package v1

import (
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/apimachinery/pkg/runtime"
)

// ConfigMapFileReference references a config map in a specific namespace.
// The namespace must be specified at the point of use.
type ConfigMapFileReference struct {
	// Name is the metadata.name of the referenced config map.
	Name string `json:"name"`
	// Key allows pointing to a specific key/value inside of the configmap. This is useful for logical file references.
	Key string `json:"key,omitempty"`
}

// ConfigMapNameReference references a config map in a specific namespace.
// The namespace must be specified at the point of use.
type ConfigMapNameReference struct {
	// name is the metadata.name of the referenced config map
	// +kubebuilder:validation:Required
	// +required
	Name string `json:"name"`
}

// SecretNameReference references a secret in a specific namespace.
// The namespace must be specified at the point of use.
type SecretNameReference struct {
	// name is the metadata.name of the referenced secret
	// +kubebuilder:validation:Required
	// +required
	Name string `json:"name"`
}

// HTTPServingInfo holds configuration for serving HTTP.
type HTTPServingInfo struct {
	// ServingInfo is the HTTP serving information
	ServingInfo `json:",inline"`
	// MaxRequestsInFlight is the number of concurrent requests allowed to the server. If zero, no limit.
	MaxRequestsInFlight int64 `json:"maxRequestsInFlight"`
	// RequestTimeoutSeconds is the number of seconds before requests are timed out. The default is 60 minutes, if
	// -1 there is no limit on requests.
	RequestTimeoutSeconds int64 `json:"requestTimeoutSeconds"`
}

// ServingInfo holds information about serving web pages.
type ServingInfo struct {
	// BindAddress is the ip:port to serve on
	BindAddress string `json:"bindAddress"`
	// BindNetwork is the type of network to bind to - defaults to "tcp4", accepts "tcp",
	// "tcp4", and "tcp6"
	BindNetwork string `json:"bindNetwork"`
	// CertInfo is the TLS cert info for serving secure traffic.
	// this is anonymous so that we can inline it for serialization
	CertInfo `json:",inline"`
	// ClientCA is the certificate bundle for all the signers that you'll recognize for incoming client certificates
	// +optional
	ClientCA string `json:"clientCA,omitempty"`
	// NamedCertificates is a list of certificates to use to secure requests to specific hostnames
	NamedCertificates []NamedCertificate `json:"namedCertificates,omitempty"`
	// MinTLSVersion is the minimum TLS version supported.
	// Values must match version names from https://golang.org/pkg/crypto/tls/#pkg-constants
	// NOTE(review): when left empty, the effective minimum is whatever default the consuming
	// server applies; this type does not pin one — confirm against the server's TLS setup.
	MinTLSVersion string `json:"minTLSVersion,omitempty"`
	// CipherSuites contains an overridden list of ciphers for the server to support.
	// Values must match cipher suite IDs from https://golang.org/pkg/crypto/tls/#pkg-constants
	// NOTE(review): an override replaces, rather than extends, the consumer's default list — confirm
	// against the consuming server before relying on it to harden or relax the suite set.
	CipherSuites []string `json:"cipherSuites,omitempty"`
}

// CertInfo relates a certificate with a private key.
type CertInfo struct {
	// CertFile is a file containing a PEM-encoded certificate
	CertFile string `json:"certFile"`
	// KeyFile is a file containing a PEM-encoded private key for the certificate specified by CertFile.
	// This is a path to key material on disk; the referenced file's permissions are outside this type's control.
	KeyFile string `json:"keyFile"`
}

// NamedCertificate specifies a certificate/key, and the names it should be served for.
type NamedCertificate struct {
	// Names is a list of DNS names this certificate should be used to secure
	// A name can be a normal DNS name, or can contain leading wildcard segments.
	Names []string `json:"names,omitempty"`
	// CertInfo is the TLS cert info for serving secure traffic
	CertInfo `json:",inline"`
}

// LeaderElection provides information to elect a leader.
type LeaderElection struct {
	// disable allows leader election to be suspended while allowing a fully defaulted "normal" startup case.
	Disable bool `json:"disable,omitempty"`
	// namespace indicates which namespace the resource is in
	Namespace string `json:"namespace,omitempty"`
	// name indicates what name to use for the resource
	Name string `json:"name,omitempty"`

	// leaseDuration is the duration that non-leader candidates will wait
	// after observing a leadership renewal until attempting to acquire
	// leadership of a led but unrenewed leader slot. This is effectively the
	// maximum duration that a leader can be stopped before it is replaced
	// by another candidate. This is only applicable if leader election is
	// enabled.
	// +nullable
	LeaseDuration metav1.Duration `json:"leaseDuration"`
	// renewDeadline is the interval between attempts by the acting master to
	// renew a leadership slot before it stops leading. This must be less
	// than or equal to the lease duration. This is only applicable if leader
	// election is enabled.
	// +nullable
	RenewDeadline metav1.Duration `json:"renewDeadline"`
	// retryPeriod is the duration the clients should wait between attempting
	// acquisition and renewal of a leadership. This is only applicable if
	// leader election is enabled.
	// +nullable
	RetryPeriod metav1.Duration `json:"retryPeriod"`
}

// StringSource allows specifying a string inline, or externally via env var or file.
// When it contains only a string value, it marshals to a simple JSON string.
type StringSource struct {
	// StringSourceSpec specifies the string value, or external location
	StringSourceSpec `json:",inline"`
}

// StringSourceSpec specifies a string value, or external location.
// Exactly one of Value, Env or File is expected to carry the string; KeyFile only
// matters when the chosen source holds an encrypted value.
type StringSourceSpec struct {
	// Value specifies the cleartext value, or an encrypted value if keyFile is specified.
	// An inline value is carried verbatim in the serialized configuration document; Env or File
	// keep the material itself out of the document.
	Value string `json:"value"`

	// Env specifies an envvar containing the cleartext value, or an encrypted value if the keyFile is specified.
	Env string `json:"env"`

	// File references a file containing the cleartext value, or an encrypted value if a keyFile is specified.
	File string `json:"file"`

	// KeyFile references a file containing the key to use to decrypt the value.
	KeyFile string `json:"keyFile"`
}

// RemoteConnectionInfo holds information necessary for establishing a remote connection.
type RemoteConnectionInfo struct {
	// URL is the remote URL to connect to
	URL string `json:"url"`
	// CA is the CA for verifying TLS connections
	// NOTE(review): whether this holds a file path or an inline bundle is not stated here — confirm against consumers
	// (EtcdConnectionInfo.CA below is documented as a file).
	CA string `json:"ca"`
	// CertInfo is the TLS client cert information to present
	// this is anonymous so that we can inline it for serialization
	CertInfo `json:",inline"`
}

// AdmissionConfig holds the admission plugin configuration for an API server:
// per-plugin settings plus the lists of plugins to force on or off.
type AdmissionConfig struct {
	// pluginConfig holds per-plugin configuration keyed by a string identifier;
	// presumably the admission plugin name — confirm against consumers.
	PluginConfig map[string]AdmissionPluginConfig `json:"pluginConfig,omitempty"`

	// enabledPlugins is a list of admission plugins that must be on in addition to the default list.
	// Some admission plugins are disabled by default, but certain configurations require them. This is fairly uncommon
	// and can result in performance penalties and unexpected behavior.
	EnabledAdmissionPlugins []string `json:"enabledPlugins,omitempty"`

	// disabledPlugins is a list of admission plugins that must be off. Putting something in this list
	// is almost always a mistake and likely to result in cluster instability.
	DisabledAdmissionPlugins []string `json:"disabledPlugins,omitempty"`
}

// AdmissionPluginConfig holds the necessary configuration options for admission plugins.
type AdmissionPluginConfig struct {
	// Location is the path to a configuration file that contains the plugin's
	// configuration
	Location string `json:"location"`

	// Configuration is an embedded configuration object to be used as the plugin's
	// configuration. If present, it will be used instead of the path to the configuration file.
	// +nullable
	// +kubebuilder:pruning:PreserveUnknownFields
	Configuration runtime.RawExtension `json:"configuration"`
}

// LogFormatType selects the format used for saved audit events;
// see LogFormatLegacy and LogFormatJson.
type LogFormatType string

// WebHookModeType selects how audit events are handed to the audit webhook;
// see WebHookModeBatch and WebHookModeBlocking.
type WebHookModeType string

const (
	// LogFormatLegacy saves event in 1-line text format.
	LogFormatLegacy LogFormatType = "legacy"
	// LogFormatJson saves event in structured json format.
	LogFormatJson LogFormatType = "json"

	// WebHookModeBatch indicates that the webhook should buffer audit events
	// internally, sending batch updates either once a certain number of
	// events have been received or a certain amount of time has passed.
	WebHookModeBatch WebHookModeType = "batch"
	// WebHookModeBlocking causes the webhook to block on every attempt to process
	// a set of events. This causes requests to the API server to wait for a
	// round trip to the external audit service before sending a response.
	WebHookModeBlocking WebHookModeType = "blocking"
)

// AuditConfig holds configuration for the audit capabilities.
type AuditConfig struct {
	// If this flag is set, audit log will be printed in the logs.
	// The logs contains, method, user and a requested URL.
	Enabled bool `json:"enabled"`
	// All requests coming to the apiserver will be logged to this file.
	AuditFilePath string `json:"auditFilePath"`
	// Maximum number of days to retain old log files based on the timestamp encoded in their filename.
	MaximumFileRetentionDays int32 `json:"maximumFileRetentionDays"`
	// Maximum number of old log files to retain.
	MaximumRetainedFiles int32 `json:"maximumRetainedFiles"`
	// Maximum size in megabytes of the log file before it gets rotated. Defaults to 100MB.
	MaximumFileSizeMegabytes int32 `json:"maximumFileSizeMegabytes"`

	// PolicyFile is a path to the file that defines the audit policy configuration.
	PolicyFile string `json:"policyFile"`
	// PolicyConfiguration is an embedded policy configuration object to be used
	// as the audit policy configuration. If present, it will be used instead of
	// the path to the policy file.
	// +nullable
	// +kubebuilder:pruning:PreserveUnknownFields
	PolicyConfiguration runtime.RawExtension `json:"policyConfiguration"`

	// Format of saved audits (legacy or json).
	LogFormat LogFormatType `json:"logFormat"`

	// Path to a .kubeconfig formatted file that defines the audit webhook configuration.
	WebHookKubeConfig string `json:"webHookKubeConfig"`
	// Strategy for sending audit events (block or batch).
	WebHookMode WebHookModeType `json:"webHookMode"`
}

// EtcdConnectionInfo holds information necessary for connecting to an etcd server.
type EtcdConnectionInfo struct {
	// URLs are the URLs for etcd
	URLs []string `json:"urls,omitempty"`
	// CA is a file containing trusted roots for the etcd server certificates
	CA string `json:"ca"`
	// CertInfo is the TLS client cert information for securing communication to etcd
	// this is anonymous so that we can inline it for serialization
	CertInfo `json:",inline"`
}

// EtcdStorageConfig combines the etcd connection information with the key prefix
// under which resources are stored.
type EtcdStorageConfig struct {
	// EtcdConnectionInfo describes how to reach etcd; inlined for serialization
	EtcdConnectionInfo `json:",inline"`

	// StoragePrefix is the path within etcd that the OpenShift resources will
	// be rooted under. This value, if changed, will mean existing objects in etcd will
	// no longer be located.
	StoragePrefix string `json:"storagePrefix"`
}

// GenericAPIServerConfig is an inline-able struct for aggregated apiservers that need to store data in etcd.
type GenericAPIServerConfig struct {
	// servingInfo describes how to start serving
	ServingInfo HTTPServingInfo `json:"servingInfo"`

	// corsAllowedOrigins lists the origins permitted for cross-origin requests; the matching
	// semantics (literal vs. pattern) are defined by the consuming server, not by this type.
	CORSAllowedOrigins []string `json:"corsAllowedOrigins"`

	// auditConfig describes how to configure audit information
	AuditConfig AuditConfig `json:"auditConfig"`

	// storageConfig contains information about how to use etcd for storage
	StorageConfig EtcdStorageConfig `json:"storageConfig"`

	// admissionConfig holds information about how to configure admission.
	AdmissionConfig AdmissionConfig `json:"admission"`

	// kubeClientConfig describes how to reach the owning kube-apiserver
	KubeClientConfig KubeClientConfig `json:"kubeClientConfig"`
}

// KubeClientConfig describes how a component reaches the owning kube-apiserver.
type KubeClientConfig struct {
	// kubeConfig is a .kubeconfig filename for going to the owning kube-apiserver. Empty uses an in-cluster-config
	KubeConfig string `json:"kubeConfig"`

	// connectionOverrides specifies client overrides for system components to loop back to this master.
	ConnectionOverrides ClientConnectionOverrides `json:"connectionOverrides"`
}

// ClientConnectionOverrides holds client-side transport settings (content types and
// rate limits) applied to a connection.
type ClientConnectionOverrides struct {
	// acceptContentTypes defines the Accept header sent by clients when connecting to a server, overriding the
	// default value of 'application/json'. This field will control all connections to the server used by a particular
	// client.
	AcceptContentTypes string `json:"acceptContentTypes"`
	// contentType is the content type used when sending data to the server from this client.
	ContentType string `json:"contentType"`

	// qps controls the number of queries per second allowed for this connection.
	QPS float32 `json:"qps"`
	// burst allows extra queries to accumulate when a client is exceeding its rate.
	Burst int32 `json:"burst"`
}

// GenericControllerConfig provides information to configure a controller.
type GenericControllerConfig struct {
	// ServingInfo is the HTTP serving information for the controller's endpoints
	ServingInfo HTTPServingInfo `json:"servingInfo"`

	// leaderElection provides information to elect a leader. Only override this if you have a specific need
	LeaderElection LeaderElection `json:"leaderElection"`

	// authentication allows configuration of authentication for the endpoints
	Authentication DelegatedAuthentication `json:"authentication"`
	// authorization allows configuration of authorization for the endpoints
	Authorization DelegatedAuthorization `json:"authorization"`
}

// DelegatedAuthentication allows authentication to be disabled.
type DelegatedAuthentication struct {
	// disabled indicates that authentication should be disabled. By default it will use delegated authentication.
	// NOTE(review): setting this exposes the controller's endpoints without delegated authentication; it is only
	// appropriate where the endpoints are protected by other means — confirm against the controller's serving setup.
	Disabled bool `json:"disabled,omitempty"`
}

// DelegatedAuthorization allows authorization to be disabled.
type DelegatedAuthorization struct {
	// disabled indicates that authorization should be disabled. By default it will use delegated authorization.
	// NOTE(review): setting this removes the authorization check on the controller's endpoints; pair it with
	// DelegatedAuthentication deliberately rather than by default.
	Disabled bool `json:"disabled,omitempty"`
}

// RequiredHSTSPolicy specifies the HSTS policy components that routes matching
// NamespaceSelector and DomainPatterns must carry.
type RequiredHSTSPolicy struct {
	// namespaceSelector specifies a label selector such that the policy applies only to those routes that
	// are in namespaces with labels that match the selector, and are in one of the DomainPatterns.
	// Defaults to the empty LabelSelector, which matches everything.
	// +optional
	NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector,omitempty"`

	// domainPatterns is a list of domains for which the desired HSTS annotations are required.
	// If domainPatterns is specified and a route is created with a spec.host matching one of the domains,
	// the route must specify the HSTS Policy components described in the matching RequiredHSTSPolicy.
	//
	// The use of wildcards is allowed like this: *.foo.com matches everything under foo.com.
	// foo.com only matches foo.com, so to cover foo.com and everything under it, you must specify *both*.
	// +kubebuilder:validation:MinItems=1
	// +kubebuilder:validation:Required
	// +required
	DomainPatterns []string `json:"domainPatterns"`

	// maxAge is the delta time range in seconds during which hosts are regarded as HSTS hosts.
	// If set to 0, it negates the effect, and hosts are removed as HSTS hosts.
	// If set to 0 and includeSubdomains is specified, all subdomains of the host are also removed as HSTS hosts.
	// maxAge is a time-to-live value, and if this policy is not refreshed on a client, the HSTS
	// policy will eventually expire on that client.
	MaxAge MaxAgePolicy `json:"maxAge"`

	// preloadPolicy directs the client to include hosts in its host preload list so that
	// it never needs to do an initial load to get the HSTS header (note that this is not defined
	// in RFC 6797 and is therefore client implementation-dependent).
	// +optional
	PreloadPolicy PreloadPolicy `json:"preloadPolicy,omitempty"`

	// includeSubDomainsPolicy means the HSTS Policy should apply to any subdomains of the host's
	// domain name. Thus, for the host bar.foo.com, if includeSubDomainsPolicy was set to RequireIncludeSubDomains:
	// - the host app.bar.foo.com would inherit the HSTS Policy of bar.foo.com
	// - the host bar.foo.com would inherit the HSTS Policy of bar.foo.com
	// - the host foo.com would NOT inherit the HSTS Policy of bar.foo.com
	// - the host def.foo.com would NOT inherit the HSTS Policy of bar.foo.com
	// +optional
	IncludeSubDomainsPolicy IncludeSubDomainsPolicy `json:"includeSubDomainsPolicy,omitempty"`
}

// MaxAgePolicy contains a numeric range for specifying a compliant HSTS max-age for the enclosing RequiredHSTSPolicy.
// Both bounds are optional pointers: nil means that side of the range is not enforced.
type MaxAgePolicy struct {
	// The largest allowed value (in seconds) of the RequiredHSTSPolicy max-age
	// This value can be left unspecified, in which case no upper limit is enforced.
	// +kubebuilder:validation:Minimum=0
	// +kubebuilder:validation:Maximum=2147483647
	LargestMaxAge *int32 `json:"largestMaxAge,omitempty"`

	// The smallest allowed value (in seconds) of the RequiredHSTSPolicy max-age
	// Setting max-age=0 allows the deletion of an existing HSTS header from a host. This is a necessary
	// tool for administrators to quickly correct mistakes.
	// This value can be left unspecified, in which case no lower limit is enforced.
	// +kubebuilder:validation:Minimum=0
	// +kubebuilder:validation:Maximum=2147483647
	SmallestMaxAge *int32 `json:"smallestMaxAge,omitempty"`
}

// PreloadPolicy contains a value for specifying a compliant HSTS preload policy for the enclosing RequiredHSTSPolicy
// +kubebuilder:validation:Enum=RequirePreload;RequireNoPreload;NoOpinion
type PreloadPolicy string

const (
	// RequirePreloadPolicy means HSTS "preload" is required by the RequiredHSTSPolicy
	RequirePreloadPolicy PreloadPolicy = "RequirePreload"

	// RequireNoPreloadPolicy means HSTS "preload" is forbidden by the RequiredHSTSPolicy
	RequireNoPreloadPolicy PreloadPolicy = "RequireNoPreload"

	// NoOpinionPreloadPolicy means HSTS "preload" doesn't matter to the RequiredHSTSPolicy
	NoOpinionPreloadPolicy PreloadPolicy = "NoOpinion"
)

// IncludeSubDomainsPolicy contains a value for specifying a compliant HSTS includeSubdomains policy
// for the enclosing RequiredHSTSPolicy
// +kubebuilder:validation:Enum=RequireIncludeSubDomains;RequireNoIncludeSubDomains;NoOpinion
type IncludeSubDomainsPolicy string

const (
	// RequireIncludeSubDomains means HSTS "includeSubDomains" is required by the RequiredHSTSPolicy
	RequireIncludeSubDomains IncludeSubDomainsPolicy = "RequireIncludeSubDomains"

	// RequireNoIncludeSubDomains means HSTS "includeSubDomains" is forbidden by the RequiredHSTSPolicy
	RequireNoIncludeSubDomains IncludeSubDomainsPolicy = "RequireNoIncludeSubDomains"

	// NoOpinionIncludeSubDomains means HSTS "includeSubDomains" doesn't matter to the RequiredHSTSPolicy
	NoOpinionIncludeSubDomains IncludeSubDomainsPolicy = "NoOpinion"
)