[release-4.14] OCPBUGS-22360: Validate accessTokenInactivityTimeout >= 300s

api/v1beta1/hostedcluster_types.go

@@ -2096,6 +2096,7 @@ type ClusterConfiguration struct {
 	// It is used to configure the integrated OAuth server.
 	// This configuration is only honored when the top level Authentication config has type set to IntegratedOAuth.
 	// +optional
+	// +kubebuilder:validation:XValidation:rule="!has(self.tokenConfig.accessTokenInactivityTimeout) || duration(self.tokenConfig.accessTokenInactivityTimeout).getSeconds() >= 300", message="spec.configuration.oauth.tokenConfig.accessTokenInactivityTimeout minimum acceptable token timeout value is 300 seconds"
 	OAuth *configv1.OAuthSpec `json:"oauth,omitempty"`
 
 	// Scheduler holds cluster-wide config information to run the Kubernetes Scheduler

cmd/install/assets/hypershift-operator/hypershift.openshift.io_hostedclusters.yaml

@@ -5614,6 +5614,12 @@ spec:
                             type: integer
                         type: object
                     type: object
+                    x-kubernetes-validations:
+                    - message: spec.configuration.oauth.tokenConfig.accessTokenInactivityTimeout
+                        minimum acceptable token timeout value is 300 seconds
+                      rule: '!has(self.tokenConfig.accessTokenInactivityTimeout) ||
+                        duration(self.tokenConfig.accessTokenInactivityTimeout).getSeconds()
+                        >= 300'
                   proxy:
                     description: Proxy holds cluster-wide information on how to configure
                       default proxies for the cluster.

cmd/install/assets/hypershift-operator/hypershift.openshift.io_hostedcontrolplanes.yaml

@@ -5594,6 +5594,12 @@ spec:
                             type: integer
                         type: object
                     type: object
+                    x-kubernetes-validations:
+                    - message: spec.configuration.oauth.tokenConfig.accessTokenInactivityTimeout
+                        minimum acceptable token timeout value is 300 seconds
+                      rule: '!has(self.tokenConfig.accessTokenInactivityTimeout) ||
+                        duration(self.tokenConfig.accessTokenInactivityTimeout).getSeconds()
+                        >= 300'
                   proxy:
                     description: Proxy holds cluster-wide information on how to configure
                       default proxies for the cluster.

hack/app-sre/saas_template.yaml

@@ -35589,6 +35589,12 @@ objects:
                               type: integer
                           type: object
                       type: object
+                      x-kubernetes-validations:
+                      - message: spec.configuration.oauth.tokenConfig.accessTokenInactivityTimeout
+                          minimum acceptable token timeout value is 300 seconds
+                        rule: '!has(self.tokenConfig.accessTokenInactivityTimeout)
+                          || duration(self.tokenConfig.accessTokenInactivityTimeout).getSeconds()
+                          >= 300'
                     proxy:
                       description: Proxy holds cluster-wide information on how to
                         configure default proxies for the cluster.
@@ -43318,6 +43324,12 @@ objects:
                               type: integer
                           type: object
                       type: object
+                      x-kubernetes-validations:
+                      - message: spec.configuration.oauth.tokenConfig.accessTokenInactivityTimeout
+                          minimum acceptable token timeout value is 300 seconds
+                        rule: '!has(self.tokenConfig.accessTokenInactivityTimeout)
+                          || duration(self.tokenConfig.accessTokenInactivityTimeout).getSeconds()
+                          >= 300'
                     proxy:
                       description: Proxy holds cluster-wide information on how to
                         configure default proxies for the cluster.