From 4c5c71845aa0c66073b408121c9024a203439a8f Mon Sep 17 00:00:00 2001
From: Mulham Raee
Date: Mon, 23 Oct 2023 13:03:34 +0200
Subject: [PATCH] validate accessTokenInactivityTimeout >= 300s
---
 api/v1beta1/hostedcluster_types.go | 1 +
 .../hypershift.openshift.io_hostedclusters.yaml | 6 ++++++
 .../hypershift.openshift.io_hostedcontrolplanes.yaml | 6 ++++++
 hack/app-sre/saas_template.yaml | 12 ++++++++++++
 4 files changed, 25 insertions(+)
diff --git a/api/v1beta1/hostedcluster_types.go b/api/v1beta1/hostedcluster_types.go
index 08b3e5a2e1..e9968cc3a2 100644
--- a/api/v1beta1/hostedcluster_types.go
+++ b/api/v1beta1/hostedcluster_types.go
@@ -2096,6 +2096,7 @@ type ClusterConfiguration struct {
 // It is used to configure the integrated OAuth server.
 // This configuration is only honored when the top level Authentication config has type set to IntegratedOAuth.
 // +optional
+ // +kubebuilder:validation:XValidation:rule="!has(self.tokenConfig.accessTokenInactivityTimeout) || duration(self.tokenConfig.accessTokenInactivityTimeout).getSeconds() >= 300", message="spec.configuration.oauth.tokenConfig.accessTokenInactivityTimeout minimum acceptable token timeout value is 300 seconds"
 OAuth *configv1.OAuthSpec `json:"oauth,omitempty"`
 // Scheduler holds cluster-wide config information to run the Kubernetes Scheduler
diff --git a/cmd/install/assets/hypershift-operator/hypershift.openshift.io_hostedclusters.yaml b/cmd/install/assets/hypershift-operator/hypershift.openshift.io_hostedclusters.yaml
index 1fa8a39f46..941411e90c 100644
--- a/cmd/install/assets/hypershift-operator/hypershift.openshift.io_hostedclusters.yaml
+++ b/cmd/install/assets/hypershift-operator/hypershift.openshift.io_hostedclusters.yaml
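Review bot: The XValidation marker added above the `OAuth` field guards only the last path segment: `has(self.tokenConfig.accessTokenInactivityTimeout)` first evaluates `self.tokenConfig`, so if the generated schema does not mark `tokenConfig` as required, an OAuth spec that omits it makes the rule error instead of short-circuiting, and the API server reports that error as a validation failure rather than admitting the object. A form that is safe either way is `rule="!has(self.tokenConfig) || !has(self.tokenConfig.accessTokenInactivityTimeout) || duration(self.tokenConfig.accessTokenInactivityTimeout).getSeconds() >= 300"`, with the same message. The marker line also deserves a short why-comment above it that records where the 300-second floor comes from, for example `// Reject tokenConfig.accessTokenInactivityTimeout values below 300s at admission; keep this floor in sync with whatever the integrated OAuth server requires.`. As far as I can tell this check runs only on create/update of HostedCluster and HostedControlPlane objects, so objects already persisted with a shorter timeout are not re-validated until their next write, which is worth calling out if the floor is meant to be retroactive. The enclosing `ClusterConfiguration` struct starts and ends outside the hunk.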
@@ -5614,6 +5614,12 @@ spec: type: integer type: object type: object + x-kubernetes-validations: + - message: spec.configuration.oauth.tokenConfig.accessTokenInactivityTimeout + minimum acceptable token timeout value is 300 seconds + rule: '!has(self.tokenConfig.accessTokenInactivityTimeout) || + duration(self.tokenConfig.accessTokenInactivityTimeout).getSeconds() + >= 300' proxy: description: Proxy holds cluster-wide information on how to configure default proxies for the cluster.
diff --git a/cmd/install/assets/hypershift-operator/hypershift.openshift.io_hostedcontrolplanes.yaml b/cmd/install/assets/hypershift-operator/hypershift.openshift.io_hostedcontrolplanes.yaml
index 70f6c3d724..4c090433b3 100644
--- a/cmd/install/assets/hypershift-operator/hypershift.openshift.io_hostedcontrolplanes.yaml
+++ b/cmd/install/assets/hypershift-operator/hypershift.openshift.io_hostedcontrolplanes.yaml
@@ -5594,6 +5594,12 @@ spec: type: integer type: object type: object + x-kubernetes-validations: + - message: spec.configuration.oauth.tokenConfig.accessTokenInactivityTimeout + minimum acceptable token timeout value is 300 seconds + rule: '!has(self.tokenConfig.accessTokenInactivityTimeout) || + duration(self.tokenConfig.accessTokenInactivityTimeout).getSeconds() + >= 300' proxy: description: Proxy holds cluster-wide information on how to configure default proxies for the cluster.
diff --git a/hack/app-sre/saas_template.yaml b/hack/app-sre/saas_template.yaml
index 4893ea03f3..1310dd8296 100644
--- a/hack/app-sre/saas_template.yaml
+++ b/hack/app-sre/saas_template.yaml
@@ -35589,6 +35589,12 @@ objects: type: integer type: object type: object + x-kubernetes-validations: + - message: spec.configuration.oauth.tokenConfig.accessTokenInactivityTimeout + minimum acceptable token timeout value is 300 seconds + rule: '!has(self.tokenConfig.accessTokenInactivityTimeout) + || duration(self.tokenConfig.accessTokenInactivityTimeout).getSeconds() + >= 300' proxy: description: Proxy holds cluster-wide information on how to configure default proxies for the cluster.
@@ -43318,6 +43324,12 @@ objects: type: integer type: object type: object + x-kubernetes-validations: + - message: spec.configuration.oauth.tokenConfig.accessTokenInactivityTimeout + minimum acceptable token timeout value is 300 seconds + rule: '!has(self.tokenConfig.accessTokenInactivityTimeout) + || duration(self.tokenConfig.accessTokenInactivityTimeout).getSeconds() + >= 300' proxy: description: Proxy holds cluster-wide information on how to configure default proxies for the cluster.