diff --git a/operator/v1/0000_70_dns-operator_00.crd.yaml b/operator/v1/0000_70_dns-operator_00.crd.yaml index 158a99bd7ae..26bfa6974fc 100644 --- a/operator/v1/0000_70_dns-operator_00.crd.yaml +++ b/operator/v1/0000_70_dns-operator_00.crd.yaml @@ -160,6 +160,24 @@ spec: description: forwardPlugin defines a schema for configuring CoreDNS to proxy DNS messages to upstream resolvers. properties: + caBundle: + description: "caBundle references a ConfigMap that must + contain either a single CA Certificate or a CA Bundle + (in the case of multiple upstreams signed by different + CAs). This allows cluster administrators to provide their + own CA or CA bundle for validating the certificate of + upstream resolvers. \n 1. The configmap must contain a + `cabundle.crt` key 2. The value must be a PEM encoded + certificate or bundle. 3. The administrator must create + this configmap in the openshift-config namespace." + properties: + name: + description: name is the metadata.name of the referenced + config map + type: string + required: + - name + type: object policy: default: Random description: "policy is used to determine the order in which 
@@ -176,6 +194,23 @@ spec: - RoundRobin - Sequential type: string + serverName: + description: serverName is the upstream server to connect + to for DNS resolution. This is required when Transport + is set to "tls" + pattern: ^([a-zA-Z0-9\p{S}\p{L}]((-?[a-zA-Z0-9\p{S}\p{L}]{0,62})?)|([a-zA-Z0-9\p{S}\p{L}](([a-zA-Z0-9-\p{S}\p{L}]{0,61}[a-zA-Z0-9\p{S}\p{L}])?)(\.)){1,}([a-zA-Z0-9-\p{L}]){2,63})$ + type: string + transport: + description: transport allows cluster administrators to + opt-in to using a DNS-over-TLS connection between cluster + DNS and an upstream resolver(s). Configuring TLS as the + transport at this level without configuring a CABundle + will result in the system certificates being used to verify + the serving certificate of the upstream resolver(s). + enum: + - tls + - cleartext + type: string upstreams: description: "upstreams is a list of resolvers to forward name queries for subdomains of Zones. Each instance of @@ -213,6 +248,23 @@ spec: default (\".\") server \n If this field is not specified, the upstream used will default to /etc/resolv.conf, with policy \"sequential\"" properties: + caBundle: + description: "caBundle references a ConfigMap that must contain + either a single CA Certificate or a CA Bundle (in the case of + multiple upstreams signed by different CAs). This allows cluster + administrators to provide their own CA or CA bundle for validating + the certificate of upstream resolvers. \n 1. The configmap must + contain a `cabundle.crt` key 2. The value must be a PEM encoded + certificate or bundle. 3. The administrator must create this + configmap in the openshift-config namespace." + properties: + name: + description: name is the metadata.name of the referenced config + map + type: string + required: + - name + type: object policy: default: Sequential description: "Policy is used to determine the order in which upstream 
@@ -228,6 +280,22 @@ spec: - RoundRobin - Sequential type: string + serverName: + description: serverName is the upstream server to connect to for + DNS resolution. This is required when Transport is set to "tls" + pattern: ^([a-zA-Z0-9\p{S}\p{L}]((-?[a-zA-Z0-9\p{S}\p{L}]{0,62})?)|([a-zA-Z0-9\p{S}\p{L}](([a-zA-Z0-9-\p{S}\p{L}]{0,61}[a-zA-Z0-9\p{S}\p{L}])?)(\.)){1,}([a-zA-Z0-9-\p{L}]){2,63})$ + type: string + transport: + description: transport allows cluster administrators to opt-in + to using a DNS-over-TLS connection between cluster DNS and an + upstream resolver(s). Configuring TLS as the transport at this + level without configuring a CABundle will result in the system + certificates being used to verify the serving certificate of + the upstream resolver(s). + enum: + - tls + - cleartext + type: string upstreams: default: - type: SystemResolvConf diff --git a/operator/v1/types_dns.go b/operator/v1/types_dns.go index c05a826cdf7..670e09120b7 100644 --- a/operator/v1/types_dns.go +++ b/operator/v1/types_dns.go @@ -1,6 +1,7 @@ package v1 import ( + v1 "github.com/openshift/api/config/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" corev1 "k8s.io/api/core/v1" @@ -130,6 +131,19 @@ type Server struct { ForwardPlugin ForwardPlugin `json:"forwardPlugin"` } +// DNSTransport is indicates what type of connection should be used +// +kubebuilder:validation:Enum=tls;cleartext +type DNSTransport string + +const ( + // TLSTransport indicates that TLS should be used for the connection + TLSTransport DNSTransport = "tls" + + // CleartextTransport indicates that no encryption should be used for + // the connection. + CleartextTransport DNSTransport = "cleartext" +) + // ForwardingPolicy is the policy to use when forwarding DNS requests. // +kubebuilder:validation:Enum=Random;RoundRobin;Sequential type ForwardingPolicy string 
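Review bot: The new import `v1 "github.com/openshift/api/config/v1"` reuses the name of the package it is imported into (`package v1`), so every use such as `v1.ConfigMapNameReference` reads as a self-reference, and it departs from the file's own `metav1`/`corev1` aliasing convention. Aliasing it `configv1 "github.com/openshift/api/config/v1"` and writing `CABundle configv1.ConfigMapNameReference` in the two struct hunks that follow (ForwardPlugin and UpstreamResolvers) would make the type's origin obvious at the use site. The import block continues past the end of this hunk.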
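Review bot: The type comment `// DNSTransport is indicates what type of connection should be used` has a grammar slip and does not say what the zero value means, although the fields of this type are `+optional` with no `+kubebuilder:default` in the later hunks, so an unset `transport` reaches consumers as the empty string rather than `tls` or `cleartext`. Suggest `// DNSTransport indicates the type of connection used between cluster DNS and an upstream resolver.` followed by one sentence stating how the empty value is treated (presumably as cleartext, to be confirmed with the operator that consumes it), so readers do not have to guess whether "unset" means unencrypted. For consistency with the `ForwardingPolicy` comments in the context lines, the `TLSTransport` comment should also end with a period.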
@@ -170,6 +184,35 @@ type ForwardPlugin struct { // +optional // +kubebuilder:default:="Random" Policy ForwardingPolicy `json:"policy,omitempty"` + + // transport allows cluster administrators to opt-in to using a DNS-over-TLS + // connection between cluster DNS and an upstream resolver(s). Configuring + // TLS as the transport at this level without configuring a CABundle will + // result in the system certificates being used to verify the serving + // certificate of the upstream resolver(s). + // + // +optional + Transport DNSTransport `json:"transport,omitempty"` + + // caBundle references a ConfigMap that must contain either a single + // CA Certificate or a CA Bundle (in the case of multiple upstreams signed + // by different CAs). This allows cluster administrators to provide their + // own CA or CA bundle for validating the certificate of upstream resolvers. + // + // 1. The configmap must contain a `cabundle.crt` key + // 2. The value must be a PEM encoded certificate or bundle. + // 3. The administrator must create this configmap in the openshift-config namespace. + // + // +optional + // +kubebuilder:validation:Optional + CABundle v1.ConfigMapNameReference `json:"caBundle,omitempty"` + + // serverName is the upstream server to connect to for DNS resolution. + // This is required when Transport is set to "tls" + // + // +optional + // +kubebuilder:validation:Pattern=`^([a-zA-Z0-9\p{S}\p{L}]((-?[a-zA-Z0-9\p{S}\p{L}]{0,62})?)|([a-zA-Z0-9\p{S}\p{L}](([a-zA-Z0-9-\p{S}\p{L}]{0,61}[a-zA-Z0-9\p{S}\p{L}])?)(\.)){1,}([a-zA-Z0-9-\p{L}]){2,63})$` + ServerName string `json:"serverName,omitempty"` } // UpstreamResolvers defines a schema for configuring the CoreDNS forward plugin in the 
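Review bot: The `+kubebuilder:validation:Pattern` on `ServerName` admits `\p{S}` (Unicode symbol characters such as `$`, `|`, `^`) in every label but the last, so strings that can never be a DNS hostname pass API validation even though this value is the name the upstream resolver's certificate is verified against; dropping `\p{S}` from the three occurrences of `[a-zA-Z0-9\p{S}\p{L}]` (keeping `\p{L}` if internationalised names are intended) also makes the pattern consistent with its own final-label class `[a-zA-Z0-9-\p{L}]`. "This is required when Transport is set to "tls"" exists only in the comment: nothing in the hunk rejects `transport: tls` with an empty `serverName`, so either add a struct-level rule if this repo's controller-gen supports `+kubebuilder:validation:XValidation` markers, or the consuming operator must treat that combination as invalid rather than opening a TLS session with no name to verify, and the comment should say which. Note also that `CABundle` is a value-typed `ConfigMapNameReference` with `omitempty`, which encoding/json never honours for structs, so serialized objects always carry `caBundle: {name: ""}` and the generated CRD's `required: [name]` is satisfied by the empty string; the comment should state that an empty name means "no bundle configured" (system roots). The same three points apply verbatim to the UpstreamResolvers hunk that follows; both enclosing struct definitions start outside their hunks.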
@@ -203,6 +246,35 @@ type UpstreamResolvers struct { // +optional // +kubebuilder:default="Sequential" Policy ForwardingPolicy `json:"policy,omitempty"` + + // transport allows cluster administrators to opt-in to using a DNS-over-TLS + // connection between cluster DNS and an upstream resolver(s). Configuring + // TLS as the transport at this level without configuring a CABundle will + // result in the system certificates being used to verify the serving + // certificate of the upstream resolver(s). + // + // +optional + Transport DNSTransport `json:"transport,omitempty"` + + // caBundle references a ConfigMap that must contain either a single + // CA Certificate or a CA Bundle (in the case of multiple upstreams signed + // by different CAs). This allows cluster administrators to provide their + // own CA or CA bundle for validating the certificate of upstream resolvers. + // + // 1. The configmap must contain a `cabundle.crt` key + // 2. The value must be a PEM encoded certificate or bundle. + // 3. The administrator must create this configmap in the openshift-config namespace. + // + // +optional + // +kubebuilder:validation:Optional + CABundle v1.ConfigMapNameReference `json:"caBundle,omitempty"` + + // serverName is the upstream server to connect to for DNS resolution. + // This is required when Transport is set to "tls" + // + // +optional + // +kubebuilder:validation:Pattern=`^([a-zA-Z0-9\p{S}\p{L}]((-?[a-zA-Z0-9\p{S}\p{L}]{0,62})?)|([a-zA-Z0-9\p{S}\p{L}](([a-zA-Z0-9-\p{S}\p{L}]{0,61}[a-zA-Z0-9\p{S}\p{L}])?)(\.)){1,}([a-zA-Z0-9-\p{L}]){2,63})$` + ServerName string `json:"serverName,omitempty"` } // Upstream can either be of type SystemResolvConf, or of type Network. diff --git a/operator/v1/zz_generated.deepcopy.go b/operator/v1/zz_generated.deepcopy.go index 23859af6d2b..a9043450859 100644 --- a/operator/v1/zz_generated.deepcopy.go +++ b/operator/v1/zz_generated.deepcopy.go 
@@ -1235,6 +1235,7 @@ func (in *ForwardPlugin) DeepCopyInto(out *ForwardPlugin) {
 *out = make([]string, len(*in))
 copy(*out, *in)
 }
+ out.CABundle = in.CABundle
 return
 }
@@ -3743,6 +3744,7 @@ func (in *UpstreamResolvers) DeepCopyInto(out *UpstreamResolvers) {
 *out = make([]Upstream, len(*in))
 copy(*out, *in)
 }
+ out.CABundle = in.CABundle
 return
 }
diff --git a/operator/v1/zz_generated.swagger_doc_generated.go b/operator/v1/zz_generated.swagger_doc_generated.go
index e42c685eb9b..5f02508a9d8 100644
--- a/operator/v1/zz_generated.swagger_doc_generated.go
+++ b/operator/v1/zz_generated.swagger_doc_generated.go
@@ -447,9 +447,12 @@ func (DNSStatus) SwaggerDoc() map[string]string { } var map_ForwardPlugin = map[string]string{ - "": "ForwardPlugin defines a schema for configuring the CoreDNS forward plugin.", - "upstreams": "upstreams is a list of resolvers to forward name queries for subdomains of Zones. Each instance of CoreDNS performs health checking of Upstreams. When a healthy upstream returns an error during the exchange, another resolver is tried from Upstreams. The Upstreams are selected in the order specified in Policy. Each upstream is represented by an IP address or IP:port if the upstream listens on a port other than 53.\n\nA maximum of 15 upstreams is allowed per ForwardPlugin.", - "policy": "policy is used to determine the order in which upstream servers are selected for querying. Any one of the following values may be specified:\n\n* \"Random\" picks a random upstream server for each query. * \"RoundRobin\" picks upstream servers in a round-robin order, moving to the next server for each new query. * \"Sequential\" tries querying upstream servers in a sequential order until one responds, starting with the first server for each new query.\n\nThe default value is \"Random\"", + "": "ForwardPlugin defines a schema for configuring the CoreDNS forward plugin.", + "upstreams": "upstreams is a list of resolvers to forward name queries for subdomains of Zones. Each instance of CoreDNS performs health checking of Upstreams. When a healthy upstream returns an error during the exchange, another resolver is tried from Upstreams. The Upstreams are selected in the order specified in Policy. Each upstream is represented by an IP address or IP:port if the upstream listens on a port other than 53.\n\nA maximum of 15 upstreams is allowed per ForwardPlugin.", + "policy": "policy is used to determine the order in which upstream servers are selected for querying. Any one of the following values may be specified:\n\n* \"Random\" picks a random upstream server for each query. 
* \"RoundRobin\" picks upstream servers in a round-robin order, moving to the next server for each new query. * \"Sequential\" tries querying upstream servers in a sequential order until one responds, starting with the first server for each new query.\n\nThe default value is \"Random\"", + "transport": "transport allows cluster administrators to opt-in to using a DNS-over-TLS connection between cluster DNS and an upstream resolver(s). Configuring TLS as the transport at this level without configuring a CABundle will result in the system certificates being used to verify the serving certificate of the upstream resolver(s).", + "caBundle": "caBundle references a ConfigMap that must contain either a single CA Certificate or a CA Bundle (in the case of multiple upstreams signed by different CAs). This allows cluster administrators to provide their own CA or CA bundle for validating the certificate of upstream resolvers.\n\n1. The configmap must contain a `cabundle.crt` key 2. The value must be a PEM encoded certificate or bundle. 3. The administrator must create this configmap in the openshift-config namespace.", + "serverName": "serverName is the upstream server to connect to for DNS resolution. This is required when Transport is set to \"tls\"", } func (ForwardPlugin) SwaggerDoc() map[string]string { 
@@ -479,9 +482,12 @@ func (Upstream) SwaggerDoc() map[string]string { } var map_UpstreamResolvers = map[string]string{ - "": "UpstreamResolvers defines a schema for configuring the CoreDNS forward plugin in the specific case of the default (\".\") server. It defers from ForwardPlugin in the default values it accepts: * At least one upstream should be specified. * the default policy is Sequential", - "upstreams": "Upstreams is a list of resolvers to forward name queries for the \".\" domain. Each instance of CoreDNS performs health checking of Upstreams. When a healthy upstream returns an error during the exchange, another resolver is tried from Upstreams. The Upstreams are selected in the order specified in Policy.\n\nA maximum of 15 upstreams is allowed per ForwardPlugin. If no Upstreams are specified, /etc/resolv.conf is used by default", - "policy": "Policy is used to determine the order in which upstream servers are selected for querying. Any one of the following values may be specified:\n\n* \"Random\" picks a random upstream server for each query. * \"RoundRobin\" picks upstream servers in a round-robin order, moving to the next server for each new query. * \"Sequential\" tries querying upstream servers in a sequential order until one responds, starting with the first server for each new query.\n\nThe default value is \"Sequential\"", + "": "UpstreamResolvers defines a schema for configuring the CoreDNS forward plugin in the specific case of the default (\".\") server. It defers from ForwardPlugin in the default values it accepts: * At least one upstream should be specified. * the default policy is Sequential", + "upstreams": "Upstreams is a list of resolvers to forward name queries for the \".\" domain. Each instance of CoreDNS performs health checking of Upstreams. When a healthy upstream returns an error during the exchange, another resolver is tried from Upstreams. 
The Upstreams are selected in the order specified in Policy.\n\nA maximum of 15 upstreams is allowed per ForwardPlugin. If no Upstreams are specified, /etc/resolv.conf is used by default", + "policy": "Policy is used to determine the order in which upstream servers are selected for querying. Any one of the following values may be specified:\n\n* \"Random\" picks a random upstream server for each query. * \"RoundRobin\" picks upstream servers in a round-robin order, moving to the next server for each new query. * \"Sequential\" tries querying upstream servers in a sequential order until one responds, starting with the first server for each new query.\n\nThe default value is \"Sequential\"", + "transport": "transport allows cluster administrators to opt-in to using a DNS-over-TLS connection between cluster DNS and an upstream resolver(s). Configuring TLS as the transport at this level without configuring a CABundle will result in the system certificates being used to verify the serving certificate of the upstream resolver(s).", + "caBundle": "caBundle references a ConfigMap that must contain either a single CA Certificate or a CA Bundle (in the case of multiple upstreams signed by different CAs). This allows cluster administrators to provide their own CA or CA bundle for validating the certificate of upstream resolvers.\n\n1. The configmap must contain a `cabundle.crt` key 2. The value must be a PEM encoded certificate or bundle. 3. The administrator must create this configmap in the openshift-config namespace.", + "serverName": "serverName is the upstream server to connect to for DNS resolution. This is required when Transport is set to \"tls\"", } func (UpstreamResolvers) SwaggerDoc() map[string]string {