the apiserver url and ca bundle
+                  that is accessible externally
+                type: object
+                properties:
+                  caBundle:
+                    description: CABundle is the ca bundle to connect to apiserver
+                      of the spoke cluster. System certs are used if it is not set.
+                    type: string
+                    format: byte
+                  url:
+                    description: URL is the url of apiserver endpoint of the spoke
+                      cluster.
+                    type: string
             namespace:
               description: Namespace is the namespace to deploy the agent. The namespace
                 must have a prefix of "open-cluster-management-", and if it is not

vendor/github.com/open-cluster-management/api/nucleus/v1/generated.pb.go

@@ -140,10 +140,38 @@ func (m *HubCoreStatus) XXX_DiscardUnknown() {
 
 var xxx_messageInfo_HubCoreStatus proto.InternalMessageInfo
 
+func (m *ServerURL) Reset()      { *m = ServerURL{} }
+func (*ServerURL) ProtoMessage() {}
+func (*ServerURL) Descriptor() ([]byte, []int) {
+	return fileDescriptor_912e57c46e7530f2, []int{4}
+}
+func (m *ServerURL) XXX_Unmarshal(b []byte) error {
+	return m.Unmarshal(b)
+}
+func (m *ServerURL) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	b = b[:cap(b)]
+	n, err := m.MarshalToSizedBuffer(b)
+	if err != nil {
+		return nil, err
+	}
+	return b[:n], nil
+}
+func (m *ServerURL) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_ServerURL.Merge(m, src)
+}
+func (m *ServerURL) XXX_Size() int {
+	return m.Size()
+}
+func (m *ServerURL) XXX_DiscardUnknown() {
+	xxx_messageInfo_ServerURL.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_ServerURL proto.InternalMessageInfo
+
 func (m *SpokeCore) Reset()      { *m = SpokeCore{} }
 func (*SpokeCore) ProtoMessage() {}
 func (*SpokeCore) Descriptor() ([]byte, []int) {
-	return fileDescriptor_912e57c46e7530f2, []int{4}
+	return fileDescriptor_912e57c46e7530f2, []int{5}
 }
 func (m *SpokeCore) XXX_Unmarshal(b []byte) error {
 	return m.Unmarshal(b)
@@ -171,7 +199,7 @@ var xxx_messageInfo_SpokeCore proto.InternalMessageInfo
 func (m *SpokeCoreList) Reset()      { *m = SpokeCoreList{} }
 func (*SpokeCoreList) ProtoMessage() {}
 func (*SpokeCoreList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_912e57c46e7530f2, []int{5}
+	return fileDescriptor_912e57c46e7530f2, []int{6}
 }
 func (m *SpokeCoreList) XXX_Unmarshal(b []byte) error {
 	return m.Unmarshal(b)
@@ -199,7 +227,7 @@ var xxx_messageInfo_SpokeCoreList proto.InternalMessageInfo
 func (m *SpokeCoreSpec) Reset()      { *m = SpokeCoreSpec{} }
 func (*SpokeCoreSpec) ProtoMessage() {}
 func (*SpokeCoreSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_912e57c46e7530f2, []int{6}
+	return fileDescriptor_912e57c46e7530f2, []int{7}
 }
 func (m *SpokeCoreSpec) XXX_Unmarshal(b []byte) error {
 	return m.Unmarshal(b)
@@ -227,7 +255,7 @@ var xxx_messageInfo_SpokeCoreSpec proto.InternalMessageInfo
 func (m *SpokeCoreStatus) Reset()      { *m = SpokeCoreStatus{} }
 func (*SpokeCoreStatus) ProtoMessage() {}
 func (*SpokeCoreStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_912e57c46e7530f2, []int{7}
+	return fileDescriptor_912e57c46e7530f2, []int{8}
 }
 func (m *SpokeCoreStatus) XXX_Unmarshal(b []byte) error {
 	return m.Unmarshal(b)
@@ -255,7 +283,7 @@ var xxx_messageInfo_SpokeCoreStatus proto.InternalMessageInfo
 func (m *StatusCondition) Reset()      { *m = StatusCondition{} }
 func (*StatusCondition) ProtoMessage() {}
 func (*StatusCondition) Descriptor() ([]byte, []int) {
-	return fileDescriptor_912e57c46e7530f2, []int{8}
+	return fileDescriptor_912e57c46e7530f2, []int{9}
 }
 func (m *StatusCondition) XXX_Unmarshal(b []byte) error {
 	return m.Unmarshal(b)
@@ -285,6 +313,7 @@ func init() {
 	proto.RegisterType((*HubCoreList)(nil), "github.com.open_cluster_management.api.nucleus.v1.HubCoreList")
 	proto.RegisterType((*HubCoreSpec)(nil), "github.com.open_cluster_management.api.nucleus.v1.HubCoreSpec")
 	proto.RegisterType((*HubCoreStatus)(nil), "github.com.open_cluster_management.api.nucleus.v1.HubCoreStatus")
+	proto.RegisterType((*ServerURL)(nil), "github.com.open_cluster_management.api.nucleus.v1.ServerURL")
 	proto.RegisterType((*SpokeCore)(nil), "github.com.open_cluster_management.api.nucleus.v1.SpokeCore")
 	proto.RegisterType((*SpokeCoreList)(nil), "github.com.open_cluster_management.api.nucleus.v1.SpokeCoreList")
 	proto.RegisterType((*SpokeCoreSpec)(nil), "github.com.open_cluster_management.api.nucleus.v1.SpokeCoreSpec")
@@ -297,54 +326,60 @@ func init() {
 }
 
 var fileDescriptor_912e57c46e7530f2 = []byte{
-	// 752 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xc4, 0x95, 0x4d, 0x4f, 0x13, 0x41,
-	0x18, 0xc7, 0xbb, 0x4b, 0x79, 0xe9, 0x54, 0x44, 0xc6, 0x4b, 0xe9, 0x61, 0xc1, 0x1e, 0x0c, 0x9a,
-	0x30, 0x6b, 0x89, 0x1a, 0x63, 0x8c, 0xd1, 0x25, 0x51, 0x49, 0x40, 0xcd, 0x40, 0x62, 0x62, 0x8c,
-	0x65, 0xba, 0x3c, 0x6e, 0x97, 0x76, 0x5f, 0xb2, 0x33, 0x5b, 0xc3, 0xcd, 0x9b, 0xf1, 0xe6, 0x57,
-	0xf0, 0x53, 0x78, 0xf2, 0xce, 0xc1, 0x03, 0x47, 0x4e, 0x8d, 0xd4, 0x6f, 0xe1, 0xc9, 0xec, 0x74,
-	0xba, 0x7d, 0x81, 0x12, 0xa4, 0x09, 0xde, 0x3a, 0xcf, 0xcb, 0xef, 0x3f, 0xcf, 0xb3, 0xf3, 0x4f,
-	0xd1, 0x53, 0xc7, 0x15, 0xb5, 0xb8, 0x4a, 0xec, 0xc0, 0x33, 0x83, 0x10, 0xfc, 0x15, 0xbb, 0x11,
-	0x73, 0x01, 0xd1, 0x8a, 0xc7, 0x7c, 0xe6, 0x80, 0x07, 0xbe, 0x30, 0x59, 0xe8, 0x9a, 0x7e, 0x6c,
-	0x37, 0x20, 0xe6, 0x66, 0xb3, 0x6c, 0x3a, 0xe0, 0x43, 0xc4, 0x04, 0xec, 0x92, 0x30, 0x0a, 0x44,
-	0x80, 0xcb, 0x3d, 0x04, 0x49, 0x10, 0x15, 0x85, 0xa8, 0xf4, 0x10, 0x84, 0x85, 0x2e, 0x51, 0x08,
-	0xd2, 0x2c, 0x17, 0x57, 0xfa, 0x54, 0x9d, 0xc0, 0x09, 0x4c, 0x49, 0xaa, 0xc6, 0x1f, 0xe4, 0x49,
-	0x1e, 0xe4, 0xaf, 0x8e, 0x42, 0xf1, 0x6e, 0xfd, 0x01, 0x27, 0x6e, 0x90, 0x5c, 0xc4, 0x63, 0x76,
-	0xcd, 0xf5, 0x21, 0xda, 0x37, 0xc3, 0xba, 0x93, 0x04, 0xb8, 0xe9, 0x81, 0x60, 0xa7, 0xdc, 0xab,
-	0x78, 0x7f, 0x54, 0x57, 0x14, 0xfb, 0xc2, 0xf5, 0xc0, 0xe4, 0x76, 0x0d, 0x3c, 0x36, 0xdc, 0x57,
-	0xfa, 0xae, 0xa3, 0xe9, 0x17, 0x71, 0x75, 0x2d, 0x88, 0x00, 0xef, 0xa0, 0x99, 0x04, 0xbf, 0xcb,
-	0x04, 0x2b, 0x68, 0x4b, 0xda, 0x72, 0x7e, 0xf5, 0x0e, 0xe9, 0x60, 0x49, 0x3f, 0x96, 0x84, 0x75,
-	0x27, 0x09, 0x70, 0x92, 0x54, 0x93, 0x66, 0x99, 0xbc, 0xaa, 0xee, 0x81, 0x2d, 0x36, 0x41, 0x30,
-	0x0b, 0x1f, 0xb4, 0x16, 0x33, 0xed, 0xd6, 0x22, 0xea, 0xc5, 0x68, 0x4a, 0xc5, 0x3b, 0x28, 0xcb,
-	0x43, 0xb0, 0x0b, 0xba, 0xa4, 0x3f, 0x26, 0xff, 0xbc, 0x4c, 0xa2, 0xee, 0xba, 0x15, 0x82, 0x6d,
-	0x5d, 0x51, 0x5a, 0xd9, 0xe4, 0x44, 0x25, 0x19, 0xd7, 0xd0, 0x14, 0x17, 0x4c, 0xc4, 0xbc, 0x30,
-	0x21, 0x35, 0x9e, 0x8c, 0xa1, 0x21, 0x39, 0xd6, 0x55, 0xa5, 0x32, 0xd5, 0x39, 0x53, 0xc5, 0x2f,
-	0xfd, 0xd4, 0x50, 0x5e, 0x55, 0x6e, 0xb8, 0x5c, 0xe0, 0x77, 0x27, 0xb6, 0x47, 0xce, 0xb7, 0xbd,
-	0xa4, 0x5b, 0xee, 0xee, 0x9a, 0x52, 0x9a, 0xe9, 0x46, 0xfa, 0x36, 0x57, 0x41, 0x93, 0xae, 0x00,
-	0x8f, 0x17, 0xf4, 0xa5, 0x89, 0xe5, 0xfc, 0xea, 0xc3, 0x8b, 0x8f, 0x65, 0xcd, 0x2a, 0x99, 0xc9,
-	0xf5, 0x04, 0x48, 0x3b, 0xdc, 0x92, 0x9f, 0x4e, 0x93, 0x6c, 0x13, 0x57, 0xd0, 0x42, 0x04, 0x8e,
-	0xcb, 0x45, 0xc4, 0x84, 0x1b, 0xf8, 0xeb, 0x1e, 0x73, 0xe0, 0x75, 0xdc, 0x68, 0x24, 0x49, 0x39,
-	0x5e, 0xce, 0xba, 0xa1, 0x38, 0x0b, 0x74, 0x54, 0x21, 0x1d, 0xcd, 0x28, 0x7d, 0xd6, 0xd0, 0xec,
-	0xc0, 0xa2, 0x71, 0x13, 0x21, 0x3b, 0xf0, 0x77, 0xdd, 0xa4, 0x96, 0x17, 0x34, 0x39, 0xa7, 0x75,
-	0x81, 0x39, 0x3b, 0xb8, 0xb5, 0x2e, 0xaa, 0xf7, 0x24, 0xd3, 0x10, 0xa7, 0x7d, 0x4a, 0xa5, 0x1f,
-	0x3a, 0xca, 0x6d, 0x85, 0x41, 0x1d, 0x2e, 0xc9, 0x04, 0xd5, 0x01, 0x13, 0x5c, 0xe4, 0x81, 0xa6,
-	0xb7, 0x1d, 0x69, 0x83, 0xbd, 0x21, 0x1b, 0x58, 0x63, 0xa9, 0x9c, 0x6d, 0x84, 0x43, 0x0d, 0xcd,
-	0xa6, 0xb5, 0x97, 0x60, 0x05, 0x36, 0x68, 0x85, 0x47, 0xe3, 0x8c, 0x36, 0xc2, 0x0c, 0xdf, 0xf4,
-	0xbe, 0x91, 0xa4, 0x1f, 0x4c, 0x94, 0xf3, 0x99, 0x07, 0x3c, 0x64, 0x36, 0xa8, 0xf7, 0x3f, 0xaf,
-	0x5a, 0x73, 0x2f, 0xbb, 0x09, 0xda, 0xab, 0x39, 0xdb, 0x40, 0xfa, 0xf8, 0x06, 0xc2, 0xcf, 0xd1,
-	0xfc, 0xc7, 0x20, 0xaa, 0x0f, 0x82, 0x27, 0x24, 0x78, 0x41, 0x81, 0xe7, 0xdf, 0x0c, 0x17, 0xd0,
-	0x93, 0x3d, 0xf8, 0x1e, 0xca, 0xab, 0x8d, 0x25, 0x83, 0x14, 0xb2, 0x12, 0x71, 0x5d, 0x21, 0xf2,
-	0x6b, 0xbd, 0x14, 0xed, 0xaf, 0x2b, 0x7d, 0xd1, 0xd0, 0xdc, 0xd0, 0x13, 0xf9, 0x6f, 0x16, 0x6e,
-	0xe9, 0x68, 0x6e, 0xa8, 0x07, 0x2f, 0xa1, 0xac, 0xd8, 0x0f, 0xbb, 0x1f, 0x2b, 0x35, 0xc9, 0xf6,
-	0x7e, 0x08, 0x54, 0x66, 0xf0, 0xfb, 0xd4, 0x24, 0x9d, 0xef, 0xf1, 0x6c, 0xf0, 0x81, 0xff, 0x69,
-	0x2d, 0x9e, 0xeb, 0xbf, 0x98, 0xa4, 0x9a, 0x83, 0xc6, 0xc0, 0x4d, 0x84, 0x1b, 0x8c, 0x8b, 0xed,
-	0x88, 0xf9, 0x5c, 0xe6, 0xb7, 0x5d, 0x0f, 0x94, 0x21, 0x6f, 0x9f, 0xcf, 0x10, 0x49, 0x87, 0x55,
-	0x54, 0xf7, 0xc2, 0x1b, 0x27, 0x68, 0xf4, 0x14, 0x05, 0x7c, 0x13, 0x4d, 0x45, 0xc0, 0x78, 0xe0,
-	0xab, 0x6f, 0x99, 0x1a, 0x97, 0xca, 0x28, 0x55, 0x59, 0x7c, 0x0b, 0x4d, 0x7b, 0xc0, 0x39, 0x73,
-	0xa0, 0x30, 0x29, 0x0b, 0xe7, 0x54, 0xe1, 0xf4, 0x66, 0x27, 0x4c, 0xbb, 0x79, 0x6b, 0xf9, 0xe0,
-	0xd8, 0xc8, 0x1c, 0x1e, 0x1b, 0x99, 0xa3, 0x63, 0x23, 0xf3, 0xa9, 0x6d, 0x68, 0x07, 0x6d, 0x43,
-	0x3b, 0x6c, 0x1b, 0xda, 0x51, 0xdb, 0xd0, 0x7e, 0xb5, 0x0d, 0xed, 0xeb, 0x6f, 0x23, 0xf3, 0x56,
-	0x6f, 0x96, 0xff, 0x06, 0x00, 0x00, 0xff, 0xff, 0xbe, 0xe2, 0x62, 0x8c, 0x64, 0x09, 0x00, 0x00,
+	// 833 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xc4, 0x96, 0x4b, 0x6f, 0x23, 0x45,
+	0x10, 0xc7, 0x3d, 0x76, 0x5e, 0x6e, 0x27, 0x84, 0x34, 0x97, 0x49, 0x24, 0x26, 0xc1, 0x07, 0x14,
+	0x90, 0xd2, 0x83, 0x57, 0x80, 0x10, 0x42, 0x88, 0x9d, 0x88, 0xc7, 0x4a, 0x5e, 0x40, 0x1d, 0xaf,
+	0x90, 0x10, 0xc2, 0xdb, 0x1e, 0x17, 0xe3, 0x59, 0xcf, 0x4b, 0xd3, 0x3d, 0x86, 0xdc, 0xb8, 0x01,
+	0x37, 0x3e, 0x08, 0x77, 0x4e, 0xdc, 0x73, 0xe0, 0x90, 0xe3, 0x9e, 0x2c, 0x62, 0xbe, 0x05, 0x27,
+	0xd4, 0x3d, 0xed, 0xf1, 0x2b, 0x5e, 0x05, 0x5b, 0x0a, 0x37, 0x77, 0x3d, 0x7e, 0xd5, 0x55, 0x53,
+	0xff, 0x96, 0xd1, 0x43, 0xcf, 0x17, 0xbd, 0xac, 0x43, 0xdc, 0x38, 0xb4, 0xe3, 0x04, 0xa2, 0x33,
+	0x37, 0xc8, 0xb8, 0x80, 0xf4, 0x2c, 0x64, 0x11, 0xf3, 0x20, 0x84, 0x48, 0xd8, 0x2c, 0xf1, 0xed,
+	0x28, 0x73, 0x03, 0xc8, 0xb8, 0x3d, 0x68, 0xd8, 0x1e, 0x44, 0x90, 0x32, 0x01, 0x5d, 0x92, 0xa4,
+	0xb1, 0x88, 0x71, 0x63, 0x82, 0x20, 0x12, 0xd1, 0xd6, 0x88, 0xf6, 0x04, 0x41, 0x58, 0xe2, 0x13,
+	0x8d, 0x20, 0x83, 0xc6, 0xd1, 0xd9, 0x54, 0x55, 0x2f, 0xf6, 0x62, 0x5b, 0x91, 0x3a, 0xd9, 0x77,
+	0xea, 0xa4, 0x0e, 0xea, 0x57, 0x5e, 0xe1, 0xe8, 0xed, 0xfe, 0x7b, 0x9c, 0xf8, 0xb1, 0xbc, 0x48,
+	0xc8, 0xdc, 0x9e, 0x1f, 0x41, 0x7a, 0x69, 0x27, 0x7d, 0x4f, 0x1a, 0xb8, 0x1d, 0x82, 0x60, 0xb7,
+	0xdc, 0xeb, 0xe8, 0xdd, 0x65, 0x59, 0x69, 0x16, 0x09, 0x3f, 0x04, 0x9b, 0xbb, 0x3d, 0x08, 0xd9,
+	0x7c, 0x5e, 0xfd, 0xf7, 0x32, 0xda, 0xfe, 0x2c, 0xeb, 0x9c, 0xc7, 0x29, 0xe0, 0xa7, 0x68, 0x47,
+	0xe2, 0xbb, 0x4c, 0x30, 0xd3, 0x38, 0x31, 0x4e, 0x6b, 0x0f, 0xde, 0x22, 0x39, 0x96, 0x4c, 0x63,
+	0x49, 0xd2, 0xf7, 0xa4, 0x81, 0x13, 0x19, 0x4d, 0x06, 0x0d, 0xf2, 0x45, 0xe7, 0x19, 0xb8, 0xe2,
+	0x31, 0x08, 0xe6, 0xe0, 0xab, 0xe1, 0x71, 0x69, 0x34, 0x3c, 0x46, 0x13, 0x1b, 0x2d, 0xa8, 0xf8,
+	0x29, 0xda, 0xe0, 0x09, 0xb8, 0x66, 0x59, 0xd1, 0x3f, 0x24, 0xff, 0x79, 0x98, 0x44, 0xdf, 0xf5,
+	0x22, 0x01, 0xd7, 0xd9, 0xd5, 0xb5, 0x36, 0xe4, 0x89, 0x2a, 0x32, 0xee, 0xa1, 0x2d, 0x2e, 0x98,
+	0xc8, 0xb8, 0x59, 0x51, 0x35, 0x3e, 0x5a, 0xa3, 0x86, 0xe2, 0x38, 0x2f, 0xe9, 0x2a, 0x5b, 0xf9,
+	0x99, 0x6a, 0x7e, 0xfd, 0x4f, 0x03, 0xd5, 0x74, 0x64, 0xd3, 0xe7, 0x02, 0x7f, 0xb3, 0x30, 0x3d,
+	0x72, 0xb7, 0xe9, 0xc9, 0x6c, 0x35, 0xbb, 0x97, 0x75, 0xa5, 0x9d, 0xb1, 0x65, 0x6a, 0x72, 0x6d,
+	0xb4, 0xe9, 0x0b, 0x08, 0xb9, 0x59, 0x3e, 0xa9, 0x9c, 0xd6, 0x1e, 0xbc, 0xbf, 0x7a, 0x5b, 0xce,
+	0x9e, 0x2e, 0xb3, 0xf9, 0x48, 0x02, 0x69, 0xce, 0xad, 0x47, 0x45, 0x37, 0x72, 0x9a, 0xb8, 0x8d,
+	0x0e, 0x53, 0xf0, 0x7c, 0x2e, 0x52, 0x26, 0xfc, 0x38, 0x7a, 0x14, 0x32, 0x0f, 0xbe, 0xcc, 0x82,
+	0x40, 0x3a, 0x55, 0x7b, 0x55, 0xe7, 0x35, 0xcd, 0x39, 0xa4, 0xcb, 0x02, 0xe9, 0x72, 0x46, 0xfd,
+	0x27, 0x03, 0xed, 0xcd, 0x0c, 0x1a, 0x0f, 0x10, 0x72, 0xe3, 0xa8, 0xeb, 0xcb, 0x58, 0x6e, 0x1a,
+	0xaa, 0x4f, 0x67, 0x85, 0x3e, 0x73, 0xdc, 0xf9, 0x18, 0x35, 0x59, 0xc9, 0xc2, 0xc4, 0xe9, 0x54,
+	0xa5, 0x7a, 0x0b, 0x55, 0x2f, 0x20, 0x1d, 0x40, 0xfa, 0x84, 0x36, 0xf1, 0xab, 0xa8, 0x92, 0xa5,
+	0x81, 0xee, 0xb0, 0xa6, 0x33, 0x2b, 0x4f, 0x68, 0x93, 0x4a, 0x3b, 0x3e, 0x45, 0x3b, 0x2e, 0x73,
+	0xb2, 0xa8, 0x1b, 0x80, 0x5a, 0xe2, 0x5d, 0x67, 0x57, 0x7e, 0xb0, 0xf3, 0x87, 0xb9, 0x8d, 0x16,
+	0xde, 0xfa, 0x1f, 0x65, 0x54, 0xbd, 0x48, 0xe2, 0x3e, 0xdc, 0x93, 0xb4, 0x3a, 0x33, 0xd2, 0x5a,
+	0x65, 0xed, 0x8b, 0xdb, 0x2e, 0x15, 0xd7, 0xb3, 0x39, 0x71, 0x39, 0x6b, 0x55, 0x79, 0xb1, 0xbc,
+	0xae, 0x0d, 0xb4, 0x57, 0xc4, 0xde, 0x83, 0xc0, 0xd8, 0xac, 0xc0, 0x3e, 0x58, 0xa7, 0xb5, 0x25,
+	0x12, 0xfb, 0xad, 0x32, 0xd5, 0x92, 0x52, 0x99, 0x8d, 0xaa, 0x11, 0x0b, 0x81, 0x27, 0xcc, 0x05,
+	0xbd, 0x73, 0x07, 0x3a, 0xb5, 0xfa, 0xf9, 0xd8, 0x41, 0x27, 0x31, 0x2f, 0x96, 0x65, 0x79, 0x7d,
+	0x59, 0xe2, 0x4f, 0xd1, 0xc1, 0xf7, 0x71, 0xda, 0x9f, 0x05, 0x57, 0x14, 0xf8, 0x50, 0x83, 0x0f,
+	0xbe, 0x9a, 0x0f, 0xa0, 0x8b, 0x39, 0xf8, 0x1d, 0x54, 0xd3, 0x13, 0x93, 0x8d, 0x98, 0x1b, 0x0a,
+	0xf1, 0x8a, 0x46, 0xd4, 0xce, 0x27, 0x2e, 0x3a, 0x1d, 0x87, 0x7f, 0x36, 0x10, 0x86, 0x1f, 0x04,
+	0xa4, 0x11, 0x0b, 0x0a, 0x55, 0x72, 0x73, 0x73, 0xf5, 0x8f, 0x32, 0x86, 0x38, 0x47, 0xba, 0x38,
+	0xfe, 0x78, 0x81, 0x4f, 0x6f, 0xa9, 0x59, 0xff, 0xc5, 0x40, 0xfb, 0x73, 0xdb, 0xfa, 0xbf, 0xbd,
+	0x51, 0xc3, 0x32, 0xda, 0x9f, 0xcb, 0xc1, 0x27, 0x68, 0x43, 0x5c, 0x26, 0xe3, 0xbd, 0x29, 0xf4,
+	0xda, 0xba, 0x4c, 0x80, 0x2a, 0x0f, 0xfe, 0xb6, 0xd0, 0x6b, 0xbe, 0x1a, 0x9f, 0xcc, 0x6a, 0xed,
+	0x9f, 0xe1, 0xf1, 0x9d, 0xfe, 0x6c, 0x90, 0xa2, 0xe6, 0xac, 0x46, 0xf1, 0x00, 0xe1, 0x80, 0x71,
+	0xd1, 0x4a, 0x59, 0xc4, 0x95, 0xbf, 0xe5, 0x87, 0xa0, 0xdf, 0x86, 0x37, 0xef, 0xa6, 0x4d, 0x99,
+	0x31, 0xf9, 0x32, 0xcd, 0x05, 0x1a, 0xbd, 0xa5, 0x02, 0x7e, 0x1d, 0x6d, 0xa5, 0xc0, 0x78, 0x1c,
+	0xe9, 0xb5, 0x2a, 0xde, 0x10, 0xaa, 0xac, 0x54, 0x7b, 0xf1, 0x1b, 0x68, 0x3b, 0x04, 0xce, 0x99,
+	0x07, 0xe6, 0xa6, 0x0a, 0xdc, 0xd7, 0x81, 0xdb, 0x8f, 0x73, 0x33, 0x1d, 0xfb, 0x9d, 0xd3, 0xab,
+	0x1b, 0xab, 0x74, 0x7d, 0x63, 0x95, 0x9e, 0xdf, 0x58, 0xa5, 0x1f, 0x47, 0x96, 0x71, 0x35, 0xb2,
+	0x8c, 0xeb, 0x91, 0x65, 0x3c, 0x1f, 0x59, 0xc6, 0x5f, 0x23, 0xcb, 0xf8, 0xf5, 0x6f, 0xab, 0xf4,
+	0x75, 0x79, 0xd0, 0xf8, 0x37, 0x00, 0x00, 0xff, 0xff, 0x1e, 0xf4, 0x08, 0xfe, 0x45, 0x0a, 0x00,
+	0x00,
 }
 
 func (m *HubCore) Marshal() (dAtA []byte, err error) {
@@ -512,6 +547,41 @@ func (m *HubCoreStatus) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 	return len(dAtA) - i, nil
 }
 
+func (m *ServerURL) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalToSizedBuffer(dAtA[:size])
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ServerURL) MarshalTo(dAtA []byte) (int, error) {
+	size := m.Size()
+	return m.MarshalToSizedBuffer(dAtA[:size])
+}
+
+func (m *ServerURL) MarshalToSizedBuffer(dAtA []byte) (int, error) {
+	i := len(dAtA)
+	_ = i
+	var l int
+	_ = l
+	if m.CABundle != nil {
+		i -= len(m.CABundle)
+		copy(dAtA[i:], m.CABundle)
+		i = encodeVarintGenerated(dAtA, i, uint64(len(m.CABundle)))
+		i--
+		dAtA[i] = 0x12
+	}
+	i -= len(m.URL)
+	copy(dAtA[i:], m.URL)
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.URL)))
+	i--
+	dAtA[i] = 0xa
+	return len(dAtA) - i, nil
+}
+
 func (m *SpokeCore) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
 	dAtA = make([]byte, size)
@@ -632,6 +702,20 @@ func (m *SpokeCoreSpec) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 	_ = i
 	var l int
 	_ = l
+	if len(m.ExternalServerURLs) > 0 {
+		for iNdEx := len(m.ExternalServerURLs) - 1; iNdEx >= 0; iNdEx-- {
+			{
+				size, err := m.ExternalServerURLs[iNdEx].MarshalToSizedBuffer(dAtA[:i])
+				if err != nil {
+					return 0, err
+				}
+				i -= size
+				i = encodeVarintGenerated(dAtA, i, uint64(size))
+			}
+			i--
+			dAtA[i] = 0x2a
+		}
+	}
 	i -= len(m.ClusterName)
 	copy(dAtA[i:], m.ClusterName)
 	i = encodeVarintGenerated(dAtA, i, uint64(len(m.ClusterName)))
@@ -814,6 +898,21 @@ func (m *HubCoreStatus) Size() (n int) {
 	return n
 }
 
+func (m *ServerURL) Size() (n int) {
+	if m == nil {
+		return 0
+	}
+	var l int
+	_ = l
+	l = len(m.URL)
+	n += 1 + l + sovGenerated(uint64(l))
+	if m.CABundle != nil {
+		l = len(m.CABundle)
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	return n
+}
+
 func (m *SpokeCore) Size() (n int) {
 	if m == nil {
 		return 0
@@ -860,6 +959,12 @@ func (m *SpokeCoreSpec) Size() (n int) {
 	n += 1 + l + sovGenerated(uint64(l))
 	l = len(m.ClusterName)
 	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.ExternalServerURLs) > 0 {
+		for _, e := range m.ExternalServerURLs {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
 	return n
 }
 
@@ -956,6 +1061,17 @@ func (this *HubCoreStatus) String() string {
 	}, "")
 	return s
 }
+func (this *ServerURL) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&ServerURL{`,
+		`URL:` + fmt.Sprintf("%v", this.URL) + `,`,
+		`CABundle:` + valueToStringGenerated(this.CABundle) + `,`,
+		`}`,
+	}, "")
+	return s
+}
 func (this *SpokeCore) String() string {
 	if this == nil {
 		return "nil"
@@ -988,11 +1104,17 @@ func (this *SpokeCoreSpec) String() string {
 	if this == nil {
 		return "nil"
 	}
+	repeatedStringForExternalServerURLs := "[]ServerURL{"
+	for _, f := range this.ExternalServerURLs {
+		repeatedStringForExternalServerURLs += strings.Replace(strings.Replace(f.String(), "ServerURL", "ServerURL", 1), `&`, ``, 1) + ","
+	}
+	repeatedStringForExternalServerURLs += "}"
 	s := strings.Join([]string{`&SpokeCoreSpec{`,
 		`Namespace:` + fmt.Sprintf("%v", this.Namespace) + `,`,
 		`RegistrationImagePullSpec:` + fmt.Sprintf("%v", this.RegistrationImagePullSpec) + `,`,
 		`WorkImagePullSpec:` + fmt.Sprintf("%v", this.WorkImagePullSpec) + `,`,
 		`ClusterName:` + fmt.Sprintf("%v", this.ClusterName) + `,`,
+		`ExternalServerURLs:` + repeatedStringForExternalServerURLs + `,`,
 		`}`,
 	}, "")
 	return s
@@ -1478,6 +1600,125 @@ func (m *HubCoreStatus) Unmarshal(dAtA []byte) error {
 	}
 	return nil
 }
+func (m *ServerURL) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= uint64(b&0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ServerURL: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ServerURL: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field URL", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= uint64(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.URL = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field CABundle", wireType)
+			}
+			var byteLen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				byteLen |= int(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if byteLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + byteLen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.CABundle = append(m.CABundle[:0], dAtA[iNdEx:postIndex]...)
+			if m.CABundle == nil {
+				m.CABundle = []byte{}
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
 func (m *SpokeCore) Unmarshal(dAtA []byte) error {
 	l := len(dAtA)
 	iNdEx := 0
@@ -1907,6 +2148,40 @@ func (m *SpokeCoreSpec) Unmarshal(dAtA []byte) error {
 			}
 			m.ClusterName = string(dAtA[iNdEx:postIndex])
 			iNdEx = postIndex
+		case 5:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ExternalServerURLs", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= int(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.ExternalServerURLs = append(m.ExternalServerURLs, ServerURL{})
+			if err := m.ExternalServerURLs[len(m.ExternalServerURLs)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
 		default:
 			iNdEx = preIndex
 			skippy, err := skipGenerated(dAtA[iNdEx:])

vendor/github.com/open-cluster-management/api/nucleus/v1/generated.proto

@@ -54,6 +54,18 @@ message HubCoreStatus {
   repeated StatusCondition conditions = 1;
 }
 
+// ServerURL represents the apiserver url and ca bundle that is accessible externally
+message ServerURL {
+  // URL is the url of apiserver endpoint of the spoke cluster.
+  // +required
+  optional string url = 1;
+
+  // CABundle is the ca bundle to connect to apiserver of the spoke cluster.
+  // System certs are used if it is not set.
+  // +optional
+  optional bytes caBundle = 2;
+}
+
 // SpokeCore represents a deployment of nucleus core agent on spoke cluster.
 // When the deployment of spoke core agent is deployed, it will requires a secret
 // with the name of bootstrap-hub-kubeconfig in the namespace defined in the spec.
@@ -98,6 +110,11 @@ message SpokeCoreSpec {
   // The spoke agent generates a random name if it is not set, or discovers the appropriate cluster name on openshift.
   // +optional
   optional string clusterName = 4;
+
+  // ExternalServerURLs represents the a list of apiserver urls and ca bundles that is accessible externally
+  // If it is set empty, spoke cluster has no externally accessible url that hub cluster can visit.
+  // +optional
+  repeated ServerURL externalServerURLs = 5;
 }
 
 // SpokeCoreStatus represents the current status of nucleus spoke agent.

vendor/github.com/open-cluster-management/api/nucleus/v1/types.go

@@ -97,6 +97,23 @@ type SpokeCoreSpec struct {
 	// The spoke agent generates a random name if it is not set, or discovers the appropriate cluster name on openshift.
 	// +optional
 	ClusterName string `json:"clusterName,omitempty" protobuf:"bytes,4,opt,name=clusterName"`
+
+	// ExternalServerURLs represents the a list of apiserver urls and ca bundles that is accessible externally
+	// If it is set empty, spoke cluster has no externally accessible url that hub cluster can visit.
+	// +optional
+	ExternalServerURLs []ServerURL `json:"externalServerURLs,omitempty" protobuf:"bytes,5,opt,name=externalServerURLs"`
+}
+
+// ServerURL represents the apiserver url and ca bundle that is accessible externally
+type ServerURL struct {
+	// URL is the url of apiserver endpoint of the spoke cluster.
+	// +required
+	URL string `json:"url" protobuf:"bytes,1,opt,name=url"`
+
+	// CABundle is the ca bundle to connect to apiserver of the spoke cluster.
+	// System certs are used if it is not set.
+	// +optional
+	CABundle []byte `json:"caBundle,omitempty" protobuf:"bytes,2,opt,name=caBundle"`
 }
 
 // SpokeCoreStatus represents the current status of nucleus spoke agent.

vendor/github.com/open-cluster-management/api/nucleus/v1/zz_generated.deepcopy.go

@@ -108,12 +108,33 @@ func (in *HubCoreStatus) DeepCopy() *HubCoreStatus {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ServerURL) DeepCopyInto(out *ServerURL) {
+	*out = *in
+	if in.CABundle != nil {
+		in, out := &in.CABundle, &out.CABundle
+		*out = make([]byte, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServerURL.
+func (in *ServerURL) DeepCopy() *ServerURL {
+	if in == nil {
+		return nil
+	}
+	out := new(ServerURL)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SpokeCore) DeepCopyInto(out *SpokeCore) {
 	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
-	out.Spec = in.Spec
+	in.Spec.DeepCopyInto(&out.Spec)
 	in.Status.DeepCopyInto(&out.Status)
 	return
 }
@@ -172,6 +193,13 @@ func (in *SpokeCoreList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SpokeCoreSpec) DeepCopyInto(out *SpokeCoreSpec) {
 	*out = *in
+	if in.ExternalServerURLs != nil {
+		in, out := &in.ExternalServerURLs, &out.ExternalServerURLs
+		*out = make([]ServerURL, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	return
 }
 

vendor/github.com/open-cluster-management/api/nucleus/v1/zz_generated.swagger_doc_generated.go

@@ -49,6 +49,16 @@ func (HubCoreStatus) SwaggerDoc() map[string]string {
 	return map_HubCoreStatus
 }
 
+var map_ServerURL = map[string]string{
+	"":         "ServerURL represents the apiserver url and ca bundle that is accessible externally",
+	"url":      "URL is the url of apiserver endpoint of the spoke cluster.",
+	"caBundle": "CABundle is the ca bundle to connect to apiserver of the spoke cluster. System certs are used if it is not set.",
+}
+
+func (ServerURL) SwaggerDoc() map[string]string {
+	return map_ServerURL
+}
+
 var map_SpokeCore = map[string]string{
 	"":       "SpokeCore represents a deployment of nucleus core agent on spoke cluster. When the deployment of spoke core agent is deployed, it will requires a secret with the name of bootstrap-hub-kubeconfig in the namespace defined in the spec.",
 	"spec":   "Spec represents the desired deployment configuratioin of nucleus agent.",
@@ -75,6 +85,7 @@ var map_SpokeCoreSpec = map[string]string{
 	"registrationImagePullSpec": "RegistrationImagePullSpec represents the desired image configuration of registration agent.",
 	"workImagePullSpec":         "WorkImagePullSpec represents the desired image configuration of work agent.",
 	"clusterName":               "ClusterName is the name of the spoke cluster to be created on hub. The spoke agent generates a random name if it is not set, or discovers the appropriate cluster name on openshift.",
+	"externalServerURLs":        "ExternalServerURLs represents the a list of apiserver urls and ca bundles that is accessible externally If it is set empty, spoke cluster has no externally accessible url that hub cluster can visit.",
 }
 
 func (SpokeCoreSpec) SwaggerDoc() map[string]string {

vendor/github.com/open-cluster-management/api/work/v1/generated.pb.go

@@ -326,64 +326,64 @@ func init() {
 }
 
 var fileDescriptor_97234883da270a20 = []byte{
-	// 911 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xbc, 0x56, 0x4b, 0x6b, 0x24, 0x45,
-	0x1c, 0x9f, 0x9e, 0xcd, 0x24, 0x93, 0xca, 0x98, 0xdd, 0x2d, 0x96, 0x65, 0xc8, 0xa1, 0x13, 0x5a,
-	0x90, 0x28, 0xa6, 0xda, 0x04, 0x91, 0x3d, 0x88, 0x8f, 0x56, 0x57, 0xc4, 0xcd, 0x2e, 0xd4, 0x06,
-	0x17, 0x44, 0x5c, 0x2b, 0x3d, 0xb5, 0x9d, 0xda, 0x99, 0xae, 0x6a, 0xaa, 0x6a, 0x66, 0xcd, 0x41,
-	0x11, 0x04, 0xf1, 0xe0, 0x41, 0xfc, 0x2c, 0x7e, 0x00, 0x8f, 0x39, 0x2e, 0x78, 0xd9, 0x53, 0x30,
-	0xe3, 0xb7, 0xf0, 0x24, 0x55, 0x5d, 0x5d, 0xdd, 0x33, 0xc9, 0x62, 0x1e, 0xe0, 0x29, 0xe9, 0xff,
-	0xe3, 0xf7, 0xfb, 0xbf, 0x6b, 0xc0, 0x7b, 0x19, 0xd3, 0x07, 0xe3, 0x7d, 0x94, 0x8a, 0x3c, 0x16,
-	0x05, 0xe5, 0x5b, 0xe9, 0x68, 0xac, 0x34, 0x95, 0x5b, 0x39, 0xe1, 0x24, 0xa3, 0x39, 0xe5, 0x3a,
-	0x26, 0x05, 0x8b, 0x9f, 0x09, 0x39, 0x8c, 0x27, 0xdb, 0x71, 0x46, 0x39, 0x95, 0x44, 0xd3, 0x01,
-	0x2a, 0xa4, 0xd0, 0x02, 0xa2, 0xda, 0x1f, 0x19, 0xff, 0xc7, 0xce, 0xff, 0x71, 0xed, 0x8f, 0x48,
-	0xc1, 0x90, 0xf1, 0x47, 0x93, 0xed, 0xb5, 0xad, 0x06, 0x5f, 0x26, 0x32, 0x11, 0x5b, 0x98, 0xfd,
-	0xf1, 0x13, 0xfb, 0x65, 0x3f, 0xec, 0x7f, 0x25, 0xfc, 0xda, 0xdb, 0xc3, 0x3b, 0x0a, 0x31, 0x61,
-	0x42, 0xc8, 0x49, 0x7a, 0xc0, 0x38, 0x95, 0x87, 0x71, 0x31, 0xcc, 0x8c, 0x40, 0xc5, 0x39, 0xd5,
-	0xe4, 0x8c, 0xa0, 0xd6, 0xe2, 0x97, 0x79, 0xc9, 0x31, 0xd7, 0x2c, 0xa7, 0xa7, 0x1c, 0xde, 0xf9,
-	0x2f, 0x07, 0x95, 0x1e, 0xd0, 0x9c, 0xcc, 0xfb, 0x45, 0x0a, 0x74, 0x77, 0x09, 0x67, 0x4f, 0xa8,
-	0xd2, 0x30, 0x03, 0x3d, 0x49, 0x9e, 0x7d, 0xf2, 0xad, 0xa6, 0x5c, 0x31, 0xc1, 0xfb, 0xc1, 0x46,
-	0xb0, 0xb9, 0xb2, 0xb3, 0x85, 0x4a, 0x68, 0xd4, 0x84, 0x46, 0xc5, 0x30, 0x43, 0x0e, 0x1a, 0xe1,
-	0x86, 0x53, 0x72, 0xeb, 0xe8, 0x78, 0xbd, 0x35, 0x3d, 0x5e, 0xef, 0x35, 0xa5, 0x78, 0x06, 0x38,
-	0xfa, 0xb9, 0x0d, 0x6e, 0x56, 0xac, 0x1f, 0x09, 0x3e, 0x60, 0x9a, 0x09, 0x0e, 0xbf, 0x07, 0x3d,
-	0x49, 0x95, 0x18, 0xcb, 0x94, 0xee, 0x52, 0x4d, 0x1c, 0xfd, 0xc7, 0x17, 0xec, 0x0f, 0xaa, 0x80,
-	0x71, 0x03, 0xab, 0x11, 0x55, 0x43, 0x8a, 0x67, 0xf8, 0xa0, 0x02, 0x20, 0xad, 0x82, 0x51, 0xfd,
-	0xf6, 0xc6, 0xb5, 0xcd, 0x95, 0x9d, 0xf7, 0x2f, 0xca, 0xfe, 0x50, 0x13, 0x3d, 0x56, 0x3e, 0xa9,
-	0x04, 0x3a, 0x62, 0xe0, 0x45, 0x0a, 0x37, 0x68, 0xa2, 0xdf, 0xdb, 0xe0, 0xd6, 0x59, 0x11, 0xc3,
-	0xd7, 0xc1, 0x92, 0x90, 0x03, 0xc6, 0xc9, 0xc8, 0x16, 0xa2, 0x93, 0x5c, 0x77, 0x48, 0x4b, 0x0f,
-	0x4a, 0x31, 0xae, 0xf4, 0xf0, 0x55, 0xd0, 0xc9, 0xa4, 0x18, 0x17, 0xfd, 0xf6, 0x46, 0xb0, 0xb9,
-	0x9c, 0xbc, 0xe2, 0x0c, 0x3b, 0x9f, 0x1a, 0x21, 0x2e, 0x75, 0x06, 0x6f, 0x42, 0xa5, 0xed, 0xeb,
-	0x35, 0x6b, 0xe6, 0xf1, 0xbe, 0x28, 0xc5, 0xb8, 0xd2, 0xc3, 0x0d, 0xb0, 0x30, 0x64, 0x7c, 0xd0,
-	0x5f, 0xb0, 0x76, 0x3d, 0x67, 0xb7, 0xf0, 0x39, 0xe3, 0x03, 0x6c, 0x35, 0xf0, 0x4d, 0xd0, 0xad,
-	0x4a, 0xd7, 0xef, 0x58, 0xab, 0x1b, 0xce, 0xaa, 0x5b, 0x25, 0x81, 0xbd, 0x85, 0xc1, 0xe3, 0x24,
-	0xa7, 0xfd, 0xc5, 0x59, 0xbc, 0xfb, 0x24, 0xa7, 0xd8, 0x6a, 0x60, 0x0c, 0x96, 0xcd, 0x5f, 0x55,
-	0x90, 0x94, 0xf6, 0x97, 0xac, 0xd9, 0x4d, 0x67, 0xb6, 0x7c, 0xbf, 0x52, 0xe0, 0xda, 0x26, 0xfa,
-	0x25, 0x00, 0xb7, 0xe7, 0xcb, 0x56, 0x96, 0x1e, 0x4a, 0xb0, 0x9c, 0x3b, 0x4d, 0xd5, 0xc5, 0x0f,
-	0x2f, 0x3b, 0x43, 0x75, 0x1f, 0x7d, 0x38, 0x95, 0x4a, 0xe1, 0x9a, 0x26, 0xfa, 0xa3, 0x0d, 0x7a,
-	0x95, 0xe2, 0x91, 0x90, 0x43, 0xf8, 0x0d, 0xe8, 0x9a, 0xd5, 0x1e, 0x10, 0x3f, 0xc7, 0x6f, 0xbd,
-	0x74, 0x8d, 0xcc, 0x21, 0x40, 0xc6, 0xda, 0x30, 0x3f, 0xd8, 0x7f, 0x4a, 0x53, 0x6d, 0x67, 0xd6,
-	0x8f, 0x4e, 0x2d, 0xc3, 0x1e, 0x15, 0xee, 0x83, 0x05, 0x55, 0xd0, 0xd4, 0xf6, 0x7c, 0x65, 0xe7,
-	0x83, 0xcb, 0x66, 0x68, 0xa2, 0x7d, 0x58, 0xd0, 0xb4, 0x6e, 0x8b, 0xf9, 0xc2, 0x16, 0x1b, 0x3e,
-	0x05, 0x8b, 0xca, 0x16, 0xd5, 0x8e, 0xcc, 0xca, 0x4e, 0x72, 0x25, 0x16, 0x8b, 0x94, 0xac, 0x3a,
-	0x9e, 0xc5, 0xf2, 0x1b, 0x3b, 0x86, 0xe8, 0xcf, 0x00, 0xdc, 0x68, 0x9a, 0xdf, 0x63, 0x4a, 0xc3,
-	0xaf, 0x4e, 0x95, 0x11, 0x9d, 0xaf, 0x8c, 0xc6, 0xdb, 0x16, 0xd1, 0xcf, 0x65, 0x25, 0x69, 0x94,
-	0x90, 0x80, 0x0e, 0xd3, 0x34, 0xaf, 0xa6, 0xe4, 0xdd, 0xab, 0x64, 0x57, 0x6f, 0xdd, 0x67, 0x06,
-	0x12, 0x97, 0xc8, 0xd1, 0x8f, 0x73, 0x59, 0x99, 0xe2, 0x42, 0x01, 0xba, 0x06, 0x62, 0x24, 0xc8,
-	0xc0, 0x65, 0x75, 0xe9, 0x01, 0x55, 0x7b, 0x34, 0x2f, 0x46, 0x44, 0xd3, 0x3a, 0xd1, 0x47, 0x0e,
-	0x1a, 0x7b, 0x92, 0xe8, 0xb7, 0x36, 0x80, 0xa7, 0x5b, 0x31, 0x77, 0xf0, 0x82, 0xff, 0xe5, 0xe0,
-	0xc1, 0x9f, 0x02, 0xb0, 0x2a, 0x67, 0x36, 0xd6, 0x8d, 0xf0, 0xdd, 0xab, 0x1e, 0x7a, 0x37, 0x60,
-	0xb7, 0x5d, 0x00, 0xab, 0xb3, 0x72, 0x3c, 0xc7, 0x1a, 0x7d, 0x57, 0xbf, 0x41, 0xbe, 0x8a, 0xf0,
-	0xa0, 0x79, 0x3c, 0xca, 0x8a, 0xdc, 0xb9, 0x6c, 0x5c, 0x75, 0x4b, 0x7c, 0xa4, 0x8d, 0x93, 0x71,
-	0xdc, 0x06, 0xd7, 0xe7, 0x6a, 0x67, 0x0e, 0xa5, 0x3e, 0x2c, 0xa8, 0x1d, 0x8a, 0xc6, 0xa1, 0xdc,
-	0x3b, 0x2c, 0x28, 0xb6, 0x1a, 0xf8, 0xb5, 0xdf, 0xc8, 0xf2, 0xd6, 0xdf, 0x9d, 0xdd, 0xa6, 0x7f,
-	0x8e, 0xd7, 0xcf, 0xf5, 0x7b, 0x03, 0x79, 0xce, 0xd9, 0x2d, 0x84, 0x13, 0x00, 0x47, 0x44, 0xe9,
-	0x3d, 0x49, 0xb8, 0xb2, 0xfa, 0x3d, 0x96, 0x53, 0xb7, 0xfd, 0x6f, 0x9c, 0x6f, 0xf5, 0x8c, 0x47,
-	0xb2, 0xe6, 0xe2, 0x82, 0xf7, 0x4e, 0xa1, 0xe1, 0x33, 0x18, 0xe0, 0x6b, 0x60, 0x51, 0x52, 0xa2,
-	0x04, 0x77, 0x8f, 0x8e, 0xbf, 0x12, 0xd8, 0x4a, 0xb1, 0xd3, 0x9a, 0x57, 0x2c, 0xa7, 0x4a, 0x91,
-	0xac, 0x7a, 0x77, 0xfc, 0x2b, 0xb6, 0x5b, 0x8a, 0x71, 0xa5, 0x4f, 0x36, 0x8f, 0x4e, 0xc2, 0xd6,
-	0xf3, 0x93, 0xb0, 0xf5, 0xe2, 0x24, 0x6c, 0xfd, 0x30, 0x0d, 0x83, 0xa3, 0x69, 0x18, 0x3c, 0x9f,
-	0x86, 0xc1, 0x8b, 0x69, 0x18, 0xfc, 0x35, 0x0d, 0x83, 0x5f, 0xff, 0x0e, 0x5b, 0x5f, 0xb6, 0x27,
-	0xdb, 0xff, 0x06, 0x00, 0x00, 0xff, 0xff, 0xd8, 0x4c, 0x96, 0x74, 0x42, 0x0a, 0x00, 0x00,
+	// 907 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xbc, 0x56, 0x4b, 0x6f, 0x1b, 0x45,
+	0x1c, 0xf7, 0x6e, 0xe3, 0xc4, 0x99, 0x98, 0xb4, 0x1d, 0x55, 0x95, 0x95, 0xc3, 0x26, 0x5a, 0x24,
+	0x14, 0x10, 0x99, 0x25, 0x11, 0x42, 0x3d, 0x20, 0x1e, 0x0b, 0x14, 0x21, 0x9a, 0x56, 0x9a, 0x46,
+	0x54, 0x42, 0x88, 0x32, 0x59, 0x4f, 0x37, 0x53, 0x7b, 0x67, 0x56, 0x33, 0x63, 0x97, 0x5c, 0x2a,
+	0x24, 0x24, 0xc4, 0x81, 0x03, 0xe2, 0xb3, 0xf0, 0x01, 0x38, 0xe6, 0x58, 0x89, 0x4b, 0x4f, 0x11,
+	0x31, 0xdf, 0x82, 0x13, 0x9a, 0xd9, 0xd9, 0x87, 0xed, 0x54, 0x4d, 0x1d, 0xa9, 0xa7, 0x64, 0xff,
+	0x8f, 0xdf, 0xef, 0xff, 0x1e, 0x83, 0x8f, 0x52, 0xa6, 0x8f, 0x46, 0x87, 0x28, 0x11, 0x59, 0x24,
+	0x72, 0xca, 0x77, 0x92, 0xe1, 0x48, 0x69, 0x2a, 0x77, 0x32, 0xc2, 0x49, 0x4a, 0x33, 0xca, 0x75,
+	0x44, 0x72, 0x16, 0x3d, 0x11, 0x72, 0x10, 0x8d, 0x77, 0xa3, 0x94, 0x72, 0x2a, 0x89, 0xa6, 0x7d,
+	0x94, 0x4b, 0xa1, 0x05, 0x44, 0xb5, 0x3f, 0x32, 0xfe, 0x0f, 0x9d, 0xff, 0xc3, 0xda, 0x1f, 0x91,
+	0x9c, 0x21, 0xe3, 0x8f, 0xc6, 0xbb, 0x1b, 0x3b, 0x0d, 0xbe, 0x54, 0xa4, 0x22, 0xb2, 0x30, 0x87,
+	0xa3, 0x47, 0xf6, 0xcb, 0x7e, 0xd8, 0xff, 0x0a, 0xf8, 0x8d, 0xf7, 0x07, 0xb7, 0x14, 0x62, 0xc2,
+	0x84, 0x90, 0x91, 0xe4, 0x88, 0x71, 0x2a, 0x8f, 0xa3, 0x7c, 0x90, 0x1a, 0x81, 0x8a, 0x32, 0xaa,
+	0xc9, 0x39, 0x41, 0x6d, 0x44, 0x2f, 0xf2, 0x92, 0x23, 0xae, 0x59, 0x46, 0xe7, 0x1c, 0x3e, 0x78,
+	0x99, 0x83, 0x4a, 0x8e, 0x68, 0x46, 0x66, 0xfd, 0x42, 0x05, 0x3a, 0xfb, 0x84, 0xb3, 0x47, 0x54,
+	0x69, 0x98, 0x82, 0xae, 0x24, 0x4f, 0xbe, 0xf8, 0x51, 0x53, 0xae, 0x98, 0xe0, 0x3d, 0x6f, 0xcb,
+	0xdb, 0x5e, 0xdb, 0xdb, 0x41, 0x05, 0x34, 0x6a, 0x42, 0xa3, 0x7c, 0x90, 0x22, 0x07, 0x8d, 0x70,
+	0xc3, 0x29, 0xbe, 0x71, 0x72, 0xba, 0xd9, 0x9a, 0x9c, 0x6e, 0x76, 0x9b, 0x52, 0x3c, 0x05, 0x1c,
+	0xfe, 0xea, 0x83, 0xeb, 0x25, 0xeb, 0x67, 0x82, 0xf7, 0x99, 0x66, 0x82, 0xc3, 0xa7, 0xa0, 0x2b,
+	0xa9, 0x12, 0x23, 0x99, 0xd0, 0x7d, 0xaa, 0x89, 0xa3, 0xff, 0xfc, 0x15, 0xfb, 0x83, 0x4a, 0x60,
+	0xdc, 0xc0, 0x6a, 0x44, 0xd5, 0x90, 0xe2, 0x29, 0x3e, 0xa8, 0x00, 0x48, 0xca, 0x60, 0x54, 0xcf,
+	0xdf, 0xba, 0xb2, 0xbd, 0xb6, 0xf7, 0xf1, 0xab, 0xb2, 0xdf, 0xd7, 0x44, 0x8f, 0x54, 0x95, 0x54,
+	0x0c, 0x1d, 0x31, 0xa8, 0x44, 0x0a, 0x37, 0x68, 0xc2, 0x3f, 0x7d, 0x70, 0xe3, 0xbc, 0x88, 0xe1,
+	0xdb, 0x60, 0x45, 0xc8, 0x3e, 0xe3, 0x64, 0x68, 0x0b, 0xd1, 0x8e, 0xaf, 0x3a, 0xa4, 0x95, 0x7b,
+	0x85, 0x18, 0x97, 0x7a, 0xf8, 0x26, 0x68, 0xa7, 0x52, 0x8c, 0xf2, 0x9e, 0xbf, 0xe5, 0x6d, 0xaf,
+	0xc6, 0x6f, 0x38, 0xc3, 0xf6, 0x97, 0x46, 0x88, 0x0b, 0x9d, 0xc1, 0x1b, 0x53, 0x69, 0xfb, 0x7a,
+	0xc5, 0x9a, 0x55, 0x78, 0xdf, 0x14, 0x62, 0x5c, 0xea, 0xe1, 0x16, 0x58, 0x1a, 0x30, 0xde, 0xef,
+	0x2d, 0x59, 0xbb, 0xae, 0xb3, 0x5b, 0xfa, 0x9a, 0xf1, 0x3e, 0xb6, 0x1a, 0xf8, 0x2e, 0xe8, 0x94,
+	0xa5, 0xeb, 0xb5, 0xad, 0xd5, 0x35, 0x67, 0xd5, 0x29, 0x93, 0xc0, 0x95, 0x85, 0xc1, 0xe3, 0x24,
+	0xa3, 0xbd, 0xe5, 0x69, 0xbc, 0xbb, 0x24, 0xa3, 0xd8, 0x6a, 0x60, 0x04, 0x56, 0xcd, 0x5f, 0x95,
+	0x93, 0x84, 0xf6, 0x56, 0xac, 0xd9, 0x75, 0x67, 0xb6, 0x7a, 0xb7, 0x54, 0xe0, 0xda, 0x26, 0xfc,
+	0xcd, 0x03, 0x37, 0x67, 0xcb, 0x56, 0x94, 0x1e, 0x4a, 0xb0, 0x9a, 0x39, 0x4d, 0xd9, 0xc5, 0x4f,
+	0x17, 0x9d, 0xa1, 0xba, 0x8f, 0x55, 0x38, 0xa5, 0x4a, 0xe1, 0x9a, 0x26, 0xfc, 0xcb, 0x07, 0xdd,
+	0x52, 0xf1, 0x40, 0xc8, 0x01, 0xfc, 0x01, 0x74, 0xcc, 0x6a, 0xf7, 0x49, 0x35, 0xc7, 0xef, 0xbd,
+	0x70, 0x8d, 0xcc, 0x21, 0x40, 0xc6, 0xda, 0x30, 0xdf, 0x3b, 0x7c, 0x4c, 0x13, 0x6d, 0x67, 0xb6,
+	0x1a, 0x9d, 0x5a, 0x86, 0x2b, 0x54, 0x78, 0x08, 0x96, 0x54, 0x4e, 0x13, 0xdb, 0xf3, 0xb5, 0xbd,
+	0x4f, 0x16, 0xcd, 0xd0, 0x44, 0x7b, 0x3f, 0xa7, 0x49, 0xdd, 0x16, 0xf3, 0x85, 0x2d, 0x36, 0x7c,
+	0x0c, 0x96, 0x95, 0x2d, 0xaa, 0x1d, 0x99, 0xb5, 0xbd, 0xf8, 0x52, 0x2c, 0x16, 0x29, 0x5e, 0x77,
+	0x3c, 0xcb, 0xc5, 0x37, 0x76, 0x0c, 0xe1, 0xdf, 0x1e, 0xb8, 0xd6, 0x34, 0xbf, 0xc3, 0x94, 0x86,
+	0xdf, 0xcd, 0x95, 0x11, 0x5d, 0xac, 0x8c, 0xc6, 0xdb, 0x16, 0xb1, 0x9a, 0xcb, 0x52, 0xd2, 0x28,
+	0x21, 0x01, 0x6d, 0xa6, 0x69, 0x56, 0x4e, 0xc9, 0x87, 0x97, 0xc9, 0xae, 0xde, 0xba, 0xaf, 0x0c,
+	0x24, 0x2e, 0x90, 0xc3, 0x9f, 0x67, 0xb2, 0x32, 0xc5, 0x85, 0x02, 0x74, 0x0c, 0xc4, 0x50, 0x90,
+	0xbe, 0xcb, 0x6a, 0xe1, 0x01, 0x55, 0x07, 0x34, 0xcb, 0x87, 0x44, 0xd3, 0x3a, 0xd1, 0x07, 0x0e,
+	0x1a, 0x57, 0x24, 0xe1, 0x1f, 0x3e, 0x80, 0xf3, 0xad, 0x98, 0x39, 0x78, 0xde, 0x6b, 0x39, 0x78,
+	0xf0, 0x17, 0x0f, 0xac, 0xcb, 0xa9, 0x8d, 0x75, 0x23, 0x7c, 0xfb, 0xb2, 0x87, 0xde, 0x0d, 0xd8,
+	0x4d, 0x17, 0xc0, 0xfa, 0xb4, 0x1c, 0xcf, 0xb0, 0x86, 0x4f, 0xeb, 0x37, 0xa8, 0xaa, 0x22, 0x64,
+	0xcd, 0xe3, 0x51, 0x54, 0xe4, 0xd6, 0xa2, 0x71, 0xbd, 0xe4, 0x66, 0x9c, 0xfa, 0xe0, 0xea, 0x4c,
+	0xf1, 0xcc, 0xa5, 0xd4, 0xc7, 0x39, 0xb5, 0x53, 0xd1, 0xb8, 0x94, 0x07, 0xc7, 0x39, 0xc5, 0x56,
+	0x03, 0xbf, 0xaf, 0x56, 0xb2, 0x38, 0xf6, 0xb7, 0xa7, 0xd7, 0xe9, 0xbf, 0xd3, 0xcd, 0x0b, 0xfd,
+	0xe0, 0x40, 0x15, 0xe7, 0xf4, 0x1a, 0xc2, 0x31, 0x80, 0x43, 0xa2, 0xf4, 0x81, 0x24, 0x5c, 0x59,
+	0xfd, 0x01, 0xcb, 0xa8, 0x5b, 0xff, 0x77, 0x2e, 0xb6, 0x7b, 0xc6, 0x23, 0xde, 0x70, 0x71, 0xc1,
+	0x3b, 0x73, 0x68, 0xf8, 0x1c, 0x06, 0xf8, 0x16, 0x58, 0x96, 0x94, 0x28, 0xc1, 0xdd, 0xab, 0x53,
+	0x9d, 0x09, 0x6c, 0xa5, 0xd8, 0x69, 0xcd, 0x33, 0x96, 0x51, 0xa5, 0x48, 0x5a, 0x3e, 0x3c, 0xd5,
+	0x33, 0xb6, 0x5f, 0x88, 0x71, 0xa9, 0x8f, 0xb7, 0x4f, 0xce, 0x82, 0xd6, 0xb3, 0xb3, 0xa0, 0xf5,
+	0xfc, 0x2c, 0x68, 0xfd, 0x34, 0x09, 0xbc, 0x93, 0x49, 0xe0, 0x3d, 0x9b, 0x04, 0xde, 0xf3, 0x49,
+	0xe0, 0xfd, 0x33, 0x09, 0xbc, 0xdf, 0xff, 0x0d, 0x5a, 0xdf, 0xfa, 0xe3, 0xdd, 0xff, 0x03, 0x00,
+	0x00, 0xff, 0xff, 0x49, 0x87, 0xf8, 0xee, 0x43, 0x0a, 0x00, 0x00,
 }
 
 func (m *Manifest) Marshal() (dAtA []byte, err error) {
@@ -759,10 +759,10 @@ func (m *ManifestsTemplate) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 	_ = i
 	var l int
 	_ = l
-	if len(m.Manifest) > 0 {
-		for iNdEx := len(m.Manifest) - 1; iNdEx >= 0; iNdEx-- {
+	if len(m.Manifests) > 0 {
+		for iNdEx := len(m.Manifests) - 1; iNdEx >= 0; iNdEx-- {
 			{
-				size, err := m.Manifest[iNdEx].MarshalToSizedBuffer(dAtA[:i])
+				size, err := m.Manifests[iNdEx].MarshalToSizedBuffer(dAtA[:i])
 				if err != nil {
 					return 0, err
 				}
@@ -971,8 +971,8 @@ func (m *ManifestsTemplate) Size() (n int) {
 	}
 	var l int
 	_ = l
-	if len(m.Manifest) > 0 {
-		for _, e := range m.Manifest {
+	if len(m.Manifests) > 0 {
+		for _, e := range m.Manifests {
 			l = e.Size()
 			n += 1 + l + sovGenerated(uint64(l))
 		}
@@ -1120,13 +1120,13 @@ func (this *ManifestsTemplate) String() string {
 	if this == nil {
 		return "nil"
 	}
-	repeatedStringForManifest := "[]Manifest{"
-	for _, f := range this.Manifest {
-		repeatedStringForManifest += strings.Replace(strings.Replace(f.String(), "Manifest", "Manifest", 1), `&`, ``, 1) + ","
+	repeatedStringForManifests := "[]Manifest{"
+	for _, f := range this.Manifests {
+		repeatedStringForManifests += strings.Replace(strings.Replace(f.String(), "Manifest", "Manifest", 1), `&`, ``, 1) + ","
 	}
-	repeatedStringForManifest += "}"
+	repeatedStringForManifests += "}"
 	s := strings.Join([]string{`&ManifestsTemplate{`,
-		`Manifest:` + repeatedStringForManifest + `,`,
+		`Manifests:` + repeatedStringForManifests + `,`,
 		`}`,
 	}, "")
 	return s
@@ -2219,7 +2219,7 @@ func (m *ManifestsTemplate) Unmarshal(dAtA []byte) error {
 		switch fieldNum {
 		case 1:
 			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field Manifest", wireType)
+				return fmt.Errorf("proto: wrong wireType = %d for field Manifests", wireType)
 			}
 			var msglen int
 			for shift := uint(0); ; shift += 7 {
@@ -2246,8 +2246,8 @@ func (m *ManifestsTemplate) Unmarshal(dAtA []byte) error {
 			if postIndex > l {
 				return io.ErrUnexpectedEOF
 			}
-			m.Manifest = append(m.Manifest, Manifest{})
-			if err := m.Manifest[len(m.Manifest)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+			m.Manifests = append(m.Manifests, Manifest{})
+			if err := m.Manifests[len(m.Manifests)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
 				return err
 			}
 			iNdEx = postIndex

vendor/github.com/open-cluster-management/api/work/v1/types.go

@@ -66,7 +66,7 @@ type Manifest struct {
 type ManifestsTemplate struct {
 	// Manifests represents a list of kuberenetes resources to be deployed on the spoke cluster.
 	// +optional
-	Manifest []Manifest `json:"manifests,omitempty" protobuf:"bytes,1,rep,name=manifests"`
+	Manifests []Manifest `json:"manifests,omitempty" protobuf:"bytes,1,rep,name=manifests"`
 }
 
 // ManifestResourceMeta represents the gvk, gvr, name and namespace of a resoure

vendor/github.com/open-cluster-management/api/work/v1/zz_generated.deepcopy.go

@@ -193,8 +193,8 @@ func (in *ManifestWorkStatus) DeepCopy() *ManifestWorkStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ManifestsTemplate) DeepCopyInto(out *ManifestsTemplate) {
 	*out = *in
-	if in.Manifest != nil {
-		in, out := &in.Manifest, &out.Manifest
+	if in.Manifests != nil {
+		in, out := &in.Manifests, &out.Manifests
 		*out = make([]Manifest, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])

vendor/modules.txt

@@ -89,7 +89,7 @@ github.com/modern-go/concurrent
 github.com/modern-go/reflect2
 # github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822
 github.com/munnerz/goautoneg
-# github.com/open-cluster-management/api v0.0.0-20200512021938-5f0d5c12ea67
+# github.com/open-cluster-management/api v0.0.0-20200512175145-bed9ce79e17e
 github.com/open-cluster-management/api/client/nucleus/clientset/versioned
 github.com/open-cluster-management/api/client/nucleus/clientset/versioned/fake
 github.com/open-cluster-management/api/client/nucleus/clientset/versioned/scheme