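# CustomResourceDefinition for the cluster-scoped OpenShift `Ingress` config
# resource (ingresses.config.openshift.io). The canonical instance is named
# `cluster` (see the schema description below).
#
# Reviewer notes for anyone auditing RBAC on this resource or an operator that
# acts on it:
#   * spec.componentRoutes lets a writer choose the public hostname and the
#     serving-certificate Secret (in openshift-config) for component routes.
#     The field descriptions assume the writer is a cluster-admin; write access
#     to `ingresses.config.openshift.io` should be scoped accordingly.
#   * status is exposed through the /status subresource (enabled at the bottom
#     of this file), so operators can be granted update on `ingresses/status`
#     without being able to change spec.
#   * Several hostname fields are validated by a deliberately permissive regex
#     kept for backward compatibility; see the comments on those fields.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    api-approved.openshift.io: https://github.com/openshift/api/pull/470
    # Release-payload inclusion flags. Quoted on purpose: annotation values
    # must be strings, and an unquoted `true` would be parsed as a boolean.
    include.release.openshift.io/ibm-cloud-managed: "true"
    include.release.openshift.io/self-managed-high-availability: "true"
    include.release.openshift.io/single-node-developer: "true"
  name: ingresses.config.openshift.io
spec:
  group: config.openshift.io
  names:
    kind: Ingress
    listKind: IngressList
    plural: ingresses
    singular: ingress
  # Cluster-scoped: there is no namespace boundary on this object, so RBAC on
  # the resource itself is the only access control.
  scope: Cluster
  versions:
  - name: v1
    schema:
      openAPIV3Schema:
        description: "Ingress holds cluster-wide information about ingress, including the default ingress domain used for routes. The canonical name is `cluster`. \n Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer)."
        type: object
        required:
        - spec
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: spec holds user settable values for configuration
            type: object
            properties:
              # Free-form string: no pattern or maxLength is enforced at the
              # schema level. A non-empty value redirects default-host
              # generation for every Route created without an explicit host,
              # so changing it moves where new workloads become reachable.
              # The description assumes an ingresscontroller with a wildcard
              # certificate for this domain already exists.
              appsDomain:
                description: appsDomain is an optional domain to use instead of the one specified in the domain field when a Route is created without specifying an explicit host. If appsDomain is nonempty, this value is used to generate default host values for Route. Unlike domain, appsDomain may be modified after installation. This assumes a new ingresscontroller has been setup with a wildcard certificate.
                type: string
              # Cluster-admin intent: each entry re-points a component route to
              # a chosen hostname and, optionally, a TLS Secret read from
              # openshift-config. Entries only take effect for (namespace,
              # name) pairs that a participating operator has published under
              # status.componentRoutes.
              componentRoutes:
                description: "componentRoutes is an optional list of routes that are managed by OpenShift components that a cluster-admin is able to configure the hostname and serving certificate for. The namespace and name of each route in this list should match an existing entry in the status.componentRoutes list. \n To determine the set of configurable Routes, look at namespace and name of entries in the .status.componentRoutes list, where participating operators write the status of configurable routes."
                type: array
                items:
                  description: ComponentRouteSpec allows for configuration of a route's hostname and serving certificate.
                  type: object
                  required:
                  - hostname
                  - name
                  - namespace
                  properties:
                    # The pattern is deliberately permissive. The left
                    # alternative of `|` accepts upper case, \p{S} symbol
                    # characters and labels that start or end in
                    # non-alphanumerics (kept for backward compatibility; see
                    # the Hostname description under
                    # status.componentRoutes.currentHostnames), and the right
                    # alternative has no total-length cap. Do not rely on this
                    # regex as the hostname security check: route admission
                    # validation still applies when the route is created.
                    hostname:
                      description: hostname is the hostname that should be used by the route.
                      type: string
                      pattern: ^([a-zA-Z0-9\p{S}\p{L}]((-?[a-zA-Z0-9\p{S}\p{L}]{0,62})?)|([a-zA-Z0-9\p{S}\p{L}](([a-zA-Z0-9-\p{S}\p{L}]{0,61}[a-zA-Z0-9\p{S}\p{L}])?)(\.)){1,}([a-zA-Z\p{L}]){2,63})$|^(([a-z0-9][-a-z0-9]{0,61}[a-z0-9]|[a-z0-9]{1,63})[\.]){0,}([a-z0-9][-a-z0-9]{0,61}[a-z0-9]|[a-z0-9]{1,63})$
                    name:
                      description: "name is the logical name of the route to customize. \n The namespace and name of this componentRoute must match a corresponding entry in the list of status.componentRoutes if the route is to be customized."
                      type: string
                      maxLength: 256
                      minLength: 1
                    namespace:
                      description: "namespace is the namespace of the route to customize. \n The namespace and name of this componentRoute must match a corresponding entry in the list of status.componentRoutes if the route is to be customized."
                      type: string
                      maxLength: 63
                      minLength: 1
                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                    # Only a Secret name is given; the namespace is fixed to
                    # openshift-config by contract, so this field cannot point
                    # at Secrets in arbitrary namespaces. The name carries no
                    # schema-level length or format constraint, and checking
                    # that the Secret exists, is of type kubernetes.io/tls and
                    # holds a matching cert/key pair is left to the operator
                    # that consumes it.
                    servingCertKeyPairSecret:
                      description: servingCertKeyPairSecret is a reference to a secret of type `kubernetes.io/tls` in the openshift-config namespace. The serving cert/key pair must match and will be used by the operator to fulfill the intent of serving with this name. If the custom hostname uses the default routing suffix of the cluster, the Secret specification for a serving certificate will not be needed.
                      type: object
                      required:
                      - name
                      properties:
                        name:
                          description: name is the metadata.name of the referenced secret
                          type: string
                # Map semantics keyed on (namespace, name): server-side apply
                # merges entries by key instead of replacing the whole list.
                x-kubernetes-list-map-keys:
                - namespace
                - name
                x-kubernetes-list-type: map
              # Validated only as `type: string`. Per the description it is
              # set once at install time and is the suffix of the default
              # ingresscontroller's wildcard domain.
              domain:
                description: "domain is used to generate a default host name for a route when the route's host name is empty. The generated host name will follow this pattern: \"<route-name>.<route-namespace>.<domain>\". \n It is also used as the default wildcard domain suffix for ingress. The default ingresscontroller domain will follow this pattern: \"*.<domain>\". \n Once set, changing domain is not currently supported."
                type: string
              loadBalancer:
                description: loadBalancer contains the load balancer details in general which are not only specific to the underlying infrastructure provider of the current cluster and are required for Ingress Controller to work on OpenShift.
                type: object
                properties:
                  platform:
                    description: platform holds configuration specific to the underlying infrastructure provider for the ingress load balancers. When omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time.
                    type: object
                    properties:
                      aws:
                        description: aws contains settings specific to the Amazon Web Services infrastructure provider.
                        type: object
                        required:
                        - type
                        properties:
                          # Unset means Classic per the description; the enum
                          # is the only validation.
                          type:
                            description: "type allows user to set a load balancer type. When this field is set the default ingresscontroller will get created using the specified LBType. If this field is not set then the default ingress controller of LBType Classic will be created. Valid values are: \n * \"Classic\": A Classic Load Balancer that makes routing decisions at either the transport layer (TCP/SSL) or the application layer (HTTP/HTTPS). See the following for additional details: \n https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#clb \n * \"NLB\": A Network Load Balancer that makes routing decisions at the transport layer (TCP/SSL). See the following for additional details: \n https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#nlb"
                            type: string
                            enum:
                            - NLB
                            - Classic
                      # The enum below also admits "", "IBMCloud" and
                      # "External", which the description omits. This CRD
                      # appears to be generated from Go types (note the Go
                      # struct text in the conditions description under
                      # status), so the wording should be corrected in the Go
                      # source comment rather than edited here.
                      type:
                        description: type is the underlying infrastructure provider for the cluster. Allowed values are "AWS", "Azure", "BareMetal", "GCP", "Libvirt", "OpenStack", "VSphere", "oVirt", "KubeVirt", "EquinixMetal", "PowerVS", "AlibabaCloud", "Nutanix" and "None". Individual components may not support all platforms, and must handle unrecognized platforms as None if they do not support that platform.
                        type: string
                        enum:
                        - ""
                        - AWS
                        - Azure
                        - BareMetal
                        - GCP
                        - Libvirt
                        - OpenStack
                        - None
                        - VSphere
                        - oVirt
                        - IBMCloud
                        - KubeVirt
                        - EquinixMetal
                        - PowerVS
                        - AlibabaCloud
                        - Nutanix
                        - External
              # HSTS policy enforcement at route admission. Points to keep in
              # mind when relying on this for security:
              #   * Only domainPatterns is schema-required, although the
              #     description says every policy must also carry a maxAge; a
              #     policy without maxAge is accepted by the API server and
              #     how it is handled is left to the router.
              #   * Ordering matters: the first policy whose domainPatterns
              #     and namespaceSelector match decides admission.
              #   * The description says a route is checked when it carries
              #     the haproxy.router.openshift.io/hsts_header annotation;
              #     confirm against the router's admission code whether a
              #     matching route with no annotation at all is rejected. If
              #     it is not, this field bounds what an HSTS header may say
              #     rather than mandating that one is sent.
              #   * Tightening the policy does not break routes already
              #     admitted; it only affects subsequent creates/updates.
              requiredHSTSPolicies:
                description: "requiredHSTSPolicies specifies HSTS policies that are required to be set on newly created or updated routes matching the domainPattern/s and namespaceSelector/s that are specified in the policy. Each requiredHSTSPolicy must have at least a domainPattern and a maxAge to validate a route HSTS Policy route annotation, and affect route admission. \n A candidate route is checked for HSTS Policies if it has the HSTS Policy route annotation: \"haproxy.router.openshift.io/hsts_header\" E.g. haproxy.router.openshift.io/hsts_header: max-age=31536000;preload;includeSubDomains \n - For each candidate route, if it matches a requiredHSTSPolicy domainPattern and optional namespaceSelector, then the maxAge, preloadPolicy, and includeSubdomainsPolicy must be valid to be admitted. Otherwise, the route is rejected. - The first match, by domainPattern and optional namespaceSelector, in the ordering of the RequiredHSTSPolicies determines the route's admission status. - If the candidate route doesn't match any requiredHSTSPolicy domainPattern and optional namespaceSelector, then it may use any HSTS Policy annotation. \n The HSTS policy configuration may be changed after routes have already been created. An update to a previously admitted route may then fail if the updated route does not conform to the updated HSTS policy configuration. However, changing the HSTS policy configuration will not cause a route that is already admitted to stop working. \n Note that if there are no RequiredHSTSPolicies, any HSTS Policy annotation on the route is valid."
                type: array
                items:
                  type: object
                  required:
                  - domainPatterns
                  properties:
                    # Items are unvalidated strings. A wildcard `*.foo.com`
                    # does NOT cover the apex `foo.com`; list both when the
                    # whole zone must be covered.
                    domainPatterns:
                      description: "domainPatterns is a list of domains for which the desired HSTS annotations are required. If domainPatterns is specified and a route is created with a spec.host matching one of the domains, the route must specify the HSTS Policy components described in the matching RequiredHSTSPolicy. \n The use of wildcards is allowed like this: *.foo.com matches everything under foo.com. foo.com only matches foo.com, so to cover foo.com and everything under it, you must specify *both*."
                      type: array
                      minItems: 1
                      items:
                        type: string
                    includeSubDomainsPolicy:
                      description: 'includeSubDomainsPolicy means the HSTS Policy should apply to any subdomains of the host''s domain name. Thus, for the host bar.foo.com, if includeSubDomainsPolicy was set to RequireIncludeSubDomains: - the host app.bar.foo.com would inherit the HSTS Policy of bar.foo.com - the host bar.foo.com would inherit the HSTS Policy of bar.foo.com - the host foo.com would NOT inherit the HSTS Policy of bar.foo.com - the host def.foo.com would NOT inherit the HSTS Policy of bar.foo.com'
                      type: string
                      enum:
                      - RequireIncludeSubDomains
                      - RequireNoIncludeSubDomains
                      - NoOpinion
                    maxAge:
                      description: maxAge is the delta time range in seconds during which hosts are regarded as HSTS hosts. If set to 0, it negates the effect, and hosts are removed as HSTS hosts. If set to 0 and includeSubdomains is specified, all subdomains of the host are also removed as HSTS hosts. maxAge is a time-to-live value, and if this policy is not refreshed on a client, the HSTS policy will eventually expire on that client.
                      type: object
                      properties:
                        largestMaxAge:
                          description: The largest allowed value (in seconds) of the RequiredHSTSPolicy max-age This value can be left unspecified, in which case no upper limit is enforced.
                          type: integer
                          format: int32
                          maximum: 2147483647
                          minimum: 0
                        # Leaving this unset (or 0) lets a route send
                        # max-age=0 and thereby clear HSTS for its host; the
                        # description frames that as an intentional escape
                        # hatch. Policies that are meant to guarantee HSTS
                        # stays in force should set a value > 0.
                        smallestMaxAge:
                          description: The smallest allowed value (in seconds) of the RequiredHSTSPolicy max-age Setting max-age=0 allows the deletion of an existing HSTS header from a host. This is a necessary tool for administrators to quickly correct mistakes. This value can be left unspecified, in which case no lower limit is enforced.
                          type: integer
                          format: int32
                          maximum: 2147483647
                          minimum: 0
                    # An omitted/empty selector matches every namespace, so a
                    # policy with no selector applies cluster-wide to the
                    # listed domains.
                    namespaceSelector:
                      description: namespaceSelector specifies a label selector such that the policy applies only to those routes that are in namespaces with labels that match the selector, and are in one of the DomainPatterns. Defaults to the empty LabelSelector, which matches everything.
                      type: object
                      properties:
                        matchExpressions:
                          description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
                          type: array
                          items:
                            description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
                            type: object
                            required:
                            - key
                            - operator
                            properties:
                              key:
                                description: key is the label key that the selector applies to.
                                type: string
                              # No enum here: the four valid operators are
                              # only listed in the description, so a typo is
                              # not caught by the schema.
                              operator:
                                description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
                                type: string
                              values:
                                description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
                                type: array
                                items:
                                  type: string
                        matchLabels:
                          description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
                          type: object
                          additionalProperties:
                            type: string
                      x-kubernetes-map-type: atomic
                    preloadPolicy:
                      description: preloadPolicy directs the client to include hosts in its host preload list so that it never needs to do an initial load to get the HSTS header (note that this is not defined in RFC 6797 and is therefore client implementation-dependent).
                      type: string
                      enum:
                      - RequirePreload
                      - RequireNoPreload
                      - NoOpinion
          # Written by operators via the /status subresource, not by whoever
          # edits spec. Everything under here is observed state.
          status:
            description: status holds observed values from the cluster. They may not be overridden.
            type: object
            properties:
              # Operators publish here the routes that spec.componentRoutes
              # is allowed to customize, plus the ServiceAccounts that need
              # to read the serving-cert Secret.
              componentRoutes:
                description: componentRoutes is where participating operators place the current route status for routes whose hostnames and serving certificates can be customized by the cluster-admin.
                type: array
                items:
                  description: ComponentRouteStatus contains information allowing configuration of a route's hostname and serving certificate.
                  type: object
                  required:
                  - defaultHostname
                  - name
                  - namespace
                  - relatedObjects
                  properties:
                    # Standard metav1.Condition list keyed on `type`.
                    conditions:
                      description: "conditions are used to communicate the state of the componentRoutes entry. \n Supported conditions include Available, Degraded and Progressing. \n If available is true, the content served by the route can be accessed by users. This includes cases where a default may continue to serve content while the customized route specified by the cluster-admin is being configured. \n If Degraded is true, that means something has gone wrong trying to handle the componentRoutes entry. The currentHostnames field may or may not be in effect. \n If Progressing is true, that means the component is taking some action related to the componentRoutes entry."
                      type: array
                      items:
                        description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n type FooStatus struct{ // Represents the observations of a foo's current state. // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
                        type: object
                        required:
                        - lastTransitionTime
                        - message
                        - reason
                        - status
                        - type
                        properties:
                          lastTransitionTime:
                            description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
                            type: string
                            format: date-time
                          message:
                            description: message is a human readable message indicating details about the transition. This may be an empty string.
                            type: string
                            maxLength: 32768
                          observedGeneration:
                            description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
                            type: integer
                            format: int64
                            minimum: 0
                          reason:
                            description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
                            type: string
                            maxLength: 1024
                            minLength: 1
                            pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
                          status:
                            description: status of the condition, one of True, False, Unknown.
                            type: string
                            enum:
                            - "True"
                            - "False"
                            - Unknown
                          type:
                            description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
                            type: string
                            maxLength: 316
                            pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
                      x-kubernetes-list-map-keys:
                      - type
                      x-kubernetes-list-type: map
                    # Identities (at most 5, ServiceAccounts only, enforced by
                    # the pattern) that must be able to read the cluster-admin
                    # supplied serving-cert Secret in openshift-config.
                    # Granting that read is a cross-namespace Secret grant
                    # into openshift-config, so the list should stay minimal
                    # and be reviewed when an operator changes it.
                    consumingUsers:
                      description: consumingUsers is a slice of ServiceAccounts that need to have read permission on the servingCertKeyPairSecret secret.
                      type: array
                      maxItems: 5
                      items:
                        description: ConsumingUser is an alias for string which we add validation to. Currently only service accounts are supported.
                        type: string
                        maxLength: 512
                        minLength: 1
                        pattern: ^system:serviceaccount:[a-z0-9]([-a-z0-9]*[a-z0-9])?:[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                    # Same permissive hostname regex as spec.componentRoutes
                    # .hostname; the description on the item explains why
                    # both alternatives are kept.
                    currentHostnames:
                      description: currentHostnames is the list of current names used by the route. Typically, this list should consist of a single hostname, but if multiple hostnames are supported by the route the operator may write multiple entries to this list.
                      type: array
                      minItems: 1
                      items:
                        description: "Hostname is an alias for hostname string validation. \n The left operand of the | is the original kubebuilder hostname validation format, which is incorrect because it allows upper case letters, disallows hyphen or number in the TLD, and allows labels to start/end in non-alphanumeric characters. See https://bugzilla.redhat.com/show_bug.cgi?id=2039256. ^([a-zA-Z0-9\\p{S}\\p{L}]((-?[a-zA-Z0-9\\p{S}\\p{L}]{0,62})?)|([a-zA-Z0-9\\p{S}\\p{L}](([a-zA-Z0-9-\\p{S}\\p{L}]{0,61}[a-zA-Z0-9\\p{S}\\p{L}])?)(\\.)){1,}([a-zA-Z\\p{L}]){2,63})$ \n The right operand of the | is a new pattern that mimics the current API route admission validation on hostname, except that it allows hostnames longer than the maximum length: ^(([a-z0-9][-a-z0-9]{0,61}[a-z0-9]|[a-z0-9]{1,63})[\\.]){0,}([a-z0-9][-a-z0-9]{0,61}[a-z0-9]|[a-z0-9]{1,63})$ \n Both operand patterns are made available so that modifications on ingress spec can still happen after an invalid hostname was saved via validation by the incorrect left operand of the | operator."
                        type: string
                        pattern: ^([a-zA-Z0-9\p{S}\p{L}]((-?[a-zA-Z0-9\p{S}\p{L}]{0,62})?)|([a-zA-Z0-9\p{S}\p{L}](([a-zA-Z0-9-\p{S}\p{L}]{0,61}[a-zA-Z0-9\p{S}\p{L}])?)(\.)){1,}([a-zA-Z\p{L}]){2,63})$|^(([a-z0-9][-a-z0-9]{0,61}[a-z0-9]|[a-z0-9]{1,63})[\.]){0,}([a-z0-9][-a-z0-9]{0,61}[a-z0-9]|[a-z0-9]{1,63})$
                    defaultHostname:
                      description: defaultHostname is the hostname of this route prior to customization.
                      type: string
                      pattern: ^([a-zA-Z0-9\p{S}\p{L}]((-?[a-zA-Z0-9\p{S}\p{L}]{0,62})?)|([a-zA-Z0-9\p{S}\p{L}](([a-zA-Z0-9-\p{S}\p{L}]{0,61}[a-zA-Z0-9\p{S}\p{L}])?)(\.)){1,}([a-zA-Z\p{L}]){2,63})$|^(([a-z0-9][-a-z0-9]{0,61}[a-z0-9]|[a-z0-9]{1,63})[\.]){0,}([a-z0-9][-a-z0-9]{0,61}[a-z0-9]|[a-z0-9]{1,63})$
                    name:
                      description: "name is the logical name of the route to customize. It does not have to be the actual name of a route resource but it cannot be renamed. \n The namespace and name of this componentRoute must match a corresponding entry in the list of spec.componentRoutes if the route is to be customized."
                      type: string
                      maxLength: 256
                      minLength: 1
                    namespace:
                      description: "namespace is the namespace of the route to customize. It must be a real namespace. Using an actual namespace ensures that no two components will conflict and the same component can be installed multiple times. \n The namespace and name of this componentRoute must match a corresponding entry in the list of spec.componentRoutes if the route is to be customized."
                      type: string
                      maxLength: 63
                      minLength: 1
                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                    # Informational references for debugging. `namespace` is
                    # optional so cluster-scoped referents can be listed.
                    relatedObjects:
                      description: relatedObjects is a list of resources which are useful when debugging or inspecting how spec.componentRoutes is applied.
                      type: array
                      minItems: 1
                      items:
                        description: ObjectReference contains enough information to let you inspect or modify the referred object.
                        type: object
                        required:
                        - group
                        - name
                        - resource
                        properties:
                          group:
                            description: group of the referent.
                            type: string
                          name:
                            description: name of the referent.
                            type: string
                          namespace:
                            description: namespace of the referent.
                            type: string
                          resource:
                            description: resource of the referent.
                            type: string
                x-kubernetes-list-map-keys:
                - namespace
                - name
                x-kubernetes-list-type: map
              # Install-time choice of where router pods run by default; an
              # empty string is accepted and means the same as the omitted
              # default (Workers) per the description.
              defaultPlacement:
                description: "defaultPlacement is set at installation time to control which nodes will host the ingress router pods by default. The options are control-plane nodes or worker nodes. \n This field works by dictating how the Cluster Ingress Operator will consider unset replicas and nodePlacement fields in IngressController resources when creating the corresponding Deployments. \n See the documentation for the IngressController replicas and nodePlacement fields for more information. \n When omitted, the default value is Workers"
                type: string
                enum:
                - ControlPlane
                - Workers
                - ""
    served: true
    storage: true
    # Enabling the status subresource means status is only writable through
    # /status, so RBAC on `ingresses/status` can be granted to operators
    # independently of write access to spec.
    subresources:
      status: {}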