-
Notifications
You must be signed in to change notification settings - Fork 535
/
types_apiserver.go
158 lines (140 loc) · 7.08 KB
/
types_apiserver.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
package v1
import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
// +genclient
// +genclient:nonNamespaced
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// APIServer holds configuration (like serving certificates, client CA and CORS domains)
// shared by all API servers in the system, among them especially kube-apiserver
// and openshift-apiserver. The canonical name of an instance is 'cluster'.
type APIServer struct {
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty"`
// spec holds user settable values for configuration
// +kubebuilder:validation:Required
// +required
Spec APIServerSpec `json:"spec"`
// status holds observed values from the cluster. They may not be overridden.
// +optional
Status APIServerStatus `json:"status"`
}
type APIServerSpec struct {
// servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates
// will be used for serving secure traffic.
// +optional
ServingCerts APIServerServingCerts `json:"servingCerts"`
// clientCA references a ConfigMap containing a certificate bundle for the signers that will be recognized for
// incoming client certificates in addition to the operator managed signers. If this is empty, then only operator managed signers are valid.
// You usually only have to set this if you have your own PKI you wish to honor client certificates from.
// The ConfigMap must exist in the openshift-config namespace and contain the following required fields:
// - ConfigMap.Data["ca-bundle.crt"] - CA bundle.
// +optional
ClientCA ConfigMapNameReference `json:"clientCA"`
// additionalCORSAllowedOrigins lists additional, user-defined regular expressions describing hosts for which the
// API server allows access using the CORS headers. This may be needed to access the API and the integrated OAuth
// server from JavaScript applications.
// The values are regular expressions that correspond to the Golang regular expression language.
// +optional
AdditionalCORSAllowedOrigins []string `json:"additionalCORSAllowedOrigins,omitempty"`
// encryption allows the configuration of encryption of resources at the datastore layer.
// +optional
Encryption APIServerEncryption `json:"encryption"`
// tlsSecurityProfile specifies settings for TLS connections for externally exposed servers.
//
// If unset, a default (which may change between releases) is chosen. Note that only Old and
// Intermediate profiles are currently supported, and the maximum available MinTLSVersions
// is VersionTLS12.
// +optional
TLSSecurityProfile *TLSSecurityProfile `json:"tlsSecurityProfile,omitempty"`
// audit specifies the settings for audit configuration to be applied to all OpenShift-provided
// API servers in the cluster.
// +optional
// +kubebuilder:default={profile: Default}
Audit Audit `json:"audit"`
}
// AuditProfileType defines the audit policy profile type.
// +kubebuilder:validation:Enum=Default;WriteRequestBodies;AllRequestBodies
type AuditProfileType string
const (
// "Default" is the existing default audit configuration policy.
AuditProfileDefaultType AuditProfileType = "Default"
// "WriteRequestBodies" is similar to Default but it logs request and response
// HTTP payloads for write requests (create, update, patch)
WriteRequestBodiesAuditProfileType AuditProfileType = "WriteRequestBodies"
// "AllRequestBodies" is similar to WriteRequestBodies, but also logs request
// and response HTTP payloads for read requests (get, list).
AllRequestBodiesAuditProfileType AuditProfileType = "AllRequestBodies"
)
type Audit struct {
// profile specifies the name of the desired audit policy configuration to be deployed to
// all OpenShift-provided API servers in the cluster.
//
// The following profiles are provided:
// - Default: the existing default policy.
// - WriteRequestBodies: like 'Default', but logs request and response HTTP payloads for
// write requests (create, update, patch).
// - AllRequestBodies: like 'WriteRequestBodies', but also logs request and response
// HTTP payloads for read requests (get, list).
//
// If unset, the 'Default' profile is used as the default.
// +kubebuilder:default=Default
Profile AuditProfileType `json:"profile,omitempty"`
}
type APIServerServingCerts struct {
// namedCertificates references secrets containing the TLS cert info for serving secure traffic to specific hostnames.
// If no named certificates are provided, or no named certificates match the server name as understood by a client,
// the defaultServingCertificate will be used.
// +optional
NamedCertificates []APIServerNamedServingCert `json:"namedCertificates,omitempty"`
}
// APIServerNamedServingCert maps a server DNS name, as understood by a client, to a certificate.
type APIServerNamedServingCert struct {
// names is a optional list of explicit DNS names (leading wildcards allowed) that should use this certificate to
// serve secure traffic. If no names are provided, the implicit names will be extracted from the certificates.
// Exact names trump over wildcard names. Explicit names defined here trump over extracted implicit names.
// +optional
Names []string `json:"names,omitempty"`
// servingCertificate references a kubernetes.io/tls type secret containing the TLS cert info for serving secure traffic.
// The secret must exist in the openshift-config namespace and contain the following required fields:
// - Secret.Data["tls.key"] - TLS private key.
// - Secret.Data["tls.crt"] - TLS certificate.
ServingCertificate SecretNameReference `json:"servingCertificate"`
}
type APIServerEncryption struct {
// type defines what encryption type should be used to encrypt resources at the datastore layer.
// When this field is unset (i.e. when it is set to the empty string), identity is implied.
// The behavior of unset can and will change over time. Even if encryption is enabled by default,
// the meaning of unset may change to a different encryption type based on changes in best practices.
//
// When encryption is enabled, all sensitive resources shipped with the platform are encrypted.
// This list of sensitive resources can and will change over time. The current authoritative list is:
//
// 1. secrets
// 2. configmaps
// 3. routes.route.openshift.io
// 4. oauthaccesstokens.oauth.openshift.io
// 5. oauthauthorizetokens.oauth.openshift.io
//
// +unionDiscriminator
// +optional
Type EncryptionType `json:"type,omitempty"`
}
// +kubebuilder:validation:Enum="";identity;aescbc
type EncryptionType string
const (
// identity refers to a type where no encryption is performed at the datastore layer.
// Resources are written as-is without encryption.
EncryptionTypeIdentity EncryptionType = "identity"
// aescbc refers to a type where AES-CBC with PKCS#7 padding and a 32-byte key
// is used to perform encryption at the datastore layer.
EncryptionTypeAESCBC EncryptionType = "aescbc"
)
type APIServerStatus struct {
}
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
type APIServerList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata"`
Items []APIServer `json:"items"`
}