package v1

import (
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

// +genclient
// +genclient:nonNamespaced
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// APIServer holds configuration (like serving certificates, client CA and CORS domains)
// shared by all API servers in the system, among them especially kube-apiserver
// and openshift-apiserver. The canonical name of an instance is 'cluster'.
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
type APIServer struct {
	metav1.TypeMeta `json:",inline"`

	// metadata is the standard object's metadata.
	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
	metav1.ObjectMeta `json:"metadata,omitempty"`
	// spec holds user settable values for configuration
	// +kubebuilder:validation:Required
	// +required
	Spec APIServerSpec `json:"spec"`
	// status holds observed values from the cluster. They may not be overridden.
	// +optional
	Status APIServerStatus `json:"status"`
}

// APIServerSpec is the user-settable configuration shared by the platform API servers:
// serving certificates, the client CA bundle, CORS origins, datastore encryption, the
// TLS security profile and the audit policy. Several of these fields widen or narrow the
// cluster's authentication, transport and logging posture, so changes warrant review.
type APIServerSpec struct {
	// servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates
	// will be used for serving secure traffic.
	// +optional
	ServingCerts APIServerServingCerts `json:"servingCerts"`
	// clientCA references a ConfigMap containing a certificate bundle for the signers that will be recognized for
	// incoming client certificates in addition to the operator managed signers. If this is empty, then only operator managed signers are valid.
	// You usually only have to set this if you have your own PKI you wish to honor client certificates from.
	// The ConfigMap must exist in the openshift-config namespace and contain the following required fields:
	// - ConfigMap.Data["ca-bundle.crt"] - CA bundle.
	//
	// NOTE(review): every CA in the bundle becomes an additional trusted issuer of client certificates used for
	// authentication, and anyone who can write the referenced ConfigMap can add one. Keep the bundle minimal
	// and restrict write access to ConfigMaps in openshift-config accordingly.
	// +optional
	ClientCA ConfigMapNameReference `json:"clientCA"`
	// additionalCORSAllowedOrigins lists additional, user-defined regular expressions describing hosts for which the
	// API server allows access using the CORS headers. This may be needed to access the API and the integrated OAuth
	// server from JavaScript applications.
	// The values are regular expressions that correspond to the Golang regular expression language.
	//
	// NOTE(review): because these are regular expressions rather than literal origins, an unanchored or overly
	// permissive pattern matches more hosts than intended; anchor each expression and escape literal dots so that
	// a pattern meant for one host does not also match longer or look-alike hostnames.
	// +optional
	AdditionalCORSAllowedOrigins []string `json:"additionalCORSAllowedOrigins,omitempty"`
	// encryption allows the configuration of encryption of resources at the datastore layer.
	// +optional
	Encryption APIServerEncryption `json:"encryption"`
	// tlsSecurityProfile specifies settings for TLS connections for externally exposed servers.
	//
	// If unset, a default (which may change between releases) is chosen. Note that only Old,
	// Intermediate and Custom profiles are currently supported, and the maximum available
	// MinTLSVersions is VersionTLS12.
	//
	// NOTE(review): TLSSecurityProfile is declared elsewhere in this package; the Custom profile presumably
	// lets an administrator choose the cipher list and minimum version, so changes here should be checked
	// against the organisation's TLS baseline — confirm against the TLSSecurityProfile definition.
	// +optional
	TLSSecurityProfile *TLSSecurityProfile `json:"tlsSecurityProfile,omitempty"`
	// audit specifies the settings for audit configuration to be applied to all OpenShift-provided
	// API servers in the cluster.
	// +optional
	// +kubebuilder:default={profile: Default}
	Audit Audit `json:"audit"`
}

// AuditProfileType defines the audit policy profile type. Its values are referenced by
// Audit.Profile (the cluster-wide default) and AuditCustomRule.Profile (per-group overrides).
// +kubebuilder:validation:Enum=Default;WriteRequestBodies;AllRequestBodies;None
type AuditProfileType string

const (
	// "None" disables audit logs. Selecting it removes the request trail that incident
	// response and troubleshooting depend on; see the warning on Audit.Profile.
	NoneAuditProfileType AuditProfileType = "None"

	// "Default" is the existing default audit configuration policy.
	DefaultAuditProfileType AuditProfileType = "Default"

	// "WriteRequestBodies" is similar to Default but it logs request and response
	// HTTP payloads for write requests (create, update, patch)
	WriteRequestBodiesAuditProfileType AuditProfileType = "WriteRequestBodies"

	// "AllRequestBodies" is similar to WriteRequestBodies, but also logs request
	// and response HTTP payloads for read requests (get, list).
	AllRequestBodiesAuditProfileType AuditProfileType = "AllRequestBodies"
)

// Audit is the audit-logging policy applied by the OpenShift-provided API servers: a
// top-level profile plus an ordered list of per-group custom rules that override it.
type Audit struct {
	// profile specifies the name of the desired top-level audit profile to be applied to all requests
	// sent to any of the OpenShift-provided API servers in the cluster (kube-apiserver,
	// openshift-apiserver and oauth-apiserver), with the exception of those requests that match
	// one or more of the customRules.
	//
	// The following profiles are provided:
	// - Default: default policy which means MetaData level logging with the exception of events
	//   (not logged at all), oauthaccesstokens and oauthauthorizetokens (both logged at RequestBody
	//   level).
	// - WriteRequestBodies: like 'Default', but logs request and response HTTP payloads for
	//   write requests (create, update, patch).
	// - AllRequestBodies: like 'WriteRequestBodies', but also logs request and response
	//   HTTP payloads for read requests (get, list).
	// - None: no requests are logged at all, not even oauthaccesstokens and oauthauthorizetokens.
	//
	// Warning: It is not recommended to disable audit logging by using the `None` profile unless you
	// are fully aware of the risks of not logging data that can be beneficial when troubleshooting issues.
	// If you disable audit logging and a support situation arises, you might need to enable audit logging
	// and reproduce the issue in order to troubleshoot properly.
	//
	// NOTE(review): at the WriteRequestBodies and AllRequestBodies levels the recorded payloads presumably
	// include the contents of Secrets and other sensitive resources; confirm the audit log destination's
	// access controls and retention before enabling either level.
	//
	// If unset, the 'Default' profile is used as the default.
	//
	// +kubebuilder:default=Default
	Profile AuditProfileType `json:"profile,omitempty"`
	// customRules specify profiles per group. These profiles take precedence over the
	// top-level profile field if they apply. They are evaluated from top to bottom and
	// the first one that matches, applies.
	//
	// NOTE(review): a custom rule with profile None silences audit logging for every request made by
	// members of that group, regardless of the top-level profile; such rules deserve the same scrutiny
	// as setting the top-level profile to None.
	// +listType=map
	// +listMapKey=group
	// +optional
	CustomRules []AuditCustomRule `json:"customRules,omitempty"`
}

// AuditCustomRule describes a custom rule for an audit profile that takes precedence over
// the top-level profile.
type AuditCustomRule struct {
	// group is the name of a group the requesting user must be a member of in order for this profile to apply.
	//
	// +kubebuilder:validation:Required
	// +kubebuilder:validation:MinLength=1
	// +required
	Group string `json:"group"`
	// profile specifies the name of the desired audit policy configuration to be deployed to
	// all OpenShift-provided API servers in the cluster.
	//
	// The following profiles are provided:
	// - Default: the existing default policy.
	// - WriteRequestBodies: like 'Default', but logs request and response HTTP payloads for
	//   write requests (create, update, patch).
	// - AllRequestBodies: like 'WriteRequestBodies', but also logs request and response
	//   HTTP payloads for read requests (get, list).
	// - None: no requests are logged at all, not even oauthaccesstokens and oauthauthorizetokens.
	//
	// If unset, the 'Default' profile is used as the default.
	//
	// +kubebuilder:validation:Required
	// +required
	Profile AuditProfileType `json:"profile,omitempty"`
}

// APIServerServingCerts holds the user-provided serving certificates for the API servers,
// keyed by the DNS names clients use to reach them.
type APIServerServingCerts struct {
	// namedCertificates references secrets containing the TLS cert info for serving secure traffic to specific hostnames.
	// If no named certificates are provided, or no named certificates match the server name as understood by a client,
	// the defaultServingCertificate will be used.
	// +optional
	NamedCertificates []APIServerNamedServingCert `json:"namedCertificates,omitempty"`
}

// APIServerNamedServingCert maps a server DNS name, as understood by a client, to a certificate.
type APIServerNamedServingCert struct {
	// names is an optional list of explicit DNS names (leading wildcards allowed) that should use this certificate to
	// serve secure traffic. If no names are provided, the implicit names will be extracted from the certificates.
	// Exact names trump over wildcard names. Explicit names defined here trump over extracted implicit names.
	// +optional
	Names []string `json:"names,omitempty"`
	// servingCertificate references a kubernetes.io/tls type secret containing the TLS cert info for serving secure traffic.
	// The secret must exist in the openshift-config namespace and contain the following required fields:
	// - Secret.Data["tls.key"] - TLS private key.
	// - Secret.Data["tls.crt"] - TLS certificate.
	//
	// NOTE(review): the referenced Secret holds the serving private key, so read access to Secrets in
	// openshift-config should be treated as equivalent to possession of that key.
	ServingCertificate SecretNameReference `json:"servingCertificate"`
}

// APIServerEncryption selects how resources are encrypted at the datastore layer.
type APIServerEncryption struct {
	// type defines what encryption type should be used to encrypt resources at the datastore layer.
	// When this field is unset (i.e. when it is set to the empty string), identity is implied.
	// The behavior of unset can and will change over time. Even if encryption is enabled by default,
	// the meaning of unset may change to a different encryption type based on changes in best practices.
	//
	// When encryption is enabled, all sensitive resources shipped with the platform are encrypted.
	// This list of sensitive resources can and will change over time. The current authoritative list is:
	//
	//   1. secrets
	//   2. configmaps
	//   3. routes.route.openshift.io
	//   4. oauthaccesstokens.oauth.openshift.io
	//   5. oauthauthorizetokens.oauth.openshift.io
	//
	// +unionDiscriminator
	// +optional
	Type EncryptionType `json:"type,omitempty"`
}

// EncryptionType names the encryption scheme applied to resources at the datastore layer.
// The enum below deliberately accepts the empty string, which APIServerEncryption.Type
// documents as "unset" (currently implying identity, i.e. no encryption).
// +kubebuilder:validation:Enum="";identity;aescbc;aesgcm
type EncryptionType string

const (
	// identity refers to a type where no encryption is performed at the datastore layer.
	// Resources are written as-is without encryption, so the datastore (and presumably any
	// backup of it) holds the listed sensitive resources in plaintext.
	EncryptionTypeIdentity EncryptionType = "identity"

	// aescbc refers to a type where AES-CBC with PKCS#7 padding and a 32-byte key
	// is used to perform encryption at the datastore layer.
	//
	// NOTE(review): CBC mode on its own provides confidentiality but does not authenticate the
	// ciphertext; whether the datastore layer adds an integrity check is not visible here — confirm
	// before preferring this mode over aesgcm.
	EncryptionTypeAESCBC EncryptionType = "aescbc"

	// aesgcm refers to a type where AES-GCM with random nonce and a 32-byte key
	// is used to perform encryption at the datastore layer.
	//
	// NOTE(review): GCM with a randomly generated nonce has a bounded number of safe encryptions per
	// key before nonce reuse becomes a concern; confirm the key rotation policy of the component that
	// implements this setting.
	EncryptionTypeAESGCM EncryptionType = "aesgcm"
)

// APIServerStatus holds observed values from the cluster. It currently defines no fields.
type APIServerStatus struct {
}

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// APIServerList is a list of APIServer resources.
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
type APIServerList struct {
	metav1.TypeMeta `json:",inline"`

	// metadata is the standard list's metadata.
	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
	metav1.ListMeta `json:"metadata"`
	// items holds the APIServer objects in this list.
	Items []APIServer `json:"items"`
}